Rerun util/openssl-format-source -v -c .

Reviewed-by: Tim Hudson <tjh@openssl.org>

.cvsignore

@@ -0,0 +1,22 @@
+openssl.pc
+libcrypto.pc
+libssl.pc
+MINFO
+makefile.one
+tmp
+out
+outinc
+rehash.time
+testlog
+make.log
+maketest.log
+cctest
+cctest.c
+cctest.a
+*.flc
+semantic.cache
+Makefile
+*.dll*
+*.so*
+*.sl*
+*.dylib*

.gitignore

@@ -11,15 +11,10 @@
 # Top level excludes
 /Makefile.bak
 /Makefile
-/MINFO
 /*.a
 /include
 /*.pc
 /rehash.time
-/inc.*
-/makefile.*
-/out.*
-/tmp.*
 
 # Most *.c files under test/ are symlinks
 /test/*.c
@@ -30,7 +25,6 @@
 !/test/igetest.c
 !/test/r160test.c
 !/test/fips_algvs.c
-!/test/testutil.c
 
 /test/*.ss
 /test/*.srl
@@ -74,7 +68,6 @@ crypto/sha/asm/sha512-sse2.asm
 /apps/openssl
 /test/sha256t
 /test/sha512t
-/test/gost2814789t
 /test/*test
 /test/fips_aesavs
 /test/fips_desmovs
@@ -100,8 +93,6 @@ Makefile.save
 *.bak
 tags
 TAGS
-cscope.out
-*.d
 
 # Windows
 /tmp32dll

CHANGES

@@ -2,680 +2,40 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.1l and 1.0.1m [xx XXX xxxx]
 
-  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
-     Access to deprecated functions can be re-enabled by running config with
-     "enable-deprecated". In addition applications wishing to use deprecated
-     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
-     will, by default, disable some transitive includes that previously existed
-     in the header files (e.g. ec.h will no longer, by default, include bn.h)
+  *)
+
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+  *) Build fixes for the Windows and OpenVMS platforms
+     [Matt Caswell and Richard Levitte]
+
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+     message can cause a segmentation fault in OpenSSL due to a NULL pointer
+     dereference. This could lead to a Denial Of Service attack. Thanks to
+     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+     (CVE-2014-3571)
+     [Steve Henson]
+
+  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+     dtls1_buffer_record function under certain conditions. In particular this
+     could occur if an attacker sent repeated DTLS records with the same
+     sequence number but for the next epoch. The memory leak could be exploited
+     by an attacker in a Denial of Service attack through memory exhaustion.
+     Thanks to Chris Mueller for reporting this issue.
+     (CVE-2015-0206)
      [Matt Caswell]
 
-  *) Added support for OCB mode. OpenSSL has been granted a patent license
-     compatible with the OpenSSL license for use of OCB. Details are available
-     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
-     for OCB can be removed by calling config with no-ocb.
-     [Matt Caswell]
-
-  *) SSLv2 support has been removed.  It still supports receiving a SSLv2
-     compatible client hello.
+  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+     method would be set to NULL which could later result in a NULL pointer
+     dereference. Thanks to Frank Schmirler for reporting this issue.
+     (CVE-2014-3569)
      [Kurt Roeckx]
 
