Prepare for 1.1.0-pre5 release

Reviewed-by: Rich Salz <rsalz@openssl.org>

.gitignore

@@ -37,14 +37,15 @@ Makefile
 
 # Links under apps
 /apps/CA.pl
+/apps/tsget
 /apps/md4.c
 
 
 # Auto generated headers
 /crypto/buildinf.h
-/openssl/include/opensslconf.h
 /crypto/include/internal/*_conf.h
-util/domd
+/openssl/include/opensslconf.h
+/util/domd
 
 # Auto generated assembly language source files
 *.s
@@ -59,6 +60,7 @@ util/domd
 /test/sha256t
 /test/sha512t
 /test/gost2814789t
+/test/ssltest_old
 /test/*test
 /test/fips_aesavs
 /test/fips_desmovs
@@ -87,7 +89,7 @@ Makefile.save
 *.bak
 /tags
 /TAGS
-cscope.out
+cscope.*
 *.d
 /crypto.map
 /ssl.map
@@ -103,6 +105,7 @@ cscope.out
 /out32dll.dbg
 /inc32
 /MINFO
+/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak

.travis-create-release.sh

@@ -4,9 +4,8 @@
 
 ./Configure dist
 if [ "$1" == osx ]; then
-    make NAME='_srcdist' TARFLAGS='-n' TARFILE='_srcdist.tar' \
-	 TAR_COMMAND='$(TAR) $(TARFLAGS) -s "|^|$(NAME)/|" -T $(TARFILE).list -cvf -' \
-	 SHELL='sh -vx' tar
+    make NAME='_srcdist' TARFILE='_srcdist.tar' \
+         TAR_COMMAND='$(TAR) $(TARFLAGS) -cvf -' tar
 else
-    make TARFILE='_srcdist.tar' NAME='_srcdist' SHELL='sh -v' dist
+    make TARFILE='_srcdist.tar' NAME='_srcdist' dist
 fi

.travis.yml

@@ -1,8 +1,10 @@
 language: c
+cache: ccache
 
 addons:
     apt:
         packages:
+            - ccache
             - clang-3.6
             - gcc-5
             - binutils-mingw-w64
@@ -18,97 +20,86 @@ os:
 
 compiler:
     - clang
-    - clang-3.6
     - gcc
-    - gcc-5
-    - i686-w64-mingw32-gcc
-    - x86_64-w64-mingw32-gcc
 
 env:
     - CONFIG_OPTS=""
-    - CONFIG_OPTS="shared"
-    - CONFIG_OPTS="no-asm"
-    - CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-    - CONFIG_OPTS="--unified"
-    - CONFIG_OPTS="--unified shared"
-    - CONFIG_OPTS="--unified no-asm"
-    - CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+    - CONFIG_OPTS="--debug no-shared enable-crypto-mdebug enable-rc5 enable-md2"
+    - CONFIG_OPTS="--strict-warnings no-shared" BUILDONLY="yes"
+    - CONFIG_OPTS="--classic no-shared" BUILDONLY="yes"
+    - CONFIG_OPTS="--classic" BUILDONLY="yes"
+    - CONFIG_OPTS="no-pic --strict-warnings" BUILDONLY="yes"
+    - CONFIG_OPTS="no-engine no-shared --strict-warnings" BUILDONLY="yes"
 
 matrix:
     include:
         - os: linux
           compiler: clang-3.6
-          env: CONFIG_OPTS="-fsanitize=address"
+          env: CONFIG_OPTS="-fsanitize=address no-shared"
         - os: linux
           compiler: clang-3.6
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
+          env: CONFIG_OPTS="no-shared no-asm -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2 -fno-sanitize=alignment"
         - os: linux
           compiler: gcc-5
-          env: CONFIG_OPTS="-fsanitize=address"
+          env: CONFIG_OPTS="no-shared -fsanitize=address"
         - os: linux
           compiler: gcc-5
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
+          env: CONFIG_OPTS="no-shared no-asm -fno-sanitize-recover -DPEDANTIC -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2"
+        - os: linux
+          compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="no-pic"
+        - os: linux
+          compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="no-pic"
     exclude:
-        - os: osx
-          compiler: clang-3.6
+        - os: linux
+          compiler: clang
         - os: osx
           compiler: gcc
-        - os: osx
-          compiler: gcc-5
-        - os: osx
-          compiler: i686-w64-mingw32-gcc
-        - os: osx
-          compiler: x86_64-w64-mingw32-gcc
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="shared"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="shared"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="no-asm"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="no-asm"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified shared"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified shared"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified no-asm"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified no-asm"
-    allow_failures:
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
 
 before_script:
     - sh .travis-create-release.sh $TRAVIS_OS_NAME
     - tar -xvzf _srcdist.tar.gz
-    - cd _srcdist
+    - if echo "$CONFIG_OPTS" | grep -e "--classic" >/dev/null; then
+          srcdir=.;
+          cd _srcdist;
+      else
+          srcdir=../_srcdist;
+          mkdir _build;
+          cd _build;
+      fi
     - if [ "$CC" == i686-w64-mingw32-gcc ]; then
           export CROSS_COMPILE=${CC%%gcc}; unset CC;
-          ./Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
+          $srcdir/Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
       elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
           export CROSS_COMPILE=${CC%%gcc}; unset CC;
-          ./Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
+          $srcdir/Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
       else
-          ./config $CONFIG_OPTS;
+          if which ccache >/dev/null && [ "$CC" != clang-3.6 ]; then
+              CC="ccache $CC";
+          fi;
+          $srcdir/config $CONFIG_OPTS;
       fi
     - cd ..
 
 script:
-    - cd _srcdist
-    - make
-    - if [ -n "$CROSS_COMPILE" ]; then
-          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
+    - if echo "$CONFIG_OPTS" | grep -e "--classic" >/dev/null; then
+          cd _srcdist;
+      else
+          cd _build;
+      fi
+    - make
+    - if [ -z "$BUILDONLY" ]; then
+          if [ -n "$CROSS_COMPILE" ]; then
+              export EXE_SHELL="wine" WINEPREFIX=`pwd`;
+          fi;
+          HARNESS_VERBOSE=yes make test;
+      else
+          make build_tests;
       fi
-    - HARNESS_VERBOSE=yes make test
     - cd ..
 
 notifications:
     email:
         - openssl-commits@openssl.org
+

CHANGES

@@ -2,7 +2,196 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
+
+  *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
+     X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
+     X509_CERT_FILE_CTX was removed.
+     [Rich Salz]
+
+  *) "shared" builds are now the default. To create only static libraries use
+     the "no-shared" Configure option.
+     [Matt Caswell]
+
+  *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
+     All of these option have not worked for some while and are fundamental
+     algorithms.
+     [Matt Caswell]
+
+  *) Make various cleanup routines no-ops and mark them as deprecated. Most
+     global cleanup functions are no longer required because they are handled
+     via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
+     Explicitly de-initing can cause problems (e.g. where a library that uses
+     OpenSSL de-inits, but an application is still using it). The affected
+     functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
+     EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
+     RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
+     COMP_zlib_cleanup().
+     [Matt Caswell]
+
+  *) --strict-warnings no longer enables runtime debugging options
+     such as REF_DEBUG. Instead, debug options are automatically
+     enabled with '--debug' builds.
+     [Andy Polyakov, Emilia Käsper]
+
+  *) Made DH and DH_METHOD opaque. The structures for managing DH objects
+     have been moved out of the public header files. New functions for managing
+     these have been added.
+     [Matt Caswell]
+
+  *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
+     objects have been moved out of the public header files. New
+     functions for managing these have been added.
+     [Richard Levitte]
+
+  *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
+     have been moved out of the public header files. New functions for managing
+     these have been added.
+     [Matt Caswell]
+
+  *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
+     moved out of the public header files. New functions for managing these
+     have been added.
+     [Matt Caswell]
+
+  *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
+     [Matt Caswell]
+
+  *) Removed the mk1mf build scripts.
+     [Richard Levitte]
+
+  *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
+     it is always safe to #include a header now.
+     [Rich Salz]
+
+  *) Removed the aged BC-32 config and all its supporting scripts
+     [Richard Levitte]
+
+  *) Removed support for Ultrix, Netware, and OS/2.
+     [Rich Salz]
+
+  *) Add support for HKDF.
+     [Alessandro Ghedini]
+
+  *) Add support for blake2b and blake2s
+     [Bill Cox]
+
+  *) Added support for "pipelining". Ciphers that have the
+     EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
+     encryptions/decryptions simultaneously. There are currently no built-in
+     ciphers with this property but the expectation is that engines will be able
+     to offer it to significantly improve throughput. Support has been extended
+     into libssl so that multiple records for a single connection can be
+     processed in one go (for >=TLS 1.1).
+     [Matt Caswell]
+
+  *) Added the AFALG engine. This is an async capable engine which is able to
+     offload work to the Linux kernel. In this initial version it only supports
+     AES128-CBC. The kernel must be version 4.1.0 or greater.
+     [Catriona Lucey]
+
+  *) OpenSSL now uses a new threading API. It is no longer necessary to
+     set locking callbacks to use OpenSSL in a multi-threaded environment. There
+     are two supported threading models: pthreads and windows threads. It is
+     also possible to configure OpenSSL at compile time for "no-threads". The
+     old threading API should no longer be used. The functions have been
+     replaced with "no-op" compatibility macros.
+     [Alessandro Ghedini, Matt Caswell]
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+     [Todd Short]
+
+  *) Add SSL_CIPHER queries for authentication and key-exchange.
+     [Todd Short]
+
+  *) Changes to the DEFAULT cipherlist:
+       - Prefer (EC)DHE handshakes over plain RSA.
+       - Prefer AEAD ciphers over legacy ciphers.
+       - Prefer ECDSA over RSA when both certificates are available.
+       - Prefer TLSv1.2 ciphers/PRF.
+       - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
+         default cipherlist.
+     [Emilia Käsper]
+
+  *) Change the ECC default curve list to be this, in order: x25519,
+     secp256r1, secp521r1, secp384r1.
+     [Rich Salz]
+
+  *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+     disabled by default. They can be re-enabled using the
+     enable-weak-ssl-ciphers option to Configure.
+     [Matt Caswell]
+
+  *) If the server has ALPN configured, but supports no protocols that the
+     client advertises, send a fatal "no_application_protocol" alert.
+     This behaviour is SHALL in RFC 7301, though it isn't universally
+     implemented by other servers.
+     [Emilia Käsper]
+
+  *) Add X25519 support.
+     Integrate support for X25519 into EC library. This includes support
+     for public and private key encoding using the format documented in
+     draft-josefsson-pkix-newcurves-01: specifically X25519 uses the
+     OID from that draft, encodes public keys using little endian
+     format in the ECPoint structure and private keys using
+     little endian form in the privateKey field of the ECPrivateKey
+     structure. TLS support complies with draft-ietf-tls-rfc4492bis-06
+     and uses X25519(29).
+
+     Note: the current version supports key generation, public and
+     private key encoding and ECDH key agreement using the EC API.
+     Low level point operations such as EC_POINT_add(), EC_POINT_mul()
+     are NOT supported.
+     [Steve Henson]
+
+  *) Deprecate SRP_VBASE_get_by_user.
+     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+     In order to fix an unavoidable memory leak (CVE-2016-0798),
+     SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
+     seed, even if the seed is configured.
+
+     Users should use SRP_VBASE_get1_by_user instead. Note that in
+     SRP_VBASE_get1_by_user, caller must free the returned value. Note
+     also that even though configuring the SRP seed attempts to hide
+     invalid usernames by continuing the handshake with fake
+     credentials, this behaviour is not constant time and no strong
+     guarantees are made that the handshake is indistinguishable from
+     that of a valid user.
+     [Emilia Käsper]
+
+  *) Configuration change; it's now possible to build dynamic engines
+     without having to build shared libraries and vice versa.  This
+     only applies to the engines in engines/, those in crypto/engine/
+     will always be built into libcrypto (i.e. "static").
+
+     Building dynamic engines is enabled by default; to disable, use
+     the configuration option "disable-dynamic-engine".
+
+     The only requirements for building dynamic engines are the
+     presence of the DSO module and building with position independent
+     code, so they will also automatically be disabled if configuring
+     with "disable-dso" or "disable-pic".
+
+     The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
+     are also taken away from openssl/opensslconf.h, as they are
+     irrelevant.
+     [Richard Levitte]
+
+  *) Configuration change; if there is a known flag to compile
+     position independent code, it will always be applied on the
+     libcrypto and libssl object files, and never on the application
+     object files.  This means other libraries that use routines from
+     libcrypto / libssl can be made into shared libraries regardless
+     of how OpenSSL was configured.
+
+     If this isn't desirable, the configuration options "disable-pic"
+     or "no-pic" can be used to disable the use of PIC.  This will
+     also disable building shared libraries and dynamic engines.
+     [Richard Levitte]
+
+  *) Removed JPAKE code.  It was experimental and has no wide use.
+     [Rich Salz]
 
   *) The INSTALL_PREFIX Makefile variable has been renamed to
      DESTDIR.  That makes for less confusion on what this variable
@@ -23,7 +212,7 @@
      The "unified" build system is aimed to be a common system for all
      platforms we support.  With it comes new support for VMS.
 
-     This system builds supports building in a differnt directory tree
+     This system builds supports building in a different directory tree
      than the source tree.  It produces one Makefile (for unix family
      or lookalikes), or one descrip.mms (for VMS).
 
@@ -275,7 +464,7 @@
      [Rich Salz]
 
   *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
-     and sureware.
+     sureware and ubsec.
      [Matt Caswell, Rich Salz]
 
   *) New ASN.1 embed macro.
@@ -794,6 +983,143 @@
      whose return value is often ignored. 
      [Steve Henson]
 
+  *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
+     These allow SCTs (signed certificate timestamps) to be requested and
+     validated when establishing a connection.
+     [Rob Percival <robpercival@google.com>]
+
+ Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
+
+  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+    Builds that are not configured with "enable-weak-ssl-ciphers" will not
+    provide any "EXPORT" or "LOW" strength ciphers.
+    [Viktor Dukhovni]
+
+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+    is by default disabled at build-time.  Builds that are not configured with
+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+    will need to explicitly call either of:
+
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+    or
+        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+    as appropriate.  Even if either of those is used, or the application
+    explicitly uses the version-specific SSLv2_method() or its client and
+    server variants, SSLv2 ciphers vulnerable to exhaustive search key
+    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
+    ciphers, and SSLv2 56-bit DES are no longer available.
+    (CVE-2016-0800)
+    [Viktor Dukhovni]
+
+  *) Fix a double-free in DSA code
+
+     A double free bug was discovered when OpenSSL parses malformed DSA private
+     keys and could lead to a DoS attack or memory corruption for applications
+     that receive DSA private keys from untrusted sources.  This scenario is
+     considered rare.
+
+     This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
+     libFuzzer.
+     (CVE-2016-0705)
+     [Stephen Henson]
+
+  *) Disable SRP fake user seed to address a server memory leak.
+
+     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+
+     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+     In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+     was changed to ignore the "fake user" SRP seed, even if the seed
+     is configured.
+
+     Users should use SRP_VBASE_get1_by_user instead. Note that in
+     SRP_VBASE_get1_by_user, caller must free the returned value. Note
+     also that even though configuring the SRP seed attempts to hide
+     invalid usernames by continuing the handshake with fake
+     credentials, this behaviour is not constant time and no strong
+     guarantees are made that the handshake is indistinguishable from
+     that of a valid user.
+     (CVE-2016-0798)
+     [Emilia Käsper]
+
+  *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+
+     In the BN_hex2bn function the number of hex digits is calculated using an
+     int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
+     large values of |i| this can result in |bn_expand| not allocating any
+     memory because |i * 4| is negative. This can leave the internal BIGNUM data
+     field as NULL leading to a subsequent NULL ptr deref. For very large values
+     of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+     In this case memory is allocated to the internal BIGNUM data field, but it
+     is insufficiently sized leading to heap corruption. A similar issue exists
+     in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
+     is ever called by user applications with very large untrusted hex/dec data.
+     This is anticipated to be a rare occurrence.
+
+     All OpenSSL internal usage of these functions use data that is not expected
+     to be untrusted, e.g. config file data or application command line
+     arguments. If user developed applications generate config file data based
+     on untrusted data then it is possible that this could also lead to security
+     consequences. This is also anticipated to be rare.
+
+     This issue was reported to OpenSSL by Guido Vranken.
+     (CVE-2016-0797)
+     [Matt Caswell]
+
+  *) Fix memory issues in BIO_*printf functions
+
+     The internal |fmtstr| function used in processing a "%s" format string in
+     the BIO_*printf functions could overflow while calculating the length of a
+     string and cause an OOB read when printing very long strings.
+
+     Additionally the internal |doapr_outch| function can attempt to write to an
+     OOB memory location (at an offset from the NULL pointer) in the event of a
+     memory allocation failure. In 1.0.2 and below this could be caused where
+     the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+     could be in processing a very long "%s" format string. Memory leaks can
+     also occur.
+
+     The first issue may mask the second issue dependent on compiler behaviour.
+     These problems could enable attacks where large amounts of untrusted data
+     is passed to the BIO_*printf functions. If applications use these functions
+     in this way then they could be vulnerable. OpenSSL itself uses these
+     functions when printing out human-readable dumps of ASN.1 data. Therefore
+     applications that print this data could be vulnerable if the data is from
+     untrusted sources. OpenSSL command line applications could also be
+     vulnerable where they print out ASN.1 data, or if untrusted data is passed
+     as command line arguments.
+
+     Libssl is not considered directly vulnerable. Additionally certificates etc
+     received via remote connections via libssl are also unlikely to be able to
+     trigger these issues because of message size limits enforced within libssl.
+
+     This issue was reported to OpenSSL Guido Vranken.
+     (CVE-2016-0799)
+     [Matt Caswell]
+
+  *) Side channel attack on modular exponentiation
+
+     A side-channel attack was found which makes use of cache-bank conflicts on
+     the Intel Sandy-Bridge microarchitecture which could lead to the recovery
+     of RSA keys.  The ability to exploit this issue is limited as it relies on
+     an attacker who has control of code in a thread running on the same
+     hyper-threaded core as the victim thread which is performing decryptions.
+
+     This issue was reported to OpenSSL by Yuval Yarom, The University of
+     Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
+     Nadia Heninger, University of Pennsylvania with more information at
+     http://cachebleed.info.
+     (CVE-2016-0702)
+     [Andy Polyakov]
+
+  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
+     if no keysize is specified with default_bits. This fixes an
+     omission in an earlier change that changed all RSA/DSA key generation
+     apps to use 2048 bits by default.
+     [Emilia Käsper]
+
  Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
   *) DH small subgroups
 

Configurations/00-base-templates.conf

@@ -1,19 +1,16 @@
 # -*- Mode: perl -*-
 %targets=(
-    BASE => {
+    DEFAULTS => {
 	template	=> 1,
 
 	cflags		=> "",
 	defines		=> [],
-	debug_cflags	=> "",
-	debug_defines	=> [],
-	release_cflags	=> "",
-	release_defines => [],
-	thread_cflags	=> "",
+	thread_scheme	=> "(unknown)", # Assume we don't know
 	thread_defines	=> [],
 
-	apps_extra_src	=> "",
+	apps_aux_src	=> "",
 	cpuid_asm_src	=> "mem_clr.c",
+	uplink_aux_src	=> "",
 	bn_asm_src	=> "bn_asm.c",
 	ec_asm_src	=> "",
 	des_asm_src	=> "des_enc.c fcrypt_b.c",
@@ -34,11 +31,99 @@
 	unistd		=> "<unistd.h>",
 	shared_target	=> "",
 	shared_cflag	=> "",
+	shared_defines	=> [],
 	shared_ldflag	=> "",
 	shared_rcflag	=> "",
 	shared_extension	=> "",
-	build_scheme	=> "unixmake",
-	build_file      => "Makefile",
+
+        build_scheme    => [ "unified", "unix" ],
+        build_file      => "Makefile",
+    },
+
+    BASE_common => {
+	template	=> 1,
+	defines		=>
+	    sub {
+                my @defs = ();
+                push @defs, "ZLIB" unless $disabled{zlib};
+                push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
+                return [ @defs ];
+            },
+    },
+
+    BASE_unix => {
+        inherit_from    => [ "BASE_common" ],
+        template        => 1,
+
+        ex_libs         =>
+            sub {
+                unless ($disabled{zlib}) {
+                    if (defined($disabled{"zlib-dynamic"})) {
+                        if (defined($withargs{zlib_lib})) {
+                            return "-L".$withargs{zlib_lib}." -lz";
+                        } else {
+                            return "-lz";
+                        }
+                    }
+                }
+                return (); },
+
+        build_scheme    => [ "unified", "unix" ],
+        build_file      => "Makefile",
+    },
+
+    BASE_Windows => {
+        inherit_from    => [ "BASE_common" ],
+        template        => 1,
+
+        ex_libs         =>
+            sub {
+                unless ($disabled{zlib}) {
+                    if (defined($disabled{"zlib-dynamic"})) {
+                        return $withargs{zlib_lib};
+                    }
+                }
+                return (); },
+
+        ld              => "link",
+        lflags          => "/nologo",
+        loutflag        => "/out:",
+        ar              => "lib",
+        arflags         => "/nologo",
+        aroutflag       => "/out:",
+
+        build_file      => "makefile",
+        build_scheme    => [ "unified", "windows" ],
+    },
+
+    BASE_VMS => {
+        inherit_from    => [ "BASE_common" ],
+        template        => 1,
+
+        build_file       => "descrip.mms",
+        build_scheme     => [ "unified", "VMS" ],
+    },
+
+    uplink_common => {
+	template	=> 1,
+	apps_aux_src	=> add("../ms/applink.c"),
+	uplink_aux_src	=> add("../ms/uplink.c"),
+	defines		=> add("OPENSSL_USE_APPLINK"),
+    },
+    x86_uplink => {
+	inherit_from	=> [ "uplink_common" ],
+	template	=> 1,
+	uplink_aux_src	=> add("uplink-x86.s"),
+    },
+    x86_64_uplink => {
+	inherit_from	=> [ "uplink_common" ],
+	template	=> 1,
+	uplink_aux_src	=> add("uplink-x86_64.s"),
+    },
+    ia64_uplink => {
+	inherit_from	=> [ "uplink_common" ],
+	template	=> 1,
+	uplink_aux_src	=> add("uplink-ia64.s"),
     },
 
     x86_asm => {
@@ -97,14 +182,14 @@
     sparcv9_asm => {
 	template	=> 1,
 	cpuid_asm_src   => "sparcv9cap.c sparccpuid.S",
-	bn_asm_src      => "asm/sparcv8plus.S sparcv9-mont.s sparcv9a-mont.s vis3-mont.s sparct4-mont.S sparcv9-gf2m.S",
+	bn_asm_src      => "asm/sparcv8plus.S sparcv9-mont.S sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S",
 	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-sparcv9.S",
-	des_asm_src     => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.s",
-	aes_asm_src     => "aes_core.c aes_cbc.c aes-sparcv9.s aest4-sparcv9.s",
+	des_asm_src     => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-sparcv9.S aest4-sparcv9.S",
 	md5_asm_src     => "md5-sparcv9.S",
 	sha1_asm_src    => "sha1-sparcv9.S sha256-sparcv9.S sha512-sparcv9.S",
-	cmll_asm_src    => "camellia.c cmll_misc.c cmll_cbc.c cmllt4-sparcv9.s",
-	modes_asm_src   => "ghash-sparcv9.s",
+	cmll_asm_src    => "camellia.c cmll_misc.c cmll_cbc.c cmllt4-sparcv9.S",
+	modes_asm_src   => "ghash-sparcv9.S",
 	poly1305_asm_src=> "poly1305-sparcv9.S",
 	perlasm_scheme	=> "void"
     },
@@ -136,7 +221,7 @@
     },
     s390x_asm => {
 	template	=> 1,
-	cpuid_asm_src   => "s390xcap.c s390xcpuid.s",
+	cpuid_asm_src   => "s390xcap.c s390xcpuid.S",
 	bn_asm_src      => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
 	aes_asm_src     => "aes-s390x.S aes-ctr.fake aes-xts.fake",
 	sha1_asm_src    => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",

Configurations/90-team.conf

@@ -1,30 +1,27 @@
 ## -*- mode: perl; -*-
 ## Build configuration targets for openssl-team members
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "purify" => {
         cc               => "purify gcc",
         cflags           => "-g -Wall",
-        thread_cflag     => "(unknown)",
-        ex_libs          => "-lsocket -lnsl",
+        thread_scheme    => "(unknown)",
+        ex_libs          => add(" ","-lsocket -lnsl"),
     },
     "debug" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
-        thread_cflag     => "(unknown)",
-        ex_libs          => "-lefence",
+        thread_scheme    => "(unknown)",
+        ex_libs          => add(" ","-lefence"),
     },
     "debug-erbridge" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
@@ -36,28 +33,31 @@
     "debug-linux-pentium" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
     },
     "debug-linux-ppro" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
     },
     "debug-linux-elf-noefence" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",
@@ -65,9 +65,9 @@
     },
     "debug-linux-ia32-aes" => {
         cc               => "gcc",
-        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
         cpuid_asm_src    => "x86cpuid.s",
         bn_asm_src       => "bn-586.s co-586.s x86-mont.s",
@@ -83,6 +83,7 @@
         wp_asm_src       => "wp_block.s wp-mmx.s",
         modes_asm_src    => "ghash-x86.s",
         padlock_asm_src  => "e_padlock-x86.s",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
@@ -92,14 +93,15 @@
     "dist" => {
         cc               => "cc",
         cflags           => "-O",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-test-64-clang" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "clang",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -109,10 +111,11 @@
     "darwin64-debug-test-64-clang" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "clang",
-        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         sys_id           => "MACOSX",
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "macosx",
         dso_scheme       => "dlfcn",
         shared_target    => "darwin-shared",

Configurations/99-personal-ben.conf

@@ -1,37 +1,34 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-ben" => {
         cc               => "gcc",
         cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-openbsd" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-openbsd-debug" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-debug" => {
         cc               => "gcc",
         cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DOPENSSL_NO_HW_PADLOCK -g3 -O2 -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-debug-64" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -41,9 +38,10 @@
     "debug-ben-debug-64-clang" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "clang",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -53,9 +51,10 @@
     "debug-ben-debug-64-noopt" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
-        thread_cflag     => "${BSDthreads}",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
+                                    threads("${BSDthreads}")),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "bsd-gcc-shared",
@@ -65,26 +64,27 @@
     "debug-ben-macos" => {
         cc               => "cc",
         cflags           => "$gcc_devteam_warn -DOPENSSL_NO_ASM -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -DL_ENDIAN -g3 -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-no-opt" => {
         cc               => "gcc",
         cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -Werror -DL_ENDIAN -Wall -g3",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-strict" => {
         cc               => "gcc",
         cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
     },
     "debug-ben-darwin64" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "cc",
-        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
-        thread_cflag     => "-D_REENTRANT",
+        cflags           => combine("$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
+                                    threads("-D_REENTRANT")),
         sys_id           => "MACOSX",
         plib_lflags      => "-Wl,-search_paths_first",
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "macosx",
         dso_scheme       => "dlfcn",
         shared_target    => "darwin-shared",

Configurations/99-personal-bodo.conf

@@ -1,18 +1,15 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-bodo" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",

Configurations/99-personal-geoff.conf

@@ -1,17 +1,14 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-geoff32" => {
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",
@@ -19,10 +16,11 @@
     },
     "debug-geoff64" => {
         cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",

Configurations/99-personal-levitte.conf

@@ -1,22 +1,20 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "levitte-linux-elf" => {
         inherit_from     => [ "linux-elf" ],
-        debug_cflags     => add("-ggdb -g3"),
-        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        cflags           => add(picker(debug => "-ggdb -g3")),
+        defines          => add(picker(debug => "LEVITTE_DEBUG"),
+                                { separator => undef }),
         build_scheme     => [ "unified", "unix" ],
         build_file       => "Makefile",
     },
     "levitte-linux-x86_64" => {
         inherit_from     => [ "linux-x86_64" ],
-        debug_cflags     => add("-ggdb -g3"),
-        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        cflags           => add(picker(debug => "-ggdb -g3")),
+        defines          => add(picker(debug => "LEVITTE_DEBUG"),
+                                { separator => undef }),
         build_scheme     => [ "unified", "unix" ],
         build_file       => "Makefile",
     },

Configurations/99-personal-rse.conf

@@ -1,16 +1,12 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-rse" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "cc",
         cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
-        thread_cflag     => "(unknown)",
+        thread_scheme    => "(unknown)",
         bn_ops           => "BN_LLONG",
     },
 );

Configurations/99-personal-steve.conf

@@ -1,18 +1,15 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
-##
-## If you edit this file, run this command before committing
-##	make -f Makefile.in TABLE
-## This file is interpolated by the Configure script.
 
 %targets = (
     "debug-steve64" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
@@ -23,11 +20,12 @@
     "debug-steve32" => {
         inherit_from     => [ "x86_elf_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
-        thread_cflag     => "-D_REENTRANT",
+        cflags           => combine("$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
+                                    threads("-D_REENTRANT")),
         lflags           => "-rdynamic",
-        ex_libs          => "-ldl",
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "BN_LLONG",
+        thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",
         shared_cflag     => "-fPIC",
@@ -37,10 +35,11 @@
     "debug-steve-opt" => {
         inherit_from     => [ "x86_64_asm" ],
         cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
-        thread_cflag     => "-D_REENTRANT",
-        ex_libs          => "-ldl",
+        cflags           => combine("$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
+                                    threads("-D_REENTRANT")),
+        ex_libs          => add(" ","-ldl"),
         bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        thread_scheme    => "pthreads",
         perlasm_scheme   => "elf",
         dso_scheme       => "dlfcn",
         shared_target    => "linux-shared",

Configurations/INTERNALS.Configure

@@ -0,0 +1,136 @@
+Configure Internals
+===================
+
+[ note: this file uses markdown for formatting ]
+
+Intro
+-----
+
+This is a collection of notes that are hopefully of interest to those
+who decide to dive into Configure and what it does.  This is a living
+document and anyone is encouraged to add to it and submit changes.
+There's no claim for this document to be complete at any time, but it
+will hopefully reach such a point in time.
+
+
+----------------------------------------------------------------------
+
+Parsing build.info files, processing conditions
+-----------------------------------------------
+
+Processing conditions in build.info files is done with the help of a
+condition stack that tell if a build.info should be processed or if it
+should just be skipped over.  The possible states of the stack top are
+expressed in the following comment from Configure:
+
+    # The top item of this stack has the following values
+    # -2 positive already run and we found ELSE (following ELSIF should fail)
+    # -1 positive already run (skip until ENDIF)
+    # 0 negatives so far (if we're at a condition, check it)
+    # 1 last was positive (don't skip lines until next ELSE, ELSIF or ENDIF)
+    # 2 positive ELSE (following ELSIF should fail)
+
+Ground rule is that non-condition lines are skipped over if the
+stack top is > 0.  Condition lines (IF, ELSIF, ELSE and ENDIF
+statements) need to be processed either way to keep track of the skip
+stack states, so they are a little more intricate.
+
+Instead of trying to describe in words, here are some example of what
+the skip stack should look like after each line is processed:
+
+Example 1:
+
+| IF[1]                     |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[1]                   |  1  1     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ELSIF[1]                |  1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ELSIF[1]                  | -1        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[1]                   | -1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                | -1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    | -1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   | -1        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ENDIF                     |           |                               |
+
+Example 2:
+
+| IF[0]                     |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[1]                   |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  0 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ELSIF[1]                  |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[1]                   |  1  1     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ELSIF[1]                |  1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ENDIF                     |           |                               |
+
+Example 3:
+
+| IF[0]                     |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[0]                   |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  0 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ELSIF[1]                  |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[0]                   |  1  0     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                |  1  1     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ELSE                    |  1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ENDIF                     |           |                               |
+
+Example 4:
+
+| IF[0]                     |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[0]                   |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[0]                |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  0 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ELSIF[1]                  |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[0]                   |  1  0     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[0]                |  1  0     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  1  2     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ENDIF                     |           |                               |
+

Configurations/README

@@ -28,30 +28,6 @@ In each table entry, the following keys are significant:
                            given here, they MUST be as an array of the
                            string such as "MACRO=value", or just
                            "MACRO" for definitions without value.
-        debug_cflags    => Extra compilation flags used when making a
-                           debug build (when Configure receives the
-                           --debug option).  Typically something like
-                           "-g -O0".
-        debug_defines   => Similarly to `debug_cflags', this gets
-                           combined with `defines' during a debug
-                           build.  The value here MUST also be an
-                           array of the same form as for `defines'.
-        release_cflags  => Extra compilation flags used when making a
-                           release build (when Configure receives the
-                           --release option, or doesn't receive the
-                           --debug option).  Typically something like
-                           "-O" or "-O3".
-        release_defines => Similarly to `release_cflags', this gets
-                           combined with `defines' during a release
-                           build.  The value here MUST also be an
-                           array of the same form as for `defines'.
-        thread_cflags   => Extra compilation flags used when
-                           compiling with threading enabled.
-                           Explained further below.  [2]
-        thread_defines  => Similarly to `thread_cflags', this gets
-                           combined with `defines' when threading is
-                           enabled.  The value here MUST also be an
-                           array of the same form as for `defines'.
         shared_cflag    => Extra compilation flags used when
                            compiling for shared libraries, typically
                            something like "-fPIC".
@@ -70,9 +46,6 @@ In each table entry, the following keys are significant:
         ex_libs         => Extra libraries that are needed when
                            linking.
 
-        debug_lflags    => Like debug_cflags, but used when linking.
-        release_lflags  => Like release_cflags, but used when linking.
-
         ar              => The library archive command, the default is
                            "ar".
                            (NOTE: this is here for future use, it's
@@ -97,6 +70,14 @@ In each table entry, the following keys are significant:
                            this is here for future use, it's not
                            implemented yet)
 
+        thread_scheme   => The type of threads is used on the
+                           configured platform.  Currently known
+                           values are "(unknown)", "pthreads",
+                           "uithreads" (a.k.a solaris threads) and
+                           "winthreads".  Except for "(unknown)", the
+                           actual value is currently ignored but may
+                           be used in the future.  See further notes
+                           below [2].
         dso_scheme      => The type of dynamic shared objects to build
                            for.  This mostly comes into play with
                            engines, but can be used for other purposes
@@ -119,7 +100,7 @@ In each table entry, the following keys are significant:
                            string in the list is the name of the build
                            scheme.
                            Currently recognised build schemes are
-                           "mk1mf" and "unixmake" and "unified".
+                           "unixmake" and "unified".
                            For the "unified" build scheme, this item
                            *must* be an array with the first being the
                            word "unified" and the second being a word
@@ -216,7 +197,7 @@ In each table entry, the following keys are significant:
     'inherit_from' that indicate what other configurations to inherit
     data from.  These are resolved recursively.
 
-    Inheritance works as a set of default values that can be overriden
+    Inheritance works as a set of default values that can be overridden
     by corresponding key values in the inheriting configuration.
 
     Note 1: any configuration table can be used as a template.
@@ -265,7 +246,7 @@ In each table entry, the following keys are significant:
         }
 
 [2] OpenSSL is built with threading capabilities unless the user
-    specifies 'no-threads'.  The value of the key 'thread_cflags' may
+    specifies 'no-threads'.  The value of the key 'thread_scheme' may
     be "(unknown)", in which case the user MUST give some compilation
     flags to Configure.
 
@@ -377,13 +358,32 @@ sense at all to just have a rename like that (why not just use
 "libbar" everywhere?), it does make sense when it can be used
 conditionally.  See a little further below for an example.
 
+In some cases, it's desirable to include some source files in the
+shared form of a library only:
+
+    SHARED_SOURCE[libfoo]=dllmain.c
+
 For any file to be built, it's also possible to tell what extra
 include paths the build of their source files should use:
 
     INCLUDE[foo]=include
 
-It's possible to have raw build file lines, between BEGINRAW and
-ENDRAW lines as follows:
+In some cases, one might want to generate some source files from
+others, that's done as follows:
+
+    GENERATE[foo.s]=asm/something.pl $(CFLAGS)
+    GENERATE[bar.s]=asm/bar.S
+
+The value of each GENERATE line is a command line or part of it.
+Configure places no rules on the command line, except the the first
+item muct be the generator file.  It is, however, entirely up to the
+build file template to define exactly how those command lines should
+be handled, how the output is captured and so on.
+
+NOTE: GENERATE lines are limited to one command only per GENERATE.
+
+As a last resort, it's possible to have raw build file lines, between
+BEGINRAW and ENDRAW lines as follows:
 
     BEGINRAW[Makefile(unix)]
     haha.h: {- $builddir -}/Makefile
@@ -409,6 +409,18 @@ configuration items:
    build hoho.h: echo "/* hoho */" > hoho.h
    ENDRAW[build.ninja(unix)]
 
+Should it be needed because the recipes within a RAW section might
+clash with those generated by Configure, it's possible to tell it
+not to generate them with the use of OVERRIDES, for example:
+
+    SOURCE[libfoo]=foo.c bar.c
+    
+    OVERRIDES=bar.o
+    BEGINRAW[Makefile(unix)]
+    bar.o: bar.c
+    	$(CC) $(CFLAGS) -DSPECIAL -c -o $@ $<
+    ENDRAW[Makefile(unix)]
+
 See the documentation further up for more information on configuration
 items.
 
@@ -430,7 +442,7 @@ example, the above would have "something" used, since 1 is true.
 Together with the use of Text::Template, this can be used as
 conditions based on something in the passed variables, for example:
 
-    IF[{- $config{no_shared} -}]
+    IF[{- $disabled{shared} -}]
       LIBS=libcrypto
       SOURCE[libcrypto]=...
     ELSE
@@ -480,25 +492,25 @@ The build-file template is expected to define at least the following
 perl functions in a perl code fragment enclosed with "{-" and "-}".
 They are all expected to return a string with the lines they produce.
 
-    src2dep     - function that produces build file lines to get the
-                  dependencies for an object file into a dependency
-                  file.
+    generatesrc - function that produces build file lines to generate
+                  a source file from some input.
 
                   It's called like this:
 
-                        src2dep(obj => "PATH/TO/objectfile",
-                                srcs => [ "PATH/TO/sourcefile", ... ],
-                                deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]);
+                        generatesrc(src => "PATH/TO/tobegenerated",
+                                    generator => [ "generatingfile", ... ]
+                                    deps => [ "dep1", ... ],
+                                    intent => one of "libs", "dso", "bin" );
 
-                  'obj' has the dependent object file as well as
-                  object file the dependencies are for; it's *without*
-                  extension, src2dep() is expected to add that.
-                  'srcs' has the list of source files to build the
-                  object file, with the first item being the source
-                  file that directly corresponds to the object file.
-                  'deps' is a list of explicit dependencies.  'incs'
-                  is a list of include file directories.
+                  'src' has the name of the file to be generated.
+                  'generator' is the command or part of command to
+                  generate the file, of which the first item is
+                  expected to be the file to generate from.
+                  generatesrc() is expected to analyse and figure out
+                  exactly how to apply that file and how to capture
+                  the result.  'deps' is a list of explicit
+                  dependencies.  'intent' indicates what the generated
+                  file is going to be used for.
 
     src2obj     - function that produces build file lines to build an
                   object file from source files and associated data.
@@ -508,7 +520,8 @@ They are all expected to return a string with the lines they produce.
                         src2obj(obj => "PATH/TO/objectfile",
                                 srcs => [ "PATH/TO/sourcefile", ... ],
                                 deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]);
+                                incs => [ "INCL/PATH", ... ]
+                                intent => one of "lib", "dso", "bin" );
 
                   'obj' has the intended object file *without*
                   extension, src2obj() is expected to add that.
@@ -516,7 +529,9 @@ They are all expected to return a string with the lines they produce.
                   object file, with the first item being the source
                   file that directly corresponds to the object file.
                   'deps' is a list of explicit dependencies.  'incs'
-                  is a list of include file directories.
+                  is a list of include file directories.  Finally,
+                  'intent' indicates what this object file is going
+                  to be used for.
 
     obj2lib     - function that produces build file lines to build a
                   static library file ("libfoo.a" in Unix terms) from
@@ -547,7 +562,7 @@ They are all expected to return a string with the lines they produce.
 
                   'lib' has the intended library file name *without*
                   extension, libobj2shlib is expected to add that.
-                  'shlib' has the correcponding shared library name
+                  'shlib' has the corresponding shared library name
                   *without* extension.  'deps' has the list of other
                   libraries (also *without* extension) this library
                   needs to be linked with.  'objs' has the list of
@@ -562,16 +577,15 @@ They are all expected to return a string with the lines they produce.
                   corresponding static library as input to make the
                   shared library, or the list of object files.
 
-    obj2dynlib  - function that produces build file lines to build a
-                  dynamically loadable library file ("libfoo.so" on
-                  Unix) from object files.
+    obj2dso     - function that produces build file lines to build a
+                  dynamic shared object file from object files.
 
                   called like this:
 
-                        obj2dynlib(lib => "PATH/TO/libfile",
-                                   objs => [ "PATH/TO/objectfile", ... ],
-                                   deps => [ "PATH/TO/otherlibfile",
-                                   ... ]);
+                        obj2dso(lib => "PATH/TO/libfile",
+                                objs => [ "PATH/TO/objectfile", ... ],
+                                deps => [ "PATH/TO/otherlibfile",
+                                ... ]);
 
                   This is almost the same as libobj2shlib, but the
                   intent is to build a shareable library that can be
@@ -614,7 +628,7 @@ the build file actions run with the build tree top as current working
 directory.
 
 Make sure to end the section with these functions with a string that
-you thing is apropriate for the resulting build file.  If nothing
+you thing is appropriate for the resulting build file.  If nothing
 else, end it like this:
 
       "";       # Make sure no lingering values end up in the Makefile

Configurations/README.design

@@ -28,11 +28,11 @@ information needed to build output files, and therefore only (with a
 few possible exceptions [1]) have information about end products (such
 as scripts, library files and programs) and source files (such as C
 files, C header files, assembler files, etc).  Intermediate files such
-as object files are rarely directly refered to in build.info files (and
+as object files are rarely directly referred to in build.info files (and
 when they are, it's always with the file name extension .o), they are
-infered by Configure.  By the same rule of minimalism, end product
+inferred by Configure.  By the same rule of minimalism, end product
 file name extensions (such as .so, .a, .exe, etc) are never mentioned
-in build.info.  Their file name extensions will be infered by the
+in build.info.  Their file name extensions will be inferred by the
 build-file templates, adapted for the platform they are meant for (see
 sections on %unified_info and build-file templates further down).
 
@@ -89,11 +89,8 @@ depends on the library 'libssl' to function properly.
     SOURCE[../libcrypto]=aes.c evp.c cversion.c
     DEPEND[cversion.o]=buildinf.h
     
-    BEGINRAW[Makefile(unix)]
-    crypto/buildinf.h : Makefile
-    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
-    	    > crypto/buildinf.h
-    ENDRAW[Makefile(unix)]
+    GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
+    DEPEND[buildinf.h]=../Makefile
 
 This is the build.info file in 'crypto', and it tells us a little more
 about what's needed to produce 'libcrypto'.  LIBS is used again to
@@ -112,7 +109,7 @@ Unix-like operating systems.
 
 Two things are worth an extra note:
 
-'DEPEND[cversion.o]' mentiones an object file.  DEPEND indexes is the
+'DEPEND[cversion.o]' mentions an object file.  DEPEND indexes is the
 only location where it's valid to mention them
 
 Lines in 'BEGINRAW'..'ENDRAW' sections must always mention files as
@@ -161,11 +158,8 @@ information comes down to this:
     DEPEND[engines/libossltest]=libcrypto
     INCLUDE[engines/libossltest]=include
     
-    BEGINRAW[Makefile(unix)]
-    crypto/buildinf.h : Makefile
-    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
-    	    > crypto/buildinf.h
-    ENDRAW[Makefile(unix)]
+    GENERATE[crypto/buildinf.h]=util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
+    DEPEND[crypto/buildinf.h]=Makefile
 
 
 A few notes worth mentioning:
@@ -180,7 +174,7 @@ The indexes for SOURCE, INCLUDE and ORDINALS must only be end product
 files, such as libraries, programs or engines.  The values of SOURCE
 variables must only be source files (possibly generated)
 
-DEPEND shows a relationship between different end product files, such
+DEPEND shows a relationship between different produced files, such
 as a program depending on a library, or between an object file and
 some extra source file.
 
@@ -239,6 +233,10 @@ indexes:
                SOURCE variables, and AS source files for programs and
                libraries.
 
+  shared_sources =>
+               a hash table just like 'sources', but only as source
+               files (object files) for building shared libraries.
+
 As an example, here is how the build.info files example from the
 section above would be digested into a %unified_info table:
 
@@ -296,12 +294,12 @@ section above would be digested into a %unified_info table:
                 "libcrypto" =>
                     [
                         "crypto",
-                        "util/libeay.num",
+                        "util/libcrypto.num",
                     ],
                 "libssl" =>
                     [
                         "ssl",
-                        "util/ssleay.num",
+                        "util/libssl.num",
                     ],
             },
         "programs" =>
@@ -361,7 +359,7 @@ section above would be digested into a %unified_info table:
             },
     );
 
-As can be seen, everything in %unified_info is fairly simple nuggest
+As can be seen, everything in %unified_info is fairly simple suggest
 of information.  Still, it tells us that to build all programs, we
 must build 'apps/openssl', and to build the latter, we will need to
 build all its sources ('apps/openssl.o' in this case) and all the
@@ -384,24 +382,6 @@ build static libraries from object files, to build shared libraries
 from static libraries, to programs from object files and libraries,
 etc.
 
-    src2dep     - function that produces build file lines to get the
-                  dependencies for an object file into a dependency
-                  file.
-
-                  It's called like this:
-
-                        src2dep(obj => "PATH/TO/objectfile",
-                                srcs => [ "PATH/TO/sourcefile", ... ],
-                                incs => [ "INCL/PATH", ... ]);
-
-                  'obj' has the dependent object file as well as
-                  object file the dependencies are for; it's *without*
-                  extension, src2dep() is expected to add that.
-                  'srcs' has the list of source files to build the
-                  object file, with the first item being the source
-                  file that directly corresponds to the object file.
-                  'incs' is a list of include file directories.
-
     src2obj     - function that produces build file lines to build an
                   object file from source files and associated data.
 
@@ -410,15 +390,18 @@ etc.
                         src2obj(obj => "PATH/TO/objectfile",
                                 srcs => [ "PATH/TO/sourcefile", ... ],
                                 deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]);
+                                incs => [ "INCL/PATH", ... ]
+                                intent => one of "lib", "dso", "bin" );
 
                   'obj' has the intended object file *without*
                   extension, src2obj() is expected to add that.
                   'srcs' has the list of source files to build the
                   object file, with the first item being the source
                   file that directly corresponds to the object file.
-                  'deps' is a list of dependencies.  'incs' is a list
-                  of include file directories.
+                  'deps' is a list of explicit dependencies.  'incs'
+                  is a list of include file directories.  Finally,
+                  'intent' indicates what this object file is going
+                  to be used for.
 
     obj2lib     - function that produces build file lines to build a
                   static library file ("libfoo.a" in Unix terms) from
@@ -449,7 +432,7 @@ etc.
 
                   'lib' has the intended library file name *without*
                   extension, libobj2shlib is expected to add that.
-                  'shlib' has the correcponding shared library name
+                  'shlib' has the corresponding shared library name
                   *without* extension.  'deps' has the list of other
                   libraries (also *without* extension) this library
                   needs to be linked with.  'objs' has the list of
@@ -457,7 +440,7 @@ etc.
                   this library.  'ordinals' MAY be present, and when
                   it is, its value is an array where the word is
                   "crypto" or "ssl" and the file is one of the ordinal
-                  files util/libeay.num or util/ssleay.num in the
+                  files util/libcrypto.num or util/libssl.num in the
                   source directory.
 
                   This function has a choice; it can use the
@@ -530,7 +513,7 @@ following calls:
                  lib => "libssl",
                  objs => [ "ssl/tls.o" ],
                  deps => [ "libcrypto" ]
-                 ordinals => [ "ssl", "util/ssleay.num" ]);
+                 ordinals => [ "ssl", "util/libssl.num" ]);
 
     obj2lib(lib => "libssl"
             objs => [ "ssl/tls.o" ]);

Configurations/common.tmpl

@@ -1,6 +1,7 @@
 {- # -*- Mode: perl -*-
 
-     my $a;
+     # A cache of objects for which a recipe has already been generated
+     my %cache;
 
  # resolvedepends and reducedepends work in tandem to make sure
  # there are no duplicate dependencies and that they are in the
@@ -31,24 +32,50 @@
      @newlist;
  }
 
+ # dogenerate is responsible for producing all the recipes that build
+ # generated source files.  It recurses in case a dependency is also a
+ # generated source file.
+ sub dogenerate {
+     my $src = shift;
+     return "" if $cache{$src};
+     my $obj = shift;
+     my $bin = shift;
+     my %opts = @_;
+     if ($unified_info{generate}->{$src}) {
+         $OUT .= generatesrc(src => $src,
+                             generator => $unified_info{generate}->{$src},
+                             deps => $unified_info{depends}->{$src},
+                             incs => [ @{$unified_info{includes}->{$bin}},
+                                       @{$unified_info{includes}->{$obj}} ],
+                             %opts);
+         foreach (@{$unified_info{depends}->{$src}}) {
+             dogenerate($_, $obj, $bin, %opts);
+         }
+     }
+     $cache{$src} = 1;
+ }
+
  # doobj is responsible for producing all the recipes that build
  # object files as well as dependency files.
  sub doobj {
      my $obj = shift;
+     return "" if $cache{$obj};
      (my $obj_no_o = $obj) =~ s|\.o$||;
      my $bin = shift;
+     my %opts = @_;
      if (@{$unified_info{sources}->{$obj}}) {
          $OUT .= src2obj(obj => $obj_no_o,
                          srcs => $unified_info{sources}->{$obj},
-                         deps => [ reducedepends(resolvedepends($obj)) ],
+                         deps => $unified_info{depends}->{$obj},
                          incs => [ @{$unified_info{includes}->{$bin}},
-                                   @{$unified_info{includes}->{$obj}} ]);
-         $OUT .= src2dep(obj => $obj_no_o,
-                         srcs => $unified_info{sources}->{$obj},
-                         deps => [ reducedepends(resolvedepends($obj)) ],
-                         incs => [ @{$unified_info{includes}->{$bin}},
-                                   @{$unified_info{includes}->{$obj}} ]);
+                                   @{$unified_info{includes}->{$obj}} ],
+                         %opts);
+         foreach ((@{$unified_info{sources}->{$obj}},
+                   @{$unified_info{depends}->{$obj}})) {
+             dogenerate($_, $obj, $bin, %opts);
+         }
      }
+     $cache{$obj} = 1;
  }
 
  # dolib is responsible for building libraries.  It will call
@@ -57,63 +84,86 @@
  # built.
  sub dolib {
      my $lib = shift;
-     if (!$config{no_shared}) {
+     return "" if $cache{$lib};
+     unless ($disabled{shared}) {
          my %ordinals =
              $unified_info{ordinals}->{$lib}
              ? (ordinals => $unified_info{ordinals}->{$lib}) : ();
          $OUT .= libobj2shlib(shlib => $unified_info{sharednames}->{$lib},
                               lib => $lib,
                               objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
-                                        @{$unified_info{sources}->{$lib}} ],
+                                        (@{$unified_info{sources}->{$lib}},
+                                         @{$unified_info{shared_sources}->{$lib}}) ],
                               deps => [ reducedepends(resolvedepends($lib)) ],
                               %ordinals);
+         foreach (@{$unified_info{shared_sources}->{$lib}}) {
+             doobj($_, $lib, intent => "lib");
+         }
      }
      $OUT .= obj2lib(lib => $lib,
                      objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
                                @{$unified_info{sources}->{$lib}} ]);
-     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+     foreach (@{$unified_info{sources}->{$lib}}) {
+         doobj($_, $lib, intent => "lib");
+     }
+     $cache{$lib} = 1;
  }
 
  # doengine is responsible for building engines.  It will call
- # obj2dynlib, and also makes sure all object files for the library
+ # obj2dso, and also makes sure all object files for the library
  # are built.
  sub doengine {
      my $lib = shift;
-     $OUT .= obj2dynlib(lib => $lib,
-                        objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
-                                  @{$unified_info{sources}->{$lib}} ],
-                        deps => [ resolvedepends($lib) ]);
-     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+     return "" if $cache{$lib};
+     $OUT .= obj2dso(lib => $lib,
+                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                               (@{$unified_info{sources}->{$lib}},
+                                @{$unified_info{shared_sources}->{$lib}}) ],
+                     deps => [ resolvedepends($lib) ]);
+     foreach ((@{$unified_info{sources}->{$lib}},
+               @{$unified_info{shared_sources}->{$lib}})) {
+         doobj($_, $lib, intent => "dso");
+     }
+     $cache{$lib} = 1;
  }
 
  # dobin is responsible for building programs.  It will call obj2bin,
  # and also makes sure all object files for the library are built.
  sub dobin {
      my $bin = shift;
+     return "" if $cache{$bin};
      my $deps = [ reducedepends(resolvedepends($bin)) ];
      $OUT .= obj2bin(bin => $bin,
                      objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
                                @{$unified_info{sources}->{$bin}} ],
                      deps => $deps);
-     map { doobj($_, $bin, intent => "bin") } @{$unified_info{sources}->{$bin}};
+     foreach (@{$unified_info{sources}->{$bin}}) {
+         doobj($_, $bin, intent => "bin");
+     }
+     $cache{$bin} = 1;
  }
 
  # dobin is responsible for building scripts from templates.  It will
  # call in2script.
  sub doscript {
      my $script = shift;
+     return "" if $cache{$script};
      $OUT .= in2script(script => $script,
                        sources => $unified_info{sources}->{$script});
+     $cache{$script} = 1;
  }
 
+ # Start with populating the cache with all the overrides
+ %cache = map { $_ => 1 } @{$unified_info{overrides}};
+
  # Build all known libraries, engines, programs and scripts.
  # Everything else will be handled as a consequence.
- map { dolib($_) } @{$unified_info{libraries}};
- map { doengine($_) } @{$unified_info{engines}};
- map { dobin($_) } @{$unified_info{programs}};
- map { doscript($_) } @{$unified_info{scripts}};
+ foreach (@{$unified_info{libraries}}) { dolib($_);    }
+ foreach (@{$unified_info{engines}})   { doengine($_); }
+ foreach (@{$unified_info{programs}})  { dobin($_);    }
+ foreach (@{$unified_info{scripts}})   { doscript($_); }
 
  # Finally, should there be any applicable BEGINRAW/ENDRAW sections,
  # they are added here.
- $OUT .= $_."\n" foreach(@{$unified_info{rawlines}});
+ $OUT .= $_."\n" foreach @{$unified_info{rawlines}};
 -}

Configurations/descrip.mms.tmpl

@@ -50,15 +50,13 @@
   }
   my $sd1 = sourcedir("ssl","record");
   my $sd2 = sourcedir("ssl","statem");
-  $unified_info{before}->{"[.crypto.ct]ct_lib.OBJ"}
-      = $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
-      = $unified_info{before}->{"[.test]ssltest.OBJ"}
+  $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
+      = $unified_info{before}->{"[.test]ssltest_old.OBJ"}
       = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
         define record 'record'
         statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
         define statem 'statem');
-  $unified_info{after}->{"[.crypto.ct]ct_lib.OBJ"}
-      = $unified_info{after}->{"[.test]heartbeat_test.OBJ"}
+  $unified_info{after}->{"[.test]heartbeat_test.OBJ"}
       = $unified_info{after}->{"[.test]ssltest.OBJ"}
       = qq(deassign statem
         deassign record);
@@ -105,6 +103,12 @@ ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{engines}}) -}
 PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } grep { !m|^\[\.test\]| } @{$unified_info{programs}}) -}
 TESTPROGS={- join(", ", map { "-\n\t".$_.".EXE" } grep { m|^\[\.test\]| } @{$unified_info{programs}}) -}
 SCRIPTS={- join(", ", map { "-\n\t".$_ } @{$unified_info{scripts}}) -}
+{- output_off() if $disabled{makedepend}; "" -}
+DEPS={- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
+                    grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                    keys %{$unified_info{sources}};
+        join(", ", map { "-\n\t".$_ } @deps); -}
+{- output_on() if $disabled{makedepend}; "" -}
 
 # DESTDIR is for package builders so that they can configure for, say,
 # SYS$COMMON:[OPENSSL] and yet have everything installed in STAGING:[USER].
@@ -115,19 +119,24 @@ SCRIPTS={- join(", ", map { "-\n\t".$_ } @{$unified_info{scripts}}) -}
 DESTDIR=
 
 # Do not edit this manually. Use Configure --prefix=DIR to change this!
-INSTALLTOP={- catdir($config{prefix}) || "SYS\$COMMON:[OPENSSL-\$(MAJOR).\$(MINOR)]" -}
+INSTALLTOP={- (my $x = $config{version}) =~ s|\.|_|g;
+              our $installtop =
+                  catdir($config{prefix}) || "SYS\$COMMON:[OPENSSL-$x]";
+              $installtop -}
+SYSTARTUP={- catdir($installtop, '[.SYS$STARTUP]'); -}
 # This is the standard central area to store certificates, private keys...
 OPENSSLDIR={- catdir($config{openssldir}) ||
-              $config{prefix} ? catdir($config{prefix},"SSL")
-                              : "SYS\$COMMON:[SSL]" -}
+              $config{prefix} ? catdir($config{prefix},"COMMON")
+                              : "SYS\$COMMON:[OPENSSL-COMMON]" -}
 # Where installed engines reside
 ENGINESDIR={- $osslprefix -}ENGINES:
 
 CC= {- $target{cc} -}
-CFLAGS= /DEFINE=({- join(",", @{$config{defines}},"OPENSSLDIR=\"\"\"\$(OPENSSLDIR)\"\"\"","ENGINESDIR=\"\"\"\$(ENGINESDIR)\"\"\"") -}) {- $config{cflags} -}
+CFLAGS= /DEFINE=({- join(",", @{$target{defines}}, @{$config{defines}},"OPENSSLDIR=\"\"\"\$(OPENSSLDIR)\"\"\"","ENGINESDIR=\"\"\"\$(ENGINESDIR)\"\"\"") -}) {- $target{cflags} -} {- $config{cflags} -}
+CFLAGS_Q=$(CFLAGS)
 DEPFLAG= /DEFINE=({- join(",", @{$config{depdefines}}) -})
-LDFLAGS= {- $config{lflags} -}
-EX_LIBS= {- $config{ex_libs} ? ",".$config{ex_libs} : "" -}
+LDFLAGS= {- $target{lflags} -}
+EX_LIBS= {- $target{ex_libs} ? ",".$target{ex_libs} : "" -}{- $config{ex_libs} ? ",".$config{ex_libs} : "" -}
 
