Prepare for 1.1.0-pre4 release

Reviewed-by: Emilia Käsper <emilia@openssl.org>

.gitignore

@@ -87,7 +87,7 @@ Makefile.save
 *.bak
 /tags
 /TAGS
-cscope.out
+cscope.*
 *.d
 /crypto.map
 /ssl.map
@@ -103,6 +103,7 @@ cscope.out
 /out32dll.dbg
 /inc32
 /MINFO
+/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak

.travis-create-release.sh

@@ -4,9 +4,8 @@
 
 ./Configure dist
 if [ "$1" == osx ]; then
-    make NAME='_srcdist' TARFLAGS='-n' TARFILE='_srcdist.tar' \
-	 TAR_COMMAND='$(TAR) $(TARFLAGS) -s "|^|$(NAME)/|" -T $(TARFILE).list -cvf -' \
-	 SHELL='sh -vx' tar
+    make NAME='_srcdist' TARFILE='_srcdist.tar' \
+         TAR_COMMAND='$(TAR) $(TARFLAGS) -cvf -' tar
 else
-    make TARFILE='_srcdist.tar' NAME='_srcdist' SHELL='sh -v' dist
+    make TARFILE='_srcdist.tar' NAME='_srcdist' dist
 fi

.travis.yml

@@ -1,8 +1,10 @@
 language: c
+cache: ccache
 
 addons:
     apt:
         packages:
+            - ccache
             - clang-3.6
             - gcc-5
             - binutils-mingw-w64
@@ -18,21 +20,16 @@ os:
 
 compiler:
     - clang
-    - clang-3.6
     - gcc
-    - gcc-5
-    - i686-w64-mingw32-gcc
-    - x86_64-w64-mingw32-gcc
 
 env:
-    - CONFIG_OPTS=""
     - CONFIG_OPTS="shared"
-    - CONFIG_OPTS="no-asm"
     - CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-    - CONFIG_OPTS="--unified"
-    - CONFIG_OPTS="--unified shared"
-    - CONFIG_OPTS="--unified no-asm"
-    - CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+    - CONFIG_OPTS="" BUILDONLY="yes"
+    - CONFIG_OPTS="--classic" BUILDONLY="yes"
+    - CONFIG_OPTS="--classic shared" BUILDONLY="yes"
+    - CONFIG_OPTS="no-pic" BUILDONLY="yes"
+    - CONFIG_OPTS="no-engine" BUILDONLY="yes"
 
 matrix:
     include:
@@ -41,74 +38,68 @@ matrix:
           env: CONFIG_OPTS="-fsanitize=address"
         - os: linux
           compiler: clang-3.6
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
+          env: CONFIG_OPTS="no-asm --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2"
         - os: linux
           compiler: gcc-5
           env: CONFIG_OPTS="-fsanitize=address"
         - os: linux
           compiler: gcc-5
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
+          env: CONFIG_OPTS="no-asm --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2"
+        - os: linux
+          compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="no-pic"
+        - os: linux
+          compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="no-pic"
     exclude:
-        - os: osx
-          compiler: clang-3.6
+        - os: linux
+          compiler: clang
         - os: osx
           compiler: gcc
-        - os: osx
-          compiler: gcc-5
-        - os: osx
-          compiler: i686-w64-mingw32-gcc
-        - os: osx
-          compiler: x86_64-w64-mingw32-gcc
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="shared"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="shared"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="no-asm"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="no-asm"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified shared"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified shared"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified no-asm"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified no-asm"
-    allow_failures:
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
 
 before_script:
     - sh .travis-create-release.sh $TRAVIS_OS_NAME
     - tar -xvzf _srcdist.tar.gz
-    - cd _srcdist
+    - if echo "$CONFIG_OPTS" | grep -e "--classic" >/dev/null; then
+          srcdir=.;
+          cd _srcdist;
+      else
+          srcdir=../_srcdist;
+          mkdir _build;
+          cd _build;
+      fi
     - if [ "$CC" == i686-w64-mingw32-gcc ]; then
           export CROSS_COMPILE=${CC%%gcc}; unset CC;
-          ./Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
+          $srcdir/Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
       elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
           export CROSS_COMPILE=${CC%%gcc}; unset CC;
-          ./Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
+          $srcdir/Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
       else
-          ./config $CONFIG_OPTS;
+          if which ccache >/dev/null && [ "$CC" != clang-3.6 ]; then
+              CC="ccache $CC";
+          fi;
+          $srcdir/config $CONFIG_OPTS;
       fi
     - cd ..
 
 script:
-    - cd _srcdist
-    - make
-    - if [ -n "$CROSS_COMPILE" ]; then
-          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
+    - if echo "$CONFIG_OPTS" | grep -e "--classic" >/dev/null; then
+          cd _srcdist;
+      else
+          cd _build;
+      fi
+    - make
+    - if [ -z "$BUILDONLY" ]; then
+          if [ -n "$CROSS_COMPILE" ]; then
+              export EXE_SHELL="wine" WINEPREFIX=`pwd`;
+          fi;
+          HARNESS_VERBOSE=yes make test;
+      else
+          make build_tests;
       fi
-    - HARNESS_VERBOSE=yes make test
     - cd ..
 
 notifications:
     email:
         - openssl-commits@openssl.org
+

CHANGES

@@ -2,7 +2,130 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
+
+  *) Add support for HKDF.
+     [Alessandro Ghedini]
+
+  *) Add support for blake2b and blake2s
+     [Bill Cox]
+
+  *) Added support for "pipelining". Ciphers that have the
+     EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
+     encryptions/decryptions simultaneously. There are currently no built-in
+     ciphers with this property but the expectation is that engines will be able
+     to offer it to significantly improve throughput. Support has been extended
+     into libssl so that multiple records for a single connection can be
+     processed in one go (for >=TLS 1.1).
+     [Matt Caswell]
+
+  *) Added the AFALG engine. This is an async capable engine which is able to
+     offload work to the Linux kernel. In this initial version it only supports
+     AES128-CBC. The kernel must be version 4.1.0 or greater.
+     [Catriona Lucey]
+
+  *) OpenSSL now uses a new threading API. It is no longer necessary to
+     set locking callbacks to use OpenSSL in a multi-threaded environment. There
+     are two supported threading models: pthreads and windows threads. It is
+     also possible to configure OpenSSL at compile time for "no-threads". The
+     old threading API should no longer be used. The functions have been
+     replaced with "no-op" compatibility macros.
+     [Alessandro Ghedini, Matt Caswell]
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+     [Todd Short]
+
+  *) Add SSL_CIPHER queries for authentication and key-exchange.
+     [Todd Short]
+
+  *) Changes to the DEFAULT cipherlist:
+       - Prefer (EC)DHE handshakes over plain RSA.
+       - Prefer AEAD ciphers over legacy ciphers.
+       - Prefer ECDSA over RSA when both certificates are available.
+       - Prefer TLSv1.2 ciphers/PRF.
+       - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
+         default cipherlist.
+     [Emilia Käsper]
+
+  *) Change the ECC default curve list to be this, in order: x25519,
+     secp256r1, secp521r1, secp384r1.
+     [Rich Salz]
+
+  *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+     disabled by default. They can be re-enabled using the
+     enable-weak-ssl-ciphers option to Configure.
+     [Matt Caswell]
+
+  *) If the server has ALPN configured, but supports no protocols that the
+     client advertises, send a fatal "no_application_protocol" alert.
+     This behaviour is SHALL in RFC 7301, though it isn't universally
+     implemented by other servers.
+     [Emilia Käsper]
+
+  *) Add X25519 support.
+     Integrate support for X25519 into EC library. This includes support
+     for public and private key encoding using the format documented in
+     draft-josefsson-pkix-newcurves-01: specifically X25519 uses the
+     OID from that draft, encodes public keys using little endian
+     format in the ECPoint structure and private keys using
+     little endian form in the privateKey field of the ECPrivateKey
+     structure. TLS support complies with draft-ietf-tls-rfc4492bis-06
+     and uses X25519(29).
+
+     Note: the current version supports key generation, public and
+     private key encoding and ECDH key agreement using the EC API.
+     Low level point operations such as EC_POINT_add(), EC_POINT_mul()
+     are NOT supported.
+     [Steve Henson]
+
+  *) Deprecate SRP_VBASE_get_by_user.
+     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+     In order to fix an unavoidable memory leak (CVE-2016-0798),
+     SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
+     seed, even if the seed is configured.
+
+     Users should use SRP_VBASE_get1_by_user instead. Note that in
+     SRP_VBASE_get1_by_user, caller must free the returned value. Note
+     also that even though configuring the SRP seed attempts to hide
+     invalid usernames by continuing the handshake with fake
+     credentials, this behaviour is not constant time and no strong
+     guarantees are made that the handshake is indistinguishable from
+     that of a valid user.
+     [Emilia Käsper]
+
+  *) Configuration change; it's now possible to build dynamic engines
+     without having to build shared libraries and vice versa.  This
+     only applies to the engines in engines/, those in crypto/engine/
+     will always be built into libcrypto (i.e. "static").
+
+     Building dynamic engines is enabled by default; to disable, use
+     the configuration option "disable-dynamic-engine".
+
+     The only requirements for building dynamic engines are the
+     presence of the DSO module and building with position independent
+     code, so they will also automatically be disabled if configuring
+     with "disable-dso" or "disable-pic".
+
+     The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
+     are also taken away from openssl/opensslconf.h, as they are
+     irrelevant.
+     [Richard Levitte]
+
+  *) Configuration change; if there is a known flag to compile
+     position independent code, it will always be applied on the
+     libcrypto and libssl object files, and never on the application
+     object files.  This means other libraries that use routines from
+     libcrypto / libssl can be made into shared libraries regardless
+     of how OpenSSL was configured.
+
+     If this isn't desirable, the configuration options "disable-pic"
+     or "no-pic" can be used to disable the use of PIC.  This will
+     also disable building shared libraries and dynamic engines.
+     [Richard Levitte]
+
+  *) Removed JPAKE code.  It was experimental and has no wide use.
+     [Rich Salz]
 
   *) The INSTALL_PREFIX Makefile variable has been renamed to
      DESTDIR.  That makes for less confusion on what this variable
@@ -23,7 +146,7 @@
      The "unified" build system is aimed to be a common system for all
      platforms we support.  With it comes new support for VMS.
 
-     This system builds supports building in a differnt directory tree
+     This system builds supports building in a different directory tree
      than the source tree.  It produces one Makefile (for unix family
      or lookalikes), or one descrip.mms (for VMS).
 
@@ -275,7 +398,7 @@
      [Rich Salz]
 
   *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
-     and sureware.
+     sureware and ubsec.
      [Matt Caswell, Rich Salz]
 
   *) New ASN.1 embed macro.
@@ -794,6 +917,143 @@
      whose return value is often ignored. 
      [Steve Henson]
 
+  *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
+     These allow SCTs (signed certificate timestamps) to be requested and
+     validated when establishing a connection.
+     [Rob Percival <robpercival@google.com>]
+
+ Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
+
+  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+    Builds that are not configured with "enable-weak-ssl-ciphers" will not
+    provide any "EXPORT" or "LOW" strength ciphers.
+    [Viktor Dukhovni]
+
+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+    is by default disabled at build-time.  Builds that are not configured with
+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+    will need to explicitly call either of:
+
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+    or
+        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+    as appropriate.  Even if either of those is used, or the application
+    explicitly uses the version-specific SSLv2_method() or its client and
+    server variants, SSLv2 ciphers vulnerable to exhaustive search key
+    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
+    ciphers, and SSLv2 56-bit DES are no longer available.
+    (CVE-2016-0800)
+    [Viktor Dukhovni]
+
+  *) Fix a double-free in DSA code
+
+     A double free bug was discovered when OpenSSL parses malformed DSA private
+     keys and could lead to a DoS attack or memory corruption for applications
+     that receive DSA private keys from untrusted sources.  This scenario is
+     considered rare.
+
+     This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
+     libFuzzer.
+     (CVE-2016-0705)
+     [Stephen Henson]
+
+  *) Disable SRP fake user seed to address a server memory leak.
+
+     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+
+     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+     In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+     was changed to ignore the "fake user" SRP seed, even if the seed
+     is configured.
+
+     Users should use SRP_VBASE_get1_by_user instead. Note that in
+     SRP_VBASE_get1_by_user, caller must free the returned value. Note
+     also that even though configuring the SRP seed attempts to hide
+     invalid usernames by continuing the handshake with fake
+     credentials, this behaviour is not constant time and no strong
+     guarantees are made that the handshake is indistinguishable from
+     that of a valid user.
+     (CVE-2016-0798)
+     [Emilia Käsper]
+
+  *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+
+     In the BN_hex2bn function the number of hex digits is calculated using an
+     int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
+     large values of |i| this can result in |bn_expand| not allocating any
+     memory because |i * 4| is negative. This can leave the internal BIGNUM data
+     field as NULL leading to a subsequent NULL ptr deref. For very large values
+     of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+     In this case memory is allocated to the internal BIGNUM data field, but it
+     is insufficiently sized leading to heap corruption. A similar issue exists
+     in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
+     is ever called by user applications with very large untrusted hex/dec data.
+     This is anticipated to be a rare occurrence.
+
+     All OpenSSL internal usage of these functions use data that is not expected
+     to be untrusted, e.g. config file data or application command line
+     arguments. If user developed applications generate config file data based
+     on untrusted data then it is possible that this could also lead to security
+     consequences. This is also anticipated to be rare.
+
+     This issue was reported to OpenSSL by Guido Vranken.
+     (CVE-2016-0797)
+     [Matt Caswell]
+
+  *) Fix memory issues in BIO_*printf functions
+
+     The internal |fmtstr| function used in processing a "%s" format string in
+     the BIO_*printf functions could overflow while calculating the length of a
+     string and cause an OOB read when printing very long strings.
+
+     Additionally the internal |doapr_outch| function can attempt to write to an
+     OOB memory location (at an offset from the NULL pointer) in the event of a
+     memory allocation failure. In 1.0.2 and below this could be caused where
+     the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+     could be in processing a very long "%s" format string. Memory leaks can
+     also occur.
+
+     The first issue may mask the second issue dependent on compiler behaviour.
+     These problems could enable attacks where large amounts of untrusted data
+     is passed to the BIO_*printf functions. If applications use these functions
+     in this way then they could be vulnerable. OpenSSL itself uses these
+     functions when printing out human-readable dumps of ASN.1 data. Therefore
+     applications that print this data could be vulnerable if the data is from
+     untrusted sources. OpenSSL command line applications could also be
+     vulnerable where they print out ASN.1 data, or if untrusted data is passed
+     as command line arguments.
+
+     Libssl is not considered directly vulnerable. Additionally certificates etc
+     received via remote connections via libssl are also unlikely to be able to
+     trigger these issues because of message size limits enforced within libssl.
+
+     This issue was reported to OpenSSL Guido Vranken.
+     (CVE-2016-0799)
+     [Matt Caswell]
+
+  *) Side channel attack on modular exponentiation
+
+     A side-channel attack was found which makes use of cache-bank conflicts on
+     the Intel Sandy-Bridge microarchitecture which could lead to the recovery
+     of RSA keys.  The ability to exploit this issue is limited as it relies on
+     an attacker who has control of code in a thread running on the same
+     hyper-threaded core as the victim thread which is performing decryptions.
+
+     This issue was reported to OpenSSL by Yuval Yarom, The University of
+     Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
+     Nadia Heninger, University of Pennsylvania with more information at
+     http://cachebleed.info.
+     (CVE-2016-0702)
+     [Andy Polyakov]
+
+  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
+     if no keysize is specified with default_bits. This fixes an
+     omission in an earlier change that changed all RSA/DSA key generation
+     apps to use 2048 bits by default.
+     [Emilia Käsper]
+
  Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
   *) DH small subgroups
 

Configurations/00-base-templates.conf

@@ -1,19 +1,16 @@
 # -*- Mode: perl -*-
 %targets=(
-    BASE => {
+    DEFAULTS => {
 	template	=> 1,
 
 	cflags		=> "",
 	defines		=> [],
-	debug_cflags	=> "",
-	debug_defines	=> [],
-	release_cflags	=> "",
-	release_defines => [],
-	thread_cflags	=> "",
+	thread_scheme	=> "(unknown)", # Assume we don't know
 	thread_defines	=> [],
 
-	apps_extra_src	=> "",
+	apps_aux_src	=> "",
 	cpuid_asm_src	=> "mem_clr.c",
+	uplink_aux_src	=> "",
 	bn_asm_src	=> "bn_asm.c",
 	ec_asm_src	=> "",
 	des_asm_src	=> "des_enc.c fcrypt_b.c",
@@ -34,11 +31,116 @@
 	unistd		=> "<unistd.h>",
 	shared_target	=> "",
 	shared_cflag	=> "",
+	shared_defines	=> [],
 	shared_ldflag	=> "",
 	shared_rcflag	=> "",
 	shared_extension	=> "",
-	build_scheme	=> "unixmake",
-	build_file      => "Makefile",
+
+        build_scheme    => [ "unified", "unix" ],
+        build_file      => "Makefile",
+    },
+
+    BASE_common => {
+	template	=> 1,
+	defines		=>
+	    [ sub {
+		unless ($disabled{zlib}) {
+		    if (defined($disabled{"zlib-dynamic"})) {
+			return "ZLIB";
+		    } else {
+			return "ZLIB_SHARED";
+		    }
+		}
+		return (); }
+	    ],
+    },
+
+    BASE_unix => {
+        inherit_from    => [ "BASE_common" ],
+        template        => 1,
+
+        ex_libs         =>
+            sub {
+                unless ($disabled{zlib}) {
+                    if (defined($disabled{"zlib-dynamic"})) {
+                        if (defined($withargs{zlib_lib})) {
+                            return "-L".$withargs{zlib_lib}." -lz";
+                        } else {
+                            return "-lz";
+                        }
+                    }
+                }
+                return (); },
+
+        build_scheme    => [ "unified", "unix" ],
+        build_file      => "Makefile",
+    },
+
+    BASE_Windows => {
+        inherit_from    => [ "BASE_common" ],
+        template        => 1,
+
+        ex_libs         =>
+            sub {
+                unless ($disabled{zlib}) {
+                    if (defined($disabled{"zlib-dynamic"})) {
+                        return "zlib1.lib";
+                    }
+                }
+                return (); },
+
+        ld              => "link",
+        lflags          => "/nologo",
+        loutflag        => "/out:",
+        ar              => "lib",
+        arflags         => "/nologo",
+        aroutflag       => "/out:",
+
+        build_file      => "makefile",
+        build_scheme    => [ "unified", "windows" ],
+    },
+
+    BASE_VMS => {
+        inherit_from    => [ "BASE_common" ],
+        template        => 1,
+
+        ex_libs          =>
+            sub {
+                unless ($disabled{zlib}) {
+                    if (defined($disabled{"zlib-dynamic"})) {
+                        if (defined($withargs{zlib_lib})) {
+                            return $withargs{zlib_lib}.'GNV$LIBZSHR.EXE/SHARED'
+                        } else {
+                            return 'GNV$LIBZSHR/SHARE';
+                        }
+                    }
+                }
+                return (); },
+
+        build_file       => "descrip.mms",
+        build_scheme     => [ "unified", "VMS" ],
+    },
+
+    uplink_common => {
+	template	=> 1,
+	apps_aux_src	=> add("../ms/applink.c"),
+	uplink_aux_src	=> add("../ms/uplink.c"),
+	shared_defines	=> add("OPENSSL_USE_APPLINK", { separator => undef }),
+    },
+    x86_uplink => {
+	inherit_from	=> [ "uplink_common" ],
+	template	=> 1,
+	uplink_aux_src	=> add("uplink-x86.s"),
+    },
+    x86_64_uplink => {
+	inherit_from	=> [ "uplink_common" ],
+	template	=> 1,
+	uplink_aux_src	=> add("uplink-x86_64.s"),
+    },
+    ia64_uplink => {
+	inherit_from	=> [ "uplink_common" ],
+	template	=> 1,
+	uplink_aux_src	=> add("uplink-ia64.s"),
     },
 
     x86_asm => {
@@ -97,14 +199,14 @@
     sparcv9_asm => {
 	template	=> 1,
 	cpuid_asm_src   => "sparcv9cap.c sparccpuid.S",
-	bn_asm_src      => "asm/sparcv8plus.S sparcv9-mont.s sparcv9a-mont.s vis3-mont.s sparct4-mont.S sparcv9-gf2m.S",
+	bn_asm_src      => "asm/sparcv8plus.S sparcv9-mont.S sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S",
 	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-sparcv9.S",
-	des_asm_src     => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.s",
-	aes_asm_src     => "aes_core.c aes_cbc.c aes-sparcv9.s aest4-sparcv9.s",
+	des_asm_src     => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-sparcv9.S aest4-sparcv9.S",
 	md5_asm_src     => "md5-sparcv9.S",
 	sha1_asm_src    => "sha1-sparcv9.S sha256-sparcv9.S sha512-sparcv9.S",
-	cmll_asm_src    => "camellia.c cmll_misc.c cmll_cbc.c cmllt4-sparcv9.s",
-	modes_asm_src   => "ghash-sparcv9.s",
+	cmll_asm_src    => "camellia.c cmll_misc.c cmll_cbc.c cmllt4-sparcv9.S",
+	modes_asm_src   => "ghash-sparcv9.S",
 	poly1305_asm_src=> "poly1305-sparcv9.S",
 	perlasm_scheme	=> "void"
     },
@@ -136,7 +238,7 @@
     },
     s390x_asm => {
 	template	=> 1,
-	cpuid_asm_src   => "s390xcap.c s390xcpuid.s",
+	cpuid_asm_src   => "s390xcap.c s390xcpuid.S",
 	bn_asm_src      => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
 	aes_asm_src     => "aes-s390x.S aes-ctr.fake aes-xts.fake",
 	sha1_asm_src    => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",

Configurations/90-team.conf

@@ -1,30 +1,37 @@
 ## -*- mode: perl; -*-
 ## Build configuration targets for openssl-team members
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
+
+sub threads {
+    my @flags = @_;
+    return sub { add($disabled{threads} ? () : @flags)->(); }
+}
+
+sub combine {
+    my @stuff = @_;
+    return sub { add(@stuff)->(); }
+}
 
 %targets = (
     "purify" => {
         cc               => "purify gcc",
         cflags           => "-g -Wall",
-        thread_cflag     => "(unknown)",
-        ex_libs          => "-lsocket -lnsl",
+        thread_scheme    => "(unknown)",
+        ex_libs          => add(" ","-lsocket -lnsl"),
     },
     "debug" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
-        thread_cflag     => "(unknown)",
-        ex_libs          => "-lefence",
+        thread_scheme    => "(unknown)",
+        ex_libs          => add(" ","-lefence"),
     },
     "debug-erbridge" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
@@ -36,28 +43,31 @@
     "debug-linux-pentium" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
     },
     "debug-linux-ppro" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
     },
     "debug-linux-elf-noefence" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",
@@ -65,9 +75,9 @@
     },
     "debug-linux-ia32-aes" => {
         cc               => "gcc",
-        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
         cpuid_asm_src    => "x86cpuid.s",
         bn_asm_src       => "bn-586.s co-586.s x86-mont.s",
@@ -83,6 +93,7 @@
         wp_asm_src       => "wp_block.s wp-mmx.s",
         modes_asm_src    => "ghash-x86.s",
         padlock_asm_src  => "e_padlock-x86.s",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
@@ -92,14 +103,15 @@
     "dist" => {
         cc               => "cc",
         cflags           => "-O",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-test-64-clang" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "clang",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -109,10 +121,11 @@
     "darwin64-debug-test-64-clang" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "clang",
-        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         sys_id           => "MACOSX",
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "macosx",
         dso_scheme       => "dlfcn",
         shared_target    => "darwin-shared",

Configurations/99-personal-ben.conf

@@ -1,37 +1,34 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-ben" => {
         cc               => "gcc",
         cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-openbsd" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-openbsd-debug" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-debug" => {
         cc               => "gcc",
         cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DOPENSSL_NO_HW_PADLOCK -g3 -O2 -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-debug-64" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -41,9 +38,10 @@
     "debug-ben-debug-64-clang" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "clang",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -53,9 +51,10 @@
     "debug-ben-debug-64-noopt" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -65,26 +64,27 @@
     "debug-ben-macos" => {
         cc               => "cc",
         cflags           => "$gcc_devteam_warn -DOPENSSL_NO_ASM -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -DL_ENDIAN -g3 -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-no-opt" => {
         cc               => "gcc",
         cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -Werror -DL_ENDIAN -Wall -g3",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-strict" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-darwin64" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "cc",
-        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
-        thread_cflag     => "-D_REENTRANT",
+        cflags           => combine("$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
+                                    threads("-D_REENTRANT")),
         sys_id           => "MACOSX",
         plib_lflags      => "-Wl,-search_paths_first",
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "macosx",
         dso_scheme       => "dlfcn",
         shared_target    => "darwin-shared",

Configurations/99-personal-bodo.conf

@@ -1,18 +1,15 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-bodo" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",

Configurations/99-personal-geoff.conf

@@ -1,17 +1,14 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-geoff32" => {
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",
@@ -19,10 +16,11 @@
     },
     "debug-geoff64" => {
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",

Configurations/99-personal-levitte.conf

@@ -1,22 +1,26 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
+
+sub picker {
+    my %opts = @_;
+    return sub { add($opts{default} || (),
+                     $opts{$config{build_type}} || ())->(); }
+}
 
 %targets = (
     "levitte-linux-elf" => {
         inherit_from     => [ "linux-elf" ],
-        debug_cflags     => add("-ggdb -g3"),
-        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        cflags           => add(picker(debug => "-ggdb -g3")),
+        defines          => add(picker(debug => "LEVITTE_DEBUG"),
+                                { separator => undef }),
         build_scheme     => [ "unified", "unix" ],
         build_file       => "Makefile",
     },
     "levitte-linux-x86_64" => {
         inherit_from     => [ "linux-x86_64" ],
-        debug_cflags     => add("-ggdb -g3"),
-        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        cflags           => add(picker(debug => "-ggdb -g3")),
+        defines          => add(picker(debug => "LEVITTE_DEBUG"),
+                                { separator => undef }),
         build_scheme     => [ "unified", "unix" ],
         build_file       => "Makefile",
     },

Configurations/99-personal-rse.conf

@@ -1,16 +1,12 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-rse" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "cc",
         cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
         bn_ops           => "BN_LLONG",
     },
 );

Configurations/99-personal-steve.conf

@@ -1,18 +1,15 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-steve64" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
@@ -23,11 +20,12 @@
     "debug-steve32" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
-        thread_cflag     => "-D_REENTRANT",
+        cflags           => combine("$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
+                                    threads("-D_REENTRANT")),
         lflags           => "-rdynamic",
-        ex_libs          => "-ldl",
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",
@@ -37,10 +35,11 @@
     "debug-steve-opt" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",

Configurations/README

@@ -28,30 +28,6 @@ In each table entry, the following keys are significant:
                            given here, they MUST be as an array of the
                            string such as "MACRO=value", or just
                            "MACRO" for definitions without value.
-        debug_cflags    => Extra compilation flags used when making a
-                           debug build (when Configure receives the
-                           --debug option).  Typically something like
-                           "-g -O0".
-        debug_defines   => Similarly to `debug_cflags', this gets
-                           combined with `defines' during a debug
-                           build.  The value here MUST also be an
-                           array of the same form as for `defines'.
-        release_cflags  => Extra compilation flags used when making a
-                           release build (when Configure receives the
-                           --release option, or doesn't receive the
-                           --debug option).  Typically something like
-                           "-O" or "-O3".
-        release_defines => Similarly to `release_cflags', this gets
-                           combined with `defines' during a release
-                           build.  The value here MUST also be an
-                           array of the same form as for `defines'.
-        thread_cflags   => Extra compilation flags used when
-                           compiling with threading enabled.
-                           Explained further below.  [2]
-        thread_defines  => Similarly to `thread_cflags', this gets
-                           combined with `defines' when threading is
-                           enabled.  The value here MUST also be an
-                           array of the same form as for `defines'.
         shared_cflag    => Extra compilation flags used when
                            compiling for shared libraries, typically
                            something like "-fPIC".
@@ -70,9 +46,6 @@ In each table entry, the following keys are significant:
         ex_libs         => Extra libraries that are needed when
                            linking.
 
-        debug_lflags    => Like debug_cflags, but used when linking.
-        release_lflags  => Like release_cflags, but used when linking.
-
         ar              => The library archive command, the default is
                            "ar".
                            (NOTE: this is here for future use, it's
@@ -97,6 +70,14 @@ In each table entry, the following keys are significant:
                            this is here for future use, it's not
                            implemented yet)
 
+        thread_scheme   => The type of threads is used on the
+                           configured platform.  Currently known
+                           values are "(unknown)", "pthreads",
+                           "uithreads" (a.k.a solaris threads) and
+                           "winthreads".  Except for "(unknown)", the
+                           actual value is currently ignored but may
+                           be used in the future.  See further notes
+                           below [2].
         dso_scheme      => The type of dynamic shared objects to build
                            for.  This mostly comes into play with
                            engines, but can be used for other purposes
@@ -216,7 +197,7 @@ In each table entry, the following keys are significant:
     'inherit_from' that indicate what other configurations to inherit
     data from.  These are resolved recursively.
 
-    Inheritance works as a set of default values that can be overriden
+    Inheritance works as a set of default values that can be overridden
     by corresponding key values in the inheriting configuration.
 
     Note 1: any configuration table can be used as a template.
@@ -265,7 +246,7 @@ In each table entry, the following keys are significant:
         }
 
 [2] OpenSSL is built with threading capabilities unless the user
-    specifies 'no-threads'.  The value of the key 'thread_cflags' may
+    specifies 'no-threads'.  The value of the key 'thread_scheme' may
     be "(unknown)", in which case the user MUST give some compilation
     flags to Configure.
 
@@ -382,8 +363,22 @@ include paths the build of their source files should use:
 
     INCLUDE[foo]=include
 
-It's possible to have raw build file lines, between BEGINRAW and
-ENDRAW lines as follows:
+In some cases, one might want to generate some source files from
+others, that's done as follows:
+
+    GENERATE[foo.s]=asm/something.pl $(CFLAGS)
+    GENERATE[bar.s]=asm/bar.S
+
+The value of each GENERATE line is a command line or part of it.
+Configure places no rules on the command line, except the the first
+item muct be the generator file.  It is, however, entirely up to the
+build file template to define exactly how those command lines should
+be handled, how the output is captured and so on.
+
+NOTE: GENERATE lines are limited to one command only per GENERATE.
+
+As a last resort, it's possible to have raw build file lines, between
+BEGINRAW and ENDRAW lines as follows:
 
     BEGINRAW[Makefile(unix)]
     haha.h: {- $builddir -}/Makefile
@@ -409,6 +404,18 @@ configuration items:
    build hoho.h: echo "/* hoho */" > hoho.h
    ENDRAW[build.ninja(unix)]
 
+Should it be needed because the recipes within a RAW section might
+clash with those generated by Configure, it's possible to tell it
+not to generate them with the use of OVERRIDES, for example:
+
+    SOURCE[libfoo]=foo.c bar.c
+    
+    OVERRIDES=bar.o
+    BEGINRAW[Makefile(unix)]
+    bar.o: bar.c
+    	$(CC) $(CFLAGS) -DSPECIAL -c -o $@ $<
+    ENDRAW[Makefile(unix)]
+
 See the documentation further up for more information on configuration
 items.
 
@@ -430,7 +437,7 @@ example, the above would have "something" used, since 1 is true.
 Together with the use of Text::Template, this can be used as
 conditions based on something in the passed variables, for example:
 
-    IF[{- $config{no_shared} -}]
+    IF[{- $disabled{shared} -}]
       LIBS=libcrypto
       SOURCE[libcrypto]=...
     ELSE
@@ -480,25 +487,25 @@ The build-file template is expected to define at least the following
 perl functions in a perl code fragment enclosed with "{-" and "-}".
 They are all expected to return a string with the lines they produce.
 
-    src2dep     - function that produces build file lines to get the
-                  dependencies for an object file into a dependency
-                  file.
+    generatesrc - function that produces build file lines to generate
+                  a source file from some input.
 
                   It's called like this:
 
-                        src2dep(obj => "PATH/TO/objectfile",
-                                srcs => [ "PATH/TO/sourcefile", ... ],
-                                deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]);
+                        generatesrc(src => "PATH/TO/tobegenerated",
+                                    generator => [ "generatingfile", ... ]
+                                    deps => [ "dep1", ... ],
+                                    intent => one of "libs", "dso", "bin" );
 
-                  'obj' has the dependent object file as well as
-                  object file the dependencies are for; it's *without*
-                  extension, src2dep() is expected to add that.
-                  'srcs' has the list of source files to build the
-                  object file, with the first item being the source
-                  file that directly corresponds to the object file.
-                  'deps' is a list of explicit dependencies.  'incs'
-                  is a list of include file directories.
+                  'src' has the name of the file to be generated.
+                  'generator' is the command or part of command to
+                  generate the file, of which the first item is
+                  expected to be the file to generate from.
+                  generatesrc() is expected to analyse and figure out
+                  exactly how to apply that file and how to capture
+                  the result.  'deps' is a list of explicit
+                  dependencies.  'intent' indicates what the generated
+                  file is going to be used for.
 
     src2obj     - function that produces build file lines to build an
                   object file from source files and associated data.
@@ -508,7 +515,8 @@ They are all expected to return a string with the lines they produce.
                         src2obj(obj => "PATH/TO/objectfile",
                                 srcs => [ "PATH/TO/sourcefile", ... ],
                                 deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]);
+                                incs => [ "INCL/PATH", ... ]
+                                intent => one of "lib", "dso", "bin" );
 
                   'obj' has the intended object file *without*
                   extension, src2obj() is expected to add that.
@@ -516,7 +524,9 @@ They are all expected to return a string with the lines they produce.
                   object file, with the first item being the source
                   file that directly corresponds to the object file.
                   'deps' is a list of explicit dependencies.  'incs'
-                  is a list of include file directories.
+                  is a list of include file directories.  Finally,
+                  'intent' indicates what this object file is going
+                  to be used for.
 
     obj2lib     - function that produces build file lines to build a
                   static library file ("libfoo.a" in Unix terms) from
@@ -547,7 +557,7 @@ They are all expected to return a string with the lines they produce.
 
                   'lib' has the intended library file name *without*
                   extension, libobj2shlib is expected to add that.
-                  'shlib' has the correcponding shared library name
+                  'shlib' has the corresponding shared library name
                   *without* extension.  'deps' has the list of other
                   libraries (also *without* extension) this library
                   needs to be linked with.  'objs' has the list of
@@ -562,16 +572,15 @@ They are all expected to return a string with the lines they produce.
                   corresponding static library as input to make the
                   shared library, or the list of object files.
 
-    obj2dynlib  - function that produces build file lines to build a
-                  dynamically loadable library file ("libfoo.so" on
-                  Unix) from object files.
+    obj2dso     - function that produces build file lines to build a
+                  dynamic shared object file from object files.
 
                   called like this:
 
-                        obj2dynlib(lib => "PATH/TO/libfile",
-                                   objs => [ "PATH/TO/objectfile", ... ],
-                                   deps => [ "PATH/TO/otherlibfile",
-                                   ... ]);
+                        obj2dso(lib => "PATH/TO/libfile",
+                                objs => [ "PATH/TO/objectfile", ... ],
+                                deps => [ "PATH/TO/otherlibfile",
+                                ... ]);
 
                   This is almost the same as libobj2shlib, but the
                   intent is to build a shareable library that can be
@@ -614,7 +623,7 @@ the build file actions run with the build tree top as current working
 directory.
 
 Make sure to end the section with these functions with a string that
-you thing is apropriate for the resulting build file.  If nothing
+you thing is appropriate for the resulting build file.  If nothing
 else, end it like this:
 
       "";       # Make sure no lingering values end up in the Makefile

Configurations/README.design

@@ -28,11 +28,11 @@ information needed to build output files, and therefore only (with a
 few possible exceptions [1]) have information about end products (such
 as scripts, library files and programs) and source files (such as C
 files, C header files, assembler files, etc).  Intermediate files such
-as object files are rarely directly refered to in build.info files (and
+as object files are rarely directly referred to in build.info files (and
 when they are, it's always with the file name extension .o), they are
-infered by Configure.  By the same rule of minimalism, end product
+inferred by Configure.  By the same rule of minimalism, end product
 file name extensions (such as .so, .a, .exe, etc) are never mentioned
-in build.info.  Their file name extensions will be infered by the
+in build.info.  Their file name extensions will be inferred by the
 build-file templates, adapted for the platform they are meant for (see
 sections on %unified_info and build-file templates further down).
 
@@ -89,11 +89,8 @@ depends on the library 'libssl' to function properly.
     SOURCE[../libcrypto]=aes.c evp.c cversion.c
     DEPEND[cversion.o]=buildinf.h
     
-    BEGINRAW[Makefile(unix)]
-    crypto/buildinf.h : Makefile
-    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
-    	    > crypto/buildinf.h
-    ENDRAW[Makefile(unix)]
+    GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
+    DEPEND[buildinf.h]=../Makefile
 
 This is the build.info file in 'crypto', and it tells us a little more
 about what's needed to produce 'libcrypto'.  LIBS is used again to
@@ -112,7 +109,7 @@ Unix-like operating systems.
 
 Two things are worth an extra note:
 
-'DEPEND[cversion.o]' mentiones an object file.  DEPEND indexes is the
+'DEPEND[cversion.o]' mentions an object file.  DEPEND indexes is the
 only location where it's valid to mention them
 
 Lines in 'BEGINRAW'..'ENDRAW' sections must always mention files as
@@ -161,11 +158,8 @@ information comes down to this:
     DEPEND[engines/libossltest]=libcrypto
     INCLUDE[engines/libossltest]=include
     
-    BEGINRAW[Makefile(unix)]
-    crypto/buildinf.h : Makefile
-    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
-    	    > crypto/buildinf.h
-    ENDRAW[Makefile(unix)]
+    GENERATE[crypto/buildinf.h]=util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
+    DEPEND[crypto/buildinf.h]=Makefile
 
 
 A few notes worth mentioning:
@@ -180,7 +174,7 @@ The indexes for SOURCE, INCLUDE and ORDINALS must only be end product
 files, such as libraries, programs or engines.  The values of SOURCE
 variables must only be source files (possibly generated)
 
-DEPEND shows a relationship between different end product files, such
+DEPEND shows a relationship between different produced files, such
 as a program depending on a library, or between an object file and
 some extra source file.
 
@@ -296,12 +290,12 @@ section above would be digested into a %unified_info table:
                 "libcrypto" =>
                     [
                         "crypto",
-                        "util/libeay.num",
+                        "util/libcrypto.num",
                     ],
                 "libssl" =>
                     [
                         "ssl",
-                        "util/ssleay.num",
+                        "util/libssl.num",
                     ],
             },
         "programs" =>
@@ -361,7 +355,7 @@ section above would be digested into a %unified_info table:
             },
     );
 
-As can be seen, everything in %unified_info is fairly simple nuggest
+As can be seen, everything in %unified_info is fairly simple suggest
 of information.  Still, it tells us that to build all programs, we
 must build 'apps/openssl', and to build the latter, we will need to
 build all its sources ('apps/openssl.o' in this case) and all the
@@ -384,24 +378,6 @@ build static libraries from object files, to build shared libraries
 from static libraries, to programs from object files and libraries,
 etc.
 
-    src2dep     - function that produces build file lines to get the
-                  dependencies for an object file into a dependency
-                  file.
-
-                  It's called like this:
-
-                        src2dep(obj => "PATH/TO/objectfile",
-                                srcs => [ "PATH/TO/sourcefile", ... ],
-                                incs => [ "INCL/PATH", ... ]);
-
-                  'obj' has the dependent object file as well as
-                  object file the dependencies are for; it's *without*
-                  extension, src2dep() is expected to add that.
-                  'srcs' has the list of source files to build the
-                  object file, with the first item being the source
-                  file that directly corresponds to the object file.
-                  'incs' is a list of include file directories.
-
     src2obj     - function that produces build file lines to build an
                   object file from source files and associated data.
 
@@ -410,15 +386,18 @@ etc.
                         src2obj(obj => "PATH/TO/objectfile",
                                 srcs => [ "PATH/TO/sourcefile", ... ],
                                 deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]);
+                                incs => [ "INCL/PATH", ... ]
+                                intent => one of "lib", "dso", "bin" );
 
                   'obj' has the intended object file *without*
                   extension, src2obj() is expected to add that.
                   'srcs' has the list of source files to build the
                   object file, with the first item being the source
                   file that directly corresponds to the object file.
-                  'deps' is a list of dependencies.  'incs' is a list
-                  of include file directories.
+                  'deps' is a list of explicit dependencies.  'incs'
+                  is a list of include file directories.  Finally,
+                  'intent' indicates what this object file is going
+                  to be used for.
 
     obj2lib     - function that produces build file lines to build a
                   static library file ("libfoo.a" in Unix terms) from
@@ -449,7 +428,7 @@ etc.
 
                   'lib' has the intended library file name *without*
                   extension, libobj2shlib is expected to add that.
-                  'shlib' has the correcponding shared library name
+                  'shlib' has the corresponding shared library name
                   *without* extension.  'deps' has the list of other
                   libraries (also *without* extension) this library
                   needs to be linked with.  'objs' has the list of
@@ -457,7 +436,7 @@ etc.
                   this library.  'ordinals' MAY be present, and when
                   it is, its value is an array where the word is
                   "crypto" or "ssl" and the file is one of the ordinal
-                  files util/libeay.num or util/ssleay.num in the
+                  files util/libcrypto.num or util/libssl.num in the
                   source directory.
 