-  *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
-     done while fixing the error code for the key-too-small case.
-     [Annie Yousar <a.yousar@informatik.hu-berlin.de>]
-
-  *) Remove various unsupported platforms:
-	Sony NEWS4
-	BEOS and BEOS_R5
-	NeXT
-	SUNOS
-	MPE/iX
-	Sinix/ReliantUNIX RM400
-	DGUX
-	NCR
-	Tandem
-	Cray
-	WIN16
-     [Rich Salz]
-
-  *) Start cleaning up OPENSSL_NO_xxx #define's
-	OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
-	OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
-     [Rich Salz]
-
-  *) Experimental support for a new, fast, unbiased prime candidate generator,
-     bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
-     [Felix Laurie von Massenbach <felix@erbridge.co.uk>]
-
-  *) New output format NSS in the sess_id command line tool. This allows
-     exporting the session id and the master key in NSS keylog format.
-     [Martin Kaiser <martin@kaiser.cx>]
-
-  *) Harmonize version and its documentation. -f flag is used to display
-     compilation flags.
-     [mancha <mancha1@zoho.com>]
-
-  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
-     in i2d_ECPrivateKey.
-     [mancha <mancha1@zoho.com>]
-
-  *) Fix some double frees. These are not thought to be exploitable.
-     [mancha <mancha1@zoho.com>]
-
-  *) A missing bounds check in the handling of the TLS heartbeat extension
-     can be used to reveal up to 64k of memory to a connected client or
-     server.
-
-     Thanks for Neel Mehta of Google Security for discovering this bug and to
-     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
-     preparing the fix (CVE-2014-0160)
-     [Adam Langley, Bodo Moeller]
-
-  *) Fix for the attack described in the paper "Recovering OpenSSL
-     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
-     by Yuval Yarom and Naomi Benger. Details can be obtained from:
-     http://eprint.iacr.org/2014/140
-
-     Thanks to Yuval Yarom and Naomi Benger for discovering this
-     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
-     [Yuval Yarom and Naomi Benger]
-
-  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
-     this fixes a limitation in previous versions of OpenSSL.
-     [Steve Henson]
-
-  *) Experimental encrypt-then-mac support.
-    
-     Experimental support for encrypt then mac from
-     draft-gutmann-tls-encrypt-then-mac-02.txt
-
-     To enable it set the appropriate extension number (0x42 for the test
-     server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
- 
-     For non-compliant peers (i.e. just about everything) this should have no
-     effect.
-
-     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
-
-     [Steve Henson]
-
-  *) Add EVP support for key wrapping algorithms, to avoid problems with
-     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
-     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
-     algorithms and include tests cases.
-     [Steve Henson]
-
-  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
-     enveloped data.
-     [Steve Henson]
-
-  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
-     MGF1 digest and OAEP label.
-     [Steve Henson]
-
-  *) Make openssl verify return errors.
-     [Chris Palmer <palmer@google.com> and Ben Laurie]
-
-  *) New function ASN1_TIME_diff to calculate the difference between two
-     ASN1_TIME structures or one structure and the current time.
-     [Steve Henson]
-
-  *) Update fips_test_suite to support multiple command line options. New
-     test to induce all self test errors in sequence and check expected
-     failures.
-     [Steve Henson]
-
-  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
-     sign or verify all in one operation.
-     [Steve Henson]
-
-  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
-     test programs and fips_test_suite. Includes functionality to parse
-     the minimal script output of fipsalgest.pl directly.
-     [Steve Henson]
-
-  *) Add authorisation parameter to FIPS_module_mode_set().
-     [Steve Henson]
-
-  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
-     [Steve Henson]
-
-  *) Use separate DRBG fields for internal and external flags. New function
-     FIPS_drbg_health_check() to perform on demand health checking. Add
-     generation tests to fips_test_suite with reduced health check interval to 
-     demonstrate periodic health checking. Add "nodh" option to
-     fips_test_suite to skip very slow DH test.
-     [Steve Henson]
-
-  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
-     based on NID.
-     [Steve Henson]
-
-  *) More extensive health check for DRBG checking many more failure modes.
-     New function FIPS_selftest_drbg_all() to handle every possible DRBG
-     combination: call this in fips_test_suite.
-     [Steve Henson]
-
-  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
-     and POST to handle Dual EC cases.
-     [Steve Henson]
-
-  *) Add support for canonical generation of DSA parameter 'g'. See 
-     FIPS 186-3 A.2.3.
-
-  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
-     POST to handle HMAC cases.
-     [Steve Henson]
-
-  *) Add functions FIPS_module_version() and FIPS_module_version_text()
-     to return numerical and string versions of the FIPS module number.
-     [Steve Henson]
-
-  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