 PERL={- $config{perl} -}
 
@@ -152,33 +161,34 @@ ASFLAG={- $target{asflags} -}
 NODEBUG=@
 .FIRST :
         $(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;"
-        $(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","a.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) internal_inc1 = F$PARSE("[.crypto.include.internal]","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) internal_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) internal_inc3 = F$PARSE("{- catdir($config{sourcedir},"[.crypto.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
         $(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2'
         $(NODEBUG) DEFINE internal 'internal_inc1','internal_inc2','internal_inc3'
         $(NODEBUG) staging_dir = "$(DESTDIR)"
+        $(NODEBUG) staging_instdir = ""
+        $(NODEBUG) staging_datadir = ""
         $(NODEBUG) IF staging_dir .NES. "" THEN -
-                staging_dir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY") - "A.;"
+                staging_instdir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY")
+        $(NODEBUG) IF staging_instdir - "]A.;" .NES. staging_instdir THEN -
+                staging_instdir = staging_instdir - "]A.;" + ".OPENSSL-INSTALL]"
+        $(NODEBUG) IF staging_instdir - "A.;" .NES. staging_instdir THEN -
+                staging_instdir = staging_instdir - "A.;" + "[OPENSSL-INSTALL]"
+        $(NODEBUG) IF staging_dir .NES. "" THEN -
+                staging_datadir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY")
+        $(NODEBUG) IF staging_datadir - "]A.;" .NES. staging_datadir THEN -
+                staging_datadir = staging_datadir - "]A.;" + ".OPENSSL-COMMON]"
+        $(NODEBUG) IF staging_datadir - "A.;" .NES. staging_datadir THEN -
+                staging_datadir = staging_datadir - "A.;" + "[OPENSSL-COMMON]"
         $(NODEBUG) !
         $(NODEBUG) ! Installation logical names
         $(NODEBUG) !
-        $(NODEBUG) installtop_dev = F$PARSE(staging_dir,"$(INSTALLTOP)",,"DEVICE","SYNTAX_ONLY")
-        $(NODEBUG) ! Because there are no routines to merge directories, we have to
-        $(NODEBUG) ! do it ourselves
-        $(NODEBUG) IF staging_dir .NES. "" THEN -
-                staging_dir = F$PARSE(staging_dir,"[000000]",,"DIRECTORY","SYNTAX_ONLY")
-        $(NODEBUG) installtop_dir = F$PARSE("$(INSTALLTOP)","[000000]",,"DIRECTORY","SYNTAX_ONLY")
-        $(NODEBUG) IF staging_dir .NES. "" .AND. staging_dir .NES. "[000000]" THEN -
-                installtop_dir = staging_dir - "]" + "." + (installtop_dir - "[")
-        $(NODEBUG) installtop_dir = installtop_dir - "]" + ".]"
-        $(NODEBUG) DEFINE ossl_installroot 'installtop_dev''installtop_dir'
-        $(NODEBUG) !
-        $(NODEBUG) datatop = F$PARSE("$(OPENSSLDIR)","[000000]A.;",,,"SYNTAX_ONLY") -
-                - "]A.;" + ".]"
-        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN -
-                DEFINE ossl_dataroot 'datatop'
+        $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+        $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+        $(NODEBUG) DEFINE ossl_installroot 'installtop'
+        $(NODEBUG) DEFINE ossl_dataroot 'datatop'
         $(NODEBUG) !
         $(NODEBUG) ! Figure out the architecture
         $(NODEBUG) !
@@ -191,7 +201,7 @@ NODEBUG=@
 
 .LAST :
         $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "!" -}
-        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN DEASSIGN ossl_dataroot
+        $(NODEBUG) DEASSIGN ossl_dataroot
         $(NODEBUG) DEASSIGN ossl_installroot
         $(NODEBUG) DEASSIGN internal
         $(NODEBUG) DEASSIGN openssl
@@ -200,21 +210,35 @@ NODEBUG=@
 
 # The main targets ###################################################
 
-all : descrip.mms, build_libs, build_engines, build_apps
+all : configdata.pm, -
+      build_libs_nodep, build_engines_nodep, build_apps_nodep, -
+      depend
 
-build_libs : $(LIBS)
-build_engines : $(ENGINES)
-build_apps : $(PROGRAMS), $(SCRIPTS)
-build_tests : $(TESTPROGS)
+build_libs : configdata.pm, build_libs_nodep, depend
+build_libs_nodep : $(LIBS)
+build_engines : configdata.pm, build_engines_nodep, depend
+build_engines_nodep : $(ENGINES)
+build_apps : configdata.pm, build_apps_nodep, depend
+build_apps_nodep : $(PROGRAMS), $(SCRIPTS)
+build_tests : configdata.pm, build_tests_nodep, depend
+build_tests_nodep : $(TESTPROGS)
 
-test tests : build_apps, build_engines, build_tests, rehash
+test tests : configdata.pm, -
+             build_apps_nodep, build_engines_nodep, build_tests_nodep, -
+             depend
+        @ ! {- output_off() if $disabled{tests}; "" -}
         SET DEFAULT [.test]{- move("test") -}
         DEFINE SRCTOP {- sourcedir() -}
         DEFINE BLDTOP {- builddir() -}
+        DEFINE OPENSSL_ENGINES {- builddir("engines") -}
         $(PERL) {- sourcefile("test", "run_tests.pl") -} $(TESTS)
+        DEASSIGN OPENSSL_ENGINES
         DEASSIGN BLDTOP
         DEASSIGN SRCTOP
         SET DEFAULT [-]{- move("..") -}
+        @ ! {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+        @ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options"
+        @ ! {- output_on() if !$disabled{tests}; "" -}
 
 list-tests :
         @ TOP=$(SRCDIR) PERL=$(PERL) $(PERL) {- catfile($config{sourcedir},"test", "run_tests.pl") -} list
@@ -229,6 +253,29 @@ libclean :
         - DELETE []CXX$DEMANGLER_DB.;*
 
 install : install_sw install_docs
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "######################################################################"
+        @ WRITE SYS$OUTPUT ""
+        @ IF "$(DESTDIR)" .EQS. "" THEN -
+             PIPE ( WRITE SYS$OUTPUT "Installation complete" ; -
+                    WRITE SYS$OUTPUT "" ; -
+                    WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names" ; -
+                    WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands" ; -
+                    WRITE SYS$OUTPUT "" )
+        @ IF "$(DESTDIR)" .NES. "" THEN -
+             PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; -
+                    WRITE SYS$OUTPUT "" ; -
+                    WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; -
+                    WRITE SYS$OUTPUT staging_instdir ; -
+                    WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; -
+                    WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; -
+                    WRITE SYS$OUTPUT staging_datadir ; -
+                    WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; -
+                    WRITE SYS$OUTPUT "" ; -
+                    WRITE SYS$OUTPUT "When in its final destination," ; -
+                    WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup to set up logical names" ; -
+                    WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils to define commands" ; -
+                    WRITE SYS$OUTPUT "" )
 
 uninstall : uninstall_docs uninstall_sw
 
@@ -242,37 +289,24 @@ clean : libclean
         - DELETE [.test]*.LOG;*
         - DELETE []*.MAP;*
 
-DCLEAN_CMD=$(PERL) -pe "if (/^# DO NOT DELETE.*/) { exit(0); }"
-dclean :
-        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
-        RENAME descrip.mms.new descrip.mms
-        PURGE descrip.mms
-
-{- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
-               grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
-               keys %{$unified_info{sources}};
-   ""; -}
-depend : {- join(",-\n\t", @deps); -}
-        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
-        OPEN/APPEND DESCRIP descrip.mms.new
-        WRITE DESCRIP "# DO NOT DELETE THIS LINE -- make depend depends on it."
-        {- join("\n\t", map { "TYPE $_ /OUTPUT=DESCRIP:" } @deps); -}
-        CLOSE DESCRIP
-        RENAME descrip.mms.new descrip.mms
-        PURGE descrip.mms
+depend : descrip.mms
+descrip.mms : FORCE
+	@ ! {- output_off() if $disabled{makedepend}; "" -}
+        @ $(PERL) -pe "if (/^# DO NOT DELETE.*/) { exit(0); }" -
+                < descrip.mms > descrip.mms-new
+        @ OPEN/APPEND DESCRIP descrip.mms-new
+        @ WRITE DESCRIP "# DO NOT DELETE THIS LINE -- make depend depends on it."
+        {- join("\n\t", map { "\@ IF F\$SEARCH(\"$_\") .NES. \"\" THEN TYPE $_ /OUTPUT=DESCRIP:" } @deps); -}
+        @ CLOSE DESCRIP
+        @ PIPE ( $(PERL) -e "use File::Compare qw/compare_text/; my $x = compare_text(""descrip.mms"",""descrip.mms-new""); exit(0x10000000 + ($x == 0));" || -
+                 RENAME descrip.mms-new descrip.mms )
+        @ IF F$SEARCH("descrip.mms-new") .NES. "" THEN DELETE descrip.mms-new;*
+        -@ SPAWN/OUTPUT=NLA0: PURGE/NOLOG descrip.mms
+	@ ! {- output_on() if $disabled{makedepend}; "" -}
 
 # Install helper targets #############################################
 
 install_sw : all install_dev install_engines install_runtime install_config
-        @ WRITE SYS$OUTPUT ""
-        @ WRITE SYS$OUTPUT "######################################################################"
-        @ WRITE SYS$OUTPUT ""
-        @ WRITE SYS$OUTPUT "Installation complete"
-        @ WRITE SYS$OUTPUT ""
-        @ IF "$(DESTDIR)" .NES. "" THEN EXIT 1
-        @ WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names"
-        @ WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands"
-        @ WRITE SYS$OUTPUT ""
 
 uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime uninstall_config
 
@@ -283,49 +317,52 @@ uninstall_docs : uninstall_man_docs uninstall_html_docs
 install_dev : check_INSTALLTOP
         @ WRITE SYS$OUTPUT "*** Installing development files"
         @ ! Install header files
-        CREATE/DIR ossl_installroot:[include.openssl]
+        - CREATE/DIR ossl_installroot:[include.openssl]
         COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl]
         @ ! Install libraries
-        CREATE/DIR ossl_installroot:['arch'.LIB]
+        - CREATE/DIR ossl_installroot:[LIB.'arch']
         {- join("\n        ",
-                map { "COPY/PROT=W:R $_.OLB ossl_installroot:['arch'.LIB]" }
+                map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" }
                 @{$unified_info{libraries}}) -}
-        @ {- output_off() if $config{no_shared}; "" -} !
+        @ {- output_off() if $disabled{shared}; "" -} !
         {- join("\n        ",
-                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:['arch'.LIB]" }
+                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[LIB.'arch']" }
                 map { $unified_info{sharednames}->{$_} || () }
                 @{$unified_info{libraries}}) -}
-        @ {- output_on() if $config{no_shared}; "" -} !
+        @ {- output_on() if $disabled{shared}; "" -} !
 
 install_runtime : check_INSTALLTOP
+        @ ! {- output_off() if $disabled{apps}; "" -}
         @ WRITE SYS$OUTPUT "*** Installing runtime files"
         @ ! Install the main program
-        CREATE/DIR ossl_installroot:['arch'.EXE]
-        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:['arch'.EXE]
+        - CREATE/DIR ossl_installroot:[EXE.'arch']
+        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:[EXE.'arch']
         @ ! Install scripts
-        CREATE/DIR ossl_installroot:[EXE]
+        - CREATE/DIR ossl_installroot:[EXE]
         COPY/PROT=W:RE [.APPS]CA.pl ossl_installroot:[EXE]
         COPY/PROT=W:RE [.TOOLS]c_rehash. ossl_installroot:[EXE]c_rehash.pl
+        @ ! {- output_on() if $disabled{apps}; "" -}
         @ ! Install configuration file
+        - CREATE/DIR ossl_dataroot:[000000]
         COPY/PROT=W:RE {- sourcefile("apps", "openssl-vms.cnf") -} -
-                ossl_installroot:[000000]openssl.cnf
+                ossl_dataroot:[000000]openssl.cnf
 
 install_engines : check_INSTALLTOP
-        @ {- output_off() if $config{no_shared}; "" -} !
+        @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} !
         @ WRITE SYS$OUTPUT "*** Installing engines"
-        CREATE/DIR ossl_installroot:['arch'.ENGINES]
-        COPY/PROT=W:RE [.ENGINES]*.EXE ossl_installroot:['arch'.ENGINES]
-        @ {- output_on() if $config{no_shared}; "" -} !
+        - CREATE/DIR ossl_installroot:[ENGINES.'arch']
+        {- join("\n        ",
+                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES.'arch']" }
+                grep(!m|ossltest$|i, @{$unified_info{engines}})) -}
+        @ {- output_on() unless scalar @{$unified_info{engines}}; "" -} !
 
 install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
                  check_INSTALLTOP
-        IF "$(DESTDIR)" .EQS. "" THEN -
-                IF F$SEARCH("OSSL_DATAROOT:[000000]CERTS.DIR;1") .EQS. "" THEN -
+        IF F$SEARCH("OSSL_DATAROOT:[000000]CERTS.DIR;1") .EQS. "" THEN -
                 CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[CERTS]
-        IF "$(DESTDIR)" .EQS. "" THEN -
-                IF F$SEARCH("OSSL_DATAROOT:[000000]PRIVATE.DIR;1") .EQS. "" THEN -
-                CREATE/DIR/PROT=(S:RWED,O:RWE,G:,W:) OSSL_DATAROOT:[PRIVATE]
-        CREATE/DIR ossl_installroot:[SYS$STARTUP]
+        IF F$SEARCH("OSSL_DATAROOT:[000000]PRIVATE.DIR;1") .EQS. "" THEN -
+                CREATE/DIR/PROT=(S:RWED,O:RWE,G,W) OSSL_DATAROOT:[PRIVATE]
+        - CREATE/DIR ossl_installroot:[SYS$STARTUP]
         COPY/PROT=W:RE -
                 [.VMS]openssl_startup.com,openssl_shutdown.com -
                 ossl_installroot:[SYS$STARTUP]
@@ -334,28 +371,28 @@ install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
                 ossl_installroot:[SYS$STARTUP]
 
 [.VMS]openssl_startup.com : vmsconfig.pm
-        CREATE/DIR [.VMS]
+        - CREATE/DIR [.VMS]
         $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
                 {- sourcefile("VMS", "openssl_startup.com.in") -} -
                 > [.VMS]openssl_startup.com
 
 [.VMS]openssl_shutdown.com : vmsconfig.pm
-        CREATE/DIR [.VMS]
+        - CREATE/DIR [.VMS]
         $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
                 {- sourcefile("VMS", "openssl_shutdown.com.in") -} -
                 > [.VMS]openssl_shutdown.com
 
-vmsconfig.pm : descrip.mms
+vmsconfig.pm : configdata.pm
         OPEN/WRITE/SHARE=READ CONFIG []vmsconfig.pm
         WRITE CONFIG "package vmsconfig;"
         WRITE CONFIG "use strict; use warnings;"
         WRITE CONFIG "use Exporter;"
         WRITE CONFIG "our @ISA = qw(Exporter);"
-        WRITE CONFIG "our @EXPORT = qw(%config %target %withargs %unified_info);"
+        WRITE CONFIG "our @EXPORT = qw(%config %target %withargs %unified_info %disabled);"
         WRITE CONFIG "our %config = ("
         WRITE CONFIG "  target => '{- $config{target} -}',"
         WRITE CONFIG "  version => '$(MAJOR).$(MINOR)',"
-        WRITE CONFIG "  no_shared => '","{- $config{no_shared} -}","',"
+        WRITE CONFIG "  no_shared => '","{- $disabled{shared} -}","',"
         WRITE CONFIG "  INSTALLTOP => '$(INSTALLTOP)',"
         WRITE CONFIG "  OPENSSLDIR => '$(OPENSSLDIR)',"
         WRITE CONFIG "  pointersize => '","{- $target{pointersize} -}","',"
@@ -364,6 +401,7 @@ vmsconfig.pm : descrip.mms
         WRITE CONFIG "  ],"
         WRITE CONFIG ");"
         WRITE CONFIG "our %target = ();"
+        WRITE CONFIG "our %disabled = ();"
         WRITE CONFIG "our %withargs = ();"
         WRITE CONFIG "our %unified_info = ();"
         WRITE CONFIG "1;"
@@ -377,16 +415,6 @@ check_INSTALLTOP :
 
 # Helper targets #####################################################
 
-rehash : [.apps]openssl.exe, copy-certs
-        !MCR [.apps]openssl.exe rehash {- builddir("certs", "demo") -}
-        $(PERL) [.tools]c_rehash. [.certs.demo]
-
-copy-certs :
-        @ IF F$SEARCH("{- buildfile("certs.dir") -}") .EQS. "" THEN -
-             CREATE/DIR {- builddir("certs") -}
-        -@ IF "{- sourcedir("certs") -}" .NES. "{- builddir("certs") -}" THEN -
-             COPY {- tree(sourcedir("certs")) -}*.* {- tree(builddir("certs")) -}
-
 # Developer targets ##################################################
 
 debug_logicals :
@@ -396,8 +424,7 @@ debug_logicals :
 
 # Building targets ###################################################
 
-descrip.mms : {- sourcefile("Configurations", "descrip.mms.tmpl") -} $(SRCDIR)Configure ! $(SRCDIR)config.com
-        @ WRITE SYS$OUTPUT "descrip.mms is older than $?."
+configdata.pm : {- join(" ", sourcefile("Configurations", "descrip.mms.tmpl"), sourcefile("Configurations", "common.tmpl")) -} $(SRCDIR)Configure $(SRCDIR)config.com {- join(" ", @{$config{build_infos}}) -}
         @ WRITE SYS$OUTPUT "Reconfiguring..."
         perl $(SRCDIR)Configure reconf
         @ WRITE SYS$OUTPUT "*************************************************"
@@ -405,48 +432,27 @@ descrip.mms : {- sourcefile("Configurations", "descrip.mms.tmpl") -} $(SRCDIR)Co
         @ WRITE SYS$OUTPUT "***   Please run the same mms command again   ***"
         @ WRITE SYS$OUTPUT "***                                           ***"
         @ WRITE SYS$OUTPUT "*************************************************"
-        @ exit %10000000
+        @ PIPE ( EXIT %X10000000 )
 
 {-
   use File::Basename;
   use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/;
-  sub src2dep {
+
+  sub generatesrc {
       my %args = @_;
-      my $dep = $args{obj};
-      my $deps = join(", -\n\t\t", @{$args{srcs}}, @{$args{deps}});
+      my $generator = join(" ", @{$args{generator}});
+      my $deps = join(", -\n\t\t", @{$args{deps}});
 
-      # Because VMS C isn't very good at combining a /INCLUDE path with
-      # #includes having a relative directory (like '#include "../foo.h"),
-      # the best choice is to move to the first source file's intended
-      # directory before compiling, and make sure to write the object file
-      # in the correct position (important when the object tree is other
-      # than the source tree).
-      my $forward = dirname($args{srcs}->[0]);
-      my $backward = abs2rel(rel2abs("."), rel2abs($forward));
-      my $depd = abs2rel(rel2abs(dirname($dep)), rel2abs($forward));
-      my $depn = basename($dep);
-      my $srcs =
-          join(", ",
-               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
-      my $incs =
-          "/INCLUDE=(".join(",",
-                            map {
-                               file_name_is_absolute($_)
-                               ? $_ : catdir($backward,$_)
-                            } @{$args{incs}}).")";
-      my $before = $unified_info{before}->{$dep.".OBJ"} || "\@ !";
-      my $after = $unified_info{after}->{$dep.".OBJ"} || "\@ !";
-
-      return <<"EOF";
-$dep.MMS : $deps
-        ${before}
-        SET DEFAULT $forward
-        \$(CC) \$(CFLAGS)${incs} /MMS=(TARGET=.OBJ)/OBJECT=${depd}${depn}.MMS $srcs
-        SET DEFAULT $backward
-        ${after}
-        - PURGE $dep.MMS
+      if ($args{src} !~ /\.[sS]$/) {
+          return <<"EOF";
+$args{src} : $args{generator}->[0] $deps
+	\$(PERL) $generator > \$@
 EOF
+      } else {
+          die "No method to generate assembler source present.\n";
+      }
   }
+
   sub src2obj {
       my %args = @_;
       my $obj = $args{obj};
@@ -465,22 +471,43 @@ EOF
       my $srcs =
           join(", ",
                map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
-      my $incs =
-          "/INCLUDE=(".join(",",
-                            map {
-                               file_name_is_absolute($_)
-                               ? $_ : catdir($backward,$_)
-                            } @{$args{incs}}).")";
+      my $incs_on = "\@ !";
+      my $incs_off = "\@ !";
+      my $incs = "";
+      my @incs = ();
+      push @incs, @{$args{incs}} if @{$args{incs}};
+      unless ($disabled{zlib}) {
+          # GNV$ZLIB_INCLUDE is the standard logical name for later zlib
+          # incarnations.
+          push @incs, ($withargs{zlib_include} || 'GNV$ZLIB_INCLUDE:');
+      }
+      if (@incs) {
+          $incs_on =
+              "DEFINE tmp_includes "
+              .join(",-\n\t\t\t", map {
+                                      file_name_is_absolute($_)
+                                      ? $_ : catdir($backward,$_)
+                                  } @incs);
+          $incs_off = "DEASSIGN tmp_includes";
+          $incs = " /INCLUDE=(tmp_includes:)";
+      }
       my $before = $unified_info{before}->{$obj.".OBJ"} || "\@ !";
       my $after = $unified_info{after}->{$obj.".OBJ"} || "\@ !";
+      my $depbuild = $disabled{makedepend} ? ""
+          : " /MMS=(FILE=${objd}${objn}.tmp-MMS,TARGET=$obj.OBJ)";
 
       return <<"EOF";
 $obj.OBJ : $deps
         ${before}
         SET DEFAULT $forward
-        \$(CC) \$(CFLAGS)${incs} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
+        $incs_on
+        \$(CC) \$(CFLAGS)${incs}${depbuild} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
+        $incs_off
         SET DEFAULT $backward
         ${after}
+        \@ PIPE ( \$(PERL) -e "use File::Compare qw/compare_text/; my \$x = compare_text(""$obj.MMS"",""$obj.tmp-MMS""); exit(0x10000000 + (\$x == 0));" || -
+                 RENAME $obj.tmp-MMS $obj.mms )
+        \@ IF F\$SEARCH("$obj.tmp-MMS") .NES. "" THEN DELETE $obj.tmp-MMS;*
         - PURGE $obj.OBJ
 EOF
   }
@@ -492,10 +519,10 @@ EOF
       my $libn = basename($lib);
       (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib//i;
       my @deps = map {
-          $config{no_shared} ? $_.".OLB"
+          $disabled{shared} ? $_.".OLB"
               : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
       my $deps = join(", -\n\t\t", @deps);
-      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
       my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
       my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
                                                "VMS", "engine.opt")),
@@ -513,7 +540,7 @@ EOF
       my $write_opt =
           join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
                              $x =~ s|(\.EXE)|$1/SHARE|;
-                             $x =~ s|(\.LIB)|$1/LIB|;
+                             $x =~ s|(\.OLB)|$1/LIB|;
                              "WRITE OPT_FILE \"$x\"" } @deps)
           || "\@ !";
       return <<"EOF";
@@ -536,7 +563,7 @@ $shlib.EXE : $lib.OLB $deps $ordinalsfile
         - PURGE $shlib.EXE,$shlib.OPT,$shlib.MAP
 EOF
   }
-  sub obj2dynlib {
+  sub obj2dso {
       my %args = @_;
       my $lib = $args{lib};
       my $libd = dirname($lib);
@@ -544,10 +571,10 @@ EOF
       (my $libn_nolib = $libn) =~ s/^lib//;
       my @objs = map { "$_.OBJ" } @{$args{objs}};
       my @deps = map {
-          $config{no_shared} ? $_.".OLB"
+          $disabled{shared} ? $_.".OLB"
               : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
       my $deps = join(", -\n\t\t", @objs, @deps);
-      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
       my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
                                                "VMS", "engine.opt")),
                                rel2abs($config{builddir}));
@@ -561,7 +588,7 @@ EOF
           "\"\n\t".
           join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
                              $x =~ s|(\.EXE)|$1/SHARE|;
-                             $x =~ s|(\.LIB)|$1/LIB|;
+                             $x =~ s|(\.OLB)|$1/LIB|;
                              "WRITE OPT_FILE \"$x\"" } @deps)
           || "\@ !";
       return <<"EOF";
@@ -594,7 +621,7 @@ EOF
       my $binn = basename($bin);
       my @objs = map { "$_.OBJ" } @{$args{objs}};
       my @deps = map {
-          $config{no_shared} ? $_.".OLB"
+          $disabled{shared} ? $_.".OLB"
               : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
       my $deps = join(", -\n\t\t", @objs, @deps);
       # The "[]" hack is because in .OPT files, each line inherits the

Configurations/unix-Makefile.tmpl

@@ -3,11 +3,60 @@
 ##
 ## {- join("\n## ", @autowarntext) -}
 {-
+     our $objext = $target{obj_extension} || ".o";
+     our $depext = $target{dep_extension} || ".d";
+     our $exeext = $target{exe_extension} || "";
+     our $libext = $target{lib_extension} || ".a";
+     our $shlibext = $target{shared_extension} || ".so";
+     our $shlibextsimple = $target{shared_extension_simple} || ".so";
+     our $shlibextimport = $target{shared_import_extension} || "";
+     our $dsoext = $target{dso_extension} || ".so";
+
      sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
-     sub shlib_ext { $target{shared_extension} || ".so" }
-     sub shlib_ext_simple { (my $x = $target{shared_extension})
-                                =~ s/\.\$\(SHLIB_MAJOR\)\.\$\(SHLIB_MINOR\)//;
-                            $x }
+
+     # shlib and shlib_simple both take a static library name and figure
+     # out what the shlib name should be.
+     #
+     # When OpenSSL is configured "no-shared", these functions will just
+     # return empty lists, making them suitable to join().
+     #
+     # With Windows DLL producers, shlib($libname) will return the shared
+     # library name (which usually is different from the static library
+     # name) with the default shared extension appended to it, while
+     # shlib_simple($libname) will return the static library name with
+     # the shared extension followed by ".a" appended to it.  The former
+     # result is used as the runtime shared library while the latter is
+     # used as the DLL import library.
+     #
+     # On all Unix systems, shlib($libname) will return the library name
+     # with the default shared extension, while shlib_simple($libname)
+     # will return the name from shlib($libname) with any SO version number
+     # removed.  On some systems, they may therefore return the exact same
+     # string.
+     sub shlib {
+         return () if $disabled{shared};
+         my $lib = shift;
+         return $unified_info{sharednames}->{$lib} . $shlibext;
+     }
+     sub shlib_simple {
+         return () if $disabled{shared};
+
+         my $lib = shift;
+         if (windowsdll()) {
+             return $lib . $shlibextimport;
+         }
+         return $lib .  $shlibextsimple;
+     }
+
+     # dso is a complement to shlib / shlib_simple that returns the
+     # given libname with the simple shared extension (possible SO version
+     # removed).  This differs from shlib_simple() by being unconditional.
+     sub dso {
+         my $engine = shift;
+
+         return $engine . $dsoext;
+     }
+     '';
 -}
 PLATFORM={- $config{target} -}
 OPTIONS={- $config{options} -}
@@ -24,23 +73,27 @@ SHLIB_MAJOR={- $config{shlib_major} -}
 SHLIB_MINOR={- $config{shlib_minor} -}
 SHLIB_TARGET={- $target{shared_target} -}
 
-EXE_EXT={- $target{exe_extension} || "" -}
-LIB_EXT={- $target{lib_extension} || ".a" -}
-SHLIB_EXT={- shlib_ext() -}
-SHLIB_EXT_SIMPLE={- shlib_ext_simple() -}
-OBJ_EXT={- $target{obj_extension} || ".o" -}
-DEP_EXT={- $target{dep_extension} || ".d" -}
-
-LIBS={- join(" ", map { $_."\$(LIB_EXT)" } @{$unified_info{libraries}}) -}
-SHLIBS={- join(" ", map { $_."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
-ENGINES={- join(" ", map { $_."\$(SHLIB_EXT_SIMPLE)" } @{$unified_info{engines}}) -}
-PROGRAMS={- join(" ", map { $_."\$(EXE_EXT)" } grep { !m|^test/| } @{$unified_info{programs}}) -}
-TESTPROGS={- join(" ", map { $_."\$(EXE_EXT)" } grep { m|^test/| } @{$unified_info{programs}}) -}
+LIBS={- join(" ", map { $_.$libext } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { shlib($_) } @{$unified_info{libraries}}) -}
+ENGINES={- join(" ", map { dso($_) } @{$unified_info{engines}}) -}
+PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test/| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(" ", map { $_.$exeext } grep { m|^test/| } @{$unified_info{programs}}) -}
 SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}
+{- output_off() if $disabled{makedepend}; "" -}
+DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|$depext|; $x; }
+                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                  keys %{$unified_info{sources}}); -}
+{- output_on() if $disabled{makedepend}; "" -}
+GENERATED={- join(" ", map { (my $x = $_) =~ s|\.S$|\.s|; $x } keys %{$unified_info{generate}}) -}
+
+{- output_off() if $disabled{apps}; "" -}
 BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
 MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \
 	     $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \
-	     $(BLDDIR)/apps/CA.pl $(SRCDIR)/apps/tsget
+	     $(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget
+{- output_on() if $disabled{apps}; "" -}
+
+SHLIB_INFO={- join(" ", map { "\"".shlib($_).";".shlib_simple($_)."\"" } @{$unified_info{libraries}}) -}
 
 # DESTDIR is for package builders so that they can configure for, say,
 # /usr/ and yet have everything installed to /tmp/somedir/usr/.
@@ -83,7 +136,8 @@ ENGINESDIR={- use File::Spec::Functions;
               catdir($prefix,$libdir,"engines") -}
 
 MANDIR=$(INSTALLTOP)/share/man
-HTMLDIR=$(INSTALLTOP)/share/doc/$(BASENAME)/html
+DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
+HTMLDIR=$(DOCDIR)/html
 
 # MANSUFFIX is for the benefit of anyone who may want to have a suffix
 # appended after the manpage file section number.  "ssl" is popular,
@@ -95,27 +149,30 @@ HTMLSUFFIX=html
 
 CROSS_COMPILE= {- $config{cross_compile_prefix} -}
 CC= $(CROSS_COMPILE){- $target{cc} -}
-CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
 CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
-DEPFLAGS= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
-LDFLAGS= {- $config{lflags} -}
-PLIB_LDFLAGS= {- $config{plib_lflags} -}
-EX_LIBS= {- $config{ex_libs} -}
-SHARED_LDFLAGS={- $target{shared_ldflag}
-                  # Unlike other OSes (like Solaris, Linux, Tru64,
-                  # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
-                  # and FreeBSD) "demand" RPATH set on .so objects.
-                  # Apparently application RPATH is not global and
-                  # does not apply to .so linked with other .so.
-                  # Problem manifests itself when libssl.so fails to
-                  # load libcrypto.so. One can argue that we should
-                  # engrave this into Makefile.shared rules or into
-                  # BSD-* config lines above. Meanwhile let's try to
-                  # be cautious and pass -rpath to linker only when
-                  # $prefix is not /usr.
-                  . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
-                     ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
-SHARED_RCFLAGS={- $target{shared_rcflag} -}
+LDFLAGS= {- $target{lflags} -}
+PLIB_LDFLAGS= {- $target{plib_lflags} -}
+EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
+LIB_CFLAGS={- $target{shared_cflag} || "" -}
+LIB_LDFLAGS={- $target{shared_ldflag}." ".$config{shared_ldflag}
+               # Unlike other OSes (like Solaris, Linux, Tru64,
+               # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
+               # and FreeBSD) "demand" RPATH set on .so objects.
+               # Apparently application RPATH is not global and
+               # does not apply to .so linked with other .so.
+               # Problem manifests itself when libssl.so fails to
+               # load libcrypto.so. One can argue that we should
+               # engrave this into Makefile.shared rules or into
+               # BSD-* config lines above. Meanwhile let's try to
+               # be cautious and pass -rpath to linker only when
+               # $prefix is not /usr.
+               . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
+                  ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
+RCFLAGS={- $target{shared_rcflag} -}
+DSO_CFLAGS={- $target{shared_cflag} || "" -}
+DSO_LDFLAGS=$(LIB_LDFLAGS)
+BIN_CFLAGS={- "" -}
 
 PERL={- $config{perl} -}
 
@@ -124,8 +181,10 @@ AR=$(CROSS_COMPILE){- $target{ar} || "ar" -} $(ARFLAGS) r
 RANLIB= {- $target{ranlib} -}
 NM= $(CROSS_COMPILE){- $target{nm} || "nm" -}
 RM= rm -f
+RMDIR= rmdir
 TAR= {- $target{tar} || "tar" -}
 TARFLAGS= {- $target{tarflags} -}
+MAKEDEPEND={- $config{makedepprog} -}
 
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
@@ -146,64 +205,93 @@ PROCESSOR= {- $config{processor} -}
 
 # The main targets ###################################################
 
-all: build_libs build_engines build_apps link-utils
+all: configdata.pm build_libs_nodep build_engines_nodep build_apps_nodep \
+     depend link-utils
 
-# The pkg-config files depend on the libraries as well as Makefile
-build_libs: libcrypto.pc libssl.pc openssl.pc
-build_engines: $(ENGINES)
-build_apps: $(PROGRAMS) $(SCRIPTS)
-build_tests: $(TESTPROGS)
+build_libs: configdata.pm build_libs_nodep depend
+build_libs_nodep: libcrypto.pc libssl.pc openssl.pc
+build_engines: configdata.pm build_engines_nodep depend
+build_engines_nodep: $(ENGINES)
+build_apps: configdata.pm build_apps_nodep depend
+build_apps_nodep: $(PROGRAMS) $(SCRIPTS)
+build_tests: configdata.pm build_tests_nodep depend
+build_tests_nodep: $(TESTPROGS)
 
-test tests: build_tests build_apps build_engines rehash
+test tests: build_tests_nodep build_apps_nodep build_engines_nodep \
+            depend link-utils
+	@ : {- output_off() if $disabled{tests}; "" -}
 	( cd test; \
 	  SRCTOP=../$(SRCDIR) \
 	  BLDTOP=../$(BLDDIR) \
+	  EXE_EXT={- $exeext -} \
+	  OPENSSL_ENGINES=../$(BLDDIR)/engines \
 	    $(PERL) ../$(SRCDIR)/test/run_tests.pl $(TESTS) )
+	@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+	@echo "Tests are not supported with your chosen Configure options"
+	@ : {- output_on() if !$disabled{tests}; "" -}
 
 list-tests:
 	@TOP=$(SRCDIR) PERL=$(PERL) $(PERL) $(SRCDIR)/test/run_tests.pl list
 
 libclean:
-	-rm -f `find $(BLDDIR) -name '*$(LIB_EXT)' -o -name '*$(SHLIB_EXT)'`
+	@set -e; for s in $(SHLIB_INFO); do \
+		s1=`echo "$$s" | cut -f1 -d";"`; \
+		s2=`echo "$$s" | cut -f2 -d";"`; \
+		echo $(RM) $$s1; \
+		$(RM) $$s1; \
+		if [ "$$s1" != "$$s2" ]; then \
+			echo $(RM) $$s2; \
+			$(RM) $$s2; \
+		fi; \
+	done
+	$(RM) $(LIBS)
 
 install: install_sw install_ssldirs install_docs
 
 uninstall: uninstall_docs uninstall_sw
 
 clean: libclean
-	rm -f $(PROGRAMS) $(TESTPROGS)
-	rm -f `find $(BLDDIR) -name '*$(DEP_EXT)'`
-	rm -f `find $(BLDDIR) -name '*$(OBJ_EXT)'`
-	rm -f $(BLDDIR)/core $(BLDDIR)/rehash.time
-	rm -f $(BLDDIR)/tags $(BLDDIR)/TAGS
-	rm -f $(BLDDIR)/openssl.pc $(BLDDIR)/libcrypto.pc $(BLDDIR)/libssl.pc
-	-rm -f `find $(BLDDIR) -type l`
+	rm -f $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
+	rm -f $(GENERATED)
+	-rm -f `find . -name '*{- $depext -}'`
+	-rm -f `find . -name '*{- $objext -}'`
+	rm -f core
+	rm -f tags TAGS
+	rm -f openssl.pc libcrypto.pc libssl.pc
+	-rm -f `find . -type l`
 	rm -f $(TARFILE)
 
-DCLEAN_CMD=sed -e '/^DO NOT DELETE.*/,$$d'
-dclean:
-	$(DCLEAN_CMD) < Makefile >Makefile.new
-	mv -f Makefile.new Makefile
-
-DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
-                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
-                  keys %{$unified_info{sources}}); -}
-depend: $(DEPS)
-	( $(DCLEAN_CMD) < Makefile; \
-	  echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
-	  echo; \
-	  cat `find . -name '*$(DEP_EXT)'` ) > Makefile.new
-	mv -f Makefile.new Makefile
+# This exists solely for those who still type 'make depend'
+#
+# We check if any depfile is newer than Makefile and decide to
+# concatenate only if that is true.
+depend:
+	@: {- output_off() if $disabled{makedepend}; "" -}
+	@if [ -n "`find $(DEPS) -newer Makefile 2>/dev/null; exit 0`" ]; then \
+	  ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \
+	    echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
+	    echo; \
+	    for f in $(DEPS); do \
+	      if [ -f $$f ]; then cat $$f; fi; \
+	    done ) > Makefile.new; \
+	  if cmp Makefile.new Makefile >/dev/null 2>&1; then \
+	    rm -f Makefile.new; \
+	  else \
+	    mv -f Makefile.new Makefile; \
+	  fi; \
+	fi
+	@: {- output_on() if $disabled{makedepend}; "" -}
 
 # Install helper targets #############################################
 
 install_sw: all install_dev install_engines install_runtime
 
-uninstall_sw: uninstall_dev uninstall_engines uninstall_runtime
+uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
 
 install_docs: install_man_docs install_html_docs
 
 uninstall_docs: uninstall_man_docs uninstall_html_docs
+	$(RM) -r -v $(DESTDIR)$(DOCDIR)
 
 install_ssldirs:
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
@@ -230,28 +318,31 @@ install_dev:
 		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
 		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
 	done
-	@ : {- output_off() if $config{no_shared}; "" -}
-	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$s`; \
-		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
-		cp $$s $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
-		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
-		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
-		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
-			echo "link $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
-			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
-			ln -sf $$fn $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
+	@ : {- output_off() if $disabled{shared}; "" -}
+	@set -e; for s in $(SHLIB_INFO); do \
+		s1=`echo "$$s" | cut -f1 -d";"`; \
+		s2=`echo "$$s" | cut -f2 -d";"`; \
+		fn1=`basename $$s1`; \
+		fn2=`basename $$s2`; \
+		: {- output_off() if windowsdll(); "" -}; \
+		echo "install $$s1 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1"; \
+		cp $$s1 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1; \
+		if [ "$$fn1" != "$$fn2" ]; then \
+			echo "link $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1"; \
+			ln -sf $$fn1 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		fi; \
-		: {- output_off() unless windowsdll(); "" -}; \
-		echo "install $$s.a -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
-		cp $$s.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
-		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
-		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new \
-		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
+		echo "install $$s2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
+		cp $$s2 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		: {- output_on() unless windowsdll(); "" -}; \
 	done
-	@ : {- output_on() if $config{no_shared}; "" -}
+	@ : {- output_on() if $disabled{shared}; "" -}
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
 	@echo "install libcrypto.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
 	@cp libcrypto.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
@@ -271,39 +362,49 @@ uninstall_dev:
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
 	done
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include
 	@set -e; for l in $(LIBS); do \
 		fn=`basename $$l`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
 	done
-	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$s`; \
-		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
-			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
+	@ : {- output_off() if $disabled{shared}; "" -}
+	@set -e; for s in $(SHLIB_INFO); do \
+		s1=`echo "$$s" | cut -f1 -d";"`; \
+		s2=`echo "$$s" | cut -f2 -d";"`; \
+		fn1=`basename $$s1`; \
+		fn2=`basename $$s2`; \
+		: {- output_off() if windowsdll(); "" -}; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn1; \
+		if [ "$$fn1" != "$$fn2" ]; then \
 			echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
 			$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		fi; \
-		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
-		: {- output_off() unless windowsdll(); "" -}; \
-		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
-		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
 		: {- output_on() unless windowsdll(); "" -}; \
 	done
-	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc"
-	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	@ : {- output_on() if $disabled{shared}; "" -}
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)
 
 install_engines:
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/
 	@echo "*** Installing engines"
-	@set -e; for e in $(ENGINES); do \
+	@set -e; for e in dummy $(ENGINES); do \
+		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
-		echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		if [ "$$fn" = '{- dso("ossltest") -}' ]; then \
+			continue; \
+		fi; \
+		echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn"; \
 		cp $$e $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
 		chmod 755 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
 		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new \
@@ -312,11 +413,16 @@ install_engines:
 
 uninstall_engines:
 	@echo "*** Uninstalling engines"
-	@set -e; for e in $(ENGINES); do \
+	@set -e; for e in dummy $(ENGINES); do \
+		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
-		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		if [ "$$fn" = '{- dso("ossltest") -}' ]; then \
+			continue; \
+		fi; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \
 	done
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines
 
 install_runtime:
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@@ -324,8 +430,9 @@ install_runtime:
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
 	@echo "*** Installing runtime files"
 	: {- output_off() unless windowsdll(); "" -};
-	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$i`; \
+	@set -e; for s in dummy $(SHLIBS); do \
+		if [ "$$s" = "dummy" ]; then continue; fi; \
+		fn=`basename $$s`; \
 		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
 		chmod 644 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -333,7 +440,8 @@ install_runtime:
 		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
 	: {- output_on() unless windowsdll(); "" -};
-	@set -e; for x in $(PROGRAMS); do \
+	@set -e; for x in dummy $(PROGRAMS); do \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -341,7 +449,8 @@ install_runtime:
 		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
 		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
-	@set -e; for x in $(BIN_SCRIPTS); do \
+	@set -e; for x in dummy $(BIN_SCRIPTS); do \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -349,7 +458,8 @@ install_runtime:
 		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
 		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
-	@set -e; for x in $(MISC_SCRIPTS); do \
+	@set -e; for x in dummy $(MISC_SCRIPTS); do \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "install $$x -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
 		cp $$x $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
@@ -364,40 +474,46 @@ install_runtime:
 
 uninstall_runtime:
 	@echo "*** Uninstalling runtime files"
-	@set -e; for x in $(PROGRAMS); \
+	@set -e; for x in dummy $(PROGRAMS); \
 	do  \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done;
-	@set -e; for x in $(BIN_SCRIPTS); \
+	@set -e; for x in dummy $(BIN_SCRIPTS); \
 	do  \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
-	@set -e; for x in $(MISC_SCRIPTS); \
+	@set -e; for x in dummy $(MISC_SCRIPTS); \
 	do  \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
 		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
 	done
 	: {- output_off() unless windowsdll(); "" -};
-	@set -e; for s in $(SHLIBS); do \
-		fn=`basename $$i`; \
+	@set -e; for s in dummy $(SHLIBS); do \
+		if [ "$$s" = "dummy" ]; then continue; fi; \
+		fn=`basename $$s`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
 	: {- output_on() unless windowsdll(); "" -};
 	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+	-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
+	-$(RMDIR) $(DESTDIR)$(OPENSSLDIR)/misc
 
 # A method to extract all names from a .pod file
 # The first sed extracts everything between "=head1 NAME" and the next =head1
-# The second sed joins all the lines into one
-# The third sed removes the description and turns all commas into spaces
+# The perl command joins all the lines into one
+# The second sed removes the description and turns all commas into spaces
 # Voilà, you have a space separated list of names!
 EXTRACT_NAMES=sed -e '1,/^=head1  *NAME *$$/d;/^=head1/,$$d' | \
-              sed -e ':a;{N;s/\n/ /;ba}' | \
+              $(PERL) -p -0 -e 's/\n/ /g; END {print "\n"}' | \
               sed -e 's/ - .*$$//;s/,/ /g'
 PROCESS_PODS=\
 	set -e; \
@@ -462,6 +578,7 @@ UNINSTALL_DOCS=\
 			$(RM) $$top/man$$SEC/$$n$$suf; \
 		    fi; \
 		done; \
+		( $(RMDIR) $$top/man$$SEC 2>/dev/null || exit 0 ); \
 	    done; \
 	done
 
@@ -517,13 +634,35 @@ generate: generate_apps generate_crypto_bn generate_crypto_objects
 lint:
 	lint -DLINT $(INCLUDES) $(SRCS)
 
-generate_apps: $(SRCDIR)/apps/openssl-vms.cnf $(SRCDIR)/apps/progs.h
+{- # because the program apps/openssl has object files as sources, and
+   # they then have the corresponding C files as source, we need to chain
+   # the lookups in %unified_info
+   my $apps_openssl = catfile("apps","openssl");
+   our @openssl_source = map { @{$unified_info{sources}->{$_}} }
+                         @{$unified_info{sources}->{$apps_openssl}};
+   ""; -}
+generate_apps:
+	( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
+				< apps/openssl.cnf > apps/openssl-vms.cnf )
+	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b apps/progs.pl \
+					{- join(" ", @openssl_source) -} \
+					> apps/progs.h )
 
-generate_crypto_bn: $(SRCDIR)/crypto/bn/bn_prime.h
+generate_crypto_bn:
+	( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
 
-generate_crypto_objects: $(SRCDIR)/crypto/objects/obj_dat.h \
-                         $(SRCDIR)/include/openssl/obj_mac.h \
-                         $(SRCDIR)/crypto/objects/obj_xref.h
+generate_crypto_objects:
+	( cd $(SRCDIR); $(PERL) crypto/objects/obj_dat.pl \
+				include/openssl/obj_mac.h \
+				crypto/objects/obj_dat.h )
+	( cd $(SRCDIR); $(PERL) crypto/objects/objects.pl \
+				crypto/objects/objects.txt \
+				crypto/objects/obj_mac.num \
+				include/openssl/obj_mac.h )
+	( cd $(SRCDIR); $(PERL) crypto/objects/objxref.pl \
+				crypto/objects/obj_mac.num \
+				crypto/objects/obj_xref.txt \
+				> crypto/objects/obj_xref.h )
 
 errors:
 	( cd $(SRCDIR); $(PERL) util/ck_errf.pl -strict */*.c */*/*.c )
@@ -533,8 +672,6 @@ errors:
 	      $(PERL) ../util/mkerr.pl -conf $$e \
 		      -nostatic -staticloader -write *.c; \
 	  done )
-	( cd $(SRCDIR)/crypto/ct; \
-	  $(PERL) ../../util/mkerr.pl -conf ct.ec -hprefix internal/ -write *.c )
 
 ordinals:
 	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
@@ -553,9 +690,11 @@ tags TAGS: FORCE
 
 # Release targets (note: only available on Unix) #####################
 
+TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - 
+PREPARE_CMD=:
 tar:
 	TMPDIR=/var/tmp/openssl-copy.$$$$; \
-	DISTDIR=openssl-$(VERSION); \
+	DISTDIR=$(NAME); \
 	mkdir -p $$TMPDIR/$$DISTDIR; \
 	(cd $(SRCDIR); \
 	 git ls-tree -r --name-only --full-tree HEAD \
@@ -564,11 +703,11 @@ tar:
 	       cp $$F $$TMPDIR/$$DISTDIR/$$F; \
 	   done); \
 	(cd $$TMPDIR; \
-	 [ -n "$(PREPARE_CMD)" ] && $(PREPARE_CMD); \
+	 $(PREPARE_CMD); \
 	 find $$TMPDIR/$$DISTDIR -type d -print | xargs chmod 755; \
 	 find $$TMPDIR/$$DISTDIR -type f -print | xargs chmod a+r; \
 	 find $$TMPDIR/$$DISTDIR -type f -perm -0100 -print | xargs chmod a+x; \
-	 $(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - $$DISTDIR) \
+	 $(TAR_COMMAND) $$DISTDIR) \
 	| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
 	rm -rf $$TMPDIR
 	cd $(SRCDIR); ls -l $(TARFILE).gz
@@ -578,83 +717,23 @@ dist:
 
 # Helper targets #####################################################
 
-rehash: link-utils copy-certs build_apps
-	@if [ -z "$(CROSS_COMPILE)" ]; then \
-		(OPENSSL="$(BLDDIR)/util/shlib_wrap.sh apps/openssl"; \
-		[ -x "$(BLDDIR)/openssl.exe" ] && OPENSSL="$(BLDDIR)/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
-		$$OPENSSL rehash certs/demo \
-		|| $(PERL) tools/c_rehash certs/demo) && \
-		touch rehash.time; \
-	else :; fi
-
 link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/shlib_wrap.sh
 
-$(BLDDIR)/util/opensslwrap.sh: Makefile
+$(BLDDIR)/util/opensslwrap.sh: configdata.pm
 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
 	    mkdir -p "$(BLDDIR)/util"; \
 	    ln -sf "../$(SRCDIR)/util/opensslwrap.sh" "$(BLDDIR)/util"; \
 	fi
-$(BLDDIR)/util/shlib_wrap.sh: Makefile
+$(BLDDIR)/util/shlib_wrap.sh: configdata.pm
 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
 	    mkdir -p "$(BLDDIR)/util"; \
 	    ln -sf "../$(SRCDIR)/util/shlib_wrap.sh" "$(BLDDIR)/util"; \
 	fi
-
-copy-certs: FORCE
-	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
-	    cp -R "$(SRCDIR)/certs" "$(BLDDIR)/"; \
-	fi
-
-$(SRCDIR)/apps/openssl-vms.cnf: $(SRCDIR)/apps/openssl.cnf
-	$(PERL) $(SRCDIR)/VMS/VMSify-conf.pl \
-                < $(SRCDIR)/apps/openssl.cnf > $(SRCDIR)/apps/openssl-vms.cnf
-
-{- # because the program apps/openssl has object files as sources, and
-   # they then have the corresponding C files as source, we need to chain
-   # the lookups in %unified_info
-   my $apps_openssl = catfile("apps","openssl");
-   our @openssl_source = map { @{$unified_info{sources}->{$_}} }
-                         @{$unified_info{sources}->{$apps_openssl}};
-   ""; -}
-$(SRCDIR)/apps/progs.h:
-	$(RM) $@
-	$(PERL) $(SRCDIR)/apps/progs.pl {- join(" ", @openssl_source) -} > $@
-
-$(SRCDIR)/crypto/bn/bn_prime.h: $(SRCDIR)/crypto/bn/bn_prime.pl
-	$(PERL) $(SRCDIR)/crypto/bn/bn_prime.pl > $(SRCDIR)/crypto/bn/bn_prime.h
-
-$(SRCDIR)/crypto/objects/obj_dat.h: $(SRCDIR)/crypto/objects/obj_dat.pl \
-                                    $(SRCDIR)/include/openssl/obj_mac.h
-	$(PERL) $(SRCDIR)/crypto/objects/obj_dat.pl \
-                $(SRCDIR)/include/openssl/obj_mac.h \
-                $(SRCDIR)/crypto/objects/obj_dat.h
-
-# objects.pl both reads and writes obj_mac.num
-$(SRCDIR)/include/openssl/obj_mac.h: $(SRCDIR)/crypto/objects/objects.pl \
-                                     $(SRCDIR)/crypto/objects/objects.txt \
-                                     $(SRCDIR)/crypto/objects/obj_mac.num
-	$(PERL) $(SRCDIR)/crypto/objects/objects.pl \
-                $(SRCDIR)/crypto/objects/objects.txt \
-                $(SRCDIR)/crypto/objects/obj_mac.num \
-                $(SRCDIR)/include/openssl/obj_mac.h
-	@sleep 1; touch $(SRCDIR)/include/openssl/obj_mac.h; sleep 1
-
-$(SRCDIR)/crypto/objects/obj_xref.h: $(SRCDIR)/crypto/objects/objxref.pl \
-                                     $(SRCDIR)/crypto/objects/obj_xref.txt \
-                                     $(SRCDIR)/crypto/objects/obj_mac.num
-	$(PERL) $(SRCDIR)/crypto/objects/objxref.pl \
-                $(SRCDIR)/crypto/objects/obj_mac.num \
-                $(SRCDIR)/crypto/objects/obj_xref.txt \
-                > $(SRCDIR)/crypto/objects/obj_xref.h
-	@sleep 1; touch $(SRCDIR)/crypto/objects/obj_xref.h; sleep 1
-
-FORCE :
+FORCE:
 
 # Building targets ###################################################
 
-libcrypto.pc libssl.pc openssl.pc: Makefile $(LIBS)
+libcrypto.pc libssl.pc openssl.pc: configdata.pm $(LIBS)
 libcrypto.pc:
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
@@ -697,8 +776,8 @@ openssl.pc:
 # wasn't passed down automatically.  It's quite safe to use it like we do
 # below; if it doesn't exist, the result will be empty and 'make' will pick
 # up $(MAKEFLAGS) which is passed down as an environment variable.
-Makefile: {- $config{build_file_template} -} $(SRCDIR)/Configure $(SRCDIR)/config
-	@echo "Makefile is older than {- $config{build_file_template} -}, $(SRCDIR)/Configure or $(SRCDIR)/config."
+configdata.pm: $(SRCDIR)/Configurations/unix-Makefile.tmpl $(SRCDIR)/Configurations/common.tmpl $(SRCDIR)/Configure $(SRCDIR)/config {- join(" ", @{$config{build_infos}}) -}
+	@echo "Detected changed: $?"
 	@echo "Reconfiguring..."
 	$(SRCDIR)/Configure reconf
 	@echo "**************************************************"
@@ -715,56 +794,121 @@ Makefile: {- $config{build_file_template} -} $(SRCDIR)/Configure $(SRCDIR)/confi
   # Helper function to figure out dependencies on libraries
   # It takes a list of library names and outputs a list of dependencies
   sub compute_lib_depends {
-      if ($config{no_shared}) {
-          return map { $_."\$(LIB_EXT)" } @_;
+      if ($disabled{shared}) {
+          return map { $_.$libext } @_;
       }
 
       # Depending on shared libraries:
       # On Windows POSIX layers, we depend on {libname}.dll.a
       # On Unix platforms, we depend on {shlibname}.so
-      return map { if (windowsdll()) {
-                       "$_\$(SHLIB_EXT_SIMPLE).a"
-		   } else {
-		       my $libname =
-		           $unified_info{sharednames}->{$_} || $_;
-		       "$libname\$(SHLIB_EXT_SIMPLE)"
-		   } } @_;
+      return map { shlib_simple($_) } @_;
   }
 
-  sub src2dep {
+  sub generatesrc {
       my %args = @_;
-      my $dep = $args{obj}.'$(DEP_EXT)';
-      my $obj = $args{obj}.'$(OBJ_EXT)';
-      my $srcs = join(" ", @{$args{srcs}});
-      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
-      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
-      my $makedepprog = $config{makedepprog};
-      if ($makedepprog eq "makedepend") {
+      my $generator = join(" ", @{$args{generator}});
+      my $incs = join("", map { " -I".$_ } @{$args{incs}});
+      my $deps = join(" ", @{$args{deps}});
+
+      if ($args{src} !~ /\.[sS]$/) {
           return <<"EOF";
-$dep : $deps
-	rm -f \$\@.tmp; touch \$\@.tmp
-	\$(MAKEDEPEND) -f\$\@.tmp -o"|$obj"\
-	    -- -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs \
-	    -- $srcs
-	sed -e 's/^.*|//' -e 's/ \\/\\(\\\\.\\|[^ ]\\)*//g' -e '/: *\$/d' -e '/^\\(#.*\\| *\\)\$/d' \$\@.tmp > \$\@
-	rm \$\@.tmp
+$args{src}: $args{generator}->[0] $deps
+	\$(PERL) $generator > \$@
+EOF
+      } else {
+          if ($args{generator}->[0] =~ /\.pl$/) {
+              $generator = 'CC="$(CC)" $(PERL) '.$generator;
+          } elsif ($args{generator}->[0] =~ /\.m4$/) {
+              $generator = 'm4 -B 8192 '.$generator.' >'
+          } elsif ($args{generator}->[0] =~ /\.S$/) {
+              $generator = undef;
+          } else {
+              die "Generator type for $args{src} unknown: $generator\n";
+          }
+
+          if (defined($generator)) {
+              # If the target is named foo.S in build.info, we want to
+              # end up generating foo.s in two steps.
+              if ($args{src} =~ /\.S$/) {
+                   (my $target = $args{src}) =~ s|\.S$|.s|;
+                   return <<"EOF";
+$target: $args{generator}->[0] $deps
+	( trap "rm -f \$@.*" INT 0; \\
+	  $generator \$@.S; \\
+	  \$(CC) \$(CFLAGS) $incs -E -P \$@.S > \$@.i && mv -f \$@.i \$@ )
+EOF
+              }
+              # Otherwise....
+              return <<"EOF";
+$args{src}: $args{generator}->[0] $deps
+	$generator \$@
+EOF
+          }
+          return <<"EOF";
+$args{src}: $args{generator}->[0] $deps
+	\$(CC) \$(CFLAGS) $incs -E -P \$< > \$@
 EOF
       }
-      return <<"EOF";
-$dep : $deps Makefile
-	\$(CC) -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs -MM -MF \$\@ -MQ $obj $srcs
-EOF
   }
+
+  # Should one wonder about the end of the Perl snippet, it's because this
+  # second regexp eats up line endings as well, if the removed path is the
+  # last in the line.  We may therefore need to put back a line ending.
   sub src2obj {
       my %args = @_;
-      my $obj = $args{obj}.'$(OBJ_EXT)';
-      my $srcs = join(" ", @{$args{srcs}});
-      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
-      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
-      return <<"EOF";
-$obj : $deps
-	\$(CC) \$(CFLAGS)$incs -c -o \$\@ $srcs
+      my $obj = $args{obj};
+      my @srcs = map { if ($unified_info{generate}->{$_}) {
+                           (my $x = $_) =~ s/\.S$/.s/; $x
+                       } else {
+                           $_
+                       }
+                     } ( @{$args{srcs}} );
+      my $srcs = join(" ",  @srcs);
+      my $deps = join(" ", @srcs, @{$args{deps}});
+      my $incs = join("", map { " -I".$_ } @{$args{incs}});
+      unless ($disabled{zlib}) {
+          if ($withargs{zlib_include}) {
+              $incs .= " -I".$withargs{zlib_include};
+          }
+      }
+      my $ecflags = { lib => '$(LIB_CFLAGS)',
+                      dso => '$(DSO_CFLAGS)',
+                      bin => '$(BIN_CFLAGS)' } -> {$args{intent}};
+      my $makedepprog = $config{makedepprog};
+      my $recipe = "";
+      if (!$disabled{makedepend} && $makedepprog =~ /\/makedepend/) {
+          $recipe .= <<"EOF";
+$obj$depext: $deps
+	-\$(MAKEDEPEND) -f- -o"|$obj$objext" -- \$(CFLAGS) $ecflags$incs -- $srcs \\
+	    >\$\@.tmp 2>/dev/null
+	-\$(PERL) -i -pe 's/^.*\\|//; s/ \\/(\\\\.|[^ ])*//; \$\$_ = undef if (/: *\$\$/ || /^(#.*| *)\$\$/); \$\$_.="\\n" unless !defined(\$\$_) or /\\R\$\$/g;' \$\@.tmp
+	\@if cmp \$\@.tmp \$\@ > /dev/null 2> /dev/null; then \\
+		rm -f \$\@.tmp; \\
+	else \\
+		mv \$\@.tmp \$\@; \\
+	fi
 EOF
+          $deps = $obj.$depext;
+      }
+      if ($disabled{makedepend} || $makedepprog =~ /\/makedepend/) {
+          $recipe .= <<"EOF";
+$obj$objext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$incs -c -o \$\@ $srcs
+EOF
+      }
+      if (!$disabled{makedepend} && $makedepprog !~ /\/makedepend/) {
+          $recipe .= <<"EOF";
+$obj$objext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$incs -MMD -MF $obj$depext.tmp -MT \$\@ -c -o \$\@ $srcs
+	\@touch $obj$depext.tmp
+	\@if cmp $obj$depext.tmp $obj$depext > /dev/null 2> /dev/null; then \\
+		rm -f $obj$depext.tmp; \\
+	else \\
+		mv $obj$depext.tmp $obj$depext; \\
+	fi
+EOF
+      }
+      return $recipe;
   }
   # On Unix, we build shlibs from static libs, so we're ignoring the
   # object file array.  We *know* this routine is only called when we've
@@ -783,38 +927,37 @@ EOF
       my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
       my $shlib_target = $target{shared_target};
       my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
-      my $shlibtarget = windowsdll() ?
-	  "$lib\$(SHLIB_EXT_SIMPLE).a" : "$shlib\$(SHLIB_EXT_SIMPLE)";
+      my $target = shlib_simple($lib);
       return <<"EOF"
 # With a build on a Windows POSIX layer (Cygwin or Mingw), we know for a fact
 # that two files get produced, {shlibname}.dll and {libname}.dll.a.
 # With all other Unix platforms, we often build a shared library with the
 # SO version built into the file name and a symlink without the SO version
 # It's not necessary to have both as targets.  The choice falls on the
-# simplest, {libname}\$(SHLIB_EXT_SIMPLE).a for Windows POSIX layers and
-# {libname}\$(SHLIB_EXT_SIMPLE) for the Unix platforms.
-$shlibtarget : $lib\$(LIB_EXT) $deps $ordinalsfile
+# simplest, {libname}$shlibextimport for Windows POSIX layers and
+# {libname}$shlibextsimple for the Unix platforms.
+$target: $lib$libext $deps $ordinalsfile
 	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
 		PLATFORM=\$(PLATFORM) \\
-		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
-		INSTALLTOP="\$(INSTALLTOP)" LIBDIR="\$(LIBDIR)" \\
-		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
+		PERL=\$(PERL) SRCDIR='\$(SRCDIR)' DSTDIR="$libd" \\
+		INSTALLTOP='\$(INSTALLTOP)' LIBDIR='\$(LIBDIR)' \\
+		LIBDEPS='\$(PLIB_LDFLAGS) '"$linklibs"' \$(EX_LIBS)' \\
 		LIBNAME=$libname LIBVERSION=\$(SHLIB_MAJOR).\$(SHLIB_MINOR) \\
-		LIBCOMPATVERSIONS=";\$(SHLIB_VERSION_HISTORY)" \\
-		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
-		CROSS_COMPILE="\$(CROSS_COMPILE)" \\
-		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" SHLIB_EXT=\$(SHLIB_EXT) \\
-		SHARED_RCFLAGS="\$(SHARED_RCFLAGS)" \\
-		link_a.$shlib_target
+		LIBCOMPATVERSIONS=';\$(SHLIB_VERSION_HISTORY)' \\
+		CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(LIB_CFLAGS)' \\
+		CROSS_COMPILE='\$(CROSS_COMPILE)' LDFLAGS='\$(LDFLAGS)' \\
+		SHARED_LDFLAGS='\$(LIB_LDFLAGS)' SHLIB_EXT=$shlibext \\
+		SHARED_RCFLAGS='\$(RCFLAGS)' \\
+		link_shlib.$shlib_target
 EOF
 	  . (windowsdll() ? <<"EOF" : "");
-	rm -f apps/$shlib\$(SHLIB_EXT)
-	rm -f test/$shlib\$(SHLIB_EXT)
-	cp -p $shlib\$(SHLIB_EXT) apps/
-	cp -p $shlib\$(SHLIB_EXT) test/
+	rm -f apps/$shlib$shlibext
+	rm -f test/$shlib$shlibext
+	cp -p $shlib$shlibext apps/
+	cp -p $shlib$shlibext test/
 EOF
   }
-  sub obj2dynlib {
+  sub obj2dso {
       my %args = @_;
       my $lib = $args{lib};
       my $libd = dirname($lib);
@@ -826,28 +969,29 @@ EOF
                                      " -L$d -l$l" } @{$args{deps}});
       my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
       my $shlib_target = $target{shared_target};
-      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
+      my $target = dso($lib);
       return <<"EOF";
-$lib\$(SHLIB_EXT_SIMPLE): $objs $deps
+$target: $objs $deps
 	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
 		PLATFORM=\$(PLATFORM) \\
-		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
-		LIBDEPS="\$(PLIB_LDFLAGS) $shlibdeps \$(EX_LIBS)" \\
-		LIBNAME=$libname LDFLAGS="\$(LDFLAGS)" \\
-		CC="\$(CC)" CFLAGS="\$(CFLAGS)" \\
-		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" \\
-		SHLIB_EXT=\$(SHLIB_EXT_SIMPLE) \\
+		PERL=\$(PERL) SRCDIR='\$(SRCDIR)' DSTDIR="$libd" \\
+		LIBDEPS='\$(PLIB_LDFLAGS) '"$shlibdeps"' \$(EX_LIBS)' \\
+		LIBNAME=$libname LDFLAGS='\$(LDFLAGS)' \\
+		CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(DSO_CFLAGS)' \\
+		SHARED_LDFLAGS='\$(DSO_LDFLAGS)' \\
+		SHLIB_EXT=$dsoext \\
 		LIBEXTRAS="$objs" \\
-		link_o.$shlib_target
+		link_dso.$shlib_target
 EOF
   }
   sub obj2lib {
       my %args = @_;
       my $lib = $args{lib};
-      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
       return <<"EOF";
-$lib\$(LIB_EXT) : $objs
-	\$(AR) \$\@ $objs
+$lib$libext: $objs
+	\$(AR) \$\@ \$\?
 	\$(RANLIB) \$\@ || echo Never mind.
 EOF
   }
@@ -856,23 +1000,23 @@ EOF
       my $bin = $args{bin};
       my $bind = dirname($bin);
       my $binn = basename($bin);
-      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
       my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
       my $linklibs = join("", map { my $d = dirname($_);
                                     my $f = basename($_);
                                     $d = "." if $d eq $f;
                                     (my $l = $f) =~ s/^lib//;
                                     " -L$d -l$l" } @{$args{deps}});
-      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
       return <<"EOF";
-$bin\$(EXE_EXT) : $objs $deps
-	\$(RM) $bin\$(EXE_EXT)
+$bin$exeext: $objs $deps
+	\$(RM) $bin$exeext
 	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
 		PERL=\$(PERL) SRCDIR=\$(SRCDIR) \\
-		APPNAME=$bin OBJECTS="$objs" \\
-		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
-		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
-		LIBRPATH="\$(INSTALLTOP)/\$(LIBDIR)" \\
+		APPNAME=$bin$exeext OBJECTS="$objs" \\
+		LIBDEPS='\$(PLIB_LDFLAGS) '"$linklibs"' \$(EX_LIBS)' \\
+		CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(BIN_CFLAGS)' \\
+		LDFLAGS='\$(LDFLAGS)' LIBRPATH='\$(INSTALLTOP)/\$(LIBDIR)' \\
 		link_app.$shlib_target
 EOF
   }
@@ -884,7 +1028,7 @@ EOF
                                            "util", "dofile.pl")),
                            rel2abs($config{builddir}));
       return <<"EOF";
-$script : $sources
+$script: $sources
 	\$(PERL) "-I\$(BLDDIR)" -Mconfigdata "$dofile" \\
 	    "-o$target{build_file}" $sources > "$script"
 	chmod a+x $script