                   This function has a choice; it can use the
@@ -530,7 +509,7 @@ following calls:
                  lib => "libssl",
                  objs => [ "ssl/tls.o" ],
                  deps => [ "libcrypto" ]
-                 ordinals => [ "ssl", "util/ssleay.num" ]);
+                 ordinals => [ "ssl", "util/libssl.num" ]);
 
     obj2lib(lib => "libssl"
             objs => [ "ssl/tls.o" ]);

Configurations/common.tmpl

@@ -1,6 +1,7 @@
 {- # -*- Mode: perl -*-
 
-     my $a;
+     # A cache of objects for which a recipe has already been generated
+     my %cache;
 
  # resolvedepends and reducedepends work in tandem to make sure
  # there are no duplicate dependencies and that they are in the
@@ -31,24 +32,50 @@
      @newlist;
  }
 
+ # dogenerate is responsible for producing all the recipes that build
+ # generated source files.  It recurses in case a dependency is also a
+ # generated source file.
+ sub dogenerate {
+     my $src = shift;
+     return "" if $cache{$src};
+     my $obj = shift;
+     my $bin = shift;
+     my %opts = @_;
+     if ($unified_info{generate}->{$src}) {
+         $OUT .= generatesrc(src => $src,
+                             generator => $unified_info{generate}->{$src},
+                             deps => $unified_info{depends}->{$src},
+                             incs => [ @{$unified_info{includes}->{$bin}},
+                                       @{$unified_info{includes}->{$obj}} ],
+                             %opts);
+         foreach (@{$unified_info{depends}->{$src}}) {
+             dogenerate($_, $obj, $bin, %opts);
+         }
+     }
+     $cache{$src} = 1;
+ }
+
  # doobj is responsible for producing all the recipes that build
  # object files as well as dependency files.
  sub doobj {
      my $obj = shift;
+     return "" if $cache{$obj};
      (my $obj_no_o = $obj) =~ s|\.o$||;
      my $bin = shift;
+     my %opts = @_;
      if (@{$unified_info{sources}->{$obj}}) {
          $OUT .= src2obj(obj => $obj_no_o,
                          srcs => $unified_info{sources}->{$obj},
-                         deps => [ reducedepends(resolvedepends($obj)) ],
+                         deps => $unified_info{depends}->{$obj},
                          incs => [ @{$unified_info{includes}->{$bin}},
-                                   @{$unified_info{includes}->{$obj}} ]);
-         $OUT .= src2dep(obj => $obj_no_o,
-                         srcs => $unified_info{sources}->{$obj},
-                         deps => [ reducedepends(resolvedepends($obj)) ],
-                         incs => [ @{$unified_info{includes}->{$bin}},
-                                   @{$unified_info{includes}->{$obj}} ]);
+                                   @{$unified_info{includes}->{$obj}} ],
+                         %opts);
+         foreach ((@{$unified_info{sources}->{$obj}},
+                   @{$unified_info{depends}->{$obj}})) {
+             dogenerate($_, $obj, $bin, %opts);
+         }
      }
+     $cache{$obj} = 1;
  }
 
  # dolib is responsible for building libraries.  It will call
@@ -57,7 +84,8 @@
  # built.
  sub dolib {
      my $lib = shift;
-     if (!$config{no_shared}) {
+     return "" if $cache{$lib};
+     unless ($disabled{shared}) {
          my %ordinals =
              $unified_info{ordinals}->{$lib}
              ? (ordinals => $unified_info{ordinals}->{$lib}) : ();
@@ -72,40 +100,50 @@
                      objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
                                @{$unified_info{sources}->{$lib}} ]);
      map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+     $cache{$lib} = 1;
  }
 
  # doengine is responsible for building engines.  It will call
- # obj2dynlib, and also makes sure all object files for the library
+ # obj2dso, and also makes sure all object files for the library
  # are built.
  sub doengine {
      my $lib = shift;
-     $OUT .= obj2dynlib(lib => $lib,
-                        objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
-                                  @{$unified_info{sources}->{$lib}} ],
-                        deps => [ resolvedepends($lib) ]);
-     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+     return "" if $cache{$lib};
+     $OUT .= obj2dso(lib => $lib,
+                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                               @{$unified_info{sources}->{$lib}} ],
+                     deps => [ resolvedepends($lib) ]);
+     map { doobj($_, $lib, intent => "dso") } @{$unified_info{sources}->{$lib}};
+     $cache{$lib} = 1;
  }
 
  # dobin is responsible for building programs.  It will call obj2bin,
  # and also makes sure all object files for the library are built.
  sub dobin {
      my $bin = shift;
+     return "" if $cache{$bin};
      my $deps = [ reducedepends(resolvedepends($bin)) ];
      $OUT .= obj2bin(bin => $bin,
                      objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
                                @{$unified_info{sources}->{$bin}} ],
                      deps => $deps);
      map { doobj($_, $bin, intent => "bin") } @{$unified_info{sources}->{$bin}};
+     $cache{$bin} = 1;
  }
 
  # dobin is responsible for building scripts from templates.  It will
  # call in2script.
  sub doscript {
      my $script = shift;
+     return "" if $cache{$script};
      $OUT .= in2script(script => $script,
                        sources => $unified_info{sources}->{$script});
+     $cache{$script} = 1;
  }
 
+ # Start with populating the cache with all the overrides
+ %cache = map { $_ => 1 } @{$unified_info{overrides}};
+
  # Build all known libraries, engines, programs and scripts.
  # Everything else will be handled as a consequence.
  map { dolib($_) } @{$unified_info{libraries}};

Configurations/descrip.mms.tmpl

@@ -50,15 +50,13 @@
   }
   my $sd1 = sourcedir("ssl","record");
   my $sd2 = sourcedir("ssl","statem");
-  $unified_info{before}->{"[.crypto.ct]ct_lib.OBJ"}
-      = $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
+  $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
       = $unified_info{before}->{"[.test]ssltest.OBJ"}
       = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
         define record 'record'
         statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
         define statem 'statem');
-  $unified_info{after}->{"[.crypto.ct]ct_lib.OBJ"}
-      = $unified_info{after}->{"[.test]heartbeat_test.OBJ"}
+  $unified_info{after}->{"[.test]heartbeat_test.OBJ"}
       = $unified_info{after}->{"[.test]ssltest.OBJ"}
       = qq(deassign statem
         deassign record);
@@ -105,6 +103,12 @@ ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{engines}}) -}
 PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } grep { !m|^\[\.test\]| } @{$unified_info{programs}}) -}
 TESTPROGS={- join(", ", map { "-\n\t".$_.".EXE" } grep { m|^\[\.test\]| } @{$unified_info{programs}}) -}
 SCRIPTS={- join(", ", map { "-\n\t".$_ } @{$unified_info{scripts}}) -}
+{- output_off() if $disabled{makedepend}; "" -}
+DEPS={- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
+                    grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                    keys %{$unified_info{sources}};
+        join(", ", map { "-\n\t".$_ } @deps); -}
+{- output_on() if $disabled{makedepend}; "" -}
 
 # DESTDIR is for package builders so that they can configure for, say,
 # SYS$COMMON:[OPENSSL] and yet have everything installed in STAGING:[USER].
@@ -124,10 +128,11 @@ OPENSSLDIR={- catdir($config{openssldir}) ||
 ENGINESDIR={- $osslprefix -}ENGINES:
 
 CC= {- $target{cc} -}
-CFLAGS= /DEFINE=({- join(",", @{$config{defines}},"OPENSSLDIR=\"\"\"\$(OPENSSLDIR)\"\"\"","ENGINESDIR=\"\"\"\$(ENGINESDIR)\"\"\"") -}) {- $config{cflags} -}
+CFLAGS= /DEFINE=({- join(",", @{$target{defines}}, @{$config{defines}},"OPENSSLDIR=\"\"\"\$(OPENSSLDIR)\"\"\"","ENGINESDIR=\"\"\"\$(ENGINESDIR)\"\"\"") -}) {- $target{cflags} -} {- $config{cflags} -}
+CFLAGS_Q=$(CFLAGS)
 DEPFLAG= /DEFINE=({- join(",", @{$config{depdefines}}) -})
-LDFLAGS= {- $config{lflags} -}
-EX_LIBS= {- $config{ex_libs} ? ",".$config{ex_libs} : "" -}
+LDFLAGS= {- $target{lflags} -}
+EX_LIBS= {- $target{ex_libs} ? ",".$target{ex_libs} : "" -}{- $config{ex_libs} ? ",".$config{ex_libs} : "" -}
 
 PERL={- $config{perl} -}
 
@@ -152,7 +157,7 @@ ASFLAG={- $target{asflags} -}
 NODEBUG=@
 .FIRST :
         $(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;"
-        $(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","a.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) internal_inc1 = F$PARSE("[.crypto.include.internal]","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) internal_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) internal_inc3 = F$PARSE("{- catdir($config{sourcedir},"[.crypto.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
@@ -200,14 +205,22 @@ NODEBUG=@
 
 # The main targets ###################################################
 
-all : descrip.mms, build_libs, build_engines, build_apps
+all : configdata.pm, -
+      build_libs_nodep, build_engines_nodep, build_apps_nodep, -
+      depend
 
-build_libs : $(LIBS)
-build_engines : $(ENGINES)
-build_apps : $(PROGRAMS), $(SCRIPTS)
-build_tests : $(TESTPROGS)
+build_libs : configdata.pm, build_libs_nodep, depend
+build_libs_nodep : $(LIBS)
+build_engines : configdata.pm, build_engines_nodep, depend
+build_engines_nodep : $(ENGINES)
+build_apps : configdata.pm, build_apps_nodep, depend
+build_apps_nodep : $(PROGRAMS), $(SCRIPTS)
+build_tests : configdata.pm, build_tests_nodep, depend
+build_tests_nodep : $(TESTPROGS)
 
-test tests : build_apps, build_engines, build_tests, rehash
+test tests : configdata.pm, -
+             build_apps_nodep, build_engines_nodep, build_tests_nodep, -
+             depend
         SET DEFAULT [.test]{- move("test") -}
         DEFINE SRCTOP {- sourcedir() -}
         DEFINE BLDTOP {- builddir() -}
@@ -229,6 +242,15 @@ libclean :
         - DELETE []CXX$DEMANGLER_DB.;*
 
 install : install_sw install_docs
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "######################################################################"
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "Installation complete"
+        @ WRITE SYS$OUTPUT ""
+        @ IF "$(DESTDIR)" .EQS. "" THEN -
+             PIPE ( WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names" ; -
+                    WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands" ; -
+                    WRITE SYS$OUTPUT "" )
 
 uninstall : uninstall_docs uninstall_sw
 
@@ -242,37 +264,24 @@ clean : libclean
         - DELETE [.test]*.LOG;*
         - DELETE []*.MAP;*
 
-DCLEAN_CMD=$(PERL) -pe "if (/^# DO NOT DELETE.*/) { exit(0); }"
-dclean :
-        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
-        RENAME descrip.mms.new descrip.mms
-        PURGE descrip.mms
-
-{- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
-               grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
-               keys %{$unified_info{sources}};
-   ""; -}
-depend : {- join(",-\n\t", @deps); -}
-        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
-        OPEN/APPEND DESCRIP descrip.mms.new
-        WRITE DESCRIP "# DO NOT DELETE THIS LINE -- make depend depends on it."
-        {- join("\n\t", map { "TYPE $_ /OUTPUT=DESCRIP:" } @deps); -}
-        CLOSE DESCRIP
-        RENAME descrip.mms.new descrip.mms
-        PURGE descrip.mms
+depend : descrip.mms
+descrip.mms : FORCE
+	@ ! {- output_off() if $disabled{makedepend}; "" -}
+        @ $(PERL) -pe "if (/^# DO NOT DELETE.*/) { exit(0); }" -
+                < descrip.mms > descrip.mms-new
+        @ OPEN/APPEND DESCRIP descrip.mms-new
+        @ WRITE DESCRIP "# DO NOT DELETE THIS LINE -- make depend depends on it."
+        {- join("\n\t", map { "\@ IF F\$SEARCH(\"$_\") .NES. \"\" THEN TYPE $_ /OUTPUT=DESCRIP:" } @deps); -}
+        @ CLOSE DESCRIP
+        @ PIPE ( $(PERL) -e "use File::Compare qw/compare_text/; my $x = compare_text(""descrip.mms"",""descrip.mms-new""); exit(0x10000000 + ($x == 0));" || -
+                 RENAME descrip.mms-new descrip.mms )
+        @ IF F$SEARCH("descrip.mms-new") .NES. "" THEN DELETE descrip.mms-new;*
+        -@ SPAWN/OUTPUT=NLA0: PURGE/NOLOG descrip.mms
+	@ ! {- output_on() if $disabled{makedepend}; "" -}
 
 # Install helper targets #############################################
 
 install_sw : all install_dev install_engines install_runtime install_config
-        @ WRITE SYS$OUTPUT ""
-        @ WRITE SYS$OUTPUT "######################################################################"
-        @ WRITE SYS$OUTPUT ""
-        @ WRITE SYS$OUTPUT "Installation complete"
-        @ WRITE SYS$OUTPUT ""
-        @ IF "$(DESTDIR)" .NES. "" THEN EXIT 1
-        @ WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names"
-        @ WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands"
-        @ WRITE SYS$OUTPUT ""
 
 uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime uninstall_config
 
@@ -286,22 +295,22 @@ install_dev : check_INSTALLTOP
         CREATE/DIR ossl_installroot:[include.openssl]
         COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl]
         @ ! Install libraries
-        CREATE/DIR ossl_installroot:['arch'.LIB]
+        CREATE/DIR ossl_installroot:[LIB.'arch']
         {- join("\n        ",
-                map { "COPY/PROT=W:R $_.OLB ossl_installroot:['arch'.LIB]" }
+                map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" }
                 @{$unified_info{libraries}}) -}
-        @ {- output_off() if $config{no_shared}; "" -} !
+        @ {- output_off() if $disabled{shared}; "" -} !
         {- join("\n        ",
-                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:['arch'.LIB]" }
+                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[LIB.'arch']" }
                 map { $unified_info{sharednames}->{$_} || () }
                 @{$unified_info{libraries}}) -}
-        @ {- output_on() if $config{no_shared}; "" -} !
+        @ {- output_on() if $disabled{shared}; "" -} !
 
 install_runtime : check_INSTALLTOP
         @ WRITE SYS$OUTPUT "*** Installing runtime files"
         @ ! Install the main program
-        CREATE/DIR ossl_installroot:['arch'.EXE]
-        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:['arch'.EXE]
+        CREATE/DIR ossl_installroot:[EXE.'arch']
+        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:[EXE.'arch']
         @ ! Install scripts
         CREATE/DIR ossl_installroot:[EXE]
         COPY/PROT=W:RE [.APPS]CA.pl ossl_installroot:[EXE]
@@ -311,11 +320,13 @@ install_runtime : check_INSTALLTOP
                 ossl_installroot:[000000]openssl.cnf
 
 install_engines : check_INSTALLTOP
-        @ {- output_off() if $config{no_shared}; "" -} !
+        @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} !
         @ WRITE SYS$OUTPUT "*** Installing engines"
-        CREATE/DIR ossl_installroot:['arch'.ENGINES]
-        COPY/PROT=W:RE [.ENGINES]*.EXE ossl_installroot:['arch'.ENGINES]
-        @ {- output_on() if $config{no_shared}; "" -} !
+        CREATE/DIR ossl_installroot:[ENGINES.'arch']
+        {- join("\n        ",
+                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES.'arch']" }
+                grep(!m|ossltest$|i, @{$unified_info{engines}})) -}
+        @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} !
 
 install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
                  check_INSTALLTOP
@@ -345,17 +356,17 @@ install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
                 {- sourcefile("VMS", "openssl_shutdown.com.in") -} -
                 > [.VMS]openssl_shutdown.com
 
-vmsconfig.pm : descrip.mms
+vmsconfig.pm : configdata.pm
         OPEN/WRITE/SHARE=READ CONFIG []vmsconfig.pm
         WRITE CONFIG "package vmsconfig;"
         WRITE CONFIG "use strict; use warnings;"
         WRITE CONFIG "use Exporter;"
         WRITE CONFIG "our @ISA = qw(Exporter);"
-        WRITE CONFIG "our @EXPORT = qw(%config %target %withargs %unified_info);"
+        WRITE CONFIG "our @EXPORT = qw(%config %target %withargs %unified_info %disabled);"
         WRITE CONFIG "our %config = ("
         WRITE CONFIG "  target => '{- $config{target} -}',"
         WRITE CONFIG "  version => '$(MAJOR).$(MINOR)',"
-        WRITE CONFIG "  no_shared => '","{- $config{no_shared} -}","',"
+        WRITE CONFIG "  no_shared => '","{- $disabled{shared} -}","',"
         WRITE CONFIG "  INSTALLTOP => '$(INSTALLTOP)',"
         WRITE CONFIG "  OPENSSLDIR => '$(OPENSSLDIR)',"
         WRITE CONFIG "  pointersize => '","{- $target{pointersize} -}","',"
@@ -364,6 +375,7 @@ vmsconfig.pm : descrip.mms
         WRITE CONFIG "  ],"
         WRITE CONFIG ");"
         WRITE CONFIG "our %target = ();"
+        WRITE CONFIG "our %disabled = ();"
         WRITE CONFIG "our %withargs = ();"
         WRITE CONFIG "our %unified_info = ();"
         WRITE CONFIG "1;"
@@ -377,16 +389,6 @@ check_INSTALLTOP :
 
 # Helper targets #####################################################
 
-rehash : [.apps]openssl.exe, copy-certs
-        !MCR [.apps]openssl.exe rehash {- builddir("certs", "demo") -}
-        $(PERL) [.tools]c_rehash. [.certs.demo]
-
-copy-certs :
-        @ IF F$SEARCH("{- buildfile("certs.dir") -}") .EQS. "" THEN -
-             CREATE/DIR {- builddir("certs") -}
-        -@ IF "{- sourcedir("certs") -}" .NES. "{- builddir("certs") -}" THEN -
-             COPY {- tree(sourcedir("certs")) -}*.* {- tree(builddir("certs")) -}
-
 # Developer targets ##################################################
 
 debug_logicals :
@@ -396,8 +398,8 @@ debug_logicals :
 
 # Building targets ###################################################
 
-descrip.mms : {- sourcefile("Configurations", "descrip.mms.tmpl") -} $(SRCDIR)Configure ! $(SRCDIR)config.com
-        @ WRITE SYS$OUTPUT "descrip.mms is older than $?."
+configdata.pm : {- join(" ", sourcefile("Configurations", "descrip.mms.tmpl"), sourcefile("Configurations", "common.tmpl")) -} $(SRCDIR)Configure $(SRCDIR)config.com {- join(" ", @{$config{build_infos}}) -}
+        @ WRITE SYS$OUTPUT "Detected changed: $?"
         @ WRITE SYS$OUTPUT "Reconfiguring..."
         perl $(SRCDIR)Configure reconf
         @ WRITE SYS$OUTPUT "*************************************************"
@@ -405,48 +407,26 @@ descrip.mms : {- sourcefile("Configurations", "descrip.mms.tmpl") -} $(SRCDIR)Co
         @ WRITE SYS$OUTPUT "***   Please run the same mms command again   ***"
         @ WRITE SYS$OUTPUT "***                                           ***"
         @ WRITE SYS$OUTPUT "*************************************************"
-        @ exit %10000000
+        @ PIPE ( EXIT %X10000000 )
 
 {-
   use File::Basename;
   use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/;
-  sub src2dep {
+
+  sub generatesrc {
       my %args = @_;
-      my $dep = $args{obj};
-      my $deps = join(", -\n\t\t", @{$args{srcs}}, @{$args{deps}});
+      my $generator = join(" ", @{$args{generator}});
 
-      # Because VMS C isn't very good at combining a /INCLUDE path with
-      # #includes having a relative directory (like '#include "../foo.h"),
-      # the best choice is to move to the first source file's intended
-      # directory before compiling, and make sure to write the object file
-      # in the correct position (important when the object tree is other
-      # than the source tree).
-      my $forward = dirname($args{srcs}->[0]);
-      my $backward = abs2rel(rel2abs("."), rel2abs($forward));
-      my $depd = abs2rel(rel2abs(dirname($dep)), rel2abs($forward));
-      my $depn = basename($dep);
-      my $srcs =
-          join(", ",
-               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
-      my $incs =
-          "/INCLUDE=(".join(",",
-                            map {
-                               file_name_is_absolute($_)
-                               ? $_ : catdir($backward,$_)
-                            } @{$args{incs}}).")";
-      my $before = $unified_info{before}->{$dep.".OBJ"} || "\@ !";
-      my $after = $unified_info{after}->{$dep.".OBJ"} || "\@ !";
-
-      return <<"EOF";
-$dep.MMS : $deps
-        ${before}
-        SET DEFAULT $forward
-        \$(CC) \$(CFLAGS)${incs} /MMS=(TARGET=.OBJ)/OBJECT=${depd}${depn}.MMS $srcs
-        SET DEFAULT $backward
-        ${after}
-        - PURGE $dep.MMS
+      if ($args{src} !~ /\.[sS]$/) {
+          return <<"EOF";
+$args{src} : $args{generator}->[0]
+	\$(PERL) $generator > \$@
 EOF
+      } else {
+          die "No method to generate assembler source present.\n";
+      }
   }
+
   sub src2obj {
       my %args = @_;
       my $obj = $args{obj};
@@ -473,14 +453,19 @@ EOF
                             } @{$args{incs}}).")";
       my $before = $unified_info{before}->{$obj.".OBJ"} || "\@ !";
       my $after = $unified_info{after}->{$obj.".OBJ"} || "\@ !";
+      my $depbuild = $disabled{makedepend} ? ""
+          : " /MMS=(FILE=${objd}${objn}.tmp-MMS,TARGET=$obj.OBJ)";
 
       return <<"EOF";
 $obj.OBJ : $deps
         ${before}
         SET DEFAULT $forward
-        \$(CC) \$(CFLAGS)${incs} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
+        \$(CC) \$(CFLAGS)${incs}${depbuild} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
         SET DEFAULT $backward
         ${after}
+        \@ PIPE ( \$(PERL) -e "use File::Compare qw/compare_text/; my \$x = compare_text(""$obj.MMS"",""$obj.tmp-MMS""); exit(0x10000000 + (\$x == 0));" || -
+                 RENAME $obj.tmp-MMS $obj.mms )
+        \@ IF F\$SEARCH("$obj.tmp-MMS") .NES. "" THEN DELETE $obj.tmp-MMS;*
         - PURGE $obj.OBJ
 EOF
   }
@@ -492,10 +477,10 @@ EOF
       my $libn = basename($lib);
       (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib//i;
       my @deps = map {
-          $config{no_shared} ? $_.".OLB"
+          $disabled{shared} ? $_.".OLB"
               : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
       my $deps = join(", -\n\t\t", @deps);
-      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
       my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
       my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
                                                "VMS", "engine.opt")),
@@ -513,7 +498,7 @@ EOF
       my $write_opt =
           join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
                              $x =~ s|(\.EXE)|$1/SHARE|;
-                             $x =~ s|(\.LIB)|$1/LIB|;
+                             $x =~ s|(\.OLB)|$1/LIB|;
                              "WRITE OPT_FILE \"$x\"" } @deps)
           || "\@ !";
       return <<"EOF";
@@ -536,7 +521,7 @@ $shlib.EXE : $lib.OLB $deps $ordinalsfile
         - PURGE $shlib.EXE,$shlib.OPT,$shlib.MAP
 EOF
   }
-  sub obj2dynlib {
+  sub obj2dso {
       my %args = @_;
       my $lib = $args{lib};
       my $libd = dirname($lib);
@@ -544,10 +529,10 @@ EOF
       (my $libn_nolib = $libn) =~ s/^lib//;
       my @objs = map { "$_.OBJ" } @{$args{objs}};
       my @deps = map {
-          $config{no_shared} ? $_.".OLB"
+          $disabled{shared} ? $_.".OLB"
               : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
       my $deps = join(", -\n\t\t", @objs, @deps);
-      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
       my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
                                                "VMS", "engine.opt")),
                                rel2abs($config{builddir}));
@@ -561,7 +546,7 @@ EOF
           "\"\n\t".
           join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
                              $x =~ s|(\.EXE)|$1/SHARE|;
-                             $x =~ s|(\.LIB)|$1/LIB|;
+                             $x =~ s|(\.OLB)|$1/LIB|;
                              "WRITE OPT_FILE \"$x\"" } @deps)
           || "\@ !";
       return <<"EOF";
@@ -594,7 +579,7 @@ EOF
       my $binn = basename($bin);
       my @objs = map { "$_.OBJ" } @{$args{objs}};
       my @deps = map {
-          $config{no_shared} ? $_.".OLB"
+          $disabled{shared} ? $_.".OLB"
               : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
       my $deps = join(", -\n\t\t", @objs, @deps);
       # The "[]" hack is because in .OPT files, each line inherits the

Configurations/unix-Makefile.tmpl

@@ -3,11 +3,60 @@
 ##
 ## {- join("\n## ", @autowarntext) -}
 {-
+     our $objext = $target{obj_extension} || ".o";
+     our $depext = $target{dep_extension} || ".d";
+     our $exeext = $target{exe_extension} || "";
+     our $libext = $target{lib_extension} || ".a";
+     our $shlibext = $target{shared_extension} || ".so";
+     our $shlibextsimple = $target{shared_extension_simple} || ".so";
+     our $shlibextimport = $target{shared_import_extension} || "";
+     our $dsoext = $target{dso_extension} || ".so";
+
      sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
-     sub shlib_ext { $target{shared_extension} || ".so" }
-     sub shlib_ext_simple { (my $x = $target{shared_extension})
-                                =~ s/\.\$\(SHLIB_MAJOR\)\.\$\(SHLIB_MINOR\)//;
-                            $x }
+
+     # shlib and shlib_simple both take a static library name and figure
+     # out what the shlib name should be.
+     #
+     # When OpenSSL is configured "no-shared", these functions will just
+     # return empty lists, making them suitable to join().
+     #
+     # With Windows DLL producers, shlib($libname) will return the shared
+     # library name (which usually is different from the static library
+     # name) with the default shared extension appended to it, while
+     # shlib_simple($libname) will return the static library name with
+     # the shared extension followed by ".a" appended to it.  The former
+     # result is used as the runtime shared library while the latter is
+     # used as the DLL import library.
+     #
+     # On all Unix systems, shlib($libname) will return the library name
+     # with the default shared extension, while shlib_simple($libname)
+     # will return the name from shlib($libname) with any SO version number
+     # removed.  On some systems, they may therefore return the exact same
+     # string.
+     sub shlib {
+         return () if $disabled{shared};
+         my $lib = shift;
+         return $unified_info{sharednames}->{$lib} . $shlibext;
+     }
+     sub shlib_simple {
+         return () if $disabled{shared};
+
+         my $lib = shift;
+         if (windowsdll()) {
+             return $lib . $shlibextimport;
+         }
+         return $lib .  $shlibextsimple;
+     }
+
+     # dso is a complement to shlib / shlib_simple that returns the
+     # given libname with the simple shared extension (possible SO version
+     # removed).  This differs from shlib_simple() by being unconditional.
+     sub dso {
+         my $engine = shift;
+
+         return $engine . $dsoext;
+     }
+     '';
 -}
 PLATFORM={- $config{target} -}
 OPTIONS={- $config{options} -}
@@ -24,24 +73,26 @@ SHLIB_MAJOR={- $config{shlib_major} -}
 SHLIB_MINOR={- $config{shlib_minor} -}
 SHLIB_TARGET={- $target{shared_target} -}
 
-EXE_EXT={- $target{exe_extension} || "" -}
-LIB_EXT={- $target{lib_extension} || ".a" -}
-SHLIB_EXT={- shlib_ext() -}
-SHLIB_EXT_SIMPLE={- shlib_ext_simple() -}
-OBJ_EXT={- $target{obj_extension} || ".o" -}
-DEP_EXT={- $target{dep_extension} || ".d" -}
-
-LIBS={- join(" ", map { $_."\$(LIB_EXT)" } @{$unified_info{libraries}}) -}
-SHLIBS={- join(" ", map { $_."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
-ENGINES={- join(" ", map { $_."\$(SHLIB_EXT_SIMPLE)" } @{$unified_info{engines}}) -}
-PROGRAMS={- join(" ", map { $_."\$(EXE_EXT)" } grep { !m|^test/| } @{$unified_info{programs}}) -}
-TESTPROGS={- join(" ", map { $_."\$(EXE_EXT)" } grep { m|^test/| } @{$unified_info{programs}}) -}
+LIBS={- join(" ", map { $_.$libext } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { shlib($_) } @{$unified_info{libraries}}) -}
+ENGINES={- join(" ", map { dso($_) } @{$unified_info{engines}}) -}
+PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test/| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(" ", map { $_.$exeext } grep { m|^test/| } @{$unified_info{programs}}) -}
 SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}
+{- output_off() if $disabled{makedepend}; "" -}
+DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|$depext|; $x; }
+                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                  keys %{$unified_info{sources}}); -}
+{- output_on() if $disabled{makedepend}; "" -}
+GENERATED={- join(" ", map { (my $x = $_) =~ s|\.S$|\.s|; $x } keys %{$unified_info{generate}}) -}
+
 BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
 MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \
 	     $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \
 	     $(BLDDIR)/apps/CA.pl $(SRCDIR)/apps/tsget
 
+SHLIB_INFO={- join(" ", map { "\"".shlib($_).";".shlib_simple($_)."\"" } @{$unified_info{libraries}}) -}
+
 # DESTDIR is for package builders so that they can configure for, say,
 # /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -83,7 +134,8 @@ ENGINESDIR={- use File::Spec::Functions;
               catdir($prefix,$libdir,"engines") -}
 
 MANDIR=$(INSTALLTOP)/share/man
-HTMLDIR=$(INSTALLTOP)/share/doc/$(BASENAME)/html
+DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
+HTMLDIR=$(DOCDIR)/html
 
 # MANSUFFIX is for the benefit of anyone who may want to have a suffix
 # appended after the manpage file section number.  "ssl" is popular,
@@ -95,27 +147,30 @@ HTMLSUFFIX=html
 
 CROSS_COMPILE= {- $config{cross_compile_prefix} -}
 CC= $(CROSS_COMPILE){- $target{cc} -}
-CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
 CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
-DEPFLAGS= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
-LDFLAGS= {- $config{lflags} -}
-PLIB_LDFLAGS= {- $config{plib_lflags} -}
-EX_LIBS= {- $config{ex_libs} -}
-SHARED_LDFLAGS={- $target{shared_ldflag}
-                  # Unlike other OSes (like Solaris, Linux, Tru64,
-                  # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
-                  # and FreeBSD) "demand" RPATH set on .so objects.
-                  # Apparently application RPATH is not global and
-                  # does not apply to .so linked with other .so.
-                  # Problem manifests itself when libssl.so fails to
-                  # load libcrypto.so. One can argue that we should
-                  # engrave this into Makefile.shared rules or into
-                  # BSD-* config lines above. Meanwhile let's try to
-                  # be cautious and pass -rpath to linker only when
-                  # $prefix is not /usr.
-                  . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
-                     ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
-SHARED_RCFLAGS={- $target{shared_rcflag} -}
+LDFLAGS= {- $target{lflags} -}
+PLIB_LDFLAGS= {- $target{plib_lflags} -}
+EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
+LIB_CFLAGS={- $target{shared_cflag} || "" -}
+LIB_LDFLAGS={- $target{shared_ldflag}." ".$config{shared_ldflag}
+               # Unlike other OSes (like Solaris, Linux, Tru64,
+               # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
+               # and FreeBSD) "demand" RPATH set on .so objects.
+               # Apparently application RPATH is not global and
+               # does not apply to .so linked with other .so.
+               # Problem manifests itself when libssl.so fails to
+               # load libcrypto.so. One can argue that we should
+               # engrave this into Makefile.shared rules or into
+               # BSD-* config lines above. Meanwhile let's try to
+               # be cautious and pass -rpath to linker only when
+               # $prefix is not /usr.
+               . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
+                  ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
+RCFLAGS={- $target{shared_rcflag} -}
+DSO_CFLAGS={- $target{shared_cflag} || "" -}
+DSO_LDFLAGS=$(LIB_LDFLAGS)
+BIN_CFLAGS={- "" -}
 
 PERL={- $config{perl} -}
 
@@ -124,8 +179,10 @@ AR=$(CROSS_COMPILE){- $target{ar} || "ar" -} $(ARFLAGS) r
 RANLIB= {- $target{ranlib} -}
 NM= $(CROSS_COMPILE){- $target{nm} || "nm" -}
 RM= rm -f
+RMDIR= rmdir
 TAR= {- $target{tar} || "tar" -}
 TARFLAGS= {- $target{tarflags} -}
+MAKEDEPEND={- $config{makedepprog} -}
 
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
@@ -146,64 +203,104 @@ PROCESSOR= {- $config{processor} -}
 
 # The main targets ###################################################
 
-all: build_libs build_engines build_apps link-utils
+all: configdata.pm build_libs_nodep build_engines_nodep build_apps_nodep \
+     depend link-utils
 
-# The pkg-config files depend on the libraries as well as Makefile
-build_libs: libcrypto.pc libssl.pc openssl.pc
-build_engines: $(ENGINES)
-build_apps: $(PROGRAMS) $(SCRIPTS)
-build_tests: $(TESTPROGS)
+build_libs: configdata.pm build_libs_nodep depend
+build_libs_nodep: libcrypto.pc libssl.pc openssl.pc
+build_engines: configdata.pm build_engines_nodep depend
+build_engines_nodep: $(ENGINES)
+build_apps: configdata.pm build_apps_nodep depend
+build_apps_nodep: $(PROGRAMS) $(SCRIPTS)
+build_tests: configdata.pm build_tests_nodep depend
+build_tests_nodep: $(TESTPROGS)
 
-test tests: build_tests build_apps build_engines rehash
+test tests: build_tests_nodep build_apps_nodep build_engines_nodep depend
 	( cd test; \
 	  SRCTOP=../$(SRCDIR) \
 	  BLDTOP=../$(BLDDIR) \
+	  EXE_EXT={- $exeext -} \
 	    $(PERL) ../$(SRCDIR)/test/run_tests.pl $(TESTS) )
 
 list-tests:
 	@TOP=$(SRCDIR) PERL=$(PERL) $(PERL) $(SRCDIR)/test/run_tests.pl list
 
 libclean:
-	-rm -f `find $(BLDDIR) -name '*$(LIB_EXT)' -o -name '*$(SHLIB_EXT)'`
+	@set -e; for s in $(SHLIB_INFO); do \
+		s1=`echo "$$s" | cut -f1 -d";"`; \
+		s2=`echo "$$s" | cut -f2 -d";"`; \
+		echo $(RM) $$s1; \
+		$(RM) $$s1; \
+		if [ "$$s1" != "$$s2" ]; then \
+			echo $(RM) $$s2; \
+			$(RM) $$s2; \
+		fi; \
+	done
+	$(RM) $(LIBS)
 
 install: install_sw install_ssldirs install_docs
 
 uninstall: uninstall_docs uninstall_sw
 
 clean: libclean
-	rm -f $(PROGRAMS) $(TESTPROGS)
-	rm -f `find $(BLDDIR) -name '*$(DEP_EXT)'`
-	rm -f `find $(BLDDIR) -name '*$(OBJ_EXT)'`
-	rm -f $(BLDDIR)/core $(BLDDIR)/rehash.time
-	rm -f $(BLDDIR)/tags $(BLDDIR)/TAGS
-	rm -f $(BLDDIR)/openssl.pc $(BLDDIR)/libcrypto.pc $(BLDDIR)/libssl.pc
-	-rm -f `find $(BLDDIR) -type l`
+	rm -f $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
+	rm -f $(GENERATED)
+	-rm -f `find . -name '*{- $depext -}'`
+	-rm -f `find . -name '*{- $objext -}'`
+	rm -f core
+	rm -f tags TAGS
+	rm -f openssl.pc libcrypto.pc libssl.pc
+	-rm -f `find . -type l`
 	rm -f $(TARFILE)
 
-DCLEAN_CMD=sed -e '/^DO NOT DELETE.*/,$$d'
-dclean:
-	$(DCLEAN_CMD) < Makefile >Makefile.new
-	mv -f Makefile.new Makefile
-
-DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
-                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
-                  keys %{$unified_info{sources}}); -}
-depend: $(DEPS)
-	( $(DCLEAN_CMD) < Makefile; \
-	  echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
-	  echo; \
-	  cat `find . -name '*$(DEP_EXT)'` ) > Makefile.new
-	mv -f Makefile.new Makefile
+# This exists solely for those who still type 'make depend'
+#
+# We check if any depfile is newer than Makefile and decide to
+# concatenate only if that is true, or if 'test' (a.k.a [ )
+# doesn't have the option to figure it out (-nt).
+#
+# To check if test has the file age comparison operator, we
+# simply try, and rely test to exit with 0 if the comparison
+# was true, 1 if false, and most importantly, 2 if it doesn't
+# recognise the operator.
+depend:
+	@: {- output_off() if $disabled{makedepend}; "" -}
+	@catdepends=false; \
+	if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \
+	  for d in $(DEPS); do \
+	    if [ $$d -nt Makefile ]; then \
+	      catdepends=true; \
+	      break; \
+	    fi; \
+	  done; \
+	else \
+	  catdepends=true; \
+	fi; \
+	if [ $$catdepends = true ]; then \
+	  ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \
+	    echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
+	    echo; \
+	    for d in $(DEPS); do \
+	      if [ -f $$d ]; then cat $$d; fi; \
+	    done ) > Makefile.new; \
+	  if cmp Makefile.new Makefile >/dev/null 2>&1; then \
+	    rm -f Makefile.new; \
+	  else \
+	    mv -f Makefile.new Makefile; \
+	  fi; \
+	fi
+	@: {- output_on() if $disabled{makedepend}; "" -}
 
 # Install helper targets #############################################
 
 install_sw: all install_dev install_engines install_runtime
 
-uninstall_sw: uninstall_dev uninstall_engines uninstall_runtime
+uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
 
 install_docs: install_man_docs install_html_docs
 
 uninstall_docs: uninstall_man_docs uninstall_html_docs
+	$(RM) -r -v $(DESTDIR)$(DOCDIR)
 
 install_ssldirs:
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
@@ -230,28 +327,31 @@ install_dev:
 		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
 		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
 	done
-	@ : {- output_off() if $config{no_shared}; "" -}
-	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$s`; \
-		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
-		cp $$s $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
-		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
-		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
-		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
-			echo "link $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
-			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
-			ln -sf $$fn $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
+	@ : {- output_off() if $disabled{shared}; "" -}
+	@set -e; for s in $(SHLIB_INFO); do \
+		s1=`echo "$$s" | cut -f1 -d";"`; \
+		s2=`echo "$$s" | cut -f2 -d";"`; \
+		fn1=`basename $$s1`; \
+		fn2=`basename $$s2`; \
+		: {- output_off() if windowsdll(); "" -}; \
+		echo "install $$s1 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1"; \
+		cp $$s1 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1; \
+		if [ "$$fn1" != "$$fn2" ]; then \
+			echo "link $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1"; \
+			ln -sf $$fn1 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		fi; \
-		: {- output_off() unless windowsdll(); "" -}; \
-		echo "install $$s.a -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
-		cp $$s.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
-		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new \
-		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
+		echo "install $$s2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
+		cp $$s2 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		: {- output_on() unless windowsdll(); "" -}; \
 	done
-	@ : {- output_on() if $config{no_shared}; "" -}
+	@ : {- output_on() if $disabled{shared}; "" -}
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
 	@echo "install libcrypto.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
 	@cp libcrypto.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
@@ -271,31 +371,37 @@ uninstall_dev:
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
 	done
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include
 	@set -e; for l in $(LIBS); do \
 		fn=`basename $$l`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
 	done
-	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$s`; \
-		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
-			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
+	@ : {- output_off() if $disabled{shared}; "" -}
+	@set -e; for s in $(SHLIB_INFO); do \
+		s1=`echo "$$s" | cut -f1 -d";"`; \
+		s2=`echo "$$s" | cut -f2 -d";"`; \
+		fn1=`basename $$s1`; \
+		fn2=`basename $$s2`; \
+		: {- output_off() if windowsdll(); "" -}; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1; \
+		if [ "$$fn1" != "$$fn2" ]; then \
 			echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
 			$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		fi; \
-		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
-		: {- output_off() unless windowsdll(); "" -}; \
-		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		: {- output_on() unless windowsdll(); "" -}; \
 	done
-	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	@ : {- output_on() if $disabled{shared}; "" -}
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)
 
 install_engines:
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@@ -303,7 +409,10 @@ install_engines:
 	@echo "*** Installing engines"
 	@set -e; for e in $(ENGINES); do \
 		fn=`basename $$e`; \
-		echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		if [ "$$fn" = '{- dso("ossltest") -}' ]; then \
+			continue; \
+		fi; \
+		echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn"; \
 		cp $$e $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
 		chmod 755 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
 		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new \
@@ -314,9 +423,13 @@ uninstall_engines:
 	@echo "*** Uninstalling engines"
 	@set -e; for e in $(ENGINES); do \
 		fn=`basename $$e`; \
-		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		if [ "$$fn" = '{- dso("ossltest") -}' ]; then \
+			continue; \
+		fi; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \
 	done
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines
 
 install_runtime:
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@@ -325,7 +438,7 @@ install_runtime:
 	@echo "*** Installing runtime files"
 	: {- output_off() unless windowsdll(); "" -};
 	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$i`; \
+		fn=`basename $$s`; \
 		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
 		chmod 644 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -384,12 +497,14 @@ uninstall_runtime:
 	done
 	: {- output_off() unless windowsdll(); "" -};
 	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$i`; \
+		fn=`basename $$s`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
 	: {- output_on() unless windowsdll(); "" -};
 	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
+	-$(RMDIR) $(DESTDIR)$(OPENSSLDIR)/misc
 
 # A method to extract all names from a .pod file
 # The first sed extracts everything between "=head1 NAME" and the next =head1
@@ -462,6 +577,7 @@ UNINSTALL_DOCS=\
 			$(RM) $$top/man$$SEC/$$n$$suf; \
 		    fi; \
 		done; \
+		( $(RMDIR) $$top/man$$SEC 2>/dev/null || exit 0 ); \
 	    done; \
 	done
 
@@ -533,8 +649,6 @@ errors:
 	      $(PERL) ../util/mkerr.pl -conf $$e \
 		      -nostatic -staticloader -write *.c; \
 	  done )
-	( cd $(SRCDIR)/crypto/ct; \
-	  $(PERL) ../../util/mkerr.pl -conf ct.ec -hprefix internal/ -write *.c )
 
 ordinals:
 	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
@@ -553,9 +667,11 @@ tags TAGS: FORCE
 
 # Release targets (note: only available on Unix) #####################
 
+TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - 
+PREPARE_CMD=:
 tar:
 	TMPDIR=/var/tmp/openssl-copy.$$$$; \
-	DISTDIR=openssl-$(VERSION); \
+	DISTDIR=$(NAME); \
 	mkdir -p $$TMPDIR/$$DISTDIR; \
 	(cd $(SRCDIR); \
 	 git ls-tree -r --name-only --full-tree HEAD \
@@ -564,11 +680,11 @@ tar:
 	       cp $$F $$TMPDIR/$$DISTDIR/$$F; \
 	   done); \
 	(cd $$TMPDIR; \
-	 [ -n "$(PREPARE_CMD)" ] && $(PREPARE_CMD); \
+	 $(PREPARE_CMD); \
 	 find $$TMPDIR/$$DISTDIR -type d -print | xargs chmod 755; \
 	 find $$TMPDIR/$$DISTDIR -type f -print | xargs chmod a+r; \
 	 find $$TMPDIR/$$DISTDIR -type f -perm -0100 -print | xargs chmod a+x; \
-	 $(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - $$DISTDIR) \
+	 $(TAR_COMMAND) $$DISTDIR) \
 	| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
 	rm -rf $$TMPDIR
 	cd $(SRCDIR); ls -l $(TARFILE).gz
@@ -578,35 +694,19 @@ dist:
 
 # Helper targets #####################################################
 
-rehash: link-utils copy-certs build_apps
-	@if [ -z "$(CROSS_COMPILE)" ]; then \
-		(OPENSSL="$(BLDDIR)/util/shlib_wrap.sh apps/openssl"; \
-		[ -x "$(BLDDIR)/openssl.exe" ] && OPENSSL="$(BLDDIR)/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
-		$$OPENSSL rehash certs/demo \
-		|| $(PERL) tools/c_rehash certs/demo) && \
-		touch rehash.time; \
-	else :; fi
-
 link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/shlib_wrap.sh
 