-     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
-     outside the validated module in the FIPS capable OpenSSL.
-     [Steve Henson]
-
-  *) Minor change to DRBG entropy callback semantics. In some cases
-     there is no multiple of the block length between min_len and
-     max_len. Allow the callback to return more than max_len bytes
-     of entropy but discard any extra: it is the callback's responsibility
-     to ensure that the extra data discarded does not impact the
-     requested amount of entropy.
-     [Steve Henson]
-
-  *) Add PRNG security strength checks to RSA, DSA and ECDSA using 
-     information in FIPS186-3, SP800-57 and SP800-131A.
-     [Steve Henson]
-
-  *) CCM support via EVP. Interface is very similar to GCM case except we
-     must supply all data in one chunk (i.e. no update, final) and the
-     message length must be supplied if AAD is used. Add algorithm test
-     support.
-     [Steve Henson]
-
-  *) Initial version of POST overhaul. Add POST callback to allow the status
-     of POST to be monitored and/or failures induced. Modify fips_test_suite
-     to use callback. Always run all selftests even if one fails.
-     [Steve Henson]
-
-  *) XTS support including algorithm test driver in the fips_gcmtest program.
-     Note: this does increase the maximum key length from 32 to 64 bytes but
-     there should be no binary compatibility issues as existing applications
-     will never use XTS mode.
-     [Steve Henson]
-
-  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
-     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
-     performs algorithm blocking for unapproved PRNG types. Also do not
-     set PRNG type in FIPS_mode_set(): leave this to the application.
-     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
-     the standard OpenSSL PRNG: set additional data to a date time vector.
-     [Steve Henson]
-
-  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
-     This shouldn't present any incompatibility problems because applications
-     shouldn't be using these directly and any that are will need to rethink
-     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
-     [Steve Henson]
-
-  *) Extensive self tests and health checking required by SP800-90 DRBG.
-     Remove strength parameter from FIPS_drbg_instantiate and always
-     instantiate at maximum supported strength.
-     [Steve Henson]
-
-  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
-     [Steve Henson]
-
-  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
-     [Steve Henson]
-
-  *) New function DH_compute_key_padded() to compute a DH key and pad with
-     leading zeroes if needed: this complies with SP800-56A et al.
-     [Steve Henson]
-
-  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
-     anything, incomplete, subject to change and largely untested at present.
-     [Steve Henson]
-
-  *) Modify fipscanisteronly build option to only build the necessary object
-     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
-     [Steve Henson]
-
-  *) Add experimental option FIPSSYMS to give all symbols in
-     fipscanister.o and FIPS or fips prefix. This will avoid
-     conflicts with future versions of OpenSSL. Add perl script
-     util/fipsas.pl to preprocess assembly language source files
-     and rename any affected symbols.
-     [Steve Henson]
-
-  *) Add selftest checks and algorithm block of non-fips algorithms in
-     FIPS mode. Remove DES2 from selftests.
-     [Steve Henson]
-
-  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
-     return internal method without any ENGINE dependencies. Add new
-     tiny fips sign and verify functions.
-     [Steve Henson]
-
-  *) New build option no-ec2m to disable characteristic 2 code.
-     [Steve Henson]
-
-  *) New build option "fipscanisteronly". This only builds fipscanister.o
-     and (currently) associated fips utilities. Uses the file Makefile.fips
-     instead of Makefile.org as the prototype.
-     [Steve Henson]
-
-  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
-     Update fips_gcmtest to use IV generator.
-     [Steve Henson]
-
-  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
-     setting output buffer to NULL. The *Final function must be
-     called although it will not retrieve any additional data. The tag
-     can be set or retrieved with a ctrl. The IV length is by default 12
-     bytes (96 bits) but can be set to an alternative value. If the IV
-     length exceeds the maximum IV length (currently 16 bytes) it cannot be
-     set before the key. 
-     [Steve Henson]
-
-  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
-     underlying do_cipher function handles all cipher semantics itself
-     including padding and finalisation. This is useful if (for example)
-     an ENGINE cipher handles block padding itself. The behaviour of
-     do_cipher is subtly changed if this flag is set: the return value
-     is the number of characters written to the output buffer (zero is
-     no longer an error code) or a negative error code. Also if the
-     input buffer is NULL and length 0 finalisation should be performed.
-     [Steve Henson]
-
-  *) If a candidate issuer certificate is already part of the constructed
-     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
-     [Steve Henson]
-