Configurations/windows-makefile.tmpl

@@ -0,0 +1,450 @@
+##
+## Makefile for OpenSSL
+##
+## {- join("\n## ", @autowarntext) -}
+{-
+ our $objext = $target{obj_extension} || ".obj";
+ our $depext = $target{dep_extension} || ".d";
+ our $exeext = $target{exe_extension} || ".exe";
+ our $libext = $target{lib_extension} || ".lib";
+ our $shlibext = $target{shared_extension} || ".dll";
+ our $shlibextimport = $target{shared_import_extension} || ".lib";
+ our $dsoext = $target{dso_extension} || ".dll";
+
+ my $win_installenv =
+     $target{build_scheme}->[2] eq "VC-W32" ?
+     "ProgramFiles(x86)" : "ProgramW6432";
+ my $win_commonenv =
+     $target{build_scheme}->[2] eq "VC-W32"
+     ? "CommonProgramFiles(x86)" : "CommonProgramW6432";
+ our $win_installroot =
+     defined($ENV{$win_installenv})
+     ? '%'.$win_installenv.'%' : '%ProgramFiles%';
+ our $win_commonroot =
+     defined($ENV{$win_commonenv})
+     ? '%'.$win_commonenv.'%' : '%CommonProgramFiles%';
+
+ sub shlib {
+     return () if $disabled{shared};
+     my $lib = shift;
+     return $unified_info{sharednames}->{$lib} . $shlibext;
+ }
+
+ sub shlib_import {
+     return () if $disabled{shared};
+     my $lib = shift;
+     return $lib . $shlibextimport;
+ }
+
+ sub dso {
+     my $dso = shift;
+
+     return $dso . $dsoext;
+ }
+ '';
+-}
+
+PLATFORM={- $config{target} -}
+SRCDIR={- $config{sourcedir} -}
+BLDDIR={- $config{builddir} -}
+
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+
+LIBS={- join(" ", map { $_.$libext } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { shlib($_) } @{$unified_info{libraries}}) -}
+ENGINES={- join(" ", map { dso($_) } @{$unified_info{engines}}) -}
+PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test\\| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(" ", map { $_.$exeext } grep { m|^test\\| } @{$unified_info{programs}}) -}
+SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}
+
+{- output_off() if $disabled{makedepend}; "" -}
+DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|$depext|; $x; }
+                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                  keys %{$unified_info{sources}}); -}
+{- output_on() if $disabled{makedepend}; "" -}
+
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
+	      #
+	      our $prefix = $config{prefix} || "$win_installroot\\OpenSSL";
+              $prefix -}
+OPENSSLDIR={- #
+	      # The logic here is that if no --openssldir was given,
+	      # OPENSSLDIR will get the value from $prefix plus "/ssl".
+	      # If --openssldir was given and the value is an absolute
+	      # path, OPENSSLDIR will get its value without change.
+	      # If the value from --openssldir is a relative path,
+	      # OPENSSLDIR will get $prefix with the --openssldir
+	      # value appended as a subdirectory.
+	      #
+              use File::Spec::Functions;
+              our $openssldir =
+                  $config{openssldir} ?
+                      (file_name_is_absolute($config{openssldir}) ?
+                           $config{openssldir}
+                           : catdir($prefix, $config{openssldir}))
+                      : "$win_commonroot\\SSL";
+              $openssldir -}
+LIBDIR={- our $libdir = $config{libdir} || "lib";
+          $libdir -}
+ENGINESDIR={- use File::Spec::Functions;
+              our $enginesdir = catdir($prefix,$libdir,"engines");
+	      $enginesdir -}
+
+CC={- $target{cc} -}
+CFLAGS={- join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}})) -} {- join(" ", quotify_l("-DENGINESDIR=\"$enginesdir\"", "-DOPENSSLDIR=\"$openssldir\"")) -} {- $target{cflags} -} {- $config{cflags} -}
+COUTFLAG={- $target{coutflag} || "/Fo" -}
+RC={- $target{rc} || "rc" -}
+RCOUTFLAG={- $target{rcoutflag} || "/fo" -}
+LD={- $target{ld} || "link" -}
+LDFLAGS={- $target{lflags} -}
+LDOUTFLAG={- $target{loutflag} || "/out:" -}
+EX_LIBS={- $target{ex_libs} -}
+LIB_CFLAGS={- join(" ", $target{lib_cflags}, $target{shared_cflag}) || "" -}
+LIB_LDFLAGS={- $target{shared_ldflag} || "" -}
+DSO_CFLAGS={- join(" ", $target{dso_cflags}, $target{shared_cflag}) || "" -}
+DSO_LDFLAGS={- join(" ", $target{dso_lflags}, $target{shared_ldflag}) || "" -}
+BIN_CFLAGS={- $target{bin_cflags} -}
+BIN_LDFLAGS={- $target{bin_lflags} -}
+
+PERL={- $config{perl} -}
+
+AR={- $target{ar} -}
+ARFLAGS= {- $target{arflags} -}
+AROUTFLAG={- $target{aroutflag} || "/out:" -}
+
+AS={- $target{as} -}
+ASFLAGS={- $target{asflags} -}
+ASOUTFLAG={- $target{asoutflag} -}
+PERLASM_SCHEME= {- $target{perlasm_scheme} -}
+
+PROCESSOR= {- $config{processor} -}
+
+# The main targets ###################################################
+
+all: configdata.pm build_libs_nodep build_engines_nodep build_apps_nodep depend
+
+build_libs: configdata.pm build_libs_nodep depend
+build_libs_nodep: $(LIBS)
+build_engines: configdata.pm build_engines_nodep depend
+build_engines_nodep: $(ENGINES)
+build_apps: configdata.pm build_apps_nodep depend
+build_apps_nodep: $(PROGRAMS) $(SCRIPTS)
+build_tests: configdata.pm build_tests_nodep depend
+build_tests_nodep: $(TESTPROGS)
+
+test tests: build_tests_nodep build_apps_nodep build_engines_nodep depend
+	@rem {- output_off() if $disabled{tests}; "" -}
+	set SRCTOP=$(SRCDIR)
+	set BLDTOP=$(BLDDIR)
+	set PERL=$(PERL)
+	$(PERL) $(SRCDIR)\test\run_tests.pl $(TESTS)
+	@rem {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+	@echo "Tests are not supported with your chosen Configure options"
+	@rem {- output_on() if !$disabled{tests}; "" -}
+
+list-tests:
+	@set TOP=$(SRCDIR)
+	@set PERL=$(PERL)
+	@$(PERL) $(SRCDIR)\test\run_tests.pl list
+
+install: install_sw install_ssldirs install_docs
+
+uninstall: uninstall_docs uninstall_sw
+
+libclean:
+	$(PERL) -e "map { m/(.*)\.dll$$/; unlink glob """$$1.*""" } @ARGV" $(SHLIBS)
+	del /Q /F $(LIBS)
+	del lib.pdb
+
+clean: libclean
+	del /Q /F $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
+	del /Q /S /F *.asm
+	del /Q /S /F *.d
+	del /Q /S /F *.obj
+	del /Q /S /F *.pdb
+	del /Q /S /F *.exp
+	del /Q /S /F engines\*.ilk
+	del /Q /S /F engines\*.lib
+
+depend:
+
+# Install helper targets #############################################
+
+install_sw: all install_dev install_engines install_runtime
+
+uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+
+install_docs:
+
+uninstall_docs:
+
+install_ssldirs:
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)\certs"
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)\private"
+
+install_dev:
+	@if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 )
+	@echo *** Installing development files
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)\include\openssl"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(SRCDIR)\include\openssl\*.h \
+				       "$(DESTDIR)$(INSTALLTOP)\include\openssl"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(BLDDIR)\include\openssl\*.h \
+				       "$(DESTDIR)$(INSTALLTOP)\include\openssl"
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)\$(LIBDIR)"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(LIBS) \
+				       "$(DESTDIR)$(INSTALLTOP)\$(LIBDIR)"
+
+uninstall_dev:
+
+install_engines:
+	@if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 )
+	@echo *** Installing engines
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)"
+	@if not "$(ENGINES)"=="" \
+	 $(PERL) $(SRCDIR)\util\copy.pl $(ENGINES) "$(DESTDIR)$(ENGINESDIR)"
+
+uninstall_engines:
+
+install_runtime:
+	@if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 )
+	@echo *** Installing runtime files
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)\bin"
+	@if not "$(SHLIBS)"=="" \
+	 $(PERL) $(SRCDIR)\util\copy.pl $(SHLIBS) "$(DESTDIR)$(INSTALLTOP)\bin"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(PROGRAMS) "$(DESTDIR)$(INSTALLTOP)\bin"
+
+uninstall_runtime:
+
+# Building targets ###################################################
+
+configdata.pm: {- $config{build_file_template} -} $(SRCDIR)\Configure
+	@echo "Detected changed: $?"
+	@echo "Reconfiguring..."
+	$(PERL) $(SRCDIR)\Configure reconf
+	@echo "**************************************************"
+	@echo "***                                            ***"
+	@echo "***   Please run the same make command again   ***"
+	@echo "***                                            ***"
+	@echo "**************************************************"
+	@exit 1
+
+{-
+ use File::Basename;
+ use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+
+ # Helper function to figure out dependencies on libraries
+ # It takes a list of library names and outputs a list of dependencies
+ sub compute_lib_depends {
+     if ($disabled{shared}) {
+	 return map { $_.$libext } @_;
+     }
+     return map { shlib_import($_) } @_;
+ }
+
+  sub generatesrc {
+      my %args = @_;
+      (my $target = $args{src}) =~ s/\.[sS]$/.asm/;
+      my $generator = join(" ", @{$args{generator}});
+      my $incs = join("", map { " /I ".$_ } @{$args{incs}});
+      my $deps = join(" ", @{$args{deps}});
+
+      if ($target !~ /\.asm$/) {
+          return <<"EOF";
+$target: $args{generator}->[0] $deps
+	\$(PERL) $generator > \$@
+EOF
+      } else {
+          if ($args{generator}->[0] =~ /\.pl$/) {
+              $generator = '$(PERL) '.$generator;
+          } elsif ($args{generator}->[0] =~ /\.S$/) {
+              $generator = undef;
+          } else {
+              die "Generator type for $src unknown: $generator\n";
+          }
+
+          if (defined($generator)) {
+              # If the target is named foo.S in build.info, we want to
+              # end up generating foo.s in two steps.
+              if ($args{src} =~ /\.S$/) {
+                   return <<"EOF";
+$target: $args{generator}->[0] $deps
+	set ASM=\$(AS)
+	set CC=\$(CC)
+	$generator \$@.S
+	\$(CC) \$(CFLAGS) $incs /EP /C \$@.S > \$@.i && move /Y \$@.i \$@
+        del /Q \$@.S
+EOF
+              }
+              # Otherwise....
+              return <<"EOF";
+$target: $args{generator}->[0] $deps
+	set ASM=\$(AS)
+	set CC=\$(CC)
+	$generator \$@
+EOF
+          }
+          return <<"EOF";
+$target: $args{generator}->[0] $deps
+	\$(CC) \$(CFLAGS) $incs /EP /C $args{generator}->[0] > \$@.i && move /Y \$@.i \$@
+EOF
+      }
+  }
+
+ sub src2obj {
+     my %args = @_;
+     my $obj = $args{obj};
+     my @srcs = map { (my $x = $_) =~ s/\.s$/.asm/; $x
+                    } ( @{$args{srcs}} );
+     my $srcs = join(" ",  @srcs);
+     my $deps = join(" ", @srcs, @{$args{deps}});
+     my $incs = join("", map { " /I ".$_ } @{$args{incs}});
+     unless ($disabled{zlib}) {
+         if ($withargs{zlib_include}) {
+             $incs .= " /I ".$withargs{zlib_include};
+         }
+     }
+     my $ecflags = { lib => '$(LIB_CFLAGS)',
+		     dso => '$(DSO_CFLAGS)',
+		     bin => '$(BIN_CFLAGS)' } -> {$args{intent}};
+     my $makedepprog = $config{makedepprog};
+     if ($srcs[0] =~ /\.asm$/) {
+         return <<"EOF";
+$obj$objext: $deps
+	\$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs
+EOF
+     }
+     return <<"EOF"	if (!$disabled{makedepend});
+$obj$depext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$inc /Zs /showIncludes $srcs 2>&1 | \\
+	    \$(PERL) -n << > $obj$depext
+chomp;
+s/^Note: including file: *//;
+\$\$collect{\$\$_} = 1;
+END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" }
+<<
+$obj$objext: $obj$depext
+	\$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ @<<
+$srcs
+<<
+EOF
+    return <<"EOF"	if ($disabled{makedepend});
+$obj$objext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ $srcs
+EOF
+ }
+
+ # On Unix, we build shlibs from static libs, so we're ignoring the
+ # object file array.  We *know* this routine is only called when we've
+ # configure 'shared'.
+ sub libobj2shlib {
+     my %args = @_;
+     my $lib = $args{lib};
+     my $shlib = $args{shlib};
+     (my $mkdef_key = $lib) =~ s/^lib//i;
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $linklibs = join("",
+			 map { "\n$_" } compute_lib_depends(@{$args{deps}}));
+     my $deps = join(" ",
+		     (map { $_.$objext } @{$args{objs}}),
+		     compute_lib_depends(@{$args{deps}}));
+     my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
+     my $mkdef_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+					    "util", "mkdef.pl")),
+			    rel2abs($config{builddir}));
+     my $mkrc_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+					   "util", "mkrc.pl")),
+			   rel2abs($config{builddir}));
+     my $target = shlib_import($lib);
+     return <<"EOF"
+$target: $deps $ordinalsfile $mkdef_pl
+	\$(PERL) $mkdef_pl "$mkdef_key" 32 > $shlib.def
+	\$(PERL) -i.tmp -pe "s|^LIBRARY\\s+${mkdef_key}32|LIBRARY $shlib|;" $shlib.def
+	DEL $shlib.def.tmp
+	\$(PERL) $mkrc_pl $shlib$shlibext > $shlib.rc
+	\$(RC) \$(RCOUTFLAG)$shlib.res $shlib.rc
+	\$(LD) \$(LDFLAGS) \$(LIB_LDFLAGS) \\
+		/implib:\$@ \$(LDOUTFLAG)$shlib$shlibext /def:$shlib.def @<< || (DEL /Q \$(\@B).* $shlib.* && EXIT 1)
+$objs $shlib.res$linklibs \$(EX_LIBS)
+<<
+	DEL /F apps\\$shlib$shlibext
+	DEL /F test\\$shlib$shlibext
+	COPY $shlib$shlibext apps
+	COPY $shlib$shlibext test
+EOF
+ }
+ sub obj2dso {
+     my %args = @_;
+     my $dso = $args{lib};
+     my $dso_n = basename($dso);
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $linklibs = join("",
+			 map { "\n$_" } compute_lib_depends(@{$args{deps}}));
+     my $deps = join(" ",
+		     (map { $_.$objext } @{$args{objs}}),
+		     compute_lib_depends(@{$args{deps}}));
+     return <<"EOF";
+$dso$dsoext: $deps
+	\$(LD) \$(LDFLAGS) \$(DSO_LDFLAGS) \$(LDOUTFLAG)$dso$dsoext /def:<< @<<
+LIBRARY         $dso_n
+EXPORTS
+    bind_engine		@1
+    v_check		@2
+<<
+$objs$linklibs \$(EX_LIBS)
+<<
+EOF
+ }
+ sub obj2lib {
+     # Because static libs and import libs are both named the same in native
+     # Windows, we can't have both.  We skip the static lib in that case,
+     # as the shared libs are what we use anyway.
+     return "" unless $disabled{"shared"};
+
+     my %args = @_;
+     my $lib = $args{lib};
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $deps = join(" ", map { $_.$objext } @{$args{objs}});
+     return <<"EOF";
+$lib$libext: $deps
+	\$(AR) \$(ARFLAGS) \$(AROUTFLAG)$lib$libext @<<
+\$\?
+<<
+EOF
+ }
+ sub obj2bin {
+     my %args = @_;
+     my $bin = $args{bin};
+     my $objs = join("\n", map { $_.$objext } @{$args{objs}});
+     my $linklibs = join("",
+			 map { "\n$_" } compute_lib_depends(@{$args{deps}}));
+     my $deps = join(" ",
+		     (map { $_.$objext } @{$args{objs}}),
+		     compute_lib_depends(@{$args{deps}}));
+     return <<"EOF";
+$bin$exeext: $deps
+	\$(LD) \$(LDFLAGS) \$(BIN_LDFLAGS) \$(LDOUTFLAG)$bin$exeext @<<
+$objs setargv.obj$linklibs \$(EX_LIBS)
+<<
+EOF
+  }
+  sub in2script {
+      my %args = @_;
+      my $script = $args{script};
+      my $sources = join(" ", @{$args{sources}});
+      my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
+                                           "util", "dofile.pl")),
+                           rel2abs($config{builddir}));
+      return <<"EOF";
+$script: $sources
+	\$(PERL) "-I\$(BLDDIR)" -Mconfigdata "$dofile" \\
+	    "-o$target{build_file}" $sources > "$script"
+EOF
+  }
+  ""    # Important!  This becomes part of the template result.
+-}

GitConfigure

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-BRANCH=`git rev-parse --abbrev-ref HEAD`
-
-./Configure $@
-make files
-util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
-MAKE=make
-which bsdmake > /dev/null && MAKE=bsdmake
-$MAKE -f makefile.$BRANCH init

GitMake

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-BRANCH=`git rev-parse --abbrev-ref HEAD`
-
-MAKE=make
-which bsdmake > /dev/null && MAKE=bsdmake
-$MAKE -f makefile.$BRANCH $@

INSTALL

@@ -1,13 +1,11 @@
 
- INSTALLATION ON THE UNIX PLATFORM
- ---------------------------------
+ OPENSSL INSTALLATION
+ --------------------
 
- [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
-  and NetWare is described in INSTALL.DJGPP, INSTALL.WIN, INSTALL.VMS,
-  INSTALL.MacOS and INSTALL.NW.
-  
-  This document describes installation on operating systems in the Unix
-  family.]
+ [This document describes installation on the main supported operating
+  systems, currently the Linux/Unix family, OpenVMS and Windows.
+  Installation on DOS (with djgpp), MacOS (before MacOS X)
+  is described in INSTALL.DJGPP or INSTALL.MacOS, respectively.]
 
  To install OpenSSL, you will need:
 
@@ -15,107 +13,349 @@
   * Perl 5 with core modules (please read README.PERL)
   * The perl module Text::Template (please read README.PERL)
   * an ANSI C compiler
-  * a development environment in form of development libraries and C
+  * a development environment in the form of development libraries and C
     header files
-  * a supported Unix operating system
+  * a supported operating system
+
+ For additional platform specific requirements and other details,
+ please read one of these:
+
+  * NOTES.VMS (OpenVMS)
+  * NOTES.WIN (any Windows except for Windows CE)
 
  Quick Start
  -----------
 
  If you want to just get on with it, do:
 
-  $ ./config
-  $ make
-  $ make test
-  $ make install
+  on Unix:
+
+    $ ./config
+    $ make
+    $ make test
+    $ make install
+
+  on OpenVMS:
+
+    $ @config
+    $ mms
+    $ mms test
+    $ mms install
+
+  on Windows (only pick one of the targets for configuration):
+
+    $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE }
+    $ nmake
+    $ nmake test
+    $ nmake install
 
  [If any of these steps fails, see section Installation in Detail below.]
 
- This will build and install OpenSSL in the default location, which is (for
- historical reasons) /usr/local/ssl. If you want to install it anywhere else,
- run config like this:
+ This will build and install OpenSSL in the default location, which is:
 
-  $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
+  Unix:    normal installation directories under /usr/local
+  OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
+           OpenSSL version number with underscores instead of periods.
+  Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
+
+ If you want to install it anywhere else, run config like this:
+
+  On Unix:
+
+    $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl
+
+  On OpenVMS:
+
+    $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
 
 
  Configuration Options
  ---------------------
 
  There are several options to ./config (or ./Configure) to customize
- the build:
+ the build (note that for Windows, the defaults for --prefix and
+ --openssldir depend in what configuration is used and what Windows
+ implementation OpenSSL is built on.  More notes on this in NOTES.WIN):
 
-  --prefix=DIR  Install in DIR/bin, DIR/lib, DIR/include/openssl.
-	        Configuration files used by OpenSSL will be in DIR/ssl
-                or the directory specified by --openssldir.
+  --prefix=DIR
+                   The top of the installation directory tree.  Defaults are:
 
-  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
-                the library files and binaries are also installed there.
+                   Unix:           /usr/local
+                   Windows:        C:\Program Files\OpenSSL
+                                or C:\Program Files (x86)\OpenSSL
+                   OpenVMS:        SYS$COMMON:[OPENSSL-'version']
 
-  no-autoalginit Don't automatically load all supported ciphers and digests.
-                Typically OpenSSL will make available all of its supported
-                ciphers and digests. For a statically linked application this
-                may be undesirable if small executable size is an objective.
-                This only affects libcrypto. Ciphers and digests will have to be
-                loaded manually using EVP_add_cipher() and EVP_add_digest() if
-                this option is used.
+  --openssldir=DIR
+                   Directory for OpenSSL configuration files, and also the
+                   default certificate and key store.  Defaults are:
 
-  no-autoerrinit Don't automatically load all libcrypto/libssl error strings.
-                Typically OpenSSL will automatically load human readable error
-                strings. For a statically linked application this may be
-                undesirable if small executable size is an objective.
+                   Unix:           /usr/local/ssl
+                   Windows:        C:\Program Files\Common Files\SSL
+                                or C:\Program Files (x86)\Common Files\SSL
+                   OpenVMS:        SYS$COMMON:[OPENSSL-COMMON]
 
-  no-threads    Don't try to build with support for multi-threaded
-                applications.
+  --api=x.y.z
+                   Don't build with support for deprecated APIs below the
+                   specified version number. For example "--api=1.1.0" will
+                   remove support for all APIS that were deprecated in OpenSSL
+                   version 1.1.0 or below.
 
-  threads       Build with support for multi-threaded applications.
-                This will usually require additional system-dependent options!
-                See "Note on multi-threading" below.
+  no-afalgeng
+                   Don't build the AFALG engine. This option will be forced if
+                   on a platform that does not support AFALG.
 
-  no-zlib       Don't try to build with support for zlib compression and
-                decompression.
+  no-asm
+                   Do not use assembler code. On some platforms a small amount
+                   of assembler code may still be used.
 
-  zlib          Build with support for zlib compression/decompression.
+  no-async
+                   Do not build support for async operations.
 
-  zlib-dynamic  Like "zlib", but has OpenSSL load the zlib library dynamically
-                when needed.  This is only supported on systems where loading
-                of shared libraries is supported.  This is the default choice.
+  no-autoalginit
+                   Don't automatically load all supported ciphers and digests.
+                   Typically OpenSSL will make available all of its supported
+                   ciphers and digests. For a statically linked application this
+                   may be undesirable if small executable size is an objective.
+                   This only affects libcrypto. Ciphers and digests will have to
+                   be loaded manually using EVP_add_cipher() and
+                   EVP_add_digest() if this option is used. This option will
+                   force a non-shared build.
 
-  no-shared     Don't try to create shared libraries.
+  no-autoerrinit
+                   Don't automatically load all libcrypto/libssl error strings.
+                   Typically OpenSSL will automatically load human readable
+                   error strings. For a statically linked application this may
+                   be undesirable if small executable size is an objective.
 
-  shared        In addition to the usual static libraries, create shared
-                libraries on platforms where it's supported.  See "Note on
-                shared libraries" below.
 
-  no-asm        Do not use assembler code.
+  no-capieng
+                   Don't build the CAPI engine. This option will be forced if
+                   on a platform that does not support CAPI.
 
-  386           Use the 80386 instruction set only (the default x86 code is
-                more efficient, but requires at least a 486). Note: Use
-                compiler flags for any other CPU specific configuration,
-                e.g. "-m32" to build x86 code on an x64 system.
+  no-cms
+                   Don't build support for CMS features
 
-  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extension is
-		detected at run-time, but the decision whether or not the
-		machine code will be executed is taken solely on CPU
-		capability vector. This means that if you happen to run OS
-		kernel which does not support SSE2 extension on Intel P4
-		processor, then your application might be exposed to
-		"illegal instruction" exception. There might be a way
-		to enable support in kernel, e.g. FreeBSD kernel can be
-		compiled with CPU_ENABLE_SSE, and there is a way to
-		disengage SSE2 code pathes upon application start-up,
-		but if you aim for wider "audience" running such kernel,
-		consider no-sse2. Both 386 and no-asm options above imply
-		no-sse2.
+  no-comp
+                   Don't build support for SSL/TLS compression. If this option
+                   is left enabled (the default), then compression will only
+                   work if the zlib or zlib-dynamic options are also chosen.
 
-  no-<cipher>   Build without the specified cipher (bf, cast, des, dh, dsa,
-                hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
-                The crypto/<cipher> directory can be removed after running
-                "make depend".
+  enable-crypto-mdebug
+                   Build support for debugging memory allocated via
+                   OPENSSL_malloc() or OPENSSL_zalloc().
 
-  -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
-                be passed through to the compiler to allow you to
-                define preprocessor symbols, specify additional libraries,
-                library directories or other compiler options.
+  enable-crypto-mdebug-backtrace
+                   As for crypto-mdebug, but additionally provide backtrace
+                   information for allocated memory.
+
+  no-ct
+                   Don't build support for Certificate Transparency.
+
+  no-deprecated
+                   Don't build with support for any deprecated APIs. This is the
+                   same as using "--api" and supplying the latest version
+                   number.
+
+  no-dgram
+                   Don't build support for datagram based BIOs. Selecting this
+                   option will also force the disabling of DTLS.
+
+  no-dso
+                   Don't build support for loading Dynamic Shared Objects.
+
+  no-dynamic-engine
+                   Don't build the dynamically loaded engines. This only has an
+                   effect in a "shared" build
+
+  no-ec
+                   Don't build support for Elliptic Curves.
+
+  no-ec2m
+                   Don't build support for binary Elliptic Curves
+
+  enable-ec_nistp_64_gcc_128
+                   Enable support for optimised implementations of some commonly
+                   used NIST elliptic curves. This is only supported on some
+                   platforms.
+
+  enable-egd
+                   Build support for gathering entropy from EGD (Entropy
+                   Gathering Daemon).
+
+  no-engine
+                   Don't build support for loading engines.
+
+  no-err
+                   Don't compile in any error strings.
+
+  no-filenames
+                   Don't compile in filename and line number information (e.g.
+                   for errors and memory allocation).
+
+  no-gost
+                   Don't build support for GOST based ciphersuites. Note that
+                   if this feature is enabled then GOST ciphersuites are only
+                   available if the GOST algorithms are also available through
+                   loading an externally supplied engine.
+
+  enable-heartbeats
+                   Build support for DTLS heartbeats.
+
+  no-hw-padlock
+                   Don't build the padlock engine.
+
+  no-makedepend
+                   Don't generate dependencies.
+
+  no-multiblock
+                   Don't build support for writing multiple records in one
+                   go in libssl (Note: this is a different capability to the
+                   pipelining functionality).
+
+  no-nextprotoneg
+                   Don't build support for the NPN TLS extension.
+
+  no-ocsp
+                   Don't build support for OCSP.
+
+  no-pic
+                   Don't build with support for Position Independent Code.
+
+  no-posix-io
+                   Don't use POSIX IO capabilities.
+
+  no-psk
+                   Don't build support for Pre-Shared Key based ciphersuites.
+
+  no-rdrand
+                   Don't use hardware RDRAND capabilities.
+
+  no-rfc3779
+                   Don't build support for RFC3779 ("X.509 Extensions for IP
+                   Addresses and AS Identifiers")
+
+  no-sct
+                   ??
+
+  sctp
+                   Build support for SCTP
+
+  no-shared
+                   Do not create shared libraries, only static ones.  See "Note
+                   on shared libraries" below.
+
+  no-sock
+                   Don't build support for socket BIOs
+
+  no-srp
+                   Don't build support for SRP or SRP based ciphersuites.
+
+  no-srtp
+                   Don't build SRTP support
+
+  no-sse2
+                   Exclude SSE2 code paths. Normally SSE2 extension is
+                   detected at run-time, but the decision whether or not the
+                   machine code will be executed is taken solely on CPU
+                   capability vector. This means that if you happen to run OS
+                   kernel which does not support SSE2 extension on Intel P4
+                   processor, then your application might be exposed to
+                   "illegal instruction" exception. There might be a way
+                   to enable support in kernel, e.g. FreeBSD kernel can be
+                   compiled with CPU_ENABLE_SSE, and there is a way to
+                   disengage SSE2 code pathes upon application start-up,
+                   but if you aim for wider "audience" running such kernel,
+                   consider no-sse2. Both the 386 and no-asm options imply
+                   no-sse2.
+
+  enable-ssl-trace
+                   Build with the SSL Trace capabilities (adds the "-trace"
+                   option to s_client and s_server).
+
+  no-static-engine
+                   Don't build the statically linked engines. This only
+                   has an impact when not built "shared".
+
+  no-stdio
+                   Don't use any C "stdio" features. Only libcrypto and libssl
+                   can be built in this way. Using this option will suppress
+                   building the command line applications. Additionally since
+                   the OpenSSL tests also use the command line applications the
+                   tests will also be skipped.
+
+  no-threads
+                   Don't try to build with support for multi-threaded
+                   applications.
+
+  threads
+                   Build with support for multi-threaded applications. Most
+                   platforms will enable this by default. However if on a
+                   platform where this is not the case then this will usually
+                   require additional system-dependent options! See "Note on
+                   multi-threading" below.
+
+  no-ts
+                   Don't build Time Stamping Authority support.
+
+  no-ui
+                   Don't build with the "UI" capability (i.e. the set of
+                   features enabling text based prompts).
+
+  enable-unit-test
+                   Enable additional unit test APIs. This should not typically
+                   be used in production deployments.
+
+  enable-weak-ssl-ciphers
+                   Build support for SSL/TLS ciphers that are considered "weak"
+                   (e.g. RC4 based ciphersuites).
+
+  zlib
+                   Build with support for zlib compression/decompression.
+
+  zlib-dynamic
+                   Like "zlib", but has OpenSSL load the zlib library
+                   dynamically when needed.  This is only supported on systems
+                   where loading of shared libraries is supported.
+
+  386
+                   On Intel hardware, use the 80386 instruction set only
+                   (the default x86 code is more efficient, but requires at
+                   least a 486). Note: Use compiler flags for any other CPU
+                   specific configuration, e.g. "-m32" to build x86 code on
+                   an x64 system.
+
+  no-<prot>
+                   Don't build support for negotiating the specified SSL/TLS
+                   protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,
+                   dtls1 or dtls1_2). If "no-tls" is selected then all of tls1,
+                   tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will
+                   disable dtls1 and dtls1_2. The "no-ssl" option is synonymous
+                   with "no-ssl3". Note this only affects version negotiation.
+                   OpenSSL will still provide the methods for applications to
+                   explicitly select the individual protocol versions.
+
+  no-<prot>-method
+                   As for no-<prot> but in addition do not build the methods for
+                   applications to explicitly select individual protocol
+                   versions.
+
+  enable-<alg>
+                   Build with support for the specified algorithm, where <alg>
+                   is one of: md2 or rc5.
+
+  no-<alg>
+                   Build without support for the specified algorithm, where
+                   <alg> is one of: bf, blake2, camellia, cast, chacha, cmac,
+                   des, dh, dsa, ecdh, ecdsa, idea, md4, md5, mdc2, ocb,
+                   ploy1305, rc2, rc4, rmd160, scrypt, seed or whirlpool. The
+                   "ripemd" algorithm is deprecated and if used is synonymous
+                   with rmd160.
+
+  -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx
+                   These system specific options will be passed through to the
+                   compiler to allow you to define preprocessor symbols, specify
+                   additional libraries, library directories or other compiler
+                   options.
 
 
  Installation in Detail
@@ -123,7 +363,16 @@
 
  1a. Configure OpenSSL for your operation system automatically:
 
-       $ ./config [options]
+     NOTE: This is not available on Windows.
+
+       $ ./config [options]                             # Unix
+
+       or
+
+       $ @config [options]                              ! OpenVMS
+
+     For the remainder of this text, the Unix form will be used in all
+     examples, please use the appropriate form for your platform.
 
      This guesses at your operating system (and compiler, if necessary) and
      configures OpenSSL based on this guess. Run ./config -t to see
@@ -140,42 +389,95 @@
      OpenSSL knows about a range of different operating system, hardware and
      compiler combinations. To see the ones it knows about, run
 
-       $ ./Configure
+       $ ./Configure                                    # Unix
+
+       or
+
+       $ perl Configure                                 # All other platforms
+
+     For the remainder of this text, the Unix form will be used in all
+     examples, please use the appropriate form for your platform.
 
      Pick a suitable name from the list that matches your system. For most
      operating systems there is a choice between using "cc" or "gcc".  When
      you have identified your system (and if necessary compiler) use this name
-     as the argument to ./Configure. For example, a "linux-elf" user would
+     as the argument to Configure. For example, a "linux-elf" user would
      run:
 
        $ ./Configure linux-elf [options]
 
-     If your system is not available, you will have to edit the Configure
-     program and add the correct configuration for your system. The
-     generic configurations "cc" or "gcc" should usually work on 32 bit
-     systems.
+     If your system isn't listed, you will have to create a configuration
+     file named Configurations/{something}.conf and add the correct
+     configuration for your system. See the available configs as examples
+     and read Configurations/README and Configurations/README.design for
+     more information.
 
-     Configure creates the file Makefile.ssl from Makefile.in and
+     The generic configurations "cc" or "gcc" should usually work on 32 bit
+     Unix-like systems.
+
+     Configure creates a build file ("Makefile" on Unix and "descrip.mms"
+     on OpenVMS) from a suitable template in Configurations, and
      defines various macros in crypto/opensslconf.h (generated from
      crypto/opensslconf.h.in).
 
+ 1c. Configure OpenSSL for building outside of the source tree.
+
+     OpenSSL can be configured to build in a build directory separate from
+     the directory with the source code.  It's done by placing yourself in
+     some other directory and invoking the configuration commands from
+     there.
+
+     Unix example:
+
+       $ mkdir /var/tmp/openssl-build
+       $ cd /var/tmp/openssl-build
+       $ /PATH/TO/OPENSSL/SOURCE/config [options]
+
+       or
+
+       $ /PATH/TO/OPENSSL/SOURCE/Configure [target] [options]
+
+     OpenVMS example:
+
+       $ set default sys$login:
+       $ create/dir [.tmp.openssl-build]
+       $ set default [.tmp.openssl-build]
+       $ @[PATH.TO.OPENSSL.SOURCE]config {options}
+
+       or
+
+       $ @[PATH.TO.OPENSSL.SOURCE]Configure {target} {options}
+
+     Windows example:
+
+       $ C:
+       $ mkdir \temp-openssl
+       $ cd \temp-openssl
+       $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {target} {options}
+
+     Paths can be relative just as well as absolute.  Configure will
+     do its best to translate them to relative paths whenever possible.
+
   2. Build OpenSSL by running:
 
-       $ make
+       $ make                                           # Unix
+       $ mms                                            ! (or mmk) OpenVMS
+       $ nmake                                          # Windows
 
-     This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
-     OpenSSL binary ("openssl"). The libraries will be built in the top-level
-     directory, and the binary will be in the "apps" directory.
+     This will build the OpenSSL libraries (libcrypto.a and libssl.a on
+     Unix, corresponding on other platforms) and the OpenSSL binary
+     ("openssl"). The libraries will be built in the top-level directory,
+     and the binary will be in the "apps" subdirectory.
 
-     If "make" fails, look at the output.  There may be reasons for
+     If the build fails, look at the output.  There may be reasons for
      the failure that aren't problems in OpenSSL itself (like missing
      standard headers).  If it is a problem with OpenSSL itself, please
-     report the problem to <openssl-bugs@openssl.org> (note that your
-     message will be recorded in the request tracker publicly readable
-     at https://www.openssl.org/community/index.html#bugs and will be
-     forwarded to a public mailing list). Include the output of "make
-     report" in your message.  Please check out the request tracker. Maybe
-     the bug was already reported or has already been fixed.
+     report the problem to <rt@openssl.org> (note that your message
+     will be recorded in the request tracker publicly readable at
+     https://www.openssl.org/community/index.html#bugs and will be
+     forwarded to a public mailing list). Please check out the request
+     tracker. Maybe the bug was already reported or has already been
+     fixed.
 
      [If you encounter assembler error messages, try the "no-asm"
      configuration option as an immediate fix.]
@@ -185,142 +487,130 @@
 
   3. After a successful build, the libraries should be tested. Run:
 
-       $ make test
+       $ make test                                      # Unix
+       $ mms test                                       ! OpenVMS
+       $ nmake test                                     # Windows
 
      If some tests fail, look at the output.  There may be reasons for
      the failure that isn't a problem in OpenSSL itself (like a
      malfunction with Perl).  You may want increased verbosity, that
      can be accomplished like this:
 
-       $ HARNESS_VERBOSE=yes make test
+       $ HARNESS_VERBOSE=yes make test                  # Unix
+
+       $ DEFINE HARNESS_VERBOSE YES
+       $ mms test                                       ! OpenVMS
+
+       $ set HARNESS_VERBOSE=yes
+       $ nmake test                                     # Windows
 
      If you want to run just one or a few specific tests, you can use
      the make variable TESTS to specify them, like this:
 
-       $ make TESTS='test_rsa test_dsa' test
+       $ make TESTS='test_rsa test_dsa' test            # Unix
+       $ mms/macro="TESTS=test_rsa test_dsa" test       ! OpenVMS
+       $ nmake TESTS='test_rsa test_dsa' test           # Windows
 
-     And of course, you can combine:
+     And of course, you can combine (Unix example shown):
        
        $ HARNESS_VERBOSE=yes make TESTS='test_rsa test_dsa' test
 
      You can find the list of available tests like this:
 
-       $ make list-tests
+       $ make list-tests                                # Unix
+       $ mms list-tests                                 ! OpenVMS
+       $ nmake list-tests                               # Windows
 
      Have a look at the manual for the perl module Test::Harness to
      see what other HARNESS_* variables there are.
 
      If you find a problem with OpenSSL itself, try removing any
-     compiler optimization flags from the CFLAG line in Makefile and
-     run "make clean; make".
+     compiler optimization flags from the CFLAGS line in Makefile and
+     run "make clean; make" or corresponding.
 
-     Please send a bug report to <openssl-bugs@openssl.org>, and when
-     you do, please run the following and include the output in your
-     report:
-
-       $ make report
+     Please send a bug reports to <rt@openssl.org>.
 
   4. If everything tests ok, install OpenSSL with
 
-       $ make install
+       $ make install                                   # Unix
+       $ mms install                                    ! OpenVMS
 
-     This will create the installation directory (if it does not exist) and
-     then the following subdirectories:
+     This will install all the software components in this directory
+     tree under PREFIX (the directory given with --prefix or its
+     default):
 
-       certs           Initially empty, this is the default location
-                       for certificate files.
-       man/man1        Manual pages for the 'openssl' command line tool
-       man/man3        Manual pages for the libraries (very incomplete)
-       misc            Various scripts.
-       private         Initially empty, this is the default location
-                       for private key files.
+       Unix:
 
-     If you didn't choose a different installation prefix, the
-     following additional subdirectories will be created:
+         bin/           Contains the openssl binary and a few other
+                        utility scripts.
+         include/openssl
+                        Contains the header files needed if you want
+                        to build your own programs that use libcrypto
+                        or libssl.
+         lib            Contains the OpenSSL library files.
+         lib/engines    Contains the OpenSSL dynamically loadable engines.
+         share/man/{man1,man3,man5,man7}
+                        Contains the OpenSSL man-pages.
+         share/doc/openssl/html/{man1,man3,man5,man7}
+                        Contains the HTML rendition of the man-pages.
 
-       bin             Contains the openssl binary and a few other 
-                       utility programs. 
-       include/openssl Contains the header files needed if you want to
-                       compile programs with libcrypto or libssl.
-       lib             Contains the OpenSSL library files themselves.
+       OpenVMS ('arch' is replaced with the architecture name, "Alpha"
+       or "ia64"):
 
-     Use "make install_sw" to install the software without documentation,
-     and "install_docs_html" to install HTML renditions of the manual
-     pages.
+         [.EXE.'arch']  Contains the openssl binary and a few other
+                        utility scripts.
+         [.include.openssl]
+                        Contains the header files needed if you want
+                        to build your own programs that use libcrypto
+                        or libssl.
+         [.LIB.'arch']  Contains the OpenSSL library files.
+         [.ENGINES.'arch']
+                        Contains the OpenSSL dynamically loadable engines.
+         [.SYS$STARTUP] Contains startup, login and shutdown scripts.
+                        These define appropriate logical names and
+                        command symbols.
+                        
+
+     Additionally, install will add the following directories under
+     OPENSSLDIR (the directory given with --openssldir or its default)
+     for you convenience:
+
+         certs          Initially empty, this is the default location
+                        for certificate files.
+         private        Initially empty, this is the default location
+                        for private key files.
+         misc           Various scripts.
 
      Package builders who want to configure the library for standard
      locations, but have the package installed somewhere else so that
      it can easily be packaged, can use
 
-       $ make DESTDIR=/tmp/package-root install
+       $ make DESTDIR=/tmp/package-root install         # Unix
+       $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
 
      The specified destination directory will be prepended to all
-     installation target filenames.
+     installation target paths.
 
-
-  NOTE: The header files used to reside directly in the include
-  directory, but have now been moved to include/openssl so that
-  OpenSSL can co-exist with other libraries which use some of the
-  same filenames.  This means that applications that use OpenSSL
-  should now use C preprocessor directives of the form
-
-       #include <openssl/ssl.h>
-
-  instead of "#include <ssl.h>", which was used with library versions
-  up to OpenSSL 0.9.2b.
-
-  If you install a new version of OpenSSL over an old library version,
-  you should delete the old header files in the include directory.
-
-  Compatibility issues:
+  Compatibility issues with previous OpenSSL versions:
 
   *  COMPILING existing applications
 
-     To compile an application that uses old filenames -- e.g.
-     "#include <ssl.h>" --, it will usually be enough to find
-     the CFLAGS definition in the application's Makefile and
-     add a C option such as
+     OpenSSL 1.1 hides a number of structures that were previously
+     open.  This includes all internal libssl structures and a number
+     of EVP types.  Accessor functions have been added to allow
+     controlled access to the structures' data.
 
-          -I/usr/local/ssl/include/openssl
+     This means that some software needs to be rewritten to adapt to
+     the new ways of doing things.  This often amounts to allocating
+     an instance of a structure explicitly where you could previously
+     allocate them on the stack as automatic variables, and using the
+     provided accessor functions where you would previously access a
+     structure's field directly.
 
-     to it.
+     <TBA>
 
-     But don't delete the existing -I option that points to
-     the ..../include directory!  Otherwise, OpenSSL header files
-     could not #include each other.
-
-  *  WRITING applications
-
-     To write an application that is able to handle both the new
-     and the old directory layout, so that it can still be compiled
-     with library versions up to OpenSSL 0.9.2b without bothering
-     the user, you can proceed as follows:
-
-     -  Always use the new filename of OpenSSL header files,
-        e.g. #include <openssl/ssl.h>.
-
-     -  Create a directory "incl" that contains only a symbolic
-        link named "openssl", which points to the "include" directory
-        of OpenSSL.
-        For example, your application's Makefile might contain the
-        following rule, if OPENSSLDIR is a pathname (absolute or
-        relative) of the directory where OpenSSL resides:
-
-        incl/openssl:
-        	-mkdir incl
-        	cd $(OPENSSLDIR) # Check whether the directory really exists
-        	-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl
-
-        You will have to add "incl/openssl" to the dependencies
-        of those C files that include some OpenSSL header file.
-
-     -  Add "-Iincl" to your CFLAGS.
-
-     With these additions, the OpenSSL header files will be available
-     under both name variants if an old library version is used:
-     Your application can reach them under names like <openssl/foo.h>,
-     while the header files still are able to #include each other
-     with names of the form <foo.h>.
+     Some APIs have changed as well.  However, older APIs have been
+     preserved when possible.
 
 
  Note on multi-threading
@@ -347,18 +637,12 @@
  Note on shared libraries
  ------------------------
 
- Shared libraries have certain caveats.  Binary backward compatibility
- can't be guaranteed before OpenSSL version 1.0.  The only reason to
- use them would be to conserve memory on systems where several programs
- are using OpenSSL.
-
- For some systems, the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl.  On these systems,
- the shared libraries are currently not created by default, but giving
- the option "shared" will get them created.  This method supports Makefile
- targets for shared library creation, like linux-shared.  Those targets
- can currently be used on their own just as well, but this is expected
- to change in future versions of OpenSSL.
+ For most systems the OpenSSL Configure script knows what is needed to
+ build shared libraries for libcrypto and libssl. On these systems
+ the shared libraries will be created by default. This can be suppressed and
+ only static libraries created by using the "no-shared" option. On systems
+ where OpenSSL does not know how to build shared libraries the "no-shared"
+ option will be forced and only static libraries will be created.
 
  Note on random number generation
  --------------------------------
@@ -372,24 +656,3 @@
  Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
  and the FAQ for more information.
 
- Note on support for multiple builds
- -----------------------------------
-
- OpenSSL is usually built in its source tree.  Unfortunately, this doesn't
- support building for multiple platforms from the same source tree very well.
- It is however possible to build in a separate tree through the use of lots
- of symbolic links, which should be prepared like this:
-
-	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
-	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
-	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
-		mkdir -p `dirname $F`
-		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
-		echo $F '->' $OPENSSL_SOURCE/$F
-	done
-	make -f Makefile.in clean
-
- OPENSSL_SOURCE is an environment variable that contains the absolute (this
- is important!) path to the OpenSSL source tree.
-
- Also, operations like 'make update' should still be made in the source tree.