-$(BLDDIR)/util/opensslwrap.sh: Makefile
+$(BLDDIR)/util/opensslwrap.sh: configdata.pm
 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
 	    mkdir -p "$(BLDDIR)/util"; \
 	    ln -sf "../$(SRCDIR)/util/opensslwrap.sh" "$(BLDDIR)/util"; \
 	fi
-$(BLDDIR)/util/shlib_wrap.sh: Makefile
+$(BLDDIR)/util/shlib_wrap.sh: configdata.pm
 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
 	    mkdir -p "$(BLDDIR)/util"; \
 	    ln -sf "../$(SRCDIR)/util/shlib_wrap.sh" "$(BLDDIR)/util"; \
 	fi
 
-copy-certs: FORCE
-	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
-	    cp -R "$(SRCDIR)/certs" "$(BLDDIR)/"; \
-	fi
-
 $(SRCDIR)/apps/openssl-vms.cnf: $(SRCDIR)/apps/openssl.cnf
 	$(PERL) $(SRCDIR)/VMS/VMSify-conf.pl \
                 < $(SRCDIR)/apps/openssl.cnf > $(SRCDIR)/apps/openssl-vms.cnf
@@ -650,11 +750,11 @@ $(SRCDIR)/crypto/objects/obj_xref.h: $(SRCDIR)/crypto/objects/objxref.pl \
                 > $(SRCDIR)/crypto/objects/obj_xref.h
 	@sleep 1; touch $(SRCDIR)/crypto/objects/obj_xref.h; sleep 1
 
-FORCE :
+FORCE:
 
 # Building targets ###################################################
 
-libcrypto.pc libssl.pc openssl.pc: Makefile $(LIBS)
+libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS)
 libcrypto.pc:
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
@@ -697,8 +797,8 @@ openssl.pc:
 # wasn't passed down automatically.  It's quite safe to use it like we do
 # below; if it doesn't exist, the result will be empty and 'make' will pick
 # up $(MAKEFLAGS) which is passed down as an environment variable.
-Makefile: {- $config{build_file_template} -} $(SRCDIR)/Configure $(SRCDIR)/config
-	@echo "Makefile is older than {- $config{build_file_template} -}, $(SRCDIR)/Configure or $(SRCDIR)/config."
+configdata.pm: $(SRCDIR)/Configurations/unix-Makefile.tmpl $(SRCDIR)/Configurations/common.tmpl $(SRCDIR)/Configure $(SRCDIR)/config {- join(" ", @{$config{build_infos}}) -}
+	@echo "Detected changed: $?"
 	@echo "Reconfiguring..."
 	$(SRCDIR)/Configure reconf
 	@echo "**************************************************"
@@ -715,56 +815,111 @@ Makefile: {- $config{build_file_template} -} $(SRCDIR)/Configure $(SRCDIR)/confi
   # Helper function to figure out dependencies on libraries
   # It takes a list of library names and outputs a list of dependencies
   sub compute_lib_depends {
-      if ($config{no_shared}) {
-          return map { $_."\$(LIB_EXT)" } @_;
+      if ($disabled{shared}) {
+          return map { $_.$libext } @_;
       }
 
       # Depending on shared libraries:
       # On Windows POSIX layers, we depend on {libname}.dll.a
       # On Unix platforms, we depend on {shlibname}.so
-      return map { if (windowsdll()) {
-                       "$_\$(SHLIB_EXT_SIMPLE).a"
-		   } else {
-		       my $libname =
-		           $unified_info{sharednames}->{$_} || $_;
-		       "$libname\$(SHLIB_EXT_SIMPLE)"
-		   } } @_;
+      return map { shlib_simple($_) } @_;
   }
 
-  sub src2dep {
+  sub generatesrc {
       my %args = @_;
-      my $dep = $args{obj}.'$(DEP_EXT)';
-      my $obj = $args{obj}.'$(OBJ_EXT)';
-      my $srcs = join(" ", @{$args{srcs}});
-      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
-      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
-      my $makedepprog = $config{makedepprog};
-      if ($makedepprog eq "makedepend") {
+      my $generator = join(" ", @{$args{generator}});
+      my $incs = join("", map { " -I".$_ } @{$args{incs}});
+
+      if ($args{src} !~ /\.[sS]$/) {
           return <<"EOF";
-$dep : $deps
-	rm -f \$\@.tmp; touch \$\@.tmp
-	\$(MAKEDEPEND) -f\$\@.tmp -o"|$obj"\
-	    -- -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs \
-	    -- $srcs
-	sed -e 's/^.*|//' -e 's/ \\/\\(\\\\.\\|[^ ]\\)*//g' -e '/: *\$/d' -e '/^\\(#.*\\| *\\)\$/d' \$\@.tmp > \$\@
-	rm \$\@.tmp
+$args{src}: $args{generator}->[0]
+	\$(PERL) $generator > \$@
+EOF
+      } else {
+          if ($args{generator}->[0] =~ /\.pl$/) {
+              $generator = 'CC="$(CC)" $(PERL) '.$generator;
+          } elsif ($args{generator}->[0] =~ /\.m4$/) {
+              $generator = 'm4 -B 8192 '.$generator.' >'
+          } elsif ($args{generator}->[0] =~ /\.S$/) {
+              $generator = undef;
+          } else {
+              die "Generator type for $args{src} unknown: $generator\n";
+          }
+
+          if (defined($generator)) {
+              # If the target is named foo.S in build.info, we want to
+              # end up generating foo.s in two steps.
+              if ($args{src} =~ /\.S$/) {
+                   (my $target = $args{src}) =~ s|\.S$|.s|;
+                   return <<"EOF";
+$target: $args{generator}->[0]
+	( trap "rm -f \$@.*" INT 0; \\
+	  $generator \$@.S; \\
+	  \$(CC) \$(CFLAGS) $incs -E -P \$@.S > \$@.i && mv -f \$@.i \$@ )
+EOF
+              }
+              # Otherwise....
+              return <<"EOF";
+$args{src}: $args{generator}->[0]
+	$generator \$@
+EOF
+          }
+          return <<"EOF";
+$args{src}: $args{generator}->[0]
+	\$(CC) \$(CFLAGS) $incs -E -P \$< > \$@
 EOF
       }
-      return <<"EOF";
-$dep : $deps Makefile
-	\$(CC) -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs -MM -MF \$\@ -MQ $obj $srcs
-EOF
   }
+
+  # Should one wonder about the end of the Perl snippet, it's because this
+  # second regexp eats up line endings as well, if the removed path is the
+  # last in the line.  We may therefore need to put back a line ending.
   sub src2obj {
       my %args = @_;
-      my $obj = $args{obj}.'$(OBJ_EXT)';
-      my $srcs = join(" ", @{$args{srcs}});
-      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
-      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
-      return <<"EOF";
-$obj : $deps
-	\$(CC) \$(CFLAGS)$incs -c -o \$\@ $srcs
+      my $obj = $args{obj};
+      my @srcs = map { (my $x = $_) =~ s/\.S$/.s/; $x } ( @{$args{srcs}} );
+      my $srcs = join(" ",  @srcs);
+      my $deps = join(" ", @srcs, @{$args{deps}});
+      my $incs = join("", map { " -I".$_ } @{$args{incs}});
+      my $ecflags = { lib => '$(LIB_CFLAGS)',
+                      dso => '$(DSO_CFLAGS)',
+                      bin => '$(BIN_CFLAGS)' } -> {$args{intent}};
+      my $makedepprog = $config{makedepprog};
+      my $recipe = "";
+      if (!$disabled{makedepend} && $makedepprog =~ /\/makedepend/) {
+          $recipe .= <<"EOF";
+$obj$depext: $deps
+	rm -f \$\@.tmp; touch \$\@.tmp
+	-\$(MAKEDEPEND) -f\$\@.tmp -o"|$obj$objext" -- \$(CFLAGS) $ecflags$incs -- $srcs \\
+	    2>/dev/null
+	perl -i -pe 's/^.*\\|//; s/ \\/(\\\\.|[^ ])*//; \$\$_ = undef if (/: *\$\$/ || /^(#.*| *)\$\$/); \$\$_.="\\n" unless !defined(\$\$_) or /\\R\$\$/g;' \$\@.tmp
+	\@if cmp \$\@.tmp \$\@ > /dev/null 2> /dev/null; then \\
+		rm -f \$\@.tmp; \\
+	else \\
+		mv \$\@.tmp \$\@; \\
+	fi
 EOF
+          $deps = $obj.$depext;
+      }
+      if ($disabled{makedepend} || $makedepprog =~ /\/makedepend/) {
+          $recipe .= <<"EOF";
+$obj$objext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$incs -c -o \$\@ $srcs
+EOF
+      }
+      if (!$disabled{makedepend} && $makedepprog !~ /\/makedepend/) {
+          $recipe .= <<"EOF";
+$obj$objext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$incs -MMD -MF $obj$depext.tmp -MT \$\@ -c -o \$\@ $srcs
+	\@touch $obj$depext.tmp
+	\@if cmp $obj$depext.tmp $obj$depext > /dev/null 2> /dev/null; then \\
+		rm -f $obj$depext.tmp; \\
+	else \\
+		mv $obj$depext.tmp $obj$depext; \\
+	fi
+EOF
+      }
+      return $recipe;
   }
   # On Unix, we build shlibs from static libs, so we're ignoring the
   # object file array.  We *know* this routine is only called when we've
@@ -783,38 +938,37 @@ EOF
       my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
       my $shlib_target = $target{shared_target};
       my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
-      my $shlibtarget = windowsdll() ?
-	  "$lib\$(SHLIB_EXT_SIMPLE).a" : "$shlib\$(SHLIB_EXT_SIMPLE)";
+      my $target = shlib_simple($lib);
       return <<"EOF"
 # With a build on a Windows POSIX layer (Cygwin or Mingw), we know for a fact
 # that two files get produced, {shlibname}.dll and {libname}.dll.a.
 # With all other Unix platforms, we often build a shared library with the
 # SO version built into the file name and a symlink without the SO version
 # It's not necessary to have both as targets.  The choice falls on the
-# simplest, {libname}\$(SHLIB_EXT_SIMPLE).a for Windows POSIX layers and
-# {libname}\$(SHLIB_EXT_SIMPLE) for the Unix platforms.
-$shlibtarget : $lib\$(LIB_EXT) $deps $ordinalsfile
+# simplest, {libname}$shlibextimport for Windows POSIX layers and
+# {libname}$shlibextsimple for the Unix platforms.
+$target: $lib$libext $deps $ordinalsfile
 	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
 		PLATFORM=\$(PLATFORM) \\
-		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
-		INSTALLTOP="\$(INSTALLTOP)" LIBDIR="\$(LIBDIR)" \\
-		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
+		PERL=\$(PERL) SRCDIR='\$(SRCDIR)' DSTDIR="$libd" \\
+		INSTALLTOP='\$(INSTALLTOP)' LIBDIR='\$(LIBDIR)' \\
+		LIBDEPS='\$(PLIB_LDFLAGS) '"$linklibs"' \$(EX_LIBS)' \\
 		LIBNAME=$libname LIBVERSION=\$(SHLIB_MAJOR).\$(SHLIB_MINOR) \\
-		LIBCOMPATVERSIONS=";\$(SHLIB_VERSION_HISTORY)" \\
-		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
-		CROSS_COMPILE="\$(CROSS_COMPILE)" \\
-		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" SHLIB_EXT=\$(SHLIB_EXT) \\
-		SHARED_RCFLAGS="\$(SHARED_RCFLAGS)" \\
-		link_a.$shlib_target
+		LIBCOMPATVERSIONS=';\$(SHLIB_VERSION_HISTORY)' \\
+		CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(LIB_CFLAGS)' \\
+		CROSS_COMPILE='\$(CROSS_COMPILE)' LDFLAGS='\$(LDFLAGS)' \\
+		SHARED_LDFLAGS='\$(LIB_LDFLAGS)' SHLIB_EXT=$shlibext \\
+		SHARED_RCFLAGS='\$(RCFLAGS)' \\
+		link_shlib.$shlib_target
 EOF
 	  . (windowsdll() ? <<"EOF" : "");
-	rm -f apps/$shlib\$(SHLIB_EXT)
-	rm -f test/$shlib\$(SHLIB_EXT)
-	cp -p $shlib\$(SHLIB_EXT) apps/
-	cp -p $shlib\$(SHLIB_EXT) test/
+	rm -f apps/$shlib$shlibext
+	rm -f test/$shlib$shlibext
+	cp -p $shlib$shlibext apps/
+	cp -p $shlib$shlibext test/
 EOF
   }
-  sub obj2dynlib {
+  sub obj2dso {
       my %args = @_;
       my $lib = $args{lib};
       my $libd = dirname($lib);
@@ -826,27 +980,28 @@ EOF
                                      " -L$d -l$l" } @{$args{deps}});
       my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
       my $shlib_target = $target{shared_target};
-      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
+      my $target = dso($lib);
       return <<"EOF";
-$lib\$(SHLIB_EXT_SIMPLE): $objs $deps
+$target: $objs $deps
 	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
 		PLATFORM=\$(PLATFORM) \\
-		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
-		LIBDEPS="\$(PLIB_LDFLAGS) $shlibdeps \$(EX_LIBS)" \\
-		LIBNAME=$libname LDFLAGS="\$(LDFLAGS)" \\
-		CC="\$(CC)" CFLAGS="\$(CFLAGS)" \\
-		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" \\
-		SHLIB_EXT=\$(SHLIB_EXT_SIMPLE) \\
+		PERL=\$(PERL) SRCDIR='\$(SRCDIR)' DSTDIR="$libd" \\
+		LIBDEPS='\$(PLIB_LDFLAGS) '"$shlibdeps"' \$(EX_LIBS)' \\
+		LIBNAME=$libname LDFLAGS='\$(LDFLAGS)' \\
+		CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(DSO_CFLAGS)' \\
+		SHARED_LDFLAGS='\$(DSO_LDFLAGS)' \\
+		SHLIB_EXT=$dsoext \\
 		LIBEXTRAS="$objs" \\
-		link_o.$shlib_target
+		link_dso.$shlib_target
 EOF
   }
   sub obj2lib {
       my %args = @_;
       my $lib = $args{lib};
-      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
       return <<"EOF";
-$lib\$(LIB_EXT) : $objs
+$lib$libext: $objs
 	\$(AR) \$\@ $objs
 	\$(RANLIB) \$\@ || echo Never mind.
 EOF
@@ -856,23 +1011,23 @@ EOF
       my $bin = $args{bin};
       my $bind = dirname($bin);
       my $binn = basename($bin);
-      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
       my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
       my $linklibs = join("", map { my $d = dirname($_);
                                     my $f = basename($_);
                                     $d = "." if $d eq $f;
                                     (my $l = $f) =~ s/^lib//;
                                     " -L$d -l$l" } @{$args{deps}});
-      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
       return <<"EOF";
-$bin\$(EXE_EXT) : $objs $deps
-	\$(RM) $bin\$(EXE_EXT)
+$bin$exeext: $objs $deps
+	\$(RM) $bin$exeext
 	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
 		PERL=\$(PERL) SRCDIR=\$(SRCDIR) \\
-		APPNAME=$bin OBJECTS="$objs" \\
-		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
-		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
-		LIBRPATH="\$(INSTALLTOP)/\$(LIBDIR)" \\
+		APPNAME=$bin$exeext OBJECTS="$objs" \\
+		LIBDEPS='\$(PLIB_LDFLAGS) '"$linklibs"' \$(EX_LIBS)' \\
+		CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(BIN_CFLAGS)' \\
+		LDFLAGS='\$(LDFLAGS)' LIBRPATH='\$(INSTALLTOP)/\$(LIBDIR)' \\
 		link_app.$shlib_target
 EOF
   }
@@ -884,7 +1039,7 @@ EOF
                                            "util", "dofile.pl")),
                            rel2abs($config{builddir}));
       return <<"EOF";
-$script : $sources
+$script: $sources
 	\$(PERL) "-I\$(BLDDIR)" -Mconfigdata "$dofile" \\
 	    "-o$target{build_file}" $sources > "$script"
 	chmod a+x $script

Configurations/windows-makefile.tmpl

@@ -0,0 +1,368 @@
+##
+## Makefile for OpenSSL
+##
+## {- join("\n## ", @autowarntext) -}
+{-
+ our $objext = $target{obj_extension} || ".obj";
+ our $depext = $target{dep_extension} || ".d";
+ our $exeext = $target{exe_extension} || ".exe";
+ our $libext = $target{lib_extension} || ".lib";
+ our $shlibext = $target{shared_extension} || ".dll";
+ our $shlibextimport = $target{shared_import_extension} || ".lib";
+ our $dsoext = $target{dso_extension} || ".dll";
+
+ sub shlib {
+     return () if $disabled{shared};
+     my $lib = shift;
+     return $unified_info{sharednames}->{$lib} . $shlibext;
+ }
+
+ sub shlib_import {
+     return () if $disabled{shared};
+     my $lib = shift;
+     return $lib . $shlibextimport;
+ }
+
+ sub dso {
+     my $dso = shift;
+
+     return $dso . $dsoext;
+ }
+ '';
+-}
+
+PLATFORM={- $config{target} -}
+SRCDIR={- $config{sourcedir} -}
+BLDDIR={- $config{builddir} -}
+
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+
+LIBS={- join(" ", map { $_.$libext } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { shlib($_) } @{$unified_info{libraries}}) -}
+ENGINES={- join(" ", map { dso($_) } @{$unified_info{engines}}) -}
+PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test\\| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(" ", map { $_.$exeext } grep { m|^test\\| } @{$unified_info{programs}}) -}
+SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}
+
+DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|$depext|; $x; }
+                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                  keys %{$unified_info{sources}}); -}
+
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
+	      #
+	      our $prefix = $config{prefix} || "/usr/local";
+              $prefix -}
+OPENSSLDIR={- #
+	      # The logic here is that if no --openssldir was given,
+	      # OPENSSLDIR will get the value from $prefix plus "/ssl".
+	      # If --openssldir was given and the value is an absolute
+	      # path, OPENSSLDIR will get its value without change.
+	      # If the value from --openssldir is a relative path,
+	      # OPENSSLDIR will get $prefix with the --openssldir
+	      # value appended as a subdirectory.
+	      #
+              use File::Spec::Functions;
+              our $openssldir =
+                  $config{openssldir} ?
+                      (file_name_is_absolute($config{openssldir}) ?
+                           $config{openssldir}
+                           : catdir($prefix, $config{openssldir}))
+                      : catdir($prefix, "ssl");
+              $openssldir -}
+LIBDIR={- #
+          # if $prefix/lib$target{multilib} is not an existing
+          # directory, then assume that it's not searched by linker
+          # automatically, in which case adding $target{multilib} suffix
+          # causes more grief than we're ready to tolerate, so don't...
+          our $multilib =
+              -d "$prefix/lib$target{multilib}" ? $target{multilib} : "";
+          our $libdir = $config{libdir} || "lib$multilib";
+          $libdir -}
+ENGINESDIR={- use File::Spec::Functions;
+              our $enginesdir = catdir($prefix,$libdir,"engines");
+	      $enginesdir -}
+
+CC={- $target{cc} -}
+CFLAGS={- join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}})) -} {- join(" ", quotify_l("-DENGINESDIR=\"$enginesdir\"", "-DOPENSSLDIR=\"$openssldir\"")) -} {- $target{cflags} -} {- $config{cflags} -}
+COUTFLAG={- $target{coutflag} || "/Fo" -}
+LD={- $target{ld} || "link" -}
+LDFLAGS={- $target{lflags} -}
+LDOUTFLAG={- $target{loutflag} || "/out:" -}
+EX_LIBS={- $target{ex_libs} -}
+LIB_CFLAGS={- join(" ", $target{lib_cflags}, $target{shared_cflag}) || "" -}
+LIB_LDFLAGS={- $target{shared_ldflag} || "" -}
+DSO_CFLAGS={- join(" ", $target{dso_cflags}, $target{shared_cflag}) || "" -}
+DSO_LDFLAGS={- join(" ", $target{dso_lflags}, $target{shared_ldflag}) || "" -}
+BIN_CFLAGS={- $target{bin_cflags} -}
+BIN_LDFLAGS={- $target{bin_lflags} -}
+
+PERL={- $config{perl} -}
+
+AR={- $target{ar} -}
+ARFLAGS= {- $target{arflags} -}
+AROUTFLAG={- $target{aroutflag} || "/out:" -}
+
+AS={- $target{as} -}
+ASFLAGS={- $target{asflags} -}
+ASOUTFLAG={- $target{asoutflag} -}
+PERLASM_SCHEME= {- $target{perlasm_scheme} -}
+
+PROCESSOR= {- $config{processor} -}
+
+# The main targets ###################################################
+
+all: configdata.pm build_libs_nodep build_engines_nodep build_apps_nodep depend
+
+build_libs: configdata.pm build_libs_nodep depend
+build_libs_nodep: $(LIBS)
+build_engines: configdata.pm build_engines_nodep depend
+build_engines_nodep: $(ENGINES)
+build_apps: configdata.pm build_apps_nodep depend
+build_apps_nodep: $(PROGRAMS) $(SCRIPTS)
+build_tests: configdata.pm build_tests_nodep depend
+build_tests_nodep: $(TESTPROGS)
+
+test tests: build_tests_nodep build_apps_nodep build_engines_nodep depend
+	set SRCTOP=$(SRCDIR)
+	set BLDTOP=$(BLDDIR)
+	set PERL=$(PERL)
+	$(PERL) $(SRCDIR)\test\run_tests.pl $(TESTS)
+
+list-tests:
+	@set TOP=$(SRCDIR)
+	@set PERL=$(PERL)
+	@$(PERL) $(SRCDIR)\test\run_tests.pl list
+
+libclean:
+	del /Q /F $(LIBS) $(SHLIBS)
+	del lib.pdb
+
+clean: libclean
+	del /Q /F $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
+	del /Q /S /F *.asm
+	del /Q /S /F *.d
+	del /Q /S /F *.obj
+	del /Q /S /F *.pdb
+	del /Q /S /F *.exp
+	del /Q /S /F engines\*.ilk
+	del /Q /S /F engines\*.lib
+
+depend:
+
+# Building targets ###################################################
+
+configdata.pm: {- $config{build_file_template} -} $(SRCDIR)\Configure
+	@echo "Detected changed: $?"
+	@echo "Reconfiguring..."
+	$(PERL) $(SRCDIR)\Configure reconf
+	@echo "**************************************************"
+	@echo "***                                            ***"
+	@echo "***   Please run the same make command again   ***"
+	@echo "***                                            ***"
+	@echo "**************************************************"
+	@( exit 1 )
+
+{-
+ use File::Basename;
+ use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+
+ # Helper function to figure out dependencies on libraries
+ # It takes a list of library names and outputs a list of dependencies
+ sub compute_lib_depends {
+     if ($disabled{shared}) {
+	 return map { $_.$libext } @_;
+     }
+     return map { shlib_import($_) } @_;
+ }
+
+  sub generatesrc {
+      my %args = @_;
+      (my $target = $args{src}) =~ s/\.[sS]$/.asm/;
+      my $generator = join(" ", @{$args{generator}});
+      my $incs = join("", map { " /I ".$_ } @{$args{incs}});
+
+      if ($target !~ /\.asm$/) {
+          return <<"EOF";
+$target: $args{generator}->[0]
+	\$(PERL) $generator > \$@
+EOF
+      } else {
+          if ($args{generator}->[0] =~ /\.pl$/) {
+              $generator = '$(PERL) '.$generator;
+          } elsif ($args{generator}->[0] =~ /\.S$/) {
+              $generator = undef;
+          } else {
+              die "Generator type for $src unknown: $generator\n";
+          }
+
+          if (defined($generator)) {
+              # If the target is named foo.S in build.info, we want to
+              # end up generating foo.s in two steps.
+              if ($args{src} =~ /\.S$/) {
+                   return <<"EOF";
+$target: $args{generator}->[0]
+	set ASM=\$(AS)
+	set CC=\$(CC)
+	$generator \$@.S
+	\$(CC) \$(CFLAGS) $incs /EP /C \$@.S > \$@
+        del /Q \$@.S
+EOF
+              }
+              # Otherwise....
+              return <<"EOF";
+$target: $args{generator}->[0]
+	set ASM=\$(AS)
+	set CC=\$(CC)
+	$generator \$@
+EOF
+          }
+          return <<"EOF";
+$target: $args{generator}->[0]
+	\$(CC) \$(CFLAGS) $incs /EP /C \$< > \$@
+EOF
+      }
+  }
+
+ sub src2obj {
+     my %args = @_;
+     my $obj = $args{obj};
+     my @srcs = map { (my $x = $_) =~ s/\.[sS]$/.asm/; $x } ( @{$args{srcs}} );
+     my $srcs = join(" ",  @srcs);
+     my $deps = join(" ", @srcs, @{$args{deps}});
+     my $incs = join("", map { " /I ".$_ } @{$args{incs}});
+     my $ecflags = { lib => '$(LIB_CFLAGS)',
+		     dso => '$(DSO_CFLAGS)',
+		     bin => '$(BIN_CFLAGS)' } -> {$args{intent}};
+     my $makedepprog = $config{makedepprog};
+     if ($srcs[0] =~ /\.asm$/) {
+         return <<"EOF";
+$obj$objext: $deps
+	\$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs
+EOF
+     }
+     return <<"EOF";
+$obj$depext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$inc /Zs /showIncludes $srcs 2>&1 | \\
+	    \$(PERL) -n << > $obj$depext
+chomp;
+s/^Note: including file: *//;
+\$\$collect{\$\$_} = 1;
+END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" }
+<<KEEP
+$obj$objext: $obj$depext
+	\$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ @<<
+$srcs
+<<KEEP
+EOF
+ }
+
+ # On Unix, we build shlibs from static libs, so we're ignoring the
+ # object file array.  We *know* this routine is only called when we've
+ # configure 'shared'.
+ sub libobj2shlib {
+     my %args = @_;
+     my $lib = $args{lib};
+     my $shlib = $args{shlib};
+     (my $mkdef_key = $lib) =~ s/^lib//i;
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $linklibs = join("",
+			 map { "\n$_" } compute_lib_depends(@{$args{deps}}));
+     my $deps = join(" ",
+		     (map { $_.$objext } @{$args{objs}}),
+		     compute_lib_depends(@{$args{deps}}));
+     my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
+     my $mkdef_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+					    "util", "mkdef.pl")),
+			    rel2abs($config{builddir}));
+     my $target = shlib_import($lib);
+     return <<"EOF"
+$target: $deps $ordinalsfile $mkdef_pl
+	\$(PERL) $mkdef_pl "$mkdef_key" 32 > $shlib.def
+	\$(PERL) -i.tmp -pe "s|^LIBRARY\\s+${mkdef_key}32|LIBRARY $shlib|;" $shlib.def
+	DEL $shlib.def.tmp
+	\$(LD) \$(LDFLAGS) \$(LIB_LDFLAGS) \\
+		/implib:$target \$(LDOUTFLAG)$shlib$shlibext /def:$shlib.def @<<
+$objs$linklibs \$(EX_LIBS)
+<<
+	DEL /F apps\\$shlib$shlibext
+	DEL /F test\\$shlib$shlibext
+	COPY $shlib$shlibext apps
+	COPY $shlib$shlibext test
+EOF
+ }
+ sub obj2dso {
+     my %args = @_;
+     my $dso = $args{lib};
+     my $dso_n = basename($dso);
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $linklibs = join("",
+			 map { "\n$_" } compute_lib_depends(@{$args{deps}}));
+     my $deps = join(" ",
+		     (map { $_.$objext } @{$args{objs}}),
+		     compute_lib_depends(@{$args{deps}}));
+     return <<"EOF";
+$dso$dsoext: $deps
+	\$(LD) \$(LDFLAGS) \$(DSO_LDFLAGS) \$(LDOUTFLAG)$dso$dsoext /def:<< @<<
+LIBRARY         $dso_n
+EXPORTS
+    bind_engine		@1
+    v_check		@2
+<<
+$objs$linklibs \$(EX_LIBS)
+<<
+EOF
+ }
+ sub obj2lib {
+     # Because static libs and import libs are both named the same in native
+     # Windows, we can't have both.  We skip the static lib in that case,
+     # as the shared libs are what we use anyway.
+     return "" unless $disabled{"shared"};
+
+     my %args = @_;
+     my $lib = $args{lib};
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $deps = join(" ", map { $_.$objext } @{$args{objs}});
+     return <<"EOF";
+$lib$libext: $deps
+	\$(AR) \$(ARFLAGS) \$(AROUTFLAG)$lib$libext @<<
+$objs
+<<
+EOF
+ }
+ sub obj2bin {
+     my %args = @_;
+     my $bin = $args{bin};
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $linklibs = join("",
+			 map { "\n$_" } compute_lib_depends(@{$args{deps}}));
+     my $deps = join(" ",
+		     (map { $_.$objext } @{$args{objs}}),
+		     compute_lib_depends(@{$args{deps}}));
+     return <<"EOF";
+$bin$exeext: $deps
+	\$(LD) \$(LDFLAGS) \$(BIN_LDFLAGS) \$(LDOUTFLAG)$bin$exeext @<<
+$objs setargv.obj$linklibs \$(EX_LIBS)
+<<
+EOF
+  }
+  sub in2script {
+      my %args = @_;
+      my $script = $args{script};
+      my $sources = join(" ", @{$args{sources}});
+      my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
+                                           "util", "dofile.pl")),
+                           rel2abs($config{builddir}));
+      return <<"EOF";
+$script: $sources
+	\$(PERL) "-I\$(BLDDIR)" -Mconfigdata "$dofile" \\
+	    "-o$target{build_file}" $sources > "$script"
+EOF
+  }
+  ""    # Important!  This becomes part of the template result.
+-}

GitConfigure

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-BRANCH=`git rev-parse --abbrev-ref HEAD`
-
-./Configure $@
-make files
-util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
-MAKE=make
-which bsdmake > /dev/null && MAKE=bsdmake
-$MAKE -f makefile.$BRANCH init

GitMake

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-BRANCH=`git rev-parse --abbrev-ref HEAD`
-
-MAKE=make
-which bsdmake > /dev/null && MAKE=bsdmake
-$MAKE -f makefile.$BRANCH $@

INSTALL

@@ -1,13 +1,13 @@
 
- INSTALLATION ON THE UNIX PLATFORM
- ---------------------------------
+ OPENSSL INSTALLATION
+ --------------------
 
- [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
-  and NetWare is described in INSTALL.DJGPP, INSTALL.WIN, INSTALL.VMS,
-  INSTALL.MacOS and INSTALL.NW.
+ [Installation on DOS (with djgpp), MacOS (before MacOS X)
+  and NetWare is described in INSTALL.DJGPP, INSTALL.MacOS
+  and INSTALL.NW.
   
-  This document describes installation on operating systems in the Unix
-  family.]
+  This document describes installation on the main supported operating
+  systems, currently the Linux/Unix family, OpenVMS and Windows.]
 
  To install OpenSSL, you will need:
 
@@ -15,27 +15,59 @@
   * Perl 5 with core modules (please read README.PERL)
   * The perl module Text::Template (please read README.PERL)
   * an ANSI C compiler
-  * a development environment in form of development libraries and C
+  * a development environment in the form of development libraries and C
     header files
-  * a supported Unix operating system
+  * a supported operating system
+
+ For more details regarding specific platforms, there are these notes
+ available:
+
+  * NOTES.VMS (OpenVMS)
+  * NOTES.WIN (any Windows except for Windows CE)
 
  Quick Start
  -----------
 
  If you want to just get on with it, do:
 
-  $ ./config
-  $ make
-  $ make test
-  $ make install
+  on Unix:
+
+    $ ./config
+    $ make
+    $ make test
+    $ make install
+
+  on OpenVMS:
+
+    $ @config
+    $ mms
+    $ mms test
+    $ mms install
+
+  on Windows (only pick one of the targets for configuration):
+
+    $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE }
+    $ nmake
+    $ nmake test
 
  [If any of these steps fails, see section Installation in Detail below.]
 
- This will build and install OpenSSL in the default location, which is (for
- historical reasons) /usr/local/ssl. If you want to install it anywhere else,
- run config like this:
+ This will build and install OpenSSL in the default location, which is:
 
-  $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
+  Unix:    normal installation directories under /usr/local
+  OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
+           OpenSSL version number ('major'_'minor').
+  Windows: currently don't have an install function     <TBA>
+
+ If you want to install it anywhere else, run config like this:
+
+  On Unix:
+
+    $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl
+
+  On OpenVMS:
+
+    $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
 
 
  Configuration Options
@@ -44,78 +76,91 @@
  There are several options to ./config (or ./Configure) to customize
  the build:
 
-  --prefix=DIR  Install in DIR/bin, DIR/lib, DIR/include/openssl.
-	        Configuration files used by OpenSSL will be in DIR/ssl
-                or the directory specified by --openssldir.
+  --prefix=DIR     The top of the installation directory tree.  Defaults are:
 
-  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
-                the library files and binaries are also installed there.
+                   Unix:           /usr/local
+                   OpenVMS:        SYS$COMMON:[OPENSSL-'version']
 
-  no-autoalginit Don't automatically load all supported ciphers and digests.
-                Typically OpenSSL will make available all of its supported
-                ciphers and digests. For a statically linked application this
-                may be undesirable if small executable size is an objective.
-                This only affects libcrypto. Ciphers and digests will have to be
-                loaded manually using EVP_add_cipher() and EVP_add_digest() if
-                this option is used.
+  --openssldir=DIR Directory for OpenSSL configuration files, and also the
+                   default certificate and key store.  Defaults are:
 
-  no-autoerrinit Don't automatically load all libcrypto/libssl error strings.
-                Typically OpenSSL will automatically load human readable error
-                strings. For a statically linked application this may be
-                undesirable if small executable size is an objective.
+                   Unix:           PREFIX/ssl (PREFIX is given by --prefix)
+                   OpenVMS:        SYS$COMMON:[SSL]
 
-  no-threads    Don't try to build with support for multi-threaded
-                applications.
+  --api=x.y.z      Don't build with support for deprecated APIs below the
+                   specified version number. For example "--api=1.1.0" will
+                   remove support for all APIS that were deprecated in OpenSSL
+                   version 1.1.0 or below.
 
-  threads       Build with support for multi-threaded applications.
-                This will usually require additional system-dependent options!
-                See "Note on multi-threading" below.
+  no-deprecated    Don't build with support for any deprecated APIs. This is the
+                   same as using "--api" and supplying the latest version
+                   number.
 
-  no-zlib       Don't try to build with support for zlib compression and
-                decompression.
+  no-autoalginit   Don't automatically load all supported ciphers and digests.
+                   Typically OpenSSL will make available all of its supported
+                   ciphers and digests. For a statically linked application this
+                   may be undesirable if small executable size is an objective.
+                   This only affects libcrypto. Ciphers and digests will have to
+                   be loaded manually using EVP_add_cipher() and
+                   EVP_add_digest() if this option is used.
 
-  zlib          Build with support for zlib compression/decompression.
+  no-autoerrinit   Don't automatically load all libcrypto/libssl error strings.
+                   Typically OpenSSL will automatically load human readable
+                   error strings. For a statically linked application this may
+                   be undesirable if small executable size is an objective.
 
-  zlib-dynamic  Like "zlib", but has OpenSSL load the zlib library dynamically
-                when needed.  This is only supported on systems where loading
-                of shared libraries is supported.  This is the default choice.
+  no-threads       Don't try to build with support for multi-threaded
+                   applications.
 
-  no-shared     Don't try to create shared libraries.
+  threads          Build with support for multi-threaded applications.
+                   This will usually require additional system-dependent
+                   options! See "Note on multi-threading" below.
 
-  shared        In addition to the usual static libraries, create shared
-                libraries on platforms where it's supported.  See "Note on
-                shared libraries" below.
+  no-zlib          Don't try to build with support for zlib compression and
+                   decompression.
 
-  no-asm        Do not use assembler code.
+  zlib             Build with support for zlib compression/decompression.
 
-  386           Use the 80386 instruction set only (the default x86 code is
-                more efficient, but requires at least a 486). Note: Use
-                compiler flags for any other CPU specific configuration,
-                e.g. "-m32" to build x86 code on an x64 system.
+  zlib-dynamic     Like "zlib", but has OpenSSL load the zlib library
+                   dynamically when needed.  This is only supported on systems
+                   where loading of shared libraries is supported.  This is the
+                   default choice.
 
-  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extension is
-		detected at run-time, but the decision whether or not the
-		machine code will be executed is taken solely on CPU
-		capability vector. This means that if you happen to run OS
-		kernel which does not support SSE2 extension on Intel P4
-		processor, then your application might be exposed to
-		"illegal instruction" exception. There might be a way
-		to enable support in kernel, e.g. FreeBSD kernel can be
-		compiled with CPU_ENABLE_SSE, and there is a way to
-		disengage SSE2 code pathes upon application start-up,
-		but if you aim for wider "audience" running such kernel,
-		consider no-sse2. Both 386 and no-asm options above imply
-		no-sse2.
+  no-shared        Don't try to create shared libraries.
 
-  no-<cipher>   Build without the specified cipher (bf, cast, des, dh, dsa,
-                hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
-                The crypto/<cipher> directory can be removed after running
-                "make depend".
+  shared           In addition to the usual static libraries, create shared
+                   libraries on platforms where it's supported.  See "Note on
+                   shared libraries" below.
 
-  -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
-                be passed through to the compiler to allow you to
-                define preprocessor symbols, specify additional libraries,
-                library directories or other compiler options.
+  no-asm           Do not use assembler code.
+
+  386              On Intel hardware, use the 80386 instruction set only
+                   (the default x86 code is more efficient, but requires at
+                   least a 486). Note: Use compiler flags for any other CPU
+                   specific configuration, e.g. "-m32" to build x86 code on
+                   an x64 system.
+
+  no-sse2          Exclude SSE2 code pathes. Normally SSE2 extension is
+                   detected at run-time, but the decision whether or not the
+                   machine code will be executed is taken solely on CPU
+                   capability vector. This means that if you happen to run OS
+                   kernel which does not support SSE2 extension on Intel P4
+                   processor, then your application might be exposed to
+                   "illegal instruction" exception. There might be a way
+                   to enable support in kernel, e.g. FreeBSD kernel can be
+                   compiled with CPU_ENABLE_SSE, and there is a way to
+                   disengage SSE2 code pathes upon application start-up,
+                   but if you aim for wider "audience" running such kernel,
+                   consider no-sse2. Both 386 and no-asm options above imply
+                   no-sse2.
+
+  no-<alg>         Build without the specified algorithm (bf, cast, des, dh,
+                   dsa, hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
+
+  -Dxxx, -lxxx,    These system specific options will be passed through to the
+  -Lxxx, -fxxx,    compiler to allow you to define preprocessor symbols, specify
+  -mXXX, -Kxxx     additional libraries, library directories or other compiler
+                   options.
 
 
  Installation in Detail
@@ -123,7 +168,16 @@
 
  1a. Configure OpenSSL for your operation system automatically:
 
-       $ ./config [options]
+     NOTE: This is not available on Windows.
+
+       $ ./config [options]                             # Unix
+
+       or
+
+       $ @config [options]                              ! OpenVMS
+
+     For the remainder of this text, the Unix form will be used in all
+     examples, please use the appropriate form for your platform.
 
      This guesses at your operating system (and compiler, if necessary) and
      configures OpenSSL based on this guess. Run ./config -t to see
@@ -140,42 +194,95 @@
      OpenSSL knows about a range of different operating system, hardware and
      compiler combinations. To see the ones it knows about, run
 
-       $ ./Configure
+       $ ./Configure                                    # Unix
+
+       or
+
+       $ perl Configure                                 # All other platforms
+
+     For the remainder of this text, the Unix form will be used in all
+     examples, please use the appropriate form for your platform.
 
      Pick a suitable name from the list that matches your system. For most
      operating systems there is a choice between using "cc" or "gcc".  When
      you have identified your system (and if necessary compiler) use this name
-     as the argument to ./Configure. For example, a "linux-elf" user would
+     as the argument to Configure. For example, a "linux-elf" user would
      run:
 
        $ ./Configure linux-elf [options]
 
-     If your system is not available, you will have to edit the Configure
-     program and add the correct configuration for your system. The
-     generic configurations "cc" or "gcc" should usually work on 32 bit
-     systems.
+     If your system isn't listed, you will have to create a configuration
+     file named Configurations/{something}.conf and add the correct
+     configuration for your system. See the available configs as examples
+     and read Configurations/README and Configurations/README.design for
+     more information.
 
-     Configure creates the file Makefile.ssl from Makefile.in and
+     The generic configurations "cc" or "gcc" should usually work on 32 bit
+     Unix-like systems.
+
+     Configure creates a build file ("Makefile" on Unix and "descrip.mms"
+     on OpenVMS) from a suitable template in Configurations, and
      defines various macros in crypto/opensslconf.h (generated from
      crypto/opensslconf.h.in).
 
+ 1c. Configure OpenSSL for building outside of the source tree.
+
+     OpenSSL can be configured to build in a build directory separate from
+     the directory with the source code.  It's done by placing yourself in
+     some other directory and invoking the configuration commands from
+     there.
+
+     Unix example:
+
+       $ mkdir /var/tmp/openssl-build
+       $ cd /var/tmp/openssl-build
+       $ /PATH/TO/OPENSSL/SOURCE/config [options]
+
+       or
+
+       $ /PATH/TO/OPENSSL/SOURCE/Configure [target] [options]
+
+     OpenVMS example:
+
+       $ set default sys$login:
+       $ create/dir [.tmp.openssl-build]
+       $ set default [.tmp.openssl-build]
+       $ @[PATH.TO.OPENSSL.SOURCE]config {options}
+
+       or
+
+       $ @[PATH.TO.OPENSSL.SOURCE]Configure {target} {options}
+
+     Windows example:
+
+       $ C:
+       $ mkdir \temp-openssl
+       $ cd \temp-openssl
+       $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {target} {options}
+
+     Paths can be relative just as well as absolute.  Configure will
+     do its best to translate them to relative paths whenever possible.
+
   2. Build OpenSSL by running:
 
-       $ make
+       $ make                                           # Unix
+       $ mms                                            ! (or mmk) OpenVMS
+       $ nmake                                          # Windows
 
-     This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
-     OpenSSL binary ("openssl"). The libraries will be built in the top-level
-     directory, and the binary will be in the "apps" directory.
+     This will build the OpenSSL libraries (libcrypto.a and libssl.a on
+     Unix, corresponding on other platforms) and the OpenSSL binary
+     ("openssl"). The libraries will be built in the top-level directory,
+     and the binary will be in the "apps" subdirectory.
 