-  *) Improve forward-security support: add functions
-
-       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
-       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
-
-     for use by SSL/TLS servers; the callback function will be called whenever a
-     new session is created, and gets to decide whether the session may be
-     cached to make it resumable (return 0) or not (return 1).  (As by the
-     SSL/TLS protocol specifications, the session_id sent by the server will be
-     empty to indicate that the session is not resumable; also, the server will
-     not generate RFC 4507 (RFC 5077) session tickets.)
-
-     A simple reasonable callback implementation is to return is_forward_secure.
-     This parameter will be set to 1 or 0 depending on the ciphersuite selected
-     by the SSL/TLS server library, indicating whether it can provide forward
-     security.
-     [Emilia K<>sper <emilia.kasper@esat.kuleuven.be> (Google)]
-
-  *) New -verify_name option in command line utilities to set verification
-     parameters by name.
-     [Steve Henson]
-
-  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
-     Add CMAC pkey methods.
-     [Steve Henson]
-
-  *) Experimental renegotiation in s_server -www mode. If the client 
-     browses /reneg connection is renegotiated. If /renegcert it is
-     renegotiated requesting a certificate.
-     [Steve Henson]
-
-  *) Add an "external" session cache for debugging purposes to s_server. This
-     should help trace issues which normally are only apparent in deployed
-     multi-process servers.
-     [Steve Henson]
-
-  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
-     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
-     BIO_set_cipher() and some obscure PEM functions were changed so they
-     can now return an error. The RAND changes required a change to the
-     RAND_METHOD structure.
-     [Steve Henson]
-
-  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
-     a gcc attribute to warn if the result of a function is ignored. This
-     is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
-     whose return value is often ignored. 
-     [Steve Henson]
-
- Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
-
-  *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
-     ARMv5 through ARMv8, as opposite to "locking" it to single one.
-     So far those who have to target multiple plaforms would compromise
-     and argue that binary targeting say ARMv5 would still execute on
-     ARMv8. "Universal" build resolves this compromise by providing
-     near-optimal performance even on newer platforms.
-     [Andy Polyakov]
-
-  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
-     (other platforms pending).
-     [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
-
-  *) Add support for the SignedCertificateTimestampList certificate and
-     OCSP response extensions from RFC6962.
-     [Rob Stradling]
-
-  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
-     for corner cases. (Certain input points at infinity could lead to
-     bogus results, with non-infinity inputs mapped to infinity too.)
-     [Bodo Moeller]
-
-  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
-     This covers AES, SHA256/512 and GHASH. "Initial" means that most
-     common cases are optimized and there still is room for further
-     improvements. Vector Permutation AES for Altivec is also added.
-     [Andy Polyakov]
-
-  *) Add support for little-endian ppc64 Linux target.
-     [Marcelo Cerri (IBM)]
-
-  *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
-     SHA1, SHA256 and GHASH. "Initial" means that most common cases
-     are optimized and there still is room for further improvements.
-     Both 32- and 64-bit modes are supported.
-     [Andy Polyakov, Ard Biesheuvel (Linaro)]
-
-  *) Improved ARMv7 NEON support.
-     [Andy Polyakov]
-
-  *) Support for SPARC Architecture 2011 crypto extensions, first
-     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
-     SHA256/512, MD5, GHASH and modular exponentiation.
-     [Andy Polyakov, David Miller]
-
-  *) Accelerated modular exponentiation for Intel processors, a.k.a.
-     RSAZ.
-     [Shay Gueron & Vlad Krasnov (Intel Corp)]
-
-  *) Support for new and upcoming Intel processors, including AVX2,
-     BMI and SHA ISA extensions. This includes additional "stitched"
-     implementations, AESNI-SHA256 and GCM, and multi-buffer support
-     for TLS encrypt.
-
-     This work was sponsored by Intel Corp.
-     [Andy Polyakov]
-
-  *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
-     supports both DTLS 1.2 and 1.0 and should use whatever version the peer
-     supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
-     [Steve Henson]
-
-  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
-     this fixes a limiation in previous versions of OpenSSL.
-     [Steve Henson]
-
-  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
-     MGF1 digest and OAEP label.
-     [Steve Henson]
-
-  *) Add EVP support for key wrapping algorithms, to avoid problems with
-     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
-     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
-     algorithms and include tests cases.
-     [Steve Henson]
-
-  *) Add functions to allocate and set the fields of an ECDSA_METHOD