INSTALL.NW

@@ -1,454 +0,0 @@
-
-INSTALLATION ON THE NETWARE PLATFORM
-------------------------------------
-
-Notes about building OpenSSL for NetWare.
-
-
-BUILD PLATFORM:
----------------
-The build scripts (batch files, perl scripts, etc) have been developed and
-tested on W2K.  The scripts should run fine on other Windows platforms
-(NT, Win9x, WinXP) but they have not been tested.  They may require some
-modifications.
-
-
-Supported NetWare Platforms - NetWare 5.x, NetWare 6.x:
--------------------------------------------------------
-OpenSSL can either use the WinSock interfaces introduced in NetWare 5,
-or the BSD socket interface.  Previous versions of NetWare, 4.x and 3.x,
-are only supported if OpenSSL is build for CLIB and BSD sockets;
-WinSock builds only support NetWare 5 and up.
-
-On NetWare there are two c-runtime libraries.  There is the legacy CLIB 
-interfaces and the newer LIBC interfaces.  Being ANSI-C libraries, the 
-functionality in CLIB and LIBC is similar but the LIBC interfaces are built 
-using Novell Kernal Services (NKS) which is designed to leverage 
-multi-processor environments.
-
-The NetWare port of OpenSSL can be configured to build using CLIB or LIBC.
-The CLIB build was developed and tested using NetWare 5.0 sp6.0a.  The LIBC 
-build was developed and tested using the NetWare 6.0 FCS.  
-
-The necessary LIBC functionality ships with NetWare 6.  However, earlier 
-NetWare 5.x versions will require updates in order to run the OpenSSL LIBC
-build (NetWare 5.1 SP8 is known to work).
-
-As of June 2005, the LIBC build can be configured to use BSD sockets instead
-of WinSock sockets. Call Configure (usually through netware\build.bat) using
-a target of "netware-libc-bsdsock" instead of "netware-libc".
-
-As of June 2007, support for CLIB and BSD sockets is also now available
-using a target of "netware-clib-bsdsock" instead of "netware-clib";
-also gcc builds are now supported on both Linux and Win32 (post 0.9.8e).
-
-REQUIRED TOOLS:
----------------
-Based upon the configuration and build options used, some or all of the
-following tools may be required:
-
-* Perl for Win32 - required (http://www.activestate.com/ActivePerl)
-   Used to run the various perl scripts on the build platform.
-
-* Perl 5.8.0 for NetWare v3.20 (or later) - required 
-   (http://developer.novell.com) Used to run the test script on NetWare 
-   after building.
-
-* Compiler / Linker - required:
-   Metrowerks CodeWarrior PDK 2.1 (or later) for NetWare (commercial):
-      Provides command line tools used for building.
-      Tools:
-      mwccnlm.exe  - C/C++ Compiler for NetWare
-      mwldnlm.exe  - Linker for NetWare
-      mwasmnlm.exe - x86 assembler for NetWare (if using assembly option)
-
-   gcc / nlmconv Cross-Compiler, available from Novell Forge (free):
-         http://forge.novell.com/modules/xfmod/project/?aunixnw
-
-* Assemblers - optional:
-   If you intend to build using the assembly options you will need an
-   assembler.  Work has been completed to support two assemblers, Metrowerks
-   and NASM.  However, during development, a bug was found in the Metrowerks
-   assembler which generates incorrect code.  Until this problem is fixed,
-   the Metrowerks assembler cannot be used.
-
-   mwasmnlm.exe - Metrowerks x86 assembler - part of CodeWarrior tools.
-         (version 2.2 Built Aug 23, 1999 - not useable due to code
-          generation bug)
-
-   nasmw.exe - Netwide Assembler NASM
-         version 0.98 was used in development and testing
-
-* Make Tool - required:
-   In order to build you will need a make tool.  Two make tools are
-   supported, GNU make (gmake.exe) or Microsoft nmake.exe.
-
-   make.exe - GNU make for Windows (version 3.75 used for development)
-         http://gnuwin32.sourceforge.net/packages/make.htm
-
-   nmake.exe - Microsoft make (Version 6.00.8168.0 used for development)
-         http://support.microsoft.com/kb/132084/EN-US/
-
-* Novell Developer Kit (NDK) - required: (http://developer.novell.com)
-
-   CLIB - BUILDS:
-
-      WinSock2 Developer Components for NetWare:
-         For initial development, the October 27, 2000 version was used.
-         However, future versions should also work.
-
-         NOTE:  The WinSock2 components include headers & import files for
-         NetWare, but you will also need the winsock2.h and supporting
-         headers (pshpack4.h, poppack.h, qos.h) delivered in the
-         Microsoft SDK.  Note: The winsock2.h support headers may change
-         with various versions of winsock2.h.  Check the dependencies
-         section on the NDK WinSock2 download page for the latest
-         information on dependencies. These components are unsupported by
-         Novell. They are provided as a courtesy, but it is strongly
-         suggested that all development be done using LIBC, not CLIB.
-
-         As of June 2005, the WinSock2 components are available at:
-         http://forgeftp.novell.com//ws2comp/
-
-
-      NLM and NetWare libraries for C (including CLIB and XPlat):
-         If you are going to build a CLIB version of OpenSSL, you will
-         need the CLIB headers and imports.  The March, 2001 NDK release or 
-         later is recommended.
-
-         Earlier versions should work but haven't been tested.  In recent
-         versions the import files have been consolidated and function
-         names moved.  This means you may run into link problems
-         (undefined symbols) when using earlier versions.   The functions
-         are available in earlier versions, but you will have to modifiy
-         the make files to include additional import files (see
-         openssl\util\pl\netware.pl).
-
-
-   LIBC - BUILDS:
-   
-      Libraries for C (LIBC) - LIBC headers and import files
-         If you are going to build a LIBC version of OpenSSL, you will
-         need the LIBC headers and imports.  The March 14, 2002 NDK release or
-         later is required.  
-         
-         NOTE: The LIBC SDK includes the necessary WinSock2 support.
-         It is not necessary to download the WinSock2 NDK when building for
-         LIBC. The LIBC SDK also includes the appropriate BSD socket support
-         if configuring to use BSD sockets.
-
-
-BUILDING:
----------
-Before building, you will need to set a few environment variables.  You can
-set them manually or you can modify the "netware\set_env.bat" file.
-
-The set_env.bat file is a template you can use to set up the path
-and environment variables you will need to build.  Modify the
-various lines to point to YOUR tools and run set_env.bat.
-
-   netware\set_env.bat <target> [compiler]
-
-      target        - "netware-clib" - CLIB NetWare build
-                    - "netware-libc" - LIBC NetWare build
-
-      compiler      - "gnuc"         - GNU GCC Compiler
-                    - "codewarrior"  - MetroWerks CodeWarrior (default)
-
-If you don't use set_env.bat, you will need to set up the following
-environment variables:
-
-   PATH - Set PATH to point to the tools you will use.
-
-   INCLUDE - The location of the NDK include files.
-         
-            CLIB ex: set INCLUDE=c:\ndk\nwsdk\include\nlm
-            LIBC ex: set INCLUDE=c:\ndk\libc\include
-
-   PRELUDE - The absolute path of the prelude object to link with.  For
-            a CLIB build it is recommended you use the "clibpre.o" files shipped
-            with the Metrowerks PDK for NetWare.  For a LIBC build you should 
-            use the "libcpre.o" file delivered with the LIBC NDK components.
-
-            CLIB ex: set PRELUDE=c:\ndk\nwsdk\imports\clibpre.o
-            LIBC ex: set PRELUDE=c:\ndk\libc\imports\libcpre.o
-
-   IMPORTS - The locaton of the NDK import files.
-
-            CLIB ex: set IMPORTS=c:\ndk\nwsdk\imports
-            LIBC ex: set IMPORTS=c:\ndk\libc\imports
-
-
-In order to build, you need to run the Perl scripts to configure the build
-process and generate a make file.  There is a batch file,
-"netware\build.bat", to automate the process.
-
-Build.bat runs the build configuration scripts and generates a make file.
-If an assembly option is specified, it also runs the scripts to generate 
-the assembly code.  Always run build.bat from the "openssl" directory.
-
-   netware\build [target] [debug opts] [assembly opts] [configure opts]
-
-      target        - "netware-clib" - CLIB NetWare build (WinSock Sockets)
-                    - "netware-clib-bsdsock" - CLIB NetWare build (BSD Sockets)
-                    - "netware-libc" - LIBC NetWare build (WinSock Sockets)
-                    - "netware-libc-bsdsock" - LIBC NetWare build (BSD Sockets)
- 
-      debug opts    - "debug"  - build debug
-
-      assembly opts - "nw-mwasm" - use Metrowerks assembler
-                      "nw-nasm"  - use NASM assembler
-                      "no-asm"   - don't use assembly
-
-      configure opts- all unrecognized arguments are passed to the
-                      perl 'configure' script. See that script for
-                      internal documentation regarding options that
-                      are available.
-
-   examples:
-
-      CLIB build, debug, without assembly:
-         netware\build.bat netware-clib debug no-asm
-
-      LIBC build, non-debug, using NASM assembly, add mdc2 support:
-         netware\build.bat netware-libc nw-nasm enable-mdc2
-
-      LIBC build, BSD sockets, non-debug, without assembly:
-         netware\build.bat netware-libc-bsdsock no-asm
-
-Running build.bat generates a make file to be processed by your make 
-tool (gmake or nmake):
-
-   CLIB ex: gmake -f netware\nlm_clib_dbg.mak 
-   LIBC ex: gmake -f netware\nlm_libc.mak 
-   LIBC ex: gmake -f netware\nlm_libc_bsdsock.mak 
-
-
-You can also run the build scripts manually if you do not want to use the
-build.bat file.  Run the following scripts in the "\openssl"
-subdirectory (in the order listed below):
-
-   perl configure no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock]
-      configures no assembly build for specified netware environment
-      (CLIB or LIBC).
-
-   perl util\mkfiles.pl >MINFO
-      generates a listing of source files (used by mk1mf)
-
-   perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock >netware\nlm.mak
-      generates the makefile for NetWare
-
-   gmake -f netware\nlm.mak
-      build with the make tool (nmake.exe also works)
-
-NOTE:  If you are building using the assembly option, you must also run the
-various Perl scripts to generate the assembly files.  See build.bat
-for an example of running the various assembly scripts.  You must use the
-"no-asm" option to build without assembly.  The configure and mk1mf scripts
-also have various other options.  See the scripts for more information.
-
-
-The output from the build is placed in the following directories:
-
-   CLIB Debug build:
-      out_nw_clib.dbg     - static libs & test nlm(s)
-      tmp_nw_clib.dbg     - temporary build files
-      outinc_nw_clib      - necessary include files
-
-   CLIB Non-debug build:
-      out_nw_clib         - static libs & test nlm(s)
-      tmp_nw_clib         - temporary build files
-      outinc_nw_clib      - necesary include files
-
-   LIBC Debug build:
-      out_nw_libc.dbg     - static libs & test nlm(s)
-      tmp_nw_libc.dbg     - temporary build files
-      outinc_nw_libc      - necessary include files
-
-   LIBC Non-debug build:
-      out_nw_libc         - static libs & test nlm(s)
-      tmp_nw_libc         - temporary build files
-      outinc_nw_libc      - necesary include files
-
-
-TESTING:
---------
-The build process creates the OpenSSL static libs ( crypto.lib, ssl.lib,
-rsaglue.lib ) and several test programs.  You should copy the test programs
-to your NetWare server and run the tests.
-
-The batch file "netware\cpy_tests.bat" will copy all the necessary files
-to your server for testing.  In order to run the batch file, you need a
-drive mapped to your target server.  It will create an "OpenSSL" directory
-on the drive and copy the test files to it.  CAUTION: If a directory with the
-name of "OpenSSL" already exists, it will be deleted.
-
-To run cpy_tests.bat:
-
-   netware\cpy_tests [output directory] [NetWare drive]
-
-      output directory - "out_nw_clib.dbg", "out_nw_libc", etc.
-      NetWare drive    - drive letter of mapped drive
-
-      CLIB ex: netware\cpy_tests out_nw_clib m:
-      LIBC ex: netware\cpy_tests out_nw_libc m:
-
-
-The Perl script, "do_tests.pl", in the "OpenSSL" directory on the server
-should be used to execute the tests.  Before running the script, make sure
-your SEARCH PATH includes the "OpenSSL" directory.  For example, if you
-copied the files to the "sys:" volume you use the command:
-
-   SEARCH ADD SYS:\OPENSSL
-
-
-To run do_tests.pl type (at the console prompt):
-
-   perl \openssl\do_tests.pl [options]
-
-      options:
-         -p    - pause after executing each test
-
-The do_tests.pl script generates a log file "\openssl\test_out\tests.log"
-which should be reviewed for errors.  Any errors will be denoted by the word
-"ERROR" in the log.
-
-DEVELOPING WITH THE OPENSSL SDK:
---------------------------------
-Now that everything is built and tested, you are ready to use the OpenSSL
-libraries in your development.
-
-There is no real installation procedure, just copy the static libs and
-headers to your build location.  The libs (crypto.lib & ssl.lib) are
-located in the appropriate "out_nw_XXXX" directory 
-(out_nw_clib, out_nw_libc, etc).  
-
-The headers are located in the appropriate "outinc_nw_XXX" directory 
-(outinc_nw_clib, outinc_nw_libc).  
-
-One suggestion is to create the following directory 
-structure for the OpenSSL SDK:
-
-   \openssl
-      |- bin
-      |   |- openssl.nlm
-      |   |- (other tests you want)
-      |
-      |- lib
-      |   | - crypto.lib
-      |   | - ssl.lib
-      |
-      |- include
-      |   | - openssl
-      |   |    | - (all the headers in "outinc_nw\openssl")
-
-
-The program "openssl.nlm" can be very useful.  It has dozens of
-options and you may want to keep it handy for debugging, testing, etc.
-
-When building your apps using OpenSSL, define "NETWARE".  It is needed by
-some of the OpenSSL headers.  One way to do this is with a compile option,
-for example "-DNETWARE".
-
-
-
-NOTES:
-------
-
-Resource leaks in Tests
-------------------------
-Some OpenSSL tests do not clean up resources and NetWare reports
-the resource leaks when the tests unload.  If this really bugs you,
-you can stop the messages by setting the developer option off at the console
-prompt (set developer option = off).  Or better yet, fix the tests to
-clean up the resources!
-
-
-Multi-threaded Development
----------------------------
-The NetWare version of OpenSSL is thread-safe, however multi-threaded
-applications must provide the necessary locking function callbacks.  This
-is described in doc\threads.doc.  The file "openssl-x.x.x\crypto\threads\mttest.c"
-is a multi-threaded test program and demonstrates the locking functions.
-
-
-What is openssl2.nlm?
----------------------
-The openssl program has numerous options and can be used for many different
-things.  Many of the options operate in an interactive mode requiring the
-user to enter data.  Because of this, a default screen is created for the
-program.  However, when running the test script it is not desirable to
-have a separate screen.  Therefore, the build also creates openssl2.nlm.
-Openssl2.nlm is functionally identical but uses the console screen.
-Openssl2 can be used when a non-interactive mode is desired.
-
-NOTE:  There are may other possibilities (command line options, etc)
-which could have been used to address the screen issue.  The openssl2.nlm
-option was chosen because it impacted only the build not the code.
-
-
-Why only static libraries?
---------------------------
-Globals, globals, and more globals.  The OpenSSL code uses many global
-variables that are allocated and initialized when used for the first time.
-
-On NetWare, most applications (at least historically) run in the kernel.
-When running in the kernel, there is one instance of global variables.
-For regular application type NLM(s) this isn't a problem because they are
-the only ones using the globals.  However, for a library NLM (an NLM which
-exposes functions and has no threads of execution), the globals cause
-problems.  Applications could inadvertently step on each other if they
-change some globals.  Even worse, the first application that triggers a
-global to be allocated and initialized has the allocated memory charged to
-itself.  Now when that application unloads, NetWare will clean up all the
-applicaton's memory.  The global pointer variables inside OpenSSL now
-point to freed memory.  An abend waiting to happen!
-
-To work correctly in the kernel, library NLM(s) that use globals need to
-provide a set of globals (instance data) for each application.  Another
-option is to require the library only be loaded in a protected address
-space along with the application using it.
-
-Modifying the OpenSSL code to provide a set of globals (instance data) for
-each application isn't technically difficult, but due to the large number
-globals it would require substantial code changes and it wasn't done.  Hence,
-the build currently only builds static libraries which are then linked
-into each application.
-
-NOTE:  If you are building a library NLM that uses the OpenSSL static
-libraries, you will still have to deal with the global variable issue.
-This is because when you link in the OpenSSL code you bring in all the
-globals.  One possible solution for the global pointer variables is to
-register memory functions with OpenSSL which allocate memory and charge it
-to your library NLM (see the function CRYPTO_set_mem_functions).  However,
-be aware that now all memory allocated by OpenSSL is charged to your NLM.
-
-
-CodeWarrior Tools and W2K
----------------------------
-There have been problems reported with the CodeWarrior Linker
-(mwldnlm.exe) in the PDK 2.1 for NetWare when running on Windows 2000.  The
-problems cause the link step to fail.  The only work around is to obtain an
-updated linker from Metrowerks.  It is expected Metrowerks will release
-PDK 3.0 (in beta testing at this time - May, 2001) in the near future which
-will fix these problems.
-
-
-Makefile "vclean"
-------------------
-The generated makefile has a "vclean" target which cleans up the build
-directories.  If you have been building successfully and suddenly
-experience problems, use "vclean" (gmake -f netware\nlm_xxxx.mak vclean) and retry.
-
-
-"Undefined Symbol" Linker errors
---------------------------------
-There have been linker errors reported when doing a CLIB build.  The problems
-occur because some versions of the CLIB SDK import files inadvertently 
-left out some symbols.  One symbol in particular is "_lrotl".  The missing
-functions are actually delivered in the binaries, but they were left out of
-the import files.  The issues should be fixed in the September 2001 release 
-of the NDK.  If you experience the problems you can temporarily
-work around it by manually adding the missing symbols to your version of 
-"clib.imp".
-

INSTALL.OS2

@@ -1,31 +0,0 @@
- 
- Installation on OS/2
- --------------------
-
- You need to have the following tools installed:
-
-  * EMX GCC
-  * PERL
-  * GNU make
-
-
- To build the makefile, run
-
- > os2\os2-emx
-
- This will configure OpenSSL and create OS2-EMX.mak which you then use to 
- build the OpenSSL libraries & programs by running
-
- > make -f os2-emx.mak
-
- If that finishes successfully you will find the libraries and programs in the
- "out" directory.
-
- Alternatively, you can make a dynamic build that puts the library code into
- crypto.dll and ssl.dll by running
-
- > make -f os2-emx-dll.mak
-
- This will build the above mentioned dlls and a matching pair of import
- libraries in the "out_dll" directory along with the set of test programs
- and the openssl application.

INSTALL.VMS

@@ -1,66 +0,0 @@
-
- INSTALLATION ON THE VMS PLATFORM
- --------------------------------
-
- Intro
- -----
-
- This file is divided in the following parts:
-
-   Requirements                 - Mandatory reading.
-   Cheking the distribution     - Mandatory reading.
-   Quick start
-   Test                         <TO BE ADDED>
-   Installation                 <TO BE ADDED>
-   Backward portability         <TO BE ADDED>
-   Possible bugs and quirks     <TO BE ADDED>
-
-
- Requirements
- ------------
-
- To build and install OpenSSL, you will need:
-
-  * Perl 5 with core modules (please read README.PERL)
-  * The perl module Text::Template (please read README.PERL)
-  * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
-    [Note: OpenSSL has only been tested with DEC C.  Compiling with 
-     a different ANSI C compiler may require some work]
-
- Checking the distribution
- -------------------------
-
- There have been reports of places where the distribution didn't quite
- get through, for example if you've copied the tree from a NFS-mounted
- Unix mount point.
-
- The easiest way to check if everything got through as it should is to
- check for one of the following files:
-
-  [.crypto]opensslconf^.h.in
-
- The best way to get a correct distribution is to download the gzipped
- tar file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress
- it and use VMSTAR to unpack the resulting tar file.
-
- GUNZIP is available {FIXME: where is it available?}
-
- VMSTAR is available {FIXME: where is it available?}
-
-
- Quick start
- -----------
-
- If you want to just get on with it, do this:
-
-  $ @config
-  $ mms
-  $ mms test
-  $ mmm install
-
- This will buidl and install OpenSSL in the default location, which is
- SYS$COMMON:[OPENSSL-'VERSION'].  If you want it to be anywhere else,
- run config.com like this:
-
-  $ @config --prefix=PROGRAM:[OPENSSL]
-

INSTALL.WIN

@@ -1,192 +0,0 @@
-
- INSTALLATION ON WINDOWS PLATFORMS
- ---------------------------------
-
- [Instructions for building for Windows CE can be found in INSTALL.WCE]
-
- Here are a few comments about building OpenSSL for Windows environments.
-
- - you need Perl.  Unless you will build on Cygwin, you will need
-   ActiveState Perl, available from http://www.activestate.com/ActivePerl.  
-   You also need the perl module Text::Template, available on CPAN.
-   Please read README.PERL for more information.
-
- - one of the following C compilers:
-
-  * Visual C++
-  * GNU C (Cygwin or MinGW)
-
-- Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us,
-  is required if you intend to utilize assembler modules. Note that NASM
-  is now the only supported assembler. Without this the "Configure" step below
-  must be done with the "no-asm" option. The Microsoft provided assembler is NOT
-  supported.
-
- Visual C++
- ----------
-
- If you want to compile in the assembly language routines with Visual
- C++, then you will need the Netwide Assembler binary, nasmw.exe or nasm.exe, to
- be available on your %PATH%.
-
- Firstly you should run Configure and generate the Makefiles. If you don't want
- the assembly language files then add the "no-asm" option (without quotes) to
- the Configure lines below.
-
- For Win32:
-
- > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
- > ms\do_nasm
-
- Note: replace the last line above with the following if not using the assembly
- language files:
-
- > ms\do_ms
-
- For Win64/x64:
-
- > perl Configure VC-WIN64A --prefix=c:\some\openssl\dir
- > ms\do_win64a
-
- For Win64/IA64:
-
- > perl Configure VC-WIN64I --prefix=c:\some\openssl\dir
- > ms\do_win64i
-
- Where the prefix argument specifies where OpenSSL will be installed to.
-
- Then from the VC++ environment at a prompt do the following. Note, your %PATH%
- and other environment variables should be set up for 32-bit or 64-bit
- development as appropriate.
-
- > nmake -f ms\ntdll.mak
-
- If all is well it should compile and you will have some DLLs and
- executables in out32dll. If you want to try the tests then do:
-
- > nmake -f ms\ntdll.mak test
-
- To install OpenSSL to the specified location do:
-
- > nmake -f ms\ntdll.mak install
-
- Tweaks:
-
- There are various changes you can make to the Windows compile
- environment. By default the library is not compiled with debugging
- symbols. If you add --debug to the Configure lines above then debugging symbols
- will be compiled in.
-
- By default in 1.1.0 OpenSSL will compile builtin ENGINES into separate shared
- libraries. If you specify the "enable-static-engine" option on the command line
- to Configure the shared library build (ms\ntdll.mak) will compile the engines
- into libeay32.dll instead.
-
- You can also build a static version of the library using the Makefile
- ms\nt.mak
-
- GNU C (Cygwin)
- --------------
-
- Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of the
- Windows subsystem and provides a bash shell and GNU tools environment.
- Consequently, a make of OpenSSL with Cygwin is virtually identical to the
- Unix procedure. It is also possible to create Windows binaries that only
- use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
- MinGW. MinGW can be used in the Cygwin development environment or in a
- standalone setup as described in the following section.
-
- To build OpenSSL using Cygwin:
-
- * Install Cygwin (see http://cygwin.com/)
-
- * Install Perl and ensure it is in the path. Both Cygwin perl
-   (5.6.1-2 or newer) and ActivePerl work.
-
- * Run the Cygwin bash shell
-
- * $ tar zxvf openssl-x.x.x.tar.gz
-   $ cd openssl-x.x.x
-
-   To build the Cygwin version of OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
-   This will create a default install in /usr/local/ssl.
-
-   To build the MinGW version (native Windows) in Cygwin:
-
-   $ ./Configure mingw
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
- Cygwin Notes:
-
- "make test" and normal file operations may fail in directories
- mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
- stripping of carriage returns. To avoid this ensure that a binary
- mount is used, e.g. mount -b c:\somewhere /home.
-
- GNU C (MinGW/MSYS)
- -------------
-
- * Compiler and shell environment installation:
-
-   MinGW and MSYS are available from http://www.mingw.org/, both are
-   required. Run the installers and do whatever magic they say it takes
-   to start MSYS bash shell with GNU tools on its PATH.
-
- * Compile OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-
-   This will create the library and binaries in root source directory
-   and openssl.exe application in apps directory.
-
-   It is also possible to cross-compile it on Linux by configuring
-   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'. Other
-   possible targets include x86_64-w64-mingw32- and i686-w64-mingw32-.
-
-   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
-   link with libeay32.a and libssl32.a instead.
-
- Linking your application
- ------------------------
-
- If you link with static OpenSSL libraries [those built with ms/nt.mak],
- then you're expected to additionally link your application with
- WS2_32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
- non-interactive service applications might feel concerned about linking
- with the latter two, as they are justly associated with interactive
- desktop, which is not available to service processes. The toolkit is
- designed to detect in which context it's currently executed, GUI,
- console app or service, and act accordingly, namely whether or not to
- actually make GUI calls. Additionally those who wish to
- /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
- off service process should consider implementing and exporting from
- .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
- E.g., on Windows Vista and later you could:
-
-	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
-	{   DWORD sess;
-	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
-	        return sess==0;
-	    return FALSE;
-	}
-
- If you link with OpenSSL .DLLs, then you're expected to include into
- your application code small "shim" snippet, which provides glue between
- OpenSSL BIO layer and your compiler run-time. See the OPENSSL_Applink
- manual page for further details.

Makefile.in

@@ -10,7 +10,10 @@ SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
 SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
 SHLIB_MAJOR={- $config{shlib_major} -}
 SHLIB_MINOR={- $config{shlib_minor} -}
-SHLIB_EXT={- $target{shared_extension} -}
+SHLIB_EXT={- $target{shared_extension} || ".so" -}
+SHLIB_EXT_SIMPLE={- $target{shared_extension_simple} || ".so" -}
+SHLIB_EXT_IMPORT={- $target{shared_import_extension} || "" -}
+DSO_EXT={- $target{dso_extension} || ".so" -}
 PLATFORM={- $config{target} -}
 OPTIONS={- $config{options} -}
 CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
@@ -90,12 +93,11 @@ ENGINESDIR={- use File::Spec::Functions;
 
 CROSS_COMPILE= {- $config{cross_compile_prefix} -}
 CC= $(CROSS_COMPILE){- $target{cc} -}
-CFLAG={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAG={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
 CFLAG_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
-DEPFLAG= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
-LDFLAG= {- $config{lflags} -}
-PLIB_LDFLAG= {- $config{plib_lflags} -}
-EX_LIBS= {- $config{ex_libs} -}
+LDFLAG= {- $target{lflags} -} {- $config{lflags} -}
+PLIB_LDFLAG= {- $target{plib_lflags} -} {- $config{plib_lflags} -}
+EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -}
 EXE_EXT= {- $target{exe_extension} -}
 ARFLAGS= {- $target{arflags} -}
 AR=$(CROSS_COMPILE){- $target{ar} -} $(ARFLAGS) r
@@ -121,7 +123,9 @@ ASFLAG=$(CFLAG)
 PROCESSOR= {- $config{processor} -}
 
 # CPUID module collects small commonly used assembler snippets
+APPS_OBJ={- $target{apps_obj} -}
 CPUID_OBJ= {- $target{cpuid_obj} -}
+UPLINK_OBJ= {- $target{uplink_obj} -}
 BN_ASM= {- $target{bn_obj} -}
 EC_ASM= {- $target{ec_obj} -}
 DES_ENC= {- $target{des_obj} -}
@@ -133,6 +137,7 @@ RC5_ENC= {- $target{rc5_obj} -}
 MD5_ASM_OBJ= {- $target{md5_obj} -}
 SHA1_ASM_OBJ= {- $target{sha1_obj} -}
 RMD160_ASM_OBJ= {- $target{rmd160_obj} -}
+BLAKE2_OBJ= {- $target{blake2_obj} -}
 WP_ASM_OBJ= {- $target{wp_obj} -}
 CMLL_ENC= {- $target{cmll_obj} -}
 MODES_ASM_OBJ= {- $target{modes_obj} -}
@@ -190,8 +195,9 @@ TOP=    .
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS={- '$(SHARED_CRYPTO) $(SHARED_SSL)' if (!$config{no_shared}) -}
-SHARED_LDFLAG={- $target{shared_ldflag}
+SHARED_LIBS={- $disabled{shared} ? '' : '$(SHARED_CRYPTO) $(SHARED_SSL)'  -}
+SHARED_CFLAG={- $target{shared_cflag} -}
+SHARED_LDFLAG={- $target{shared_ldflag}." ".$config{shared_ldflag}
                  # Unlike other OSes (like Solaris, Linux, Tru64,
                  # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
                  # and FreeBSD) "demand" RPATH set on .so objects.
@@ -206,6 +212,7 @@ SHARED_LDFLAG={- $target{shared_ldflag}
                  . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
                     ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
 SHARED_RCFLAG={- $target{shared_rcflag} -}
+DYNAMIC_ENGINES={- $config{dynamic_engines} -}
 
 GENERAL=        Makefile
 BASENAME=       openssl
@@ -224,6 +231,8 @@ INSTALLDIRS=	\
 		$(DESTDIR)$(OPENSSLDIR)/certs \
 		$(DESTDIR)$(OPENSSLDIR)/private
 
+ENGDIRS={- join(" ", @{$config{engdirs}}) -}
+
 all: Makefile build_all_but_tests
 
 # as we stick to -e, CLEARENV ensures that local variables in lower
@@ -246,30 +255,34 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 # same language for uniform treatment.
 BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		CC='$(CC)' CFLAG='$(CFLAG)' CFLAG_Q='$(CFLAG_Q)'	\
+		SHARED_CFLAG='$(SHARED_CFLAG)'				\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
-		CROSS_COMPILE='$(CROSS_COMPILE)'	\
-		PERL='$(PERL)'	\
+		CROSS_COMPILE='$(CROSS_COMPILE)'		\
+		PERL='$(PERL)' DYNAMIC_ENGINES='$(DYNAMIC_ENGINES)'	\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
 		DESTDIR='$(DESTDIR)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
-		DEPFLAG='$(DEPFLAG)'                    	\
 		SHARED_LDFLAG='$(SHARED_LDFLAG)'		\
 		SHARED_RCFLAG='$(SHARED_RCFLAG)'		\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
-		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
+		SHLIB_EXT='$(SHLIB_EXT)' DSO_EXT='$(DSO_EXT)'	\
+		SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		LDFLAG='$(LDFLAG)'				\
 		PLIB_LDFLAG='$(PLIB_LDFLAG)' EX_LIBS='$(EX_LIBS)'	\
+		APPS_OBJ='$(APPS_OBJ)' UPLINK_OBJ='$(UPLINK_OBJ)'	\
 		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
 		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
+		ENGDIRS='$(ENGDIRS)'    \
 		SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)'			\
 		MD5_ASM_OBJ='$(MD5_ASM_OBJ)'			\
 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
+		BLAKE2_OBJ='$(BLAKE2_OBJ)'                      \
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
 		PADLOCK_ASM_OBJ='$(PADLOCK_ASM_OBJ)'		\
@@ -374,7 +387,7 @@ do_$(SHLIB_TARGET):
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
-			link_a.$(SHLIB_TARGET); \
+			link_shlib.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
 		case "$(PLATFORM)" in \
 		Cygwin*) \
@@ -384,14 +397,15 @@ do_$(SHLIB_TARGET):
 			cp cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll test/; \
 			;; \
 		mingw*) \
-			case $$i in \
-				crypto) i=libeay32;; \
-				ssl) i=ssleay32;; \
-			esac; \
-			rm -f apps/$$i.dll; \
-			rm -f test/$$i.dll; \
-			cp $$i.dll apps/; \
-			cp $$i.dll test/; \
+			arch=; \
+		        if expr $(PLATFORM) : mingw64 > /dev/null; then \
+				arch=-x64; \
+			fi; \
+			rm -f apps/lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll; \
+			rm -f test/lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll; \
+			cp lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll apps/; \
+			cp lib$$i-$(SHLIB_MAJOR)_$(SHLIB_MINOR)$$arch.dll test/; \
+			;; \
 		esac; \
 	done
 
@@ -443,7 +457,7 @@ libclean:
 	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
 
 clean:	libclean
-	rm -f */*/*.o */*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
+	rm -f */*/*.o */*.o *.o core a.out fluff testlog make.log cctest cctest.c
 	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS) tags TAGS
@@ -451,34 +465,13 @@ clean:	libclean
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
 
-makefile.one: files
-	$(PERL) util/mk1mf.pl >makefile.one; \
-	sh util/do_ms.sh
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
-
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 
-rehash: rehash.time
-rehash.time: certs build_apps build_tools
-	@if [ -z "$(CROSS_COMPILE)" ]; then \
-		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
-		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
-		$$OPENSSL rehash certs/demo \
-		|| $(PERL) tools/c_rehash certs/demo) && \
-		touch rehash.time; \
-	else :; fi
+test:   tests
 
-test:   files tests
-
-
-tests:  build_tests rehash
+tests:  build_tests 
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
@@ -513,12 +506,11 @@ errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
-	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)
 
-ordinals: util/libeay.num util/ssleay.num test_ordinals TABLE
-util/libeay.num::
+ordinals: util/libcrypto.num util/libssl.num test_ordinals TABLE
+util/libcrypto.num::
 	$(PERL) util/mkdef.pl crypto update
-util/ssleay.num::
+util/libssl.num::
 	$(PERL) util/mkdef.pl ssl update
 test_ordinals:
 	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals
@@ -585,30 +577,40 @@ install_sw:
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
-			(       echo installing $$i; \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+				case "$(PLATFORM)" in \
+				Cygwin*) \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+					echo installing $$c; \
 					cp $$c $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$c.new $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
+					echo installing $$i.a; \
+					cp $$i.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+				mingw*) \
+					arch=; \
+				        if expr $(PLATFORM) : mingw64 > /dev/null; then \
+						arch=-x64; \
+					fi; \
+					m=`echo $$i | sed -e 's/\.dll$$/-$(SHLIB_MAJOR)_$(SHLIB_MINOR)'"$$arch"'.dll/'`; \
+					echo installing $$m; \
+					cp $$m $(DESTDIR)$(INSTALLTOP)/bin/$$m.new; \
+					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$m.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$m.new $(DESTDIR)$(INSTALLTOP)/bin/$$m; \
+					echo installing $$i.a; \
+					cp $$i.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					chmod 555 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+			        *) \
+					echo installing $$i; \
 					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				fi ); \
-				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-				(	case $$i in \
-						*crypto*) i=libeay32.dll;; \
-						*ssl*)    i=ssleay32.dll;; \
-					esac; \
-					echo installing $$i; \
-					cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
-				fi; \
+					;; \
+				esac; \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
@@ -639,31 +641,37 @@ uninstall_sw:
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
+				case "$(PLATFORM)" in \
+				Cygwin*) \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
 					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+				mingw*) \
+					arch=; \
+				        if expr $(PLATFORM) : mingw64 > /dev/null; then \
+						arch=-x64; \
+					fi; \
+					m=`echo $$i | sed -e 's/\.dll$$/-$(SHLIB_MAJOR)_$(SHLIB_MINOR)'"$$arch"'.dll/'`; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$m; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$m; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.a; \
+					;; \
+				*) \
 					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
-					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				fi; \
-				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-					case $$i in \
-						*crypto*) i=libeay32.dll;; \
-						*ssl*)    i=ssleay32.dll;; \
-					esac; \
-					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
-					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
-				fi; \
+					;; \
+				esac; \
 			fi; \
 		done; \
 	fi
 	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
 	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
 	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
-	@target=uninstall; $(RECURSIVE_BUILD_CMD)
+	@target=uninstall; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
 
 install_html_docs:
 	here="`pwd`"; \

Makefile.shared

@@ -50,8 +50,8 @@ OBJECTS=
 # For example, if a second library, say libbar.a needs to be linked into
 # libfoo.so, you need to do the following:
 #LIBEXTRAS=libbar.a
-# Note that this MUST be used when using the link_o targets, to hold the
-# names of all object files that go into the target library.
+# Note that this MUST be used when using the link_dso targets, to hold the
+# names of all object files that go into the target shared object.
 LIBEXTRAS=
 
 # LIBVERSION contains the current version of the library.
@@ -143,17 +143,17 @@ SYMLINK_SO=	\
 		fi; \
 	fi
 
-LINK_SO_A=	SHOBJECTS="$(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
-LINK_SO_O=	SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_SHLIB=	SHOBJECTS="$(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_DSO=	INHIBIT_SYMLINKS=yes; SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
 
-LINK_SO_A_VIA_O=	\
+LINK_SO_SHLIB_VIA_O=	\
   SHOBJECTS=$(DSTDIR)/lib$(LIBNAME).o; \
   ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
   ( echo ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL lib$(LIBNAME).a $(LIBEXTRAS); \
     ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL $(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS) ); \
   $(LINK_SO) && ( echo rm -f $$SHOBJECTS; rm -f $$SHOBJECTS )
 
-LINK_SO_A_UNPACKED=	\
+LINK_SO_SHLIB_UNPACKED=	\
   UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
   (cd $$UNPACKDIR; ar x ../$(DSTDIR)/lib$(LIBNAME).a) && \
   ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
@@ -162,13 +162,19 @@ LINK_SO_A_UNPACKED=	\
 
 DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 
-DO_GNU_SO=$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
+DO_GNU_SO_COMMON=\
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+DO_GNU_DSO=\
+	SHLIB=$(LIBNAME).so; \
+	SHLIB_SOVER=; \
 	SHLIB_SUFFIX=; \
+	$(DO_GNU_SO_COMMON)
+DO_GNU_SO=\
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-
+	$(DO_GNU_SO_COMMON)
 DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
 
 #This is rather special.  It's a special target with which one can link
@@ -179,25 +185,29 @@ DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
 link_app.:
 	$(LINK_APP)
 
-link_o.gnu:
-	@ $(DO_GNU_SO); $(LINK_SO_O)
-link_a.gnu:
-	@ $(DO_GNU_SO); $(LINK_SO_A)
+link_dso.gnu:
+	@ $(DO_GNU_DSO); $(LINK_SO_DSO)
+link_shlib.gnu:
+	@ $(DO_GNU_SO); $(LINK_SO_SHLIB)
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)
 
-link_a.linux-shared:
-	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then $(DO_GNU_SO); else \
-	$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
-	$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
-	SHLIB_SUFFIX=; \
+link_shlib.linux-shared:
+	@$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+	$(DO_GNU_SO); \
 	ALLSYMSFLAGS='-Wl,--whole-archive,--version-script=$(LIBNAME).map'; \
-	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-	fi; $(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 
-link_o.bsd:
+link_dso.bsd:
+	@if $(DETECT_GNU_LD); then $(DO_GNU_DSO); else \
+	SHLIB=$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	LIBDEPS=" "; \
+	ALLSYMSFLAGS=; \
+	NOALLSYMSFLAGS=; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
+	fi; $(LINK_SO_DSO)
+link_shlib.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
@@ -206,27 +216,17 @@ link_o.bsd:
 	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
 	NOALLSYMSFLAGS=; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
-	fi; $(LINK_SO_O)
-link_a.bsd:
-	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
-	$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
-	SHLIB_SUFFIX=; \
-	LIBDEPS=" "; \
-	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
-	NOALLSYMSFLAGS=; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
-	fi; $(LINK_SO_A)
+	fi; $(LINK_SO_SHLIB)
 link_app.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
 	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBPATH)"; \
 	fi; $(LINK_APP)
 
 # For Darwin AKA Mac OS/X (dyld)
-# Originally link_o.darwin produced .so, because it was hard-coded
+# Originally link_dso.darwin produced .so, because it was hard-coded
 # in dso_dlfcn module. At later point dso_dlfcn switched to .dylib
 # extension in order to allow for run-time linking with vendor-
-# supplied shared libraries such as libz, so that link_o.darwin had
+# supplied shared libraries such as libz, so that link_dso.darwin had
 # to be harmonized with it. This caused minor controversy, because
 # it was believed that dlopen can't be used to dynamically load
 # .dylib-s, only so called bundle modules (ones linked with -bundle
@@ -239,21 +239,14 @@ link_app.bsd:
 # It works, because dlopen is [and always was] extension-agnostic.
 # Alternative to this heuristic approach is to develop specific
 # MacOS X dso module relying on whichever "native" dyld interface.
-link_o.darwin:
-	@ $(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME); \
+link_dso.darwin:
+	@ SHLIB=$(LIBNAME); \
 	SHLIB_SUFFIX=.dylib; \
-	ALLSYMSFLAGS='-all_load'; \
+	ALLSYMSFLAGS=''; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS="$(CFLAGS) `echo $(SHARED_LDFLAGS) | sed s/dynamiclib/bundle/`"; \
-	if [ -n "$(LIBVERSION)" ]; then \
-		SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
-	fi; \
-	if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
-		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
-	fi; \
-	$(LINK_SO_O)
-link_a.darwin:
+	$(LINK_SO_DSO)
+link_shlib.darwin:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME); \
 	SHLIB_SUFFIX=.dylib; \
@@ -267,65 +260,73 @@ link_a.darwin:
 		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
 	fi; \
 	SHAREDFLAGS="$$SHAREDFLAGS -install_name $(INSTALLTOP)/$(LIBDIR)/$$SHLIB$(SHLIB_EXT)"; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.darwin:	# is there run-path on darwin?
 	$(LINK_APP)
 
-link_o.cygwin:
-	@ $(CALC_VERSIONS); \
-	INHIBIT_SYMLINKS=yes; \
-	SHLIB=cyg$(LIBNAME); \
-	base=-Wl,--enable-auto-image-base; \
-	deffile=; \
-	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-		SHLIB=$(LIBNAME)eay32; base=; \
-		if test -f $(LIBNAME)eay32.def; then \
-			deffile=$(LIBNAME)eay32.def; \
-		fi; \
-	fi; \
+link_dso.cygwin:
+	@SHLIB=$(LIBNAME); \
 	SHLIB_SUFFIX=.dll; \
-	LIBVERSION="$(LIBVERSION)"; \
-	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
-	ALLSYMSFLAGS='-Wl,--whole-archive'; \
-	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-Bsymbolic"; \
-	$(LINK_SO_O)
-#for mingw target if def-file is in use dll-name should match library-name
-link_a.cygwin:
+	ALLSYMSFLAGS=''; \
+	NOALLSYMSFLAGS=''; \
+	base=-Wl,--enable-auto-image-base; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic"; \
+	$(LINK_SO_DSO)
+link_shlib.cygwin:
 	@ $(CALC_VERSIONS); \
 	INHIBIT_SYMLINKS=yes; \
 	SHLIB=cyg$(LIBNAME); SHLIB_SOVER=-$(LIBVERSION); SHLIB_SUFFIX=.dll; \
-	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \
-	base=-Wl,--enable-auto-image-base; \
-	if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-		case $(LIBNAME) in \
-			crypto) SHLIB=libeay;; \
-			ssl) SHLIB=ssleay;; \
-		esac; \
-		SHLIB_SOVER=32; \
-		extras="$(LIBNAME).def"; \
-		$(PERL) $(SRCDIR)/util/mkdef.pl 32 $$SHLIB > $$extras; \
-		base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
-	fi; \
 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
 	echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \
 		     "$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \
 	$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \
 		$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \
-	extras="$$extras rc.o"; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
-	$(LINK_SO_A) || exit 1; \
-	rm $$extras
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a rc.o"; \
+	$(LINK_SO_SHLIB) || exit 1; \
+	rm rc.o
 link_app.cygwin:
-	@if expr "$(CFLAGS)" : '.*OPENSSL_USE_APPLINK' > /dev/null; then \
-		LIBDEPS="$(SRCDIR)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
-		export LIBDEPS; \
-	fi; \
 	$(LINK_APP)
 
-link_o.alpha-osf1:
+# link_dso.mingw-shared and link_app.mingw-shared are mapped to the
+# corresponding cygwin targets, as they do the exact same thing.
+link_shlib.mingw:
+	@ $(CALC_VERSIONS); \
+	INHIBIT_SYMLINKS=yes; \
+	arch=; \
+	if expr $(PLATFORM) : mingw64 > /dev/null; then arch=-x64; fi; \
+	sover=`echo $(LIBVERSION) | sed -e 's/\./_/g'` ; \
+	SHLIB=lib$(LIBNAME); \
+	SHLIB_SOVER=-$$sover$$arch; \
+	SHLIB_SUFFIX=.dll; \
+	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
+	base=; [ $(LIBNAME) = "crypto" -a -n "$(FIPSCANLIB)" ] && base=-Wl,--image-base,0x63000000; \
+	$(PERL) $(SRCDIR)/util/mkdef.pl 32 $(LIBNAME) \
+		| sed -e 's|^\(LIBRARY  *\)$(LIBNAME)32|\1'"$$dll_name"'|' \
+		> $(LIBNAME).def; \
+	echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \
+		"$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \
+	$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \
+		$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $(LIBNAME).def rc.o"; \
+	$(LINK_SO_SHLIB) || exit 1; \
+	rm $(LIBNAME).def rc.o
+
+link_dso.alpha-osf1:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.alpha-osf1:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -345,28 +346,7 @@ link_o.alpha-osf1:
 			SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
 		fi; \
 	fi; \
-	$(LINK_SO_O)
-link_a.alpha-osf1:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
-		else \
-			SHLIB_HIST="$(LIBVERSION)"; \
-		fi; \
-		SHLIB_SOVER=; \
-		ALLSYMSFLAGS='-all'; \
-		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
-		fi; \
-	fi; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.alpha-osf1:
 	@if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
@@ -375,39 +355,31 @@ link_app.alpha-osf1:
 	fi; \
 	$(LINK_APP)
 
-link_o.solaris:
+link_dso.solaris:
 	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
+		$(DO_GNU_DSO); \
 	else \
 		$(CALC_VERSIONS); \
-		MINUSZ='-z '; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		SHLIB=lib$(LIBNAME).so; \
+		SHLIB=$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
-		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+		ALLSYMSFLAGS=""; \
+		NOALLSYMSFLAGS=""; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.solaris:
+	$(LINK_SO_DSO)
+link_shlib.solaris:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
 		$(CALC_VERSIONS); \
-		MINUSZ='-z '; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=;\
-		if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then \
-			ALLSYMSFLAGS="$${MINUSZ}allextract"; \
-		else \
-			$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
-			ALLSYMSFLAGS="$${MINUSZ}allextract,-M,$(LIBNAME).map"; \
-		fi; \
-		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
+		$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+		ALLSYMSFLAGS="-Wl,-z,allextract,-M,$(LIBNAME).map"; \
+		NOALLSYMSFLAGS="-Wl,-z,defaultextract"; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.solaris:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
@@ -417,7 +389,19 @@ link_app.solaris:
 	$(LINK_APP)
 
 # OpenServer 5 native compilers used
-link_o.svr3:
+link_dso.svr3:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		$(CALC_VERSIONS); \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.svr3:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -428,25 +412,26 @@ link_o.svr3:
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.svr3:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		$(CALC_VERSIONS); \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		ALLSYMSFLAGS=''; \
-		NOALLSYMSFLAGS=''; \
-		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-	fi; \
-	$(LINK_SO_A_UNPACKED)
+	$(LINK_SO_SHLIB_UNPACKED)
 link_app.svr3:
 	@$(DETECT_GNU_LD) && $(DO_GNU_APP); \
 	$(LINK_APP)
 
 # UnixWare 7 and OpenUNIX 8 native compilers used
-link_o.svr5:
+link_dso.svr5:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		SHARE_FLAG='-G'; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=''; \
+		NOALLSYMSFLAGS=''; \
+		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SUFFIX"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.svr5:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -459,26 +444,23 @@ link_o.svr5:
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.svr5:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		$(CALC_VERSIONS); \
-		SHARE_FLAG='-G'; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		ALLSYMSFLAGS=''; \
-		NOALLSYMSFLAGS=''; \
-		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-	fi; \
-	$(LINK_SO_A_UNPACKED)
+	$(LINK_SO_SHLIB_UNPACKED)
 link_app.svr5:
 	@$(DETECT_GNU_LD) && $(DO_GNU_APP); \
 	$(LINK_APP)
 
-link_o.irix:
+link_dso.irix:
+	@ if $(DETECT_GNU_LD); then \
+		$(DO_GNU_DSO); \
+	else \
+		SHLIB=$(LIBNAME).so; \
+		SHLIB_SUFFIX=; \
+		ALLSYMSFLAGS=""; \
+		NOALLSYMSFLAGS=""; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SUFFIX,-B,symbolic"; \
+	fi; \
+	$(LINK_SO_DSO)
+link_shlib.irix:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_SO); \
 	else \
@@ -491,21 +473,7 @@ link_o.irix:
 		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
 	fi; \
-	$(LINK_SO_O)
-link_a.irix:
-	@ if $(DETECT_GNU_LD); then \
-		$(DO_GNU_SO); \
-	else \
-		$(CALC_VERSIONS); \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		MINUSWL=""; \
-		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
-		ALLSYMSFLAGS="$${MINUSWL}-all"; \
-		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
-		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
-	fi; \
-	$(LINK_SO_A)
+	$(LINK_SO_SHLIB)
 link_app.irix:
 	@LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
 	$(LINK_APP)
@@ -518,20 +486,19 @@ link_app.irix:
 # editor context only [it's simply ignored in other cases, which are all
 # ELFs by the way].
 #
-link_o.hpux:
-	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
-	$(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).sl; \
-	expr "$(CFLAGS)" : '.*DSO_DLFCN' > /dev/null && SHLIB=lib$(LIBNAME).so; \
+link_dso.hpux:
+	@if $(DETECT_GNU_LD); then $(DO_GNU_DSO); else \
+	SHLIB=$(LIBNAME).sl; \
+	expr "$(CFLAGS)" : '.*DSO_DLFCN' > /dev/null && SHLIB=$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	ALLSYMSFLAGS='-Wl,-Fl'; \
+	ALLSYMSFLAGS=''; \
 	NOALLSYMSFLAGS=''; \
 	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
 	fi; \
-	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
-	$(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
-link_a.hpux:
+	rm -f $$SHLIB$$SHLIB_SUFFIX || :; \
+	$(LINK_SO_DSO) && chmod a=rx $$SHLIB$$SHLIB_SUFFIX
+link_shlib.hpux:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).sl; \
@@ -543,24 +510,23 @@ link_a.hpux:
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
 	fi; \
 	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
-	$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
+	$(LINK_SO_SHLIB) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
 link_app.hpux:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
 	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)
 
-link_o.aix:
-	@ $(CALC_VERSIONS); \
-	OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
+link_dso.aix:
+	@OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
 	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
-	SHLIB=lib$(LIBNAME).so; \
+	SHLIB=$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS=''; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
-	$(LINK_SO_O);
-link_a.aix:
+	$(LINK_SO_DSO);
+link_shlib.aix:
 	@ $(CALC_VERSIONS); \
 	OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || : ; \
 	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
@@ -569,7 +535,7 @@ link_a.aix:
 	ALLSYMSFLAGS='-bnogc'; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
-	$(LINK_SO_A_VIA_O)
+	$(LINK_SO_SHLIB_VIA_O)
 link_app.aix:
 	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)
@@ -595,54 +561,59 @@ symlink.hpux:
 symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
 
 # Compatibility targets
-link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
-link_a.bsd-gcc-shared link_a.gnu-shared: link_a.gnu
-link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
-symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
-link_o.bsd-shared: link_o.bsd
-link_a.bsd-shared: link_a.bsd
+link_dso.bsd-gcc-shared link_dso.linux-shared link_dso.gnu-shared link_dso.haiku-shared: link_dso.gnu
+link_shlib.bsd-gcc-shared: link_shlib.linux-shared
+link_shlib.gnu-shared link_shlib.haiku-shared: link_shlib.gnu
+link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared link_app.haiku-shared: link_app.gnu
+symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared symlink.haiku-shared: symlink.gnu
+link_dso.bsd-shared: link_dso.bsd
+link_shlib.bsd-shared: link_shlib.bsd
 link_app.bsd-shared: link_app.bsd
-link_o.darwin-shared: link_o.darwin
-link_a.darwin-shared: link_a.darwin
+link_dso.darwin-shared: link_dso.darwin
+link_shlib.darwin-shared: link_shlib.darwin
 link_app.darwin-shared: link_app.darwin
 symlink.darwin-shared: symlink.darwin
-link_o.cygwin-shared: link_o.cygwin
-link_a.cygwin-shared: link_a.cygwin
+link_dso.cygwin-shared: link_dso.cygwin
+link_shlib.cygwin-shared: link_shlib.cygwin
 link_app.cygwin-shared: link_app.cygwin
 symlink.cygwin-shared: symlink.cygwin
-link_o.alpha-osf1-shared: link_o.alpha-osf1
-link_a.alpha-osf1-shared: link_a.alpha-osf1
+link_dso.mingw-shared: link_dso.cygwin
+link_shlib.mingw-shared: link_shlib.mingw
+link_app.mingw-shared: link_app.cygwin
+symlink.mingw-shared: symlink.cygwin
+link_dso.alpha-osf1-shared: link_dso.alpha-osf1
+link_shlib.alpha-osf1-shared: link_shlib.alpha-osf1
 link_app.alpha-osf1-shared: link_app.alpha-osf1
 symlink.alpha-osf1-shared: symlink.alpha-osf1
-link_o.tru64-shared: link_o.tru64
-link_a.tru64-shared: link_a.tru64
+link_dso.tru64-shared: link_dso.tru64
+link_shlib.tru64-shared: link_shlib.tru64
 link_app.tru64-shared: link_app.tru64
 symlink.tru64-shared: symlink.tru64
-link_o.tru64-shared-rpath: link_o.tru64-rpath
-link_a.tru64-shared-rpath: link_a.tru64-rpath
+link_dso.tru64-shared-rpath: link_dso.tru64-rpath
+link_shlib.tru64-shared-rpath: link_shlib.tru64-rpath
 link_app.tru64-shared-rpath: link_app.tru64-rpath
 symlink.tru64-shared-rpath: symlink.tru64-rpath
-link_o.solaris-shared: link_o.solaris
-link_a.solaris-shared: link_a.solaris
+link_dso.solaris-shared: link_dso.solaris
+link_shlib.solaris-shared: link_shlib.solaris
 link_app.solaris-shared: link_app.solaris
 symlink.solaris-shared: symlink.solaris
-link_o.svr3-shared: link_o.svr3
-link_a.svr3-shared: link_a.svr3
+link_dso.svr3-shared: link_dso.svr3
+link_shlib.svr3-shared: link_shlib.svr3
 link_app.svr3-shared: link_app.svr3
 symlink.svr3-shared: symlink.svr3
-link_o.svr5-shared: link_o.svr5
-link_a.svr5-shared: link_a.svr5
+link_dso.svr5-shared: link_dso.svr5
+link_shlib.svr5-shared: link_shlib.svr5
 link_app.svr5-shared: link_app.svr5
 symlink.svr5-shared: symlink.svr5
-link_o.irix-shared: link_o.irix
-link_a.irix-shared: link_a.irix
+link_dso.irix-shared: link_dso.irix
+link_shlib.irix-shared: link_shlib.irix
 link_app.irix-shared: link_app.irix
 symlink.irix-shared: symlink.irix
-link_o.hpux-shared: link_o.hpux
-link_a.hpux-shared: link_a.hpux
+link_dso.hpux-shared: link_dso.hpux
+link_shlib.hpux-shared: link_shlib.hpux
 link_app.hpux-shared: link_app.hpux
 symlink.hpux-shared: symlink.hpux
-link_o.aix-shared: link_o.aix
-link_a.aix-shared: link_a.aix
+link_dso.aix-shared: link_dso.aix
+link_shlib.aix-shared: link_shlib.aix
 link_app.aix-shared: link_app.aix
 symlink.aix-shared: symlink.aix

NEWS

@@ -5,14 +5,18 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.2g and OpenSSL 1.1.0 [in pre-release]
 
+      o "shared" builds are now the default when possible
+      o Added support for "pipelining"
+      o Added the AFALG engine
+      o New threading API implemented
       o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
       o Support for extended master secret
       o CCM ciphersuites
       o Reworked test suite, now based on perl, Test::Harness and Test::More
-      o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
-        EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
+      o *Most* libcrypto and libssl structures were made opaque including:
+        <TBA>
       o libssl internal structures made opaque
       o SSLv2 support removed
       o Kerberos ciphersuite support removed
@@ -34,6 +38,26 @@
         the directory for certs, private key and openssl.cnf exclusively.
       o Reworked BIO networking library, with full support for IPv6.
       o New "unified" build system
+      o New security levels
+      o Support for scrypt algorithm
+      o Support for X25519
+      o Extended SSL_CONF support using configuration files
+      o KDF algorithm support. Implement TLS PRF as a KDF.
+      o Support for Certificate Transparency
+      o HKDF support.
+
+  Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
+
+      o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+      o Disable SSLv2 default build, default negotiation and weak ciphers
+        (CVE-2016-0800)
+      o Fix a double-free in DSA code (CVE-2016-0705)
+      o Disable SRP fake user seed to address a server memory leak
+        (CVE-2016-0798)
+      o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+        (CVE-2016-0797)
+      o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
+      o Fix side channel attack on modular exponentiation (CVE-2016-0702)
 
   Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
 

NOTES.VMS

@@ -0,0 +1,63 @@
+
+ NOTES FOR THE OPENVMS PLATFORM
+ ==============================
+
+ Requirement details
+ -------------------
+
+ In addition to the requirements and instructions listed in INSTALL,
+ this are required as well:
+
+  * At least ODS-5 disk organization for source and build.
+    Installation can be done on any existing disk organization.
+
+
+ About ANSI C compiler
+ ---------------------
+
+ An ANSI C compiled is needed among other things.  This means that
+ VAX C is not and will not be supported.
+
+ We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require
+ version 7.1 or later.  Compiling with a different ANSI C compiler may
+ require some work.
+
+ Please avoid using C RTL feature logical names DECC$* when building
+ and testing OpenSSL.  Most of all, they can be disruptive when
+ running the tests, as they affect the Perl interpreter.
+
+
+ About MMS and DCL
+ -----------------
+
+ MMS has certain limitations when it comes to line length, and DCL has
+ certain limitations when it comes to total command length.  We do
+ what we can to mitigate, but there is the possibility that it's not
+ enough.  Should you run into issues, a very simple solution is to set
+ yourself up a few logical names for the directory trees you're going
+ to use.
+
+
+ Checking the distribution
+ -------------------------
+
+ There have been reports of places where the distribution didn't quite
+ get through, for example if you've copied the tree from a NFS-mounted
+ Unix mount point.
+
+ The easiest way to check if everything got through as it should is to
+ check for one of the following files:
+
+   [.crypto]opensslconf^.h.in
+
+ The best way to get a correct distribution is to download the gzipped
+ tar file from ftp://ftp.openssl.org/source/, use GZIP -d to uncompress
+ it and VMSTAR to unpack the resulting tar file.
+
+ Gzip and VMSTAR are available here:
+
+   http://antinode.info/dec/index.html#Software
+
+ Should you need it, you can find UnZip for VMS here:
+
+   http://www.info-zip.org/UnZip.html

NOTES.WIN

@@ -0,0 +1,131 @@
+
+ NOTES FOR THE WINDOWS PLATFORMS
+ ===============================
+
+ [Notes for Windows CE can be found in INSTALL.WCE]
+
+ Requirement details for native (Visual C++) builds
+ --------------------------------------------------
+
+ - You need Perl.  We recommend ActiveState Perl, available from
+   http://www.activestate.com/ActivePerl.
+   You also need the perl module Text::Template, available on CPAN.
+   Please read README.PERL for more information.
+
+ - You need a C compiler.  OpenSSL has been tested to build with these:
+
+   * Visual C++
+
+ - Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us,
+   is required if you intend to utilize assembler modules. Note that NASM
+   is the only supported assembler. The Microsoft provided assembler is NOT
+   supported.
+
+
+ Visual C++ (native Windows)
+ ---------------------------
+
+ Installation directories
+
+ The default installation directories are derived from environment
+ variables.
+
+ For VC-WIN32, the following defaults are use:
+
+     PREFIX:      %ProgramFiles(86)%\OpenSSL
+     OPENSSLDIR:  %CommonProgramFiles(86)%\SSL
+
+ For VC-WIN32, the following defaults are use:
+
+     PREFIX:      %ProgramW6432%\OpenSSL
+     OPENSSLDIR:  %CommonProgramW6432%\SSL
+
+ Should those environment variables not exist (on a pure Win32
+ installation for examples), these fallbacks are used:
+
+     PREFIX:      %ProgramFiles%\OpenSSL
+     OPENSSLDIR:  %CommonProgramFiles%\SSL
+
+
+ GNU C (Cygwin)
+ --------------
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of the
+ Windows subsystem and provides a bash shell and GNU tools environment.
+ Consequently, a make of OpenSSL with Cygwin is virtually identical to the
+ Unix procedure.
+
+ To build OpenSSL using Cygwin, you need to:
+
+ * Install Cygwin (see http://cygwin.com/)
+
+ * Install Cygwin Perl and ensure it is in the path. Recall that
+   as least 5.10.0 is required.
+
+ * Run the Cygwin bash shell
+
+ Apart from that, follow the Unix instructions in INSTALL.
+
+ NOTE: "make test" and normal file operations may fail in directories
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
+ stripping of carriage returns. To avoid this ensure that a binary
+ mount is used, e.g. mount -b c:\somewhere /home.
+
+ It is also possible to create "conventional" Windows binaries that use
+ the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using MinGW
+ development add-on for Cygwin. MinGW is supported even as a standalone
+ setup as described in the following section. In the context you should
+ recognize that binaries targeting Cygwin itself are not interchangeable
+ with "conventional" Windows binaries you generate with/for MinGW.
+
+
+ GNU C (MinGW/MSYS)
+ ------------------
+
+ * Compiler and shell environment installation:
+
+   MinGW and MSYS are available from http://www.mingw.org/, both are
+   required. Run the installers and do whatever magic they say it takes
+   to start MSYS bash shell with GNU tools and matching Perl on its PATH.
+   "Matching Perl" refers to chosen "shell environment", i.e. if built
+   under MSYS, then Perl compiled for MSYS is highly recommended.
+
+   Alternativelly, one can use MSYS2 from http://msys2.github.io/,
+   which includes MingW (32-bit and 64-bit).
+
+ * It is also possible to cross-compile it on Linux by configuring
+   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'.
+   Other possible cross compile prefixes include x86_64-w64-mingw32-
+   and i686-w64-mingw32-.
+
+
+ Linking your application
+ ------------------------
+
+ This section applies to non-Cygwin builds.
+
+ If you link with static OpenSSL libraries then you're expected to
+ additionally link your application with WS2_32.LIB, ADVAPI32.LIB,
+ GDI32.LIB and USER32.LIB. Those developing non-interactive service
+ applications might feel concerned about linking with the latter two,
+ as they are justly associated with interactive desktop, which is not
+ available to service processes. The toolkit is designed to detect in
+ which context it's currently executed, GUI, console app or service,
+ and act accordingly, namely whether or not to actually make GUI calls.
+ Additionally those who wish to /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL
+ and actually keep them off service process should consider
+ implementing and exporting from .exe image in question own
+ _OPENSSL_isservice not relying on USER32.DLL.
+ E.g., on Windows Vista and later you could:
+
+	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
+	{   DWORD sess;
+	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
+	        return sess==0;
+	    return FALSE;
+	}
+
+ If you link with OpenSSL .DLLs, then you're expected to include into
+ your application code small "shim" snippet, which provides glue between
+ OpenSSL BIO layer and your compiler run-time. See the OPENSSL_Applink
+ manual page for further details.