-     If "make" fails, look at the output.  There may be reasons for
+     If the build fails, look at the output.  There may be reasons for
      the failure that aren't problems in OpenSSL itself (like missing
      standard headers).  If it is a problem with OpenSSL itself, please
-     report the problem to <openssl-bugs@openssl.org> (note that your
-     message will be recorded in the request tracker publicly readable
-     at https://www.openssl.org/community/index.html#bugs and will be
-     forwarded to a public mailing list). Include the output of "make
-     report" in your message.  Please check out the request tracker. Maybe
-     the bug was already reported or has already been fixed.
+     report the problem to <rt@openssl.org> (note that your message
+     will be recorded in the request tracker publicly readable at
+     https://www.openssl.org/community/index.html#bugs and will be
+     forwarded to a public mailing list). Please check out the request
+     tracker. Maybe the bug was already reported or has already been
+     fixed.
 
      [If you encounter assembler error messages, try the "no-asm"
      configuration option as an immediate fix.]
@@ -185,142 +292,130 @@
 
   3. After a successful build, the libraries should be tested. Run:
 
-       $ make test
+       $ make test                                      # Unix
+       $ mms test                                       ! OpenVMS
+       $ nmake test                                     # Windows
 
      If some tests fail, look at the output.  There may be reasons for
      the failure that isn't a problem in OpenSSL itself (like a
      malfunction with Perl).  You may want increased verbosity, that
      can be accomplished like this:
 
-       $ HARNESS_VERBOSE=yes make test
+       $ HARNESS_VERBOSE=yes make test                  # Unix
+
+       $ DEFINE HARNESS_VERBOSE YES
+       $ mms test                                       ! OpenVMS
+
+       $ set HARNESS_VERBOSE=yes
+       $ nmake test                                     # Windows
 
      If you want to run just one or a few specific tests, you can use
      the make variable TESTS to specify them, like this:
 
-       $ make TESTS='test_rsa test_dsa' test
+       $ make TESTS='test_rsa test_dsa' test            # Unix
+       $ mms/macro="TESTS=test_rsa test_dsa" test       ! OpenVMS
+       $ nmake TESTS='test_rsa test_dsa' test           # Windows
 
-     And of course, you can combine:
+     And of course, you can combine (Unix example shown):
        
        $ HARNESS_VERBOSE=yes make TESTS='test_rsa test_dsa' test
 
      You can find the list of available tests like this:
 
-       $ make list-tests
+       $ make list-tests                                # Unix
+       $ mms list-tests                                 ! OpenVMS
+       $ nmake list-tests                               # Windows
 
      Have a look at the manual for the perl module Test::Harness to
      see what other HARNESS_* variables there are.
 
      If you find a problem with OpenSSL itself, try removing any
-     compiler optimization flags from the CFLAG line in Makefile and
-     run "make clean; make".
+     compiler optimization flags from the CFLAGS line in Makefile and
+     run "make clean; make" or corresponding.
 
-     Please send a bug report to <openssl-bugs@openssl.org>, and when
-     you do, please run the following and include the output in your
-     report:
-
-       $ make report
+     Please send a bug reports to <rt@openssl.org>.
 
   4. If everything tests ok, install OpenSSL with
 
-       $ make install
+       $ make install                                   # Unix
+       $ mms install                                    ! OpenVMS
 
-     This will create the installation directory (if it does not exist) and
-     then the following subdirectories:
+     This will install all the software components in this directory
+     tree under PREFIX (the directory given with --prefix or its
+     default):
 
-       certs           Initially empty, this is the default location
-                       for certificate files.
-       man/man1        Manual pages for the 'openssl' command line tool
-       man/man3        Manual pages for the libraries (very incomplete)
-       misc            Various scripts.
-       private         Initially empty, this is the default location
-                       for private key files.
+       Unix:
 
-     If you didn't choose a different installation prefix, the
-     following additional subdirectories will be created:
+         bin/           Contains the openssl binary and a few other
+                        utility scripts.
+         include/openssl
+                        Contains the header files needed if you want
+                        to build your own programs that use libcrypto
+                        or libssl.
+         lib            Contains the OpenSSL library files.
+         lib/engines    Contains the OpenSSL dynamically loadable engines.
+         share/man/{man1,man3,man5,man7}
+                        Contains the OpenSSL man-pages.
+         share/doc/openssl/html/{man1,man3,man5,man7}
+                        Contains the HTML rendition of the man-pages.
 
-       bin             Contains the openssl binary and a few other 
-                       utility programs. 
-       include/openssl Contains the header files needed if you want to
-                       compile programs with libcrypto or libssl.
-       lib             Contains the OpenSSL library files themselves.
+       OpenVMS ('arch' is replaced with the architecture name, "Alpha"
+       or "ia64"):
 
-     Use "make install_sw" to install the software without documentation,
-     and "install_docs_html" to install HTML renditions of the manual
-     pages.
+         [.EXE.'arch']  Contains the openssl binary and a few other
+                        utility scripts.
+         [.include.openssl]
+                        Contains the header files needed if you want
+                        to build your own programs that use libcrypto
+                        or libssl.
+         [.LIB.'arch']  Contains the OpenSSL library files.
+         [.ENGINES.'arch']
+                        Contains the OpenSSL dynamically loadable engines.
+         [.SYS$STARTUP] Contains startup, login and shutdown scripts.
+                        These define appropriate logical names and
+                        command symbols.
+                        
+
+     Additionally, install will add the following directories under
+     OPENSSLDIR (the directory given with --openssldir or its default)
+     for you convenience:
+
+         certs          Initially empty, this is the default location
+                        for certificate files.
+         private        Initially empty, this is the default location
+                        for private key files.
+         misc           Various scripts.
 
      Package builders who want to configure the library for standard
      locations, but have the package installed somewhere else so that
      it can easily be packaged, can use
 
-       $ make DESTDIR=/tmp/package-root install
+       $ make DESTDIR=/tmp/package-root install         # Unix
+       $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
 
      The specified destination directory will be prepended to all
-     installation target filenames.
+     installation target paths.
 
-
-  NOTE: The header files used to reside directly in the include
-  directory, but have now been moved to include/openssl so that
-  OpenSSL can co-exist with other libraries which use some of the
-  same filenames.  This means that applications that use OpenSSL
-  should now use C preprocessor directives of the form
-
-       #include <openssl/ssl.h>
-
-  instead of "#include <ssl.h>", which was used with library versions
-  up to OpenSSL 0.9.2b.
-
-  If you install a new version of OpenSSL over an old library version,
-  you should delete the old header files in the include directory.
-
-  Compatibility issues:
+  Compatibility issues with previous OpenSSL versions:
 
   *  COMPILING existing applications
 
-     To compile an application that uses old filenames -- e.g.
-     "#include <ssl.h>" --, it will usually be enough to find
-     the CFLAGS definition in the application's Makefile and
-     add a C option such as
+     OpenSSL 1.1 hides a number of structures that were previously
+     open.  This includes all internal libssl structures and a number
+     of EVP types.  Accessor functions have been added to allow
+     controlled access to the structures' data.
 
-          -I/usr/local/ssl/include/openssl
+     This means that some software needs to be rewritten to adapt to
+     the new ways of doing things.  This often amounts to allocating
+     an instance of a structure explicitly where you could previously
+     allocate them on the stack as automatic variables, and using the
+     provided accessor functions where you would previously access a
+     structure's field directly.
 
-     to it.
+     <TBA>
 
-     But don't delete the existing -I option that points to
-     the ..../include directory!  Otherwise, OpenSSL header files
-     could not #include each other.
-
-  *  WRITING applications
-
-     To write an application that is able to handle both the new
-     and the old directory layout, so that it can still be compiled
-     with library versions up to OpenSSL 0.9.2b without bothering
-     the user, you can proceed as follows:
-
-     -  Always use the new filename of OpenSSL header files,
-        e.g. #include <openssl/ssl.h>.
-
-     -  Create a directory "incl" that contains only a symbolic
-        link named "openssl", which points to the "include" directory
-        of OpenSSL.
-        For example, your application's Makefile might contain the
-        following rule, if OPENSSLDIR is a pathname (absolute or
-        relative) of the directory where OpenSSL resides:
-
-        incl/openssl:
-        	-mkdir incl
-        	cd $(OPENSSLDIR) # Check whether the directory really exists
-        	-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl
-
-        You will have to add "incl/openssl" to the dependencies
-        of those C files that include some OpenSSL header file.
-
-     -  Add "-Iincl" to your CFLAGS.
-
-     With these additions, the OpenSSL header files will be available
-     under both name variants if an old library version is used:
-     Your application can reach them under names like <openssl/foo.h>,
-     while the header files still are able to #include each other
-     with names of the form <foo.h>.
+     Some APIs have changed as well.  However, older APIs have been
+     preserved when possible.
 
 
  Note on multi-threading
@@ -352,13 +447,10 @@
  use them would be to conserve memory on systems where several programs
  are using OpenSSL.
 
- For some systems, the OpenSSL Configure script knows what is needed to
+ For most systems, the OpenSSL Configure script knows what is needed to
  build shared libraries for libcrypto and libssl.  On these systems,
  the shared libraries are currently not created by default, but giving
- the option "shared" will get them created.  This method supports Makefile
- targets for shared library creation, like linux-shared.  Those targets
- can currently be used on their own just as well, but this is expected
- to change in future versions of OpenSSL.
+ the option "shared" will get them created.
 
  Note on random number generation
  --------------------------------
@@ -372,24 +464,3 @@
  Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
  and the FAQ for more information.
 
- Note on support for multiple builds
- -----------------------------------
-
- OpenSSL is usually built in its source tree.  Unfortunately, this doesn't
- support building for multiple platforms from the same source tree very well.
- It is however possible to build in a separate tree through the use of lots
- of symbolic links, which should be prepared like this:
-
-	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
-	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
-	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
-		mkdir -p `dirname $F`
-		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
-		echo $F '->' $OPENSSL_SOURCE/$F
-	done
-	make -f Makefile.in clean
-
- OPENSSL_SOURCE is an environment variable that contains the absolute (this
- is important!) path to the OpenSSL source tree.
-
- Also, operations like 'make update' should still be made in the source tree.

INSTALL.VMS

@@ -1,66 +0,0 @@
-
- INSTALLATION ON THE VMS PLATFORM
- --------------------------------
-
- Intro
- -----
-
- This file is divided in the following parts:
-
-   Requirements                 - Mandatory reading.
-   Cheking the distribution     - Mandatory reading.
-   Quick start
-   Test                         <TO BE ADDED>
-   Installation                 <TO BE ADDED>
-   Backward portability         <TO BE ADDED>
-   Possible bugs and quirks     <TO BE ADDED>
-
-
- Requirements
- ------------
-
- To build and install OpenSSL, you will need:
-
-  * Perl 5 with core modules (please read README.PERL)
-  * The perl module Text::Template (please read README.PERL)
-  * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
-    [Note: OpenSSL has only been tested with DEC C.  Compiling with 
-     a different ANSI C compiler may require some work]
-
- Checking the distribution
- -------------------------
-
- There have been reports of places where the distribution didn't quite
- get through, for example if you've copied the tree from a NFS-mounted
- Unix mount point.
-
- The easiest way to check if everything got through as it should is to
- check for one of the following files:
-
-  [.crypto]opensslconf^.h.in
-
- The best way to get a correct distribution is to download the gzipped
- tar file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress
- it and use VMSTAR to unpack the resulting tar file.
-
- GUNZIP is available {FIXME: where is it available?}
-
- VMSTAR is available {FIXME: where is it available?}
-
-
- Quick start
- -----------
-
- If you want to just get on with it, do this:
-
-  $ @config
-  $ mms
-  $ mms test
-  $ mmm install
-
- This will buidl and install OpenSSL in the default location, which is
- SYS$COMMON:[OPENSSL-'VERSION'].  If you want it to be anywhere else,
- run config.com like this:
-
-  $ @config --prefix=PROGRAM:[OPENSSL]
-

INSTALL.WIN

@@ -1,192 +0,0 @@
-
- INSTALLATION ON WINDOWS PLATFORMS
- ---------------------------------
-
- [Instructions for building for Windows CE can be found in INSTALL.WCE]
-
- Here are a few comments about building OpenSSL for Windows environments.
-
- - you need Perl.  Unless you will build on Cygwin, you will need
-   ActiveState Perl, available from http://www.activestate.com/ActivePerl.  
-   You also need the perl module Text::Template, available on CPAN.
-   Please read README.PERL for more information.
-
- - one of the following C compilers:
-
-  * Visual C++
-  * GNU C (Cygwin or MinGW)
-
-- Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us,
-  is required if you intend to utilize assembler modules. Note that NASM
-  is now the only supported assembler. Without this the "Configure" step below
-  must be done with the "no-asm" option. The Microsoft provided assembler is NOT
-  supported.
-
- Visual C++
- ----------
-
- If you want to compile in the assembly language routines with Visual
- C++, then you will need the Netwide Assembler binary, nasmw.exe or nasm.exe, to
- be available on your %PATH%.
-
- Firstly you should run Configure and generate the Makefiles. If you don't want
- the assembly language files then add the "no-asm" option (without quotes) to
- the Configure lines below.
-
- For Win32:
-
- > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
- > ms\do_nasm
-
- Note: replace the last line above with the following if not using the assembly
- language files:
-
- > ms\do_ms
-
- For Win64/x64:
-
- > perl Configure VC-WIN64A --prefix=c:\some\openssl\dir
- > ms\do_win64a
-
- For Win64/IA64:
-
- > perl Configure VC-WIN64I --prefix=c:\some\openssl\dir
- > ms\do_win64i
-
- Where the prefix argument specifies where OpenSSL will be installed to.
-
- Then from the VC++ environment at a prompt do the following. Note, your %PATH%
- and other environment variables should be set up for 32-bit or 64-bit
- development as appropriate.
-
- > nmake -f ms\ntdll.mak
-
- If all is well it should compile and you will have some DLLs and
- executables in out32dll. If you want to try the tests then do:
-
- > nmake -f ms\ntdll.mak test
-
- To install OpenSSL to the specified location do:
-
- > nmake -f ms\ntdll.mak install
-
- Tweaks:
-
- There are various changes you can make to the Windows compile
- environment. By default the library is not compiled with debugging
- symbols. If you add --debug to the Configure lines above then debugging symbols
- will be compiled in.
-
- By default in 1.1.0 OpenSSL will compile builtin ENGINES into separate shared
- libraries. If you specify the "enable-static-engine" option on the command line
- to Configure the shared library build (ms\ntdll.mak) will compile the engines
- into libeay32.dll instead.
-
- You can also build a static version of the library using the Makefile
- ms\nt.mak
-
- GNU C (Cygwin)
- --------------
-
- Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of the
- Windows subsystem and provides a bash shell and GNU tools environment.
- Consequently, a make of OpenSSL with Cygwin is virtually identical to the
- Unix procedure. It is also possible to create Windows binaries that only
- use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
- MinGW. MinGW can be used in the Cygwin development environment or in a
- standalone setup as described in the following section.
-
- To build OpenSSL using Cygwin:
-
- * Install Cygwin (see http://cygwin.com/)
-
- * Install Perl and ensure it is in the path. Both Cygwin perl
-   (5.6.1-2 or newer) and ActivePerl work.
-
- * Run the Cygwin bash shell
-
- * $ tar zxvf openssl-x.x.x.tar.gz
-   $ cd openssl-x.x.x
-
-   To build the Cygwin version of OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
-   This will create a default install in /usr/local/ssl.
-
-   To build the MinGW version (native Windows) in Cygwin:
-
-   $ ./Configure mingw
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
- Cygwin Notes:
-
- "make test" and normal file operations may fail in directories
- mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
- stripping of carriage returns. To avoid this ensure that a binary
- mount is used, e.g. mount -b c:\somewhere /home.
-
- GNU C (MinGW/MSYS)
- -------------
-
- * Compiler and shell environment installation:
-
-   MinGW and MSYS are available from http://www.mingw.org/, both are
-   required. Run the installers and do whatever magic they say it takes
-   to start MSYS bash shell with GNU tools on its PATH.
-
- * Compile OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-
-   This will create the library and binaries in root source directory
-   and openssl.exe application in apps directory.
-
-   It is also possible to cross-compile it on Linux by configuring
-   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'. Other
-   possible targets include x86_64-w64-mingw32- and i686-w64-mingw32-.
-
-   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
-   link with libeay32.a and libssl32.a instead.
-
- Linking your application
- ------------------------
-
- If you link with static OpenSSL libraries [those built with ms/nt.mak],
- then you're expected to additionally link your application with
- WS2_32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
- non-interactive service applications might feel concerned about linking
- with the latter two, as they are justly associated with interactive
- desktop, which is not available to service processes. The toolkit is
- designed to detect in which context it's currently executed, GUI,
- console app or service, and act accordingly, namely whether or not to
- actually make GUI calls. Additionally those who wish to
- /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
- off service process should consider implementing and exporting from
- .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
- E.g., on Windows Vista and later you could:
-
-	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
-	{   DWORD sess;
-	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
-	        return sess==0;
-	    return FALSE;
-	}
-
- If you link with OpenSSL .DLLs, then you're expected to include into
- your application code small "shim" snippet, which provides glue between
- OpenSSL BIO layer and your compiler run-time. See the OPENSSL_Applink
- manual page for further details.

Makefile.in

@@ -10,7 +10,10 @@ SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
 SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
 SHLIB_MAJOR={- $config{shlib_major} -}
 SHLIB_MINOR={- $config{shlib_minor} -}
-SHLIB_EXT={- $target{shared_extension} -}
+SHLIB_EXT={- $target{shared_extension} || ".so" -}
+SHLIB_EXT_SIMPLE={- $target{shared_extension_simple} || ".so" -}
+SHLIB_EXT_IMPORT={- $target{shared_import_extension} || "" -}
+DSO_EXT={- $target{dso_extension} || ".so" -}
 PLATFORM={- $config{target} -}
 OPTIONS={- $config{options} -}
 CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
@@ -90,12 +93,11 @@ ENGINESDIR={- use File::Spec::Functions;
 
 CROSS_COMPILE= {- $config{cross_compile_prefix} -}
 CC= $(CROSS_COMPILE){- $target{cc} -}
-CFLAG={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAG={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
 CFLAG_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
-DEPFLAG= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
-LDFLAG= {- $config{lflags} -}
-PLIB_LDFLAG= {- $config{plib_lflags} -}
-EX_LIBS= {- $config{ex_libs} -}
+LDFLAG= {- $target{lflags} -} {- $config{lflags} -}
+PLIB_LDFLAG= {- $target{plib_lflags} -} {- $config{plib_lflags} -}
+EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
 EXE_EXT= {- $target{exe_extension} -}
 ARFLAGS= {- $target{arflags} -}
 AR=$(CROSS_COMPILE){- $target{ar} -} $(ARFLAGS) r
@@ -121,7 +123,9 @@ ASFLAG=$(CFLAG)
 PROCESSOR= {- $config{processor} -}
 
 # CPUID module collects small commonly used assembler snippets
+APPS_OBJ={- $target{apps_obj} -}
 CPUID_OBJ= {- $target{cpuid_obj} -}
+UPLINK_OBJ= {- $target{uplink_obj} -}
 BN_ASM= {- $target{bn_obj} -}
 EC_ASM= {- $target{ec_obj} -}
 DES_ENC= {- $target{des_obj} -}
@@ -133,6 +137,7 @@ RC5_ENC= {- $target{rc5_obj} -}
 MD5_ASM_OBJ= {- $target{md5_obj} -}
 SHA1_ASM_OBJ= {- $target{sha1_obj} -}
 RMD160_ASM_OBJ= {- $target{rmd160_obj} -}
+BLAKE2_OBJ= {- $target{blake2_obj} -}
 WP_ASM_OBJ= {- $target{wp_obj} -}
 CMLL_ENC= {- $target{cmll_obj} -}
 MODES_ASM_OBJ= {- $target{modes_obj} -}
@@ -190,8 +195,9 @@ TOP=    .
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS={- '$(SHARED_CRYPTO) $(SHARED_SSL)' if (!$config{no_shared}) -}
-SHARED_LDFLAG={- $target{shared_ldflag}
+SHARED_LIBS={- $disabled{shared} ? '' : '$(SHARED_CRYPTO) $(SHARED_SSL)'  -}
+SHARED_CFLAG={- $target{shared_cflag} -}
+SHARED_LDFLAG={- $target{shared_ldflag}." ".$config{shared_ldflag}
                  # Unlike other OSes (like Solaris, Linux, Tru64,
                  # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
                  # and FreeBSD) "demand" RPATH set on .so objects.
@@ -206,6 +212,7 @@ SHARED_LDFLAG={- $target{shared_ldflag}
                  . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
                     ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
 SHARED_RCFLAG={- $target{shared_rcflag} -}
+DYNAMIC_ENGINES={- $config{dynamic_engines} -}
 
 GENERAL=        Makefile
 BASENAME=       openssl
@@ -224,6 +231,8 @@ INSTALLDIRS=	\
 		$(DESTDIR)$(OPENSSLDIR)/certs \
 		$(DESTDIR)$(OPENSSLDIR)/private
 
+ENGDIRS={- join(" ", @{$config{engdirs}}) -}
+
 all: Makefile build_all_but_tests
 
 # as we stick to -e, CLEARENV ensures that local variables in lower
@@ -246,30 +255,34 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 # same language for uniform treatment.
 BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		CC='$(CC)' CFLAG='$(CFLAG)' CFLAG_Q='$(CFLAG_Q)'	\
+		SHARED_CFLAG='$(SHARED_CFLAG)'				\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
-		CROSS_COMPILE='$(CROSS_COMPILE)'	\
-		PERL='$(PERL)'	\
+		CROSS_COMPILE='$(CROSS_COMPILE)'		\
+		PERL='$(PERL)' DYNAMIC_ENGINES='$(DYNAMIC_ENGINES)'	\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
 		DESTDIR='$(DESTDIR)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
-		DEPFLAG='$(DEPFLAG)'                    	\
 		SHARED_LDFLAG='$(SHARED_LDFLAG)'		\
 		SHARED_RCFLAG='$(SHARED_RCFLAG)'		\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
-		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
+		SHLIB_EXT='$(SHLIB_EXT)' DSO_EXT='$(DSO_EXT)'	\
+		SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		LDFLAG='$(LDFLAG)'				\
 		PLIB_LDFLAG='$(PLIB_LDFLAG)' EX_LIBS='$(EX_LIBS)'	\
+		APPS_OBJ='$(APPS_OBJ)' UPLINK_OBJ='$(UPLINK_OBJ)'	\
 		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
 		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
+		ENGDIRS='$(ENGDIRS)'    \
 		SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)'			\
 		MD5_ASM_OBJ='$(MD5_ASM_OBJ)'			\
 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
+		BLAKE2_OBJ='$(BLAKE2_OBJ)'                      \
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
 		PADLOCK_ASM_OBJ='$(PADLOCK_ASM_OBJ)'		\
@@ -374,7 +387,7 @@ do_$(SHLIB_TARGET):
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
-			link_a.$(SHLIB_TARGET); \
+			link_shlib.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
 		case "$(PLATFORM)" in \
 		Cygwin*) \
@@ -384,14 +397,15 @@ do_$(SHLIB_TARGET):
 			cp cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll test/; \
 			;; \
 		mingw*) \
-			case $$i in \
-				crypto) i=libeay32;; \
-				ssl) i=ssleay32;; \
-			esac; \
-			rm -f apps/$$i.dll; \
-			rm -f test/$$i.dll; \
-			cp $$i.dll apps/; \
-			cp $$i.dll test/; \
+			arch=; \
+		        if expr $(PLATFORM) : mingw64 > /dev/null; then \
+				arch=-x64; \
+			fi; \
+			rm -f apps/lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll; \
+			rm -f test/lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll; \
+			cp lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll apps/; \
+			cp lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll test/; \
+			;; \
 		esac; \
 	done
 
@@ -443,7 +457,7 @@ libclean:
 	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
 
 clean:	libclean
-	rm -f */*/*.o */*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
+	rm -f */*/*.o */*.o *.o core a.out fluff testlog make.log cctest cctest.c
 	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS) tags TAGS
@@ -463,22 +477,9 @@ gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 
-rehash: rehash.time
-rehash.time: certs build_apps build_tools
-	@if [ -z "$(CROSS_COMPILE)" ]; then \
-		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
-		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
-		$$OPENSSL rehash certs/demo \
-		|| $(PERL) tools/c_rehash certs/demo) && \
-		touch rehash.time; \
-	else :; fi
-
 test:   files tests
 
-
-tests:  build_tests rehash
+tests:  build_tests 
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
@@ -513,12 +514,11 @@ errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
-	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)
 
-ordinals: util/libeay.num util/ssleay.num test_ordinals TABLE
-util/libeay.num::
+ordinals: util/libcrypto.num util/libssl.num test_ordinals TABLE
+util/libcrypto.num::
 	$(PERL) util/mkdef.pl crypto update
-util/ssleay.num::
+util/libssl.num::
 	$(PERL) util/mkdef.pl ssl update
 test_ordinals:
 	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals
@@ -585,30 +585,40 @@ install_sw:
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
-			(       echo installing $$i; \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+				case "$(PLATFORM)" in \
+				Cygwin*) \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+					echo installing $$c; \
 					cp $$c $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$c.new $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
+					echo installing $$i.a; \
+					cp $$i.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+				mingw*) \
+					arch=; \
+				        if expr $(PLATFORM) : mingw64 > /dev/null; then \
+						arch=-x64; \
+					fi; \
+					m=`echo $$i | sed -e 's/\.dll$$/-$(SHLIB_MAJOR)_$(SHLIB_MINOR)'"$$arch"'.dll/'`; \
+					echo installing $$m; \
+					cp $$m $(DESTDIR)$(INSTALLTOP)/bin/$$m.new; \
+					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$m.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$m.new $(DESTDIR)$(INSTALLTOP)/bin/$$m; \
+					echo installing $$i.a; \
+					cp $$i.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					chmod 555 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+			        *) \
+					echo installing $$i; \
 					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				fi ); \
-				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-				(	case $$i in \
-						*crypto*) i=libeay32.dll;; \
-						*ssl*)    i=ssleay32.dll;; \
-					esac; \
-					echo installing $$i; \
-					cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
-				fi; \
+					;; \
+				esac; \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
@@ -639,31 +649,37 @@ uninstall_sw:
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+				case "$(PLATFORM)" in \
+				Cygwin*) \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
 					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+				mingw*) \
+					arch=; \
+				        if expr $(PLATFORM) : mingw64 > /dev/null; then \
+						arch=-x64; \
+					fi; \
+					m=`echo $$i | sed -e 's/\.dll$$/-$(SHLIB_MAJOR)_$(SHLIB_MINOR)'"$$arch"'.dll/'`; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$m; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$m; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+				*) \
 					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
-					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				fi; \
-				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-					case $$i in \
-						*crypto*) i=libeay32.dll;; \
-						*ssl*)    i=ssleay32.dll;; \
-					esac; \
-					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
-					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
-				fi; \
+					;; \
+				esac; \
 			fi; \
 		done; \
 	fi
 	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
 	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
 	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
-	@target=uninstall; $(RECURSIVE_BUILD_CMD)
+	@target=uninstall; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
 
 install_html_docs:
 	here="`pwd`"; \

Makefile.shared

@@ -50,8 +50,8 @@ OBJECTS=
 # For example, if a second library, say libbar.a needs to be linked into
 # libfoo.so, you need to do the following:
 #LIBEXTRAS=libbar.a
-# Note that this MUST be used when using the link_o targets, to hold the
-# names of all object files that go into the target library.
+# Note that this MUST be used when using the link_dso targets, to hold the
+# names of all object files that go into the target shared object.
 LIBEXTRAS=
 
 # LIBVERSION contains the current version of the library.
@@ -143,17 +143,17 @@ SYMLINK_SO=	\
 		fi; \
 	fi
 
-LINK_SO_A=	SHOBJECTS="$(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
-LINK_SO_O=	SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_SHLIB=	SHOBJECTS="$(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_DSO=	INHIBIT_SYMLINKS=yes; SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
 
-LINK_SO_A_VIA_O=	\
+LINK_SO_SHLIB_VIA_O=	\
   SHOBJECTS=$(DSTDIR)/lib$(LIBNAME).o; \
   ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
   ( echo ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL lib$(LIBNAME).a $(LIBEXTRAS); \
     ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL $(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS) ); \
   $(LINK_SO) && ( echo rm -f $$SHOBJECTS; rm -f $$SHOBJECTS )
 
-LINK_SO_A_UNPACKED=	\
+LINK_SO_SHLIB_UNPACKED=	\
   UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
   (cd $$UNPACKDIR; ar x ../$(DSTDIR)/lib$(LIBNAME).a) && \
   ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
@@ -162,13 +162,19 @@ LINK_SO_A_UNPACKED=	\
 
 DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 
-DO_GNU_SO=$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
+DO_GNU_SO_COMMON=\
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+DO_GNU_DSO=\
+	SHLIB=$(LIBNAME).so; \
+	SHLIB_SOVER=; \
 	SHLIB_SUFFIX=; \
+	$(DO_GNU_SO_COMMON)
+DO_GNU_SO=\
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
+	$(DO_GNU_SO_COMMON)
 DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
 
 #This is rather special.  It's a special target with which one can link
@@ -179,25 +185,29 @@ DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
 link_app.:
 	$(LINK_APP)
 
-link_o.gnu:
-	@ $(DO_GNU_SO); $(LINK_SO_O)
-link_a.gnu:
-	@ $(DO_GNU_SO); $(LINK_SO_A)
+link_dso.gnu:
+	@ $(DO_GNU_DSO); $(LINK_SO_DSO)
+link_shlib.gnu:
+	@ $(DO_GNU_SO); $(LINK_SO_SHLIB)
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)
 
-link_a.linux-shared:
-	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then $(DO_GNU_SO); else \
-	$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
-	$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
-	SHLIB_SUFFIX=; \
+link_shlib.linux-shared:
+	@$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+	$(DO_GNU_SO); \
 	ALLSYMSFLAGS='-Wl,--whole-archive,--version-script=$(LIBNAME).map'; \
-	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-	fi; $(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 
-link_o.bsd:
+link_dso.bsd:
+	@if $(DETECT_GNU_LD); then $(DO_GNU_DSO); else \
+	SHLIB=$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	LIBDEPS=" "; \
+	ALLSYMSFLAGS=; \
+	NOALLSYMSFLAGS=; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
+	fi; $(LINK_SO_DSO)
+link_shlib.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
@@ -206,27 +216,17 @@ link_o.bsd:
 	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
 	NOALLSYMSFLAGS=; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
-	fi; $(LINK_SO_O)
-link_a.bsd:
-	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
-	$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
-	SHLIB_SUFFIX=; \
-	LIBDEPS=" "; \
-	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
-	NOALLSYMSFLAGS=; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
-	fi; $(LINK_SO_A)
+	fi; $(LINK_SO_SHLIB)
 link_app.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
 	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBPATH)"; \
 	fi; $(LINK_APP)
 
 # For Darwin AKA Mac OS/X (dyld)
-# Originally link_o.darwin produced .so, because it was hard-coded
+# Originally link_dso.darwin produced .so, because it was hard-coded
 # in dso_dlfcn module. At later point dso_dlfcn switched to .dylib
 # extension in order to allow for run-time linking with vendor-
-# supplied shared libraries such as libz, so that link_o.darwin had
+# supplied shared libraries such as libz, so that link_dso.darwin had
 # to be harmonized with it. This caused minor controversy, because
 # it was believed that dlopen can't be used to dynamically load
 # .dylib-s, only so called bundle modules (ones linked with -bundle
@@ -239,21 +239,14 @@ link_app.bsd:
 # It works, because dlopen is [and always was] extension-agnostic.
 # Alternative to this heuristic approach is to develop specific
 # MacOS X dso module relying on whichever "native" dyld interface.
-link_o.darwin:
-	@ $(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME); \
+link_dso.darwin:
+	@ SHLIB=$(LIBNAME); \
 	SHLIB_SUFFIX=.dylib; \
-	ALLSYMSFLAGS='-all_load'; \
+	ALLSYMSFLAGS=''; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS="$(CFLAGS) `echo $(SHARED_LDFLAGS) | sed s/dynamiclib/bundle/`"; \
-	if [ -n "$(LIBVERSION)" ]; then \
-		SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
-	fi; \
-	if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
-		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
-	fi; \
-	$(LINK_SO_O)
-link_a.darwin:
+	$(LINK_SO_DSO)
+link_shlib.darwin:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME); \
 	SHLIB_SUFFIX=.dylib; \
@@ -267,65 +260,73 @@ link_a.darwin:
 		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
 	fi; \
 	SHAREDFLAGS="$$SHAREDFLAGS -install_name $(INSTALLTOP)/$(LIBDIR)/$$SHLIB$(SHLIB_EXT)"; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.darwin:	# is there run-path on darwin?
 	$(LINK_APP)
 
-link_o.cygwin:
-	@ $(CALC_VERSIONS); \
-	INHIBIT_SYMLINKS=yes; \
-	SHLIB=cyg$(LIBNAME); \
-	base=-Wl,--enable-auto-image-base; \
-	deffile=; \
-	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-		SHLIB=$(LIBNAME)eay32; base=; \
-		if test -f $(LIBNAME)eay32.def; then \
-			deffile=$(LIBNAME)eay32.def; \
-		fi; \
-	fi; \
+link_dso.cygwin:
+	@SHLIB=$(LIBNAME); \
 	SHLIB_SUFFIX=.dll; \
-	LIBVERSION="$(LIBVERSION)"; \
-	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
-	ALLSYMSFLAGS='-Wl,--whole-archive'; \
-	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-Bsymbolic"; \
-	$(LINK_SO_O)
-#for mingw target if def-file is in use dll-name should match library-name
-link_a.cygwin:
+	ALLSYMSFLAGS=''; \
+	NOALLSYMSFLAGS=''; \
+	base=-Wl,--enable-auto-image-base; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic"; \
+	$(LINK_SO_DSO)
+link_shlib.cygwin:
 	@ $(CALC_VERSIONS); \
 	INHIBIT_SYMLINKS=yes; \
 	SHLIB=cyg$(LIBNAME); SHLIB_SOVER=-$(LIBVERSION); SHLIB_SUFFIX=.dll; \
-	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \
-	base=-Wl,--enable-auto-image-base; \
-	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-		case $(LIBNAME) in \
-			crypto) SHLIB=libeay;; \
-			ssl) SHLIB=ssleay;; \
-		esac; \
-		SHLIB_SOVER=32; \
-		extras="$(LIBNAME).def"; \
-		$(PERL) $(SRCDIR)/util/mkdef.pl 32 $$SHLIB > $$extras; \
-		base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
-	fi; \
 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
 	echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \
 		     "$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \
 	$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \
 		$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \
-	extras="$$extras rc.o"; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
-	$(LINK_SO_A) || exit 1; \
-	rm $$extras
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a rc.o"; \
+	$(LINK_SO_SHLIB) || exit 1; \
+	rm rc.o
 link_app.cygwin:
-	@if expr "$(CFLAGS)" : '.*OPENSSL_USE_APPLINK' > /dev/null; then \
-		LIBDEPS="$(SRCDIR)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
-		export LIBDEPS; \
-	fi; \
 	$(LINK_APP)
 
-link_o.alpha-osf1:
+# link_dso.mingw-shared and link_app.mingw-shared are mapped to the
+# corresponding cygwin targets, as they do the exact same thing.
+link_shlib.mingw:
+	@ $(CALC_VERSIONS); \
+	INHIBIT_SYMLINKS=yes; \
+	arch=; \
+	if expr $(PLATFORM) : mingw64 > /dev/null; then arch=-x64; fi; \
+	sover=`echo $(LIBVERSION) | sed -e 's/\./_/g'` ; \
+	SHLIB=lib$(LIBNAME); \
+	SHLIB_SOVER=-$$sover$$arch; \
+	SHLIB_SUFFIX=.dll; \
+	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
+	base=; [ $(LIBNAME) = "crypto" -a -n "$(FIPSCANLIB)" ] && base=-Wl,--image-base,0x63000000; \
+	$(PERL) $(SRCDIR)/util/mkdef.pl 32 $(LIBNAME) \
+		| sed -e 's|^\(LIBRARY  *\)$(LIBNAME)32|\1'"$$dll_name"'|' \
+		> $(LIBNAME).def; \
+	echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \
+		"$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \
+	$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \
+		$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $(LIBNAME).def rc.o"; \
+	$(LINK_SO_SHLIB) || exit 1; \
+	rm $(LIBNAME).def rc.o
+
+link_dso.alpha-osf1:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.alpha-osf1:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -345,28 +346,7 @@ link_o.alpha-osf1:
 			SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
 		fi; \
 	fi; \
-	$(LINK_SO_O)
-link_a.alpha-osf1:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
-		else \
-			SHLIB_HIST="$(LIBVERSION)"; \
-		fi; \
-		SHLIB_SOVER=; \
-		ALLSYMSFLAGS='-all'; \
-		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
-		fi; \
-	fi; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.alpha-osf1:
 	@if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
@@ -375,39 +355,31 @@ link_app.alpha-osf1:
 	fi; \
 	$(LINK_APP)
 
-link_o.solaris:
+link_dso.solaris:
 	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
+		$(DO_GNU_DSO); \
 	else \
 		$(CALC_VERSIONS); \
-		MINUSZ='-z '; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		SHLIB=lib$(LIBNAME).so; \
+		SHLIB=$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
-		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+		ALLSYMSFLAGS=""; \
+		NOALLSYMSFLAGS=""; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.solaris:
+	$(LINK_SO_DSO)
+link_shlib.solaris:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
 		$(CALC_VERSIONS); \
-		MINUSZ='-z '; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=;\
-		if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then \
-			ALLSYMSFLAGS="$${MINUSZ}allextract"; \
-		else \
-			$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
-			ALLSYMSFLAGS="$${MINUSZ}allextract,-M,$(LIBNAME).map"; \
-		fi; \
-		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+		$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+		ALLSYMSFLAGS="-Wl,-z,allextract,-M,$(LIBNAME).map"; \
+		NOALLSYMSFLAGS="-Wl,-z,defaultextract"; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.solaris:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
@@ -417,7 +389,19 @@ link_app.solaris:
 	$(LINK_APP)
 
 # OpenServer 5 native compilers used
-link_o.svr3:
+link_dso.svr3:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.svr3:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -428,25 +412,26 @@ link_o.svr3:
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.svr3:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		$(CALC_VERSIONS); \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		ALLSYMSFLAGS=''; \
-		NOALLSYMSFLAGS=''; \
-		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-	fi; \
-	$(LINK_SO_A_UNPACKED)
+	$(LINK_SO_SHLIB_UNPACKED)
 link_app.svr3:
 	@$(DETECT_GNU_LD) && $(DO_GNU_APP); \
 	$(LINK_APP)
 
 # UnixWare 7 and OpenUNIX 8 native compilers used
-link_o.svr5:
+link_dso.svr5:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		SHARE_FLAG='-G'; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.svr5:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -459,26 +444,23 @@ link_o.svr5:
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.svr5:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		$(CALC_VERSIONS); \
-		SHARE_FLAG='-G'; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		ALLSYMSFLAGS=''; \
-		NOALLSYMSFLAGS=''; \
-		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-	fi; \
-	$(LINK_SO_A_UNPACKED)
+	$(LINK_SO_SHLIB_UNPACKED)
 link_app.svr5:
 	@$(DETECT_GNU_LD) && $(DO_GNU_APP); \
 	$(LINK_APP)
 
-link_o.irix:
+link_dso.irix:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=""; \
+		NOALLSYMSFLAGS=""; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SUFFIX,-B,symbolic"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.irix:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -491,21 +473,7 @@ link_o.irix:
 		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.irix:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		$(CALC_VERSIONS); \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		MINUSWL=""; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
-		ALLSYMSFLAGS="$${MINUSWL}-all"; \
-		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
-		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
-	fi; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.irix:
 	@LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
 	$(LINK_APP)
@@ -518,20 +486,19 @@ link_app.irix:
 # editor context only [it's simply ignored in other cases, which are all
 # ELFs by the way].
 #
-link_o.hpux:
-	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
-	$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).sl; \
-	expr "$(CFLAGS)" : '.*DSO_DLFCN' > /dev/null && SHLIB=lib$(LIBNAME).so; \
+link_dso.hpux:
+	@if $(DETECT_GNU_LD); then $(DO_GNU_DSO); else \
+	SHLIB=$(LIBNAME).sl; \
+	expr "$(CFLAGS)" : '.*DSO_DLFCN' > /dev/null && SHLIB=$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	ALLSYMSFLAGS='-Wl,-Fl'; \
+	ALLSYMSFLAGS=''; \
 	NOALLSYMSFLAGS=''; \
 	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
 	fi; \
-	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
-	$(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
-link_a.hpux:
+	rm -f $$SHLIB$$SHLIB_SUFFIX || :; \
+	$(LINK_SO_DSO) && chmod a=rx $$SHLIB$$SHLIB_SUFFIX
+link_shlib.hpux:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).sl; \
@@ -543,24 +510,23 @@ link_a.hpux:
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
 	fi; \
 	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
-	$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
+	$(LINK_SO_SHLIB) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
 link_app.hpux:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
 	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)
 
-link_o.aix:
-	@ $(CALC_VERSIONS); \
-	OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
+link_dso.aix:
+	@OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
 	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
-	SHLIB=lib$(LIBNAME).so; \
+	SHLIB=$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS=''; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
-	$(LINK_SO_O);
-link_a.aix:
+	$(LINK_SO_DSO);
+link_shlib.aix:
 	@ $(CALC_VERSIONS); \
 	OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || : ; \
 	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
@@ -569,7 +535,7 @@ link_a.aix:
 	ALLSYMSFLAGS='-bnogc'; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
-	$(LINK_SO_A_VIA_O)
+	$(LINK_SO_SHLIB_VIA_O)
 link_app.aix:
 	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)
@@ -595,54 +561,59 @@ symlink.hpux:
 symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
 