-     structure.
-     [Douglas E. Engert, Steve Henson]
-
-  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
-     difference in days and seconds between two tm or ASN1_TIME structures.
-     [Steve Henson]
-
-  *) Add -rev test option to s_server to just reverse order of characters
-     received by client and send back to server. Also prints an abbreviated
-     summary of the connection parameters.
-     [Steve Henson]
-
-  *) New option -brief for s_client and s_server to print out a brief summary
-     of connection parameters.
-     [Steve Henson]
-
-  *) Add callbacks for arbitrary TLS extensions.
-     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]
-
-  *) New option -crl_download in several openssl utilities to download CRLs
-     from CRLDP extension in certificates.
-     [Steve Henson]
-
-  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
-     [Steve Henson]
-
-  *) New function X509_CRL_diff to generate a delta CRL from the difference
-     of two full CRLs. Add support to "crl" utility.
-     [Steve Henson]
-
-  *) New functions to set lookup_crls function and to retrieve
-     X509_STORE from X509_STORE_CTX.
-     [Steve Henson]
-
-  *) Print out deprecated issuer and subject unique ID fields in
-     certificates.
-     [Steve Henson]
-
-  *) Extend OCSP I/O functions so they can be used for simple general purpose
-     HTTP as well as OCSP. New wrapper function which can be used to download
-     CRLs using the OCSP API.
-     [Steve Henson]
-
-  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
-     [Steve Henson]
-
-  *) SSL_CONF* functions. These provide a common framework for application
-     configuration using configuration files or command lines.
-     [Steve Henson]
-
-  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
-     message callback and prints the results. Needs compile time option
-     "enable-ssl-trace". New options to s_client and s_server to enable
-     tracing.
-     [Steve Henson]
-
-  *) New ctrl and macro to retrieve supported points extensions.
-     Print out extension in s_server and s_client.
-     [Steve Henson]
-
-  *) New functions to retrieve certificate signature and signature
-     OID NID.
-     [Steve Henson]
-
-  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
-     client to OpenSSL.
-     [Steve Henson]
-
-  *) New Suite B modes for TLS code. These use and enforce the requirements
-     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
-     only use Suite B curves. The Suite B modes can be set by using the
-     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
-     [Steve Henson]
-
-  *) New chain verification flags for Suite B levels of security. Check
-     algorithms are acceptable when flags are set in X509_verify_cert.
-     [Steve Henson]
-
-  *) Make tls1_check_chain return a set of flags indicating checks passed
-     by a certificate chain. Add additional tests to handle client
-     certificates: checks for matching certificate type and issuer name
-     comparison.
-     [Steve Henson]
-
-  *) If an attempt is made to use a signature algorithm not in the peer
-     preference list abort the handshake. If client has no suitable
-     signature algorithms in response to a certificate request do not
-     use the certificate.
-     [Steve Henson]
-
-  *) If server EC tmp key is not in client preference list abort handshake.
-     [Steve Henson]
-
-  *) Add support for certificate stores in CERT structure. This makes it
-     possible to have different stores per SSL structure or one store in
-     the parent SSL_CTX. Include distint stores for certificate chain
-     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
-     to build and store a certificate chain in CERT structure: returing
-     an error if the chain cannot be built: this will allow applications
-     to test if a chain is correctly configured.
-
-     Note: if the CERT based stores are not set then the parent SSL_CTX
-     store is used to retain compatibility with existing behaviour.
-
-     [Steve Henson]
-
-  *) New function ssl_set_client_disabled to set a ciphersuite disabled
-     mask based on the current session, check mask when sending client
-     hello and checking the requested ciphersuite.
-     [Steve Henson]
-
-  *) New ctrls to retrieve and set certificate types in a certificate
-     request message. Print out received values in s_client. If certificate
-     types is not set with custom values set sensible values based on
-     supported signature algorithms.
-     [Steve Henson]
-
-  *) Support for distinct client and server supported signature algorithms.
-     [Steve Henson]
-
-  *) Add certificate callback. If set this is called whenever a certificate
-     is required by client or server. An application can decide which
-     certificate chain to present based on arbitrary criteria: for example
-     supported signature algorithms. Add very simple example to s_server.
-     This fixes many of the problems and restrictions of the existing client
-     certificate callback: for example you can now clear an existing
-     certificate and specify the whole chain.
-     [Steve Henson]
-
-  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
-     the certificate can be used for (if anything). Set valid_flags field 
-     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