Netware/build.bat

@@ -1,235 +0,0 @@
-@echo off
-
-rem ========================================================================
-rem   Batch file to automate building OpenSSL for NetWare.
-rem
-rem   usage:
-rem      build [target] [debug opts] [assembly opts] [configure opts]
-rem
-rem      target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
-rem                    - "netware-clib-bsdsock" - CLib NetWare build (BSD Sockets)
-rem                    - "netware-libc" - LibC NetWare build (WinSock Sockets)
-rem                    - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
-rem 
-rem      debug opts    - "debug"  - build debug
-rem
-rem      assembly opts - "nw-mwasm" - use Metrowerks assembler
-rem                    - "nw-nasm"  - use NASM assembler
-rem                    - "no-asm"   - don't use assembly
-rem
-rem      configure opts- all unrecognized arguments are passed to the
-rem                       perl configure script
-rem
-rem   If no arguments are specified the default is to build non-debug with
-rem   no assembly.  NOTE: there is no default BLD_TARGET.
-rem
-
-
-
-rem   No assembly is the default - Uncomment section below to change
-rem   the assembler default
-set ASM_MODE=
-set ASSEMBLER=
-set NO_ASM=no-asm
-
-rem   Uncomment to default to the Metrowerks assembler
-rem set ASM_MODE=nw-mwasm
-rem set ASSEMBLER=Metrowerks
-rem set NO_ASM=
-
-rem   Uncomment to default to the NASM assembler
-rem set ASM_MODE=nw-nasm
-rem set ASSEMBLER=NASM
-rem set NO_ASM=
-
-rem   No default Bld target
-set BLD_TARGET=no_target
-rem set BLD_TARGET=netware-clib
-rem set BLD_TARGET=netware-libc
-
-
-rem   Default to build non-debug
-set DEBUG=
-                                    
-rem   Uncomment to default to debug build
-rem set DEBUG=debug
-
-
-set CONFIG_OPTS=
-set ARG_PROCESSED=NO
-
-
-rem   Process command line args
-:opts
-if "a%1" == "a" goto endopt
-if "%1" == "no-asm"   set NO_ASM=no-asm
-if "%1" == "no-asm"   set ARG_PROCESSED=YES
-if "%1" == "debug"    set DEBUG=debug
-if "%1" == "debug"    set ARG_PROCESSED=YES
-if "%1" == "nw-nasm"  set ASM_MODE=nw-nasm
-if "%1" == "nw-nasm"  set ASSEMBLER=NASM
-if "%1" == "nw-nasm"  set NO_ASM=
-if "%1" == "nw-nasm"  set ARG_PROCESSED=YES
-if "%1" == "nw-mwasm" set ASM_MODE=nw-mwasm
-if "%1" == "nw-mwasm" set ASSEMBLER=Metrowerks
-if "%1" == "nw-mwasm" set NO_ASM=
-if "%1" == "nw-mwasm" set ARG_PROCESSED=YES
-if "%1" == "netware-clib" set BLD_TARGET=netware-clib
-if "%1" == "netware-clib" set ARG_PROCESSED=YES
-if "%1" == "netware-clib-bsdsock" set BLD_TARGET=netware-clib-bsdsock
-if "%1" == "netware-clib-bsdsock" set ARG_PROCESSED=YES
-if "%1" == "netware-libc" set BLD_TARGET=netware-libc
-if "%1" == "netware-libc" set ARG_PROCESSED=YES
-if "%1" == "netware-libc-bsdsock" set BLD_TARGET=netware-libc-bsdsock
-if "%1" == "netware-libc-bsdsock" set ARG_PROCESSED=YES
-
-rem   If we didn't recognize the argument, consider it an option for config
-if "%ARG_PROCESSED%" == "NO" set CONFIG_OPTS=%CONFIG_OPTS% %1
-if "%ARG_PROCESSED%" == "YES" set ARG_PROCESSED=NO
-
-shift
-goto opts
-:endopt
-
-rem make sure a valid BLD_TARGET was specified
-if "%BLD_TARGET%" == "no_target" goto no_target
-
-rem build the nlm make file name which includes target and debug info
-set NLM_MAKE=
-if "%BLD_TARGET%" == "netware-clib" set NLM_MAKE=netware\nlm_clib
-if "%BLD_TARGET%" == "netware-clib-bsdsock" set NLM_MAKE=netware\nlm_clib_bsdsock
-if "%BLD_TARGET%" == "netware-libc" set NLM_MAKE=netware\nlm_libc
-if "%BLD_TARGET%" == "netware-libc-bsdsock" set NLM_MAKE=netware\nlm_libc_bsdsock
-if "%DEBUG%" == "" set NLM_MAKE=%NLM_MAKE%.mak
-if "%DEBUG%" == "debug" set NLM_MAKE=%NLM_MAKE%_dbg.mak
-
-if "%NO_ASM%" == "no-asm" set ASM_MODE=
-if "%NO_ASM%" == "no-asm" set ASSEMBLER=
-if "%NO_ASM%" == "no-asm" set CONFIG_OPTS=%CONFIG_OPTS% no-asm
-if "%NO_ASM%" == "no-asm" goto do_config
-
-
-rem ==================================================
-echo Generating x86 for %ASSEMBLER% assembler
-
-echo Bignum
-cd crypto\bn\asm
-rem perl x86.pl %ASM_MODE% > bn-nw.asm
-perl bn-586.pl %ASM_MODE% > bn-nw.asm
-perl co-586.pl %ASM_MODE% > co-nw.asm
-cd ..\..\..
-
-echo AES
-cd crypto\aes\asm
-perl aes-586.pl %ASM_MODE% > a-nw.asm
-cd ..\..\..
-
-echo DES
-cd crypto\des\asm
-perl des-586.pl %ASM_MODE% > d-nw.asm
-cd ..\..\..
-
-echo "crypt(3)"
-
-cd crypto\des\asm
-perl crypt586.pl %ASM_MODE% > y-nw.asm
-cd ..\..\..
-
-echo Blowfish
-
-cd crypto\bf\asm
-perl bf-586.pl %ASM_MODE% > b-nw.asm
-cd ..\..\..
-
-echo CAST5
-cd crypto\cast\asm
-perl cast-586.pl %ASM_MODE% > c-nw.asm
-cd ..\..\..
-
-echo RC4
-cd crypto\rc4\asm
-perl rc4-586.pl %ASM_MODE% > r4-nw.asm
-cd ..\..\..
-
-echo MD5
-cd crypto\md5\asm
-perl md5-586.pl %ASM_MODE% > m5-nw.asm
-cd ..\..\..
-
-echo SHA1
-cd crypto\sha\asm
-perl sha1-586.pl %ASM_MODE% > s1-nw.asm
-perl sha256-586.pl %ASM_MODE% > sha256-nw.asm
-perl sha512-586.pl %ASM_MODE% > sha512-nw.asm
-cd ..\..\..
-
-echo RIPEMD160
-cd crypto\ripemd\asm
-perl rmd-586.pl %ASM_MODE% > rm-nw.asm
-cd ..\..\..
-
-echo RC5\32
-cd crypto\rc5\asm
-perl rc5-586.pl %ASM_MODE% > r5-nw.asm
-cd ..\..\..
-
-echo WHIRLPOOL
-cd crypto\whrlpool\asm
-perl wp-mmx.pl %ASM_MODE% > wp-nw.asm
-cd ..\..\..
-
-echo CPUID
-cd crypto
-perl x86cpuid.pl %ASM_MODE% > x86cpuid-nw.asm
-cd ..\
-
-rem ===============================================================
-rem
-:do_config
-
-echo .
-echo configure options: %CONFIG_OPTS% %BLD_TARGET%
-echo .
-perl configure %CONFIG_OPTS% %BLD_TARGET%
-
-perl util\mkfiles.pl >MINFO
-
-echo .
-echo mk1mf.pl options: %DEBUG% %ASM_MODE% %CONFIG_OPTS% %BLD_TARGET%
-echo .
-perl util\mk1mf.pl %DEBUG% %ASM_MODE% %CONFIG_OPTS% %BLD_TARGET% >%NLM_MAKE%
-
-make -f %NLM_MAKE% vclean
-echo .
-echo The makefile "%NLM_MAKE%" has been created use your maketool to
-echo build (ex: make -f %NLM_MAKE%)
-goto end
-
-rem ===============================================================
-rem
-:no_target
-echo .
-echo .  No build target specified!!!
-echo .
-echo .  usage: build [target] [debug opts] [assembly opts] [configure opts]
-echo .
-echo .     target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
-echo .                   - "netware-clib-bsdsock" - CLib NetWare build (BSD Sockets)
-echo .                   - "netware-libc" - LibC NetWare build (WinSock Sockets)
-echo .                   - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
-echo .
-echo .     debug opts    - "debug"  - build debug
-echo .
-echo .     assembly opts - "nw-mwasm" - use Metrowerks assembler
-echo .                     "nw-nasm"  - use NASM assembler
-echo .                     "no-asm"   - don't use assembly
-echo .
-echo .     configure opts- all unrecognized arguments are passed to the
-echo .                      perl configure script
-echo .
-echo .  If no debug or assembly opts are specified the default is to build
-echo .  non-debug without assembly
-echo .
-
-        
-:end        

Netware/cpy_tests.bat

@@ -1,113 +0,0 @@
-@echo off
-
-rem   Batch file to copy OpenSSL stuff to a NetWare server for testing
-
-rem   This batch file will create an "opensssl" directory at the root of the
-rem   specified NetWare drive and copy the required files to run the tests.
-rem   It should be run from inside the "openssl\netware" subdirectory.
-
-rem   Usage:
-rem      cpy_tests.bat <test subdirectory> <NetWare drive>
-rem          <test subdirectory> - out_nw.dbg | out_nw
-rem          <NetWare drive> - any mapped drive letter
-rem
-rem      example ( copy from debug build to m: dirve ):
-rem              cpy_tests.bat out_nw.dbg m:
-rem
-rem      CAUTION:  If a directory named OpenSSL exists on the target drive
-rem                it will be deleted first.
-
-
-if "%1" == "" goto usage
-if "%2" == "" goto usage
-
-rem   Assume running in \openssl directory unless cpy_tests.bat exists then
-rem   it must be the \openssl\netware directory
-set loc=.
-if exist cpy_tests.bat set loc=..
-
-rem   make sure the local build subdirectory specified is valid
-if not exist %loc%\%1\NUL goto invalid_dir
-
-rem   make sure target drive is valid
-if not exist %2\NUL goto invalid_drive
-
-rem   If an OpenSSL directory exists on the target drive, remove it
-if exist %2\openssl\NUL goto remove_openssl
-goto do_copy
-
-:remove_openssl
-echo .
-echo OpenSSL directory exists on %2 - it will be removed!
-pause
-rmdir %2\openssl /s /q
-
-:do_copy
-rem   make an "openssl" directory and others at the root of the NetWare drive
-mkdir %2\openssl
-mkdir %2\openssl\test_out
-mkdir %2\openssl\apps
-mkdir %2\openssl\certs
-mkdir %2\openssl\test
-
-
-rem   copy the test nlms
-copy %loc%\%1\*.nlm %2\openssl\
-
-rem   copy the test perl script
-copy %loc%\netware\do_tests.pl %2\openssl\
-
-rem   copy the certs directory stuff
-xcopy %loc%\certs\*.*         %2\openssl\certs\ /s
-
-rem   copy the test directory stuff
-copy %loc%\test\CAss.cnf      %2\openssl\test\
-copy %loc%\test\Uss.cnf       %2\openssl\test\
-copy %loc%\test\pkcs7.pem     %2\openssl\test\
-copy %loc%\test\pkcs7-1.pem   %2\openssl\test\
-copy %loc%\test\testcrl.pem   %2\openssl\test\
-copy %loc%\test\testp7.pem    %2\openssl\test\
-copy %loc%\test\testreq2.pem  %2\openssl\test\
-copy %loc%\test\testrsa.pem   %2\openssl\test\
-copy %loc%\test\testsid.pem   %2\openssl\test\
-copy %loc%\test\testx509.pem  %2\openssl\test\
-copy %loc%\test\v3-cert1.pem  %2\openssl\test\
-copy %loc%\test\v3-cert2.pem  %2\openssl\test\
-copy %loc%\crypto\evp\evptests.txt %2\openssl\test\
-
-rem   copy the apps directory stuff
-copy %loc%\apps\client.pem    %2\openssl\apps\
-copy %loc%\apps\server.pem    %2\openssl\apps\
-copy %loc%\apps\openssl.cnf   %2\openssl\apps\
-
-echo .
-echo Tests copied
-echo Run the test script at the console by typing:
-echo     "Perl \openssl\do_tests.pl"
-echo .
-echo Make sure the Search path includes the OpenSSL subdirectory
-
-goto end
-
-:invalid_dir
-echo.
-echo Invalid build directory specified: %1
-echo.
-goto usage
-
-:invalid_drive
-echo.
-echo Invalid drive: %2
-echo.
-goto usage
-
-:usage
-echo.
-echo usage: cpy_tests.bat [test subdirectory] [NetWare drive]
-echo     [test subdirectory] - out_nw_clib.dbg, out_nw_libc.dbg, etc. 
-echo     [NetWare drive]     - any mapped drive letter
-echo.
-echo example: cpy_test out_nw_clib.dbg M:
-echo  (copy from clib debug build area to M: drive)
-
-:end

Netware/do_tests.pl

@@ -1,592 +0,0 @@
-# perl script to run OpenSSL tests
-
-
-my $base_path      = "\\openssl";
-
-my $output_path    = "$base_path\\test_out";
-my $cert_path      = "$base_path\\certs";
-my $test_path      = "$base_path\\test";
-my $app_path       = "$base_path\\apps";
-
-my $tmp_cert       = "$output_path\\cert.tmp";
-my $OpenSSL_config = "$app_path\\openssl.cnf";
-my $log_file       = "$output_path\\tests.log";
-
-my $pause = 0;
-
-
-#  process the command line args to see if they wanted us to pause
-#  between executing each command
-foreach $i (@ARGV)
-{
-   if ($i =~ /^-p$/)
-   { $pause=1; }
-}
-
-
-
-main();
-
-
-############################################################################
-sub main()
-{
-   # delete all the output files in the output directory
-   unlink <$output_path\\*.*>;
-
-   # open the main log file
-   open(OUT, ">$log_file") || die "unable to open $log_file\n";
-
-   print( OUT "========================================================\n");
-   my $outFile = "$output_path\\version.out";
-   system("openssl2 version (CLIB_OPT)/>$outFile");
-   log_output("CHECKING FOR OPENSSL VERSION:", $outFile);
-
-   algorithm_tests();
-   encryption_tests();
-   evp_tests();
-   pem_tests();
-   verify_tests();
-   ca_tests();
-   ssl_tests();
-
-   close(OUT);
-
-   print("\nCompleted running tests.\n\n");
-   print("Check log file for errors: $log_file\n");
-}
-
-############################################################################
-sub algorithm_tests
-{
-   my $i;
-   my $outFile;
-   my @tests = ( rsa_test, destest, ideatest, bftest, bntest, shatest, sha1test,
-                 sha256t, sha512t, dsatest, md2test, md4test, md5test, mdc2test,
-                 rc2test, rc4test, rc5test, randtest, rmdtest, dhtest, ecdhtest,
-                 ecdsatest, ectest, exptest, casttest, hmactest );
-
-   print( "\nRUNNING CRYPTO ALGORITHM TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "CRYPTO ALGORITHM TESTS:\n\n");
-
-   foreach $i (@tests)
-   {
-      if (-e "$base_path\\$i.nlm")
-      {
-         $outFile = "$output_path\\$i.out";
-         system("$i (CLIB_OPT)/>$outFile");
-         log_desc("Test: $i\.nlm:");
-         log_output("", $outFile );
-      }
-      else
-      {
-         log_desc("Test: $i\.nlm: file not found");
-      }
-   }
-}
-
-############################################################################
-sub encryption_tests
-{
-   my $i;
-   my $outFile;
-   my @enc_tests = ( "enc", "rc4", "des-cfb", "des-ede-cfb", "des-ede3-cfb",
-                     "des-ofb", "des-ede-ofb", "des-ede3-ofb",
-                     "des-ecb", "des-ede", "des-ede3", "des-cbc",
-                     "des-ede-cbc", "des-ede3-cbc", "idea-ecb", "idea-cfb",
-                     "idea-ofb", "idea-cbc", "rc2-ecb", "rc2-cfb",
-                     "rc2-ofb", "rc2-cbc", "bf-ecb", "bf-cfb",
-                     "bf-ofb", "bf-cbc" );
-
-   my $input = "$base_path\\do_tests.pl";
-   my $cipher = "$output_path\\cipher.out";
-   my $clear = "$output_path\\clear.out";
-
-   print( "\nRUNNING ENCRYPTION & DECRYPTION TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "FILE ENCRYPTION & DECRYPTION TESTS:\n\n");
-
-   foreach $i (@enc_tests)
-   {
-      log_desc("Testing: $i");
-
-      # do encryption
-      $outFile = "$output_path\\enc.out";
-      system("openssl2 $i -e -bufsize 113 -k test -in $input -out $cipher (CLIB_OPT)/>$outFile" );
-      log_output("Encrypting: $input --> $cipher", $outFile);
-
-      # do decryption
-      $outFile = "$output_path\\dec.out";
-      system("openssl2 $i -d -bufsize 157 -k test -in $cipher -out $clear (CLIB_OPT)/>$outFile");
-      log_output("Decrypting: $cipher --> $clear", $outFile);
-
-      # compare files
-      $x = compare_files( $input, $clear, 1);
-      if ( $x == 0 )
-      {
-         print( "\rSUCCESS - files match: $input, $clear\n");
-         print( OUT "SUCCESS - files match: $input, $clear\n");
-      }
-      else
-      {
-         print( "\rERROR: files don't match\n");
-         print( OUT "ERROR: files don't match\n");
-      }
-
-      do_wait();
-
-      # Now do the same encryption but use Base64
-
-      # do encryption B64
-      $outFile = "$output_path\\B64enc.out";
-      system("openssl2 $i -a -e -bufsize 113 -k test -in $input -out $cipher (CLIB_OPT)/>$outFile");
-      log_output("Encrypting(B64): $cipher --> $clear", $outFile);
-
-      # do decryption B64
-      $outFile = "$output_path\\B64dec.out";
-      system("openssl2 $i -a -d -bufsize 157 -k test -in $cipher -out $clear (CLIB_OPT)/>$outFile");
-      log_output("Decrypting(B64): $cipher --> $clear", $outFile);
-
-      # compare files
-      $x = compare_files( $input, $clear, 1);
-      if ( $x == 0 )
-      {
-         print( "\rSUCCESS - files match: $input, $clear\n");
-         print( OUT "SUCCESS - files match: $input, $clear\n");
-      }
-      else
-      {
-         print( "\rERROR: files don't match\n");
-         print( OUT "ERROR: files don't match\n");
-      }
-
-      do_wait();
-
-   } # end foreach
-
-   # delete the temporary files
-   unlink($cipher);
-   unlink($clear);
-}
-
-
-############################################################################
-sub pem_tests
-{
-   my $i;
-   my $tmp_out;
-   my $outFile = "$output_path\\pem.out";
-
-   my %pem_tests = (
-         "crl"      => "testcrl.pem",
-          "pkcs7"   => "testp7.pem",
-          "req"     => "testreq2.pem",
-          "rsa"     => "testrsa.pem",
-          "x509"    => "testx509.pem",
-          "x509"    => "v3-cert1.pem",
-          "sess_id" => "testsid.pem"  );
-
-
-   print( "\nRUNNING PEM TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "PEM TESTS:\n\n");
-
-   foreach $i (keys(%pem_tests))
-   {
-      log_desc( "Testing: $i");
-
-      my $input = "$test_path\\$pem_tests{$i}";
-
-      $tmp_out = "$output_path\\$pem_tests{$i}";
-
-      if ($i ne "req" )
-      {
-         system("openssl2 $i -in $input -out $tmp_out (CLIB_OPT)/>$outFile");
-         log_output( "openssl2 $i -in $input -out $tmp_out", $outFile);
-      }
-      else
-      {
-         system("openssl2 $i -in $input -out $tmp_out -config $OpenSSL_config (CLIB_OPT)/>$outFile");
-         log_output( "openssl2 $i -in $input -out $tmp_out -config $OpenSSL_config", $outFile );
-      }
-
-      $x = compare_files( $input, $tmp_out);
-      if ( $x == 0 )
-      {
-         print( "\rSUCCESS - files match: $input, $tmp_out\n");
-         print( OUT "SUCCESS - files match: $input, $tmp_out\n");
-      }
-      else
-      {
-         print( "\rERROR: files don't match\n");
-         print( OUT "ERROR: files don't match\n");
-      }
-      do_wait();
-
-   } # end foreach
-}
-
-
-############################################################################
-sub verify_tests
-{
-   my $i;
-   my $outFile = "$output_path\\verify.out";
-
-   $cert_path =~ s/\\/\//g;
-   my @cert_files = <$cert_path/*.pem>;
-
-   print( "\nRUNNING VERIFY TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "VERIFY TESTS:\n\n");
-
-   make_tmp_cert_file();
-
-   foreach $i (@cert_files)
-   {
-      system("openssl2 verify -CAfile $tmp_cert $i (CLIB_OPT)/>$outFile");
-      log_desc("Verifying cert: $i");
-      log_output("openssl2 verify -CAfile $tmp_cert $i", $outFile);
-   }
-}
-
-
-############################################################################
-sub ssl_tests
-{
-   my $outFile = "$output_path\\ssl_tst.out";
-   my($CAcert) = "$output_path\\certCA.ss";
-   my($Ukey)   = "$output_path\\keyU.ss";
-   my($Ucert)  = "$output_path\\certU.ss";
-   my($ssltest)= "ssltest -key $Ukey -cert $Ucert -c_key $Ukey -c_cert $Ucert -CAfile $CAcert";
-
-   print( "\nRUNNING SSL TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "SSL TESTS:\n\n");
-
-   system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3:");
-   log_output("ssltest -ssl3", $outFile);
-
-   system("$ssltest -ssl3 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with server authentication:");
-   log_output("$ssltest -ssl3 -server_auth", $outFile);
-
-   system("$ssltest -ssl3 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with client authentication:");
-   log_output("$ssltest -ssl3 -client_auth", $outFile);
-
-   system("$ssltest -ssl3 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with both client and server authentication:");
-   log_output("$ssltest -ssl3 -server_auth -client_auth", $outFile);
-
-   system("ssltest (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3:");
-   log_output("ssltest", $outFile);
-
-   system("$ssltest -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with server authentication:");
-   log_output("$ssltest -server_auth", $outFile);
-
-   system("$ssltest -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with client authentication:");
-   log_output("$ssltest -client_auth ", $outFile);
-
-   system("$ssltest -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with both client and server authentication:");
-   log_output("$ssltest -server_auth -client_auth", $outFile);
-
-   system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
-   log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
-
-   system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 via BIO pair:");
-   log_output("ssltest -bio_pair -ssl3", $outFile);
-
-   system("$ssltest -bio_pair -ssl3 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl3 -server_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl3 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with client authentication  via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl3 -client_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl3 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with both client and server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl3 -server_auth -client_auth", $outFile);
-
-   system("ssltest -bio_pair (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 via BIO pair:");
-   log_output("ssltest -bio_pair", $outFile);
-
-   system("$ssltest -bio_pair -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -server_auth", $outFile);
-
-   system("$ssltest -bio_pair -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with client authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -client_auth", $outFile);
-
-   system("$ssltest -bio_pair -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with both client and server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -server_auth -client_auth", $outFile);
-}
-
-
-############################################################################
-sub ca_tests
-{
-   my $outFile = "$output_path\\ca_tst.out";
-
-   my($CAkey)     = "$output_path\\keyCA.ss";
-   my($CAcert)    = "$output_path\\certCA.ss";
-   my($CAserial)  = "$output_path\\certCA.srl";
-   my($CAreq)     = "$output_path\\reqCA.ss";
-   my($CAreq2)    = "$output_path\\req2CA.ss";
-
-   my($CAconf)    = "$test_path\\CAss.cnf";
-
-   my($Uconf)     = "$test_path\\Uss.cnf";
-
-   my($Ukey)      = "$output_path\\keyU.ss";
-   my($Ureq)      = "$output_path\\reqU.ss";
-   my($Ucert)     = "$output_path\\certU.ss";
-
-   print( "\nRUNNING CA TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "CA TESTS:\n");
-
-   system("openssl2 req -config $CAconf -out $CAreq -keyout $CAkey -new (CLIB_OPT)/>$outFile");
-   log_desc("Make a certificate request using req:");
-   log_output("openssl2 req -config $CAconf -out $CAreq -keyout $CAkey -new", $outFile);
-
-   system("openssl2 x509 -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey (CLIB_OPT)/>$outFile");
-   log_desc("Convert the certificate request into a self signed certificate using x509:");
-   log_output("openssl2 x509 -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey", $outFile);
-
-   system("openssl2 x509 -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 (CLIB_OPT)/>$outFile");
-   log_desc("Convert a certificate into a certificate request using 'x509':");
-   log_output("openssl2 x509 -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2", $outFile);
-
-   system("openssl2 req -config $OpenSSL_config -verify -in $CAreq -noout (CLIB_OPT)/>$outFile");
-   log_output("openssl2 req -config $OpenSSL_config -verify -in $CAreq -noout", $outFile);
-
-   system("openssl2 req -config $OpenSSL_config -verify -in $CAreq2 -noout (CLIB_OPT)/>$outFile");
-   log_output( "openssl2 req -config $OpenSSL_config -verify -in $CAreq2 -noout", $outFile);
-
-   system("openssl2 verify -CAfile $CAcert $CAcert (CLIB_OPT)/>$outFile");
-   log_output("openssl2 verify -CAfile $CAcert $CAcert", $outFile);
-
-   system("openssl2 req -config $Uconf -out $Ureq -keyout $Ukey -new (CLIB_OPT)/>$outFile");
-   log_desc("Make another certificate request using req:");
-   log_output("openssl2 req -config $Uconf -out $Ureq -keyout $Ukey -new", $outFile);
-
-   system("openssl2 x509 -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -CAserial $CAserial (CLIB_OPT)/>$outFile");
-   log_desc("Sign certificate request with the just created CA via x509:");
-   log_output("openssl2 x509 -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -CAserial $CAserial", $outFile);
-
-   system("openssl2 verify -CAfile $CAcert $Ucert (CLIB_OPT)/>$outFile");
-   log_output("openssl2 verify -CAfile $CAcert $Ucert", $outFile);
-
-   system("openssl2 x509 -subject -issuer -startdate -enddate -noout -in $Ucert (CLIB_OPT)/>$outFile");
-   log_desc("Certificate details");
-   log_output("openssl2 x509 -subject -issuer -startdate -enddate -noout -in $Ucert", $outFile);
-
-   print(OUT "--\n");
-   print(OUT "The generated CA certificate is $CAcert\n");
-   print(OUT "The generated CA private key is $CAkey\n");
-   print(OUT "The current CA signing serial number is in $CAserial\n");
-
-   print(OUT "The generated user certificate is $Ucert\n");
-   print(OUT "The generated user private key is $Ukey\n");
-   print(OUT "--\n");
-}
-
-############################################################################
-sub evp_tests
-{
-   my $i = 'evp_test';
-
-   print( "\nRUNNING EVP TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "EVP TESTS:\n\n");
-
-   if (-e "$base_path\\$i.nlm")
-   {
-       my $outFile = "$output_path\\$i.out";
-       system("$i $test_path\\evptests.txt (CLIB_OPT)/>$outFile");
-       log_desc("Test: $i\.nlm:");
-       log_output("", $outFile );
-   }
-   else
-   {
-       log_desc("Test: $i\.nlm: file not found");
-   }
-}
-
-############################################################################
-sub log_output( $ $ )
-{
-   my( $desc, $file ) = @_;
-   my($error) = 0;
-   my($key);
-   my($msg);
-
-   if ($desc)
-   {
-      print("\r$desc\n");
-      print(OUT "$desc\n");
-   }
-
-      # loop waiting for test program to complete
-   while ( stat($file) == 0)
-      { print(". "); sleep(1); }
-
-
-      # copy test output to log file
-   open(IN, "<$file");
-   while (<IN>)
-   {
-      print(OUT $_);
-      if ( $_ =~ /ERROR/ )
-      {
-         $error = 1;
-      }
-   }
-      # close and delete the temporary test output file
-   close(IN);
-   unlink($file);
-
-   if ( $error == 0 )
-   {
-      $msg = "Test Succeeded";
-   }
-   else
-   {
-      $msg = "Test Failed";
-   }
-
-   print(OUT "$msg\n");
-
-   if ($pause)
-   {
-      print("$msg - press ENTER to continue...");
-      $key = getc;
-      print("\n");
-   }
-
-      # Several of the testing scripts run a loop loading the
-      # same NLM with different options.
-      # On slow NetWare machines there appears to be some delay in the
-      # OS actually unloading the test nlms and the OS complains about.
-      # the NLM already being loaded.  This additional pause is to
-      # to help provide a little more time for unloading before trying to
-      # load again.
-   sleep(1);
-}
-
-
-############################################################################
-sub log_desc( $ )
-{
-   my( $desc ) = @_;
-
-   print("\n");
-   print("$desc\n");
-
-   print(OUT "\n");
-   print(OUT "$desc\n");
-   print(OUT "======================================\n");
-}
-
-############################################################################
-sub compare_files( $ $ $ )
-{
-   my( $file1, $file2, $binary ) = @_;
-   my( $n1, $n2, $b1, $b2 );
-   my($ret) = 1;
-
-   open(IN0, $file1) || die "\nunable to open $file1\n";
-   open(IN1, $file2) || die "\nunable to open $file2\n";
-
-  if ($binary)
-  {
-      binmode IN0;
-      binmode IN1;
-  }
-
-   for (;;)
-   {
-      $n1 = read(IN0, $b1, 512);
-      $n2 = read(IN1, $b2, 512);
-
-      if ($n1 != $n2) {last;}
-      if ($b1 != $b2) {last;}
-
-      if ($n1 == 0)
-      {
-         $ret = 0;
-         last;
-      }
-   }
-   close(IN0);
-   close(IN1);
-   return($ret);
-}
-
-############################################################################
-sub do_wait()
-{
-   my($key);
-
-   if ($pause)
-   {
-      print("Press ENTER to continue...");
-      $key = getc;
-      print("\n");
-   }
-}
-
-
-############################################################################
-sub make_tmp_cert_file()
-{
-   my @cert_files = <$cert_path/*.pem>;
-
-      # delete the file if it already exists
-   unlink($tmp_cert);
-
-   open( TMP_CERT, ">$tmp_cert") || die "\nunable to open $tmp_cert\n";
-
-   print("building temporary cert file\n");
-
-   # create a temporary cert file that contains all the certs
-   foreach $i (@cert_files)
-   {
-      open( IN_CERT, $i ) || die "\nunable to open $i\n";
-
-      for(;;)
-      {
-         $n = sysread(IN_CERT, $data, 1024);
-
-         if ($n == 0)
-         {
-            close(IN_CERT);
-            last;
-         };
-
-         syswrite(TMP_CERT, $data, $n);
-      }
-   }
-
-   close( TMP_CERT );
-}

Netware/globals.txt

@@ -1,254 +0,0 @@
-An initial review of the OpenSSL code was done to determine how many 
-global variables where present.  The idea was to determine the amount of 
-work required to pull the globals into an instance data structure in 
-order to build a Library NLM for NetWare.  This file contains the results 
-of the review.  Each file is listed along with the globals in the file.  
-The initial review was done very quickly so this list is probably
-not a comprehensive list.
-
-
-cryptlib.c
-===========================================
-
-static STACK *app_locks=NULL;
-
-static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL;
-
-static void (MS_FAR *locking_callback)(int mode,int type,
-   const char *file,int line)=NULL;
-static int (MS_FAR *add_lock_callback)(int *pointer,int amount,
-   int type,const char *file,int line)=NULL;
-static unsigned long (MS_FAR *id_callback)(void)=NULL;
-static struct CRYPTO_dynlock_value *(MS_FAR *dynlock_create_callback)
-   (const char *file,int line)=NULL;
-static void (MS_FAR *dynlock_lock_callback)(int mode,
-   struct CRYPTO_dynlock_value *l, const char *file,int line)=NULL;
-static void (MS_FAR *dynlock_destroy_callback)(struct CRYPTO_dynlock_value *l,
-   const char *file,int line)=NULL;
-
-
-mem.c
-===========================================
-static int allow_customize = 1;      /* we provide flexible functions for */
-static int allow_customize_debug = 1;/* exchanging memory-related functions at
-
-/* may be changed as long as `allow_customize' is set */
-static void *(*malloc_locked_func)(size_t)  = malloc;
-static void (*free_locked_func)(void *)     = free;
-static void *(*malloc_func)(size_t)         = malloc;
-static void *(*realloc_func)(void *, size_t)= realloc;
-static void (*free_func)(void *)            = free;
-
-/* use default functions from mem_dbg.c */
-static void (*malloc_debug_func)(void *,int,const char *,int,int)
-   = CRYPTO_dbg_malloc;
-static void (*realloc_debug_func)(void *,void *,int,const char *,int,int)
-   = CRYPTO_dbg_realloc;
-static void (*free_debug_func)(void *,int) = CRYPTO_dbg_free;
-static void (*set_debug_options_func)(long) = CRYPTO_dbg_set_options;
-static long (*get_debug_options_func)(void) = CRYPTO_dbg_get_options;
-
-
-mem_dbg.c
-===========================================
-static int mh_mode=CRYPTO_MEM_CHECK_OFF;
-static unsigned long order = 0; /* number of memory requests */
-static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
-
-static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's */
-static long options =             /* extra information to be recorded */
-static unsigned long disabling_thread = 0;
-
-
-err.c
-===========================================
-static LHASH *error_hash=NULL;
-static LHASH *thread_hash=NULL;
-
-several files have routines with static "init" to track if error strings
-   have been loaded ( may not want separate error strings for each process )
-   The "init" variable can't be left "global" because the error has is a ptr
-   that is malloc'ed.  The malloc'ed error has is dependant on the "init"
-   vars.
-
-   files:
-      pem_err.c
-      cpt_err.c
-      pk12err.c
-      asn1_err.c
-      bio_err.c
-      bn_err.c
-      buf_err.c
-      comp_err.c
-      conf_err.c
-      cpt_err.c
-      dh_err.c
-      dsa_err.c
-      dso_err.c
-      evp_err.c
-      obj_err.c
-      pkcs7err.c
-      rand_err.c
-      rsa_err.c
-      rsar_err.c
-      ssl_err.c
-      x509_err.c
-      v3err.c
-		err.c
-
-These file have similar "init" globals but they are for other stuff not
-error strings:
-
-		bn_lib.c
-		ecc_enc.c
-		s23_clnt.c
-		s23_meth.c
-		s23_srvr.c
-		s2_clnt.c
-		s2_lib.c
-		s2_meth.c
-		s2_srvr.c
-		s3_clnt.c
-		s3_lib.c
-		s3_srvr.c
-		t1_clnt.c
-		t1_meth.c
-		t1_srvr.c
-
-rand_lib.c
-===========================================
-static RAND_METHOD *rand_meth= &rand_ssleay_meth;
-
-md_rand.c
-===========================================
-static int state_num=0,state_index=0;
-static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
-static unsigned char md[MD_DIGEST_LENGTH];
-static long md_count[2]={0,0};
-static double entropy=0;
-static int initialized=0;
-
-/* This should be set to 1 only when ssleay_rand_add() is called inside
-   an already locked state, so it doesn't try to lock and thereby cause
-   a hang.  And it should always be reset back to 0 before unlocking. */
-static int add_do_not_lock=0;
-
-obj_dat.c
-============================================
-static int new_nid=NUM_NID;
-static LHASH *added=NULL;
-
-b_sock.c
-===========================================
-static unsigned long BIO_ghbn_hits=0L;
-static unsigned long BIO_ghbn_miss=0L;
-static struct ghbn_cache_st
-   {
-   char name[129];
-   struct hostent *ent;
-   unsigned long order;
-   } ghbn_cache[GHBN_NUM];
-
-static int wsa_init_done=0;
-
-
-bio_lib.c
-===========================================
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
-static int bio_meth_num=0;
-
-
-bn_lib.c
-========================================
-static int bn_limit_bits=0;
-static int bn_limit_num=8;        /* (1<<bn_limit_bits) */
-static int bn_limit_bits_low=0;
-static int bn_limit_num_low=8;    /* (1<<bn_limit_bits_low) */
-static int bn_limit_bits_high=0;
-static int bn_limit_num_high=8;   /* (1<<bn_limit_bits_high) */
-static int bn_limit_bits_mont=0;
-static int bn_limit_num_mont=8;   /* (1<<bn_limit_bits_mont) */
-
-conf_lib.c
-========================================
-static CONF_METHOD *default_CONF_method=NULL;
-
-dh_lib.c
-========================================
-static DH_METHOD *default_DH_method;
-static int dh_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
-
-dsa_lib.c
-========================================
-static DSA_METHOD *default_DSA_method;
-static int dsa_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
-
-dso_lib.c
-========================================
-static DSO_METHOD *default_DSO_meth = NULL;
-
-rsa_lib.c
-========================================
-static RSA_METHOD *default_RSA_meth=NULL;
-static int rsa_meth_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
-
-x509_trs.c
-=======================================
-static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
-static STACK_OF(X509_TRUST) *trtable = NULL;
-
-x509_req.c
-=======================================
-static int *ext_nids = ext_nid_list;
-
-o_names.c
-======================================
-static LHASH *names_lh=NULL;
-static STACK_OF(NAME_FUNCS) *name_funcs_stack;
-static int free_type;
-static int names_type_num=OBJ_NAME_TYPE_NUM;
-
-
-th-lock.c - NEED to add support for locking for NetWare
-==============================================
-static long *lock_count;
-(other platform specific globals)
-
-x_x509.c
-==============================================
-static int x509_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
-
-
-evp_pbe.c
-============================================
-static STACK *pbe_algs;
-
-evp_key.c
-============================================
-static char prompt_string[80];
-
-ssl_ciph.c
-============================================
-static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
-
-ssl_lib.c
-=============================================
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
-static int ssl_meth_num=0;
-static int ssl_ctx_meth_num=0;
-
-ssl_sess.c
-=============================================
-static int ssl_session_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
-
-x509_vfy.c
-============================================
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
-static int x509_store_ctx_num=0;
-

Netware/readme.txt

@@ -1,19 +0,0 @@
-
-Contents of the openssl\netware directory
-==========================================
-
-Regular files:
-
-readme.txt     - this file
-do_tests.pl    - perl script used to run the OpenSSL tests on NetWare
-cpy_tests.bat  - batch to to copy test stuff to NetWare server
-build.bat      - batch file to help with builds
-set_env.bat    - batch file to help setup build environments
-globals.txt    - results of initial code review to identify OpenSSL global variables
-
-
-The following files are generated by the various scripts.  They are
-recreated each time and it is okay to delete them.
-
-*.def - command files used by Metrowerks linker
-*.mak - make files generated by mk1mf.pl

Netware/set_env.bat

@@ -1,112 +0,0 @@
-@echo off
-
-rem ========================================================================
-rem   Batch file to assist in setting up the necessary environment for
-rem   building OpenSSL for NetWare.
-rem
-rem   usage:
-rem      set_env [target]
-rem
-rem      target      - "netware-clib" - Clib build
-rem                  - "netware-libc" - LibC build
-rem
-rem
-
-if "a%1" == "a" goto usage
-               
-set LIBC_BUILD=
-set CLIB_BUILD=
-set GNUC=
-
-if "%1" == "netware-clib" set CLIB_BUILD=Y
-if "%1" == "netware-clib" set LIBC_BUILD=
-
-if "%1" == "netware-libc" set LIBC_BUILD=Y
-if "%1" == "netware-libc" set CLIB_BUILD=
-
-if "%2" == "gnuc" set GNUC=Y
-if "%2" == "codewarrior" set GNUC=
-
-rem   Location of tools (compiler, linker, etc)
-if "%NDKBASE%" == "" set NDKBASE=c:\Novell
-
-rem   If Perl for Win32 is not already in your path, add it here
-set PERL_PATH=
-
-rem   Define path to the Metrowerks command line tools
-rem   or GNU Crosscompiler gcc / nlmconv
-rem   ( compiler, assembler, linker)
-if "%GNUC%" == "Y" set COMPILER_PATH=c:\usr\i586-netware\bin;c:\usr\bin
-if "%GNUC%" == "" set COMPILER_PATH=c:\prg\cwcmdl40
-
-rem   If using gnu make define path to utility
-rem set GNU_MAKE_PATH=%NDKBASE%\gnu
-set GNU_MAKE_PATH=c:\prg\tools
-
-rem   If using ms nmake define path to nmake
-rem set MS_NMAKE_PATH=%NDKBASE%\msvc\600\bin
-
-rem   If using NASM assembler define path
-rem set NASM_PATH=%NDKBASE%\nasm
-set NASM_PATH=c:\prg\tools
-
-rem   Update path to include tool paths
-set path=%path%;%COMPILER_PATH%
-if not "%GNU_MAKE_PATH%" == "" set path=%path%;%GNU_MAKE_PATH%
-if not "%MS_NMAKE_PATH%" == "" set path=%path%;%MS_NMAKE_PATH%
-if not "%NASM_PATH%"     == "" set path=%path%;%NASM_PATH%
-if not "%PERL_PATH%"     == "" set path=%path%;%PERL_PATH%
-
-rem   Set INCLUDES to location of Novell NDK includes
-if "%LIBC_BUILD%" == "Y" set INCLUDE=%NDKBASE%\ndk\libc\include;%NDKBASE%\ndk\libc\include\winsock
-if "%CLIB_BUILD%" == "Y" set INCLUDE=%NDKBASE%\ndk\nwsdk\include\nlm;%NDKBASE%\ws295sdk\include
-
-rem   Set Imports to location of Novell NDK import files
-if "%LIBC_BUILD%" == "Y" set IMPORTS=%NDKBASE%\ndk\libc\imports
-if "%CLIB_BUILD%" == "Y" set IMPORTS=%NDKBASE%\ndk\nwsdk\imports
-
-rem   Set PRELUDE to the absolute path of the prelude object to link with in
-rem   the Metrowerks NetWare PDK - NOTE: for Clib builds "clibpre.o" is 
-rem   recommended, for LibC NKS builds libcpre.o must be used
-if "%GNUC%" == "Y" goto gnuc
-if "%LIBC_BUILD%" == "Y" set PRELUDE=%IMPORTS%\libcpre.o
-rem if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\clibpre.o
-if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\prelude.o
-echo using MetroWerks CodeWarrior 
-goto info
-
-:gnuc
-if "%LIBC_BUILD%" == "Y" set PRELUDE=%IMPORTS%\libcpre.gcc.o
-rem if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\clibpre.gcc.o
-if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\prelude.gcc.o
-echo using GNU GCC Compiler 
-
-:info
-echo.
-
-if "%LIBC_BUILD%" == "Y" echo Environment configured for LibC build
-if "%LIBC_BUILD%" == "Y" echo use "netware\build.bat netware-libc ..." 
-
-if "%CLIB_BUILD%" == "Y" echo Environment configured for CLib build
-if "%CLIB_BUILD%" == "Y" echo use "netware\build.bat netware-clib ..." 
-
-goto end
-
-:usage
-rem ===============================================================
-echo.
-echo No target build specified!
-echo.
-echo usage: set_env [target] [compiler]
-echo.
-echo target      - "netware-clib" - Clib build
-echo             - "netware-libc" - LibC build
-echo.
-echo compiler    - "gnuc"         - GNU GCC Compiler
-echo             - "codewarrior"  - MetroWerks CodeWarrior (default)
-echo.
-
-:end
-echo.
-
-

PROBLEMS

@@ -1,213 +0,0 @@
-* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
-
-
-    NOTE: The problem described here only applies when OpenSSL isn't built
-    with shared library support (i.e. without the "shared" configuration
-    option).  If you build with shared library support, you will have no
-    problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
-
-
-This is really a misfeature in ld, which seems to look for .dylib libraries
-along the whole library path before it bothers looking for .a libraries.  This
-means that -L switches won't matter unless OpenSSL is built with shared
-library support.
-
-The workaround may be to change the following lines in apps/Makefile and
-test/Makefile:
-
-  LIBCRYPTO=-L.. -lcrypto
-  LIBSSL=-L.. -lssl
-
-to:
-
-  LIBCRYPTO=../libcrypto.a
-  LIBSSL=../libssl.a
-
-It's possible that something similar is needed for shared library support
-as well.  That hasn't been well tested yet.
-
-
-Another solution that many seem to recommend is to move the libraries
-/usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
-directory, build and install OpenSSL and anything that depends on your
-build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
-original places.  Note that the version numbers on those two libraries
-may differ on your machine.
-
-
-As long as Apple doesn't fix the problem with ld, this problem building
-OpenSSL will remain as is. Well, the problem was addressed in 0.9.8f by
-passing -Wl,-search_paths_first, but it's unknown if the flag was
-supported from the initial MacOS X release.
-
-
-* Parallell make leads to errors
-
-While running tests, running a parallell make is a bad idea.  Many test
-scripts use the same name for output and input files, which means different
-will interfere with each other and lead to test failure.
-
-The solution is simple for now: don't run parallel make when testing.
-
-
-* Bugs in gcc triggered
-
-- According to a problem report, there are bugs in gcc 3.0 that are
-  triggered by some of the code in OpenSSL, more specifically in
-  PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
-
-	header+=11;
-	if (*header != '4') return(0); header++;
-	if (*header != ',') return(0); header++;
-
-  What happens is that gcc might optimize a little too agressively, and
-  you end up with an extra incrementation when *header != '4'.
-
-  We recommend that you upgrade gcc to as high a 3.x version as you can.
-
-- According to multiple problem reports, some of our message digest
-  implementations trigger bug[s] in code optimizer in gcc 3.3 for sparc64
-  and gcc 2.96 for ppc. Former fails to complete RIPEMD160 test, while
-  latter - SHA one.
-
-  The recomendation is to upgrade your compiler. This naturally applies to
-  other similar cases.
-
-- There is a subtle Solaris x86-specific gcc run-time environment bug, which
-  "falls between" OpenSSL [0.9.8 and later], Solaris ld and GCC. The bug
-  manifests itself as Segmentation Fault upon early application start-up.
-  The problem can be worked around by patching the environment according to
-  http://www.openssl.org/~appro/values.c.
-
-* solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
-
-As subject suggests SHA-1 might perform poorly (4 times slower)
-if compiled with WorkShop 6 compiler and -xarch=v9. The cause for
-this seems to be the fact that compiler emits multiplication to
-perform shift operations:-( To work the problem around configure
-with './Configure solaris64-sparcv9-cc -DMD32_REG_T=int'.
-
-* Problems with hp-parisc2-cc target when used with "no-asm" flag
-
-When using the hp-parisc2-cc target, wrong bignum code is generated.
-This is due to the SIXTY_FOUR_BIT build being compiled with the +O3
-aggressive optimization.
-The problem manifests itself by the BN_kronecker test hanging in an
-endless loop. Reason: the BN_kronecker test calls BN_generate_prime()
-which itself hangs. The reason could be tracked down to the bn_mul_comba8()
-function in bn_asm.c. At some occasions the higher 32bit value of r[7]
-is off by 1 (meaning: calculated=shouldbe+1). Further analysis failed,
-as no debugger support possible at +O3 and additional fprintf()'s
-introduced fixed the bug, therefore it is most likely a bug in the
-optimizer.
-The bug was found in the BN_kronecker test but may also lead to
-failures in other parts of the code.
-(See Ticket #426.)
-
-Workaround: modify the target to +O2 when building with no-asm.
-
-* Problems building shared libraries on SCO OpenServer Release 5.0.6
-  with gcc 2.95.3
-
-The symptoms appear when running the test suite, more specifically
-test/ectest, with the following result:
-
-OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest
-ectest.c:186: ABORT
-
-The cause of the problem seems to be that isxdigit(), called from
-BN_hex2bn(), returns 0 on a perfectly legitimate hex digit.  Further
-investigation shows that any of the isxxx() macros return 0 on any
-input.  A direct look in the information array that the isxxx() use,
-called __ctype, shows that it contains all zeroes...
-
-Taking a look at the newly created libcrypto.so with nm, one can see
-that the variable __ctype is defined in libcrypto's .bss (which
-explains why it is filled with zeroes):
-
-$ nm -Pg libcrypto.so | grep __ctype
-__ctype B 0011659c
-__ctype2 U         
-
-Curiously, __ctype2 is undefined, in spite of being declared in
-/usr/include/ctype.h in exactly the same way as __ctype.
-
-Any information helping to solve this issue would be deeply
-appreciated.
-
-NOTE: building non-shared doesn't come with this problem.
-
-* ULTRIX build fails with shell errors, such as "bad substitution"
-  and "test: argument expected"
-
-The problem is caused by ULTRIX /bin/sh supporting only original
-Bourne shell syntax/semantics, and the trouble is that the vast
-majority is so accustomed to more modern syntax, that very few
-people [if any] would recognize the ancient syntax even as valid.
-This inevitably results in non-trivial scripts breaking on ULTRIX,
-and OpenSSL isn't an exclusion. Fortunately there is workaround,
-hire /bin/ksh to do the job /bin/sh fails to do.
-
-1. Trick make(1) to use /bin/ksh by setting up following environ-
-   ment variables *prior* you execute ./Configure and make:
-
-	PROG_ENV=POSIX
-	MAKESHELL=/bin/ksh
-	export PROG_ENV MAKESHELL
-
-   or if your shell is csh-compatible:
-
-	setenv PROG_ENV POSIX
-	setenv MAKESHELL /bin/ksh
-
-2. Trick /bin/sh to use alternative expression evaluator. Create
-   following 'test' script for example in /tmp:
-
-	#!/bin/ksh
-	${0##*/} "$@"
-
-   Then 'chmod a+x /tmp/test; ln /tmp/test /tmp/[' and *prepend*
-   your $PATH with chosen location, e.g. PATH=/tmp:$PATH. Alter-
-   natively just replace system /bin/test and /bin/[ with the
-   above script.
-
-* hpux64-ia64-cc fails blowfish test.
-
-Compiler bug, presumably at particular patch level. It should be noted
-that same compiler generates correct 32-bit code, a.k.a. hpux-ia64-cc
-target. Drop optimization level to +O2 when compiling 64-bit bf_skey.o.
-
-* no-engines generates errors.
-
-Unfortunately, the 'no-engines' configuration option currently doesn't
-work properly.  Use 'no-hw' and you'll will at least get no hardware
-support.  We'll see how we fix that on OpenSSL versions past 0.9.8.
-
-* 'make test' fails in BN_sqr [commonly with "error 139" denoting SIGSEGV]
-  if elder GNU binutils were deployed to link shared libcrypto.so.
-
-As subject suggests the failure is caused by a bug in elder binutils,
-either as or ld, and was observed on FreeBSD and Linux. There are two
-options. First is naturally to upgrade binutils, the second one - to
-reconfigure with additional no-sse2 [or 386] option passed to ./config.
-
-* If configured with ./config no-dso, toolkit still gets linked with -ldl,
-  which most notably poses a problem when linking with dietlibc.
-
-We don't have framework to associate -ldl with no-dso, therefore the only
-way is to edit Makefile right after ./config no-dso and remove -ldl from
-EX_LIBS line.
-
-* hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
-
-Compiler bug, presumably at particular patch level. Remaining
-hpux*-parisc*-cc configurations can be affected too. Drop optimization
-level to +O2 when compiling bn_nist.o.
-
-* solaris64-sparcv9-cc link failure
-
-Solaris 8 ar can fail to maintain symbol table in .a, which results in
-link failures. Apply 109147-09 or later or modify Makefile generated
-by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
-
-	RANLIB= /usr/ccs/bin/ar rs

README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0-pre3 (alpha) 15 Feb 2016
+ OpenSSL 1.1.0-pre5 (beta) 19 Apr 2016
 
  Copyright (c) 1998-2016 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -27,10 +27,10 @@
 
  The OpenSSL toolkit includes:
 
- libssl.a:
+ libssl (with platform specific naming):
      Provides the client and server-side implementations for SSLv3 and TLS.
 
- libcrypto.a:
+ libcrypto (with platform specific naming):
      Provides general cryptographic and X.509 support needed by SSL/TLS but
      not logically part of it.
 
@@ -48,12 +48,8 @@
  ------------
 
  See the appropriate file:
-        INSTALL         Linux, Unix, etc.
+        INSTALL         Linux, Unix, Windows, OpenVMS
         INSTALL.DJGPP   DOS platform with DJGPP
-        INSTALL.NW      Netware
-        INSTALL.OS2     OS/2
-        INSTALL.VMS     VMS
-        INSTALL.WIN     Windows
         INSTALL.WCE     Windows CE
 
  SUPPORT

README.ENGINE

@@ -13,11 +13,10 @@
   There are currently built-in ENGINE implementations for the following
   crypto devices:
 
-      o CryptoSwift
-      o Compaq Atalla
+      o Cryptodev
+      o Microsoft CryptoAPI
+      o VIA Padlock
       o nCipher CHIL
-      o Nuron
-      o Broadcom uBSec
 
   In addition, dynamic binding to external ENGINE implementations is now
   provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"

VMS/openssl_shutdown.com.in

@@ -39,7 +39,7 @@ $	DEAS OSSL$LIB'v'
 $	DEAS OSSL$SHARE'v'
 $	DEAS OSSL$ENGINES'v'
 $	DEAS OSSL$EXE'v'
-$       {- output_off() if $config{no_shared} -}
+$       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$       ", map { "DEAS $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
 $	IF P2 .NES. "NOALIASES"
@@ -51,7 +51,7 @@ $	    DEAS OSSL$SHARE
 $	    DEAS OSSL$ENGINES
 $	    DEAS OSSL$EXE
 $	    DEAS OPENSSL
-$           {- output_off() if $config{no_shared} -}
+$           {- output_off() if $disabled{shared} -}
 $           {- join("\n\$           ", map { "DEAS $_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $           {- output_on() -}
 $	ENDIF

VMS/openssl_startup.com.in

@@ -46,7 +46,7 @@ $	IF F$GETSYI("CPU") .LT. 128
 $	THEN
 $	    arch := VAX
 $	ELSE
-$	    arch := F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
+$	    arch = F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
 $	    IF arch .EQS. "" THEN GOTO unknown_arch
 $	ENDIF
 $
@@ -54,23 +54,25 @@ $	! Generated information
 $	VERSION := {- $config{version} -}
 $	INSTALLTOP := {- $config{INSTALLTOP} -}
 $	OPENSSLDIR := {- $config{OPENSSLDIR} -}
-$	POINTER_SIZE = {- $config{pointersize} -}
+$	POINTER_SIZE := {- $config{pointersize} -}
 $
 $	! Make sure that INSTALLTOP and OPENSSLDIR become something one
 $	! can build concealed logical names on
-$	INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") - "A.;" -
-		     - ".][000000" - "[000000." - "][" - "]" + ".]"
-$	OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") - "A.;" -
-		     - ".][000000" - "[000000." - "][" - "]" + ".]"
+$	INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") -
+		     - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+$	OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") -
+		     - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
 $	DEFINE /TRANSLATION=CONCEALED /NOLOG WRK_INSTALLTOP 'INSTALLTOP_'
+$	DEFINE /TRANSLATION=CONCEALED /NOLOG WRK_OPENSSLDIR 'OPENSSLDIR_'
 $
 $	! Check that things are in place, and specifically, the stuff
 $	! belonging to this architecture
 $	IF F$SEARCH("WRK_INSTALLTOP:[000000]INCLUDE.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]''arch'.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']LIB.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']EXE.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]openssl.cnf;1") .EQS. ""
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]LIB.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]EXE.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[LIB]''arch'.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[EXE]''arch'.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_OPENSSLDIR:[000000]openssl.cnf") .EQS. ""
 $	THEN
 $	    WRITE SYS$ERROR "''INSTALLTOP' doesn't look like an OpenSSL installation for ''arch'"
 $	    status = %x00018292 ! RMS$_FNF, file not found
@@ -84,11 +86,11 @@ $	v    =  VERSION - "." - "."
 $
 $	DEFT OSSL$INSTROOT'v'	'INSTALLTOP_'
 $	DEFT OSSL$INCLUDE'v'	OSSL$INSTROOT:[INCLUDE.]
-$	DEF  OSSL$LIB'v'	OSSL$INSTROOT:['arch'.LIB]
-$	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:['arch'.LIB]
-$	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:['arch'.ENGINES]
-$	DEF  OSSL$EXE'v'	OSSL$INSTROOT:['arch'.EXE]
-$       {- output_off() if $config{no_shared} -}
+$	DEF  OSSL$LIB'v'	OSSL$INSTROOT:[LIB.'arch']
+$	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:[LIB.'arch']
+$	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:[ENGINES.'arch']
+$	DEF  OSSL$EXE'v'	OSSL$INSTROOT:[EXE.'arch']
+$       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$       ", map { "DEF  $_'v' OSSL\$SHARE:$_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
 $	IF P2 .NES. "NOALIASES"
@@ -100,7 +102,7 @@ $	    DEF OSSL$SHARE	OSSL$SHARE'v'
 $	    DEF OSSL$ENGINES	OSSL$ENGINES'v'
 $	    DEF OSSL$EXE	OSSL$EXE'v'
 $	    DEF OPENSSL		OSSL$INCLUDE:[OPENSSL]
-$       {- output_off() if $config{no_shared} -}
+$       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$           ", map { "DEF  $_ $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
 $	ENDIF

apps/Makefile.in

@@ -15,6 +15,8 @@ PLIB_LDFLAG=
 EX_LIBS= 
 EXE_EXT= 
 
+APPS_OBJ=
+
 SHLIB_TARGET=
 
 CFLAGS= $(INCLUDES) $(CFLAG)
@@ -28,6 +30,7 @@ LIBSSL=-L.. -lssl
 
 SCRIPTS=CA.pl tsget
 EXE= openssl$(EXE_EXT)
+CONFS=openssl.cnf ct_log_list.cnf
 
 COMMANDS= \
 	asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
@@ -52,7 +55,7 @@ SRC	= \
 	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
 	srp.c ts.c verify.c version.c x509.c rehash.c
 
-EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
+EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ) $(APPS_OBJ)
 EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
 
 HEADER=	apps.h progs.h s_apps.h \
@@ -72,46 +75,51 @@ scripts: $(SCRIPTS)
 openssl-vms.cnf: openssl.cnf
 	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
 
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-
 install:
 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@set -e; for i in $(EXE); \
-	do  \
-	(echo installing $$i; \
-	 cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-	 chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
-	 mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
-	 done;
+	do \
+		echo installing $$i; \
+		cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+	done
 	@set -e; for i in $(SCRIPTS); \
-	do  \
-	(echo installing $$i; \
-	 cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
-	 chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
-	 mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i ); \
-	 done
-	@cp openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
-	chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
-	mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+	do \
+		echo installing $$i; \
+		cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+		chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+		mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
+	done
+	@set -e; for i in $(CONFS); \
+	do \
+		echo installing $$i; \
+		cp $$i $(DESTDIR)$(OPENSSLDIR)/$$i.new; \
+		chmod 644 $(DESTDIR)$(OPENSSLDIR)/$$i.new; \
+		mv -f $(DESTDIR)$(OPENSSLDIR)/$$i.new $(DESTDIR)$(OPENSSLDIR)/$$i; \
+	done
 
 uninstall:
 	@set -e; for i in $(EXE); \
-	do  \
+	do \
 		echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
-	done;
+	done
 	@set -e; for i in $(SCRIPTS); \
-	do  \
+	do \
 		echo $(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
 		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
 	done
-	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+	@set -e; for i in $(CONFS); \
+	do \
+		echo $(RM) $(DESTDIR)$(OPENSSLDIR)/$$i; \
+		$(RM) $(DESTDIR)$(OPENSSLDIR)/$$i; \
+	done
 
 generate: openssl-vms.cnf progs.h
 
 depend:
-	$(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
+	$(TOP)/util/domd $(CFLAG) $(INCLUDES) -- $(EXE_SRC)
 
 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
@@ -143,5 +151,9 @@ CA.pl: CA.pl.in
 	$(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile CA.pl.in > CA.pl.new
 	mv CA.pl.new CA.pl
 
+tsget:	tsget.in
+	$(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile tsget.in > tsget.new
+	mv tsget.new tsget
+
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.

apps/apps.c

@@ -141,9 +141,6 @@
 # include <openssl/rsa.h>
 #endif
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_JPAKE
-# include <openssl/jpake.h>
-#endif
 #include <openssl/ssl.h>
 
 #include "apps.h"
@@ -238,6 +235,19 @@ int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
     return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
 }
 
+#ifndef OPENSSL_NO_CT
+
+int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
+{
+    if (path == NULL) {
+        return SSL_CTX_set_default_ctlog_list_file(ctx);
+    }
+
+    return SSL_CTX_set_ctlog_list_file(ctx, path);
+}
+
+#endif
+
 int dump_cert_text(BIO *out, X509 *x)
 {
     char *p;
@@ -256,6 +266,7 @@ int dump_cert_text(BIO *out, X509 *x)
     return 0;
 }
 
+#ifndef OPENSSL_NO_UI
 static int ui_open(UI *ui)
 {
     return UI_method_get_opener(UI_OpenSSL())(ui);
@@ -325,20 +336,25 @@ void destroy_ui_method(void)
         ui_method = NULL;
     }
 }
+#endif
 
 int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
 {
-    UI *ui = NULL;
     int res = 0;
+#ifndef OPENSSL_NO_UI
+    UI *ui = NULL;
     const char *prompt_info = NULL;
+#endif
     const char *password = NULL;
     PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
 
     if (cb_data) {
         if (cb_data->password)
             password = cb_data->password;
+#ifndef OPENSSL_NO_UI
         if (cb_data->prompt_info)
             prompt_info = cb_data->prompt_info;
+#endif
     }
 
     if (password) {
@@ -349,6 +365,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
         return res;
     }
 
+#ifndef OPENSSL_NO_UI
     ui = UI_new_method(ui_method);
     if (ui) {
         int ok = 0;
@@ -398,6 +415,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
         UI_free(ui);
         OPENSSL_free(prompt);
     }
+#endif
     return res;
 }
 
@@ -630,7 +648,8 @@ static int load_pkcs12(BIO *in, const char *desc,
     return ret;
 }
 
-int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
+static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
 {
     char *host = NULL, *port = NULL, *path = NULL;
     BIO *bio = NULL;
@@ -676,15 +695,17 @@ int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
     }
     return rv;
 }
+#endif
 
-X509 *load_cert(const char *file, int format,
-                const char *pass, ENGINE *e, const char *cert_descrip)
+X509 *load_cert(const char *file, int format, const char *cert_descrip)
 {
     X509 *x = NULL;
     BIO *cert;
 
     if (format == FORMAT_HTTP) {
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
         load_cert_crl_http(file, &x, NULL);
+#endif
         return x;
     }
 
@@ -723,7 +744,9 @@ X509_CRL *load_crl(const char *infile, int format)
     BIO *in = NULL;
 
     if (format == FORMAT_HTTP) {
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
         load_cert_crl_http(infile, NULL, &x);
+#endif
         return x;
     }
 
@@ -907,7 +930,7 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
 }
 
 static int load_certs_crls(const char *file, int format,
-                           const char *pass, ENGINE *e, const char *desc,
+                           const char *pass, const char *desc,
                            STACK_OF(X509) **pcerts,
                            STACK_OF(X509_CRL) **pcrls)
 {
@@ -1005,18 +1028,18 @@ void* app_malloc(int sz, const char *what)
  * Initialize or extend, if *certs != NULL,  a certificate stack.
  */
 int load_certs(const char *file, STACK_OF(X509) **certs, int format,
-               const char *pass, ENGINE *e, const char *desc)
+               const char *pass, const char *desc)
 {
-    return load_certs_crls(file, format, pass, e, desc, certs, NULL);
+    return load_certs_crls(file, format, pass, desc, certs, NULL);
 }
 
 /*
  * Initialize or extend, if *crls != NULL,  a certificate stack.
  */
 int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
-              const char *pass, ENGINE *e, const char *desc)
+              const char *pass, const char *desc)
 {
-    return load_certs_crls(file, format, pass, e, desc, NULL, crls);
+    return load_certs_crls(file, format, pass, desc, NULL, crls);
 }
 
 #define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
@@ -1303,7 +1326,7 @@ X509_STORE *setup_verify(char *CAfile, char *CApath, int noCAfile, int noCApath)
 