 # Compatibility targets
-link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
-link_a.bsd-gcc-shared link_a.gnu-shared: link_a.gnu
+link_dso.bsd-gcc-shared link_dso.linux-shared link_dso.gnu-shared: link_dso.gnu
+link_shlib.bsd-gcc-shared: link_shlib.linux-shared
+link_shlib.gnu-shared: link_shlib.gnu
 link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
 symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
-link_o.bsd-shared: link_o.bsd
-link_a.bsd-shared: link_a.bsd
+link_dso.bsd-shared: link_dso.bsd
+link_shlib.bsd-shared: link_shlib.bsd
 link_app.bsd-shared: link_app.bsd
-link_o.darwin-shared: link_o.darwin
-link_a.darwin-shared: link_a.darwin
+link_dso.darwin-shared: link_dso.darwin
+link_shlib.darwin-shared: link_shlib.darwin
 link_app.darwin-shared: link_app.darwin
 symlink.darwin-shared: symlink.darwin
-link_o.cygwin-shared: link_o.cygwin
-link_a.cygwin-shared: link_a.cygwin
+link_dso.cygwin-shared: link_dso.cygwin
+link_shlib.cygwin-shared: link_shlib.cygwin
 link_app.cygwin-shared: link_app.cygwin
 symlink.cygwin-shared: symlink.cygwin
-link_o.alpha-osf1-shared: link_o.alpha-osf1
-link_a.alpha-osf1-shared: link_a.alpha-osf1
+link_dso.mingw-shared: link_dso.cygwin
+link_shlib.mingw-shared: link_shlib.mingw
+link_app.mingw-shared: link_app.cygwin
+symlink.mingw-shared: symlink.cygwin
+link_dso.alpha-osf1-shared: link_dso.alpha-osf1
+link_shlib.alpha-osf1-shared: link_shlib.alpha-osf1
 link_app.alpha-osf1-shared: link_app.alpha-osf1
 symlink.alpha-osf1-shared: symlink.alpha-osf1
-link_o.tru64-shared: link_o.tru64
-link_a.tru64-shared: link_a.tru64
+link_dso.tru64-shared: link_dso.tru64
+link_shlib.tru64-shared: link_shlib.tru64
 link_app.tru64-shared: link_app.tru64
 symlink.tru64-shared: symlink.tru64
-link_o.tru64-shared-rpath: link_o.tru64-rpath
-link_a.tru64-shared-rpath: link_a.tru64-rpath
+link_dso.tru64-shared-rpath: link_dso.tru64-rpath
+link_shlib.tru64-shared-rpath: link_shlib.tru64-rpath
 link_app.tru64-shared-rpath: link_app.tru64-rpath
 symlink.tru64-shared-rpath: symlink.tru64-rpath
-link_o.solaris-shared: link_o.solaris
-link_a.solaris-shared: link_a.solaris
+link_dso.solaris-shared: link_dso.solaris
+link_shlib.solaris-shared: link_shlib.solaris
 link_app.solaris-shared: link_app.solaris
 symlink.solaris-shared: symlink.solaris
-link_o.svr3-shared: link_o.svr3
-link_a.svr3-shared: link_a.svr3
+link_dso.svr3-shared: link_dso.svr3
+link_shlib.svr3-shared: link_shlib.svr3
 link_app.svr3-shared: link_app.svr3
 symlink.svr3-shared: symlink.svr3
-link_o.svr5-shared: link_o.svr5
-link_a.svr5-shared: link_a.svr5
+link_dso.svr5-shared: link_dso.svr5
+link_shlib.svr5-shared: link_shlib.svr5
 link_app.svr5-shared: link_app.svr5
 symlink.svr5-shared: symlink.svr5
-link_o.irix-shared: link_o.irix
-link_a.irix-shared: link_a.irix
+link_dso.irix-shared: link_dso.irix
+link_shlib.irix-shared: link_shlib.irix
 link_app.irix-shared: link_app.irix
 symlink.irix-shared: symlink.irix
-link_o.hpux-shared: link_o.hpux
-link_a.hpux-shared: link_a.hpux
+link_dso.hpux-shared: link_dso.hpux
+link_shlib.hpux-shared: link_shlib.hpux
 link_app.hpux-shared: link_app.hpux
 symlink.hpux-shared: symlink.hpux
-link_o.aix-shared: link_o.aix
-link_a.aix-shared: link_a.aix
+link_dso.aix-shared: link_dso.aix
+link_shlib.aix-shared: link_shlib.aix
 link_app.aix-shared: link_app.aix
 symlink.aix-shared: symlink.aix

NEWS

@@ -5,8 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.2g and OpenSSL 1.1.0 [in pre-release]
 
+      o Added support for "pipelining"
+      o Added the AFALG engine
+      o New threading API implemented
       o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
       o Support for extended master secret
       o CCM ciphersuites
@@ -34,6 +37,26 @@
         the directory for certs, private key and openssl.cnf exclusively.
       o Reworked BIO networking library, with full support for IPv6.
       o New "unified" build system
+      o New security levels
+      o Support for scrypt algorithm
+      o Support for X25519
+      o Extended SSL_CONF support using configuration files
+      o KDF algorithm support. Implement TLS PRF as a KDF.
+      o Support for Certificate Transparency
+      o HKDF support.
+
+  Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
+
+      o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+      o Disable SSLv2 default build, default negotiation and weak ciphers
+        (CVE-2016-0800)
+      o Fix a double-free in DSA code (CVE-2016-0705)
+      o Disable SRP fake user seed to address a server memory leak
+        (CVE-2016-0798)
+      o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+        (CVE-2016-0797)
+      o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
+      o Fix side channel attack on modular exponentiation (CVE-2016-0702)
 
   Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
 

NOTES.VMS

@@ -0,0 +1,47 @@
+
+ NOTES FOR THE OPENVMS PLATFORM
+ ==============================
+
+ Requirement details
+ -------------------
+
+ In addition to the requirements listed in INSTALL, these are required
+ as well:
+
+  * At least ODS-5 disk organization for source and build.
+    Installation can be done on any existing disk organization.
+
+
+ About ANSI C compiler
+ ---------------------
+
+ An ANSI C compiled is needed among other things.  This means that VAX C
+ is not and will not be supported.
+
+ We have only tested with DEC C (a.k.a HP VMS C / VSI C), compiling with
+ a different ANSI C compiler may require some work.
+
+
+ Checking the distribution
+ -------------------------
+
+ There have been reports of places where the distribution didn't quite
+ get through, for example if you've copied the tree from a NFS-mounted
+ Unix mount point.
+
+ The easiest way to check if everything got through as it should is to
+ check for one of the following files:
+
+   [.crypto]opensslconf^.h.in
+
+ The best way to get a correct distribution is to download the gzipped
+ tar file from ftp://ftp.openssl.org/source/, use GZIP -d to uncompress
+ it and VMSTAR to unpack the resulting tar file.
+
+ Gzip and VMSTAR are available here:
+
+   http://antinode.info/dec/index.html#Software
+
+ Should you need it, you can find UnZip for VMS here:
+
+   http://www.info-zip.org/UnZip.html

NOTES.WIN

@@ -0,0 +1,174 @@
+
+ NOTES FOR THE WINDOWS PLATFORMS
+ ===============================
+
+ [Notes for Windows CE can be found in INSTALL.WCE]
+
+ Requirement details for native (Visual C++) builds
+ --------------------------------------------------
+
+ - You need Perl.  We recommend ActiveState Perl, available from
+   http://www.activestate.com/ActivePerl.
+   You also need the perl module Text::Template, available on CPAN.
+   Please read README.PERL for more information.
+
+ - You need a C compiler.  OpenSSL has been tested to build with these:
+
+   * Visual C++
+
+ - Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us,
+   is required if you intend to utilize assembler modules. Note that NASM
+   is the only supported assembler. The Microsoft provided assembler is NOT
+   supported.
+
+
+ GNU C (Cygwin)
+ --------------
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of the
+ Windows subsystem and provides a bash shell and GNU tools environment.
+ Consequently, a make of OpenSSL with Cygwin is virtually identical to the
+ Unix procedure.
+
+ To build OpenSSL using Cygwin, you need to:
+
+ * Install Cygwin (see http://cygwin.com/)
+
+ * Install Cygwin Perl and ensure it is in the path. Recall that
+   as least 5.10.0 is required.
+
+ * Run the Cygwin bash shell
+
+ Apart from that, follow the Unix instructions in INSTALL.
+
+ NOTE: "make test" and normal file operations may fail in directories
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
+ stripping of carriage returns. To avoid this ensure that a binary
+ mount is used, e.g. mount -b c:\somewhere /home.
+
+ It is also possible to create "conventional" Windows binaries that use
+ the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using MinGW
+ development add-on for Cygwin. MinGW is supported even as a standalone
+ setup as described in the following section. In the context you should
+ recognize that binaries targeting Cygwin itself are not interchangeable
+ with "conventional" Windows binaries you generate with/for MinGW.
+
+ GNU C (MinGW/MSYS)
+ -------------
+
+ * Compiler and shell environment installation:
+
+   MinGW and MSYS are available from http://www.mingw.org/, both are
+   required. Run the installers and do whatever magic they say it takes
+   to start MSYS bash shell with GNU tools and matching Perl on its PATH.
+   "Matching Perl" refers to chosen "shell environment", i.e. if built
+   under MSYS, then Perl compiled for MSYS is highly recommended.
+
+   Alternativelly, one can use MSYS2 from http://msys2.github.io/,
+   which includes MingW (32-bit and 64-bit).
+
+ * It is also possible to cross-compile it on Linux by configuring
+   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'.
+   Other possible cross compile prefixes include x86_64-w64-mingw32-
+   and i686-w64-mingw32-.
+
+
+ "Classic" builds (Visual C++)
+ ----------------
+
+ [OpenSSL was classically built using a script called mk1mf.  This is
+  still available by configuring with --classic.  The notes below are
+  using this flag, and are tentative.  Use with care.
+
+  NOTE: this won't be available for long.]
+
+ If you want to compile in the assembly language routines with Visual
+ C++, then you will need the Netwide Assembler binary, nasmw.exe or nasm.exe, to
+ be available on your %PATH%.
+
+ Firstly you should run Configure and generate the Makefiles. If you don't want
+ the assembly language files then add the "no-asm" option (without quotes) to
+ the Configure lines below.
+
+ For Win32:
+
+ > perl Configure VC-WIN32 --classic --prefix=c:\some\openssl\dir
+ > ms\do_nasm
+
+ Note: replace the last line above with the following if not using the assembly
+ language files:
+
+ > ms\do_ms
+
+ For Win64/x64:
+
+ > perl Configure VC-WIN64A --classic --prefix=c:\some\openssl\dir
+ > ms\do_win64a
+
+ For Win64/IA64:
+
+ > perl Configure VC-WIN64I --classic --prefix=c:\some\openssl\dir
+ > ms\do_win64i
+
+ Where the prefix argument specifies where OpenSSL will be installed to.
+
+ Then from the VC++ environment at a prompt do the following. Note, your %PATH%
+ and other environment variables should be set up for 32-bit or 64-bit
+ development as appropriate.
+
+ > nmake -f ms\ntdll.mak
+
+ If all is well it should compile and you will have some DLLs and
+ executables in out32dll. If you want to try the tests then do:
+
+ > nmake -f ms\ntdll.mak test
+
+ To install OpenSSL to the specified location do:
+
+ > nmake -f ms\ntdll.mak install
+
+ Tweaks:
+
+ There are various changes you can make to the Windows compile
+ environment. By default the library is not compiled with debugging
+ symbols. If you add --debug to the Configure lines above then debugging symbols
+ will be compiled in.
+
+ By default in 1.1.0 OpenSSL will compile builtin ENGINES into separate shared
+ libraries. If you specify the "enable-static-engine" option on the command line
+ to Configure the shared library build (ms\ntdll.mak) will compile the engines
+ into libcrypto32.dll instead.
+
+ You can also build a static version of the library using the Makefile
+ ms\nt.mak
+
+ Linking your application
+ ------------------------
+
+ This section applies to non-Cygwin builds.
+
+ If you link with static OpenSSL libraries then you're expected to
+ additionally link your application with WS2_32.LIB, ADVAPI32.LIB,
+ GDI32.LIB and USER32.LIB. Those developing non-interactive service
+ applications might feel concerned about linking with the latter two,
+ as they are justly associated with interactive desktop, which is not
+ available to service processes. The toolkit is designed to detect in
+ which context it's currently executed, GUI, console app or service,
+ and act accordingly, namely whether or not to actually make GUI calls.
+ Additionally those who wish to /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL
+ and actually keep them off service process should consider
+ implementing and exporting from .exe image in question own
+ _OPENSSL_isservice not relying on USER32.DLL.
+ E.g., on Windows Vista and later you could:
+
+	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
+	{   DWORD sess;
+	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
+	        return sess==0;
+	    return FALSE;
+	}
+
+ If you link with OpenSSL .DLLs, then you're expected to include into
+ your application code small "shim" snippet, which provides glue between
+ OpenSSL BIO layer and your compiler run-time. See the OPENSSL_Applink
+ manual page for further details.

PROBLEMS

@@ -1,213 +0,0 @@
-* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
-
-
-    NOTE: The problem described here only applies when OpenSSL isn't built
-    with shared library support (i.e. without the "shared" configuration
-    option).  If you build with shared library support, you will have no
-    problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
-
-
-This is really a misfeature in ld, which seems to look for .dylib libraries
-along the whole library path before it bothers looking for .a libraries.  This
-means that -L switches won't matter unless OpenSSL is built with shared
-library support.
-
-The workaround may be to change the following lines in apps/Makefile and
-test/Makefile:
-
-  LIBCRYPTO=-L.. -lcrypto
-  LIBSSL=-L.. -lssl
-
-to:
-
-  LIBCRYPTO=../libcrypto.a
-  LIBSSL=../libssl.a
-
-It's possible that something similar is needed for shared library support
-as well.  That hasn't been well tested yet.
-
-
-Another solution that many seem to recommend is to move the libraries
-/usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
-directory, build and install OpenSSL and anything that depends on your
-build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
-original places.  Note that the version numbers on those two libraries
-may differ on your machine.
-
-
-As long as Apple doesn't fix the problem with ld, this problem building
-OpenSSL will remain as is. Well, the problem was addressed in 0.9.8f by
-passing -Wl,-search_paths_first, but it's unknown if the flag was
-supported from the initial MacOS X release.
-
-
-* Parallell make leads to errors
-
-While running tests, running a parallell make is a bad idea.  Many test
-scripts use the same name for output and input files, which means different
-will interfere with each other and lead to test failure.
-
-The solution is simple for now: don't run parallel make when testing.
-
-
-* Bugs in gcc triggered
-
-- According to a problem report, there are bugs in gcc 3.0 that are
-  triggered by some of the code in OpenSSL, more specifically in
-  PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
-
-	header+=11;
-	if (*header != '4') return(0); header++;
-	if (*header != ',') return(0); header++;
-
-  What happens is that gcc might optimize a little too agressively, and
-  you end up with an extra incrementation when *header != '4'.
-
-  We recommend that you upgrade gcc to as high a 3.x version as you can.
-
-- According to multiple problem reports, some of our message digest
-  implementations trigger bug[s] in code optimizer in gcc 3.3 for sparc64
-  and gcc 2.96 for ppc. Former fails to complete RIPEMD160 test, while
-  latter - SHA one.
-
-  The recomendation is to upgrade your compiler. This naturally applies to
-  other similar cases.
-
-- There is a subtle Solaris x86-specific gcc run-time environment bug, which
-  "falls between" OpenSSL [0.9.8 and later], Solaris ld and GCC. The bug
-  manifests itself as Segmentation Fault upon early application start-up.
-  The problem can be worked around by patching the environment according to
-  http://www.openssl.org/~appro/values.c.
-
-* solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
-
-As subject suggests SHA-1 might perform poorly (4 times slower)
-if compiled with WorkShop 6 compiler and -xarch=v9. The cause for
-this seems to be the fact that compiler emits multiplication to
-perform shift operations:-( To work the problem around configure
-with './Configure solaris64-sparcv9-cc -DMD32_REG_T=int'.
-
-* Problems with hp-parisc2-cc target when used with "no-asm" flag
-
-When using the hp-parisc2-cc target, wrong bignum code is generated.
-This is due to the SIXTY_FOUR_BIT build being compiled with the +O3
-aggressive optimization.
-The problem manifests itself by the BN_kronecker test hanging in an
-endless loop. Reason: the BN_kronecker test calls BN_generate_prime()
-which itself hangs. The reason could be tracked down to the bn_mul_comba8()
-function in bn_asm.c. At some occasions the higher 32bit value of r[7]
-is off by 1 (meaning: calculated=shouldbe+1). Further analysis failed,
-as no debugger support possible at +O3 and additional fprintf()'s
-introduced fixed the bug, therefore it is most likely a bug in the
-optimizer.
-The bug was found in the BN_kronecker test but may also lead to
-failures in other parts of the code.
-(See Ticket #426.)
-
-Workaround: modify the target to +O2 when building with no-asm.
-
-* Problems building shared libraries on SCO OpenServer Release 5.0.6
-  with gcc 2.95.3
-
-The symptoms appear when running the test suite, more specifically
-test/ectest, with the following result:
-
-OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest
-ectest.c:186: ABORT
-
-The cause of the problem seems to be that isxdigit(), called from
-BN_hex2bn(), returns 0 on a perfectly legitimate hex digit.  Further
-investigation shows that any of the isxxx() macros return 0 on any
-input.  A direct look in the information array that the isxxx() use,
-called __ctype, shows that it contains all zeroes...
-
-Taking a look at the newly created libcrypto.so with nm, one can see
-that the variable __ctype is defined in libcrypto's .bss (which
-explains why it is filled with zeroes):
-
-$ nm -Pg libcrypto.so | grep __ctype
-__ctype B 0011659c
-__ctype2 U         
-
-Curiously, __ctype2 is undefined, in spite of being declared in
-/usr/include/ctype.h in exactly the same way as __ctype.
-
-Any information helping to solve this issue would be deeply
-appreciated.
-
-NOTE: building non-shared doesn't come with this problem.
-
-* ULTRIX build fails with shell errors, such as "bad substitution"
-  and "test: argument expected"
-
-The problem is caused by ULTRIX /bin/sh supporting only original
-Bourne shell syntax/semantics, and the trouble is that the vast
-majority is so accustomed to more modern syntax, that very few
-people [if any] would recognize the ancient syntax even as valid.
-This inevitably results in non-trivial scripts breaking on ULTRIX,
-and OpenSSL isn't an exclusion. Fortunately there is workaround,
-hire /bin/ksh to do the job /bin/sh fails to do.
-
-1. Trick make(1) to use /bin/ksh by setting up following environ-
-   ment variables *prior* you execute ./Configure and make:
-
-	PROG_ENV=POSIX
-	MAKESHELL=/bin/ksh
-	export PROG_ENV MAKESHELL
-
-   or if your shell is csh-compatible:
-
-	setenv PROG_ENV POSIX
-	setenv MAKESHELL /bin/ksh
-
-2. Trick /bin/sh to use alternative expression evaluator. Create
-   following 'test' script for example in /tmp:
-
-	#!/bin/ksh
-	${0##*/} "$@"
-
-   Then 'chmod a+x /tmp/test; ln /tmp/test /tmp/[' and *prepend*
-   your $PATH with chosen location, e.g. PATH=/tmp:$PATH. Alter-
-   natively just replace system /bin/test and /bin/[ with the
-   above script.
-
-* hpux64-ia64-cc fails blowfish test.
-
-Compiler bug, presumably at particular patch level. It should be noted
-that same compiler generates correct 32-bit code, a.k.a. hpux-ia64-cc
-target. Drop optimization level to +O2 when compiling 64-bit bf_skey.o.
-
-* no-engines generates errors.
-
-Unfortunately, the 'no-engines' configuration option currently doesn't
-work properly.  Use 'no-hw' and you'll will at least get no hardware
-support.  We'll see how we fix that on OpenSSL versions past 0.9.8.
-
-* 'make test' fails in BN_sqr [commonly with "error 139" denoting SIGSEGV]
-  if elder GNU binutils were deployed to link shared libcrypto.so.
-
-As subject suggests the failure is caused by a bug in elder binutils,
-either as or ld, and was observed on FreeBSD and Linux. There are two
-options. First is naturally to upgrade binutils, the second one - to
-reconfigure with additional no-sse2 [or 386] option passed to ./config.
-
-* If configured with ./config no-dso, toolkit still gets linked with -ldl,
-  which most notably poses a problem when linking with dietlibc.
-
-We don't have framework to associate -ldl with no-dso, therefore the only
-way is to edit Makefile right after ./config no-dso and remove -ldl from
-EX_LIBS line.
-
-* hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
-
-Compiler bug, presumably at particular patch level. Remaining
-hpux*-parisc*-cc configurations can be affected too. Drop optimization
-level to +O2 when compiling bn_nist.o.
-
-* solaris64-sparcv9-cc link failure
-
-Solaris 8 ar can fail to maintain symbol table in .a, which results in
-link failures. Apply 109147-09 or later or modify Makefile generated
-by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
-
-	RANLIB= /usr/ccs/bin/ar rs

README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0-pre3 (alpha) 15 Feb 2016
+ OpenSSL 1.1.0-pre4 (beta) 16 Mar 2016
 
  Copyright (c) 1998-2016 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

README.ENGINE

@@ -13,11 +13,10 @@
   There are currently built-in ENGINE implementations for the following
   crypto devices:
 
-      o CryptoSwift
-      o Compaq Atalla
+      o Cryptodev
+      o Microsoft CryptoAPI
+      o VIA Padlock
       o nCipher CHIL
-      o Nuron
-      o Broadcom uBSec
 
   In addition, dynamic binding to external ENGINE implementations is now
   provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"

VMS/openssl_shutdown.com.in

@@ -39,7 +39,7 @@ $	DEAS OSSL$LIB'v'
 $	DEAS OSSL$SHARE'v'
 $	DEAS OSSL$ENGINES'v'
 $	DEAS OSSL$EXE'v'
-$       {- output_off() if $config{no_shared} -}
+$       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$       ", map { "DEAS $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
 $	IF P2 .NES. "NOALIASES"
@@ -51,7 +51,7 @@ $	    DEAS OSSL$SHARE
 $	    DEAS OSSL$ENGINES
 $	    DEAS OSSL$EXE
 $	    DEAS OPENSSL
-$           {- output_off() if $config{no_shared} -}
+$           {- output_off() if $disabled{shared} -}
 $           {- join("\n\$           ", map { "DEAS $_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $           {- output_on() -}
 $	ENDIF

VMS/openssl_startup.com.in

@@ -88,7 +88,7 @@ $	DEF  OSSL$LIB'v'	OSSL$INSTROOT:['arch'.LIB]
 $	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:['arch'.LIB]
 $	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:['arch'.ENGINES]
 $	DEF  OSSL$EXE'v'	OSSL$INSTROOT:['arch'.EXE]
-$       {- output_off() if $config{no_shared} -}
+$       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$       ", map { "DEF  $_'v' OSSL\$SHARE:$_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
 $	IF P2 .NES. "NOALIASES"
@@ -100,7 +100,7 @@ $	    DEF OSSL$SHARE	OSSL$SHARE'v'
 $	    DEF OSSL$ENGINES	OSSL$ENGINES'v'
 $	    DEF OSSL$EXE	OSSL$EXE'v'
 $	    DEF OPENSSL		OSSL$INCLUDE:[OPENSSL]
-$       {- output_off() if $config{no_shared} -}
+$       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$           ", map { "DEF  $_ $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
 $	ENDIF

apps/Makefile.in

@@ -15,6 +15,8 @@ PLIB_LDFLAG=
 EX_LIBS= 
 EXE_EXT= 
 
+APPS_OBJ=
+
 SHLIB_TARGET=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
@@ -28,6 +30,7 @@ LIBSSL=-L.. -lssl
 
 SCRIPTS=CA.pl tsget
 EXE= openssl$(EXE_EXT)
+CONFS=openssl.cnf ct_log_list.cnf
 
 COMMANDS= \
 	asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
@@ -52,7 +55,7 @@ SRC	= \
 	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
 	srp.c ts.c verify.c version.c x509.c rehash.c
 
-EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
+EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ) $(APPS_OBJ)
 EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
 
 HEADER=	apps.h progs.h s_apps.h \
@@ -78,40 +81,48 @@ files:
 install:
 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@set -e; for i in $(EXE); \
-	do  \
-	(echo installing $$i; \
-	 cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-	 chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-	 mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
-	 done;
+	do \
+		echo installing $$i; \
+		cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+	done
 	@set -e; for i in $(SCRIPTS); \
-	do  \
-	(echo installing $$i; \
-	 cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
-	 chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
-	 mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i ); \
-	 done
-	@cp openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
-	chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
-	mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+	do \
+		echo installing $$i; \
+		cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+		chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+		mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
+	done
+	@set -e; for i in $(CONFS); \
+	do \
+		echo installing $$i; \
+		cp $$i $(DESTDIR)$(OPENSSLDIR)/$$i.new; \
+		chmod 644 $(DESTDIR)$(OPENSSLDIR)/$$i.new; \
+		mv -f $(DESTDIR)$(OPENSSLDIR)/$$i.new $(DESTDIR)$(OPENSSLDIR)/$$i; \
+	done
 
 uninstall:
 	@set -e; for i in $(EXE); \
-	do  \
+	do \
 		echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
-	done;
+	done
 	@set -e; for i in $(SCRIPTS); \
-	do  \
+	do \
 		echo $(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
 		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
 	done
-	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+	@set -e; for i in $(CONFS); \
+	do \
+		echo $(RM) $(DESTDIR)$(OPENSSLDIR)/$$i; \
+		$(RM) $(DESTDIR)$(OPENSSLDIR)/$$i; \
+	done
 
 generate: openssl-vms.cnf progs.h
 
 depend:
-	$(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
+	$(TOP)/util/domd $(CFLAG) $(INCLUDES) -- $(EXE_SRC)
 
 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)

apps/apps.c

@@ -141,9 +141,6 @@
 # include <openssl/rsa.h>
 #endif
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_JPAKE
-# include <openssl/jpake.h>
-#endif
 #include <openssl/ssl.h>
 
 #include "apps.h"
@@ -238,6 +235,19 @@ int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
     return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
 }
 
+#ifndef OPENSSL_NO_CT
+
+int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
+{
+    if (path == NULL) {
+        return SSL_CTX_set_default_ctlog_list_file(ctx);
+    }
+
+    return SSL_CTX_set_ctlog_list_file(ctx, path);
+}
+
+#endif
+
 int dump_cert_text(BIO *out, X509 *x)
 {
     char *p;
@@ -630,7 +640,8 @@ static int load_pkcs12(BIO *in, const char *desc,
     return ret;
 }
 
-int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
+#ifndef OPENSSL_NO_OCSP
+static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
 {
     char *host = NULL, *port = NULL, *path = NULL;
     BIO *bio = NULL;
@@ -676,15 +687,17 @@ int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
     }
     return rv;
 }
+#endif
 
-X509 *load_cert(const char *file, int format,
-                const char *pass, ENGINE *e, const char *cert_descrip)
+X509 *load_cert(const char *file, int format, const char *cert_descrip)
 {
     X509 *x = NULL;
     BIO *cert;
 
     if (format == FORMAT_HTTP) {
+#ifndef OPENSSL_NO_OCSP
         load_cert_crl_http(file, &x, NULL);
+#endif
         return x;
     }
 
@@ -723,7 +736,9 @@ X509_CRL *load_crl(const char *infile, int format)
     BIO *in = NULL;
 
     if (format == FORMAT_HTTP) {
+#ifndef OPENSSL_NO_OCSP
         load_cert_crl_http(infile, NULL, &x);
+#endif
         return x;
     }
 
@@ -907,7 +922,7 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
 }
 
 static int load_certs_crls(const char *file, int format,
-                           const char *pass, ENGINE *e, const char *desc,
+                           const char *pass, const char *desc,
                            STACK_OF(X509) **pcerts,
                            STACK_OF(X509_CRL) **pcrls)
 {
@@ -1005,18 +1020,18 @@ void* app_malloc(int sz, const char *what)
  * Initialize or extend, if *certs != NULL,  a certificate stack.
  */
 int load_certs(const char *file, STACK_OF(X509) **certs, int format,
-               const char *pass, ENGINE *e, const char *desc)
+               const char *pass, const char *desc)
 {
-    return load_certs_crls(file, format, pass, e, desc, certs, NULL);
+    return load_certs_crls(file, format, pass, desc, certs, NULL);
 }
 
 /*
  * Initialize or extend, if *crls != NULL,  a certificate stack.
  */
 int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
-              const char *pass, ENGINE *e, const char *desc)
+              const char *pass, const char *desc)
 {
-    return load_certs_crls(file, format, pass, e, desc, NULL, crls);
+    return load_certs_crls(file, format, pass, desc, NULL, crls);
 }
 
 #define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
@@ -1303,7 +1318,7 @@ X509_STORE *setup_verify(char *CAfile, char *CApath, int noCAfile, int noCApath)
 
 #ifndef OPENSSL_NO_ENGINE
 /* Try to load an engine in a shareable library */
-static ENGINE *try_load_engine(const char *engine, int debug)
+static ENGINE *try_load_engine(const char *engine)
 {
     ENGINE *e = ENGINE_by_id("dynamic");
     if (e) {
@@ -1327,7 +1342,7 @@ ENGINE *setup_engine(const char *engine, int debug)
             return NULL;
         }
         if ((e = ENGINE_by_id(engine)) == NULL
-            && (e = try_load_engine(engine, debug)) == NULL) {
+            && (e = try_load_engine(engine)) == NULL) {
             BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
             ERR_print_errors(bio_err);
             return NULL;
@@ -1465,9 +1480,6 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
         j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
 #endif
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
-#endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
         ERR_print_errors(bio_err);
@@ -1506,17 +1518,10 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
 #else
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-               serialfile, buf[1]);
 #endif
     if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -1528,10 +1533,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
         perror("reason");
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-               buf[0], serialfile);
-#endif
     if (rename(buf[0], serialfile) < 0) {
         BIO_printf(bio_err,
                    "unable to rename %s to %s\n", buf[0], serialfile);
@@ -1607,10 +1608,6 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
     if (dbattr_conf) {
         char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
         if (p) {
-#ifdef RL_DEBUG
-            BIO_printf(bio_err,
-                       "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
-#endif
             retdb->attributes.unique_subject = parse_yesno(p, 1);
         }
     }
@@ -1657,21 +1654,12 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
-#else
-    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
-#else
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
 #else
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
 #endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
@@ -1685,9 +1673,6 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
         goto err;
 
     out = BIO_new_file(buf[1], "w");
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
-#endif
     if (out == NULL) {
         perror(buf[2]);
         BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
@@ -1718,31 +1703,16 @@ int rotate_index(const char *dbfile, const char *new_suffix,
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
-#else
-    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
 #else
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
-#else
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
-    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
-#else
+    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
     j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
 #endif
     if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -1753,18 +1723,12 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         perror("reason");
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile);
-#endif
     if (rename(buf[0], dbfile) < 0) {
         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
         perror("reason");
         rename(buf[1], dbfile);
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]);
-#endif
     if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
         && errno != ENOTDIR
@@ -1776,9 +1740,6 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         rename(buf[1], dbfile);
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]);
-#endif
     if (rename(buf[2], buf[4]) < 0) {
         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
         perror("reason");
@@ -1990,229 +1951,6 @@ void policies_print(X509_STORE_CTX *ctx)
     nodes_print("User", X509_policy_tree_get0_user_policies(tree));
 }
 
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-
-static JPAKE_CTX *jpake_init(const char *us, const char *them,
-                             const char *secret)
-{
-    BIGNUM *p = NULL;
-    BIGNUM *g = NULL;
-    BIGNUM *q = NULL;
-    BIGNUM *bnsecret = BN_new();
-    JPAKE_CTX *ctx;
-
-    /* Use a safe prime for p (that we found earlier) */
-    BN_hex2bn(&p,
-              "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
-    g = BN_new();
-    BN_set_word(g, 2);
-    q = BN_new();
-    BN_rshift1(q, p);
-
-    BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
-
-    ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
-    BN_free(bnsecret);
-    BN_free(q);
-    BN_free(g);
-    BN_free(p);
-
-    return ctx;
-}
-
-static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
-{
-    BN_print(conn, p->gx);
-    BIO_puts(conn, "\n");
-    BN_print(conn, p->zkpx.gr);
-    BIO_puts(conn, "\n");
-    BN_print(conn, p->zkpx.b);
-    BIO_puts(conn, "\n");
-}
-
-static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP1 s1;
-
-    JPAKE_STEP1_init(&s1);
-    JPAKE_STEP1_generate(&s1, ctx);
-    jpake_send_part(bconn, &s1.p1);
-    jpake_send_part(bconn, &s1.p2);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP1_release(&s1);
-}
-
-static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP2 s2;
-
-    JPAKE_STEP2_init(&s2);
-    JPAKE_STEP2_generate(&s2, ctx);
-    jpake_send_part(bconn, &s2);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP2_release(&s2);
-}
-
-static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP3A s3a;
-
-    JPAKE_STEP3A_init(&s3a);
-    JPAKE_STEP3A_generate(&s3a, ctx);
-    BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP3A_release(&s3a);
-}
-
-static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP3B s3b;
-
-    JPAKE_STEP3B_init(&s3b);
-    JPAKE_STEP3B_generate(&s3b, ctx);
-    BIO_write(bconn, s3b.hk, sizeof s3b.hk);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP3B_release(&s3b);
-}
-
-static void readbn(BIGNUM **bn, BIO *bconn)
-{
-    char buf[10240];
-    int l;
-
-    l = BIO_gets(bconn, buf, sizeof buf);
-    assert(l > 0);
-    assert(buf[l - 1] == '\n');
-    buf[l - 1] = '\0';
-    BN_hex2bn(bn, buf);
-}
-
-static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
-{
-    readbn(&p->gx, bconn);
-    readbn(&p->zkpx.gr, bconn);
-    readbn(&p->zkpx.b, bconn);
-}
-
-static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP1 s1;
-
-    JPAKE_STEP1_init(&s1);
-    jpake_receive_part(&s1.p1, bconn);
-    jpake_receive_part(&s1.p2, bconn);
-    if (!JPAKE_STEP1_process(ctx, &s1)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP1_release(&s1);
-}
-
-static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP2 s2;
-
-    JPAKE_STEP2_init(&s2);
-    jpake_receive_part(&s2, bconn);
-    if (!JPAKE_STEP2_process(ctx, &s2)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP2_release(&s2);
-}
-
-static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP3A s3a;
-    int l;
-
-    JPAKE_STEP3A_init(&s3a);
-    l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
-    assert(l == sizeof s3a.hhk);
-    if (!JPAKE_STEP3A_process(ctx, &s3a)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP3A_release(&s3a);
-}
-
-static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP3B s3b;
-    int l;
-
-    JPAKE_STEP3B_init(&s3b);
-    l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
-    assert(l == sizeof s3b.hk);
-    if (!JPAKE_STEP3B_process(ctx, &s3b)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP3B_release(&s3b);
-}
-
-void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
-{
-    JPAKE_CTX *ctx;
-    BIO *bconn;
-
-    BIO_puts(out, "Authenticating with JPAKE\n");
-
-    ctx = jpake_init("client", "server", secret);
-
-    bconn = BIO_new(BIO_f_buffer());
-    BIO_push(bconn, conn);
-
-    jpake_send_step1(bconn, ctx);
-    jpake_receive_step1(ctx, bconn);
-    jpake_send_step2(bconn, ctx);
-    jpake_receive_step2(ctx, bconn);
-    jpake_send_step3a(bconn, ctx);
-    jpake_receive_step3b(ctx, bconn);
-
-    BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
-
-    OPENSSL_free(psk_key);
-    psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
-
-    BIO_pop(bconn);
-    BIO_free(bconn);
-
-    JPAKE_CTX_free(ctx);
-}
-
-void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
-{
-    JPAKE_CTX *ctx;
-    BIO *bconn;
-
-    BIO_puts(out, "Authenticating with JPAKE\n");
-
-    ctx = jpake_init("server", "client", secret);
-
-    bconn = BIO_new(BIO_f_buffer());
-    BIO_push(bconn, conn);
-
-    jpake_receive_step1(ctx, bconn);
-    jpake_send_step1(bconn, ctx);
-    jpake_receive_step2(ctx, bconn);
-    jpake_send_step2(bconn, ctx);
-    jpake_receive_step3a(ctx, bconn);
-    jpake_send_step3b(bconn, ctx);
-
-    BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
-
-    OPENSSL_free(psk_key);
-    psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
-
-    BIO_pop(bconn);
-    BIO_free(bconn);
-
-    JPAKE_CTX_free(ctx);
-}
-
-#endif
-
 /*-
  * next_protos_parse parses a comma separated list of strings into a string
  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@@ -2222,7 +1960,7 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
  *
  *   returns: a malloced buffer or NULL on failure.
  */
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+unsigned char *next_protos_parse(size_t *outlen, const char *in)
 {
     size_t len;
     unsigned char *out;
@@ -2913,15 +2651,27 @@ BIO *bio_open_default_quiet(const char *filename, char mode, int format)
 
 void wait_for_async(SSL *s)
 {
-    int width, fd;
+    int width = 0;
     fd_set asyncfds;
+    OSSL_ASYNC_FD *fds;
+    size_t numfds;
 
-    fd = SSL_get_async_wait_fd(s);
-    if (fd < 0)
+    if (!SSL_get_all_async_fds(s, NULL, &numfds))
         return;
+    if (numfds == 0)
+        return;
+    fds = OPENSSL_malloc(sizeof(OSSL_ASYNC_FD) * numfds);
+    if (!SSL_get_all_async_fds(s, fds, &numfds)) {
+        OPENSSL_free(fds);
+    }
 
-    width = fd + 1;
     FD_ZERO(&asyncfds);
-    openssl_fdset(fd, &asyncfds);
+    while (numfds > 0) {
+        if (width <= (int)*fds)
+            width = (int)*fds + 1;
+        openssl_fdset((int)*fds, &asyncfds);
+        numfds--;
+        fds++;
+    }
     select(width, (void *)&asyncfds, NULL, NULL, NULL);
 }

apps/apps.h

@@ -138,17 +138,6 @@
 #  define openssl_fdset(a,b) FD_SET(a, b)
 # endif
 
-# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
-     defined(INTMAX_MAX) && defined(UINTMAX_MAX)
-int opt_imax(const char *value, intmax_t *result);
-int opt_umax(const char *value, uintmax_t *result);
-# else
-#  define opt_imax opt_long
-#  define opt_umax opt_ulong
-#  define intmax_t long
-#  define uintmax_t unsigned long
-# endif
-
 /*
  * quick macro when you need to pass an unsigned char instead of a char.
  * this is true for some implementations of the is*() functions, for
@@ -427,7 +416,7 @@ typedef struct string_int_pair_st {
 char *opt_progname(const char *argv0);
 char *opt_getprog(void);
 char *opt_init(int ac, char **av, const OPTIONS * o);
-int opt_next();
+int opt_next(void);
 int opt_format(const char *s, unsigned long flags, int *result);
 int opt_int(const char *arg, int *result);
 int opt_ulong(const char *arg, unsigned long *result);
@@ -436,6 +425,11 @@ int opt_long(const char *arg, long *result);
     defined(INTMAX_MAX) && defined(UINTMAX_MAX)
 int opt_imax(const char *arg, intmax_t *result);
 int opt_umax(const char *arg, uintmax_t *result);
+#else
+# define opt_imax opt_long
+# define opt_umax opt_ulong
+# define intmax_t long
+# define uintmax_t unsigned long
 #endif
 int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
@@ -449,7 +443,6 @@ int opt_num_rest(void);
 int opt_verify(int i, X509_VERIFY_PARAM *vpm);
 void opt_help(const OPTIONS * list);
 int opt_format_error(const char *s, unsigned long flags);
-int opt_next(void);
 
 typedef struct args_st {
     int size;
@@ -482,22 +475,33 @@ int set_ext_copy(int *copy_type, const char *arg);
 int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
 int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(CONF *conf);
-X509 *load_cert(const char *file, int format,
-                const char *pass, ENGINE *e, const char *cert_descrip);
+X509 *load_cert(const char *file, int format, const char *cert_descrip);
 X509_CRL *load_crl(const char *infile, int format);
-int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *key_descrip);
 EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                       const char *pass, ENGINE *e, const char *key_descrip);
 int load_certs(const char *file, STACK_OF(X509) **certs, int format,
-               const char *pass, ENGINE *e, const char *cert_descrip);
+               const char *pass, const char *cert_descrip);
 int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
-              const char *pass, ENGINE *e, const char *cert_descrip);
+              const char *pass, const char *cert_descrip);
 X509_STORE *setup_verify(char *CAfile, char *CApath,
                          int noCAfile, int noCApath);
-int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
-                             const char *CApath, int noCAfile, int noCApath);
+__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                                    const char *CApath, int noCAfile,
+                                    int noCApath);
+
+#ifndef OPENSSL_NO_CT
+
+/*
+ * Sets the file to load the Certificate Transparency log list from.
+ * If path is NULL, loads from the default file path.
+ * Returns 1 on success, 0 otherwise.
+ */
+__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
+
+#endif
+
 # ifdef OPENSSL_NO_ENGINE
 #  define setup_engine(engine, debug) NULL
 # else
@@ -571,12 +575,8 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
 # ifndef OPENSSL_NO_PSK
 extern char *psk_key;
 # endif
-# ifndef OPENSSL_NO_JPAKE
-void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
-void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
-# endif
 
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
+unsigned char *next_protos_parse(size_t *outlen, const char *in);
 
 void print_cert_checks(BIO *bio, X509 *x,
                        const char *checkhost,

apps/asn1pars.c

@@ -184,7 +184,8 @@ int asn1parse_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (oidfile != NULL) {
         in = bio_open_default(oidfile, 'r', FORMAT_TEXT);

apps/build.info

@@ -10,7 +10,7 @@ SOURCE[openssl]=\
         srp.c ts.c verify.c version.c x509.c rehash.c \
         apps.c opt.c s_cb.c s_socket.c \
         app_rand.c \
-        {- $target{apps_extra_src} -}
+        {- $target{apps_aux_src} -}
 INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
 DEPEND[openssl]=../libssl
 

apps/ca.c

@@ -153,8 +153,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                         int multirdn, int email_dn, char *startdate,
                         char *enddate, long days, int batch, char *ext_sect,
                         CONF *conf, int verbose, unsigned long certopt,
-                        unsigned long nameopt, int default_op, int ext_copy,
-                        ENGINE *e);
+                        unsigned long nameopt, int default_op, int ext_copy);
 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
                          X509 *x509, const EVP_MD *dgst,
                          STACK_OF(OPENSSL_STRING) *sigopts,
@@ -607,7 +606,7 @@ end_of_options:
             lookup_fail(section, ENV_CERTIFICATE);
             goto end;
         }
-        x509 = load_cert(certfile, FORMAT_PEM, NULL, e, "CA certificate");
+        x509 = load_cert(certfile, FORMAT_PEM, "CA certificate");
         if (x509 == NULL)
             goto end;
 