-     to have similar checks in it.
-
-     Add new "cert_flags" field to CERT structure and include a "strict mode".
-     This enforces some TLS certificate requirements (such as only permitting
-     certificate signature algorithms contained in the supported algorithms
-     extension) which some implementations ignore: this option should be used
-     with caution as it could cause interoperability issues.
-     [Steve Henson]
-
-  *) Update and tidy signature algorithm extension processing. Work out
-     shared signature algorithms based on preferences and peer algorithms
-     and print them out in s_client and s_server. Abort handshake if no
-     shared signature algorithms.
-     [Steve Henson]
-
-  *) Add new functions to allow customised supported signature algorithms
-     for SSL and SSL_CTX structures. Add options to s_client and s_server
-     to support them.
-     [Steve Henson]
-
-  *) New function SSL_certs_clear() to delete all references to certificates
-     from an SSL structure. Before this once a certificate had been added
-     it couldn't be removed.
-     [Steve Henson]
-
-  *) Integrate hostname, email address and IP address checking with certificate
-     verification. New verify options supporting checking in opensl utility.
-     [Steve Henson]
-
-  *) Fixes and wildcard matching support to hostname and email checking
-     functions. Add manual page.
-     [Florian Weimer (Red Hat Product Security Team)]
-
-  *) New functions to check a hostname email or IP address against a
-     certificate. Add options x509 utility to print results of checks against
-     a certificate.
-     [Steve Henson]
-
-  *) Fix OCSP checking.
-     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
-
-  *) Initial experimental support for explicitly trusted non-root CAs. 
-     OpenSSL still tries to build a complete chain to a root but if an
-     intermediate CA has a trust setting included that is used. The first
-     setting is used: whether to trust (e.g., -addtrust option to the x509
-     utility) or reject.
-     [Steve Henson]
-
-  *) Add -trusted_first option which attempts to find certificates in the
-     trusted store even if an untrusted chain is also supplied.
-     [Steve Henson]
-
-  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
-     platform support for Linux and Android.
-     [Andy Polyakov]
-
-  *) Support for linux-x32, ILP32 environment in x86_64 framework.
-     [Andy Polyakov]
-
-  *) Experimental multi-implementation support for FIPS capable OpenSSL.
-     When in FIPS mode the approved implementations are used as normal,
-     when not in FIPS mode the internal unapproved versions are used instead.
-     This means that the FIPS capable OpenSSL isn't forced to use the
-     (often lower performance) FIPS implementations outside FIPS mode.
-     [Steve Henson]
-
-  *) Transparently support X9.42 DH parameters when calling
-     PEM_read_bio_DHparameters. This means existing applications can handle
-     the new parameter format automatically.
-     [Steve Henson]
-
-  *) Initial experimental support for X9.42 DH parameter format: mainly
-     to support use of 'q' parameter for RFC5114 parameters.
-     [Steve Henson]
-
-  *) Add DH parameters from RFC5114 including test data to dhtest.
-     [Steve Henson]
-
-  *) Support for automatic EC temporary key parameter selection. If enabled
-     the most preferred EC parameters are automatically used instead of
-     hardcoded fixed parameters. Now a server just has to call:
-     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
-     support ECDH and use the most appropriate parameters.
-     [Steve Henson]
-
-  *) Enhance and tidy EC curve and point format TLS extension code. Use
-     static structures instead of allocation if default values are used.
-     New ctrls to set curves we wish to support and to retrieve shared curves.
-     Print out shared curves in s_server. New options to s_server and s_client
-     to set list of supported curves.
-     [Steve Henson]
-
-  *) New ctrls to retrieve supported signature algorithms and 
-     supported curve values as an array of NIDs. Extend openssl utility
-     to print out received values.
-     [Steve Henson]
-
-  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
-     between NIDs and the more common NIST names such as "P-256". Enhance
-     ecparam utility and ECC method to recognise the NIST names for curves.
-     [Steve Henson]
-
-  *) Enhance SSL/TLS certificate chain handling to support different
-     chains for each certificate instead of one chain in the parent SSL_CTX.
-     [Steve Henson]
-
-  *) Support for fixed DH ciphersuite client authentication: where both
-     server and client use DH certificates with common parameters.
-     [Steve Henson]
-
-  *) Support for fixed DH ciphersuites: those requiring DH server
-     certificates.
-     [Steve Henson]
-
-  *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
-     the certificate.
-     Note: Related 1.0.2-beta specific macros X509_get_cert_info,
-     X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
-     X509_CINF_get_signature were reverted post internal team review.
-
- Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
-
   *) Abort handshake if server key exchange message is omitted for ephemeral
      ECDH ciphersuites.
 