 #ifndef OPENSSL_NO_ENGINE
 /* Try to load an engine in a shareable library */
-static ENGINE *try_load_engine(const char *engine, int debug)
+static ENGINE *try_load_engine(const char *engine)
 {
     ENGINE *e = ENGINE_by_id("dynamic");
     if (e) {
@@ -1327,7 +1350,7 @@ ENGINE *setup_engine(const char *engine, int debug)
             return NULL;
         }
         if ((e = ENGINE_by_id(engine)) == NULL
-            && (e = try_load_engine(engine, debug)) == NULL) {
+            && (e = try_load_engine(engine)) == NULL) {
             BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
             ERR_print_errors(bio_err);
             return NULL;
@@ -1465,9 +1488,6 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
         j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
 #endif
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
-#endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
         ERR_print_errors(bio_err);
@@ -1506,17 +1526,10 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
 #else
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-               serialfile, buf[1]);
 #endif
     if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -1528,10 +1541,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
         perror("reason");
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-               buf[0], serialfile);
-#endif
     if (rename(buf[0], serialfile) < 0) {
         BIO_printf(bio_err,
                    "unable to rename %s to %s\n", buf[0], serialfile);
@@ -1607,10 +1616,6 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
     if (dbattr_conf) {
         char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
         if (p) {
-#ifdef RL_DEBUG
-            BIO_printf(bio_err,
-                       "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
-#endif
             retdb->attributes.unique_subject = parse_yesno(p, 1);
         }
     }
@@ -1657,21 +1662,12 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
-#else
-    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
-#else
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
 #else
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
 #endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
@@ -1685,9 +1681,6 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
         goto err;
 
     out = BIO_new_file(buf[1], "w");
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
-#endif
     if (out == NULL) {
         perror(buf[2]);
         BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
@@ -1718,31 +1711,16 @@ int rotate_index(const char *dbfile, const char *new_suffix,
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
-#else
-    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
 #else
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
-#else
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
-    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
-#else
+    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
     j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
 #endif
     if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -1753,18 +1731,12 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         perror("reason");
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile);
-#endif
     if (rename(buf[0], dbfile) < 0) {
         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
         perror("reason");
         rename(buf[1], dbfile);
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]);
-#endif
     if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
         && errno != ENOTDIR
@@ -1776,9 +1748,6 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         rename(buf[1], dbfile);
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]);
-#endif
     if (rename(buf[2], buf[4]) < 0) {
         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
         perror("reason");
@@ -1990,229 +1959,6 @@ void policies_print(X509_STORE_CTX *ctx)
     nodes_print("User", X509_policy_tree_get0_user_policies(tree));
 }
 
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-
-static JPAKE_CTX *jpake_init(const char *us, const char *them,
-                             const char *secret)
-{
-    BIGNUM *p = NULL;
-    BIGNUM *g = NULL;
-    BIGNUM *q = NULL;
-    BIGNUM *bnsecret = BN_new();
-    JPAKE_CTX *ctx;
-
-    /* Use a safe prime for p (that we found earlier) */
-    BN_hex2bn(&p,
-              "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
-    g = BN_new();
-    BN_set_word(g, 2);
-    q = BN_new();
-    BN_rshift1(q, p);
-
-    BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
-
-    ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
-    BN_free(bnsecret);
-    BN_free(q);
-    BN_free(g);
-    BN_free(p);
-
-    return ctx;
-}
-
-static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
-{
-    BN_print(conn, p->gx);
-    BIO_puts(conn, "\n");
-    BN_print(conn, p->zkpx.gr);
-    BIO_puts(conn, "\n");
-    BN_print(conn, p->zkpx.b);
-    BIO_puts(conn, "\n");
-}
-
-static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP1 s1;
-
-    JPAKE_STEP1_init(&s1);
-    JPAKE_STEP1_generate(&s1, ctx);
-    jpake_send_part(bconn, &s1.p1);
-    jpake_send_part(bconn, &s1.p2);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP1_release(&s1);
-}
-
-static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP2 s2;
-
-    JPAKE_STEP2_init(&s2);
-    JPAKE_STEP2_generate(&s2, ctx);
-    jpake_send_part(bconn, &s2);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP2_release(&s2);
-}
-
-static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP3A s3a;
-
-    JPAKE_STEP3A_init(&s3a);
-    JPAKE_STEP3A_generate(&s3a, ctx);
-    BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP3A_release(&s3a);
-}
-
-static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
-{
-    JPAKE_STEP3B s3b;
-
-    JPAKE_STEP3B_init(&s3b);
-    JPAKE_STEP3B_generate(&s3b, ctx);
-    BIO_write(bconn, s3b.hk, sizeof s3b.hk);
-    (void)BIO_flush(bconn);
-    JPAKE_STEP3B_release(&s3b);
-}
-
-static void readbn(BIGNUM **bn, BIO *bconn)
-{
-    char buf[10240];
-    int l;
-
-    l = BIO_gets(bconn, buf, sizeof buf);
-    assert(l > 0);
-    assert(buf[l - 1] == '\n');
-    buf[l - 1] = '\0';
-    BN_hex2bn(bn, buf);
-}
-
-static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
-{
-    readbn(&p->gx, bconn);
-    readbn(&p->zkpx.gr, bconn);
-    readbn(&p->zkpx.b, bconn);
-}
-
-static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP1 s1;
-
-    JPAKE_STEP1_init(&s1);
-    jpake_receive_part(&s1.p1, bconn);
-    jpake_receive_part(&s1.p2, bconn);
-    if (!JPAKE_STEP1_process(ctx, &s1)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP1_release(&s1);
-}
-
-static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP2 s2;
-
-    JPAKE_STEP2_init(&s2);
-    jpake_receive_part(&s2, bconn);
-    if (!JPAKE_STEP2_process(ctx, &s2)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP2_release(&s2);
-}
-
-static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP3A s3a;
-    int l;
-
-    JPAKE_STEP3A_init(&s3a);
-    l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
-    assert(l == sizeof s3a.hhk);
-    if (!JPAKE_STEP3A_process(ctx, &s3a)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP3A_release(&s3a);
-}
-
-static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
-{
-    JPAKE_STEP3B s3b;
-    int l;
-
-    JPAKE_STEP3B_init(&s3b);
-    l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
-    assert(l == sizeof s3b.hk);
-    if (!JPAKE_STEP3B_process(ctx, &s3b)) {
-        ERR_print_errors(bio_err);
-        exit(1);
-    }
-    JPAKE_STEP3B_release(&s3b);
-}
-
-void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
-{
-    JPAKE_CTX *ctx;
-    BIO *bconn;
-
-    BIO_puts(out, "Authenticating with JPAKE\n");
-
-    ctx = jpake_init("client", "server", secret);
-
-    bconn = BIO_new(BIO_f_buffer());
-    BIO_push(bconn, conn);
-
-    jpake_send_step1(bconn, ctx);
-    jpake_receive_step1(ctx, bconn);
-    jpake_send_step2(bconn, ctx);
-    jpake_receive_step2(ctx, bconn);
-    jpake_send_step3a(bconn, ctx);
-    jpake_receive_step3b(ctx, bconn);
-
-    BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
-
-    OPENSSL_free(psk_key);
-    psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
-
-    BIO_pop(bconn);
-    BIO_free(bconn);
-
-    JPAKE_CTX_free(ctx);
-}
-
-void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
-{
-    JPAKE_CTX *ctx;
-    BIO *bconn;
-
-    BIO_puts(out, "Authenticating with JPAKE\n");
-
-    ctx = jpake_init("server", "client", secret);
-
-    bconn = BIO_new(BIO_f_buffer());
-    BIO_push(bconn, conn);
-
-    jpake_receive_step1(ctx, bconn);
-    jpake_send_step1(bconn, ctx);
-    jpake_receive_step2(ctx, bconn);
-    jpake_send_step2(bconn, ctx);
-    jpake_receive_step3a(ctx, bconn);
-    jpake_send_step3b(bconn, ctx);
-
-    BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
-
-    OPENSSL_free(psk_key);
-    psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
-
-    BIO_pop(bconn);
-    BIO_free(bconn);
-
-    JPAKE_CTX_free(ctx);
-}
-
-#endif
-
 /*-
  * next_protos_parse parses a comma separated list of strings into a string
  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@@ -2222,7 +1968,7 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
  *
  *   returns: a malloced buffer or NULL on failure.
  */
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+unsigned char *next_protos_parse(size_t *outlen, const char *in)
 {
     size_t len;
     unsigned char *out;
@@ -2465,30 +2211,6 @@ double app_tminterval(int stop, int usertime)
 
     return (ret);
 }
-#elif defined(OPENSSL_SYS_NETWARE)
-# include <time.h>
-
-double app_tminterval(int stop, int usertime)
-{
-    static clock_t tmstart;
-    static int warning = 1;
-    double ret = 0;
-
-    if (usertime && warning) {
-        BIO_printf(bio_err, "To get meaningful results, run "
-                   "this program on idle system.\n");
-        warning = 0;
-    }
-
-    if (stop == TM_START)
-        tmstart = clock();
-    else
-        ret = (clock() - tmstart) / (double)CLOCKS_PER_SEC;
-
-    return (ret);
-}
-
-
 #elif defined(OPENSSL_SYSTEM_VXWORKS)
 # include <time.h>
 
@@ -2618,45 +2340,6 @@ int app_access(const char* name, int flag)
 #endif
 }
 
-int app_hex(char c)
-{
-    switch (c) {
-    default:
-    case '0':
-        return 0;
-    case '1':
-        return 1;
-    case '2':
-        return 2;
-    case '3':
-        return 3;
-    case '4':
-          return 4;
-    case '5':
-          return 5;
-    case '6':
-          return 6;
-    case '7':
-          return 7;
-    case '8':
-          return 8;
-    case '9':
-          return 9;
-    case 'a': case 'A':
-          return 0x0A;
-    case 'b': case 'B':
-          return 0x0B;
-    case 'c': case 'C':
-          return 0x0C;
-    case 'd': case 'D':
-          return 0x0D;
-    case 'e': case 'E':
-          return 0x0E;
-    case 'f': case 'F':
-          return 0x0F;
-    }
-}
-
 /* app_isdir section */
 #ifdef _WIN32
 int app_isdir(const char *name)
@@ -2772,9 +2455,34 @@ BIO *dup_bio_out(int format)
     return b;
 }
 
+BIO *dup_bio_err(int format)
+{
+    BIO *b = BIO_new_fp(stderr,
+                        BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
+#ifdef OPENSSL_SYS_VMS
+    if (istext(format))
+        b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
+#endif
+    return b;
+}
+
 void unbuffer(FILE *fp)
 {
+/*
+ * On VMS, setbuf() will only take 32-bit pointers, and a compilation
+ * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here.
+ * However, we trust that the C RTL will never give us a FILE pointer
+ * above the first 4 GB of memory, so we simply turn off the warning
+ * temporarily.
+ */
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma environment save
+# pragma message disable maylosedata2
+#endif
     setbuf(fp, NULL);
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma environment restore
+#endif
 }
 
 static const char *modestr(char mode, int format)
@@ -2913,15 +2621,27 @@ BIO *bio_open_default_quiet(const char *filename, char mode, int format)
 
 void wait_for_async(SSL *s)
 {
-    int width, fd;
+    int width = 0;
     fd_set asyncfds;
+    OSSL_ASYNC_FD *fds;
+    size_t numfds;
 
-    fd = SSL_get_async_wait_fd(s);
-    if (fd < 0)
+    if (!SSL_get_all_async_fds(s, NULL, &numfds))
         return;
+    if (numfds == 0)
+        return;
+    fds = OPENSSL_malloc(sizeof(OSSL_ASYNC_FD) * numfds);
+    if (!SSL_get_all_async_fds(s, fds, &numfds)) {
+        OPENSSL_free(fds);
+    }
 
-    width = fd + 1;
     FD_ZERO(&asyncfds);
-    openssl_fdset(fd, &asyncfds);
+    while (numfds > 0) {
+        if (width <= (int)*fds)
+            width = (int)*fds + 1;
+        openssl_fdset((int)*fds, &asyncfds);
+        numfds--;
+        fds++;
+    }
     select(width, (void *)&asyncfds, NULL, NULL, NULL);
 }

apps/apps.h

@@ -121,16 +121,10 @@
 # include <openssl/lhash.h>
 # include <openssl/conf.h>
 # include <openssl/txt_db.h>
-# ifndef OPENSSL_NO_ENGINE
-#  include <openssl/engine.h>
-# endif
-# ifndef OPENSSL_NO_OCSP
-#  include <openssl/ocsp.h>
-# endif
+# include <openssl/engine.h>
+# include <openssl/ocsp.h>
 # include <openssl/ossl_typ.h>
-# ifndef OPENSSL_SYS_NETWARE
-#  include <signal.h>
-# endif
+# include <signal.h>
 
 # if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
 #  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
@@ -138,17 +132,6 @@
 #  define openssl_fdset(a,b) FD_SET(a, b)
 # endif
 
-# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
-     defined(INTMAX_MAX) && defined(UINTMAX_MAX)
-int opt_imax(const char *value, intmax_t *result);
-int opt_umax(const char *value, uintmax_t *result);
-# else
-#  define opt_imax opt_long
-#  define opt_umax opt_ulong
-#  define intmax_t long
-#  define uintmax_t unsigned long
-# endif
-
 /*
  * quick macro when you need to pass an unsigned char instead of a char.
  * this is true for some implementations of the is*() functions, for
@@ -173,6 +156,7 @@ extern BIO *bio_out;
 extern BIO *bio_err;
 BIO *dup_bio_in(int format);
 BIO *dup_bio_out(int format);
+BIO *dup_bio_err(int format);
 BIO *bio_open_owner(const char *filename, int format, int private);
 BIO *bio_open_default(const char *filename, char mode, int format);
 BIO *bio_open_default_quiet(const char *filename, char mode, int format);
@@ -196,6 +180,7 @@ void wait_for_async(SSL *s);
         OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
         OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
         OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
+        OPT_V_VERIFY_AUTH_LEVEL, \
         OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -203,8 +188,10 @@ void wait_for_async(SSL *s);
         { "purpose", OPT_V_PURPOSE, 's', \
             "certificate chain purpose"}, \
         { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
-        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \
-            "chain depth limit"}, \
+        { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
+            "chain depth limit" }, \
+        { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
+            "chain authentication security level" }, \
         { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
         { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
             "expected peer hostname" }, \
@@ -251,6 +238,7 @@ void wait_for_async(SSL *s);
         case OPT_V_PURPOSE: \
         case OPT_V_VERIFY_NAME: \
         case OPT_V_VERIFY_DEPTH: \
+        case OPT_V_VERIFY_AUTH_LEVEL: \
         case OPT_V_ATTIME: \
         case OPT_V_VERIFY_HOSTNAME: \
         case OPT_V_VERIFY_EMAIL: \
@@ -427,7 +415,7 @@ typedef struct string_int_pair_st {
 char *opt_progname(const char *argv0);
 char *opt_getprog(void);
 char *opt_init(int ac, char **av, const OPTIONS * o);
-int opt_next();
+int opt_next(void);
 int opt_format(const char *s, unsigned long flags, int *result);
 int opt_int(const char *arg, int *result);
 int opt_ulong(const char *arg, unsigned long *result);
@@ -436,6 +424,11 @@ int opt_long(const char *arg, long *result);
     defined(INTMAX_MAX) && defined(UINTMAX_MAX)
 int opt_imax(const char *arg, intmax_t *result);
 int opt_umax(const char *arg, uintmax_t *result);
+#else
+# define opt_imax opt_long
+# define opt_umax opt_ulong
+# define intmax_t long
+# define uintmax_t unsigned long
 #endif
 int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
@@ -449,7 +442,6 @@ int opt_num_rest(void);
 int opt_verify(int i, X509_VERIFY_PARAM *vpm);
 void opt_help(const OPTIONS * list);
 int opt_format_error(const char *s, unsigned long flags);
-int opt_next(void);
 
 typedef struct args_st {
     int size;
@@ -457,6 +449,14 @@ typedef struct args_st {
     char **argv;
 } ARGS;
 
+/*
+ * VMS C only for now, implemented in vms_decc_init.c
+ * If other C compilers forget to terminate argv with NULL, this function
+ * can be re-used.
+ */
+char **copy_argv(int *argc, char *argv[]);
+
+
 # define PW_MIN_LENGTH 4
 typedef struct pw_cb_data {
     const void *password;
@@ -482,22 +482,33 @@ int set_ext_copy(int *copy_type, const char *arg);
 int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
 int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(CONF *conf);
-X509 *load_cert(const char *file, int format,
-                const char *pass, ENGINE *e, const char *cert_descrip);
+X509 *load_cert(const char *file, int format, const char *cert_descrip);
 X509_CRL *load_crl(const char *infile, int format);
-int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *key_descrip);
 EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                       const char *pass, ENGINE *e, const char *key_descrip);
 int load_certs(const char *file, STACK_OF(X509) **certs, int format,
-               const char *pass, ENGINE *e, const char *cert_descrip);
+               const char *pass, const char *cert_descrip);
 int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
-              const char *pass, ENGINE *e, const char *cert_descrip);
+              const char *pass, const char *cert_descrip);
 X509_STORE *setup_verify(char *CAfile, char *CApath,
                          int noCAfile, int noCApath);
-int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
-                             const char *CApath, int noCAfile, int noCApath);
+__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                                    const char *CApath, int noCAfile,
+                                    int noCApath);
+
+#ifndef OPENSSL_NO_CT
+
+/*
+ * Sets the file to load the Certificate Transparency log list from.
+ * If path is NULL, loads from the default file path.
+ * Returns 1 on success, 0 otherwise.
+ */
+__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
+
+#endif
+
 # ifdef OPENSSL_NO_ENGINE
 #  define setup_engine(engine, debug) NULL
 # else
@@ -571,12 +582,8 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
 # ifndef OPENSSL_NO_PSK
 extern char *psk_key;
 # endif
-# ifndef OPENSSL_NO_JPAKE
-void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
-void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
-# endif
 
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
+unsigned char *next_protos_parse(size_t *outlen, const char *in);
 
 void print_cert_checks(BIO *bio, X509 *x,
                        const char *checkhost,
@@ -617,7 +624,6 @@ void store_setup_crl_download(X509_STORE *st);
 
 # define SERIAL_RAND_BITS        64
 
-int app_hex(char);
 int app_isdir(const char *);
 int app_access(const char *, int flag);
 int raw_read_stdin(void *, int);

apps/asn1pars.c

@@ -184,7 +184,8 @@ int asn1parse_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (oidfile != NULL) {
         in = bio_open_default(oidfile, 'r', FORMAT_TEXT);
@@ -326,7 +327,6 @@ int asn1parse_main(int argc, char **argv)
         OPENSSL_free(str);
     ASN1_TYPE_free(at);
     sk_OPENSSL_STRING_free(osk);
-    OBJ_cleanup();
     return (ret);
 }
 

apps/build.info

@@ -1,18 +1,21 @@
 {- use File::Spec::Functions qw/catdir rel2abs/; -}
-PROGRAMS=openssl
-SOURCE[openssl]=\
-        openssl.c \
-        asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
-        dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
-        genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
-        pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
-        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
-        srp.c ts.c verify.c version.c x509.c rehash.c \
-        apps.c opt.c s_cb.c s_socket.c \
-        app_rand.c \
-        {- $target{apps_extra_src} -}
-INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
-DEPEND[openssl]=../libssl
+IF[{- !$disabled{apps} -}]
+  PROGRAMS=openssl
+  SOURCE[openssl]=\
+          openssl.c \
+          asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
+          dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
+          genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
+          pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
+          s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
+          srp.c ts.c verify.c version.c x509.c rehash.c \
+          apps.c opt.c s_cb.c s_socket.c \
+          app_rand.c \
+          {- $target{apps_aux_src} -}
+  INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
+  DEPEND[openssl]=../libssl
 
-SCRIPTS=CA.pl
-SOURCE[CA.pl]=CA.pl.in
+  SCRIPTS=CA.pl tsget
+  SOURCE[CA.pl]=CA.pl.in
+  SOURCE[tsget]=tsget.in
+ENDIF

apps/ca.c

@@ -81,7 +81,7 @@
 #  else
 #   include <unixlib.h>
 #  endif
-# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
+# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
 #  include <sys/file.h>
 # endif
 #endif
@@ -153,8 +153,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                         int multirdn, int email_dn, char *startdate,
                         char *enddate, long days, int batch, char *ext_sect,
                         CONF *conf, int verbose, unsigned long certopt,
-                        unsigned long nameopt, int default_op, int ext_copy,
-                        ENGINE *e);
+                        unsigned long nameopt, int default_op, int ext_copy);
 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
                          X509 *x509, const EVP_MD *dgst,
                          STACK_OF(OPENSSL_STRING) *sigopts,
@@ -607,7 +606,7 @@ end_of_options:
             lookup_fail(section, ENV_CERTIFICATE);
             goto end;
         }
-        x509 = load_cert(certfile, FORMAT_PEM, NULL, e, "CA certificate");
+        x509 = load_cert(certfile, FORMAT_PEM, "CA certificate");
         if (x509 == NULL)
             goto end;
 
@@ -964,7 +963,7 @@ end_of_options:
                              db, serial, subj, chtype, multirdn, email_dn,
                              startdate, enddate, days, batch, extensions,
                              conf, verbose, certopt, nameopt, default_op,
-                             ext_copy, e);
+                             ext_copy);
             if (j < 0)
                 goto end;
             if (j > 0) {
@@ -1265,7 +1264,7 @@ end_of_options:
             goto end;
         } else {
             X509 *revcert;
-            revcert = load_cert(infile, FORMAT_PEM, NULL, e, infile);
+            revcert = load_cert(infile, FORMAT_PEM, infile);
             if (revcert == NULL)
                 goto end;
             if (dorevoke == 2)
@@ -1308,7 +1307,6 @@ end_of_options:
     X509_CRL_free(crl);
     NCONF_free(conf);
     NCONF_free(extconf);
-    OBJ_cleanup();
     return (ret);
 }
 
@@ -1352,12 +1350,12 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
         ok = 0;
         goto end;
     }
-    if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
+    if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
         BIO_printf(bio_err, "error unpacking public key\n");
         goto end;
     }
     i = X509_REQ_verify(req, pktmp);
-    EVP_PKEY_free(pktmp);
+    pktmp = NULL;
     if (i < 0) {
         ok = 0;
         BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1391,15 +1389,14 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                         int multirdn, int email_dn, char *startdate,
                         char *enddate, long days, int batch, char *ext_sect,
                         CONF *lconf, int verbose, unsigned long certopt,
-                        unsigned long nameopt, int default_op, int ext_copy,
-                        ENGINE *e)
+                        unsigned long nameopt, int default_op, int ext_copy)
 {
     X509 *req = NULL;
     X509_REQ *rreq = NULL;
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((req = load_cert(infile, FORMAT_PEM, NULL, e, infile)) == NULL)
+    if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL)
         goto end;
     if (verbose)
         X509_print(bio_err, req);
@@ -1790,9 +1787,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     if (!X509_set_subject_name(ret, subject))
         goto end;
 
-    pktmp = X509_REQ_get_pubkey(req);
+    pktmp = X509_REQ_get0_pubkey(req);
     i = X509_set_pubkey(ret, pktmp);
-    EVP_PKEY_free(pktmp);
     if (!i)
         goto end;
 
@@ -2074,6 +2070,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
 
     j = NETSCAPE_SPKI_verify(spki, pktmp);
     if (j <= 0) {
+        EVP_PKEY_free(pktmp);
         BIO_printf(bio_err,
                    "signature verification failed on SPKAC public key\n");
         goto end;

apps/ciphers.c

@@ -126,6 +126,7 @@ int ciphers_main(int argc, char **argv)
     char *ciphers = NULL, *prog;
     char buf[512];
     OPTION_CHOICE o;
+    int min_version = 0, max_version = 0;
 
     prog = opt_init(argc, argv, ciphers_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -154,24 +155,20 @@ int ciphers_main(int argc, char **argv)
 #endif
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_client_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_client_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_client_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
@@ -191,6 +188,11 @@ int ciphers_main(int argc, char **argv)
     ctx = SSL_CTX_new(meth);
     if (ctx == NULL)
         goto err;
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto err;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto err;
+
 #ifndef OPENSSL_NO_PSK
     if (psk)
         SSL_CTX_set_psk_client_callback(ctx, dummy_psk);

apps/cms.c

@@ -214,11 +214,9 @@ OPTIONS cms_options[] = {
     {"receipt_request_to", OPT_RR_TO, 's'},
     {"", OPT_CIPHER, '-', "Any supported cipher"},
     OPT_V_OPTIONS,
-# ifndef OPENSSL_NO_AES
     {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
     {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
     {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
-# endif
 # ifndef OPENSSL_NO_DES
     {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
 # endif
@@ -455,7 +453,7 @@ int cms_main(int argc, char **argv)
             noout = print = 1;
             break;
         case OPT_SECRETKEY:
-            secret_key = string_to_hex(opt_arg(), &ltmp);
+            secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
             if (secret_key == NULL) {
                 BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
                 goto end;
@@ -463,7 +461,7 @@ int cms_main(int argc, char **argv)
             secret_keylen = (size_t)ltmp;
             break;
         case OPT_SECRETKEYID:
-            secret_keyid = string_to_hex(opt_arg(), &ltmp);
+            secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
             if (secret_keyid == NULL) {
                 BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
                 goto opthelp;
@@ -550,7 +548,7 @@ int cms_main(int argc, char **argv)
             if (operation == SMIME_ENCRYPT) {
                 if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL)
                     goto end;
-                cert = load_cert(opt_arg(), FORMAT_PEM, NULL, e,
+                cert = load_cert(opt_arg(), FORMAT_PEM,
                                  "recipient certificate file");
                 if (cert == NULL)
                     goto end;
@@ -603,7 +601,6 @@ int cms_main(int argc, char **argv)
             wrap_cipher = EVP_des_ede3_wrap();
 # endif
             break;
-# ifndef OPENSSL_NO_AES
         case OPT_AES128_WRAP:
             wrap_cipher = EVP_aes_128_wrap();
             break;
@@ -613,12 +610,6 @@ int cms_main(int argc, char **argv)
         case OPT_AES256_WRAP:
             wrap_cipher = EVP_aes_256_wrap();
             break;
-# else
-        case OPT_AES128_WRAP:
-        case OPT_AES192_WRAP:
-        case OPT_AES256_WRAP:
-            break;
-# endif
         }
     }
     argc = opt_num_rest();
@@ -725,7 +716,7 @@ int cms_main(int argc, char **argv)
             if ((encerts = sk_X509_new_null()) == NULL)
                 goto end;
         while (*argv) {
-            if ((cert = load_cert(*argv, FORMAT_PEM, NULL, e,
+            if ((cert = load_cert(*argv, FORMAT_PEM,
                                   "recipient certificate file")) == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
@@ -735,7 +726,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (certfile) {
-        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
                         "certificate file")) {
             ERR_print_errors(bio_err);
             goto end;
@@ -743,7 +734,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (recipfile && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile, FORMAT_PEM, NULL, e,
+        if ((recip = load_cert(recipfile, FORMAT_PEM,
                                "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -751,7 +742,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (operation == SMIME_SIGN_RECEIPT) {
-        if ((signer = load_cert(signerfile, FORMAT_PEM, NULL, e,
+        if ((signer = load_cert(signerfile, FORMAT_PEM,
                                 "receipt signer certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -968,8 +959,7 @@ int cms_main(int argc, char **argv)
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
 
-            signer = load_cert(signerfile, FORMAT_PEM, NULL,
-                               e, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_PEM, "signer certificate");
             if (!signer)
                 goto end;
             key = load_key(keyfile, keyform, 0, passin, e, "signing key file");

apps/crl.c

@@ -112,9 +112,9 @@ int crl_main(int argc, char **argv)
     X509_CRL *x = NULL;
     BIO *out = NULL;
     X509_STORE *store = NULL;
-    X509_STORE_CTX ctx;
+    X509_STORE_CTX *ctx = NULL;
     X509_LOOKUP *lookup = NULL;
-    X509_OBJECT xobj;
+    X509_OBJECT *xobj = NULL;
     EVP_PKEY *pkey;
     const EVP_MD *digest = EVP_sha1();
     unsigned long nmflag = 0;
@@ -227,7 +227,8 @@ int crl_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!nmflag_set)
         nmflag = XN_FLAG_ONELINE;
@@ -242,24 +243,26 @@ int crl_main(int argc, char **argv)
         lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
         if (lookup == NULL)
             goto end;
-        if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
+        ctx = X509_STORE_CTX_new();
+        if (!X509_STORE_CTX_init(ctx, store, NULL, NULL)) {
             BIO_printf(bio_err, "Error initialising X509 store\n");
             goto end;
         }
 
-        i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
-                                      X509_CRL_get_issuer(x), &xobj);
-        if (i <= 0) {
+        xobj = X509_STORE_get_X509_by_subject(ctx, X509_LU_X509,
+                                              X509_CRL_get_issuer(x));
+        if (xobj == NULL) {
             BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
             goto end;
         }
-        pkey = X509_get0_pubkey(xobj.data.x509);
-        X509_OBJECT_free_contents(&xobj);
+        pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
+        X509_OBJECT_free(xobj);
         if (!pkey) {
             BIO_printf(bio_err, "Error getting CRL issuer public key\n");
             goto end;
         }
         i = X509_CRL_verify(x, pkey);
+        EVP_PKEY_free(pkey);
         if (i < 0)
             goto end;
         if (i == 0)
@@ -387,9 +390,7 @@ int crl_main(int argc, char **argv)
         ERR_print_errors(bio_err);
     BIO_free_all(out);
     X509_CRL_free(x);
-    if (store) {
-        X509_STORE_CTX_cleanup(&ctx);
-        X509_STORE_free(store);
-    }
+    X509_STORE_CTX_free(ctx);
+    X509_STORE_free(store);
     return (ret);
 }

apps/crl2p7.c

@@ -146,7 +146,8 @@ int crl2pkcs7_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!nocrl) {
         in = bio_open_default(infile, 'r', informat);

apps/ct_log_list.cnf

@@ -0,0 +1,34 @@
+enabled_logs=pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi
+
+[pilot]
+description = Google Pilot Log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA==
+
+[aviator]
+description = Google Aviator log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/TMabLkDpCjiupacAlP7xNi0I1JYP8bQFAHDG1xhtolSY1l4QgNRzRrvSe8liE+NPWHdjGxfx3JhTsN9x8/6Q==
+
+[rocketeer]
+description = Google Rocketeer log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg==
+
+[digicert]
+description = DigiCert Log Server
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAkbFvhu7gkAW6MHSrBlpE1n4+HCFRkC5OLAjgqhkTH+/uzSfSl8ois8ZxAD2NgaTZe1M9akhYlrYkes4JECs6A==
+
+[certly]
+description = Certly.IO log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECyPLhWKYYUgEc+tUXfPQB4wtGS2MNvXrjwFCCnyYJifBtd2Sk7Cu+Js9DNhMTh35FftHaHu6ZrclnNBKwmbbSA==
+
+[izempe]
+description = Izempe log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ2Q5DC3cUBj4IQCiDu0s6j51up+TZAkAEcQRF6tczw90rLWXkJMAW7jr9yc92bIKgV8vDXU4lDeZHvYHduDuvg==
+
+[symantec]
+description = Symantec log
+key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg==
+
+[venafi]
+description = Venafi log
+key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OCdpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWtgnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauCFx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5wQIDAQAB
+

apps/dgst.c

@@ -73,7 +73,7 @@
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
-          const char *file, BIO *bmd);
+          const char *file);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -403,7 +403,7 @@ int dgst_main(int argc, char **argv)
     if (argc == 0) {
         BIO_set_fp(in, stdin, BIO_NOCLOSE);
         ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
-                    siglen, NULL, NULL, "stdin", bmd);
+                    siglen, NULL, NULL, "stdin");
     } else {
         const char *md_name = NULL, *sig_name = NULL;
         if (!out_bin) {
@@ -426,7 +426,7 @@ int dgst_main(int argc, char **argv)
                 continue;
             } else
                 r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
-                          siglen, sig_name, md_name, argv[i], bmd);
+                          siglen, sig_name, md_name, argv[i]);
             if (r)
                 ret = r;
             (void)BIO_reset(bmd);
@@ -448,7 +448,7 @@ int dgst_main(int argc, char **argv)
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
-          const char *file, BIO *bmd)
+          const char *file)
 {
     size_t len;
     int i;

apps/dhparam.c

@@ -171,7 +171,10 @@ int dhparam_main(int argc, char **argv)
     BIO *in = NULL, *out = NULL;
     DH *dh = NULL;
     char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
-    int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0;
+#ifndef OPENSSL_NO_DSA
+    int dsaparam = 0;
+#endif
+    int i, text = 0, C = 0, ret = 1, num = 0, g = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
     OPTION_CHOICE o;
 
@@ -211,7 +214,9 @@ int dhparam_main(int argc, char **argv)
             text = 1;
             break;
         case OPT_DSAPARAM:
+#ifndef OPENSSL_NO_DSA
             dsaparam = 1;
+#endif
             break;
         case OPT_C:
             C = 1;
@@ -379,40 +384,50 @@ int dhparam_main(int argc, char **argv)
     if (C) {
         unsigned char *data;
         int len, bits;
+        BIGNUM *pbn, *gbn;
 
-        len = BN_num_bytes(dh->p);
-        bits = BN_num_bits(dh->p);
+        len = DH_size(dh);
+        bits = DH_bits(dh);
+        DH_get0_pqg(dh, &pbn, NULL, &gbn);
         data = app_malloc(len, "print a BN");
         BIO_printf(out, "#ifndef HEADER_DH_H\n"
                         "# include <openssl/dh.h>\n"
                         "#endif\n"
                         "\n");
         BIO_printf(out, "DH *get_dh%d()\n{\n", bits);
-        print_bignum_var(out, dh->p, "dhp", bits, data);
-        print_bignum_var(out, dh->g, "dhg", bits, data);
-        BIO_printf(out, "    DH *dh = DN_new();\n"
+        print_bignum_var(out, pbn, "dhp", bits, data);
+        print_bignum_var(out, gbn, "dhg", bits, data);
+        BIO_printf(out, "    DH *dh = DH_new();\n"
+                        "    BIGNUM *dhp_bn, *dhg_bn;\n"
                         "\n"
                         "    if (dh == NULL)\n"
                         "        return NULL;\n");
-        BIO_printf(out, "    dh->p = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
-               bits, bits);
-        BIO_printf(out, "    dh->g = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
-               bits, bits);
-        BIO_printf(out, "    if (!dh->p || !dh->g) {\n"
+        BIO_printf(out, "    dhp_bn = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
+                   bits, bits);
+        BIO_printf(out, "    dhg_bn = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
+                   bits, bits);
+        BIO_printf(out, "    if (dhp_bn == NULL || dhg_bn == NULL\n"
+                        "            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {\n"
                         "        DH_free(dh);\n"
+                        "        BN_free(dhp_bn);\n"
+                        "        BN_free(dhg_bn);\n"
                         "        return NULL;\n"
                         "    }\n");
-        if (dh->length)
+        if (DH_get_length(dh) > 0)
             BIO_printf(out,
-                        "    dh->length = %ld;\n", dh->length);
+                        "    if (!DH_set_length(dh, %ld)) {\n"
+                        "        DH_free(dh);\n"
+                        "    }\n", DH_get_length(dh));
         BIO_printf(out, "    return dh;\n}\n");
         OPENSSL_free(data);
     }
 
     if (!noout) {
+        BIGNUM *q;
+        DH_get0_pqg(dh, NULL, &q, NULL);
         if (outformat == FORMAT_ASN1)
             i = i2d_DHparams_bio(out, dh);
-        else if (dh->q)
+        else if (q != NULL)
             i = PEM_write_bio_DHxparams(out, dh);
         else
             i = PEM_write_bio_DHparams(out, dh);

apps/dsa.c

@@ -116,7 +116,10 @@ int dsa_main(int argc, char **argv)
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
-    int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+    int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
+# ifndef OPENSSL_NO_RC4
+    int pvk_encr = 2;
+# endif
     int private = 0;
 
     prog = opt_init(argc, argv, dsa_options);
@@ -194,7 +197,9 @@ int dsa_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = pubin || pubout ? 0 : 1;
     if (text && !pubin)
         private = 1;
@@ -238,8 +243,10 @@ int dsa_main(int argc, char **argv)
     }
 
     if (modulus) {
+        BIGNUM *pub_key = NULL;
+        DSA_get0_key(dsa, &pub_key, NULL);
         BIO_printf(out, "Public Key=");
-        BN_print(out, dsa->pub_key);
+        BN_print(out, pub_key);
         BIO_printf(out, "\n");
     }
 

apps/dsaparam.c

@@ -263,14 +263,20 @@ int dsaparam_main(int argc, char **argv)
     }
 
     if (C) {
-        int len = BN_num_bytes(dsa->p);
-        int bits_p = BN_num_bits(dsa->p);
-        unsigned char *data = app_malloc(len + 20, "BN space");
+        BIGNUM *p = NULL, *q = NULL, *g = NULL;
+        unsigned char *data;
+        int len, bits_p;
+
+        DSA_get0_pqg(dsa, &p, &q, &g);
+        len = BN_num_bytes(p);
+        bits_p = BN_num_bits(p);
+
+        data = app_malloc(len + 20, "BN space");
 
         BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
-        print_bignum_var(bio_out, dsa->p, "dsap", len, data);
-        print_bignum_var(bio_out, dsa->q, "dsaq", len, data);
-        print_bignum_var(bio_out, dsa->g, "dsag", len, data);
+        print_bignum_var(bio_out, p, "dsap", len, data);
+        print_bignum_var(bio_out, q, "dsaq", len, data);
+        print_bignum_var(bio_out, g, "dsag", len, data);
         BIO_printf(bio_out, "    DSA *dsa = DSA_new();\n"
                             "\n");
         BIO_printf(bio_out, "    if (dsa == NULL)\n"

apps/ec.c

@@ -205,7 +205,9 @@ int ec_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = param_out || pubin || pubout ? 0 : 1;
     if (text && !pubin)
         private = 1;

apps/ecparam.c

@@ -220,7 +220,9 @@ int ecparam_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = genkey ? 1 : 0;
 
     in = bio_open_default(infile, 'r', informat);

apps/enc.c

@@ -97,14 +97,15 @@ OPTIONS enc_options[] = {
     {"d", OPT_D, '-', "Decrypt"},
     {"p", OPT_P, '-', "Print the iv/key"},
     {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
-    {"v", OPT_V, '-'},
+    {"v", OPT_V, '-', "Verbose output"},
     {"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
-    {"salt", OPT_SALT, '-'},
-    {"nosalt", OPT_NOSALT, '-'},
-    {"debug", OPT_DEBUG, '-'},
-    {"A", OPT_UPPER_A, '-'},
-    {"a", OPT_A, '-', "base64 encode/decode, depending on encryption flag"},
-    {"base64", OPT_A, '-', "Base64 output as a single line"},
+    {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
+    {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
+    {"debug", OPT_DEBUG, '-', "Print debug info"},
+    {"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
+    {"base64", OPT_A, '-', "Same as option -a"},
+    {"A", OPT_UPPER_A, '-',
+     "Used with -[base64|a] to specify base64 buffer as a single line"},
     {"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
     {"k", OPT_K, 's', "Passphrase"},
     {"kfile", OPT_KFILE, '<', "Fead passphrase from file"},
@@ -312,23 +313,19 @@ int enc_main(int argc, char **argv)
     if (verbose)
         BIO_printf(bio_err, "bufsize=%d\n", bsize);
 
-    if (base64) {
-        if (enc)
-            outformat = FORMAT_BASE64;
-        else
-            informat = FORMAT_BASE64;
-    }
+#ifdef ZLIB
+    if (!do_zlib)
+#endif
+        if (base64) {
+            if (enc)
+                outformat = FORMAT_BASE64;
+            else
+                informat = FORMAT_BASE64;
+        }
 
     strbuf = app_malloc(SIZE, "strbuf");
     buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
 
-    if (debug) {
-        BIO_set_callback(in, BIO_debug_callback);
-        BIO_set_callback(out, BIO_debug_callback);
-        BIO_set_callback_arg(in, (char *)bio_err);
-        BIO_set_callback_arg(out, (char *)bio_err);
-    }
-
     if (infile == NULL) {
         unbuffer(stdin);
         in = dup_bio_in(informat);
@@ -346,26 +343,33 @@ int enc_main(int argc, char **argv)
     }
 
     if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
-        for (;;) {
-            char prompt[200];
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            for (;;) {
+                char prompt[200];
 
-            BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:",
-                         OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
-                         (enc) ? "encryption" : "decryption");
-            strbuf[0] = '\0';
-            i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
-            if (i == 0) {
-                if (strbuf[0] == '\0') {
-                    ret = 1;
+                BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:",
+                             OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+                             (enc) ? "encryption" : "decryption");
+                strbuf[0] = '\0';
+                i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
+                if (i == 0) {
+                    if (strbuf[0] == '\0') {
+                        ret = 1;
+                        goto end;
+                    }
+                    str = strbuf;
+                    break;
+                }
+                if (i < 0) {
+                    BIO_printf(bio_err, "bad password read\n");
                     goto end;
                 }
-                str = strbuf;
-                break;
-            }
-            if (i < 0) {
-                BIO_printf(bio_err, "bad password read\n");
-                goto end;
             }
+        } else {
+#endif
+            BIO_printf(bio_err, "password required\n");
+            goto end;
         }
     }
 
@@ -373,6 +377,13 @@ int enc_main(int argc, char **argv)
     if (out == NULL)
         goto end;
 
+    if (debug) {
+        BIO_set_callback(in, BIO_debug_callback);
+        BIO_set_callback(out, BIO_debug_callback);
+        BIO_set_callback_arg(in, (char *)bio_err);
+        BIO_set_callback_arg(out, (char *)bio_err);
+    }
+
     rbio = in;
     wbio = out;
 
@@ -380,6 +391,10 @@ int enc_main(int argc, char **argv)
     if (do_zlib) {
         if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
             goto end;
+        if (debug) {
+            BIO_set_callback(bzl, BIO_debug_callback);
+            BIO_set_callback_arg(bzl, (char *)bio_err);
+        }
         if (enc)
             wbio = BIO_push(bzl, wbio);
         else
@@ -621,7 +636,7 @@ static int set_hex(char *in, unsigned char *out, int size)
             BIO_printf(bio_err, "non-hex digit\n");
             return (0);
         }
-        j = (unsigned char)app_hex(j);
+        j = (unsigned char)OPENSSL_hexchar2int(j);
         if (i & 1)
             out[i / 2] |= j;
         else

apps/gendsa.c

@@ -101,6 +101,7 @@ int gendsa_main(int argc, char **argv)
     char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
     OPTION_CHOICE o;
     int ret = 1, private = 0;
+    BIGNUM *p = NULL;
 
     prog = opt_init(argc, argv, gendsa_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -168,7 +169,8 @@ int gendsa_main(int argc, char **argv)
         BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                    app_RAND_load_files(inrand));
 
-    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(dsa->p));
+    DSA_get0_pqg(dsa, &p, NULL, NULL);
+    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
     if (!DSA_generate_key(dsa))
         goto end;
 

apps/genpkey.c

@@ -170,7 +170,9 @@ int genpkey_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = do_param ? 0 : 1;
 
     if (ctx == NULL)
@@ -315,8 +317,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
 
     EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
 #ifndef OPENSSL_NO_ENGINE
-    if (tmpeng)
-        ENGINE_finish(tmpeng);
+    ENGINE_finish(tmpeng);
 #endif
     ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
 

apps/genrsa.c

@@ -104,9 +104,10 @@ int genrsa_main(int argc, char **argv)
 {
     BN_GENCB *cb = BN_GENCB_new();
     PW_CB_DATA cb_data;
-    ENGINE *e = NULL;
+    ENGINE *eng = NULL;
     BIGNUM *bn = BN_new();
     BIO *out = NULL;
+    BIGNUM *e;
     RSA *rsa = NULL;
     const EVP_CIPHER *enc = NULL;
     int ret = 1, num = DEFBITS, private = 0;
@@ -141,7 +142,7 @@ int genrsa_main(int argc, char **argv)
             outfile = opt_arg();
             break;
         case OPT_ENGINE:
-            e = setup_engine(opt_arg(), 0);
+            eng = setup_engine(opt_arg(), 0);
             break;
         case OPT_RAND:
             inrand = opt_arg();
@@ -182,7 +183,7 @@ int genrsa_main(int argc, char **argv)
 
     BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
                num);
-    rsa = e ? RSA_new_method(e) : RSA_new();
+    rsa = eng ? RSA_new_method(eng) : RSA_new();
     if (rsa == NULL)
         goto end;
 
@@ -191,8 +192,9 @@ int genrsa_main(int argc, char **argv)
 
     app_RAND_write_file(NULL);
 
-    hexe = BN_bn2hex(rsa->e);
-    dece = BN_bn2dec(rsa->e);
+    RSA_get0_key(rsa, NULL, &e, NULL);
+    hexe = BN_bn2hex(e);
+    dece = BN_bn2dec(e);
     if (hexe && dece) {
         BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
     }

apps/nseq.c

@@ -89,6 +89,7 @@ int nseq_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         case OPT_HELP:
@@ -107,7 +108,8 @@ int nseq_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     in = bio_open_default(infile, 'r', FORMAT_PEM);
     if (in == NULL)

apps/ocsp.c

@@ -55,8 +55,12 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-#ifndef OPENSSL_NO_OCSP
 
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_OCSP
+NON_EMPTY_TRANSLATION_UNIT
+#else
 # ifdef OPENSSL_SYS_VMS
 #  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
                                  * on OpenVMS */
@@ -69,8 +73,9 @@
 # include <string.h>
 # include <time.h>
 # include <ctype.h>
-# include "apps.h"              /* needs to be included before the openssl
-                                 * headers! */
+
+/* Needs to be included before the openssl headers */
+# include "apps.h"
 # include <openssl/e_os2.h>
 # include <openssl/crypto.h>
 # include <openssl/err.h>
@@ -115,13 +120,15 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
 
 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
 static BIO *init_responder(const char *port);
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
-                        const char *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
+
+# ifndef OPENSSL_NO_SOCK
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                       const char *path,
                                       const STACK_OF(CONF_VALUE) *headers,
                                       OCSP_REQUEST *req, int req_timeout);
+# endif
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -144,7 +151,8 @@ typedef enum OPTION_choice {
 OPTIONS ocsp_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
     {"out", OPT_OUTFILE, '>', "Output filename"},
-    {"timeout", OPT_TIMEOUT, 'p'},
+    {"timeout", OPT_TIMEOUT, 'p',
+     "Connection timeout (in seconds) to the OCSP responder"},
     {"url", OPT_URL, 's', "Responder URL"},
     {"host", OPT_HOST, 's', "host:prot top to connect to"},
     {"port", OPT_PORT, 'p', "Port to run responder on"},
@@ -244,7 +252,10 @@ int ocsp_main(int argc, char **argv)
     int noCAfile = 0, noCApath = 0;
     int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
     int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
-    int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
+    int req_text = 0, resp_text = 0, ret = 1;
+#ifndef OPENSSL_NO_SOCK
+    int req_timeout = -1;
+#endif
     long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
     unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
     OPTION_CHOICE o;
@@ -275,7 +286,9 @@ int ocsp_main(int argc, char **argv)
             outfile = opt_arg();
             break;
         case OPT_TIMEOUT:
+#ifndef OPENSSL_NO_SOCK
             req_timeout = atoi(opt_arg());
+#endif
             break;
         case OPT_URL:
             OPENSSL_free(thost);
@@ -405,8 +418,7 @@ int ocsp_main(int argc, char **argv)
             path = opt_arg();
             break;
         case OPT_ISSUER:
-            issuer = load_cert(opt_arg(), FORMAT_PEM,
-                               NULL, NULL, "issuer certificate");
+            issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
             if (issuer == NULL)
                 goto end;
             if (issuers == NULL) {
@@ -417,8 +429,7 @@ int ocsp_main(int argc, char **argv)
             break;
         case OPT_CERT:
             X509_free(cert);
-            cert = load_cert(opt_arg(), FORMAT_PEM,
-                             NULL, NULL, "certificate");
+            cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
             if (cert == NULL)
                 goto end;
             if (cert_id_md == NULL)
@@ -490,7 +501,8 @@ int ocsp_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     /* Have we anything to do? */
     if (!req && !reqin && !respin && !(port && ridx_filename))
@@ -524,16 +536,14 @@ int ocsp_main(int argc, char **argv)
     if (rsignfile) {
         if (!rkeyfile)
             rkeyfile = rsignfile;
-        rsigner = load_cert(rsignfile, FORMAT_PEM,
-                            NULL, NULL, "responder certificate");
+        rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
         if (!rsigner) {
             BIO_printf(bio_err, "Error loading responder certificate\n");
             goto end;
         }
-        rca_cert = load_cert(rca_filename, FORMAT_PEM,
-                             NULL, NULL, "CA certificate");
+        rca_cert = load_cert(rca_filename, FORMAT_PEM, "CA certificate");
         if (rcertfile) {
-            if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, NULL,
+            if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL,
                             "responder other certificates"))
                 goto end;
         }
@@ -548,7 +558,7 @@ int ocsp_main(int argc, char **argv)
  redo_accept:
 
     if (acbio) {
-        if (!do_responder(&req, &cbio, acbio, port))
+        if (!do_responder(&req, &cbio, acbio))
             goto end;
         if (!req) {
             resp =
@@ -570,14 +580,13 @@ int ocsp_main(int argc, char **argv)
     if (signfile) {
         if (!keyfile)
             keyfile = signfile;
-        signer = load_cert(signfile, FORMAT_PEM,
-                           NULL, NULL, "signer certificate");
+        signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
         if (!signer) {
             BIO_printf(bio_err, "Error loading signer certificate\n");
             goto end;
         }
         if (sign_certfile) {
-            if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, NULL,
+            if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL,
                             "signer certificates"))
                 goto end;
         }
@@ -700,7 +709,7 @@ int ocsp_main(int argc, char **argv)
     if (vpmtouched)
         X509_STORE_set1_param(store, vpm);
     if (verify_certfile) {
-        if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, NULL,
+        if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL,
                         "validator certificate"))
             goto end;
     }
@@ -1066,7 +1075,9 @@ static int urldecode(char *p)
         if (*p != '%')
             *out++ = *p;
         else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
-            *out++ = (app_hex(p[1]) << 4) | app_hex(p[2]);
+            /* Don't check, can't fail because of ixdigit() call. */
+            *out++ = (OPENSSL_hexchar2int(p[1]) << 4)
+                   | OPENSSL_hexchar2int(p[2]);
             p += 2;
         }
         else
@@ -1076,8 +1087,7 @@ static int urldecode(char *p)
     return (int)(out - save);
 }
 
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
-                        const char *port)
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio)
 {
     int len;
     OCSP_REQUEST *req = NULL;
@@ -1175,6 +1185,7 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
     return 1;
 }
 
+# ifndef OPENSSL_NO_SOCK
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                       const char *path,
                                       const STACK_OF(CONF_VALUE) *headers,
@@ -1305,5 +1316,6 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
     SSL_CTX_free(ctx);
     return resp;
 }
+# endif
 
 #endif

apps/openssl.c

@@ -176,14 +176,18 @@ static int apps_startup()
                              | OPENSSL_INIT_LOAD_CONFIG, NULL))
         return 0;
 
+#ifndef OPENSSL_NO_UI
     setup_ui_method();
+#endif
 
     return 1;
 }
 
 static void apps_shutdown()
 {
+#ifndef OPENSSL_NO_UI
     destroy_ui_method();
+#endif
 }
 
 static char *make_config_name()
@@ -207,59 +211,6 @@ static char *make_config_name()
     return p;
 }
 
-static void lock_dbg_cb(int mode, int type, const char *file, int line)
-{
-    static int modes[CRYPTO_NUM_LOCKS];
-    const char *errstr = NULL;
-    int rw = mode & (CRYPTO_READ | CRYPTO_WRITE);
-
-    if (rw != CRYPTO_READ && rw != CRYPTO_WRITE) {
-        errstr = "invalid mode";
-        goto err;
-    }
-
-    if (type < 0 || type >= CRYPTO_NUM_LOCKS) {
-        errstr = "type out of bounds";
-        goto err;
-    }
-
-    if (mode & CRYPTO_LOCK) {
-        if (modes[type]) {
-            errstr = "already locked";
-            /* must not happen in a single-threaded program --> deadlock! */
-            goto err;
-        }
-        modes[type] = rw;
-    } else if (mode & CRYPTO_UNLOCK) {
-        if (!modes[type]) {
-            errstr = "not locked";
-            goto err;
-        }
-
-        if (modes[type] != rw) {
-            errstr = (rw == CRYPTO_READ) ?
-                "CRYPTO_r_unlock on write lock" :
-                "CRYPTO_w_unlock on read lock";
-        }
-
-        modes[type] = 0;
-    } else {
-        errstr = "invalid mode";
-        goto err;
-    }
-
- err:
-    if (errstr) {
-        BIO_printf(bio_err,
-                   "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
-                   errstr, mode, type, file, line);
-    }
-}
-
-#if defined( OPENSSL_SYS_VMS)
-extern char **copy_argv(int *argc, char **argv);
-#endif
-
 int main(int argc, char *argv[])
 {
     FUNCTION f, *fp;
@@ -278,9 +229,9 @@ int main(int argc, char *argv[])
     default_config_file = make_config_name();
     bio_in = dup_bio_in(FORMAT_TEXT);
     bio_out = dup_bio_out(FORMAT_TEXT);
-    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+    bio_err = dup_bio_err(FORMAT_TEXT);
 
-#if defined( OPENSSL_SYS_VMS)
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
     copied_argv = argv = copy_argv(&argc, argv);
 #endif
 
@@ -288,7 +239,6 @@ int main(int argc, char *argv[])
     if (p != NULL && strcmp(p, "on") == 0)
         CRYPTO_set_mem_debug(1);
     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-    CRYPTO_set_locking_callback(lock_dbg_cb);
 
     if (getenv("OPENSSL_FIPS")) {
 #ifdef OPENSSL_FIPS
@@ -694,12 +644,12 @@ static int SortFnByName(const void *_f1, const void *_f2)
 static void list_disabled(void)
 {
     BIO_puts(bio_out, "Disabled algorithms:\n");
-#ifdef OPENSSL_NO_AES
-    BIO_puts(bio_out, "AES\n");
-#endif
 #ifdef OPENSSL_NO_BF
     BIO_puts(bio_out, "BF\n");
 #endif
+#ifndef OPENSSL_NO_BLAKE2
+    BIO_puts(bio_out, "BLAKE2\n");
+#endif
 #ifdef OPENSSL_NO_CAMELLIA
     BIO_puts(bio_out, "CAMELLIA\n");
 #endif
@@ -751,15 +701,9 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_HEARTBEATS
     BIO_puts(bio_out, "HEARTBEATS\n");
 #endif
-#ifdef OPENSSL_NO_HMAC
-    BIO_puts(bio_out, "HMAC\n");
-#endif
 #ifdef OPENSSL_NO_IDEA
     BIO_puts(bio_out, "IDEA\n");
 #endif
-#ifdef OPENSSL_NO_JPAKE
-    BIO_puts(bio_out, "JPAKE\n");
-#endif
 #ifdef OPENSSL_NO_MD2
     BIO_puts(bio_out, "MD2\n");
 #endif
@@ -808,9 +752,6 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_SEED
     BIO_puts(bio_out, "SEED\n");
 #endif
-#ifdef OPENSSL_NO_SHA
-    BIO_puts(bio_out, "SHA\n");
-#endif
 #ifdef OPENSSL_NO_SOCK
     BIO_puts(bio_out, "SOCK\n");
 #endif

apps/opt.c

@@ -78,7 +78,7 @@ static char prog[40];
 /*
  * Return the simple name of the program; removing various platform gunk.
  */
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WIN32)
 char *opt_progname(const char *argv0)
 {
     size_t i, n;
@@ -97,11 +97,6 @@ char *opt_progname(const char *argv0)
     if (n > 4 &&
         (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
         n -= 4;
-#if defined(OPENSSL_SYS_NETWARE)
-    if (n > 4 &&
-        (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0))
-        n -= 4;
-#endif
 
     /* Copy over the name, in lowercase. */
     if (n > sizeof prog - 1)
@@ -168,8 +163,8 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
     unknown = NULL;
 
     for (; o->name; ++o) {
-        const OPTIONS *next;
 #ifndef NDEBUG
+        const OPTIONS *next;
         int duplicated, i;
 #endif
 
@@ -378,6 +373,7 @@ int opt_long(const char *value, long *result)
     long l;
     char *endp;
 
+    errno = 0;
     l = strtol(value, &endp, 0);
     if (*endp
             || endp == value
@@ -403,6 +399,7 @@ int opt_imax(const char *value, intmax_t *result)
     intmax_t m;
     char *endp;
 
+    errno = 0;
     m = strtoimax(value, &endp, 0);
     if (*endp
             || endp == value
@@ -425,6 +422,7 @@ int opt_umax(const char *value, uintmax_t *result)
     uintmax_t m;
     char *endp;
 
+    errno = 0;
     m = strtoumax(value, &endp, 0);
     if (*endp
             || endp == value
@@ -450,6 +448,7 @@ int opt_ulong(const char *value, unsigned long *result)
     char *endptr;
     unsigned long l;
 
+    errno = 0;
     l = strtoul(value, &endptr, 0);
     if (*endptr
             || endptr == value
@@ -531,6 +530,11 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         if (i >= 0)
             X509_VERIFY_PARAM_set_depth(vpm, i);
         break;
+    case OPT_V_VERIFY_AUTH_LEVEL:
+        i = atoi(opt_arg());
+        if (i >= 0)
+            X509_VERIFY_PARAM_set_auth_level(vpm, i);
+        break;
     case OPT_V_ATTIME:
         if (!opt_imax(opt_arg(), &t))
             return 0;

apps/passwd.c

@@ -118,7 +118,10 @@ int passwd_main(int argc, char **argv)
     char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL;
     char *salt_malloc = NULL, *passwd_malloc = NULL, *prog;
     OPTION_CHOICE o;
-    int in_stdin = 0, in_noverify = 0, pw_source_defined = 0;
+    int in_stdin = 0, pw_source_defined = 0;
+#ifndef OPENSSL_NO_UI
+    int in_noverify = 0;
+#endif
     int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
     int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0;
     size_t passwd_malloc_size = 0, pw_maxlen = 256;
@@ -142,7 +145,9 @@ int passwd_main(int argc, char **argv)
             pw_source_defined = 1;
             break;
         case OPT_NOVERIFY:
+#ifndef OPENSSL_NO_UI
             in_noverify = 1;
+#endif
             break;
         case OPT_QUIET:
             quiet = 1;
@@ -201,14 +206,20 @@ int passwd_main(int argc, char **argv)
         goto opthelp;
 # endif
 
-    if (infile && in_stdin) {
+    if (infile != NULL && in_stdin) {
         BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
         goto end;
     }
 
-    in = bio_open_default(infile, 'r', FORMAT_TEXT);
-    if (in == NULL)
-        goto end;
+    if (infile != NULL || in_stdin) {
+        /*
+         * If in_stdin is true, we know that infile is NULL, and that
+         * bio_open_default() will give us back an alias for stdin.
+         */
+        in = bio_open_default(infile, 'r', FORMAT_TEXT);
+        if (in == NULL)
+            goto end;
+    }
 
     if (usecrypt)
         pw_maxlen = 8;
@@ -226,18 +237,26 @@ int passwd_main(int argc, char **argv)
     }
 
     if ((in == NULL) && (passwds == NULL)) {
-        /* build a null-terminated list */
-        static char *passwds_static[2] = { NULL, NULL };
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            /* build a null-terminated list */
+            static char *passwds_static[2] = { NULL, NULL };
 
-        passwds = passwds_static;
-        if (in == NULL)
-            if (EVP_read_pw_string
-                (passwd_malloc, passwd_malloc_size, "Password: ",
-                 !(passed_salt || in_noverify)) != 0)
-                goto end;
-        passwds[0] = passwd_malloc;
+            passwds = passwds_static;
+            if (in == NULL)
+                if (EVP_read_pw_string
+                    (passwd_malloc, passwd_malloc_size, "Password: ",
+                     !(passed_salt || in_noverify)) != 0)
+                    goto end;
+            passwds[0] = passwd_malloc;
+        } else {
+#endif
+            BIO_printf(bio_err, "password required\n");
+            goto end;
+        }
     }
 
+
     if (in == NULL) {
         assert(passwds != NULL);
         assert(*passwds != NULL);

apps/pkcs12.c

@@ -57,7 +57,9 @@
  */
 
 #include <openssl/opensslconf.h>
-#if !defined(OPENSSL_NO_DES)
+#if defined(OPENSSL_NO_DES)
+NON_EMPTY_TRANSLATION_UNIT
+#else
 