@@ -964,7 +963,7 @@ end_of_options:
                              db, serial, subj, chtype, multirdn, email_dn,
                              startdate, enddate, days, batch, extensions,
                              conf, verbose, certopt, nameopt, default_op,
-                             ext_copy, e);
+                             ext_copy);
             if (j < 0)
                 goto end;
             if (j > 0) {
@@ -1265,7 +1264,7 @@ end_of_options:
             goto end;
         } else {
             X509 *revcert;
-            revcert = load_cert(infile, FORMAT_PEM, NULL, e, infile);
+            revcert = load_cert(infile, FORMAT_PEM, infile);
             if (revcert == NULL)
                 goto end;
             if (dorevoke == 2)
@@ -1391,15 +1390,14 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                         int multirdn, int email_dn, char *startdate,
                         char *enddate, long days, int batch, char *ext_sect,
                         CONF *lconf, int verbose, unsigned long certopt,
-                        unsigned long nameopt, int default_op, int ext_copy,
-                        ENGINE *e)
+                        unsigned long nameopt, int default_op, int ext_copy)
 {
     X509 *req = NULL;
     X509_REQ *rreq = NULL;
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((req = load_cert(infile, FORMAT_PEM, NULL, e, infile)) == NULL)
+    if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL)
         goto end;
     if (verbose)
         X509_print(bio_err, req);

apps/ciphers.c

@@ -126,6 +126,7 @@ int ciphers_main(int argc, char **argv)
     char *ciphers = NULL, *prog;
     char buf[512];
     OPTION_CHOICE o;
+    int min_version = 0, max_version = 0;
 
     prog = opt_init(argc, argv, ciphers_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -154,24 +155,20 @@ int ciphers_main(int argc, char **argv)
 #endif
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_client_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_client_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_client_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
@@ -191,6 +188,11 @@ int ciphers_main(int argc, char **argv)
     ctx = SSL_CTX_new(meth);
     if (ctx == NULL)
         goto err;
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto err;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto err;
+
 #ifndef OPENSSL_NO_PSK
     if (psk)
         SSL_CTX_set_psk_client_callback(ctx, dummy_psk);

apps/cms.c

@@ -550,7 +550,7 @@ int cms_main(int argc, char **argv)
             if (operation == SMIME_ENCRYPT) {
                 if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
                     goto end;
-                cert = load_cert(opt_arg(), FORMAT_PEM, NULL, e,
+                cert = load_cert(opt_arg(), FORMAT_PEM,
                                  "recipient certificate file");
                 if (cert == NULL)
                     goto end;
@@ -725,7 +725,7 @@ int cms_main(int argc, char **argv)
             if ((encerts = sk_X509_new_null()) == NULL)
                 goto end;
         while (*argv) {
-            if ((cert = load_cert(*argv, FORMAT_PEM, NULL, e,
+            if ((cert = load_cert(*argv, FORMAT_PEM,
                                   "recipient certificate file")) == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
@@ -735,7 +735,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (certfile) {
-        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
                         "certificate file")) {
             ERR_print_errors(bio_err);
             goto end;
@@ -743,7 +743,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (recipfile && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile, FORMAT_PEM, NULL, e,
+        if ((recip = load_cert(recipfile, FORMAT_PEM,
                                "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -751,7 +751,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (operation == SMIME_SIGN_RECEIPT) {
-        if ((signer = load_cert(signerfile, FORMAT_PEM, NULL, e,
+        if ((signer = load_cert(signerfile, FORMAT_PEM,
                                 "receipt signer certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -968,8 +968,7 @@ int cms_main(int argc, char **argv)
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
 
-            signer = load_cert(signerfile, FORMAT_PEM, NULL,
-                               e, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
             if (!signer)
                 goto end;
             key = load_key(keyfile, keyform, 0, passin, e, "signing key file");

apps/crl.c

@@ -227,7 +227,8 @@ int crl_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!nmflag_set)
         nmflag = XN_FLAG_ONELINE;

apps/crl2p7.c

@@ -146,7 +146,8 @@ int crl2pkcs7_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!nocrl) {
         in = bio_open_default(infile, 'r', informat);

apps/ct_log_list.cnf

@@ -0,0 +1,34 @@
+enabled_logs=pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi
+
+[pilot]
+description = Google Pilot Log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA==
+
+[aviator]
+description = Google Aviator log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/TMabLkDpCjiupacAlP7xNi0I1JYP8bQFAHDG1xhtolSY1l4QgNRzRrvSe8liE+NPWHdjGxfx3JhTsN9x8/6Q==
+
+[rocketeer]
+description = Google Rocketeer log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg==
+
+[digicert]
+description = DigiCert Log Server
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAkbFvhu7gkAW6MHSrBlpE1n4+HCFRkC5OLAjgqhkTH+/uzSfSl8ois8ZxAD2NgaTZe1M9akhYlrYkes4JECs6A==
+
+[certly]
+description = Certly.IO log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECyPLhWKYYUgEc+tUXfPQB4wtGS2MNvXrjwFCCnyYJifBtd2Sk7Cu+Js9DNhMTh35FftHaHu6ZrclnNBKwmbbSA==
+
+[izempe]
+description = Izempe log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ2Q5DC3cUBj4IQCiDu0s6j51up+TZAkAEcQRF6tczw90rLWXkJMAW7jr9yc92bIKgV8vDXU4lDeZHvYHduDuvg==
+
+[symantec]
+description = Symantec log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg==
+
+[venafi]
+description = Venafi log
+key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OCdpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWtgnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauCFx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5wQIDAQAB
+

apps/dgst.c

@@ -73,7 +73,7 @@
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
-          const char *file, BIO *bmd);
+          const char *file);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -403,7 +403,7 @@ int dgst_main(int argc, char **argv)
     if (argc == 0) {
         BIO_set_fp(in, stdin, BIO_NOCLOSE);
         ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
-                    siglen, NULL, NULL, "stdin", bmd);
+                    siglen, NULL, NULL, "stdin");
     } else {
         const char *md_name = NULL, *sig_name = NULL;
         if (!out_bin) {
@@ -426,7 +426,7 @@ int dgst_main(int argc, char **argv)
                 continue;
             } else
                 r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
-                          siglen, sig_name, md_name, argv[i], bmd);
+                          siglen, sig_name, md_name, argv[i]);
             if (r)
                 ret = r;
             (void)BIO_reset(bmd);
@@ -448,7 +448,7 @@ int dgst_main(int argc, char **argv)
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
-          const char *file, BIO *bmd)
+          const char *file)
 {
     size_t len;
     int i;

apps/dsa.c

@@ -194,7 +194,9 @@ int dsa_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = pubin || pubout ? 0 : 1;
     if (text && !pubin)
         private = 1;

apps/ec.c

@@ -205,7 +205,9 @@ int ec_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = param_out || pubin || pubout ? 0 : 1;
     if (text && !pubin)
         private = 1;

apps/ecparam.c

@@ -220,7 +220,9 @@ int ecparam_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = genkey ? 1 : 0;
 
     in = bio_open_default(infile, 'r', informat);

apps/enc.c

@@ -97,14 +97,15 @@ OPTIONS enc_options[] = {
     {"d", OPT_D, '-', "Decrypt"},
     {"p", OPT_P, '-', "Print the iv/key"},
     {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
-    {"v", OPT_V, '-'},
+    {"v", OPT_V, '-', "Verbose output"},
     {"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
-    {"salt", OPT_SALT, '-'},
-    {"nosalt", OPT_NOSALT, '-'},
-    {"debug", OPT_DEBUG, '-'},
-    {"A", OPT_UPPER_A, '-'},
-    {"a", OPT_A, '-', "base64 encode/decode, depending on encryption flag"},
-    {"base64", OPT_A, '-', "Base64 output as a single line"},
+    {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
+    {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
+    {"debug", OPT_DEBUG, '-', "Print debug info"},
+    {"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
+    {"base64", OPT_A, '-', "Same as option -a"},
+    {"A", OPT_UPPER_A, '-',
+     "Used with -[base64|a] to specify base64 buffer as a single line"},
     {"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
     {"k", OPT_K, 's', "Passphrase"},
     {"kfile", OPT_KFILE, '<', "Fead passphrase from file"},

apps/genpkey.c

@@ -170,7 +170,9 @@ int genpkey_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = do_param ? 0 : 1;
 
     if (ctx == NULL)
@@ -315,8 +317,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
 
     EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
 #ifndef OPENSSL_NO_ENGINE
-    if (tmpeng)
-        ENGINE_finish(tmpeng);
+    ENGINE_finish(tmpeng);
 #endif
     ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
 

apps/nseq.c

@@ -89,6 +89,7 @@ int nseq_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         case OPT_HELP:
@@ -107,7 +108,8 @@ int nseq_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     in = bio_open_default(infile, 'r', FORMAT_PEM);
     if (in == NULL)

apps/ocsp.c

@@ -115,8 +115,7 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
 
 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
 static BIO *init_responder(const char *port);
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
-                        const char *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                       const char *path,
@@ -144,7 +143,8 @@ typedef enum OPTION_choice {
 OPTIONS ocsp_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
     {"out", OPT_OUTFILE, '>', "Output filename"},
-    {"timeout", OPT_TIMEOUT, 'p'},
+    {"timeout", OPT_TIMEOUT, 'p',
+     "Connection timeout (in seconds) to the OCSP responder"},
     {"url", OPT_URL, 's', "Responder URL"},
     {"host", OPT_HOST, 's', "host:prot top to connect to"},
     {"port", OPT_PORT, 'p', "Port to run responder on"},
@@ -405,8 +405,7 @@ int ocsp_main(int argc, char **argv)
             path = opt_arg();
             break;
         case OPT_ISSUER:
-            issuer = load_cert(opt_arg(), FORMAT_PEM,
-                               NULL, NULL, "issuer certificate");
+            issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
             if (issuer == NULL)
                 goto end;
             if (issuers == NULL) {
@@ -417,8 +416,7 @@ int ocsp_main(int argc, char **argv)
             break;
         case OPT_CERT:
             X509_free(cert);
-            cert = load_cert(opt_arg(), FORMAT_PEM,
-                             NULL, NULL, "certificate");
+            cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
             if (cert == NULL)
                 goto end;
             if (cert_id_md == NULL)
@@ -490,7 +488,8 @@ int ocsp_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     /* Have we anything to do? */
     if (!req && !reqin && !respin && !(port && ridx_filename))
@@ -524,16 +523,14 @@ int ocsp_main(int argc, char **argv)
     if (rsignfile) {
         if (!rkeyfile)
             rkeyfile = rsignfile;
-        rsigner = load_cert(rsignfile, FORMAT_PEM,
-                            NULL, NULL, "responder certificate");
+        rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
         if (!rsigner) {
             BIO_printf(bio_err, "Error loading responder certificate\n");
             goto end;
         }
-        rca_cert = load_cert(rca_filename, FORMAT_PEM,
-                             NULL, NULL, "CA certificate");
+        rca_cert = load_cert(rca_filename, FORMAT_PEM, "CA certificate");
         if (rcertfile) {
-            if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, NULL,
+            if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL,
                             "responder other certificates"))
                 goto end;
         }
@@ -548,7 +545,7 @@ int ocsp_main(int argc, char **argv)
  redo_accept:
 
     if (acbio) {
-        if (!do_responder(&req, &cbio, acbio, port))
+        if (!do_responder(&req, &cbio, acbio))
             goto end;
         if (!req) {
             resp =
@@ -570,14 +567,13 @@ int ocsp_main(int argc, char **argv)
     if (signfile) {
         if (!keyfile)
             keyfile = signfile;
-        signer = load_cert(signfile, FORMAT_PEM,
-                           NULL, NULL, "signer certificate");
+        signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
         if (!signer) {
             BIO_printf(bio_err, "Error loading signer certificate\n");
             goto end;
         }
         if (sign_certfile) {
-            if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, NULL,
+            if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL,
                             "signer certificates"))
                 goto end;
         }
@@ -700,7 +696,7 @@ int ocsp_main(int argc, char **argv)
     if (vpmtouched)
         X509_STORE_set1_param(store, vpm);
     if (verify_certfile) {
-        if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, NULL,
+        if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL,
                         "validator certificate"))
             goto end;
     }
@@ -1076,8 +1072,7 @@ static int urldecode(char *p)
     return (int)(out - save);
 }
 
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
-                        const char *port)
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio)
 {
     int len;
     OCSP_REQUEST *req = NULL;

apps/openssl.c

@@ -207,55 +207,6 @@ static char *make_config_name()
     return p;
 }
 
-static void lock_dbg_cb(int mode, int type, const char *file, int line)
-{
-    static int modes[CRYPTO_NUM_LOCKS];
-    const char *errstr = NULL;
-    int rw = mode & (CRYPTO_READ | CRYPTO_WRITE);
-
-    if (rw != CRYPTO_READ && rw != CRYPTO_WRITE) {
-        errstr = "invalid mode";
-        goto err;
-    }
-
-    if (type < 0 || type >= CRYPTO_NUM_LOCKS) {
-        errstr = "type out of bounds";
-        goto err;
-    }
-
-    if (mode & CRYPTO_LOCK) {
-        if (modes[type]) {
-            errstr = "already locked";
-            /* must not happen in a single-threaded program --> deadlock! */
-            goto err;
-        }
-        modes[type] = rw;
-    } else if (mode & CRYPTO_UNLOCK) {
-        if (!modes[type]) {
-            errstr = "not locked";
-            goto err;
-        }
-
-        if (modes[type] != rw) {
-            errstr = (rw == CRYPTO_READ) ?
-                "CRYPTO_r_unlock on write lock" :
-                "CRYPTO_w_unlock on read lock";
-        }
-
-        modes[type] = 0;
-    } else {
-        errstr = "invalid mode";
-        goto err;
-    }
-
- err:
-    if (errstr) {
-        BIO_printf(bio_err,
-                   "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
-                   errstr, mode, type, file, line);
-    }
-}
-
 #if defined( OPENSSL_SYS_VMS)
 extern char **copy_argv(int *argc, char **argv);
 #endif
@@ -288,7 +239,6 @@ int main(int argc, char *argv[])
     if (p != NULL && strcmp(p, "on") == 0)
         CRYPTO_set_mem_debug(1);
     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-    CRYPTO_set_locking_callback(lock_dbg_cb);
 
     if (getenv("OPENSSL_FIPS")) {
 #ifdef OPENSSL_FIPS
@@ -700,6 +650,9 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_BF
     BIO_puts(bio_out, "BF\n");
 #endif
+#ifndef OPENSSL_NO_BLAKE2
+    BIO_puts(bio_out, "BLAKE2\n");
+#endif
 #ifdef OPENSSL_NO_CAMELLIA
     BIO_puts(bio_out, "CAMELLIA\n");
 #endif
@@ -757,9 +710,6 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_IDEA
     BIO_puts(bio_out, "IDEA\n");
 #endif
-#ifdef OPENSSL_NO_JPAKE
-    BIO_puts(bio_out, "JPAKE\n");
-#endif
 #ifdef OPENSSL_NO_MD2
     BIO_puts(bio_out, "MD2\n");
 #endif

apps/pkcs12.c

@@ -325,7 +325,9 @@ int pkcs12_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = 1;
 
     if (passarg) {
@@ -395,7 +397,7 @@ int pkcs12_main(int argc, char **argv)
 
         /* Load in all certs in input file */
         if (!(options & NOCERTS)) {
-            if (!load_certs(infile, &certs, FORMAT_PEM, NULL, e,
+            if (!load_certs(infile, &certs, FORMAT_PEM, NULL,
                             "certificates"))
                 goto export_end;
 
@@ -424,7 +426,7 @@ int pkcs12_main(int argc, char **argv)
 
         /* Add any more certificates asked for */
         if (certfile) {
-            if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, e,
+            if (!load_certs(certfile, &certs, FORMAT_PEM, NULL,
                             "certificates from certfile"))
                 goto export_end;
         }
@@ -658,7 +660,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
         p8 = PKCS12_SAFEBAG_get0_p8inf(bag);
         if ((pkey = EVP_PKCS82PKEY(p8)) == NULL)
             return 0;
-        print_attribs(out, p8->attributes, "Key Attributes");
+        print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes");
         PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
         EVP_PKEY_free(pkey);
         break;
@@ -666,10 +668,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
     case NID_pkcs8ShroudedKeyBag:
         if (options & INFO) {
             X509_SIG *tp8;
+            X509_ALGOR *tp8alg;
 
             BIO_printf(bio_err, "Shrouded Keybag: ");
             tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
-            alg_print(tp8->algor);
+            X509_SIG_get0(&tp8alg, NULL, tp8);
+            alg_print(tp8alg);
         }
         if (options & NOKEYS)
             return 1;
@@ -680,7 +684,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
             PKCS8_PRIV_KEY_INFO_free(p8);
             return 0;
         }
-        print_attribs(out, p8->attributes, "Key Attributes");
+        print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes");
         PKCS8_PRIV_KEY_INFO_free(p8);
         PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
         EVP_PKEY_free(pkey);

apps/pkcs7.c

@@ -191,7 +191,8 @@ int pkcs7_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     in = bio_open_default(infile, 'r', informat);
     if (in == NULL)

apps/pkcs8.c

@@ -67,7 +67,7 @@
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
-    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
+    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT,
 #ifndef OPENSSL_NO_SCRYPT
     OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
 #endif
@@ -83,10 +83,6 @@ OPTIONS pkcs8_options[] = {
     {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
     {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
     {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
-    {"nooct", OPT_NOOCT, '-', "Use (nonstandard) no octet format"},
-    {"nsdb", OPT_NSDB, '-', "Use (nonstandard) DSA Netscape DB format"},
-    {"embed", OPT_EMBED, '-',
-     "Use (nonstandard) embedded DSA parameters format"},
     {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
     {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
     {"v2prf", OPT_V2PRF, 's'},
@@ -117,7 +113,7 @@ int pkcs8_main(int argc, char **argv)
     char *passinarg = NULL, *passoutarg = NULL, *prog;
     char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
     OPTION_CHOICE o;
-    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
+    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
     int private = 0;
 #ifndef OPENSSL_NO_SCRYPT
@@ -159,15 +155,6 @@ int pkcs8_main(int argc, char **argv)
         case OPT_NOCRYPT:
             nocrypt = 1;
             break;
-        case OPT_NOOCT:
-            p8_broken = PKCS8_NO_OCTET;
-            break;
-        case OPT_NSDB:
-            p8_broken = PKCS8_NS_DB;
-            break;
-        case OPT_EMBED:
-            p8_broken = PKCS8_EMBEDDED_PARAM;
-            break;
         case OPT_V2:
             if (!opt_cipher(opt_arg(), &cipher))
                 goto opthelp;
@@ -203,9 +190,9 @@ int pkcs8_main(int argc, char **argv)
             break;
 #ifndef OPENSSL_NO_SCRYPT
         case OPT_SCRYPT:
-            scrypt_N = 1024;
+            scrypt_N = 16384;
             scrypt_r = 8;
-            scrypt_p = 16;
+            scrypt_p = 1;
             if (cipher == NULL)
                 cipher = EVP_aes_256_cbc();
             break;
@@ -225,7 +212,9 @@ int pkcs8_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = 1;
 
     if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
@@ -247,7 +236,7 @@ int pkcs8_main(int argc, char **argv)
         pkey = load_key(infile, informat, 1, passin, e, "key");
         if (!pkey)
             goto end;
-        if ((p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)) == NULL) {
+        if ((p8inf = EVP_PKEY2PKCS8(pkey)) == NULL) {
             BIO_printf(bio_err, "Error converting key\n");
             ERR_print_errors(bio_err);
             goto end;
@@ -360,31 +349,6 @@ int pkcs8_main(int argc, char **argv)
         goto end;
     }
 
-    if (p8inf->broken) {
-        BIO_printf(bio_err, "Warning: broken key encoding: ");
-        switch (p8inf->broken) {
-        case PKCS8_NO_OCTET:
-            BIO_printf(bio_err, "No Octet String in PrivateKey\n");
-            break;
-
-        case PKCS8_EMBEDDED_PARAM:
-            BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
-            break;
-
-        case PKCS8_NS_DB:
-            BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
-            break;
-
-        case PKCS8_NEG_PRIVKEY:
-            BIO_printf(bio_err, "DSA private key value is negative\n");
-            break;
-
-        default:
-            BIO_printf(bio_err, "Unknown broken type\n");
-            break;
-        }
-    }
-
     assert(private);
     if (outformat == FORMAT_PEM)
         PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);

apps/pkey.c

@@ -159,7 +159,9 @@ int pkey_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = !noout && !pubout ? 1 : 0;
     if (text && !pubtext)
         private = 1;

apps/pkeyparam.c

@@ -92,6 +92,7 @@ int pkeyparam_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         case OPT_HELP:
@@ -116,7 +117,8 @@ int pkeyparam_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     in = bio_open_default(infile, 'r', FORMAT_PEM);
     if (in == NULL)

apps/pkeyutl.c

@@ -62,11 +62,12 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 
+#define KEY_NONE        0
 #define KEY_PRIVKEY     1
 #define KEY_PUBKEY      2
 #define KEY_CERT        3
 
-static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int impl);
@@ -84,7 +85,7 @@ typedef enum OPTION_choice {
     OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
     OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
     OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
-    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT
+    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_KDF, OPT_KDFLEN
 } OPTION_CHOICE;
 
 OPTIONS pkeyutl_options[] = {
@@ -103,6 +104,8 @@ OPTIONS pkeyutl_options[] = {
     {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
     {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
     {"derive", OPT_DERIVE, '-', "Derive shared secret"},
+    {"kdf", OPT_KDF, 's', "Use KDF algorithm"},
+    {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
     {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
     {"inkey", OPT_INKEY, 's', "Input private key file"},
     {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
@@ -135,6 +138,8 @@ int pkeyutl_main(int argc, char **argv)
     size_t buf_outlen;
     const char *inkey = NULL;
     const char *peerkey = NULL;
+    const char *kdfalg = NULL;
+    int kdflen = 0;
     STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
 
     prog = opt_init(argc, argv, pkeyutl_options);
@@ -211,13 +216,21 @@ int pkeyutl_main(int argc, char **argv)
         case OPT_DERIVE:
             pkey_op = EVP_PKEY_OP_DERIVE;
             break;
+        case OPT_KDF:
+            pkey_op = EVP_PKEY_OP_DERIVE;
+            key_type = KEY_NONE;
+            kdfalg = opt_arg();
+            break;
+        case OPT_KDFLEN:
+            kdflen = atoi(opt_arg());
+            break;
         case OPT_REV:
             rev = 1;
             break;
         case OPT_PKEYOPT:
             if ((pkeyopts == NULL &&
                  (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
-                sk_OPENSSL_STRING_push(pkeyopts, *++argv) == 0) {
+                sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
                 BIO_puts(bio_err, "out of memory\n");
                 goto end;
             }
@@ -225,13 +238,17 @@ int pkeyutl_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
-
-    if (inkey == NULL ||
-        (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE))
+    if (argc != 0)
         goto opthelp;
 
-    ctx = init_ctx(&keysize, inkey, keyform, key_type,
+    if (kdfalg != NULL) {
+        if (kdflen == 0)
+            goto opthelp;
+    } else if ((inkey == NULL)
+            || (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE)) {
+        goto opthelp;
+    }
+    ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
                    passinarg, pkey_op, e, engine_impl);
     if (ctx == NULL) {
         BIO_printf(bio_err, "%s: Error initializing context\n", prog);
@@ -325,15 +342,21 @@ int pkeyutl_main(int argc, char **argv)
             BIO_puts(out, "Signature Verification Failure\n");
         goto end;
     }
-    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
-                  buf_in, (size_t)buf_inlen);
+    if (kdflen != 0) {
+        buf_outlen = kdflen;
+        rv = 1;
+    } else {
+        rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+                      buf_in, (size_t)buf_inlen);
+    }
     if (rv > 0 && buf_outlen != 0) {
         buf_out = app_malloc(buf_outlen, "buffer output");
         rv = do_keyop(ctx, pkey_op,
                       buf_out, (size_t *)&buf_outlen,
                       buf_in, (size_t)buf_inlen);
     }
-    if (rv < 0) {
+    if (rv <= 0) {
+        BIO_puts(bio_err, "Public Key operation error\n");
         ERR_print_errors(bio_err);
         goto end;
     }
@@ -358,7 +381,7 @@ int pkeyutl_main(int argc, char **argv)
     return ret;
 }
 
-static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int engine_impl)
@@ -371,7 +394,7 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
     X509 *x;
     if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
          || (pkey_op == EVP_PKEY_OP_DERIVE))
-        && (key_type != KEY_PRIVKEY)) {
+        && (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
         goto end;
     }
@@ -389,28 +412,35 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, keyform, NULL, e, "Certificate");
+        x = load_cert(keyfile, keyform, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);
         }
         break;
 
+    case KEY_NONE:
+        break;
+
     }
 
-    *pkeysize = EVP_PKEY_size(pkey);
-
-    if (!pkey)
-        goto end;
-
 #ifndef OPENSSL_NO_ENGINE
     if (engine_impl)
         impl = e;
 #endif
-    
-    ctx = EVP_PKEY_CTX_new(pkey, impl);
 
-    EVP_PKEY_free(pkey);
+    if (kdfalg) {
+        int kdfnid = OBJ_sn2nid(kdfalg);
+        if (kdfnid == NID_undef)
+            goto end;
+        ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
+    } else {
+        if (pkey == NULL)
+            goto end;
+        *pkeysize = EVP_PKEY_size(pkey);
+        ctx = EVP_PKEY_CTX_new(pkey, impl);
+        EVP_PKEY_free(pkey);
+    }
 
     if (ctx == NULL)
         goto end;

apps/progs.h

@@ -225,6 +225,10 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_RMD160
     { FT_md, "rmd160", dgst_main},
 #endif
+#ifndef OPENSSL_NO_BLAKE2
+    { FT_md, "blake2b512", dgst_main},
+    { FT_md, "blake2s256", dgst_main},
+#endif
 #ifndef OPENSSL_NO_AES
     { FT_cipher, "aes-128-cbc", enc_main, enc_options },
 #endif

apps/progs.pl

@@ -84,7 +84,7 @@ foreach (
 	"md2", "md4", "md5",
 	"md_ghost94",
 	"sha1", "sha224", "sha256", "sha384", "sha512",
-	"mdc2", "rmd160"
+	"mdc2", "rmd160", "blake2b", "blake2s"
 ) {
         printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
         printf "    { FT_md, \"".$_."\", dgst_main},\n";

apps/req.c

@@ -143,12 +143,12 @@ OPTIONS req_options[] = {
     {"config", OPT_CONFIG, '<', "Request template file"},
     {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
     {"passin", OPT_PASSIN, 's', "Private key password source"},
-    {"passout", OPT_PASSOUT, 's'},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
     {"rand", OPT_RAND, 's',
      "Load the file(s) into the random number generator"},
     {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
-    {"pkeyopt", OPT_PKEYOPT, 's'},
-    {"sigopt", OPT_SIGOPT, 's'},
+    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
+    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
     {"batch", OPT_BATCH, '-',
      "Do not ask anything during request generation"},
     {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
@@ -156,7 +156,7 @@ OPTIONS req_options[] = {
     {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
     {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
     {"noout", OPT_NOOUT, '-', "Do not output REQ"},
-    {"verbose", OPT_VERBOSE, '-'},
+    {"verbose", OPT_VERBOSE, '-', "Verbose output"},
     {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
     {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
     {"reqopt", OPT_REQOPT, 's', "Various request text options"},
@@ -177,7 +177,8 @@ OPTIONS req_options[] = {
     {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-    {"keygen_engine", OPT_KEYGEN_ENGINE, 's'},
+    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
+     "Specify engine to be used for key generation operations"},
 #endif
     {NULL}
 };
@@ -197,7 +198,9 @@ int req_main(int argc, char **argv)
     char *extensions = NULL, *infile = NULL;
     char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
     char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
-    char *passin = NULL, *passout = NULL, *req_exts = NULL, *subj = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *nofree_passin = NULL, *nofree_passout = NULL;
+    char *req_exts = NULL, *subj = NULL;
     char *template = default_config_file, *keyout = NULL;
     const char *keyalg = NULL;
     OPTION_CHOICE o;
@@ -366,7 +369,8 @@ int req_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!nmflag_set)
         nmflag = XN_FLAG_ONELINE;
@@ -434,15 +438,17 @@ int req_main(int argc, char **argv)
         }
     }
 
-    if (!passin) {
-        passin = NCONF_get_string(req_conf, SECTION, "input_password");
-        if (!passin)
+    if (passin == NULL) {
+        passin = nofree_passin =
+            NCONF_get_string(req_conf, SECTION, "input_password");
+        if (passin == NULL)
             ERR_clear_error();
     }
 
-    if (!passout) {
-        passout = NCONF_get_string(req_conf, SECTION, "output_password");
-        if (!passout)
+    if (passout == NULL) {
+        passout = nofree_passout =
+            NCONF_get_string(req_conf, SECTION, "output_password");
+        if (passout == NULL)
             ERR_clear_error();
     }
 
@@ -860,8 +866,10 @@ int req_main(int argc, char **argv)
     X509_REQ_free(req);
     X509_free(x509ss);
     ASN1_INTEGER_free(serial);
-    OPENSSL_free(passin);
-    OPENSSL_free(passout);
+    if (passin != nofree_passin)
+        OPENSSL_free(passin);
+    if (passout != nofree_passout)
+        OPENSSL_free(passout);
     OBJ_cleanup();
     return (ret);
 }
@@ -1118,7 +1126,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                      STACK_OF(CONF_VALUE) *attr_sk, int attribs,
                      unsigned long chtype)
 {
-    int i;
+    int i, spec_char, plus_char;
     char *p, *q;
     char *type;
     CONF_VALUE *v;
@@ -1134,24 +1142,26 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
         /*
          * Skip past any leading X. X: X, etc to allow for multiple instances
          */
-        for (p = v->name; *p; p++)
+        for (p = v->name; *p; p++) {
 #ifndef CHARSET_EBCDIC
-            if ((*p == ':') || (*p == ',') || (*p == '.')) {
+            spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
 #else
-            if ((*p == os_toascii[':']) || (*p == os_toascii[','])
-                || (*p == os_toascii['.'])) {
+            spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
+                    || (*p == os_toascii['.']));
 #endif
+            if (spec_char) {
                 p++;
                 if (*p)
                     type = p;
                 break;
             }
+        }
 #ifndef CHARSET_EBCDIC
-        if (*p == '+')
+        plus_char = (*p == '+');
 #else
-        if (*p == os_toascii['+'])
+        plus_char = (*p == os_toascii['+']);
 #endif
-        {
+        if (plus_char) {
             p++;
             mval = -1;
         } else
@@ -1372,8 +1382,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
 
         EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
 #ifndef OPENSSL_NO_ENGINE
-        if (tmpeng)
-            ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
         if (*pkey_type == EVP_PKEY_RSA) {
             if (p) {
@@ -1430,8 +1439,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
         EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
         *palgnam = OPENSSL_strdup(anam);
 #ifndef OPENSSL_NO_ENGINE
-        if (tmpeng)
-            ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
     }
 

apps/rsa.c

@@ -252,7 +252,9 @@ int rsa_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = (text && !pubin) || (!pubout && !noout) ? 1 : 0;
 
     if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {

apps/rsautl.c

@@ -98,10 +98,11 @@ OPTIONS rsautl_options[] = {
     {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
     {"sign", OPT_SIGN, '-', "Sign with private key"},
     {"verify", OPT_VERIFY, '-', "Verify with public key"},
-    {"asn1parse", OPT_ASN1PARSE, '-'},
+    {"asn1parse", OPT_ASN1PARSE, '-',
+     "Run output through asn1parse; useful with -verify"},
     {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
     {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
-    {"rev", OPT_REV, '-'},
+    {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
     {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
     {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
     {"passin", OPT_PASSIN, 's', "Pass phrase source"},
@@ -204,7 +205,8 @@ int rsautl_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (need_priv && (key_type != KEY_PRIVKEY)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
@@ -229,7 +231,7 @@ int rsautl_main(int argc, char **argv)
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, keyformat, NULL, e, "Certificate");
+        x = load_cert(keyfile, keyformat, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);

apps/s_apps.h

@@ -149,11 +149,11 @@ typedef fd_mask fd_set;
 #define PORT            "4433"
 #define PROTOCOL        "tcp"
 
+typedef int (*do_server_cb)(int s, int stype, unsigned char *context);
 int do_server(int *accept_sock, const char *host, const char *port,
               int family, int type,
-              int (*cb) (const char *hostname, int s, int stype,
-                         unsigned char *context), unsigned char *context,
-              int naccept);
+              do_server_cb cb,
+              unsigned char *context, int naccept);
 #ifdef HEADER_X509_H
 int verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
@@ -195,8 +195,7 @@ int load_excert(SSL_EXCERT **pexc);
 void print_verify_detail(SSL *s, BIO *bio);
 void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
-int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_jpake);
+int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                      int crl_download);
 int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,

apps/s_cb.c

@@ -711,6 +711,7 @@ static STRINT_PAIR tlsext_types[] = {
     {"heartbeat", TLSEXT_TYPE_heartbeat},
     {"session ticket", TLSEXT_TYPE_session_ticket},
     {"renegotiation info", TLSEXT_TYPE_renegotiate},
+    {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
     {"TLS padding", TLSEXT_TYPE_padding},
 #ifdef TLSEXT_TYPE_next_proto_neg
     {"next protocol", TLSEXT_TYPE_next_proto_neg},
@@ -972,7 +973,7 @@ int load_excert(SSL_EXCERT **pexc)
             return 0;
         }
         exc->cert = load_cert(exc->certfile, exc->certform,
-                              NULL, NULL, "Server Certificate");
+                              "Server Certificate");
         if (!exc->cert)
             return 0;
         if (exc->keyfile) {
@@ -986,7 +987,7 @@ int load_excert(SSL_EXCERT **pexc)
             return 0;
         if (exc->chainfile) {
             if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
-                            NULL, "Server Chain"))
+                            "Server Chain"))
                 return 0;
         }
     }
@@ -1061,11 +1062,12 @@ int args_excert(int opt, SSL_EXCERT **pexc)
 static void print_raw_cipherlist(SSL *s)
 {
     const unsigned char *rlist;
-    static const unsigned char scsv_id[] = { 0, 0, 0xFF };
+    static const unsigned char scsv_id[] = { 0, 0xFF };
     size_t i, rlistlen, num;
     if (!SSL_is_server(s))
         return;
     num = SSL_get0_raw_cipherlist(s, NULL);
+    OPENSSL_assert(num == 2);
     rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
     BIO_puts(bio_err, "Client cipher list: ");
     for (i = 0; i < rlistlen; i += num, rlist += num) {
@@ -1074,7 +1076,7 @@ static void print_raw_cipherlist(SSL *s)
             BIO_puts(bio_err, ":");
         if (c)
             BIO_puts(bio_err, SSL_CIPHER_get_name(c));
-        else if (!memcmp(rlist, scsv_id - num + 3, num))
+        else if (!memcmp(rlist, scsv_id, num))
             BIO_puts(bio_err, "SCSV");
         else {
             size_t j;
@@ -1198,7 +1200,7 @@ void print_ssl_summary(SSL *s)
 }
 
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_jpake)
+               SSL_CTX *ctx)
 {
     int i;
 
@@ -1206,12 +1208,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
     for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
         const char *flag = sk_OPENSSL_STRING_value(str, i);
         const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
-#ifndef OPENSSL_NO_JPAKE
-        if (!no_jpake && (strcmp(flag, "-cipher") == 0)) {
-            BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
-            return 0;
-        }
-#endif
         if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
             if (arg)
                 BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
@@ -1222,15 +1218,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
             return 0;
         }
     }
-#ifndef OPENSSL_NO_JPAKE
-    if (!no_jpake) {
-        if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
-            BIO_puts(bio_err, "Error setting cipher to PSK\n");
-            ERR_print_errors(bio_err);
-            return 0;
-        }
-    }
-#endif
     if (!SSL_CONF_CTX_finish(cctx)) {
         BIO_puts(bio_err, "Error finishing context\n");
         ERR_print_errors(bio_err);
@@ -1298,7 +1285,7 @@ int ssl_load_stores(SSL_CTX *ctx,
 typedef struct {
     BIO *out;
     int verbose;
-    int (*old_cb) (SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+    int (*old_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
                    void *other, void *ex);
 } security_debug_ex;
 
@@ -1327,7 +1314,7 @@ static STRINT_PAIR callback_types[] = {
     {NULL}
 };
 
-static int security_callback_debug(SSL *s, SSL_CTX *ctx,
+static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
                                    int op, int bits, int nid,
                                    void *other, void *ex)
 {

apps/s_client.c

@@ -165,12 +165,16 @@ typedef unsigned int u_int;
 #ifndef OPENSSL_NO_SRP
 # include <openssl/srp.h>
 #endif
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
 #include "s_apps.h"
 #include "timeouts.h"
 
-#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
-/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
-# undef FIONBIO
+#if defined(__has_feature)
+# if __has_feature(memory_sanitizer)
+#  include <sanitizer/msan_interface.h>
+# endif
 #endif
 
 #undef BUFSIZZ
@@ -184,6 +188,8 @@ extern int verify_quiet;
 
 static char *prog;
 static int async = 0;
+static unsigned int split_send_fragment = 0;
+static unsigned int max_pipelines = 0;
 static int c_nbio = 0;
 static int c_tlsextdebug = 0;
 static int c_status_req = 0;
@@ -439,7 +445,7 @@ static char *srtp_profiles = NULL;
 /* This the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
     unsigned char *data;
-    unsigned short len;
+    size_t len;
     int status;
 } tlsextnextprotoctx;
 
@@ -648,13 +654,16 @@ typedef enum OPTION_choice {
     OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
     OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
     OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
-    OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE,
+    OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME,
     OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
-    OPT_ASYNC,
+    OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
     OPT_V_ENUM,
     OPT_X_ENUM,
     OPT_S_ENUM,
     OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
+#ifndef OPENSSL_NO_CT
+    OPT_NOCT, OPT_REQUESTCT, OPT_REQUIRECT, OPT_CTLOG_FILE,
+#endif
     OPT_DANE_TLSA_RRDATA
 } OPTION_CHOICE;
 
@@ -692,7 +701,8 @@ OPTIONS s_client_options[] = {
     {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"},
     {"debug", OPT_DEBUG, '-', "Extra output"},
     {"msg", OPT_MSG, '-', "Show protocol messages"},
-    {"msgfile", OPT_MSGFILE, '>'},
+    {"msgfile", OPT_MSGFILE, '>',
+     "File to send output of -msg or -trace, instead of stdout"},
     {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
     {"state", OPT_STATE, '-', "Print the ssl states"},
     {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
@@ -715,21 +725,31 @@ OPTIONS s_client_options[] = {
      "Export len bytes of keying material (default 20)"},
     {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
     {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
-    {"CRL", OPT_CRL, '<'},
-    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
-    {"CRLform", OPT_CRLFORM, 'F'},
-    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'},
-    {"verify_quiet", OPT_VERIFY_QUIET, '-'},
-    {"brief", OPT_BRIEF, '-'},
-    {"prexit", OPT_PREXIT, '-'},
-    {"security_debug", OPT_SECURITY_DEBUG, '-'},
-    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
-    {"cert_chain", OPT_CERT_CHAIN, '<'},
-    {"chainCApath", OPT_CHAINCAPATH, '/'},
-    {"verifyCApath", OPT_VERIFYCAPATH, '/'},
-    {"build_chain", OPT_BUILD_CHAIN, '-'},
-    {"chainCAfile", OPT_CHAINCAFILE, '<'},
-    {"verifyCAfile", OPT_VERIFYCAFILE, '<'},
+    {"CRL", OPT_CRL, '<', "CRL file to use"},
+    {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
+    {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
+    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
+     "Close connection on verification error"},
+    {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
+    {"brief", OPT_BRIEF, '-',
+     "Restrict output to brief summary of connection parameters"},
+    {"prexit", OPT_PREXIT, '-',
+     "Print session information when the program exits"},
+    {"security_debug", OPT_SECURITY_DEBUG, '-',
+     "Enable security debug messages"},
+    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
+     "Output more security debug output"},
+    {"cert_chain", OPT_CERT_CHAIN, '<',
+     "Certificate chain file (in PEM format)"},
+    {"chainCApath", OPT_CHAINCAPATH, '/',
+     "Use dir as certificate store path to build CA certificate chain"},
+    {"verifyCApath", OPT_VERIFYCAPATH, '/',
+     "Use dir as certificate store path to verify CA certificate"},
+    {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
+    {"chainCAfile", OPT_CHAINCAFILE, '<',
+     "CA file for certificate chain (PEM format)"},
+    {"verifyCAfile", OPT_VERIFYCAFILE, '<',
+     "CA file for certificate verification (PEM format)"},
     {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
     {"servername", OPT_SERVERNAME, 's',
      "Set TLS extension servername in ClientHello"},
@@ -741,7 +761,13 @@ OPTIONS s_client_options[] = {
     {"alpn", OPT_ALPN, 's',
      "Enable ALPN extension, considering named protocols supported (comma-separated list)"},
     {"async", OPT_ASYNC, '-', "Support asynchronous operation"},
-    {"ssl_config", OPT_SSL_CONFIG, 's'},
+    {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
+    {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+     "Size used to split data for encrypt pipelines"},
+    {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+     "Maximum number of encrypt/decrypt pipelines to be used"},
+    {"read_buf", OPT_READ_BUF, 'n',
+     "Default read buffer size to be used for connections"},
     OPT_S_OPTIONS,
     OPT_V_OPTIONS,
     OPT_X_OPTIONS,
@@ -758,31 +784,27 @@ OPTIONS s_client_options[] = {
     {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
 #endif
 #ifndef OPENSSL_NO_DTLS
-    {"dtls", OPT_DTLS, '-'},
-    {"timeout", OPT_TIMEOUT, '-'},
+    {"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
+    {"timeout", OPT_TIMEOUT, '-',
+     "Enable send/receive timeout on DTLS connections"},
     {"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
 #endif
 #ifndef OPENSSL_NO_DTLS1
     {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
 #endif
 #ifndef OPENSSL_NO_DTLS1_2
-    {"dtls1_2", OPT_DTLS1_2, '-'},
+    {"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"},
 #endif
 #ifndef OPENSSL_NO_SSL_TRACE
-    {"trace", OPT_TRACE, '-'},
+    {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
 #endif
 #ifdef WATT32
     {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
 #endif
-#ifdef FIONBIO
     {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#endif
 #ifndef OPENSSL_NO_PSK
     {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
     {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-# ifndef OPENSSL_NO_JPAKE
-    {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
-# endif
 #endif
 #ifndef OPENSSL_NO_SRP
     {"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"},
@@ -799,7 +821,14 @@ OPTIONS s_client_options[] = {
 #endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-    {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'},
+    {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
+     "Specify engine to be used for client certificate operations"},
+#endif
+#ifndef OPENSSL_NO_CT
+    {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
+    {"requestct", OPT_REQUESTCT, '-', "Request SCTs (enables OCSP stapling)"},
+    {"requirect", OPT_REQUIRECT, '-', "Require at least 1 SCT (enables OCSP stapling)"},
+    {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
 #endif
     {NULL}
 };
@@ -853,7 +882,7 @@ int s_client_main(int argc, char **argv)
     char *inrand = NULL;
     char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
     char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p;
-    char *jpake_secret = NULL, *xmpphost = NULL;
+    char *xmpphost = NULL;
     const char *ehlo = "mail.example.com";
     struct sockaddr peer;
     struct timeval timeout, *timeoutp;
@@ -869,6 +898,7 @@ int s_client_main(int argc, char **argv)
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM;
     int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
     int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
+    int read_buf_len = 0;
     int fallback_scsv = 0;
     long socket_mtu = 0, randamt = 0;
     OPTION_CHOICE o;
@@ -893,6 +923,21 @@ int s_client_main(int argc, char **argv)
     char *srppass = NULL;
     int srp_lateuser = 0;
     SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
+#endif
+#ifndef OPENSSL_NO_CT
+    char *ctlog_file = NULL;
+    ct_validation_cb ct_validation = NULL;
+#endif
+    int min_version = 0, max_version = 0;
+
+    FD_ZERO(&readfds);
+    FD_ZERO(&writefds);
+/* Known false-positive of MemorySanitizer. */
+#if defined(__has_feature)
+# if __has_feature(memory_sanitizer)
+    __msan_unpoison(&readfds, sizeof(readfds));
+    __msan_unpoison(&writefds, sizeof(writefds));
+# endif
 #endif
 
     prog = opt_progname(argv[0]);
@@ -1155,25 +1200,30 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SRP
         case OPT_SRPUSER:
             srp_arg.srplogin = opt_arg();
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRPPASS:
             srppass = opt_arg();
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_STRENGTH:
             srp_arg.strength = atoi(opt_arg());
             BIO_printf(bio_err, "SRP minimal length for N is %d\n",
                        srp_arg.strength);
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_LATEUSER:
             srp_lateuser = 1;
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_MOREGROUPS:
             srp_arg.amp = 1;
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
 #else
         case OPT_SRPUSER:
@@ -1187,24 +1237,20 @@ int s_client_main(int argc, char **argv)
             ssl_config = opt_arg();
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_client_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_client_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_client_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_DTLS:
 #ifndef OPENSSL_NO_DTLS
@@ -1214,13 +1260,17 @@ int s_client_main(int argc, char **argv)
             break;
         case OPT_DTLS1:
 #ifndef OPENSSL_NO_DTLS1
-            meth = DTLSv1_client_method();
+            meth = DTLS_client_method();
+            min_version = DTLS1_VERSION;
+            max_version = DTLS1_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_DTLS1_2:
 #ifndef OPENSSL_NO_DTLS1_2
-            meth = DTLSv1_2_client_method();
+            meth = DTLS_client_method();
+            min_version = DTLS1_2_VERSION;
+            max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
@@ -1274,6 +1324,20 @@ int s_client_main(int argc, char **argv)
         case OPT_NOCAFILE:
             noCAfile = 1;
             break;
+#ifndef OPENSSL_NO_CT
+        case OPT_NOCT:
+            ct_validation = NULL;
+            break;
+        case OPT_REQUESTCT:
+            ct_validation = CT_verify_no_bad_scts;
+            break;
+        case OPT_REQUIRECT:
+            ct_validation = CT_verify_at_least_one_good_sct;
+            break;
+        case OPT_CTLOG_FILE:
+            ctlog_file = opt_arg();
+            break;
+#endif
         case OPT_CHAINCAFILE:
             chCAfile = opt_arg();
             break;
@@ -1316,11 +1380,6 @@ int s_client_main(int argc, char **argv)
         case OPT_SERVERNAME:
             servername = opt_arg();
             break;
-        case OPT_JPAKE:
-#ifndef OPENSSL_NO_JPAKE
-            jpake_secret = opt_arg();
-#endif
-            break;
         case OPT_USE_SRTP:
             srtp_profiles = opt_arg();
             break;
@@ -1333,10 +1392,27 @@ int s_client_main(int argc, char **argv)
         case OPT_ASYNC:
             async = 1;
             break;
+        case OPT_SPLIT_SEND_FRAG:
+            split_send_fragment = atoi(opt_arg());
+            if (split_send_fragment == 0) {
+                /*
+                 * Not allowed - set to a deliberately bad value so we get an
+                 * error message below
+                 */
+                split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
+            }
+            break;
+        case OPT_MAX_PIPELINES:
+            max_pipelines = atoi(opt_arg());
+            break;
+        case OPT_READ_BUF:
+            read_buf_len = atoi(opt_arg());
+            break;
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (proxystr) {
         int res;
@@ -1378,15 +1454,16 @@ int s_client_main(int argc, char **argv)
                    "Can't use unix sockets and datagrams together\n");
         goto end;
     }
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-    if (jpake_secret) {
-        if (psk_key) {
-            BIO_printf(bio_err, "Can't use JPAKE and PSK together\n");
-            goto end;
-        }
-        psk_identity = "JPAKE";
+
+    if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+        BIO_printf(bio_err, "Bad split send fragment size\n");
+        goto end;
+    }
+
+    if (max_pipelines > SSL_MAX_PIPELINES) {
+        BIO_printf(bio_err, "Bad max pipelines value\n");
+        goto end;
     }
-#endif
 
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
     next_proto.status = -1;
@@ -1419,8 +1496,7 @@ int s_client_main(int argc, char **argv)
     }
 
     if (cert_file) {
-        cert = load_cert(cert_file, cert_format,
-                         NULL, e, "client certificate file");
+        cert = load_cert(cert_file, cert_format, "client certificate file");
         if (cert == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -1428,7 +1504,7 @@ int s_client_main(int argc, char **argv)
     }
 
     if (chain_file) {
-        if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL, e,
+        if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL,
                         "client certificate chain"))
             goto end;
     }
@@ -1496,6 +1572,11 @@ int s_client_main(int argc, char **argv)
         }
     }
 
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
+
     if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
         BIO_printf(bio_err, "Error setting verify params\n");
         ERR_print_errors(bio_err);
@@ -1505,8 +1586,18 @@ int s_client_main(int argc, char **argv)
     if (async) {
         SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
     }
+    if (split_send_fragment > 0) {
+        SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+    }
+    if (max_pipelines > 0) {
+        SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+    }
 
-    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
+    if (read_buf_len > 0) {
+        SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
+    }
+
+    if (!config_ctx(cctx, ssl_args, ctx))
         goto end;
 
     if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
@@ -1528,10 +1619,10 @@ int s_client_main(int argc, char **argv)
 #endif
 
 #ifndef OPENSSL_NO_PSK
-    if (psk_key != NULL || jpake_secret) {
+    if (psk_key != NULL) {
         if (c_debug)
             BIO_printf(bio_c_out,
-                       "PSK key given or JPAKE in use, setting client callback\n");
+                       "PSK key given, setting client callback\n");
         SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
     }
 #endif
@@ -1554,7 +1645,7 @@ int s_client_main(int argc, char **argv)
         SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
 #endif
     if (alpn_in) {
-        unsigned short alpn_len;
+        size_t alpn_len;
         unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
 
         if (alpn == NULL) {
@@ -1583,6 +1674,28 @@ int s_client_main(int argc, char **argv)
     if (state)
         SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
 
+#ifndef OPENSSL_NO_CT
+    if (!SSL_CTX_set_ct_validation_callback(ctx, ct_validation, NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
+        if (ct_validation != NULL) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        /*
+         * If CT validation is not enabled, the log list isn't needed so don't
+         * show errors or abort. We try to load it regardless because then we
+         * can show the names of the logs any SCTs came from (SCTs may be seen
+         * even with validation disabled).
+         */
+        ERR_clear_error();
+    }
+#endif
+
     SSL_CTX_set_verify(ctx, verify, verify_callback);
 
     if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
@@ -1688,28 +1801,25 @@ int s_client_main(int argc, char **argv)
     if (init_client(&s, host, port, socket_family, socket_type) == 0)
     {
         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
-        SHUTDOWN(s);
+        BIO_closesocket(s);
         goto end;
     }
     BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
 
-#ifdef FIONBIO
     if (c_nbio) {
-        unsigned long l = 1;
-        BIO_printf(bio_c_out, "turning on non blocking io\n");
-        if (BIO_socket_ioctl(s, FIONBIO, &l) < 0) {
+        if (!BIO_socket_nbio(s, 1)) {
             ERR_print_errors(bio_err);
             goto end;
         }
+        BIO_printf(bio_c_out, "Turned on non blocking io\n");
     }
-#endif
     if (socket_type == SOCK_DGRAM) {
 
         sbio = BIO_new_dgram(s, BIO_NOCLOSE);
         if (getsockname(s, &peer, (void *)&peerlen) < 0) {
             BIO_printf(bio_err, "getsockname:errno=%d\n",
                        get_last_socket_error());
-            SHUTDOWN(s);
+            BIO_closesocket(s);
             goto end;
         }
 
@@ -1774,10 +1884,6 @@ int s_client_main(int argc, char **argv)
         SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
         SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
     }
-#ifndef OPENSSL_NO_JPAKE
-    if (jpake_secret)
-        jpake_client_auth(bio_c_out, sbio, jpake_secret);
-#endif
 
     SSL_set_bio(con, sbio, sbio);
     SSL_set_connect_state(con);
@@ -2095,13 +2201,13 @@ int s_client_main(int argc, char **argv)
                                "drop connection and then reconnect\n");
                     do_ssl_shutdown(con);
                     SSL_set_connect_state(con);
-                    SHUTDOWN(SSL_get_fd(con));
+                    BIO_closesocket(SSL_get_fd(con));
                     goto re_start;
                 }
             }
         }
 
-        ssl_pending = read_ssl && SSL_pending(con);
+        ssl_pending = read_ssl && SSL_has_pending(con);
 
         if (!ssl_pending) {
 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
@@ -2412,7 +2518,7 @@ int s_client_main(int argc, char **argv)
     if (in_init)
         print_stuff(bio_c_out, con, full_log);
     do_ssl_shutdown(con);
-    SHUTDOWN(SSL_get_fd(con));
+    BIO_closesocket(SSL_get_fd(con));
  end:
     if (con != NULL) {
         if (prexit != 0)
@@ -2461,6 +2567,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     const COMP_METHOD *comp, *expansion;
 #endif
     unsigned char *exportedkeymat;
+#ifndef OPENSSL_NO_CT
+    const STACK_OF(SCT) *scts;
+    const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
+#endif
 
     if (full) {
         int got_a_chain = 0;
@@ -2513,6 +2623,25 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         ssl_print_sigalgs(bio, s);
         ssl_print_tmp_key(bio, s);
 
+#ifndef OPENSSL_NO_CT
+        scts = SSL_get0_peer_scts(s);
+        BIO_printf(bio, "---\nSCTs present (%i)\n",
+                   scts != NULL ? sk_SCT_num(scts) : 0);
+
+        if (SSL_get_ct_validation_callback(s) == NULL) {
+          BIO_printf(bio, "Warning: CT validation is disabled, so not all "
+                     "SCTs may be displayed. Re-run with \"-requestct\".\n");
+        }
+
+        if (scts != NULL && sk_SCT_num(scts) > 0) {
+            const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
+
+            BIO_printf(bio, "---\n");
+            SCT_LIST_print(scts, bio, 0, "\n---\n", log_store);
+            BIO_printf(bio, "\n");
+        }
+#endif
+
         BIO_printf(bio,
                    "---\nSSL handshake has read %"PRIu64" bytes and written %"PRIu64" bytes\n",
                    BIO_number_read(SSL_get_rbio(s)),

apps/s_server.c

@@ -185,18 +185,10 @@ typedef unsigned int u_int;
 #include "s_apps.h"
 #include "timeouts.h"
 
-#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
-/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
-# undef FIONBIO
-#endif
-
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
-static int sv_body(const char *hostname, int s, int stype,
-                   unsigned char *context);
-static int www_body(const char *hostname, int s, int stype,
-                    unsigned char *context);
-static int rev_body(const char *hostname, int s, int stype,
-                    unsigned char *context);
+static int sv_body(int s, int stype, unsigned char *context);
+static int www_body(int s, int stype, unsigned char *context);
+static int rev_body(int s, int stype, unsigned char *context);
 static void close_accept_socket(void);
 static int init_ssl_connection(SSL *s);
 static void print_stats(BIO *bp, SSL_CTX *ctx);
@@ -229,9 +221,7 @@ static const char *s_cert_file = TEST_CERT, *s_key_file =
 
 static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
 static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
-#ifdef FIONBIO
 static int s_nbio = 0;
-#endif
 static int s_nbio_test = 0;
 static int s_crlf = 0;
 static SSL_CTX *ctx = NULL;
@@ -254,6 +244,8 @@ static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 
 static int async = 0;
+static unsigned int split_send_fragment = 0;
+static unsigned int max_pipelines = 0;
 
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
@@ -355,6 +347,8 @@ typedef struct srpsrvparm_st {
 static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 {
     srpsrvparm *p = (srpsrvparm *) arg;
+    int ret = SSL3_AL_FATAL;
+
     if (p->login == NULL && p->user == NULL) {
         p->login = SSL_get_srp_username(s);
         BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
@@ -363,21 +357,25 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 
     if (p->user == NULL) {
         BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
-        return SSL3_AL_FATAL;
+        goto err;
     }
+
     if (SSL_set_srp_server_param
         (s, p->user->N, p->user->g, p->user->s, p->user->v,
          p->user->info) < 0) {
         *ad = SSL_AD_INTERNAL_ERROR;
-        return SSL3_AL_FATAL;
+        goto err;
     }
     BIO_printf(bio_err,
                "SRP parameters set: username = \"%s\" info=\"%s\" \n",
                p->login, p->user->info);
-    /* need to check whether there are memory leaks */
+    ret = SSL_ERROR_NONE;
+
+err:
+    SRP_user_pwd_free(p->user);
     p->user = NULL;
     p->login = NULL;
-    return SSL_ERROR_NONE;
+    return ret;
 }
 
 #endif
@@ -406,6 +404,8 @@ static void s_server_init(void)
     s_quiet = 0;
     s_brief = 0;
     async = 0;
+    split_send_fragment = 0;
+    max_pipelines = 0;
 #ifndef OPENSSL_NO_ENGINE
     engine_id = NULL;
 #endif
@@ -743,7 +743,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data,
 /* This the context that we pass to alpn_cb */
 typedef struct tlsextalpnctx_st {
     unsigned char *data;
-    unsigned short len;
+    size_t len;
 } tlsextalpnctx;
 
 static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
@@ -753,7 +753,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
 
     if (!s_quiet) {
         /* We can assume that |in| is syntactically valid. */
-        unsigned i;
+        unsigned int i;
         BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
         for (i = 0; i < inlen;) {
             if (i)
@@ -785,7 +785,6 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
     return is_forward_secure;
 }
 
-static char *jpake_secret = NULL;
 #ifndef OPENSSL_NO_SRP
 static srpsrvparm srp_callback_parm;
 #endif
@@ -810,11 +809,11 @@ typedef enum OPTION_choice {
     OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
     OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
-    OPT_SSL_CONFIG, OPT_SSL3,
-    OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
+    OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
+    OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN,
     OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
-    OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE,
+    OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
     OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
     OPT_S_ENUM,
     OPT_V_ENUM,
@@ -943,18 +942,19 @@ OPTIONS s_server_options[] = {
     {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
     {"ssl_config", OPT_SSL_CONFIG, 's', \
      "Configure SSL_CTX using the configuration 'val'"},
+    {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+     "Size used to split data for encrypt pipelines"},
+    {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+     "Maximum number of encrypt/decrypt pipelines to be used"},
+    {"read_buf", OPT_READ_BUF, 'n',
+     "Default read buffer size to be used for connections"},
     OPT_S_OPTIONS,
     OPT_V_OPTIONS,
     OPT_X_OPTIONS,
-#ifdef FIONBIO
     {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#endif
 #ifndef OPENSSL_NO_PSK
     {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
     {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-# ifndef OPENSSL_NO_JPAKE
-    {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
-# endif
 #endif
 #ifndef OPENSSL_NO_SRP
     {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
@@ -997,9 +997,9 @@ OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_SRTP
     {"use_srtp", OPT_SRTP_PROFILES, 's',
      "Offer SRTP key management with a colon-separated profile list"},
+#endif
     {"alpn", OPT_ALPN, 's',
      "Set the advertised protocols for the ALPN extension (comma-separated list)"},
-#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -1031,8 +1031,7 @@ int s_server_main(int argc, char *argv[])
 #ifdef AF_UNIX
     int unlink_unix_path = 0;
 #endif
-    int (*server_cb) (const char *hostname, int s, int stype,
-                      unsigned char *context);
+    do_server_cb server_cb;
     int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
 #ifndef OPENSSL_NO_DH
     int no_dhe = 0;
@@ -1052,6 +1051,7 @@ int s_server_main(int argc, char *argv[])
     X509 *s_cert2 = NULL;
     tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
     const char *ssl_config = NULL;
+    int read_buf_len = 0;
 #ifndef OPENSSL_NO_NEXTPROTONEG
     const char *next_proto_neg_in = NULL;
     tlsextnextprotoctx next_proto = { NULL, 0 };
@@ -1066,6 +1066,7 @@ int s_server_main(int argc, char *argv[])
     char *srpuserseed = NULL;
     char *srp_verifier_file = NULL;
 #endif
+    int min_version = 0, max_version = 0;
 
     local_argc = argc;
     local_argv = argv;
@@ -1343,9 +1344,8 @@ int s_server_main(int argc, char *argv[])
         case OPT_TRACE:
 #ifndef OPENSSL_NO_SSL_TRACE
             s_msg = 2;
-#else
-            break;
 #endif
+            break;
         case OPT_SECURITY_DEBUG:
             sdebug = 1;
             break;
@@ -1390,13 +1390,15 @@ int s_server_main(int argc, char *argv[])
         case OPT_SRPVFILE:
 #ifndef OPENSSL_NO_SRP
             srp_verifier_file = opt_arg();
-            meth = TLSv1_server_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
 #endif
             break;
         case OPT_SRPUSERSEED:
 #ifndef OPENSSL_NO_SRP
             srpuserseed = opt_arg();
-            meth = TLSv1_server_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
 #endif
             break;
         case OPT_REV:
@@ -1415,24 +1417,20 @@ int s_server_main(int argc, char *argv[])
             ssl_config = opt_arg();
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_server_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_server_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_server_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_server_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_DTLS:
 #ifndef OPENSSL_NO_DTLS
@@ -1441,14 +1439,18 @@ int s_server_main(int argc, char *argv[])
 #endif
             break;
         case OPT_DTLS1:
-#ifndef OPENSSL_NO_DTLS1
-            meth = DTLSv1_server_method();
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_VERSION;
+            max_version = DTLS1_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_DTLS1_2:
-#ifndef OPENSSL_NO_DTLS1_2
-            meth = DTLSv1_2_server_method();
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_2_VERSION;
+            max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
@@ -1501,16 +1503,10 @@ int s_server_main(int argc, char *argv[])
         case OPT_ALPN:
             alpn_in = opt_arg();
             break;
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-        case OPT_JPAKE:
-            jpake_secret = opt_arg();
-            break;
-#else
-        case OPT_JPAKE:
-            goto opthelp;
-#endif
         case OPT_SRTP_PROFILES:
+#ifndef OPENSSL_NO_SRTP
             srtp_profiles = opt_arg();
+#endif
             break;
         case OPT_KEYMATEXPORT:
             keymatexportlabel = opt_arg();
@@ -1521,6 +1517,23 @@ int s_server_main(int argc, char *argv[])
         case OPT_ASYNC:
             async = 1;
             break;
+        case OPT_SPLIT_SEND_FRAG:
+            split_send_fragment = atoi(opt_arg());
+            if (split_send_fragment == 0) {
+                /*
+                 * Not allowed - set to a deliberately bad value so we get an
+                 * error message below
+                 */
+                split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
+            }
+            break;
+        case OPT_MAX_PIPELINES:
+            max_pipelines = atoi(opt_arg());
+            break;
+        case OPT_READ_BUF:
+            read_buf_len = atoi(opt_arg());
+            break;
+
         }
     }
     argc = opt_num_rest();
@@ -1545,15 +1558,16 @@ int s_server_main(int argc, char *argv[])
         goto end;
     }
 #endif
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-    if (jpake_secret) {
-        if (psk_key) {
-            BIO_printf(bio_err, "Can't use JPAKE and PSK together\n");
-            goto end;
-        }
-        psk_identity = "JPAKE";
+
+    if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+        BIO_printf(bio_err, "Bad split send fragment size\n");
+        goto end;
+    }
+
+    if (max_pipelines > SSL_MAX_PIPELINES) {
+        BIO_printf(bio_err, "Bad max pipelines value\n");
+        goto end;
     }
-#endif
 
     if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
         BIO_printf(bio_err, "Error getting password\n");
@@ -1578,14 +1592,14 @@ int s_server_main(int argc, char *argv[])
         }
 
         s_cert = load_cert(s_cert_file, s_cert_format,
-                           NULL, e, "server certificate file");
+                           "server certificate file");
 
         if (!s_cert) {
             ERR_print_errors(bio_err);
             goto end;
         }
         if (s_chain_file) {
-            if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, e,
+            if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL,
                             "server certificate chain"))
                 goto end;
         }
@@ -1599,7 +1613,7 @@ int s_server_main(int argc, char *argv[])
             }
 
             s_cert2 = load_cert(s_cert_file2, s_cert_format,
-                                NULL, e, "second server certificate file");
+                                "second server certificate file");
 
             if (!s_cert2) {
                 ERR_print_errors(bio_err);
@@ -1609,7 +1623,7 @@ int s_server_main(int argc, char *argv[])
     }
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto_neg_in) {
-        unsigned short len;
+        size_t len;
         next_proto.data = next_protos_parse(&len, next_proto_neg_in);
         if (next_proto.data == NULL)
             goto end;
@@ -1620,7 +1634,7 @@ int s_server_main(int argc, char *argv[])
 #endif
     alpn_ctx.data = NULL;
     if (alpn_in) {
-        unsigned short len;
+        size_t len;
         alpn_ctx.data = next_protos_parse(&len, alpn_in);
         if (alpn_ctx.data == NULL)
             goto end;
@@ -1657,14 +1671,14 @@ int s_server_main(int argc, char *argv[])
         }
 
         s_dcert = load_cert(s_dcert_file, s_dcert_format,
-                            NULL, e, "second server certificate file");
+                            "second server certificate file");
 
         if (!s_dcert) {
             ERR_print_errors(bio_err);
             goto end;
         }
         if (s_dchain_file) {
-            if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, e,
+            if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL,
                             "second server certificate chain"))
                 goto end;
         }
@@ -1717,6 +1731,10 @@ int s_server_main(int argc, char *argv[])
         goto end;
         }
     }
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
 
     if (session_id_prefix) {
         if (strlen(session_id_prefix) >= 32)
@@ -1745,6 +1763,16 @@ int s_server_main(int argc, char *argv[])
     if (async) {
         SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
     }
+    if (split_send_fragment > 0) {
+        SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+    }
+    if (max_pipelines > 0) {
+        SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+    }
+
+    if (read_buf_len > 0) {
+        SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
+    }
 
 #ifndef OPENSSL_NO_SRTP
     if (srtp_profiles != NULL) {
@@ -1768,7 +1796,7 @@ int s_server_main(int argc, char *argv[])
     }
 
     ssl_ctx_add_crls(ctx, crls, 0);
-    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
+    if (!config_ctx(cctx, ssl_args, ctx))
         goto end;
 
     if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
@@ -1831,7 +1859,7 @@ int s_server_main(int argc, char *argv[])
         }
 
         ssl_ctx_add_crls(ctx2, crls, 0);
-        if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL))
+        if (!config_ctx(cctx, ssl_args, ctx2))
             goto end;
     }
 #ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1917,15 +1945,10 @@ int s_server_main(int argc, char *argv[])
                                                        not_resumable_sess_cb);
     }
 #ifndef OPENSSL_NO_PSK
-# ifdef OPENSSL_NO_JPAKE
-    if (psk_key != NULL)
-# else
-    if (psk_key != NULL || jpake_secret)
-# endif
-    {
+    if (psk_key != NULL) {
         if (s_debug)
             BIO_printf(bio_s_out,
-                       "PSK key given or JPAKE in use, setting server callback\n");
+                       "PSK key given, setting server callback\n");
         SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
     }
 
@@ -2079,8 +2102,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
                SSL_CTX_sess_get_cache_size(ssl_ctx));
 }
 
-static int sv_body(const char *hostname, int s, int stype,
-                   unsigned char *context)
+static int sv_body(int s, int stype, unsigned char *context)
 {
     char *buf = NULL;
     fd_set readfds;
@@ -2097,16 +2119,12 @@ static int sv_body(const char *hostname, int s, int stype,
 #endif
 
     buf = app_malloc(bufsize, "server buffer");
-#ifdef FIONBIO
     if (s_nbio) {
-        unsigned long sl = 1;
-
-        if (!s_quiet)
-            BIO_printf(bio_err, "turning on non blocking io\n");
-        if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
+        if (!BIO_socket_nbio(s, 1))
             ERR_print_errors(bio_err);
+        else if (!s_quiet)
+            BIO_printf(bio_err, "Turned on non blocking io\n");
     }
-#endif
 
     if (con == NULL) {
         con = SSL_new(ctx);
@@ -2175,10 +2193,6 @@ static int sv_body(const char *hostname, int s, int stype,
         test = BIO_new(BIO_f_nbio_test());
         sbio = BIO_push(test, sbio);
     }
-#ifndef OPENSSL_NO_JPAKE
-    if (jpake_secret)
-        jpake_server_auth(bio_s_out, sbio, jpake_secret);
-#endif
 
     SSL_set_bio(con, sbio, sbio);
     SSL_set_accept_state(con);
@@ -2209,7 +2223,7 @@ static int sv_body(const char *hostname, int s, int stype,
         int read_from_sslcon;
 
         read_from_terminal = 0;
-        read_from_sslcon = SSL_pending(con)
+        read_from_sslcon = SSL_has_pending(con)
                            || (async && SSL_waiting_for_async(con));
 
         if (!read_from_sslcon) {
@@ -2286,7 +2300,7 @@ static int sv_body(const char *hostname, int s, int stype,
                 if ((i <= 0) || (buf[0] == 'Q')) {
                     BIO_printf(bio_s_out, "DONE\n");
                     (void)BIO_flush(bio_s_out);
-                    SHUTDOWN(s);
+                    BIO_closesocket(s);
                     close_accept_socket();
                     ret = -11;
                     goto err;
@@ -2295,7 +2309,7 @@ static int sv_body(const char *hostname, int s, int stype,
                     BIO_printf(bio_s_out, "DONE\n");
                     (void)BIO_flush(bio_s_out);
                     if (SSL_version(con) != DTLS1_VERSION)
-                        SHUTDOWN(s);
+                        BIO_closesocket(s);
                     /*
                      * close_accept_socket(); ret= -11;
                      */
@@ -2360,9 +2374,10 @@ static int sv_body(const char *hostname, int s, int stype,
 #ifndef OPENSSL_NO_SRP
                 while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during write\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -2428,9 +2443,10 @@ static int sv_body(const char *hostname, int s, int stype,
 #ifndef OPENSSL_NO_SRP
                 while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -2445,7 +2461,7 @@ static int sv_body(const char *hostname, int s, int stype,
                     ascii2ebcdic(buf, buf, i);
 #endif
                     raw_write_stdout(buf, (unsigned int)i);
-                    if (SSL_pending(con))
+                    if (SSL_has_pending(con))
                         goto again;
                     break;
                 case SSL_ERROR_WANT_ASYNC:
@@ -2490,7 +2506,7 @@ static void close_accept_socket(void)
 {
     BIO_printf(bio_err, "shutdown accept socket\n");
     if (accept_socket >= 0) {
-        SHUTDOWN2(accept_socket);
+        BIO_closesocket(accept_socket);
     }
 }
 
@@ -2555,9 +2571,10 @@ static int init_ssl_connection(SSL *con)
         while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
             BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
                        srp_callback_parm.login);
+            SRP_user_pwd_free(srp_callback_parm.user);
             srp_callback_parm.user =
-                SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                      srp_callback_parm.login);
+                SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                       srp_callback_parm.login);
             if (srp_callback_parm.user)
                 BIO_printf(bio_s_out, "LOOKUP done %s\n",
                            srp_callback_parm.user->info);
@@ -2601,6 +2618,7 @@ static int init_ssl_connection(SSL *con)
         X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
         BIO_printf(bio_s_out, "issuer=%s\n", buf);
         X509_free(peer);
+        peer = NULL;
     }
 
     if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
@@ -2673,8 +2691,7 @@ static DH *load_dh_param(const char *dhfile)
 }
 #endif
 
-static int www_body(const char *hostname, int s, int stype,
-                    unsigned char *context)
+static int www_body(int s, int stype, unsigned char *context)
 {
     char *buf = NULL;
     int ret = 1;
@@ -2697,16 +2714,12 @@ static int www_body(const char *hostname, int s, int stype,
     if ((io == NULL) || (ssl_bio == NULL))
         goto err;
 
-#ifdef FIONBIO
     if (s_nbio) {
-        unsigned long sl = 1;
-
-        if (!s_quiet)
-            BIO_printf(bio_err, "turning on non blocking io\n");
-        if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
+        if (!BIO_socket_nbio(s, 1))
             ERR_print_errors(bio_err);
+        else if (!s_quiet)
+            BIO_printf(bio_err, "Turned on non blocking io\n");
     }
-#endif
 
     /* lets make the output buffer a reasonable size */
     if (!BIO_set_write_buffer_size(io, bufsize))
@@ -2768,9 +2781,10 @@ static int www_body(const char *hostname, int s, int stype,
                 if (BIO_should_io_special(io)
                     && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -2795,7 +2809,7 @@ static int www_body(const char *hostname, int s, int stype,
         if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
             ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
             char *p;
-            X509 *peer;
+            X509 *peer = NULL;
             STACK_OF(SSL_CIPHER) *sk;
             static const char *space = "                          ";
 
@@ -2824,7 +2838,7 @@ static int www_body(const char *hostname, int s, int stype,
                     goto err;
                 }
                 /*
-                 * We're not acutally expecting any data here and we ignore
+                 * We're not actually expecting any data here and we ignore
                  * any that is sent. This is just to force the handshake that
                  * we're expecting to come from the client. If they haven't
                  * sent one there's not much we can do.
@@ -2836,7 +2850,7 @@ static int www_body(const char *hostname, int s, int stype,
                      "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
             BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
             BIO_puts(io, "<pre>\n");
-/*                      BIO_puts(io,OpenSSL_version(OPENSSL_VERSION));*/
+            /* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
             BIO_puts(io, "\n");
             for (i = 0; i < local_argc; i++) {
                 const char *myp;
@@ -2915,6 +2929,8 @@ static int www_body(const char *hostname, int s, int stype,
                 BIO_printf(io, "Client certificate\n");
                 X509_print(io, peer);
                 PEM_write_bio_X509(io, peer);
+                X509_free(peer);
+                peer = NULL;
             } else
                 BIO_puts(io, "no client certificate available\n");
             BIO_puts(io, "</BODY></HTML>\r\n\r\n");
@@ -3061,8 +3077,7 @@ static int www_body(const char *hostname, int s, int stype,
     return (ret);
 }
 
-static int rev_body(const char *hostname, int s, int stype,
-                    unsigned char *context)
+static int rev_body(int s, int stype, unsigned char *context)
 {
     char *buf = NULL;
     int i;
@@ -3130,9 +3145,10 @@ static int rev_body(const char *hostname, int s, int stype,
         if (BIO_should_io_special(io)
             && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
             BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
+            SRP_user_pwd_free(srp_callback_parm.user);
             srp_callback_parm.user =
-                SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                      srp_callback_parm.login);
+                SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                       srp_callback_parm.login);
             if (srp_callback_parm.user)
                 BIO_printf(bio_s_out, "LOOKUP done %s\n",
                            srp_callback_parm.user->info);
@@ -3158,9 +3174,10 @@ static int rev_body(const char *hostname, int s, int stype,
                 if (BIO_should_io_special(io)
                     && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);

apps/s_socket.c

@@ -167,9 +167,9 @@ int init_client(int *sock, const char *host, const char *port,
 
     ret = 0;
     for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
-        /* Admitedly, these checks are quite paranoid, we should
-           not get anything in the BIO_ADDRINFO chain that we haven't
-           asked for */
+        /* Admittedly, these checks are quite paranoid, we should not get
+         * anything in the BIO_ADDRINFO chain that we haven't
+         * asked for. */
         OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
                        && (type == 0 || type == BIO_ADDRINFO_socktype(res)));
 
@@ -221,10 +221,8 @@ int init_client(int *sock, const char *host, const char *port,
  * 0 on failure, something other on success.
  */
 int do_server(int *accept_sock, const char *host, const char *port,
-              int family, int type,
-              int (*cb) (const char *hostname, int s, int stype,
-                         unsigned char *context), unsigned char *context,
-              int naccept)
+              int family, int type, do_server_cb cb,
+              unsigned char *context, int naccept)
 {
     int asock = 0;
     int sock;
@@ -240,9 +238,8 @@ int do_server(int *accept_sock, const char *host, const char *port,
         return 0;
     }
 
-    /* Admitedly, these checks are quite paranoid, we should
-       not get anything in the BIO_ADDRINFO chain that we haven't
-       asked for */
+    /* Admittedly, these checks are quite paranoid, we should not get
+     * anything in the BIO_ADDRINFO chain that we haven't asked for */
     OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
                    && (type == 0 || type == BIO_ADDRINFO_socktype(res)));
 
@@ -258,54 +255,30 @@ int do_server(int *accept_sock, const char *host, const char *port,
     }
 
     BIO_ADDRINFO_free(res);
+    res = NULL;
 
-    if (accept_sock != NULL) {
+    if (accept_sock != NULL)
         *accept_sock = asock;
-    }
     for (;;) {
-        BIO_ADDR *accepted_addr = NULL;
-        char *name = NULL;
         if (type == SOCK_STREAM) {
-            if ((accepted_addr = BIO_ADDR_new()) == NULL) {
-                BIO_closesocket(asock);
-                return 0;
-            }
-         redoit:
-            sock = BIO_accept_ex(asock, accepted_addr, 0);
+            do {
+                sock = BIO_accept_ex(asock, NULL, 0);
+            } while (sock < 0 && BIO_sock_should_retry(ret));
             if (sock < 0) {
-                if (BIO_sock_should_retry(ret)) {
-                    goto redoit;
-                } else {
-                    ERR_print_errors(bio_err);
-                    BIO_ADDR_free(accepted_addr);
-                    SHUTDOWN(asock);
-                    break;
-                }
+                ERR_print_errors(bio_err);
+                BIO_closesocket(asock);
+                break;
             }
+            i = (*cb)(sock, type, context);
+            BIO_closesocket(sock);
         } else {
-            sock = asock;
+            i = (*cb)(asock, type, context);
         }
 
-        /* accepted_addr is NULL if we're dealing with SOCK_DGRAM
-         * this means that for SOCK_DGRAM, name will be NULL
-         */
-        if (accepted_addr != NULL) {
-#ifdef AF_UNIX
-            if (family == AF_UNIX)
-                name = BIO_ADDR_path_string(accepted_addr);
-            else
-#endif
-                name = BIO_ADDR_hostname_string(accepted_addr, 0);
-        }
-        i = (*cb) (name, sock, type, context);
-        OPENSSL_free(name);
-        BIO_ADDR_free(accepted_addr);
-        if (type == SOCK_STREAM)
-            SHUTDOWN2(sock);
         if (naccept != -1)
             naccept--;
         if (i < 0 || naccept == 0) {
-            SHUTDOWN2(asock);
+            BIO_closesocket(asock);
             ret = i;
             break;
         }

apps/s_time.c

@@ -132,7 +132,7 @@ OPTIONS s_time_options[] = {
     {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
     {"verify", OPT_VERIFY, 'p',
      "Turn on peer certificate verification, set depth"},
-    {"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR},
+    {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
     {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 #ifndef OPENSSL_NO_SSL3
     {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
@@ -162,6 +162,7 @@ int s_time_main(int argc, char **argv)
         0, ver;
     long bytes_read = 0, finishtime = 0;
     OPTION_CHOICE o;
+    int max_version = 0;
 
     meth = TLS_client_method();
     verify_depth = 0;
@@ -230,14 +231,13 @@ int s_time_main(int argc, char **argv)
             }
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            max_version = SSL3_VERSION;
             break;
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (cipher == NULL)
         cipher = getenv("SSL_CIPHER");
@@ -250,6 +250,8 @@ int s_time_main(int argc, char **argv)
         goto end;
 
     SSL_CTX_set_quiet_shutdown(ctx, 1);
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
 
     if (st_bugs)
         SSL_CTX_set_options(ctx, SSL_OP_ALL);
@@ -291,7 +293,7 @@ int s_time_main(int argc, char **argv)
 #else
         SSL_shutdown(scon);
 #endif
-        SHUTDOWN2(SSL_get_fd(scon));
+        BIO_closesocket(SSL_get_fd(scon));
 
         nConn += 1;
         if (SSL_session_reused(scon))
@@ -348,7 +350,7 @@ int s_time_main(int argc, char **argv)
 #else
     SSL_shutdown(scon);
 #endif
-    SHUTDOWN2(SSL_get_fd(scon));
+    BIO_closesocket(SSL_get_fd(scon));
 
     nConn = 0;
     totalTime = 0.0;
@@ -379,7 +381,7 @@ int s_time_main(int argc, char **argv)
 #else
         SSL_shutdown(scon);
 #endif
-        SHUTDOWN2(SSL_get_fd(scon));
+        BIO_closesocket(SSL_get_fd(scon));
 
         nConn += 1;
         if (SSL_session_reused(scon))

apps/sess_id.c

@@ -139,7 +139,8 @@ int sess_id_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     x = load_sess_id(infile, informat);
     if (x == NULL) {

apps/smime.c

@@ -458,7 +458,7 @@ int smime_main(int argc, char **argv)
             goto end;
         while (*argv) {
             cert = load_cert(*argv, FORMAT_PEM,
-                             NULL, e, "recipient certificate file");
+                             "recipient certificate file");
             if (cert == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
@@ -468,7 +468,7 @@ int smime_main(int argc, char **argv)
     }
 
     if (certfile) {
-        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
                         "certificate file")) {
             ERR_print_errors(bio_err);
             goto end;
@@ -476,8 +476,8 @@ int smime_main(int argc, char **argv)
     }
 
     if (recipfile && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile, FORMAT_PEM, NULL,
-                                e, "recipient certificate file")) == NULL) {
+        if ((recip = load_cert(recipfile, FORMAT_PEM,
+                               "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
         }
@@ -572,8 +572,8 @@ int smime_main(int argc, char **argv)
         for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
-            signer = load_cert(signerfile, FORMAT_PEM, NULL,
-                               e, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_PEM,
+                               "signer certificate");
             if (!signer)
                 goto end;
             key = load_key(keyfile, keyform, 0, passin, e, "signing key file");

apps/spkac.c

@@ -112,6 +112,7 @@ int spkac_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         case OPT_HELP:
@@ -154,7 +155,8 @@ int spkac_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");

apps/ts.c

@@ -110,22 +110,25 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
 /* Verify related functions. */
 static int verify_command(char *data, char *digest, char *queryfile,
                           char *in, int token_in,
-                          char *CApath, char *CAfile, char *untrusted);
+                          char *CApath, char *CAfile, char *untrusted,
+                          X509_VERIFY_PARAM *vpm);
 static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                                         char *queryfile,
                                         char *CApath, char *CAfile,
-                                        char *untrusted);
-static X509_STORE *create_cert_store(char *CApath, char *CAfile);
+                                        char *untrusted,
+                                        X509_VERIFY_PARAM *vpm);
+static X509_STORE *create_cert_store(char *CApath, char *CAfile,
+                                     X509_VERIFY_PARAM *vpm);
 static int verify_cb(int ok, X509_STORE_CTX *ctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
-    OPT_DIGEST, OPT_RAND, OPT_POLICY, OPT_NO_NONCE, OPT_CERT,
+    OPT_DIGEST, OPT_RAND, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
     OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
     OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
     OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED,
-    OPT_MD
+    OPT_MD, OPT_V_ENUM
 } OPTION_CHOICE;
 
 OPTIONS ts_options[] = {
@@ -137,7 +140,7 @@ OPTIONS ts_options[] = {
     {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
     {"rand", OPT_RAND, 's',
      "Load the file(s) into the random number generator"},
-    {"policy", OPT_POLICY, 's', "Policy OID to use"},
+    {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
     {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
     {"cert", OPT_CERT, '-', "Put cert request into query"},
     {"in", OPT_IN, '<', "Input file"},
@@ -159,6 +162,9 @@ OPTIONS ts_options[] = {
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+    {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
+    OPT_V_OPTIONS,
+    {OPT_HELP_STR, 1, '-', "\n"},
     {NULL}
 };
 
@@ -168,13 +174,13 @@ OPTIONS ts_options[] = {
 static char* opt_helplist[] = {
     "Typical uses:",
     "ts -query [-rand file...] [-config file] [-data file]",
-    "          [-digest hexstring] [-policy oid] [-no_nonce] [-cert]",
+    "          [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
     "          [-in file] [-out file] [-text]",
     "  or",
     "ts -reply [-config file] [-section tsa_section]",
     "          [-queryfile file] [-passin password]",
     "          [-signer tsa_cert.pem] [-inkey private_key.pem]",
-    "          [-chain certs_file.pem] [-policy oid]",
+    "          [-chain certs_file.pem] [-tspolicy oid]",
     "          [-in file] [-token_in] [-out file] [-token_out]",
 #ifndef OPENSSL_NO_ENGINE
     "          [-text]",
@@ -185,6 +191,7 @@ static char* opt_helplist[] = {
     "ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
     "           [-data file] [-digest hexstring]",
     "           [-queryfile file] -in file [-token_in]",
+    "           [[options specific to 'ts -verify']]",
     NULL,
 };
 
@@ -200,11 +207,16 @@ int ts_main(int argc, char **argv)
     const EVP_MD *md = NULL;
     OPTION_CHOICE o, mode = OPT_ERR;
     int ret = 1, no_nonce = 0, cert = 0, text = 0;
+    int vpmtouched = 0;
+    X509_VERIFY_PARAM *vpm = NULL;
     /* Input is ContentInfo instead of TimeStampResp. */
     int token_in = 0;
     /* Output is ContentInfo instead of TimeStampResp. */
     int token_out = 0;
 
+    if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+        goto end;
+
     prog = opt_init(argc, argv, ts_options);
     while ((o = opt_next()) != OPT_EOF) {
         switch (o) {
@@ -241,7 +253,7 @@ int ts_main(int argc, char **argv)
         case OPT_RAND:
             rnd = opt_arg();
             break;
-        case OPT_POLICY:
+        case OPT_TSPOLICY:
             policy = opt_arg();
             break;
         case OPT_NO_NONCE:
@@ -296,6 +308,11 @@ int ts_main(int argc, char **argv)
             if (!opt_md(opt_unknown(), &md))
                 goto opthelp;
             break;
+        case OPT_V_CASES:
+            if (!opt_verify(o, vpm))
+                goto end;
+            vpmtouched++;
+            break;
         }
     }
     argc = opt_num_rest();
@@ -329,12 +346,16 @@ int ts_main(int argc, char **argv)
     case OPT_ERR:
         goto opthelp;
     case OPT_QUERY:
+        if (vpmtouched)
+            goto opthelp;
         if ((data != NULL) && (digest != NULL))
             goto opthelp;
         ret = !query_command(data, digest, md, policy, no_nonce, cert,
                              in, out, text);
         break;
     case OPT_REPLY:
+        if (vpmtouched)
+            goto opthelp;
         if ((in != NULL) && (queryfile != NULL))
             goto opthelp;
         if (in == NULL) {
@@ -349,10 +370,12 @@ int ts_main(int argc, char **argv)
         if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
             goto opthelp;
         ret = !verify_command(data, digest, queryfile, in, token_in,
-                              CApath, CAfile, untrusted);
+                              CApath, CAfile, untrusted, 
+                              vpmtouched ? vpm : NULL);
     }
 
  end:
+    X509_VERIFY_PARAM_free(vpm);
     app_RAND_write_file(NULL);
     NCONF_free(conf);
     OPENSSL_free(password);
@@ -847,7 +870,8 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
 
 static int verify_command(char *data, char *digest, char *queryfile,
                           char *in, int token_in,
-                          char *CApath, char *CAfile, char *untrusted)
+                          char *CApath, char *CAfile, char *untrusted,
+                          X509_VERIFY_PARAM *vpm)
 {
     BIO *in_bio = NULL;
     PKCS7 *token = NULL;
@@ -866,7 +890,8 @@ static int verify_command(char *data, char *digest, char *queryfile,
     }
 
     if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
-                                        CApath, CAfile, untrusted)) == NULL)
+                                        CApath, CAfile, untrusted,
+                                        vpm)) == NULL)
         goto end;
 
     ret = token_in
@@ -892,7 +917,8 @@ static int verify_command(char *data, char *digest, char *queryfile,
 static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                                         char *queryfile,
                                         char *CApath, char *CAfile,
-                                        char *untrusted)
+                                        char *untrusted,
+                                        X509_VERIFY_PARAM *vpm)
 {
     TS_VERIFY_CTX *ctx = NULL;
     BIO *input = NULL;
@@ -932,7 +958,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
     TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
 