 # include <stdio.h>
 # include <stdlib.h>
@@ -174,7 +176,8 @@ int pkcs12_main(int argc, char **argv)
     int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 # endif
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-    int ret = 1, macver = 1, noprompt = 0, add_lmk = 0, private = 0;
+    int ret = 1, macver = 1, add_lmk = 0, private = 0;
+    int noprompt = 0;
     char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
     char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL;
     char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL;
@@ -325,7 +328,9 @@ int pkcs12_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = 1;
 
     if (passarg) {
@@ -363,9 +368,16 @@ int pkcs12_main(int argc, char **argv)
     }
 
     if (twopass) {
-        if (EVP_read_pw_string
-            (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
-            BIO_printf(bio_err, "Can't read Password\n");
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            if (EVP_read_pw_string
+                (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
+                BIO_printf(bio_err, "Can't read Password\n");
+                goto end;
+            }
+        } else {
+#endif
+            BIO_printf(bio_err, "Unsupported option -twopass\n");
             goto end;
         }
     }
@@ -395,7 +407,7 @@ int pkcs12_main(int argc, char **argv)
 
         /* Load in all certs in input file */
         if (!(options & NOCERTS)) {
-            if (!load_certs(infile, &certs, FORMAT_PEM, NULL, e,
+            if (!load_certs(infile, &certs, FORMAT_PEM, NULL,
                             "certificates"))
                 goto export_end;
 
@@ -424,7 +436,7 @@ int pkcs12_main(int argc, char **argv)
 
         /* Add any more certificates asked for */
         if (certfile) {
-            if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, e,
+            if (!load_certs(certfile, &certs, FORMAT_PEM, NULL,
                             "certificates from certfile"))
                 goto export_end;
         }
@@ -473,12 +485,21 @@ int pkcs12_main(int argc, char **argv)
         if (add_lmk && key)
             EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
 
-        if (!noprompt &&
-            EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
-                               1)) {
-            BIO_printf(bio_err, "Can't read Password\n");
-            goto export_end;
+        if (!noprompt) {
+            if (1) {
+#ifndef OPENSSL_NO_UI
+                if (EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
+                                       1)) {
+                    BIO_printf(bio_err, "Can't read Password\n");
+                    goto export_end;
+                }
+            } else {
+#endif
+                BIO_printf(bio_err, "Password required\n");
+                goto export_end;
+            }
         }
+
         if (!twopass)
             OPENSSL_strlcpy(macpass, pass, sizeof macpass);
 
@@ -530,11 +551,19 @@ int pkcs12_main(int argc, char **argv)
         goto end;
     }
 
-    if (!noprompt
-        && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
-                              0)) {
-        BIO_printf(bio_err, "Can't read Password\n");
-        goto end;
+    if (!noprompt) {
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            if (EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
+                                   0)) {
+                BIO_printf(bio_err, "Can't read Password\n");
+                goto end;
+            }
+        } else {
+#endif
+            BIO_printf(bio_err, "Password required\n");
+            goto end;
+        }
     }
 
     if (!twopass)
@@ -658,7 +687,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
         p8 = PKCS12_SAFEBAG_get0_p8inf(bag);
         if ((pkey = EVP_PKCS82PKEY(p8)) == NULL)
             return 0;
-        print_attribs(out, p8->attributes, "Key Attributes");
+        print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes");
         PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
         EVP_PKEY_free(pkey);
         break;
@@ -666,10 +695,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
     case NID_pkcs8ShroudedKeyBag:
         if (options & INFO) {
             X509_SIG *tp8;
+            X509_ALGOR *tp8alg;
 
             BIO_printf(bio_err, "Shrouded Keybag: ");
             tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
-            alg_print(tp8->algor);
+            X509_SIG_get0(&tp8alg, NULL, tp8);
+            alg_print(tp8alg);
         }
         if (options & NOKEYS)
             return 1;
@@ -680,7 +711,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
             PKCS8_PRIV_KEY_INFO_free(p8);
             return 0;
         }
-        print_attribs(out, p8->attributes, "Key Attributes");
+        print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes");
         PKCS8_PRIV_KEY_INFO_free(p8);
         PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
         EVP_PKEY_free(pkey);
@@ -727,21 +758,28 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 static int get_cert_chain(X509 *cert, X509_STORE *store,
                           STACK_OF(X509) **chain)
 {
-    X509_STORE_CTX store_ctx;
+    X509_STORE_CTX *store_ctx = NULL;
     STACK_OF(X509) *chn = NULL;
     int i = 0;
 
-    if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
-        *chain = NULL;
-        return X509_V_ERR_UNSPECIFIED;
+    store_ctx = X509_STORE_CTX_new();
+    if (store_ctx == NULL) {
+        i =  X509_V_ERR_UNSPECIFIED;
+        goto end;
+    }
+    if (!X509_STORE_CTX_init(store_ctx, store, cert, NULL)) {
+        i =  X509_V_ERR_UNSPECIFIED;
+        goto end;
     }
 
-    if (X509_verify_cert(&store_ctx) > 0)
-        chn = X509_STORE_CTX_get1_chain(&store_ctx);
-    else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
+
+    if (X509_verify_cert(store_ctx) > 0)
+        chn = X509_STORE_CTX_get1_chain(store_ctx);
+    else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0)
         i = X509_V_ERR_UNSPECIFIED;
 
-    X509_STORE_CTX_cleanup(&store_ctx);
+end:
+    X509_STORE_CTX_free(store_ctx);
     *chain = chn;
     return i;
 }

apps/pkcs7.c

@@ -191,7 +191,8 @@ int pkcs7_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     in = bio_open_default(infile, 'r', informat);
     if (in == NULL)

apps/pkcs8.c

@@ -67,7 +67,7 @@
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
-    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
+    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT,
 #ifndef OPENSSL_NO_SCRYPT
     OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
 #endif
@@ -83,10 +83,6 @@ OPTIONS pkcs8_options[] = {
     {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
     {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
     {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
-    {"nooct", OPT_NOOCT, '-', "Use (nonstandard) no octet format"},
-    {"nsdb", OPT_NSDB, '-', "Use (nonstandard) DSA Netscape DB format"},
-    {"embed", OPT_EMBED, '-',
-     "Use (nonstandard) embedded DSA parameters format"},
     {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
     {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
     {"v2prf", OPT_V2PRF, 's'},
@@ -115,9 +111,12 @@ int pkcs8_main(int argc, char **argv)
     const EVP_CIPHER *cipher = NULL;
     char *infile = NULL, *outfile = NULL;
     char *passinarg = NULL, *passoutarg = NULL, *prog;
-    char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
+#ifndef OPENSSL_NO_UI
+    char pass[50];
+#endif
+    char *passin = NULL, *passout = NULL, *p8pass = NULL;
     OPTION_CHOICE o;
-    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
+    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
     int private = 0;
 #ifndef OPENSSL_NO_SCRYPT
@@ -159,15 +158,6 @@ int pkcs8_main(int argc, char **argv)
         case OPT_NOCRYPT:
             nocrypt = 1;
             break;
-        case OPT_NOOCT:
-            p8_broken = PKCS8_NO_OCTET;
-            break;
-        case OPT_NSDB:
-            p8_broken = PKCS8_NS_DB;
-            break;
-        case OPT_EMBED:
-            p8_broken = PKCS8_EMBEDDED_PARAM;
-            break;
         case OPT_V2:
             if (!opt_cipher(opt_arg(), &cipher))
                 goto opthelp;
@@ -203,9 +193,9 @@ int pkcs8_main(int argc, char **argv)
             break;
 #ifndef OPENSSL_NO_SCRYPT
         case OPT_SCRYPT:
-            scrypt_N = 1024;
+            scrypt_N = 16384;
             scrypt_r = 8;
-            scrypt_p = 16;
+            scrypt_p = 1;
             if (cipher == NULL)
                 cipher = EVP_aes_256_cbc();
             break;
@@ -225,7 +215,9 @@ int pkcs8_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = 1;
 
     if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
@@ -247,7 +239,7 @@ int pkcs8_main(int argc, char **argv)
         pkey = load_key(infile, informat, 1, passin, e, "key");
         if (!pkey)
             goto end;
-        if ((p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)) == NULL) {
+        if ((p8inf = EVP_PKEY2PKCS8(pkey)) == NULL) {
             BIO_printf(bio_err, "Error converting key\n");
             ERR_print_errors(bio_err);
             goto end;
@@ -283,13 +275,18 @@ int pkcs8_main(int argc, char **argv)
             }
             if (passout)
                 p8pass = passout;
-            else {
+            else if (1) {
+#ifndef OPENSSL_NO_UI
                 p8pass = pass;
                 if (EVP_read_pw_string
                     (pass, sizeof pass, "Enter Encryption Password:", 1)) {
                     X509_ALGOR_free(pbe);
                     goto end;
                 }
+            } else {
+#endif
+                BIO_printf(bio_err, "Password required\n");
+                goto end;
             }
             app_RAND_load_file(NULL, 0);
             p8 = PKCS8_set0_pbe(p8pass, strlen(p8pass), p8inf, pbe);
@@ -341,9 +338,14 @@ int pkcs8_main(int argc, char **argv)
         }
         if (passin)
             p8pass = passin;
-        else {
+        else if (1) {
+#ifndef OPENSSL_NO_UI
             p8pass = pass;
             EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
+        } else {
+#endif
+            BIO_printf(bio_err, "Password required\n");
+            goto end;
         }
         p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
     }
@@ -360,31 +362,6 @@ int pkcs8_main(int argc, char **argv)
         goto end;
     }
 
-    if (p8inf->broken) {
-        BIO_printf(bio_err, "Warning: broken key encoding: ");
-        switch (p8inf->broken) {
-        case PKCS8_NO_OCTET:
-            BIO_printf(bio_err, "No Octet String in PrivateKey\n");
-            break;
-
-        case PKCS8_EMBEDDED_PARAM:
-            BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
-            break;
-
-        case PKCS8_NS_DB:
-            BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
-            break;
-
-        case PKCS8_NEG_PRIVKEY:
-            BIO_printf(bio_err, "DSA private key value is negative\n");
-            break;
-
-        default:
-            BIO_printf(bio_err, "Unknown broken type\n");
-            break;
-        }
-    }
-
     assert(private);
     if (outformat == FORMAT_PEM)
         PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);

apps/pkey.c

@@ -159,7 +159,9 @@ int pkey_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = !noout && !pubout ? 1 : 0;
     if (text && !pubtext)
         private = 1;

apps/pkeyparam.c

@@ -92,6 +92,7 @@ int pkeyparam_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         case OPT_HELP:
@@ -116,7 +117,8 @@ int pkeyparam_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     in = bio_open_default(infile, 'r', FORMAT_PEM);
     if (in == NULL)

apps/pkeyutl.c

@@ -62,11 +62,12 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 
+#define KEY_NONE        0
 #define KEY_PRIVKEY     1
 #define KEY_PUBKEY      2
 #define KEY_CERT        3
 
-static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int impl);
@@ -84,7 +85,7 @@ typedef enum OPTION_choice {
     OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
     OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
     OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
-    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT
+    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_KDF, OPT_KDFLEN
 } OPTION_CHOICE;
 
 OPTIONS pkeyutl_options[] = {
@@ -103,6 +104,8 @@ OPTIONS pkeyutl_options[] = {
     {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
     {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
     {"derive", OPT_DERIVE, '-', "Derive shared secret"},
+    {"kdf", OPT_KDF, 's', "Use KDF algorithm"},
+    {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"},
     {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
     {"inkey", OPT_INKEY, 's', "Input private key file"},
     {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
@@ -135,6 +138,8 @@ int pkeyutl_main(int argc, char **argv)
     size_t buf_outlen;
     const char *inkey = NULL;
     const char *peerkey = NULL;
+    const char *kdfalg = NULL;
+    int kdflen = 0;
     STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
 
     prog = opt_init(argc, argv, pkeyutl_options);
@@ -211,13 +216,21 @@ int pkeyutl_main(int argc, char **argv)
         case OPT_DERIVE:
             pkey_op = EVP_PKEY_OP_DERIVE;
             break;
+        case OPT_KDF:
+            pkey_op = EVP_PKEY_OP_DERIVE;
+            key_type = KEY_NONE;
+            kdfalg = opt_arg();
+            break;
+        case OPT_KDFLEN:
+            kdflen = atoi(opt_arg());
+            break;
         case OPT_REV:
             rev = 1;
             break;
         case OPT_PKEYOPT:
             if ((pkeyopts == NULL &&
                  (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
-                sk_OPENSSL_STRING_push(pkeyopts, *++argv) == 0) {
+                sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) {
                 BIO_puts(bio_err, "out of memory\n");
                 goto end;
             }
@@ -225,13 +238,17 @@ int pkeyutl_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
-
-    if (inkey == NULL ||
-        (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE))
+    if (argc != 0)
         goto opthelp;
 
-    ctx = init_ctx(&keysize, inkey, keyform, key_type,
+    if (kdfalg != NULL) {
+        if (kdflen == 0)
+            goto opthelp;
+    } else if ((inkey == NULL)
+            || (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE)) {
+        goto opthelp;
+    }
+    ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type,
                    passinarg, pkey_op, e, engine_impl);
     if (ctx == NULL) {
         BIO_printf(bio_err, "%s: Error initializing context\n", prog);
@@ -325,15 +342,21 @@ int pkeyutl_main(int argc, char **argv)
             BIO_puts(out, "Signature Verification Failure\n");
         goto end;
     }
-    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
-                  buf_in, (size_t)buf_inlen);
+    if (kdflen != 0) {
+        buf_outlen = kdflen;
+        rv = 1;
+    } else {
+        rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+                      buf_in, (size_t)buf_inlen);
+    }
     if (rv > 0 && buf_outlen != 0) {
         buf_out = app_malloc(buf_outlen, "buffer output");
         rv = do_keyop(ctx, pkey_op,
                       buf_out, (size_t *)&buf_outlen,
                       buf_in, (size_t)buf_inlen);
     }
-    if (rv < 0) {
+    if (rv <= 0) {
+        BIO_puts(bio_err, "Public Key operation error\n");
         ERR_print_errors(bio_err);
         goto end;
     }
@@ -358,7 +381,7 @@ int pkeyutl_main(int argc, char **argv)
     return ret;
 }
 
-static EVP_PKEY_CTX *init_ctx(int *pkeysize,
+static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
                               const char *keyfile, int keyform, int key_type,
                               char *passinarg, int pkey_op, ENGINE *e,
                               const int engine_impl)
@@ -371,7 +394,7 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
     X509 *x;
     if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
          || (pkey_op == EVP_PKEY_OP_DERIVE))
-        && (key_type != KEY_PRIVKEY)) {
+        && (key_type != KEY_PRIVKEY && kdfalg == NULL)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
         goto end;
     }
@@ -389,28 +412,35 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, keyform, NULL, e, "Certificate");
+        x = load_cert(keyfile, keyform, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);
         }
         break;
 
+    case KEY_NONE:
+        break;
+
     }
 
-    *pkeysize = EVP_PKEY_size(pkey);
-
-    if (!pkey)
-        goto end;
-
 #ifndef OPENSSL_NO_ENGINE
     if (engine_impl)
         impl = e;
 #endif
-    
-    ctx = EVP_PKEY_CTX_new(pkey, impl);
 
-    EVP_PKEY_free(pkey);
+    if (kdfalg) {
+        int kdfnid = OBJ_sn2nid(kdfalg);
+        if (kdfnid == NID_undef)
+            goto end;
+        ctx = EVP_PKEY_CTX_new_id(kdfnid, impl);
+    } else {
+        if (pkey == NULL)
+            goto end;
+        *pkeysize = EVP_PKEY_size(pkey);
+        ctx = EVP_PKEY_CTX_new(pkey, impl);
+        EVP_PKEY_free(pkey);
+    }
 
     if (ctx == NULL)
         goto end;

apps/progs.h

@@ -1,7 +1,12 @@
 /*
  * Automatically generated by progs.pl for openssl.c
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
- * See the openssl.c for copyright details.
+ * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
  */
 
 typedef enum FUNC_TYPE {
@@ -120,7 +125,7 @@ extern OPTIONS x509_options[];
 static FUNCTION functions[] = {
     { FT_general, "asn1parse", asn1parse_main, asn1parse_options },
     { FT_general, "ca", ca_main, ca_options },
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
     { FT_general, "ciphers", ciphers_main, ciphers_options },
 #endif
 #ifndef OPENSSL_NO_CMS
@@ -164,7 +169,7 @@ static FUNCTION functions[] = {
     { FT_general, "ocsp", ocsp_main, ocsp_options },
 #endif
     { FT_general, "passwd", passwd_main, passwd_options },
-#if !defined(OPENSSL_NO_DES)
+#ifndef OPENSSL_NO_DES
     { FT_general, "pkcs12", pkcs12_main, pkcs12_options },
 #endif
     { FT_general, "pkcs7", pkcs7_main, pkcs7_options },
@@ -176,19 +181,17 @@ static FUNCTION functions[] = {
     { FT_general, "rand", rand_main, rand_options },
     { FT_general, "rehash", rehash_main, rehash_options },
     { FT_general, "req", req_main, req_options },
-#ifndef OPENSSL_NO_RSA
     { FT_general, "rsa", rsa_main, rsa_options },
-#endif
 #ifndef OPENSSL_NO_RSA
     { FT_general, "rsautl", rsautl_main, rsautl_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
     { FT_general, "s_client", s_client_main, s_client_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
     { FT_general, "s_server", s_server_main, s_server_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
     { FT_general, "s_time", s_time_main, s_time_options },
 #endif
     { FT_general, "sess_id", sess_id_main, sess_id_options },
@@ -198,7 +201,9 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_SRP
     { FT_general, "srp", srp_main, srp_options },
 #endif
+#ifndef OPENSSL_NO_TS
     { FT_general, "ts", ts_main, ts_options },
+#endif
     { FT_general, "verify", verify_main, verify_options },
     { FT_general, "version", version_main, version_options },
     { FT_general, "x509", x509_main, x509_options },
@@ -211,38 +216,42 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_MD5
     { FT_md, "md5", dgst_main},
 #endif
-#ifndef OPENSSL_NO_MD_GHOST94
-    { FT_md, "md_ghost94", dgst_main},
+#ifndef OPENSSL_NO_GOST
+    { FT_md, "gost", dgst_main},
 #endif
+#ifndef OPENSSL_NO_SHA
     { FT_md, "sha1", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
     { FT_md, "sha224", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
     { FT_md, "sha256", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
     { FT_md, "sha384", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
     { FT_md, "sha512", dgst_main},
+#endif
 #ifndef OPENSSL_NO_MDC2
     { FT_md, "mdc2", dgst_main},
 #endif
 #ifndef OPENSSL_NO_RMD160
     { FT_md, "rmd160", dgst_main},
 #endif
-#ifndef OPENSSL_NO_AES
+#ifndef OPENSSL_NO_BLAKE2
+    { FT_md, "blake2b512", dgst_main},
+#endif
+#ifndef OPENSSL_NO_BLAKE2
+    { FT_md, "blake2s256", dgst_main},
+#endif
     { FT_cipher, "aes-128-cbc", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
     { FT_cipher, "aes-128-ecb", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
     { FT_cipher, "aes-192-cbc", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
     { FT_cipher, "aes-192-ecb", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
     { FT_cipher, "aes-256-cbc", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
     { FT_cipher, "aes-256-ecb", enc_main, enc_options },
-#endif
 #ifndef OPENSSL_NO_CAMELLIA
     { FT_cipher, "camellia-128-cbc", enc_main, enc_options },
 #endif

apps/progs.pl

@@ -1,9 +1,19 @@
 #!/usr/bin/perl
+
+# Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL licenses, (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# https://www.openssl.org/source/license.html
+# or in the file LICENSE in the source distribution.
+
 # Generate progs.h file by looking for command mains in list of C files
 # passed on the command line.
 
 use strict;
 use warnings;
+use configdata qw/@disablables/;
 
 my %commands = ();
 my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
@@ -22,8 +32,13 @@ foreach my $filename (@ARGV) {
 print <<'EOF';
 /*
  * Automatically generated by progs.pl for openssl.c
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
- * See the openssl.c for copyright details.
+ * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
  */
 
 typedef enum FUNC_TYPE {
@@ -51,47 +66,64 @@ print "\n";
 foreach (@ARGV) {
 	printf "extern OPTIONS %s_options[];\n", $_;
 }
+
 print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
 print "static FUNCTION functions[] = {\n";
-foreach (@ARGV) {
-	my $str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
-	if (/^s_/ || /^ciphers$/) {
-		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
-	} elsif (/^engine$/) {
-		print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n";
-	} elsif (/^rsa$/ || /^genrsa$/ || /^rsautl$/) {
-		print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";
-	} elsif (/^dsa$/ || /^gendsa$/ || /^dsaparam$/) {
-		print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n";
-	} elsif (/^ec$/ || /^ecparam$/) {
-		print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";
-	} elsif (/^dh$/ || /^gendh$/ || /^dhparam$/) {
-		print "#ifndef OPENSSL_NO_DH\n${str}#endif\n";
-	} elsif (/^pkcs12$/) {
-		print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n";
-	} elsif (/^cms$/) {
-		print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n";
-	} elsif (/^ocsp$/) {
-		print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n";
-	} elsif (/^srp$/) {
-		print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n";
+my %cmd_disabler = (
+    ciphers  => "sock",
+    genrsa   => "rsa",
+    rsautl   => "rsa",
+    gendsa   => "dsa",
+    dsaparam => "dsa",
+    gendh    => "dh",
+    dhparam  => "dh",
+    ecparam  => "ec",
+    pkcs12   => "des",
+    );
+foreach my $cmd (@ARGV) {
+	my $str="    { FT_general, \"$cmd\", ${cmd}_main, ${cmd}_options },\n";
+	if ($cmd =~ /^s_/) {
+		print "#ifndef OPENSSL_NO_SOCK\n${str}#endif\n";
+	} elsif (grep { $cmd eq $_ } @disablables) {
+		print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n";
+	} elsif (my $disabler = $cmd_disabler{$cmd}) {
+		print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }
 
-foreach (
+my %md_disabler = (
+    sha1       => "sha",
+    sha224     => "sha",
+    sha256     => "sha",
+    sha384     => "sha",
+    sha512     => "sha",
+    blake2b512 => "blake2",
+    blake2s256 => "blake2",
+    );
+foreach my $cmd (
 	"md2", "md4", "md5",
-	"md_ghost94",
+	"gost",
 	"sha1", "sha224", "sha256", "sha384", "sha512",
-	"mdc2", "rmd160"
+	"mdc2", "rmd160", "blake2b512", "blake2s256"
 ) {
-        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
-        printf "    { FT_md, \"".$_."\", dgst_main},\n";
-        printf "#endif\n" if ! /sha/;
+        my $str = "    { FT_md, \"".$cmd."\", dgst_main},\n";
+        if (grep { $cmd eq $_ } @disablables) {
+                print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n";
+        } elsif (my $disabler = $md_disabler{$cmd}) {
+                print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n";
+        } else {
+                print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n";
+        }
 }
 
-foreach (
+my %cipher_disabler = (
+    des3  => "des",
+    desx  => "des",
+    cast5 => "cast",
+    );
+foreach my $cmd (
 	"aes-128-cbc", "aes-128-ecb",
 	"aes-192-cbc", "aes-192-ecb",
 	"aes-256-cbc", "aes-256-ecb",
@@ -112,33 +144,18 @@ foreach (
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
 	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
 ) {
-	my $str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
-	if (/des/) {
-		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
-	} elsif (/aes/) {
-		printf "#ifndef OPENSSL_NO_AES\n${str}#endif\n";
-	} elsif (/camellia/) {
-		printf "#ifndef OPENSSL_NO_CAMELLIA\n${str}#endif\n";
-	} elsif (/idea/) {
-		printf "#ifndef OPENSSL_NO_IDEA\n${str}#endif\n";
-	} elsif (/seed/) {
-		printf "#ifndef OPENSSL_NO_SEED\n${str}#endif\n";
-	} elsif (/rc4/) {
-		printf "#ifndef OPENSSL_NO_RC4\n${str}#endif\n";
-	} elsif (/rc2/) {
-		printf "#ifndef OPENSSL_NO_RC2\n${str}#endif\n";
-	} elsif (/bf/) {
-		printf "#ifndef OPENSSL_NO_BF\n${str}#endif\n";
-	} elsif (/cast/) {
-		printf "#ifndef OPENSSL_NO_CAST\n${str}#endif\n";
-	} elsif (/rc5/) {
-		printf "#ifndef OPENSSL_NO_RC5\n${str}#endif\n";
-	} elsif (/zlib/) {
-		printf "#ifdef ZLIB\n${str}#endif\n";
+	my $str="    { FT_cipher, \"$cmd\", enc_main, enc_options },\n";
+	(my $algo= $cmd) =~ s/-.*//g;
+        if ($cmd eq "zlib") {
+                print "#ifdef ZLIB\n${str}#endif\n";
+        } elsif (grep { $algo eq $_ } @disablables) {
+                print "#ifndef OPENSSL_NO_".uc($algo)."\n${str}#endif\n";
+        } elsif (my $disabler = $cipher_disabler{$algo}) {
+                print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }
 
 print "    { 0, NULL, NULL}\n};\n";
-printf "#endif\n";
+print "#endif\n";

apps/rehash.c

@@ -210,7 +210,7 @@ static int handle_symlink(const char *filename, const char *fullpath)
         if (!isxdigit(ch))
             return -1;
         hash <<= 4;
-        hash += app_hex(ch);
+        hash += OPENSSL_hexchar2int(ch);
     }
     if (filename[i++] != '.')
         return -1;

apps/req.c

@@ -143,12 +143,12 @@ OPTIONS req_options[] = {
     {"config", OPT_CONFIG, '<', "Request template file"},
     {"keyout", OPT_KEYOUT, '>', "File to send the key to"},
     {"passin", OPT_PASSIN, 's', "Private key password source"},
-    {"passout", OPT_PASSOUT, 's'},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
     {"rand", OPT_RAND, 's',
      "Load the file(s) into the random number generator"},
     {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"},
-    {"pkeyopt", OPT_PKEYOPT, 's'},
-    {"sigopt", OPT_SIGOPT, 's'},
+    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
+    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
     {"batch", OPT_BATCH, '-',
      "Do not ask anything during request generation"},
     {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"},
@@ -156,7 +156,7 @@ OPTIONS req_options[] = {
     {"verify", OPT_VERIFY, '-', "Verify signature on REQ"},
     {"nodes", OPT_NODES, '-', "Don't encrypt the output key"},
     {"noout", OPT_NOOUT, '-', "Do not output REQ"},
-    {"verbose", OPT_VERBOSE, '-'},
+    {"verbose", OPT_VERBOSE, '-', "Verbose output"},
     {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
     {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
     {"reqopt", OPT_REQOPT, 's', "Various request text options"},
@@ -177,7 +177,8 @@ OPTIONS req_options[] = {
     {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-    {"keygen_engine", OPT_KEYGEN_ENGINE, 's'},
+    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
+     "Specify engine to be used for key generation operations"},
 #endif
     {NULL}
 };
@@ -197,7 +198,9 @@ int req_main(int argc, char **argv)
     char *extensions = NULL, *infile = NULL;
     char *outfile = NULL, *keyfile = NULL, *inrand = NULL;
     char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
-    char *passin = NULL, *passout = NULL, *req_exts = NULL, *subj = NULL;
+    char *passin = NULL, *passout = NULL;
+    char *nofree_passin = NULL, *nofree_passout = NULL;
+    char *req_exts = NULL, *subj = NULL;
     char *template = default_config_file, *keyout = NULL;
     const char *keyalg = NULL;
     OPTION_CHOICE o;
@@ -366,11 +369,13 @@ int req_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!nmflag_set)
         nmflag = XN_FLAG_ONELINE;
 
+    /* TODO: simplify this as pkey is still always NULL here */ 
     private = newreq && (pkey == NULL) ? 1 : 0;
 
     if (!app_passwd(passargin, passargout, &passin, &passout)) {
@@ -434,15 +439,17 @@ int req_main(int argc, char **argv)
         }
     }
 
-    if (!passin) {
-        passin = NCONF_get_string(req_conf, SECTION, "input_password");
-        if (!passin)
+    if (passin == NULL) {
+        passin = nofree_passin =
+            NCONF_get_string(req_conf, SECTION, "input_password");
+        if (passin == NULL)
             ERR_clear_error();
     }
 
-    if (!passout) {
-        passout = NCONF_get_string(req_conf, SECTION, "output_password");
-        if (!passout)
+    if (passout == NULL) {
+        passout = nofree_passout =
+            NCONF_get_string(req_conf, SECTION, "output_password");
+        if (passout == NULL)
             ERR_clear_error();
     }
 
@@ -660,10 +667,9 @@ int req_main(int argc, char **argv)
             if (!X509_set_subject_name
                 (x509ss, X509_REQ_get_subject_name(req)))
                 goto end;
-            tmppkey = X509_REQ_get_pubkey(req);
+            tmppkey = X509_REQ_get0_pubkey(req);
             if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
                 goto end;
-            EVP_PKEY_free(tmppkey);
 
             /* Set up V3 context struct */
 
@@ -733,20 +739,15 @@ int req_main(int argc, char **argv)
     }
 
     if (verify && !x509) {
-        int tmp = 0;
+        EVP_PKEY *tpubkey = pkey;
 
-        if (pkey == NULL) {
-            pkey = X509_REQ_get_pubkey(req);
-            tmp = 1;
-            if (pkey == NULL)
+        if (tpubkey == NULL) {
+            tpubkey = X509_REQ_get0_pubkey(req);
+            if (tpubkey == NULL)
                 goto end;
         }
 
-        i = X509_REQ_verify(req, pkey);
-        if (tmp) {
-            EVP_PKEY_free(pkey);
-            pkey = NULL;
-        }
+        i = X509_REQ_verify(req, tpubkey);
 
         if (i < 0) {
             goto end;
@@ -810,9 +811,11 @@ int req_main(int argc, char **argv)
         }
         fprintf(stdout, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
-            BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n);
-        else
+        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
+            BIGNUM *n;
+            RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
+            BN_print(out, n);
+        } else
 #endif
             fprintf(stdout, "Wrong Algorithm type");
         EVP_PKEY_free(tpubkey);
@@ -860,9 +863,10 @@ int req_main(int argc, char **argv)
     X509_REQ_free(req);
     X509_free(x509ss);
     ASN1_INTEGER_free(serial);
-    OPENSSL_free(passin);
-    OPENSSL_free(passout);
-    OBJ_cleanup();
+    if (passin != nofree_passin)
+        OPENSSL_free(passin);
+    if (passout != nofree_passout)
+        OPENSSL_free(passout);
     return (ret);
 }
 
@@ -1118,7 +1122,7 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
                      STACK_OF(CONF_VALUE) *attr_sk, int attribs,
                      unsigned long chtype)
 {
-    int i;
+    int i, spec_char, plus_char;
     char *p, *q;
     char *type;
     CONF_VALUE *v;
@@ -1134,24 +1138,26 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
         /*
          * Skip past any leading X. X: X, etc to allow for multiple instances
          */
-        for (p = v->name; *p; p++)
+        for (p = v->name; *p; p++) {
 #ifndef CHARSET_EBCDIC
-            if ((*p == ':') || (*p == ',') || (*p == '.')) {
+            spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
 #else
-            if ((*p == os_toascii[':']) || (*p == os_toascii[','])
-                || (*p == os_toascii['.'])) {
+            spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
+                    || (*p == os_toascii['.']));
 #endif
+            if (spec_char) {
                 p++;
                 if (*p)
                     type = p;
                 break;
             }
+        }
 #ifndef CHARSET_EBCDIC
-        if (*p == '+')
+        plus_char = (*p == '+');
 #else
-        if (*p == os_toascii['+'])
+        plus_char = (*p == os_toascii['+']);
 #endif
-        {
+        if (plus_char) {
             p++;
             mval = -1;
         } else
@@ -1372,8 +1378,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
 
         EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth);
 #ifndef OPENSSL_NO_ENGINE
-        if (tmpeng)
-            ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
         if (*pkey_type == EVP_PKEY_RSA) {
             if (p) {
@@ -1430,8 +1435,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
         EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
         *palgnam = OPENSSL_strdup(anam);
 #ifndef OPENSSL_NO_ENGINE
-        if (tmpeng)
-            ENGINE_finish(tmpeng);
+        ENGINE_finish(tmpeng);
 #endif
     }
 
@@ -1515,13 +1519,9 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
 
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
     if (rv > 0)
         rv = X509_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
 
@@ -1531,13 +1531,9 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
     int rv;
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_REQ_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
     if (rv > 0)
         rv = X509_REQ_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }
 
@@ -1547,12 +1543,8 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
     int rv;
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
     rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_CRL_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
     if (rv > 0)
         rv = X509_CRL_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
     return rv > 0 ? 1 : 0;
 }

apps/rsa.c

@@ -167,7 +167,10 @@ int rsa_main(int argc, char **argv)
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     int i, private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
-    int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+    int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
+# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+    int pvk_encr = 2;
+#endif
     OPTION_CHOICE o;
 
     prog = opt_init(argc, argv, rsa_options);
@@ -217,7 +220,7 @@ int rsa_main(int argc, char **argv)
         case OPT_RSAPUBKEY_OUT:
             pubout = 2;
             break;
-#ifndef OPENSSL_NO_RC4
+# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
         case OPT_PVK_STRONG:
             pvk_encr = 2;
             break;
@@ -252,7 +255,9 @@ int rsa_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
+
     private = (text && !pubin) || (!pubout && !noout) ? 1 : 0;
 
     if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
@@ -305,8 +310,10 @@ int rsa_main(int argc, char **argv)
     }
 
     if (modulus) {
+        BIGNUM *n;
+        RSA_get0_key(rsa, &n, NULL, NULL);
         BIO_printf(out, "Modulus=");
-        BN_print(out, rsa->n);
+        BN_print(out, n);
         BIO_printf(out, "\n");
     }
 

apps/rsautl.c

@@ -98,10 +98,11 @@ OPTIONS rsautl_options[] = {
     {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
     {"sign", OPT_SIGN, '-', "Sign with private key"},
     {"verify", OPT_VERIFY, '-', "Verify with public key"},
-    {"asn1parse", OPT_ASN1PARSE, '-'},
+    {"asn1parse", OPT_ASN1PARSE, '-',
+     "Run output through asn1parse; useful with -verify"},
     {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
     {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
-    {"rev", OPT_REV, '-'},
+    {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
     {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
     {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
     {"passin", OPT_PASSIN, 's', "Pass phrase source"},
@@ -204,7 +205,8 @@ int rsautl_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (need_priv && (key_type != KEY_PRIVKEY)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
@@ -229,7 +231,7 @@ int rsautl_main(int argc, char **argv)
         break;
 
     case KEY_CERT:
-        x = load_cert(keyfile, keyformat, NULL, e, "Certificate");
+        x = load_cert(keyfile, keyformat, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);

apps/s_apps.h

@@ -107,10 +107,6 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-/* conflicts with winsock2 stuff on netware */
-#if !defined(OPENSSL_SYS_NETWARE)
-# include <sys/types.h>
-#endif
 #include <openssl/opensslconf.h>
 
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
@@ -149,11 +145,11 @@ typedef fd_mask fd_set;
 #define PORT            "4433"
 #define PROTOCOL        "tcp"
 
+typedef int (*do_server_cb)(int s, int stype, unsigned char *context);
 int do_server(int *accept_sock, const char *host, const char *port,
               int family, int type,
-              int (*cb) (const char *hostname, int s, int stype,
-                         unsigned char *context), unsigned char *context,
-              int naccept);
+              do_server_cb cb,
+              unsigned char *context, int naccept);
 #ifdef HEADER_X509_H
 int verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
@@ -195,8 +191,7 @@ int load_excert(SSL_EXCERT **pexc);
 void print_verify_detail(SSL *s, BIO *bio);
 void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
-int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_jpake);
+int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                      int crl_download);
 int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,

apps/s_cb.c

@@ -131,8 +131,10 @@ int verify_depth = 0;
 int verify_quiet = 0;
 int verify_error = X509_V_OK;
 int verify_return_error = 0;
+#ifndef OPENSSL_NO_SOCK
 static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
 static int cookie_initialized = 0;
+#endif
 
 static const char *lookup(int val, const STRINT_PAIR* list, const char* def)
 {
@@ -505,12 +507,12 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp,
 
     if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
         BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
-                   (void *)bio, argp, (unsigned long)argi, ret, ret);
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
         BIO_dump(out, argp, (int)ret);
         return (ret);
     } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
         BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
-                   (void *)bio, argp, (unsigned long)argi, ret, ret);
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
         BIO_dump(out, argp, (int)ret);
     }
     return (ret);
@@ -711,6 +713,7 @@ static STRINT_PAIR tlsext_types[] = {
     {"heartbeat", TLSEXT_TYPE_heartbeat},
     {"session ticket", TLSEXT_TYPE_session_ticket},
     {"renegotiation info", TLSEXT_TYPE_renegotiate},
+    {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
     {"TLS padding", TLSEXT_TYPE_padding},
 #ifdef TLSEXT_TYPE_next_proto_neg
     {"next protocol", TLSEXT_TYPE_next_proto_neg},
@@ -740,6 +743,7 @@ void tlsext_cb(SSL *s, int client_server, int type,
     (void)BIO_flush(bio);
 }
 
+#ifndef OPENSSL_NO_SOCK
 int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                              unsigned int *cookie_len)
 {
@@ -802,6 +806,7 @@ int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
 
     return 0;
 }
+#endif
 
 /*
  * Example of extended certificate handling. Where the standard support of
@@ -972,7 +977,7 @@ int load_excert(SSL_EXCERT **pexc)
             return 0;
         }
         exc->cert = load_cert(exc->certfile, exc->certform,
-                              NULL, NULL, "Server Certificate");
+                              "Server Certificate");
         if (!exc->cert)
             return 0;
         if (exc->keyfile) {
@@ -986,7 +991,7 @@ int load_excert(SSL_EXCERT **pexc)
             return 0;
         if (exc->chainfile) {
             if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
-                            NULL, "Server Chain"))
+                            "Server Chain"))
                 return 0;
         }
     }
@@ -1061,11 +1066,12 @@ int args_excert(int opt, SSL_EXCERT **pexc)
 static void print_raw_cipherlist(SSL *s)
 {
     const unsigned char *rlist;
-    static const unsigned char scsv_id[] = { 0, 0, 0xFF };
+    static const unsigned char scsv_id[] = { 0, 0xFF };
     size_t i, rlistlen, num;
     if (!SSL_is_server(s))
         return;
     num = SSL_get0_raw_cipherlist(s, NULL);
+    OPENSSL_assert(num == 2);
     rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
     BIO_puts(bio_err, "Client cipher list: ");
     for (i = 0; i < rlistlen; i += num, rlist += num) {
@@ -1074,7 +1080,7 @@ static void print_raw_cipherlist(SSL *s)
             BIO_puts(bio_err, ":");
         if (c)
             BIO_puts(bio_err, SSL_CIPHER_get_name(c));
-        else if (!memcmp(rlist, scsv_id - num + 3, num))
+        else if (!memcmp(rlist, scsv_id, num))
             BIO_puts(bio_err, "SCSV");
         else {
             size_t j;
@@ -1104,7 +1110,7 @@ static char *hexencode(const unsigned char *data, size_t len)
     }
     cp = out = app_malloc(ilen, "TLSA hex data buffer");
 
-    while (ilen-- > 0) {
+    while (len-- > 0) {
         *cp++ = hex[(*data >> 4) & 0x0f];
         *cp++ = hex[*data++ & 0x0f];
     }
@@ -1198,7 +1204,7 @@ void print_ssl_summary(SSL *s)
 }
 
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
-               SSL_CTX *ctx, int no_jpake)
+               SSL_CTX *ctx)
 {
     int i;
 
@@ -1206,12 +1212,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
     for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
         const char *flag = sk_OPENSSL_STRING_value(str, i);
         const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
-#ifndef OPENSSL_NO_JPAKE
-        if (!no_jpake && (strcmp(flag, "-cipher") == 0)) {
-            BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
-            return 0;
-        }
-#endif
         if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
             if (arg)
                 BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
@@ -1222,15 +1222,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
             return 0;
         }
     }
-#ifndef OPENSSL_NO_JPAKE
-    if (!no_jpake) {
-        if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
-            BIO_puts(bio_err, "Error setting cipher to PSK\n");
-            ERR_print_errors(bio_err);
-            return 0;
-        }
-    }
-#endif
     if (!SSL_CONF_CTX_finish(cctx)) {
         BIO_puts(bio_err, "Error finishing context\n");
         ERR_print_errors(bio_err);
@@ -1298,7 +1289,7 @@ int ssl_load_stores(SSL_CTX *ctx,
 typedef struct {
     BIO *out;
     int verbose;
-    int (*old_cb) (SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+    int (*old_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
                    void *other, void *ex);
 } security_debug_ex;
 
@@ -1327,7 +1318,7 @@ static STRINT_PAIR callback_types[] = {
     {NULL}
 };
 
-static int security_callback_debug(SSL *s, SSL_CTX *ctx,
+static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
                                    int op, int bits, int nid,
                                    void *other, void *ex)
 {
@@ -1380,7 +1371,7 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
     case SSL_SECOP_OTHER_DH:
         {
             DH *dh = other;
-            BIO_printf(sdb->out, "%d", BN_num_bits(dh->p));
+            BIO_printf(sdb->out, "%d", DH_bits(dh));
             break;
         }
 #endif

apps/s_client.c

@@ -141,6 +141,8 @@
 #include <errno.h>
 #include <openssl/e_os2.h>
 
+#ifndef OPENSSL_NO_SOCK
+
 /*
  * With IPv6, it looks like Digital has mixed up the proper order of
  * recursive header file inclusion, resulting in the compiler complaining
@@ -165,12 +167,16 @@ typedef unsigned int u_int;
 #ifndef OPENSSL_NO_SRP
 # include <openssl/srp.h>
 #endif
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
 #include "s_apps.h"
 #include "timeouts.h"
 
-#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
-/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
-# undef FIONBIO
+#if defined(__has_feature)
+# if __has_feature(memory_sanitizer)
+#  include <sanitizer/msan_interface.h>
+# endif
 #endif
 
 #undef BUFSIZZ
@@ -184,6 +190,8 @@ extern int verify_quiet;
 
 static char *prog;
 static int async = 0;
+static unsigned int split_send_fragment = 0;
+static unsigned int max_pipelines = 0;
 static int c_nbio = 0;
 static int c_tlsextdebug = 0;
 static int c_status_req = 0;
@@ -199,7 +207,9 @@ static int c_ign_eof = 0;
 static int c_brief = 0;
 
 static void print_stuff(BIO *berr, SSL *con, int full);
+#ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg);
+#endif
 
 static int saved_errno;
 
@@ -439,7 +449,7 @@ static char *srtp_profiles = NULL;
 /* This the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
     unsigned char *data;
-    unsigned short len;
+    size_t len;
     int status;
 } tlsextnextprotoctx;
 
@@ -648,13 +658,16 @@ typedef enum OPTION_choice {
     OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
     OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
     OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
-    OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE,
+    OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME,
     OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
-    OPT_ASYNC,
+    OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
     OPT_V_ENUM,
     OPT_X_ENUM,
     OPT_S_ENUM,
     OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
+#ifndef OPENSSL_NO_CT
+    OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
+#endif
     OPT_DANE_TLSA_RRDATA
 } OPTION_CHOICE;
 
@@ -692,7 +705,8 @@ OPTIONS s_client_options[] = {
     {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"},
     {"debug", OPT_DEBUG, '-', "Extra output"},
     {"msg", OPT_MSG, '-', "Show protocol messages"},
-    {"msgfile", OPT_MSGFILE, '>'},
+    {"msgfile", OPT_MSGFILE, '>',
+     "File to send output of -msg or -trace, instead of stdout"},
     {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
     {"state", OPT_STATE, '-', "Print the ssl states"},
     {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
@@ -715,33 +729,51 @@ OPTIONS s_client_options[] = {
      "Export len bytes of keying material (default 20)"},
     {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
     {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
-    {"CRL", OPT_CRL, '<'},
-    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
-    {"CRLform", OPT_CRLFORM, 'F'},
-    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'},
-    {"verify_quiet", OPT_VERIFY_QUIET, '-'},
-    {"brief", OPT_BRIEF, '-'},
-    {"prexit", OPT_PREXIT, '-'},
-    {"security_debug", OPT_SECURITY_DEBUG, '-'},
-    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
-    {"cert_chain", OPT_CERT_CHAIN, '<'},
-    {"chainCApath", OPT_CHAINCAPATH, '/'},
-    {"verifyCApath", OPT_VERIFYCAPATH, '/'},
-    {"build_chain", OPT_BUILD_CHAIN, '-'},
-    {"chainCAfile", OPT_CHAINCAFILE, '<'},
-    {"verifyCAfile", OPT_VERIFYCAFILE, '<'},
+    {"CRL", OPT_CRL, '<', "CRL file to use"},
+    {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
+    {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
+    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
+     "Close connection on verification error"},
+    {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
+    {"brief", OPT_BRIEF, '-',
+     "Restrict output to brief summary of connection parameters"},
+    {"prexit", OPT_PREXIT, '-',
+     "Print session information when the program exits"},
+    {"security_debug", OPT_SECURITY_DEBUG, '-',
+     "Enable security debug messages"},
+    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
+     "Output more security debug output"},
+    {"cert_chain", OPT_CERT_CHAIN, '<',
+     "Certificate chain file (in PEM format)"},
+    {"chainCApath", OPT_CHAINCAPATH, '/',
+     "Use dir as certificate store path to build CA certificate chain"},
+    {"verifyCApath", OPT_VERIFYCAPATH, '/',
+     "Use dir as certificate store path to verify CA certificate"},
+    {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
+    {"chainCAfile", OPT_CHAINCAFILE, '<',
+     "CA file for certificate chain (PEM format)"},
+    {"verifyCAfile", OPT_VERIFYCAFILE, '<',
+     "CA file for certificate verification (PEM format)"},
     {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
     {"servername", OPT_SERVERNAME, 's',
      "Set TLS extension servername in ClientHello"},
     {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
      "Hex dump of all TLS extensions received"},
+#ifndef OPENSSL_NO_OCSP
     {"status", OPT_STATUS, '-', "Request certificate status from server"},
+#endif
     {"serverinfo", OPT_SERVERINFO, 's',
      "types  Send empty ClientHello extensions (comma-separated numbers)"},
     {"alpn", OPT_ALPN, 's',
      "Enable ALPN extension, considering named protocols supported (comma-separated list)"},
     {"async", OPT_ASYNC, '-', "Support asynchronous operation"},
-    {"ssl_config", OPT_SSL_CONFIG, 's'},
+    {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
+    {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+     "Size used to split data for encrypt pipelines"},
+    {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+     "Maximum number of encrypt/decrypt pipelines to be used"},
+    {"read_buf", OPT_READ_BUF, 'n',
+     "Default read buffer size to be used for connections"},
     OPT_S_OPTIONS,
     OPT_V_OPTIONS,
     OPT_X_OPTIONS,
@@ -758,31 +790,27 @@ OPTIONS s_client_options[] = {
     {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
 #endif
 #ifndef OPENSSL_NO_DTLS
-    {"dtls", OPT_DTLS, '-'},
-    {"timeout", OPT_TIMEOUT, '-'},
+    {"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
+    {"timeout", OPT_TIMEOUT, '-',
+     "Enable send/receive timeout on DTLS connections"},
     {"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
 #endif
 #ifndef OPENSSL_NO_DTLS1
     {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
 #endif
 #ifndef OPENSSL_NO_DTLS1_2
-    {"dtls1_2", OPT_DTLS1_2, '-'},
+    {"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"},
 #endif
 #ifndef OPENSSL_NO_SSL_TRACE
-    {"trace", OPT_TRACE, '-'},
+    {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
 #endif
 #ifdef WATT32
     {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
 #endif
-#ifdef FIONBIO
     {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#endif
 #ifndef OPENSSL_NO_PSK
     {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
     {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-# ifndef OPENSSL_NO_JPAKE
-    {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
-# endif
 #endif
 #ifndef OPENSSL_NO_SRP
     {"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"},
@@ -799,7 +827,13 @@ OPTIONS s_client_options[] = {
 #endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-    {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'},
+    {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
+     "Specify engine to be used for client certificate operations"},
+#endif
+#ifndef OPENSSL_NO_CT
+    {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
+    {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
+    {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
 #endif
     {NULL}
 };
@@ -853,30 +887,34 @@ int s_client_main(int argc, char **argv)
     char *inrand = NULL;
     char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
     char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p;
-    char *jpake_secret = NULL, *xmpphost = NULL;
+    char *xmpphost = NULL;
     const char *ehlo = "mail.example.com";
-    struct sockaddr peer;
     struct timeval timeout, *timeoutp;
     fd_set readfds, writefds;
     int noCApath = 0, noCAfile = 0;
     int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
     int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
     int prexit = 0;
-    int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer;
+    int sdebug = 0;
     int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
     int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
     int sbuf_len, sbuf_off, cmdletters = 1;
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM;
     int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
     int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
+    int read_buf_len = 0;
     int fallback_scsv = 0;
-    long socket_mtu = 0, randamt = 0;
+    long randamt = 0;
     OPTION_CHOICE o;
+#ifndef OPENSSL_NO_DTLS
+    int enable_timeouts = 0;
+    long socket_mtu = 0;
+#endif
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *ssl_client_engine = NULL;
 #endif
     ENGINE *e = NULL;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
     struct timeval tv;
 #endif
     char *servername = NULL;
@@ -893,6 +931,21 @@ int s_client_main(int argc, char **argv)
     char *srppass = NULL;
     int srp_lateuser = 0;
     SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
+#endif
+#ifndef OPENSSL_NO_CT
+    char *ctlog_file = NULL;
+    int ct_validation = 0;
+#endif
+    int min_version = 0, max_version = 0;
+
+    FD_ZERO(&readfds);
+    FD_ZERO(&writefds);
+/* Known false-positive of MemorySanitizer. */
+#if defined(__has_feature)
+# if __has_feature(memory_sanitizer)
+    __msan_unpoison(&readfds, sizeof(readfds));
+    __msan_unpoison(&writefds, sizeof(writefds));
+# endif
 #endif
 
     prog = opt_progname(argv[0]);
@@ -1155,25 +1208,30 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SRP
         case OPT_SRPUSER:
             srp_arg.srplogin = opt_arg();
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRPPASS:
             srppass = opt_arg();
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_STRENGTH:
             srp_arg.strength = atoi(opt_arg());
             BIO_printf(bio_err, "SRP minimal length for N is %d\n",
                        srp_arg.strength);
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_LATEUSER:
             srp_lateuser = 1;
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_MOREGROUPS:
             srp_arg.amp = 1;
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
 #else
         case OPT_SRPUSER:
@@ -1187,24 +1245,20 @@ int s_client_main(int argc, char **argv)
             ssl_config = opt_arg();
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_client_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_client_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_client_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_DTLS:
 #ifndef OPENSSL_NO_DTLS
@@ -1214,13 +1268,17 @@ int s_client_main(int argc, char **argv)
             break;
         case OPT_DTLS1:
 #ifndef OPENSSL_NO_DTLS1
-            meth = DTLSv1_client_method();
+            meth = DTLS_client_method();
+            min_version = DTLS1_VERSION;
+            max_version = DTLS1_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_DTLS1_2:
 #ifndef OPENSSL_NO_DTLS1_2
-            meth = DTLSv1_2_client_method();
+            meth = DTLS_client_method();
+            min_version = DTLS1_2_VERSION;
+            max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
@@ -1274,6 +1332,17 @@ int s_client_main(int argc, char **argv)
         case OPT_NOCAFILE:
             noCAfile = 1;
             break;
+#ifndef OPENSSL_NO_CT
+        case OPT_NOCT:
+            ct_validation = 0;
+            break;
+        case OPT_CT:
+            ct_validation = 1;
+            break;
+        case OPT_CTLOG_FILE:
+            ctlog_file = opt_arg();
+            break;
+#endif
         case OPT_CHAINCAFILE:
             chCAfile = opt_arg();
             break;
@@ -1293,7 +1362,9 @@ int s_client_main(int argc, char **argv)
             }
             break;
         case OPT_NEXTPROTONEG:
+#ifndef OPENSSL_NO_NEXTPROTONEG
             next_proto_neg_in = opt_arg();
+#endif
             break;
         case OPT_ALPN:
             alpn_in = opt_arg();
@@ -1316,11 +1387,6 @@ int s_client_main(int argc, char **argv)
         case OPT_SERVERNAME:
             servername = opt_arg();
             break;
-        case OPT_JPAKE:
-#ifndef OPENSSL_NO_JPAKE
-            jpake_secret = opt_arg();
-#endif
-            break;
         case OPT_USE_SRTP:
             srtp_profiles = opt_arg();
             break;
@@ -1333,10 +1399,27 @@ int s_client_main(int argc, char **argv)
         case OPT_ASYNC:
             async = 1;
             break;
+        case OPT_SPLIT_SEND_FRAG:
+            split_send_fragment = atoi(opt_arg());
+            if (split_send_fragment == 0) {
+                /*
+                 * Not allowed - set to a deliberately bad value so we get an
+                 * error message below
+                 */
+                split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
+            }
+            break;
+        case OPT_MAX_PIPELINES:
+            max_pipelines = atoi(opt_arg());
+            break;
+        case OPT_READ_BUF:
+            read_buf_len = atoi(opt_arg());
+            break;
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (proxystr) {
         int res;
@@ -1378,15 +1461,16 @@ int s_client_main(int argc, char **argv)
                    "Can't use unix sockets and datagrams together\n");
         goto end;
     }
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-    if (jpake_secret) {
-        if (psk_key) {
-            BIO_printf(bio_err, "Can't use JPAKE and PSK together\n");
-            goto end;
-        }
-        psk_identity = "JPAKE";
+
+    if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+        BIO_printf(bio_err, "Bad split send fragment size\n");
+        goto end;
+    }
+
+    if (max_pipelines > SSL_MAX_PIPELINES) {
+        BIO_printf(bio_err, "Bad max pipelines value\n");
+        goto end;
     }
-#endif
 
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
     next_proto.status = -1;
@@ -1419,8 +1503,7 @@ int s_client_main(int argc, char **argv)
     }
 
     if (cert_file) {
-        cert = load_cert(cert_file, cert_format,
-                         NULL, e, "client certificate file");
+        cert = load_cert(cert_file, cert_format, "client certificate file");
         if (cert == NULL) {
             ERR_print_errors(bio_err);
             goto end;
@@ -1428,7 +1511,7 @@ int s_client_main(int argc, char **argv)
     }
 
     if (chain_file) {
-        if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL, e,
+        if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL,
                         "client certificate chain"))
             goto end;
     }
@@ -1496,6 +1579,11 @@ int s_client_main(int argc, char **argv)
         }
     }
 
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
+
     if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
         BIO_printf(bio_err, "Error setting verify params\n");
         ERR_print_errors(bio_err);
@@ -1505,8 +1593,18 @@ int s_client_main(int argc, char **argv)
     if (async) {
         SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
     }
+    if (split_send_fragment > 0) {
+        SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+    }
+    if (max_pipelines > 0) {
+        SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+    }
 
-    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
+    if (read_buf_len > 0) {
+        SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
+    }
+
+    if (!config_ctx(cctx, ssl_args, ctx))
         goto end;
 
     if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
@@ -1528,10 +1626,10 @@ int s_client_main(int argc, char **argv)
 #endif
 
 #ifndef OPENSSL_NO_PSK
-    if (psk_key != NULL || jpake_secret) {
+    if (psk_key != NULL) {
         if (c_debug)
             BIO_printf(bio_c_out,
-                       "PSK key given or JPAKE in use, setting client callback\n");
+                       "PSK key given, setting client callback\n");
         SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
     }
 #endif
@@ -1554,7 +1652,7 @@ int s_client_main(int argc, char **argv)
         SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
 #endif
     if (alpn_in) {
-        unsigned short alpn_len;
+        size_t alpn_len;
         unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
 
         if (alpn == NULL) {
@@ -1583,6 +1681,30 @@ int s_client_main(int argc, char **argv)
     if (state)
         SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
 
+#ifndef OPENSSL_NO_CT
+    /* Enable SCT processing, without early connection termination */
+    if (ct_validation &&
+        !SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
+        if (ct_validation) {
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+
+        /*
+         * If CT validation is not enabled, the log list isn't needed so don't
+         * show errors or abort. We try to load it regardless because then we
+         * can show the names of the logs any SCTs came from (SCTs may be seen
+         * even with validation disabled).
+         */
+        ERR_clear_error();
+    }
+#endif
+
     SSL_CTX_set_verify(ctx, verify, verify_callback);
 
     if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
@@ -1688,28 +1810,28 @@ int s_client_main(int argc, char **argv)
     if (init_client(&s, host, port, socket_family, socket_type) == 0)
     {
         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
-        SHUTDOWN(s);
+        BIO_closesocket(s);
         goto end;
     }
     BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
 
-#ifdef FIONBIO
     if (c_nbio) {
-        unsigned long l = 1;
-        BIO_printf(bio_c_out, "turning on non blocking io\n");
-        if (BIO_socket_ioctl(s, FIONBIO, &l) < 0) {
+        if (!BIO_socket_nbio(s, 1)) {
             ERR_print_errors(bio_err);
             goto end;
         }
+        BIO_printf(bio_c_out, "Turned on non blocking io\n");
     }
-#endif
+#ifndef OPENSSL_NO_DTLS
     if (socket_type == SOCK_DGRAM) {
+        struct sockaddr peer;
+        int peerlen = sizeof peer;
 
         sbio = BIO_new_dgram(s, BIO_NOCLOSE);
         if (getsockname(s, &peer, (void *)&peerlen) < 0) {
             BIO_printf(bio_err, "getsockname:errno=%d\n",
                        get_last_socket_error());
-            SHUTDOWN(s);
+            BIO_closesocket(s);
             goto end;
         }
 
@@ -1742,6 +1864,7 @@ int s_client_main(int argc, char **argv)
             /* want to do MTU discovery */
             BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
     } else
+#endif /* OPENSSL_NO_DTLS */
         sbio = BIO_new_socket(s, BIO_NOCLOSE);
 
     if (nbio_test) {
@@ -1769,14 +1892,12 @@ int s_client_main(int argc, char **argv)
         SSL_set_tlsext_debug_callback(con, tlsext_cb);
         SSL_set_tlsext_debug_arg(con, bio_c_out);
     }
+#ifndef OPENSSL_NO_OCSP
     if (c_status_req) {
         SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
         SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
         SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
     }
-#ifndef OPENSSL_NO_JPAKE
-    if (jpake_secret)
-        jpake_client_auth(bio_c_out, sbio, jpake_secret);
 #endif
 
     SSL_set_bio(con, sbio, sbio);
@@ -1959,7 +2080,7 @@ int s_client_main(int argc, char **argv)
             BIO *fbio = BIO_new(BIO_f_buffer());
 
             BIO_push(fbio, sbio);
-            BIO_printf(fbio, "CONNECT %s\r\n\r\n", connectstr);
+            BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr);
             (void)BIO_flush(fbio);
             /* wait for multi-line response to end CONNECT response */
             do {
@@ -2095,16 +2216,16 @@ int s_client_main(int argc, char **argv)
                                "drop connection and then reconnect\n");
                     do_ssl_shutdown(con);
                     SSL_set_connect_state(con);
-                    SHUTDOWN(SSL_get_fd(con));
+                    BIO_closesocket(SSL_get_fd(con));
                     goto re_start;
                 }
             }
         }
 
-        ssl_pending = read_ssl && SSL_pending(con);
+        ssl_pending = read_ssl && SSL_has_pending(con);
 
         if (!ssl_pending) {
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
             if (tty_on) {
                 if (read_tty)
                     openssl_fdset(fileno(stdin), &readfds);
@@ -2162,17 +2283,6 @@ int s_client_main(int argc, char **argv)
                     i = select(width, (void *)&readfds, (void *)&writefds,
                                NULL, timeoutp);
             }
-#elif defined(OPENSSL_SYS_NETWARE)
-            if (!write_tty) {
-                if (read_tty) {
-                    tv.tv_sec = 1;
-                    tv.tv_usec = 0;
-                    i = select(width, (void *)&readfds, (void *)&writefds,
-                               NULL, &tv);
-                } else
-                    i = select(width, (void *)&readfds, (void *)&writefds,
-                               NULL, timeoutp);
-            }
 #else
             i = select(width, (void *)&readfds, (void *)&writefds,
                        NULL, timeoutp);
@@ -2254,7 +2364,7 @@ int s_client_main(int argc, char **argv)
                 goto shut;
             }
         }
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
         /* Assume Windows/DOS/BeOS can always write */
         else if (!ssl_pending && write_tty)
 #else
@@ -2349,8 +2459,6 @@ int s_client_main(int argc, char **argv)
                  || (WAIT_OBJECT_0 ==
                      WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 # endif
-#elif defined (OPENSSL_SYS_NETWARE)
-        else if (_kbhit())
 #else
         else if (FD_ISSET(fileno(stdin), &readfds))
 #endif
@@ -2412,7 +2520,7 @@ int s_client_main(int argc, char **argv)
     if (in_init)
         print_stuff(bio_c_out, con, full_log);
     do_ssl_shutdown(con);
-    SHUTDOWN(SSL_get_fd(con));
+    BIO_closesocket(SSL_get_fd(con));
  end:
     if (con != NULL) {
         if (prexit != 0)
@@ -2461,6 +2569,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     const COMP_METHOD *comp, *expansion;
 #endif
     unsigned char *exportedkeymat;
+#ifndef OPENSSL_NO_CT
+    const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
+#endif
 
     if (full) {
         int got_a_chain = 0;
@@ -2513,6 +2624,39 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         ssl_print_sigalgs(bio, s);
         ssl_print_tmp_key(bio, s);
 