     /* Initialising the X509_STORE object. */
-    if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile))
+    if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm))
             == NULL)
         goto err;
 
@@ -952,7 +978,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
     return ctx;
 }
 
-static X509_STORE *create_cert_store(char *CApath, char *CAfile)
+static X509_STORE *create_cert_store(char *CApath, char *CAfile, X509_VERIFY_PARAM *vpm)
 {
     X509_STORE *cert_ctx = NULL;
     X509_LOOKUP *lookup = NULL;
@@ -985,6 +1011,10 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
             goto err;
         }
     }
+
+    if (vpm != NULL) 
+        X509_STORE_set1_param(cert_ctx, vpm);
+
     return cert_ctx;
 
  err:

apps/verify.c

@@ -68,7 +68,7 @@
 static int cb(int ok, X509_STORE_CTX *ctx);
 static int check(X509_STORE *ctx, char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
-                 STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain);
+                 STACK_OF(X509_CRL) *crls, int show_chain);
 static int v_verbose = 0, vflags = 0;
 
 typedef enum OPTION_choice {
@@ -108,7 +108,6 @@ OPTIONS verify_options[] = {
 
 int verify_main(int argc, char **argv)
 {
-    ENGINE *e = NULL;
     STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
     STACK_OF(X509_CRL) *crls = NULL;
     X509_STORE *store = NULL;
@@ -167,7 +166,7 @@ int verify_main(int argc, char **argv)
             break;
         case OPT_UNTRUSTED:
             /* Zero or more times */
-            if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, e,
+            if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL,
                             "untrusted certificates"))
                 goto end;
             break;
@@ -175,26 +174,28 @@ int verify_main(int argc, char **argv)
             /* Zero or more times */
             noCAfile = 1;
             noCApath = 1;
-            if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, e,
+            if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL,
                             "trusted certificates"))
                 goto end;
             break;
         case OPT_CRLFILE:
             /* Zero or more times */
-            if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, e,
+            if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL,
                            "other CRLs"))
                 goto end;
             break;
         case OPT_CRL_DOWNLOAD:
             crl_download = 1;
             break;
+        case OPT_ENGINE:
+            if (setup_engine(opt_arg(), 0) == NULL) {
+                /* Failure message already displayed */
+                goto end;
+            }
+            break;
         case OPT_SHOW_CHAIN:
             show_chain = 1;
             break;
-        case OPT_ENGINE:
-            /* Specify *before* -trusted/-untrusted/-CRLfile */
-            e = setup_engine(opt_arg(), 0);
-            break;
         case OPT_VERBOSE:
             v_verbose = 1;
             break;
@@ -223,11 +224,11 @@ int verify_main(int argc, char **argv)
 
     ret = 0;
     if (argc < 1) {
-        if (check(store, NULL, untrusted, trusted, crls, e, show_chain) != 1)
+        if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1)
             ret = -1;
     } else {
         for (i = 0; i < argc; i++)
-            if (check(store, argv[i], untrusted, trusted, crls, e,
+            if (check(store, argv[i], untrusted, trusted, crls,
                       show_chain) != 1)
                 ret = -1;
     }
@@ -243,7 +244,7 @@ int verify_main(int argc, char **argv)
 
 static int check(X509_STORE *ctx, char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
-                 STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain)
+                 STACK_OF(X509_CRL) *crls, int show_chain)
 {
     X509 *x = NULL;
     int i = 0, ret = 0;
@@ -251,7 +252,7 @@ static int check(X509_STORE *ctx, char *file,
     STACK_OF(X509) *chain = NULL;
     int num_untrusted;
 
-    x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file");
+    x = load_cert(file, FORMAT_PEM, "certificate file");
     if (x == NULL)
         goto end;
 

apps/x509.c

@@ -89,10 +89,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                         char *section, ASN1_INTEGER *sno, int reqfile);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-static int force_version = 2;
-#endif
-
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
@@ -108,7 +104,6 @@ typedef enum OPTION_choice {
     OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
     OPT_SUBJECT_HASH_OLD,
     OPT_ISSUER_HASH_OLD,
-    OPT_FORCE_VERSION,
     OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
 } OPTION_CHOICE;
 
@@ -189,9 +184,6 @@ OPTIONS x509_options[] = {
     {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
      "Print old-style (MD5) subject hash value"},
 #endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    {"force_version", OPT_FORCE_VERSION, 'p'},
-#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -288,11 +280,6 @@ int x509_main(int argc, char **argv)
             if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
                 goto opthelp;
             break;
-        case OPT_FORCE_VERSION:
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-            force_version = atoi(opt_arg()) - 1;
-#endif
-            break;
         case OPT_DAYS:
             days = atoi(opt_arg());
             break;
@@ -625,12 +612,12 @@ int x509_main(int argc, char **argv)
             EVP_PKEY_free(pkey);
         }
     } else
-        x = load_cert(infile, informat, NULL, e, "Certificate");
+        x = load_cert(infile, informat, "Certificate");
 
     if (x == NULL)
         goto end;
     if (CA_flag) {
-        xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate");
+        xca = load_cert(CAfile, CAformat, "CA Certificate");
         if (xca == NULL)
             goto end;
     }
@@ -1046,11 +1033,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 
     if (conf) {
         X509V3_CTX ctx2;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx2, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1123,11 +1106,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
     }
     if (conf) {
         X509V3_CTX ctx;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))

appveyor.yml

@@ -4,52 +4,36 @@ platform:
 
 environment:
     matrix:
-        - VSVER: 9
-        - VSVER: 10
-        - VSVER: 11
-        - VSVER: 12
         - VSVER: 14
 
 configuration:
     - plain
     - shared
 
-matrix:
-    allow_failures:
-        - platform: x64
-          VSVER: 9
-        - platform: x64
-          VSVER: 10
-        - platform: x64
-          VSVER: 11
-
 before_build:
     - ps: >-
         If ($env:Platform -Match "x86") {
             $env:VCVARS_PLATFORM="x86"
             $env:TARGET="VC-WIN32"
-            $env:DO="do_ms"
         } Else {
             $env:VCVARS_PLATFORM="amd64"
             $env:TARGET="VC-WIN64A"
-            $env:DO="do_win64a"
         }
     - ps: >-
-        If ($env:Configuration -Like "*shared*") {
-            $env:MAK="ntdll.mak"
+        If ($env:Configuration -Match "shared") {
+            $env:SHARED="shared"
         } Else {
-            $env:MAK="nt.mak"
+            $env:SHARED=""
         }
     - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
     - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
-    - perl Configure %TARGET% no-asm
-    - call ms\%DO%
+    - perl Configure %TARGET% no-asm %SHARED%
 
 build_script:
-    - nmake /f ms\%MAK%
+    - nmake
 
 test_script:
-    - nmake /f ms\%MAK% test
+    - nmake test
 
 notifications:
     - provider: Email

build.info

@@ -10,8 +10,11 @@ IF[{- $config{target} =~ /^Cygwin/ -}]
  SHARED_NAME[libcrypto]=cygcrypto-{- $config{shlib_major}.".".$config{shlib_minor} -}
  SHARED_NAME[libssl]=cygssl-{- $config{shlib_major}.".".$config{shlib_minor} -}
 ELSIF[{- $config{target} =~ /^mingw/ -}]
- SHARED_NAME[libcrypto]=libeay32
- SHARED_NAME[libssl]=ssleay32
+ SHARED_NAME[libcrypto]=libcrypto-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
+ SHARED_NAME[libssl]=libssl-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
+ELSIF[{- $config{target} =~ /^VC-/ -}]
+ SHARED_NAME[libcrypto]=libcrypto-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} =~ /^VC-WIN64/ ? "-x64" : "" -}
+ SHARED_NAME[libssl]=libssl-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} =~ /^VC-WIN64/ ? "-x64" : "" -}
 ENDIF
 
 # VMS has a cultural standard where all libraries are prefixed.

certs/README.RootCerts

@@ -1,4 +0,0 @@
-The OpenSSL project does not (any longer) include root CA certificates.
-
-Please check out the FAQ:
-  * How can I set up a bundle of commercial root CA certificates?

certs/demo/ca-cert.pem

@@ -1,32 +0,0 @@
-issuer= C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
-subject= C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
------BEGIN CERTIFICATE-----
-MIICMDCCAZkCCQC7xcpM4/Y5pTANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJB
-VTETMBEGA1UECAwKUXVlZW5zbGFuZDEaMBgGA1UECgwRQ3J5cHRTb2Z0IFB0eSBM
-dGQxHDAaBgNVBAMME1Rlc3QgUENBICgxMDI0IGJpdCkwIBcNMTYwMTEzMjE1MTA0
-WhgPMjExNjAxMTQyMTUxMDRaMFsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVl
-bnNsYW5kMRowGAYDVQQKDBFDcnlwdFNvZnQgUHR5IEx0ZDEbMBkGA1UEAwwSVGVz
-dCBDQSAoMTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+LUDc
-isuFNs1+pSGbzkQdXnZsDMCIEgeHIKBRAqxuaYsc2MSmrmZAMChvf/i+AwfKl0Y3
-11nL2n3DlA5WKUUTspCe8BpIqpqm2cq8WPA1o5OWWUF4kroWDgCQfhcn29dSWVev
-grwUF/9YPr4Sa9/RpqeqAHrKGK4/dHnKMwpZpwIDAQABMA0GCSqGSIb3DQEBCwUA
-A4GBAHzNks+UQzxQG9gvct4nGFaR86YW28mW9oUpVevokvEaGqEGtb9uMbzJf5ER
-HJ0GPtjIRIPuHPcACPN2gvh8kipGb4Hj2bJMIgWwoj7adViiJot4slHOINIXrQAq
-+fFYyHYHLTcUpJEe9BZNmEJ5I8U1tWlVdubfQwPb8/ZRqkYg
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL4tQNyKy4U2zX6l
-IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
-DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
-vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAECgYA3j6sSg+5f9hnldUMzbPjTh8Sb
-XsJlPrc6UFrmMBzGiUleXSpe9Dbla+x0XvQCN4pwMvAN4nnWp/f0Su5BV/9Y93nb
-im5ijGNrfN9i6QrnqGCr+MMute+4E8HR2pCScX0mBLDDf40SmDvMzCaxtd21keyr
-9DqHgInQZNEi6NKlkQJBAPCbUTFg6iQ6VTCQ8CsEf5q2xHhuTK23fJ999lvWVxN7
-QsvWb9RP9Ng34HVtvB7Pl6P7FyHLQYiDJhhvYR0L0+kCQQDKV/09Kt6Wjf5Omp1I
-wd3A+tFnipdqnPw+qNHGjevv0hYiEIWQOYbx00zXgaX+WN/pzV9eeNN2XAxlNJ++
-dxcPAkBrzeuPKFFAcjKBVC+H1rgl5gYZv7Hzk+buv02G0H6rZ+sB0c7BXiHiTwbv
-Fn/XfkP/YR14Ms3mEH0dLaphjU8hAkEAh3Ar/rRiN04mCcEuRFQXtaNtZSv8PA2G
-Pf7MI2Y9pdHupLCAZlBLRjTUO2/5hu1AO4QPMPIZQSFN3rRBtMCL+wJAMp/m2hvI
-TmtbMp/IrKGfma09e3yFiCmoNn7cHLJ7jLvXcacV2XNzpr9YHfBxiZo0g9FqZKvv
-PZoQ5B2XJ7bhTQ==
------END PRIVATE KEY-----

certs/demo/dsa-ca.pem

@@ -1,47 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBugIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
-PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
-u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
-Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
-hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
-SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
-Mu0OArgCgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuHvSLw9YUrJahcBHmbpvt4
-94lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUqAylOVFJJJXuirVJ+o+0T
-tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
-J6zsFbSEHaQGUmfSeoM=
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE REQUEST-----
-MIICVzCCAhMCAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCQ0Ew
-ggG2MIIBKwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9
-hpazFeBTLo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhu
-zmaua4g2++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82A
-EeRwlVtQzUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ
-5WhvMONp4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeo
-epEJnbbxTZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJ
-bEEXlZLrAbVzpWp+2DLtDgK4A4GEAAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfs
-i4e9IvD1hSslqFwEeZum+3j3iUXiALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj2
-5SoDKU5UUkkle6KtUn6j7RO04UMhMQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17
-ry7d6fGGqcMZoAAwCwYJYIZIAWUDBAMCAzEAMC4CFQCRILcFM8uPOMS9A3ISHIHn
-DinR1gIVAIm8wedax7I6YgQ1iJukchwZnsO1
------END CERTIFICATE REQUEST-----
------BEGIN CERTIFICATE-----
-MIIDLzCCAuygAwIBAgIBAjALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNTczOFoYDzIxMTYwMTE0MjE1
-NzM4WjBSMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDDAJDQTCCAbYwggEr
-BgcqhkjOOAQBMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMu
-j+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb7
-7Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DN
-SQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh
-5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFN
-nFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusB
-tXOlan7YMu0OArgDgYQAAoGAGqZZeoqs/V62RZZNhglXAfioocVpx+yLh70i8PWF
-KyWoXAR5m6b7ePeJReIAucN1jzPr1yaH27rJOBqEBBLEDTA2moeJuPblKgMpTlRS
-SSV7oq1SfqPtE7ThQyExAJfmGWWq4lzg+7XTkjpfUSzDwuvnWhykvXuvLt3p8Yap
-wxmjUDBOMB0GA1UdDgQWBBTMZcORcBEVlqO/CD4pf4V6N1NM1zAfBgNVHSMEGDAW
-gBTGjwJ33uvjSa20RNrMKWoGptOLdDAMBgNVHRMEBTADAQH/MAsGCWCGSAFlAwQD
-AgMwADAtAhUA0NuSQB0Odv7ZToHGhHWQn9+2InICFHYweVbdh+GXaV7ulMrvK7+d
-ghUP
------END CERTIFICATE-----

certs/demo/dsa-pca.pem

@@ -1,47 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBvAIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
-PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
-u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
-Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
-hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
-SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
-Mu0OArgCgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
-umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
-29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUCFQDNvrBz
-6TicfImU7UFRn9h00j0lJQ==
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE REQUEST-----
-MIICWDCCAhUCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDUENB
-MIIBtzCCASsGByqGSM44BAEwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7F
-PYaWsxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmI
-bs5mrmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/N
-gBHkcJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYl
-meVobzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEn
-qHqRCZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/Xk
-CWxBF5WS6wG1c6Vqftgy7Q4CuAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYg
-rB7o1kQxeDf34dDVRM9OZ8tkumz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQ
-lNnKvbtlmMDULpqkZJD0bO7A29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgT
-mvTPT2j9TPjq7RWgADALBglghkgBZQMEAwIDMAAwLQIUIBpERkvZqoeQ03rJkgyg
-hIdRhAICFQCJIHDcjc1sBoSDGTPkrejqfQRgHQ==
------END CERTIFICATE REQUEST-----
------BEGIN CERTIFICATE-----
-MIIDMTCCAu6gAwIBAgIBATALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNTczN1oYDzIxMTYwMTE0MjE1
-NzM3WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDDANQQ0EwggG3MIIB
-KwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9hpazFeBT
-Lo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhuzmaua4g2
-++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82AEeRwlVtQ
-zUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ5WhvMONp
-4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeoepEJnbbx
-TZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJbEEXlZLr
-AbVzpWp+2DLtDgK4A4GFAAKBgQCm7bkeQHVviAowhXtosY1IiSczNiCsHujWRDF4
-N/fh0NVEz05ny2S6bPq2X6JRw17kSjF2xhXUhdJ12M6LTws4uxmrsBCU2cq9u2WY
-wNQumqRkkPRs7sDb2eKwl8rLVRGoAEvDkOB9w+HVkte2YN9SAm+aOBOa9M9PaP1M
-+OrtFaNQME4wHQYDVR0OBBYEFMaPAnfe6+NJrbRE2swpagam04t0MB8GA1UdIwQY
-MBaAFMaPAnfe6+NJrbRE2swpagam04t0MAwGA1UdEwQFMAMBAf8wCwYJYIZIAWUD
-BAMCAzAAMC0CFQC7Vz9FtzDUMURr3BW91+5FAZodbgIULxZ2l5jCqnwVjKuruM4o
-FdkQZUQ=
------END CERTIFICATE-----

certs/demo/pca-cert.pem

@@ -1,32 +0,0 @@
-issuer= C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
-subject= C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
------BEGIN CERTIFICATE-----
-MIICMTCCAZoCCQCDpmqfcg3yQzANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJB
-VTETMBEGA1UECAwKUXVlZW5zbGFuZDEaMBgGA1UECgwRQ3J5cHRTb2Z0IFB0eSBM
-dGQxHDAaBgNVBAMME1Rlc3QgUENBICgxMDI0IGJpdCkwIBcNMTYwMTEzMjE1MTA0
-WhgPMjExNjAxMTQyMTUxMDRaMFwxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApRdWVl
-bnNsYW5kMRowGAYDVQQKDBFDcnlwdFNvZnQgUHR5IEx0ZDEcMBoGA1UEAwwTVGVz
-dCBQQ0EgKDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAthiO
-O2kuz+V+Q8XEAVnhXcd7mZkVuwRqQr1sDZ9BqvKt5HDJ+FtdsMkfIFX5zjEjl9ua
-ZV3a3+6ziTisyEawG0vz1KoIQeE8mksXLCJBWYlMCMA1itaRkrm5H/75iZnLO4t8
-8csG624rpwUYpfDc01OjGNiigx/SZp3as9fdwpMCAwEAATANBgkqhkiG9w0BAQsF
-AAOBgQBTi1otT7r7eplhrk/bjuxs8Gq3DCmd+kyr50kXgmWPFPEexDAQ1I49NUEO
-wYbPxgxMoqYTGvoQm59BSvr8zl+G/Y4ghlb3wK8N+be+IKYHMofYBC04CYsd5oMI
-AUDVWBv7CUTM+B7HLIkd8kCCqUQIEHJPXcXtS745EHH+EUmVpA==
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALYYjjtpLs/lfkPF
-xAFZ4V3He5mZFbsEakK9bA2fQaryreRwyfhbXbDJHyBV+c4xI5fbmmVd2t/us4k4
-rMhGsBtL89SqCEHhPJpLFywiQVmJTAjANYrWkZK5uR/++YmZyzuLfPHLButuK6cF
-GKXw3NNToxjYooMf0mad2rPX3cKTAgMBAAECgYBvrJ+Nz/Pli9jjt2V9bqHH4Y7r
-o/avuwVv6Ltbn0+mhy4d6w3yQhYzVSTBr/iDe59YglUt1WFl8/4nKZrNOIzHJlav
-Sw4hd3fYBHxbT+DgZMQ9ikjHECWRdDffrnlTLsSJAcxnpMJBPe3dKCRDMUrqWUvB
-IIKaxyqmXJms5Y/wAQJBAPFL9NMKJcWBftMKXCasxsV0ZGjgqHGZODYjtGFN9jJO
-6AbZrxfCcapTWG4RCC2o/EDEMN8aArEhfdrYY3lhXGsCQQDBMRzFevkD7SYXTw5G
-NA/gJOAsFMYbt7tebcCRsHT7t3ymVfO2QwK7ZF0f/SYvi7cMAPraHvO7s3kFdGTB
-kDx5AkAHBICASsFCdzurA5gef9PgFjx9WFtNwnkCChPK6KuKVwUkfdw7wqnvnDDs
-Mo6cVVfQwmPxeR4u7JxuavCprQ01AkEAp5ZGAh1J9Jj9CQ1AMbAp8WOrvzGKJTM9
-641Dll4/LLif/d7j2kDJFuvaSMyeGnKVqGkVMq/U+QeYPR4Z5TuM6QJAWK05qFed
-wYgTZyVN0MY53ZOMAIWwjz0cr24TvDfmsZqIvguGL616GKQZKdKDZQyQHg+dCzqJ
-HgIoacuFDKz5CA==
------END PRIVATE KEY-----

certs/expired/ICE.crl

@@ -1,9 +0,0 @@
------BEGIN X509 CRL-----
-MIIBNDCBnjANBgkqhkiG9w0BAQIFADBFMSEwHwYDVQQKExhFdXJvcGVhbiBJQ0Ut
-VEVMIFByb2plY3QxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05
-NzA2MDkxNDQyNDNaFw05NzA3MDkxNDQyNDNaMCgwEgIBChcNOTcwMzAzMTQ0MjU0
-WjASAgEJFw05NjEwMDIxMjI5MjdaMA0GCSqGSIb3DQEBAgUAA4GBAH4vgWo2Tej/
-i7kbiw4Imd30If91iosjClNpBFwvwUDBclPEeMuYimHbLOk4H8Nofc0fw11+U/IO
-KSNouUDcqG7B64oY7c4SXKn+i1MWOb5OJiWeodX3TehHjBlyWzoNMWCnYA8XqFP1
-mOKp8Jla1BibEZf14+/HqCi2hnZUiEXh
------END X509 CRL-----

config

@@ -33,7 +33,7 @@ case "$i" in
 -t*) TEST="true";;
 -h*) TEST="true"; cat <<EOF
 Usage: config [options]
- -d	Add a debug- prefix to machine choice.
+ -d	Build with debugging when possible.
  -t	Test mode, do not run the Configure perl script.
  -h	This help.
 
@@ -480,7 +480,7 @@ case "$GUESSOS" in
 	echo "         invoke '$THERE/Configure irix64-mips4-$CC' *manually*."
 	if [ "$TEST" = "false" -a -t 1 ]; then
 	  echo "         You have about 5 seconds to press Ctrl-C to abort."
-	  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	  (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
         #CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
         #CPU=${CPU:-0}
@@ -499,7 +499,7 @@ case "$GUESSOS" in
 	    echo "         invoke '$THERE/Configure darwin64-ppc-cc' *manually*."
 	    if [ "$TEST" = "false" -a -t 1 ]; then
 	      echo "         You have about 5 seconds to press Ctrl-C to abort."
-	      (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	      (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	    fi
 	fi
 	if [ "$ISA64" = "1" -a "$KERNEL_BITS" = "64" ]; then
@@ -552,7 +552,7 @@ case "$GUESSOS" in
 	    echo "         invoke '$THERE/Configure linux-ppc64' *manually*."
 	    if [ "$TEST" = "false" -a -t 1 ]; then
 		echo "         You have about 5 seconds to press Ctrl-C to abort."
-		(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	    fi
 	fi
 	if [ "$KERNEL_BITS" = "64" ]; then
@@ -569,7 +569,7 @@ case "$GUESSOS" in
 	echo "         invoke '$THERE/Configure linux64-mips64' *manually*."
 	if [ "$TEST" = "false" -a -t 1 ]; then
 	    echo "         You have about 5 seconds to press Ctrl-C to abort."
-	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	    (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
 	OUT="linux-mips64"
 	;;
@@ -586,7 +586,7 @@ case "$GUESSOS" in
 	echo "         invoke '$THERE/Configure linux64-sparcv9' *manually*."
 	if [ "$TEST" = "false" -a -t 1 ]; then
 	  echo "          You have about 5 seconds to press Ctrl-C to abort."
-	  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	  (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
 	OUT="linux-sparcv9" ;;
   sparc-*-linux2)
@@ -634,7 +634,7 @@ case "$GUESSOS" in
 	#  echo "         have to invoke './Configure linux32-s390x' *manually*."
 	#  if [ "$TEST" = "false" -a -t -1 ]; then
 	#    echo "         You have about 5 seconds to press Ctrl-C to abort."
-	#    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+	#    (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	#  fi
 	#fi
 	OUT="linux64-s390x"
@@ -663,7 +663,7 @@ case "$GUESSOS" in
 		echo "         invoke '$THERE/Configure solaris64-sparcv9-cc' *manually*."
 		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		  (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then
 		# $GCC_ARCH denotes default ABI chosen by compiler driver
@@ -675,7 +675,7 @@ case "$GUESSOS" in
 		echo "         invoke '$THERE/Configure solaris-sparcv9-gcc' *manually*."
 		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		  (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    elif [ "$GCC_ARCH" = "-m32" ]; then
 		echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI"
@@ -683,7 +683,7 @@ case "$GUESSOS" in
 		echo "        invoke '$THERE/Configure solaris64-sparcv9-gcc' *manually*."
 		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		  (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    fi
 	fi
@@ -764,11 +764,16 @@ case "$GUESSOS" in
 		echo "         invoke '$THERE/Configure hpux64-parisc2-cc' *manually*."
 		if [ "$TEST" = "false" -a -t 1 ]; then
 		  echo "         You have about 5 seconds to press Ctrl-C to abort."
-		  (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		  (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	     fi
+	     # PA-RISC 2.0 is no longer supported as separate 32-bit
+	     # target. This is compensated for by run-time detection
+	     # in most critical assembly modules and taking advantage
+	     # of 2.0 architectire in PA-RISC 1.1 build.
+	     OUT="hpux-parisc1_1-${CC}"
 	elif [ $CPU_VERSION -ge 528 ]; then	# PA-RISC 1.1+ CPU
-	     OUT="hpux-parisc-${CC}"
+	     OUT="hpux-parisc1_1-${CC}"
 	elif [ $CPU_VERSION -ge 523 ]; then	# PA-RISC 1.0 CPU
 	     OUT="hpux-parisc-${CC}"
 	else					# Motorola(?) CPU
@@ -796,7 +801,7 @@ case "$GUESSOS" in
 		echo "         invoke '$THERE/Configure aix64-cc' *manually*."
 		if [ "$TEST" = "false" -a -t 1 ]; then
 		    echo "         You have ~5 seconds to press Ctrl-C to abort."
-		    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+		    (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
 		fi
 	    fi
 	fi
@@ -812,7 +817,9 @@ case "$GUESSOS" in
   x86pc-*-qnx6) OUT="QNX6-i386" ;;
   *-*-qnx6) OUT="QNX6" ;;
   x86-*-android|i?86-*-android) OUT="android-x86" ;;
-  armv[7-9]*-*-android) OUT="android-armv7" ;;
+  armv[7-9]*-*-android)
+      OUT="android-armeabi"; options="$options -march=armv7-a" ;;
+  arm*-*-android) OUT="android-armeabi" ;;
   *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 

config.com

@@ -2,14 +2,15 @@ $	! OpenSSL config: determine the architecture and run Configure
 $	!
 $	! Very simple for the moment, it will take the following arguments:
 $	!
-$	! 32		sets /POINTER_SIZE=32
-$	! 64		sets /POINTER_SIZE=64
-$	! DEBUG		sets debugging
-$	! HELP		prints a usage and exits
+$	! -32 or 32	sets /POINTER_SIZE=32
+$	! -64 or 64	sets /POINTER_SIZE=64
+$	! -d		sets debugging
+$	! -h		prints a usage and exits
+$	! -t		test mode, doesn't run Configure
 $
 $	arch == f$edit( f$getsyi( "arch_name"), "lowercase")
 $	pointer_size = ""
-$	debug = ""
+$	test = 0
 $	here = F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"),,,"SYNTAX_ONLY") - "A.;"
 $
 $	collected_args = ""
@@ -17,24 +18,47 @@ $	P_index = 0
 $	LOOP1:
 $	    P_index = P_index + 1
 $	    IF P_index .GT. 8 THEN GOTO ENDLOOP1
-$	    P1 = F$EDIT(P1,"TRIM")
-$	    IF P1 .EQS. "HELP" THEN GOTO USAGE
-$	    IF P1 .EQS. "32"
+$	    P = F$EDIT(P1,"TRIM,LOWERCASE")
+$	    IF P .EQS. "-h"
+$           THEN
+$               TEST = 1
+$               P = ""
+$               TYPE SYS$INPUT
+$               DECK
+Usage: @config [options]
+
+  -32 or 32	Build with 32-bit pointer size.
+  -64 or 64	Build with 64-bit pointer size.
+  -d		Build with debugging.
+  -t            Test mode, do not run the Configure perl script.
+  -h		This help.
+
+Any other text will be passed to the Configure perl script.
+See INSTALL for instructions.
+
+$               EOD
+$           ENDIF
+$	    IF P .EQS. "-t"
+$	    THEN
+$		test = 1
+$		P = ""
+$	    ENDIF
+$	    IF P .EQS. "-32" .OR. P .EQS. "32"
 $	    THEN
 $		pointer_size = "-P32"
-$		P1 = ""
+$		P = ""
 $	    ENDIF
-$	    IF P1 .EQS. "64"
+$	    IF P .EQS. "-64" .OR. P .EQS. "64"
 $	    THEN
 $		pointer_size = "-P64"
-$		P1 = ""
+$		P = ""
 $	    ENDIF
-$	    IF P1 .EQS. "DEBUG"
+$	    IF P .EQS. "-d"
 $	    THEN
-$		debug = "--debug"
-$		P1 = ""
+$               collected_args = collected_args + " --debug"
+$		P = ""
 $	    ENDIF
-$	    IF P1 .NES. "" THEN -
+$	    IF P .NES. "" THEN -
 	       collected_args = collected_args + " " + P1
 $	    P1 = P2
 $	    P2 = P3
@@ -48,18 +72,12 @@ $	    GOTO LOOP1
 $	ENDLOOP1:
 $
 $	target = "vms-''arch'''pointer_size'"
-$	PERL 'here'Configure "''target'" 'debug' 'collected_args'
-$	EXIT $STATUS
+$       IF test
+$       THEN
+$           WRITE SYS$OUTPUT "PERL ''here'Configure ""''target'""''collected_args'"
+$       ELSE
+$           PERL 'here'Configure "''target'" 'debug' 'collected_args'
+$       ENDIF
+$       EXIT $STATUS
 $
 $ USAGE:
-$	TYPE SYS$INPUT
-$	DECK
-usage: @config [options]
-
-  32		build with 32-bit pointer size
-  64		build with 64-bit pointer size
-  DEBUG		build with debugging
-  HELP		this text
-
-Any other option is simply passed to Configure.
-$	EOD

crypto/Makefile.in

@@ -21,10 +21,11 @@ RECURSIVE_MAKE=	[ -n "$(SDIRS)" ] && for i in $(SDIRS) ; do \
 PLIB_LDFLAG=
 EX_LIBS=
 
-CFLAGS= $(INCLUDE) $(CFLAG)
-ASFLAGS= $(INCLUDE) $(ASFLAG)
+CFLAGS= $(INCLUDE) $(CFLAG) $(SHARED_CFLAG)
+ASFLAGS= $(INCLUDE) $(ASFLAG) $(SHARED_CFLAG)
 AFLAGS=$(ASFLAGS)
 CPUID_OBJ=mem_clr.o
+UPLINK_OBJ=
 
 LIBS=
 
@@ -33,11 +34,13 @@ GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
 LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
-	ebcdic.c uid.c o_time.c o_str.c o_dir.c thr_id.c lock.c \
+	ebcdic.c uid.c o_time.c o_str.c o_dir.c \
+	threads_pthread.c threads_win.c threads_none.c \
 	o_init.c o_fips.c mem_sec.c init.c
 LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
-	ebcdic.o uid.o o_time.o o_str.o o_dir.o thr_id.o lock.o \
-	o_init.o o_fips.o mem_sec.o init.o $(CPUID_OBJ)
+	ebcdic.o uid.o o_time.o o_str.o o_dir.o \
+	threads_pthread.o threads_win.o threads_none.o \
+	o_init.o o_fips.o mem_sec.o init.o $(CPUID_OBJ) $(UPLINK_OBJ)
 
 SRC= $(LIBSRC)
 
@@ -61,7 +64,7 @@ buildinf.h: ../Makefile
 	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS_Q)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
-	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) $@
 
 applink.o:	$(TOP)/ms/applink.c
 	$(CC) $(CFLAGS) -c -o $@ $(TOP)/ms/applink.c
@@ -70,18 +73,18 @@ uplink.o:	$(TOP)/ms/uplink.c applink.o
 	$(CC) $(CFLAGS) -c -o $@ $(TOP)/ms/uplink.c
 
 uplink-x86.s:	$(TOP)/ms/uplink-x86.pl
-	$(PERL) $(TOP)/ms/uplink-x86.pl $(PERLASM_SCHEME) > $@
+	$(PERL) $(TOP)/ms/uplink-x86.pl $(PERLASM_SCHEME) $@
 
-x86_64cpuid.s:	x86_64cpuid.pl;	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
+x86_64cpuid.s:	x86_64cpuid.pl;	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) $@
 ia64cpuid.s:	ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:	pariscid.pl;	$(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:	alphacpuid.pl
 	(preproc=$$$$.$@.S; trap "rm $$preproc" INT; \
-	$(PERL) alphacpuid.pl > $$preproc && \
+	$(PERL) alphacpuid.pl $$preproc && \
 	$(CC) -E -P $$preproc > $@ && rm $$preproc)
-arm64cpuid.S:	arm64cpuid.pl;	$(PERL) arm64cpuid.pl $(PERLASM_SCHEME) > $@
-armv4cpuid.S:	armv4cpuid.pl;	$(PERL) armv4cpuid.pl $(PERLASM_SCHEME) > $@
+arm64cpuid.S:	arm64cpuid.pl;	$(PERL) arm64cpuid.pl $(PERLASM_SCHEME) $@
+armv4cpuid.S:	armv4cpuid.pl;	$(PERL) armv4cpuid.pl $(PERLASM_SCHEME) $@
 
 subdirs:
 	@target=all; $(RECURSIVE_MAKE)
@@ -107,7 +110,7 @@ libs:
 
 depend:
 	@[ -z "$(THIS)" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist
-	@[ -z "$(THIS)" ] || $(TOP)/util/domd $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	@[ -z "$(THIS)" ] || $(TOP)/util/domd $(CFLAG) $(INCLUDE) -- $(PROGS) $(LIBSRC)
 	@[ -z "$(THIS)" -o -s buildinf.h ] || rm buildinf.h
 	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi

crypto/aes/Makefile.in

@@ -13,8 +13,8 @@ AR=		ar r
 
 AES_ENC=aes_core.o aes_cbc.o
 
-CFLAGS= $(INCLUDES) $(CFLAG)
-ASFLAGS= $(INCLUDES) $(ASFLAG)
+CFLAGS= $(INCLUDES) $(CFLAG) $(SHARED_CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG) $(SHARED_CFLAG)
 AFLAGS= $(ASFLAGS)
 
 GENERAL=Makefile
@@ -45,31 +45,31 @@ aes-ia64.s: asm/aes-ia64.S
 	$(CC) $(CFLAGS) -E asm/aes-ia64.S > $@
 
 aes-586.s:	asm/aes-586.pl ../perlasm/x86asm.pl
-	$(PERL) asm/aes-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+	$(PERL) asm/aes-586.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) $@
 vpaes-x86.s:	asm/vpaes-x86.pl ../perlasm/x86asm.pl
-	$(PERL) asm/vpaes-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+	$(PERL) asm/vpaes-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) $@
 aesni-x86.s:	asm/aesni-x86.pl ../perlasm/x86asm.pl
-	$(PERL) asm/aesni-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
+	$(PERL) asm/aesni-x86.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) $@
 
 aes-x86_64.s: asm/aes-x86_64.pl
-	$(PERL) asm/aes-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/aes-x86_64.pl $(PERLASM_SCHEME) $@
 vpaes-x86_64.s:	asm/vpaes-x86_64.pl
-	$(PERL) asm/vpaes-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/vpaes-x86_64.pl $(PERLASM_SCHEME) $@
 bsaes-x86_64.s:	asm/bsaes-x86_64.pl
-	$(PERL) asm/bsaes-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/bsaes-x86_64.pl $(PERLASM_SCHEME) $@
 aesni-x86_64.s: asm/aesni-x86_64.pl
-	$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) $@
 aesni-sha1-x86_64.s:	asm/aesni-sha1-x86_64.pl
-	$(PERL) asm/aesni-sha1-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/aesni-sha1-x86_64.pl $(PERLASM_SCHEME) $@
 aesni-sha256-x86_64.s:	asm/aesni-sha256-x86_64.pl
-	$(PERL) asm/aesni-sha256-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/aesni-sha256-x86_64.pl $(PERLASM_SCHEME) $@
 aesni-mb-x86_64.s:	asm/aesni-mb-x86_64.pl
-	$(PERL) asm/aesni-mb-x86_64.pl $(PERLASM_SCHEME) > $@
+	$(PERL) asm/aesni-mb-x86_64.pl $(PERLASM_SCHEME) $@
 
-aes-sparcv9.s: asm/aes-sparcv9.pl
-	$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
-aest4-sparcv9.s: asm/aest4-sparcv9.pl ../perlasm/sparcv9_modes.pl
-	$(PERL) asm/aest4-sparcv9.pl $(CFLAGS) > $@
+aes-sparcv9.S: asm/aes-sparcv9.pl
+	$(PERL) asm/aes-sparcv9.pl $(PERLASM_SCHEME) $@
+aest4-sparcv9.S: asm/aest4-sparcv9.pl ../perlasm/sparcv9_modes.pl
+	$(PERL) asm/aest4-sparcv9.pl $(PERLASM_SCHEME) $@
 
 aes-ppc.s:	asm/aes-ppc.pl
 	$(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
@@ -101,7 +101,7 @@ files:
 	$(PERL) $(TOP)/util/files.pl "AES_ENC=$(AES_ENC)" Makefile >> $(TOP)/MINFO
 
 depend:
-	$(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	$(TOP)/util/domd $(CFLAG) $(INCLUDES) -- $(PROGS) $(LIBSRC)
 
 clean:
 	rm -f *.s *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff

crypto/aes/asm/aes-586.pl

@@ -191,6 +191,10 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 push(@INC,"${dir}","${dir}../../perlasm");
 require "x86asm.pl";
 
+$output = pop;
+open OUT,">$output";
+*STDOUT=*OUT;
+
 &asm_init($ARGV[0],"aes-586.pl",$x86only = $ARGV[$#ARGV] eq "386");
 &static_label("AES_Te");
 &static_label("AES_Td");
@@ -2985,3 +2989,5 @@ sub deckey()
 &asciz("AES for x86, CRYPTOGAMS by <appro\@openssl.org>");
 
 &asm_finish();
+
+close STDOUT;

crypto/aes/asm/aes-armv4.pl

@@ -33,8 +33,8 @@
 # improvement on Cortex A8 core and ~21.5 cycles per byte.
 
 $flavour = shift;
-if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
-else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
 
 if ($flavour && $flavour ne "void") {
     $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;

crypto/aes/asm/aes-mips.pl

@@ -81,13 +81,13 @@ $pf = ($flavour =~ /nubi/i) ? $t0 : $t2;
 
 $big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
 
-for (@ARGV) {	$output=$_ if (/^\w[\w\-]*\.\w+$/);	}
+for (@ARGV) {	$output=$_ if (/\w[\w\-]*\.\w+$/);	}
 open STDOUT,">$output";
 
 if (!defined($big_endian))
 {    $big_endian=(unpack('L',pack('N',1))==1);   }
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
 open STDOUT,">$output";
 
 my ($MSB,$LSB)=(0,3);	# automatically converted to little-endian

crypto/aes/asm/aes-s390x.pl

@@ -92,7 +92,7 @@ if ($flavour =~ /3[12]/) {
 	$g="g";
 }
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
 open STDOUT,">$output";
 
 $softonly=0;	# allow hardware support

crypto/aes/asm/aes-sparcv9.pl

@@ -30,10 +30,11 @@
 # optimal decrypt procedure]. Compared to GNU C generated code both
 # procedures are more than 60% faster:-)
 
-$bits=32;
-for (@ARGV)	{ $bits=64 if (/\-m64/ || /\-xarch\=v9/); }
-if ($bits==64)	{ $bias=2047; $frame=192; }
-else		{ $bias=0;    $frame=112; }
+$output = pop;
+open STDOUT,">$output";
+
+$frame="STACK_FRAME";
+$bias="STACK_BIAS";
 $locals=16;
 
 $acc0="%l0";
@@ -74,11 +75,13 @@ sub _data_word()
     while(defined($i=shift)) { $code.=sprintf"\t.long\t0x%08x,0x%08x\n",$i,$i; }
 }
 
-$code.=<<___ if ($bits==64);
+$code.=<<___;
+#include "sparc_arch.h"
+
+#ifdef  __arch64__
 .register	%g2,#scratch
 .register	%g3,#scratch
-___
-$code.=<<___;
+#endif
 .section	".text",#alloc,#execinstr
 
 .align	256

crypto/aes/asm/aesni-x86.pl

@@ -67,6 +67,10 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 push(@INC,"${dir}","${dir}../../perlasm");
 require "x86asm.pl";
 
+$output = pop;
+open OUT,">$output";
+*STDOUT=*OUT;
+
 &asm_init($ARGV[0],$0);
 
 &external_label("OPENSSL_ia32cap_P");
@@ -3398,3 +3402,5 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
 &asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
 
 &asm_finish();
+
+close STDOUT;

crypto/aes/asm/aest4-sparcv9.pl

@@ -68,7 +68,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 push(@INC,"${dir}","${dir}../../perlasm");
 require "sparcv9_modes.pl";
 
-&asm_init(@ARGV);
+$output = pop;
+open STDOUT,">$output";
 
 $::evp=1;	# if $evp is set to 0, script generates module with
 # AES_[en|de]crypt, AES_set_[en|de]crypt_key and AES_cbc_encrypt entry
@@ -83,12 +84,14 @@ $::evp=1;	# if $evp is set to 0, script generates module with
 {
 my ($inp,$out,$key,$rounds,$tmp,$mask)=map("%o$_",(0..5));
 
-$code.=<<___ if ($::abibits==64);
+$code.=<<___;
+#include "sparc_arch.h"
+
+#ifdef	__arch64__
 .register	%g2,#scratch
 .register	%g3,#scratch
+#endif
 
-___
-$code.=<<___;
 .text
 
 .globl	aes_t4_encrypt

crypto/aes/asm/bsaes-armv7.pl

@@ -48,8 +48,8 @@
 #					<ard.biesheuvel@linaro.org>
 
 $flavour = shift;
-if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
-else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
 
 if ($flavour && $flavour ne "void") {
     $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;

crypto/aes/asm/vpaes-armv8.pl

@@ -30,7 +30,7 @@
 # (***)	presented for reference/comparison purposes;
 
 $flavour = shift;
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
 
 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or