+#ifndef OPENSSL_NO_CT
+        /*
+         * When the SSL session is anonymous, or resumed via an abbreviated
+         * handshake, no SCTs are provided as part of the handshake.  While in
+         * a resumed session SCTs may be present in the session's certificate,
+         * no callbacks are invoked to revalidate these, and in any case that
+         * set of SCTs may be incomplete.  Thus it makes little sense to
+         * attempt to display SCTs from a resumed session's certificate, and of
+         * course none are associated with an anonymous peer.
+         */
+        if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
+            const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);
+            int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
+
+            BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
+            if (sct_count > 0) {
+                const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
+
+                BIO_printf(bio, "---\n");
+                for (i = 0; i < sct_count; ++i) {
+                    SCT *sct = sk_SCT_value(scts, i);
+
+                    BIO_printf(bio, "SCT validation status: %s\n",
+                               SCT_validation_status_string(sct));
+                    SCT_print(sct, bio, 0, log_store);
+                    if (i < sct_count - 1)
+                        BIO_printf(bio, "\n---\n");
+                }
+                BIO_printf(bio, "\n");
+            }
+        }
+#endif
+
         BIO_printf(bio,
                    "---\nSSL handshake has read %"PRIu64" bytes and written %"PRIu64" bytes\n",
                    BIO_number_read(SSL_get_rbio(s)),
@@ -2611,6 +2755,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     (void)BIO_flush(bio);
 }
 
+# ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
     const unsigned char *p;
@@ -2634,3 +2779,6 @@ static int ocsp_resp_cb(SSL *s, void *arg)
     OCSP_RESPONSE_free(rsp);
     return 1;
 }
+# endif
+
+#endif

apps/s_server.c

@@ -147,10 +147,7 @@
 
 #include <openssl/e_os2.h>
 
-/* conflicts with winsock2 stuff on netware */
-#if !defined(OPENSSL_SYS_NETWARE)
-# include <sys/types.h>
-#endif
+#ifndef OPENSSL_NO_SOCK
 
 /*
  * With IPv6, it looks like Digital has mixed up the proper order of
@@ -185,18 +182,10 @@ typedef unsigned int u_int;
 #include "s_apps.h"
 #include "timeouts.h"
 
-#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
-/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
-# undef FIONBIO
-#endif
-
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
-static int sv_body(const char *hostname, int s, int stype,
-                   unsigned char *context);
-static int www_body(const char *hostname, int s, int stype,
-                    unsigned char *context);
-static int rev_body(const char *hostname, int s, int stype,
-                    unsigned char *context);
+static int sv_body(int s, int stype, unsigned char *context);
+static int www_body(int s, int stype, unsigned char *context);
+static int rev_body(int s, int stype, unsigned char *context);
 static void close_accept_socket(void);
 static int init_ssl_connection(SSL *s);
 static void print_stats(BIO *bp, SSL_CTX *ctx);
@@ -229,9 +218,7 @@ static const char *s_cert_file = TEST_CERT, *s_key_file =
 
 static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
 static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
-#ifdef FIONBIO
 static int s_nbio = 0;
-#endif
 static int s_nbio_test = 0;
 static int s_crlf = 0;
 static SSL_CTX *ctx = NULL;
@@ -243,7 +230,6 @@ static BIO *bio_s_msg = NULL;
 static int s_debug = 0;
 static int s_tlsextdebug = 0;
 static int s_tlsextstatus = 0;
-static int cert_status_cb(SSL *s, void *arg);
 static int no_resume_ephemeral = 0;
 static int s_msg = 0;
 static int s_quiet = 0;
@@ -254,6 +240,8 @@ static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 
 static int async = 0;
+static unsigned int split_send_fragment = 0;
+static unsigned int max_pipelines = 0;
 
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id = NULL;
@@ -355,6 +343,8 @@ typedef struct srpsrvparm_st {
 static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 {
     srpsrvparm *p = (srpsrvparm *) arg;
+    int ret = SSL3_AL_FATAL;
+
     if (p->login == NULL && p->user == NULL) {
         p->login = SSL_get_srp_username(s);
         BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
@@ -363,21 +353,25 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 
     if (p->user == NULL) {
         BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
-        return SSL3_AL_FATAL;
+        goto err;
     }
+
     if (SSL_set_srp_server_param
         (s, p->user->N, p->user->g, p->user->s, p->user->v,
          p->user->info) < 0) {
         *ad = SSL_AD_INTERNAL_ERROR;
-        return SSL3_AL_FATAL;
+        goto err;
     }
     BIO_printf(bio_err,
                "SRP parameters set: username = \"%s\" info=\"%s\" \n",
                p->login, p->user->info);
-    /* need to check whether there are memory leaks */
+    ret = SSL_ERROR_NONE;
+
+err:
+    SRP_user_pwd_free(p->user);
     p->user = NULL;
     p->login = NULL;
-    return SSL_ERROR_NONE;
+    return ret;
 }
 
 #endif
@@ -406,6 +400,8 @@ static void s_server_init(void)
     s_quiet = 0;
     s_brief = 0;
     async = 0;
+    split_send_fragment = 0;
+    max_pipelines = 0;
 #ifndef OPENSSL_NO_ENGINE
     engine_id = NULL;
 #endif
@@ -424,7 +420,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size);
 static int ebcdic_puts(BIO *bp, const char *str);
 
 # define BIO_TYPE_EBCDIC_FILTER  (18|0x0200)
-static BIO_METHOD methods_ebcdic = {
+static const BIO_METHOD methods_ebcdic = {
     BIO_TYPE_EBCDIC_FILTER,
     "EBCDIC/ASCII filter",
     ebcdic_write,
@@ -442,7 +438,7 @@ typedef struct {
     char buff[1];
 } EBCDIC_OUTBUFF;
 
-BIO_METHOD *BIO_f_ebcdic_filter()
+const BIO_METHOD *BIO_f_ebcdic_filter()
 {
     return (&methods_ebcdic);
 }
@@ -607,6 +603,7 @@ typedef struct tlsextstatusctx_st {
 
 static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 };
 
+#ifndef OPENSSL_NO_OCSP
 /*
  * Certificate Status callback. This is called when a client includes a
  * certificate status request extension. This is a simplified version. It
@@ -625,8 +622,8 @@ static int cert_status_cb(SSL *s, void *arg)
     int rspderlen;
     STACK_OF(OPENSSL_STRING) *aia = NULL;
     X509 *x = NULL;
-    X509_STORE_CTX inctx;
-    X509_OBJECT obj;
+    X509_STORE_CTX *inctx = NULL;
+    X509_OBJECT *obj;
     OCSP_REQUEST *req = NULL;
     OCSP_RESPONSE *resp = NULL;
     OCSP_CERTID *id = NULL;
@@ -660,22 +657,24 @@ static int cert_status_cb(SSL *s, void *arg)
         use_ssl = srctx->use_ssl;
     }
 
-    if (!X509_STORE_CTX_init(&inctx,
+    inctx = X509_STORE_CTX_new();
+    if (inctx == NULL)
+        goto err;
+    if (!X509_STORE_CTX_init(inctx,
                              SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
                              NULL, NULL))
         goto err;
-    if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
-                                  X509_get_issuer_name(x), &obj) <= 0) {
+    obj = X509_STORE_get_X509_by_subject(inctx, X509_LU_X509,
+                                         X509_get_issuer_name(x));
+    if (obj == NULL) {
         BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
-        X509_STORE_CTX_cleanup(&inctx);
         goto done;
     }
     req = OCSP_REQUEST_new();
     if (req == NULL)
         goto err;
-    id = OCSP_cert_to_id(NULL, x, obj.data.x509);
-    X509_free(obj.data.x509);
-    X509_STORE_CTX_cleanup(&inctx);
+    id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
+    X509_OBJECT_free(obj);
     if (!id)
         goto err;
     if (!OCSP_request_add0_id(req, id))
@@ -703,6 +702,10 @@ static int cert_status_cb(SSL *s, void *arg)
         OCSP_RESPONSE_print(bio_err, resp, 2);
     }
     ret = SSL_TLSEXT_ERR_OK;
+    goto done;
+
+ err:
+    ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  done:
     if (ret != SSL_TLSEXT_ERR_OK)
         ERR_print_errors(bio_err);
@@ -715,11 +718,10 @@ static int cert_status_cb(SSL *s, void *arg)
     OCSP_CERTID_free(id);
     OCSP_REQUEST_free(req);
     OCSP_RESPONSE_free(resp);
+    X509_STORE_CTX_free(inctx);
     return ret;
- err:
-    ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-    goto done;
 }
+#endif
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* This is the context that we pass to next_proto_cb */
@@ -743,7 +745,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data,
 /* This the context that we pass to alpn_cb */
 typedef struct tlsextalpnctx_st {
     unsigned char *data;
-    unsigned short len;
+    size_t len;
 } tlsextalpnctx;
 
 static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
@@ -753,7 +755,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
 
     if (!s_quiet) {
         /* We can assume that |in| is syntactically valid. */
-        unsigned i;
+        unsigned int i;
         BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
         for (i = 0; i < inlen;) {
             if (i)
@@ -785,7 +787,6 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
     return is_forward_secure;
 }
 
-static char *jpake_secret = NULL;
 #ifndef OPENSSL_NO_SRP
 static srpsrvparm srp_callback_parm;
 #endif
@@ -810,11 +811,11 @@ typedef enum OPTION_choice {
     OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
     OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
     OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
-    OPT_SSL_CONFIG, OPT_SSL3,
-    OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
+    OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
+    OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
     OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN,
     OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
-    OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE,
+    OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
     OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
     OPT_S_ENUM,
     OPT_V_ENUM,
@@ -923,12 +924,14 @@ OPTIONS s_server_options[] = {
      "CA file for certificate verification (PEM format)"},
     {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
     {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+#ifndef OPENSSL_NO_OCSP
     {"status", OPT_STATUS, '-', "Request certificate status from server"},
     {"status_verbose", OPT_STATUS_VERBOSE, '-',
      "Print more output in certificate status callback"},
     {"status_timeout", OPT_STATUS_TIMEOUT, 'n',
      "Status request responder timeout"},
     {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
+#endif
 #ifndef OPENSSL_NO_SSL_TRACE
     {"trace", OPT_TRACE, '-', "trace protocol messages"},
 #endif
@@ -943,18 +946,19 @@ OPTIONS s_server_options[] = {
     {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
     {"ssl_config", OPT_SSL_CONFIG, 's', \
      "Configure SSL_CTX using the configuration 'val'"},
+    {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+     "Size used to split data for encrypt pipelines"},
+    {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+     "Maximum number of encrypt/decrypt pipelines to be used"},
+    {"read_buf", OPT_READ_BUF, 'n',
+     "Default read buffer size to be used for connections"},
     OPT_S_OPTIONS,
     OPT_V_OPTIONS,
     OPT_X_OPTIONS,
-#ifdef FIONBIO
     {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#endif
 #ifndef OPENSSL_NO_PSK
     {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
     {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-# ifndef OPENSSL_NO_JPAKE
-    {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
-# endif
 #endif
 #ifndef OPENSSL_NO_SRP
     {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
@@ -997,9 +1001,9 @@ OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_SRTP
     {"use_srtp", OPT_SRTP_PROFILES, 's',
      "Offer SRTP key management with a colon-separated profile list"},
+#endif
     {"alpn", OPT_ALPN, 's',
      "Set the advertised protocols for the ALPN extension (comma-separated list)"},
-#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -1031,8 +1035,7 @@ int s_server_main(int argc, char *argv[])
 #ifdef AF_UNIX
     int unlink_unix_path = 0;
 #endif
-    int (*server_cb) (const char *hostname, int s, int stype,
-                      unsigned char *context);
+    do_server_cb server_cb;
     int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
 #ifndef OPENSSL_NO_DH
     int no_dhe = 0;
@@ -1052,6 +1055,7 @@ int s_server_main(int argc, char *argv[])
     X509 *s_cert2 = NULL;
     tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
     const char *ssl_config = NULL;
+    int read_buf_len = 0;
 #ifndef OPENSSL_NO_NEXTPROTONEG
     const char *next_proto_neg_in = NULL;
     tlsextnextprotoctx next_proto = { NULL, 0 };
@@ -1066,6 +1070,7 @@ int s_server_main(int argc, char *argv[])
     char *srpuserseed = NULL;
     char *srp_verifier_file = NULL;
 #endif
+    int min_version = 0, max_version = 0;
 
     local_argc = argc;
     local_argv = argv;
@@ -1325,6 +1330,7 @@ int s_server_main(int argc, char *argv[])
             tlscstatp.timeout = atoi(opt_arg());
             break;
         case OPT_STATUS_URL:
+#ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
             if (!OCSP_parse_url(opt_arg(),
                                 &tlscstatp.host,
@@ -1333,6 +1339,7 @@ int s_server_main(int argc, char *argv[])
                 BIO_printf(bio_err, "Error parsing URL\n");
                 goto end;
             }
+#endif
             break;
         case OPT_MSG:
             s_msg = 1;
@@ -1343,9 +1350,8 @@ int s_server_main(int argc, char *argv[])
         case OPT_TRACE:
 #ifndef OPENSSL_NO_SSL_TRACE
             s_msg = 2;
-#else
-            break;
 #endif
+            break;
         case OPT_SECURITY_DEBUG:
             sdebug = 1;
             break;
@@ -1390,13 +1396,15 @@ int s_server_main(int argc, char *argv[])
         case OPT_SRPVFILE:
 #ifndef OPENSSL_NO_SRP
             srp_verifier_file = opt_arg();
-            meth = TLSv1_server_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
 #endif
             break;
         case OPT_SRPUSERSEED:
 #ifndef OPENSSL_NO_SRP
             srpuserseed = opt_arg();
-            meth = TLSv1_server_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
 #endif
             break;
         case OPT_REV:
@@ -1415,24 +1423,20 @@ int s_server_main(int argc, char *argv[])
             ssl_config = opt_arg();
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_server_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_server_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_server_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_server_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_DTLS:
 #ifndef OPENSSL_NO_DTLS
@@ -1441,14 +1445,18 @@ int s_server_main(int argc, char *argv[])
 #endif
             break;
         case OPT_DTLS1:
-#ifndef OPENSSL_NO_DTLS1
-            meth = DTLSv1_server_method();
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_VERSION;
+            max_version = DTLS1_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_DTLS1_2:
-#ifndef OPENSSL_NO_DTLS1_2
-            meth = DTLSv1_2_server_method();
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_2_VERSION;
+            max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
@@ -1501,16 +1509,10 @@ int s_server_main(int argc, char *argv[])
         case OPT_ALPN:
             alpn_in = opt_arg();
             break;
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-        case OPT_JPAKE:
-            jpake_secret = opt_arg();
-            break;
-#else
-        case OPT_JPAKE:
-            goto opthelp;
-#endif
         case OPT_SRTP_PROFILES:
+#ifndef OPENSSL_NO_SRTP
             srtp_profiles = opt_arg();
+#endif
             break;
         case OPT_KEYMATEXPORT:
             keymatexportlabel = opt_arg();
@@ -1521,6 +1523,23 @@ int s_server_main(int argc, char *argv[])
         case OPT_ASYNC:
             async = 1;
             break;
+        case OPT_SPLIT_SEND_FRAG:
+            split_send_fragment = atoi(opt_arg());
+            if (split_send_fragment == 0) {
+                /*
+                 * Not allowed - set to a deliberately bad value so we get an
+                 * error message below
+                 */
+                split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
+            }
+            break;
+        case OPT_MAX_PIPELINES:
+            max_pipelines = atoi(opt_arg());
+            break;
+        case OPT_READ_BUF:
+            read_buf_len = atoi(opt_arg());
+            break;
+
         }
     }
     argc = opt_num_rest();
@@ -1545,15 +1564,16 @@ int s_server_main(int argc, char *argv[])
         goto end;
     }
 #endif
-#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
-    if (jpake_secret) {
-        if (psk_key) {
-            BIO_printf(bio_err, "Can't use JPAKE and PSK together\n");
-            goto end;
-        }
-        psk_identity = "JPAKE";
+
+    if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+        BIO_printf(bio_err, "Bad split send fragment size\n");
+        goto end;
+    }
+
+    if (max_pipelines > SSL_MAX_PIPELINES) {
+        BIO_printf(bio_err, "Bad max pipelines value\n");
+        goto end;
     }
-#endif
 
     if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
         BIO_printf(bio_err, "Error getting password\n");
@@ -1578,14 +1598,14 @@ int s_server_main(int argc, char *argv[])
         }
 
         s_cert = load_cert(s_cert_file, s_cert_format,
-                           NULL, e, "server certificate file");
+                           "server certificate file");
 
         if (!s_cert) {
             ERR_print_errors(bio_err);
             goto end;
         }
         if (s_chain_file) {
-            if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, e,
+            if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL,
                             "server certificate chain"))
                 goto end;
         }
@@ -1599,7 +1619,7 @@ int s_server_main(int argc, char *argv[])
             }
 
             s_cert2 = load_cert(s_cert_file2, s_cert_format,
-                                NULL, e, "second server certificate file");
+                                "second server certificate file");
 
             if (!s_cert2) {
                 ERR_print_errors(bio_err);
@@ -1609,7 +1629,7 @@ int s_server_main(int argc, char *argv[])
     }
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto_neg_in) {
-        unsigned short len;
+        size_t len;
         next_proto.data = next_protos_parse(&len, next_proto_neg_in);
         if (next_proto.data == NULL)
             goto end;
@@ -1620,7 +1640,7 @@ int s_server_main(int argc, char *argv[])
 #endif
     alpn_ctx.data = NULL;
     if (alpn_in) {
-        unsigned short len;
+        size_t len;
         alpn_ctx.data = next_protos_parse(&len, alpn_in);
         if (alpn_ctx.data == NULL)
             goto end;
@@ -1657,14 +1677,14 @@ int s_server_main(int argc, char *argv[])
         }
 
         s_dcert = load_cert(s_dcert_file, s_dcert_format,
-                            NULL, e, "second server certificate file");
+                            "second server certificate file");
 
         if (!s_dcert) {
             ERR_print_errors(bio_err);
             goto end;
         }
         if (s_dchain_file) {
-            if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, e,
+            if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL,
                             "second server certificate chain"))
                 goto end;
         }
@@ -1717,6 +1737,10 @@ int s_server_main(int argc, char *argv[])
         goto end;
         }
     }
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
 
     if (session_id_prefix) {
         if (strlen(session_id_prefix) >= 32)
@@ -1745,6 +1769,16 @@ int s_server_main(int argc, char *argv[])
     if (async) {
         SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
     }
+    if (split_send_fragment > 0) {
+        SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+    }
+    if (max_pipelines > 0) {
+        SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+    }
+
+    if (read_buf_len > 0) {
+        SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
+    }
 
 #ifndef OPENSSL_NO_SRTP
     if (srtp_profiles != NULL) {
@@ -1768,7 +1802,7 @@ int s_server_main(int argc, char *argv[])
     }
 
     ssl_ctx_add_crls(ctx, crls, 0);
-    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
+    if (!config_ctx(cctx, ssl_args, ctx))
         goto end;
 
     if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
@@ -1831,7 +1865,7 @@ int s_server_main(int argc, char *argv[])
         }
 
         ssl_ctx_add_crls(ctx2, crls, 0);
-        if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL))
+        if (!config_ctx(cctx, ssl_args, ctx2))
             goto end;
     }
 #ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1917,15 +1951,10 @@ int s_server_main(int argc, char *argv[])
                                                        not_resumable_sess_cb);
     }
 #ifndef OPENSSL_NO_PSK
-# ifdef OPENSSL_NO_JPAKE
-    if (psk_key != NULL)
-# else
-    if (psk_key != NULL || jpake_secret)
-# endif
-    {
+    if (psk_key != NULL) {
         if (s_debug)
             BIO_printf(bio_s_out,
-                       "PSK key given or JPAKE in use, setting server callback\n");
+                       "PSK key given, setting server callback\n");
         SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
     }
 
@@ -1989,6 +2018,7 @@ int s_server_main(int argc, char *argv[])
         if (ctx2)
             SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
     }
+#ifndef OPENSSL_NO_OCSP
     if (s_tlsextstatus) {
         SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
         SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
@@ -1997,6 +2027,7 @@ int s_server_main(int argc, char *argv[])
             SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
         }
     }
+#endif
 
     BIO_printf(bio_s_out, "ACCEPT\n");
     (void)BIO_flush(bio_s_out);
@@ -2079,8 +2110,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
                SSL_CTX_sess_get_cache_size(ssl_ctx));
 }
 
-static int sv_body(const char *hostname, int s, int stype,
-                   unsigned char *context)
+static int sv_body(int s, int stype, unsigned char *context)
 {
     char *buf = NULL;
     fd_set readfds;
@@ -2090,23 +2120,19 @@ static int sv_body(const char *hostname, int s, int stype,
     SSL *con = NULL;
     BIO *sbio;
     struct timeval timeout;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
     struct timeval tv;
 #else
     struct timeval *timeoutp;
 #endif
 
     buf = app_malloc(bufsize, "server buffer");
-#ifdef FIONBIO
     if (s_nbio) {
-        unsigned long sl = 1;
-
-        if (!s_quiet)
-            BIO_printf(bio_err, "turning on non blocking io\n");
-        if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
+        if (!BIO_socket_nbio(s, 1))
             ERR_print_errors(bio_err);
+        else if (!s_quiet)
+            BIO_printf(bio_err, "Turned on non blocking io\n");
     }
-#endif
 
     if (con == NULL) {
         con = SSL_new(ctx);
@@ -2175,10 +2201,6 @@ static int sv_body(const char *hostname, int s, int stype,
         test = BIO_new(BIO_f_nbio_test());
         sbio = BIO_push(test, sbio);
     }
-#ifndef OPENSSL_NO_JPAKE
-    if (jpake_secret)
-        jpake_server_auth(bio_s_out, sbio, jpake_secret);
-#endif
 
     SSL_set_bio(con, sbio, sbio);
     SSL_set_accept_state(con);
@@ -2209,12 +2231,12 @@ static int sv_body(const char *hostname, int s, int stype,
         int read_from_sslcon;
 
         read_from_terminal = 0;
-        read_from_sslcon = SSL_pending(con)
+        read_from_sslcon = SSL_has_pending(con)
                            || (async && SSL_waiting_for_async(con));
 
         if (!read_from_sslcon) {
             FD_ZERO(&readfds);
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
             openssl_fdset(fileno(stdin), &readfds);
 #endif
             openssl_fdset(s, &readfds);
@@ -2225,7 +2247,7 @@ static int sv_body(const char *hostname, int s, int stype,
              * if you do have a cast then you can either go for (int *) or
              * (void *).
              */
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
             /*
              * Under DOS (non-djgpp) and Windows we can't select on stdin:
              * only on sockets. As a workaround we timeout the select every
@@ -2286,7 +2308,7 @@ static int sv_body(const char *hostname, int s, int stype,
                 if ((i <= 0) || (buf[0] == 'Q')) {
                     BIO_printf(bio_s_out, "DONE\n");
                     (void)BIO_flush(bio_s_out);
-                    SHUTDOWN(s);
+                    BIO_closesocket(s);
                     close_accept_socket();
                     ret = -11;
                     goto err;
@@ -2295,7 +2317,7 @@ static int sv_body(const char *hostname, int s, int stype,
                     BIO_printf(bio_s_out, "DONE\n");
                     (void)BIO_flush(bio_s_out);
                     if (SSL_version(con) != DTLS1_VERSION)
-                        SHUTDOWN(s);
+                        BIO_closesocket(s);
                     /*
                      * close_accept_socket(); ret= -11;
                      */
@@ -2360,9 +2382,10 @@ static int sv_body(const char *hostname, int s, int stype,
 #ifndef OPENSSL_NO_SRP
                 while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during write\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -2428,9 +2451,10 @@ static int sv_body(const char *hostname, int s, int stype,
 #ifndef OPENSSL_NO_SRP
                 while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -2445,7 +2469,7 @@ static int sv_body(const char *hostname, int s, int stype,
                     ascii2ebcdic(buf, buf, i);
 #endif
                     raw_write_stdout(buf, (unsigned int)i);
-                    if (SSL_pending(con))
+                    if (SSL_has_pending(con))
                         goto again;
                     break;
                 case SSL_ERROR_WANT_ASYNC:
@@ -2490,7 +2514,7 @@ static void close_accept_socket(void)
 {
     BIO_printf(bio_err, "shutdown accept socket\n");
     if (accept_socket >= 0) {
-        SHUTDOWN2(accept_socket);
+        BIO_closesocket(accept_socket);
     }
 }
 
@@ -2555,9 +2579,10 @@ static int init_ssl_connection(SSL *con)
         while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
             BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
                        srp_callback_parm.login);
+            SRP_user_pwd_free(srp_callback_parm.user);
             srp_callback_parm.user =
-                SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                      srp_callback_parm.login);
+                SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                       srp_callback_parm.login);
             if (srp_callback_parm.user)
                 BIO_printf(bio_s_out, "LOOKUP done %s\n",
                            srp_callback_parm.user->info);
@@ -2601,6 +2626,7 @@ static int init_ssl_connection(SSL *con)
         X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
         BIO_printf(bio_s_out, "issuer=%s\n", buf);
         X509_free(peer);
+        peer = NULL;
     }
 
     if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
@@ -2673,8 +2699,7 @@ static DH *load_dh_param(const char *dhfile)
 }
 #endif
 
-static int www_body(const char *hostname, int s, int stype,
-                    unsigned char *context)
+static int www_body(int s, int stype, unsigned char *context)
 {
     char *buf = NULL;
     int ret = 1;
@@ -2697,16 +2722,12 @@ static int www_body(const char *hostname, int s, int stype,
     if ((io == NULL) || (ssl_bio == NULL))
         goto err;
 
-#ifdef FIONBIO
     if (s_nbio) {
-        unsigned long sl = 1;
-
-        if (!s_quiet)
-            BIO_printf(bio_err, "turning on non blocking io\n");
-        if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
+        if (!BIO_socket_nbio(s, 1))
             ERR_print_errors(bio_err);
+        else if (!s_quiet)
+            BIO_printf(bio_err, "Turned on non blocking io\n");
     }
-#endif
 
     /* lets make the output buffer a reasonable size */
     if (!BIO_set_write_buffer_size(io, bufsize))
@@ -2768,9 +2789,10 @@ static int www_body(const char *hostname, int s, int stype,
                 if (BIO_should_io_special(io)
                     && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -2779,9 +2801,7 @@ static int www_body(const char *hostname, int s, int stype,
                     continue;
                 }
 #endif
-#if defined(OPENSSL_SYS_NETWARE)
-                delay(1000);
-#elif !defined(OPENSSL_SYS_MSDOS)
+#if !defined(OPENSSL_SYS_MSDOS)
                 sleep(1);
 #endif
                 continue;
@@ -2795,7 +2815,7 @@ static int www_body(const char *hostname, int s, int stype,
         if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
             ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
             char *p;
-            X509 *peer;
+            X509 *peer = NULL;
             STACK_OF(SSL_CIPHER) *sk;
             static const char *space = "                          ";
 
@@ -2824,7 +2844,7 @@ static int www_body(const char *hostname, int s, int stype,
                     goto err;
                 }
                 /*
-                 * We're not acutally expecting any data here and we ignore
+                 * We're not actually expecting any data here and we ignore
                  * any that is sent. This is just to force the handshake that
                  * we're expecting to come from the client. If they haven't
                  * sent one there's not much we can do.
@@ -2836,7 +2856,7 @@ static int www_body(const char *hostname, int s, int stype,
                      "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
             BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
             BIO_puts(io, "<pre>\n");
-/*                      BIO_puts(io,OpenSSL_version(OPENSSL_VERSION));*/
+            /* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
             BIO_puts(io, "\n");
             for (i = 0; i < local_argc; i++) {
                 const char *myp;
@@ -2915,6 +2935,8 @@ static int www_body(const char *hostname, int s, int stype,
                 BIO_printf(io, "Client certificate\n");
                 X509_print(io, peer);
                 PEM_write_bio_X509(io, peer);
+                X509_free(peer);
+                peer = NULL;
             } else
                 BIO_puts(io, "no client certificate available\n");
             BIO_puts(io, "</BODY></HTML>\r\n\r\n");
@@ -3061,8 +3083,7 @@ static int www_body(const char *hostname, int s, int stype,
     return (ret);
 }
 
-static int rev_body(const char *hostname, int s, int stype,
-                    unsigned char *context)
+static int rev_body(int s, int stype, unsigned char *context)
 {
     char *buf = NULL;
     int i;
@@ -3130,9 +3151,10 @@ static int rev_body(const char *hostname, int s, int stype,
         if (BIO_should_io_special(io)
             && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
             BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
+            SRP_user_pwd_free(srp_callback_parm.user);
             srp_callback_parm.user =
-                SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                      srp_callback_parm.login);
+                SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                       srp_callback_parm.login);
             if (srp_callback_parm.user)
                 BIO_printf(bio_s_out, "LOOKUP done %s\n",
                            srp_callback_parm.user->info);
@@ -3158,9 +3180,10 @@ static int rev_body(const char *hostname, int s, int stype,
                 if (BIO_should_io_special(io)
                     && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
                     BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    SRP_user_pwd_free(srp_callback_parm.user);
                     srp_callback_parm.user =
-                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                              srp_callback_parm.login);
+                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                                               srp_callback_parm.login);
                     if (srp_callback_parm.user)
                         BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                    srp_callback_parm.user->info);
@@ -3169,9 +3192,7 @@ static int rev_body(const char *hostname, int s, int stype,
                     continue;
                 }
 #endif
-#if defined(OPENSSL_SYS_NETWARE)
-                delay(1000);
-#elif !defined(OPENSSL_SYS_MSDOS)
+#if !defined(OPENSSL_SYS_MSDOS)
                 sleep(1);
 #endif
                 continue;
@@ -3355,3 +3376,5 @@ static void free_sessions(void)
     }
     first = NULL;
 }
+
+#endif

apps/s_socket.c

@@ -109,6 +109,7 @@
 #include <string.h>
 #include <errno.h>
 #include <signal.h>
+#include <openssl/opensslconf.h>
 
 /*
  * With IPv6, it looks like Digital has mixed up the proper order of
@@ -167,9 +168,9 @@ int init_client(int *sock, const char *host, const char *port,
 
     ret = 0;
     for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
-        /* Admitedly, these checks are quite paranoid, we should
-           not get anything in the BIO_ADDRINFO chain that we haven't
-           asked for */
+        /* Admittedly, these checks are quite paranoid, we should not get
+         * anything in the BIO_ADDRINFO chain that we haven't
+         * asked for. */
         OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
                        && (type == 0 || type == BIO_ADDRINFO_socktype(res)));
 
@@ -221,10 +222,8 @@ int init_client(int *sock, const char *host, const char *port,
  * 0 on failure, something other on success.
  */
 int do_server(int *accept_sock, const char *host, const char *port,
-              int family, int type,
-              int (*cb) (const char *hostname, int s, int stype,
-                         unsigned char *context), unsigned char *context,
-              int naccept)
+              int family, int type, do_server_cb cb,
+              unsigned char *context, int naccept)
 {
     int asock = 0;
     int sock;
@@ -240,9 +239,8 @@ int do_server(int *accept_sock, const char *host, const char *port,
         return 0;
     }
 
-    /* Admitedly, these checks are quite paranoid, we should
-       not get anything in the BIO_ADDRINFO chain that we haven't
-       asked for */
+    /* Admittedly, these checks are quite paranoid, we should not get
+     * anything in the BIO_ADDRINFO chain that we haven't asked for */
     OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
                    && (type == 0 || type == BIO_ADDRINFO_socktype(res)));
 
@@ -258,54 +256,30 @@ int do_server(int *accept_sock, const char *host, const char *port,
     }
 
     BIO_ADDRINFO_free(res);
+    res = NULL;
 
-    if (accept_sock != NULL) {
+    if (accept_sock != NULL)
         *accept_sock = asock;
-    }
     for (;;) {
-        BIO_ADDR *accepted_addr = NULL;
-        char *name = NULL;
         if (type == SOCK_STREAM) {
-            if ((accepted_addr = BIO_ADDR_new()) == NULL) {
-                BIO_closesocket(asock);
-                return 0;
-            }
-         redoit:
-            sock = BIO_accept_ex(asock, accepted_addr, 0);
+            do {
+                sock = BIO_accept_ex(asock, NULL, 0);
+            } while (sock < 0 && BIO_sock_should_retry(ret));
             if (sock < 0) {
-                if (BIO_sock_should_retry(ret)) {
-                    goto redoit;
-                } else {
-                    ERR_print_errors(bio_err);
-                    BIO_ADDR_free(accepted_addr);
-                    SHUTDOWN(asock);
-                    break;
-                }
+                ERR_print_errors(bio_err);
+                BIO_closesocket(asock);
+                break;
             }
+            i = (*cb)(sock, type, context);
+            BIO_closesocket(sock);
         } else {
-            sock = asock;
+            i = (*cb)(asock, type, context);
         }
 
-        /* accepted_addr is NULL if we're dealing with SOCK_DGRAM
-         * this means that for SOCK_DGRAM, name will be NULL
-         */
-        if (accepted_addr != NULL) {
-#ifdef AF_UNIX
-            if (family == AF_UNIX)
-                name = BIO_ADDR_path_string(accepted_addr);
-            else
-#endif
-                name = BIO_ADDR_hostname_string(accepted_addr, 0);
-        }
-        i = (*cb) (name, sock, type, context);
-        OPENSSL_free(name);
-        BIO_ADDR_free(accepted_addr);
-        if (type == SOCK_STREAM)
-            SHUTDOWN2(sock);
         if (naccept != -1)
             naccept--;
         if (i < 0 || naccept == 0) {
-            SHUTDOWN2(asock);
+            BIO_closesocket(asock);
             ret = i;
             break;
         }

apps/s_time.c

@@ -66,6 +66,10 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_SOCK
+
 #define USE_SOCKETS
 #include "apps.h"
 #include <openssl/x509.h>
@@ -132,7 +136,7 @@ OPTIONS s_time_options[] = {
     {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
     {"verify", OPT_VERIFY, 'p',
      "Turn on peer certificate verification, set depth"},
-    {"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR},
+    {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
     {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 #ifndef OPENSSL_NO_SSL3
     {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
@@ -162,6 +166,7 @@ int s_time_main(int argc, char **argv)
         0, ver;
     long bytes_read = 0, finishtime = 0;
     OPTION_CHOICE o;
+    int max_version = 0;
 
     meth = TLS_client_method();
     verify_depth = 0;
@@ -230,14 +235,13 @@ int s_time_main(int argc, char **argv)
             }
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            max_version = SSL3_VERSION;
             break;
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (cipher == NULL)
         cipher = getenv("SSL_CIPHER");
@@ -250,6 +254,8 @@ int s_time_main(int argc, char **argv)
         goto end;
 
     SSL_CTX_set_quiet_shutdown(ctx, 1);
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
 
     if (st_bugs)
         SSL_CTX_set_options(ctx, SSL_OP_ALL);
@@ -291,7 +297,7 @@ int s_time_main(int argc, char **argv)
 #else
         SSL_shutdown(scon);
 #endif
-        SHUTDOWN2(SSL_get_fd(scon));
+        BIO_closesocket(SSL_get_fd(scon));
 
         nConn += 1;
         if (SSL_session_reused(scon))
@@ -348,7 +354,7 @@ int s_time_main(int argc, char **argv)
 #else
     SSL_shutdown(scon);
 #endif
-    SHUTDOWN2(SSL_get_fd(scon));
+    BIO_closesocket(SSL_get_fd(scon));
 
     nConn = 0;
     totalTime = 0.0;
@@ -379,7 +385,7 @@ int s_time_main(int argc, char **argv)
 #else
         SSL_shutdown(scon);
 #endif
-        SHUTDOWN2(SSL_get_fd(scon));
+        BIO_closesocket(SSL_get_fd(scon));
 
         nConn += 1;
         if (SSL_session_reused(scon))
@@ -472,3 +478,4 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
 
     return serverCon;
 }
+#endif /* OPENSSL_NO_SOCK */

apps/sess_id.c

@@ -139,7 +139,8 @@ int sess_id_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     x = load_sess_id(infile, informat);
     if (x == NULL) {

apps/smime.c

@@ -458,7 +458,7 @@ int smime_main(int argc, char **argv)
             goto end;
         while (*argv) {
             cert = load_cert(*argv, FORMAT_PEM,
-                             NULL, e, "recipient certificate file");
+                             "recipient certificate file");
             if (cert == NULL)
                 goto end;
             sk_X509_push(encerts, cert);
@@ -468,7 +468,7 @@ int smime_main(int argc, char **argv)
     }
 
     if (certfile) {
-        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL,
                         "certificate file")) {
             ERR_print_errors(bio_err);
             goto end;
@@ -476,8 +476,8 @@ int smime_main(int argc, char **argv)
     }
 
     if (recipfile && (operation == SMIME_DECRYPT)) {
-        if ((recip = load_cert(recipfile, FORMAT_PEM, NULL,
-                                e, "recipient certificate file")) == NULL) {
+        if ((recip = load_cert(recipfile, FORMAT_PEM,
+                               "recipient certificate file")) == NULL) {
             ERR_print_errors(bio_err);
             goto end;
         }
@@ -572,8 +572,8 @@ int smime_main(int argc, char **argv)
         for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
-            signer = load_cert(signerfile, FORMAT_PEM, NULL,
-                               e, "signer certificate");
+            signer = load_cert(signerfile, FORMAT_PEM,
+                               "signer certificate");
             if (!signer)
                 goto end;
             key = load_key(keyfile, keyform, 0, passin, e, "signing key file");

apps/spkac.c

@@ -112,6 +112,7 @@ int spkac_main(int argc, char **argv)
         switch (o) {
         case OPT_EOF:
         case OPT_ERR:
+ opthelp:
             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
             goto end;
         case OPT_HELP:
@@ -154,7 +155,8 @@ int spkac_main(int argc, char **argv)
         }
     }
     argc = opt_num_rest();
-    argv = opt_rest();
+    if (argc != 0)
+        goto opthelp;
 
     if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");

apps/srp.c

@@ -653,7 +653,6 @@ int srp_main(int argc, char **argv)
         app_RAND_write_file(randfile);
     NCONF_free(conf);
     free_index(db);
-    OBJ_cleanup();
     return (ret);
 }
 #endif

apps/testdsa.h

@@ -92,18 +92,35 @@ static unsigned char dsa512_g[] = {
 DSA *get_dsa512()
 {
     DSA *dsa;
+    BIGNUM *priv_key, *pub_key, *p, *q, *g;
 
     if ((dsa = DSA_new()) == NULL)
         return (NULL);
-    dsa->priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL);
-    dsa->pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL);
-    dsa->p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL);
-    dsa->q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL);
-    dsa->g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL);
-    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
-        || (dsa->q == NULL) || (dsa->g == NULL))
-        return (NULL);
-    return (dsa);
+    priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL);
+    pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL);
+    p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL);
+    q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL);
+    g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL);
+    if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL)
+            || (g == NULL)) {
+        goto err;
+    }
+    if (!DSA_set0_pqg(dsa, p, q, g))
+        goto err;
+    p = q = g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto err;
+
+    return dsa;
+ err:
+    DSA_free(dsa);
+    BN_free(priv_key);
+    BN_free(pub_key);
+    BN_free(p);
+    BN_free(q);
+    BN_free(g);
+    return NULL;
 }
 
 static unsigned char dsa1024_priv[] = {
@@ -161,18 +178,35 @@ static unsigned char dsa1024_g[] = {
 DSA *get_dsa1024()
 {
     DSA *dsa;
+    BIGNUM *priv_key, *pub_key, *p, *q, *g;
 
     if ((dsa = DSA_new()) == NULL)
         return (NULL);
-    dsa->priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL);
-    dsa->pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL);
-    dsa->p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL);
-    dsa->q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL);
-    dsa->g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL);
-    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
-        || (dsa->q == NULL) || (dsa->g == NULL))
-        return (NULL);
-    return (dsa);
+    priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL);
+    pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL);
+    p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL);
+    q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL);
+    g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL);
+    if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL)
+            || (g == NULL)) {
+        goto err;
+    }
+    if (!DSA_set0_pqg(dsa, p, q, g))
+        goto err;
+    p = q = g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto err;
+
+    return dsa;
+ err:
+    DSA_free(dsa);
+    BN_free(priv_key);
+    BN_free(pub_key);
+    BN_free(p);
+    BN_free(q);
+    BN_free(g);
+    return NULL;
 }
 
 static unsigned char dsa2048_priv[] = {
@@ -263,20 +297,34 @@ static unsigned char dsa2048_g[] = {
 DSA *get_dsa2048()
 {
     DSA *dsa;
+    BIGNUM *priv_key, *pub_key, *p, *q, *g;
 
     if ((dsa = DSA_new()) == NULL)
         return (NULL);
-    dsa->priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL);
-    dsa->pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL);
-    dsa->p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL);
-    dsa->q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL);
-    dsa->g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL);
-    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
-        || (dsa->q == NULL) || (dsa->g == NULL))
-        return (NULL);
-    return (dsa);
+    priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL);
+    pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL);
+    p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL);
+    q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL);
+    g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL);
+    if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL)
+            || (g == NULL)) {
+        goto err;
+    }
+    if (!DSA_set0_pqg(dsa, p, q, g))
+        goto err;
+    p = q = g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto err;
+
+    return dsa;
+ err:
+    DSA_free(dsa);
+    BN_free(priv_key);
+    BN_free(pub_key);
+    BN_free(p);
+    BN_free(q);
+    BN_free(g);
+    return NULL;
 }
 
-static const char rnd_seed[] =
-    "string to make the random number generator think it has entropy";
-static int rnd_fake = 0;

apps/ts.c

@@ -56,25 +56,29 @@
  *
  */
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "apps.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/pem.h>
-#include <openssl/rand.h>
-#include <openssl/ts.h>
-#include <openssl/bn.h>
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_TS
+NON_EMPTY_TRANSLATION_UNIT
+#else
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/pem.h>
+# include <openssl/rand.h>
+# include <openssl/ts.h>
+# include <openssl/bn.h>
 
 /* Request nonce length, in bits (must be a multiple of 8). */
-#define NONCE_LENGTH            64
+# define NONCE_LENGTH            64
 
 /* Name of config entry that defines the OID file. */
-#define ENV_OID_FILE            "oid_file"
+# define ENV_OID_FILE            "oid_file"
 
 /* Is |EXACTLY_ONE| of three pointers set? */
-#define EXACTLY_ONE(a, b, c) \
+# define EXACTLY_ONE(a, b, c) \
         (( a && !b && !c) || \
          ( b && !a && !c) || \
          ( c && !a && !b))
@@ -110,22 +114,25 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
 /* Verify related functions. */
 static int verify_command(char *data, char *digest, char *queryfile,
                           char *in, int token_in,
-                          char *CApath, char *CAfile, char *untrusted);
+                          char *CApath, char *CAfile, char *untrusted,
+                          X509_VERIFY_PARAM *vpm);
 static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                                         char *queryfile,
                                         char *CApath, char *CAfile,
-                                        char *untrusted);
-static X509_STORE *create_cert_store(char *CApath, char *CAfile);
+                                        char *untrusted,
+                                        X509_VERIFY_PARAM *vpm);
+static X509_STORE *create_cert_store(char *CApath, char *CAfile,
+                                     X509_VERIFY_PARAM *vpm);
 static int verify_cb(int ok, X509_STORE_CTX *ctx);
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
-    OPT_DIGEST, OPT_RAND, OPT_POLICY, OPT_NO_NONCE, OPT_CERT,
+    OPT_DIGEST, OPT_RAND, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
     OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
     OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
     OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED,
-    OPT_MD
+    OPT_MD, OPT_V_ENUM
 } OPTION_CHOICE;
 
 OPTIONS ts_options[] = {
@@ -137,7 +144,7 @@ OPTIONS ts_options[] = {
     {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
     {"rand", OPT_RAND, 's',
      "Load the file(s) into the random number generator"},
-    {"policy", OPT_POLICY, 's', "Policy OID to use"},
+    {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
     {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
     {"cert", OPT_CERT, '-', "Put cert request into query"},
     {"in", OPT_IN, '<', "Input file"},
@@ -156,9 +163,12 @@ OPTIONS ts_options[] = {
     {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
     {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
     {"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
+# endif
+    {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
+    OPT_V_OPTIONS,
+    {OPT_HELP_STR, 1, '-', "\n"},
     {NULL}
 };
 
@@ -168,23 +178,24 @@ OPTIONS ts_options[] = {
 static char* opt_helplist[] = {
     "Typical uses:",
     "ts -query [-rand file...] [-config file] [-data file]",
-    "          [-digest hexstring] [-policy oid] [-no_nonce] [-cert]",
+    "          [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
     "          [-in file] [-out file] [-text]",
     "  or",
     "ts -reply [-config file] [-section tsa_section]",
     "          [-queryfile file] [-passin password]",
     "          [-signer tsa_cert.pem] [-inkey private_key.pem]",
-    "          [-chain certs_file.pem] [-policy oid]",
+    "          [-chain certs_file.pem] [-tspolicy oid]",
     "          [-in file] [-token_in] [-out file] [-token_out]",
-#ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
     "          [-text]",
-#else
+# else
     "          [-text] [-engine id]",
-#endif
+# endif
     "  or",
     "ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
     "           [-data file] [-digest hexstring]",
     "           [-queryfile file] -in file [-token_in]",
+    "           [[options specific to 'ts -verify']]",
     NULL,
 };
 
@@ -200,11 +211,16 @@ int ts_main(int argc, char **argv)
     const EVP_MD *md = NULL;
     OPTION_CHOICE o, mode = OPT_ERR;
     int ret = 1, no_nonce = 0, cert = 0, text = 0;
+    int vpmtouched = 0;
+    X509_VERIFY_PARAM *vpm = NULL;
     /* Input is ContentInfo instead of TimeStampResp. */
     int token_in = 0;
     /* Output is ContentInfo instead of TimeStampResp. */
     int token_out = 0;
 
+    if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+        goto end;
+
     prog = opt_init(argc, argv, ts_options);
     while ((o = opt_next()) != OPT_EOF) {
         switch (o) {
@@ -241,7 +257,7 @@ int ts_main(int argc, char **argv)
         case OPT_RAND:
             rnd = opt_arg();
             break;
-        case OPT_POLICY:
+        case OPT_TSPOLICY:
             policy = opt_arg();
             break;
         case OPT_NO_NONCE:
@@ -296,6 +312,11 @@ int ts_main(int argc, char **argv)
             if (!opt_md(opt_unknown(), &md))
                 goto opthelp;
             break;
+        case OPT_V_CASES:
+            if (!opt_verify(o, vpm))
+                goto end;
+            vpmtouched++;
+            break;
         }
     }
     argc = opt_num_rest();
@@ -329,12 +350,16 @@ int ts_main(int argc, char **argv)
     case OPT_ERR:
         goto opthelp;
     case OPT_QUERY:
+        if (vpmtouched)
+            goto opthelp;
         if ((data != NULL) && (digest != NULL))
             goto opthelp;
         ret = !query_command(data, digest, md, policy, no_nonce, cert,
                              in, out, text);
         break;
     case OPT_REPLY:
+        if (vpmtouched)
+            goto opthelp;
         if ((in != NULL) && (queryfile != NULL))
             goto opthelp;
         if (in == NULL) {
@@ -349,14 +374,15 @@ int ts_main(int argc, char **argv)
         if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
             goto opthelp;
         ret = !verify_command(data, digest, queryfile, in, token_in,
-                              CApath, CAfile, untrusted);
+                              CApath, CAfile, untrusted, 
+                              vpmtouched ? vpm : NULL);
     }
 
  end:
+    X509_VERIFY_PARAM_free(vpm);
     app_RAND_write_file(NULL);
     NCONF_free(conf);
     OPENSSL_free(password);
-    OBJ_cleanup();
     return (ret);
 }
 
@@ -541,7 +567,7 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
         EVP_MD_CTX_free(md_ctx);
     } else {
         long digest_len;
-        *md_value = string_to_hex(digest, &digest_len);
+        *md_value = OPENSSL_hexstr2buf(digest, &digest_len);
         if (!*md_value || md_value_len != digest_len) {
             OPENSSL_free(*md_value);
             *md_value = NULL;
@@ -712,10 +738,10 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
         goto end;
     if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
         goto end;
-#ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
     if (!TS_CONF_set_crypto_device(conf, section, engine))
         goto end;
-#endif
+# endif
     if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
         goto end;
     if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
@@ -847,7 +873,8 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
 
 static int verify_command(char *data, char *digest, char *queryfile,
                           char *in, int token_in,
-                          char *CApath, char *CAfile, char *untrusted)
+                          char *CApath, char *CAfile, char *untrusted,
+                          X509_VERIFY_PARAM *vpm)
 {
     BIO *in_bio = NULL;
     PKCS7 *token = NULL;
@@ -866,7 +893,8 @@ static int verify_command(char *data, char *digest, char *queryfile,
     }
 
     if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
-                                        CApath, CAfile, untrusted)) == NULL)
+                                        CApath, CAfile, untrusted,
+                                        vpm)) == NULL)
         goto end;
 
     ret = token_in
@@ -892,7 +920,8 @@ static int verify_command(char *data, char *digest, char *queryfile,
 static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                                         char *queryfile,
                                         char *CApath, char *CAfile,
-                                        char *untrusted)
+                                        char *untrusted,
+                                        X509_VERIFY_PARAM *vpm)
 {
     TS_VERIFY_CTX *ctx = NULL;
     BIO *input = NULL;
@@ -910,7 +939,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                 goto err;
         } else if (digest != NULL) {
             long imprint_len;
-            unsigned char *hexstr = string_to_hex(digest, &imprint_len);
+            unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
             f |= TS_VFY_IMPRINT;
             if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
                 BIO_printf(bio_err, "invalid digest string\n");
@@ -932,7 +961,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
     TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
 
     /* Initialising the X509_STORE object. */
-    if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile))
+    if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm))
             == NULL)
         goto err;
 
@@ -952,7 +981,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
     return ctx;
 }
 
-static X509_STORE *create_cert_store(char *CApath, char *CAfile)
+static X509_STORE *create_cert_store(char *CApath, char *CAfile, X509_VERIFY_PARAM *vpm)
 {
     X509_STORE *cert_ctx = NULL;
     X509_LOOKUP *lookup = NULL;
@@ -985,6 +1014,10 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
             goto err;
         }
     }
+
+    if (vpm != NULL) 
+        X509_STORE_set1_param(cert_ctx, vpm);
+
     return cert_ctx;
 
  err:
@@ -996,3 +1029,4 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx)
 {
     return ok;
 }
+#endif

apps/tsget.in

@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!{- $config{perl} -}
 # Written by Zoltan Glozik <zglozik@stones.com>.
 # Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
 $::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $';

apps/verify.c

@@ -68,7 +68,7 @@
 static int cb(int ok, X509_STORE_CTX *ctx);
 static int check(X509_STORE *ctx, char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
-                 STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain);
+                 STACK_OF(X509_CRL) *crls, int show_chain);
 static int v_verbose = 0, vflags = 0;
 
 typedef enum OPTION_choice {
@@ -108,7 +108,6 @@ OPTIONS verify_options[] = {
 
 int verify_main(int argc, char **argv)
 {
-    ENGINE *e = NULL;
     STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
     STACK_OF(X509_CRL) *crls = NULL;
     X509_STORE *store = NULL;
@@ -167,7 +166,7 @@ int verify_main(int argc, char **argv)
             break;
         case OPT_UNTRUSTED:
             /* Zero or more times */
-            if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, e,
+            if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL,
                             "untrusted certificates"))
                 goto end;
             break;
@@ -175,26 +174,28 @@ int verify_main(int argc, char **argv)
             /* Zero or more times */
             noCAfile = 1;
             noCApath = 1;
-            if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, e,
+            if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL,
                             "trusted certificates"))
                 goto end;
             break;
         case OPT_CRLFILE:
             /* Zero or more times */
-            if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, e,
+            if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL,
                            "other CRLs"))
                 goto end;
             break;
         case OPT_CRL_DOWNLOAD:
             crl_download = 1;
             break;
+        case OPT_ENGINE:
+            if (setup_engine(opt_arg(), 0) == NULL) {
+                /* Failure message already displayed */
+                goto end;
+            }
+            break;
         case OPT_SHOW_CHAIN:
             show_chain = 1;
             break;
-        case OPT_ENGINE:
-            /* Specify *before* -trusted/-untrusted/-CRLfile */
-            e = setup_engine(opt_arg(), 0);
-            break;
         case OPT_VERBOSE:
             v_verbose = 1;
             break;
@@ -223,11 +224,11 @@ int verify_main(int argc, char **argv)
 
     ret = 0;
     if (argc < 1) {
-        if (check(store, NULL, untrusted, trusted, crls, e, show_chain) != 1)
+        if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1)
             ret = -1;
     } else {
         for (i = 0; i < argc; i++)
-            if (check(store, argv[i], untrusted, trusted, crls, e,
+            if (check(store, argv[i], untrusted, trusted, crls,
                       show_chain) != 1)
                 ret = -1;
     }
@@ -243,7 +244,7 @@ int verify_main(int argc, char **argv)
 
 static int check(X509_STORE *ctx, char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
-                 STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain)
+                 STACK_OF(X509_CRL) *crls, int show_chain)
 {
     X509 *x = NULL;
     int i = 0, ret = 0;
@@ -251,7 +252,7 @@ static int check(X509_STORE *ctx, char *file,
     STACK_OF(X509) *chain = NULL;
     int num_untrusted;
 
-    x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file");
+    x = load_cert(file, FORMAT_PEM, "certificate file");
     if (x == NULL)
         goto end;
 
@@ -268,7 +269,7 @@ static int check(X509_STORE *ctx, char *file,
         goto end;
     }
     if (tchain)
-        X509_STORE_CTX_trusted_stack(csc, tchain);
+        X509_STORE_CTX_set0_trusted_stack(csc, tchain);
     if (crls)
         X509_STORE_CTX_set0_crls(csc, crls);
     i = X509_verify_cert(csc);

apps/version.c

@@ -190,7 +190,7 @@ int version_main(int argc, char **argv)
             dirty = version = 1;
             break;
         case OPT_A:
-            cflags = version = date = platform = dir = 1;
+            cflags = version = date = platform = dir = engdir = 1;
             break;
         }
     }
@@ -222,7 +222,7 @@ int version_main(int argc, char **argv)
         printf("%s ", DES_options());
 #endif
 #ifndef OPENSSL_NO_IDEA
-        printf("%s ", idea_options());
+        printf("%s ", IDEA_options());
 #endif
 #ifndef OPENSSL_NO_BF
         printf("%s ", BF_options());

apps/vms_decc_init.c

@@ -105,6 +105,7 @@ decc_feat_t decc_feat_array[] = {
     {(char *)NULL, 0}
 };
 
+
 char **copy_argv(int *argc, char *argv[])
 {
     /*-

apps/x509.c

@@ -89,10 +89,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                         char *section, ASN1_INTEGER *sno, int reqfile);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-static int force_version = 2;
-#endif
-
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
@@ -108,7 +104,6 @@ typedef enum OPTION_choice {
     OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
     OPT_SUBJECT_HASH_OLD,
     OPT_ISSUER_HASH_OLD,
-    OPT_FORCE_VERSION,
     OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
 } OPTION_CHOICE;
 
@@ -189,9 +184,6 @@ OPTIONS x509_options[] = {
     {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
      "Print old-style (MD5) subject hash value"},
 #endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    {"force_version", OPT_FORCE_VERSION, 'p'},
-#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -288,11 +280,6 @@ int x509_main(int argc, char **argv)
             if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
                 goto opthelp;
             break;
-        case OPT_FORCE_VERSION:
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-            force_version = atoi(opt_arg()) - 1;
-#endif
-            break;
         case OPT_DAYS:
             days = atoi(opt_arg());
             break;
@@ -575,12 +562,11 @@ int x509_main(int argc, char **argv)
             goto end;
         }
 
-        if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
+        if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) {
             BIO_printf(bio_err, "error unpacking public key\n");
             goto end;
         }
         i = X509_REQ_verify(req, pkey);
-        EVP_PKEY_free(pkey);
         if (i < 0) {
             BIO_printf(bio_err, "Signature verification error\n");
             ERR_print_errors(bio_err);
@@ -620,17 +606,16 @@ int x509_main(int argc, char **argv)
         if (fkey)
             X509_set_pubkey(x, fkey);
         else {
-            pkey = X509_REQ_get_pubkey(req);
+            pkey = X509_REQ_get0_pubkey(req);
             X509_set_pubkey(x, pkey);
-            EVP_PKEY_free(pkey);
         }
     } else
-        x = load_cert(infile, informat, NULL, e, "Certificate");
+        x = load_cert(infile, informat, "Certificate");
 
     if (x == NULL)
         goto end;
     if (CA_flag) {
-        xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate");
+        xca = load_cert(CAfile, CAformat, "CA Certificate");
         if (xca == NULL)
             goto end;
     }
@@ -742,16 +727,22 @@ int x509_main(int argc, char **argv)
                 }
                 BIO_printf(out, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
-                    BN_print(out, EVP_PKEY_get0_RSA(pkey)->n);
-                else
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
+                    BIGNUM *n;
+                    RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL);
+                    BN_print(out, n);
+                } else
 #endif
 #ifndef OPENSSL_NO_DSA
-                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
-                    BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key);
-                else
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) {
+                    BIGNUM *dsapub = NULL;
+                    DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL);
+                    BN_print(out, dsapub);
+                } else
 #endif
+                {
                     BIO_printf(out, "Wrong Algorithm type");
+                }
                 BIO_printf(out, "\n");
             } else if (pubkey == i) {
                 EVP_PKEY *pkey;
@@ -928,7 +919,6 @@ int x509_main(int argc, char **argv)
  end:
     if (need_rand)
         app_RAND_write_file(NULL);
-    OBJ_cleanup();
     NCONF_free(extconf);
     BIO_free_all(out);
     X509_STORE_free(ctx);
@@ -997,13 +987,14 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 {
     int ret = 0;
     ASN1_INTEGER *bs = NULL;
-    X509_STORE_CTX xsc;
+    X509_STORE_CTX *xsc = NULL;
     EVP_PKEY *upkey;
 
     upkey = X509_get0_pubkey(xca);
     EVP_PKEY_copy_parameters(upkey, pkey);
 
-    if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
+    xsc = X509_STORE_CTX_new();
+    if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) {
         BIO_printf(bio_err, "Error initialising X509 store\n");
         goto end;
     }
@@ -1016,9 +1007,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
      * NOTE: this certificate can/should be self signed, unless it was a
      * certificate request in which case it is not.
      */
-    X509_STORE_CTX_set_cert(&xsc, x);
-    X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
-    if (!reqfile && X509_verify_cert(&xsc) <= 0)
+    X509_STORE_CTX_set_cert(xsc, x);
+    X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
+    if (!reqfile && X509_verify_cert(xsc) <= 0)
         goto end;
 
     if (!X509_check_private_key(xca, pkey)) {
@@ -1046,11 +1037,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 
     if (conf) {
         X509V3_CTX ctx2;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx2, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1061,7 +1048,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
         goto end;
     ret = 1;
  end:
-    X509_STORE_CTX_cleanup(&xsc);
+    X509_STORE_CTX_free(xsc);
     if (!ret)
         ERR_print_errors(bio_err);
     if (!sno)
@@ -1123,11 +1110,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
     }
     if (conf) {
         X509V3_CTX ctx;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))