@@ -693,6 +53,17 @@
      (CVE-2015-0204)
      [Steve Henson]
 
+  *) Fixed issue where DH client certificates are accepted without verification.
+     An OpenSSL server will accept a DH certificate for client authentication
+     without the certificate verify message. This effectively allows a client to
+     authenticate without the use of a private key. This only affects servers
+     which trust a client certificate authority which issues certificates
+     containing DH keys: these are extremely rare and hardly ever encountered.
+     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+     this issue.
+     (CVE-2015-0205)
+     [Steve Henson]
+
   *) Ensure that the session ID context of an SSL is updated when its
      SSL_CTX is updated via SSL_set_SSL_CTX.
 
@@ -737,6 +108,17 @@
      (CVE-2014-8275)
      [Steve Henson]
 
+   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+      results on some platforms, including x86_64. This bug occurs at random
+      with a very low probability, and is not known to be exploitable in any
+      way, though its exact impact is difficult to determine. Thanks to Pieter
+      Wuille (Blockstream) who reported this issue and also suggested an initial
+      fix. Further analysis was conducted by the OpenSSL development team and
+      Adam Langley of Google. The final fix was developed by Andy Polyakov of
+      the OpenSSL core team.
+      (CVE-2014-3570)
+      [Andy Polyakov]
+
    *) Do not resume sessions on the server if the negotiated protocol
       version does not match the session's version. Resuming with a different
       version, while not strictly forbidden by the RFC, is of questionable
@@ -1125,7 +507,7 @@
 
   *) Some servers which support TLS 1.0 can choke if we initially indicate
      support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
-     encrypted premaster secret. As a workaround use the maximum permitted
+     encrypted premaster secret. As a workaround use the maximum pemitted
      client version in client hello, this should keep such servers happy
      and still work with previous versions of OpenSSL.
      [Steve Henson]
@@ -1255,7 +637,7 @@
   *) Add GCM support to TLS library. Some custom code is needed to split
      the IV between the fixed (from PRF) and explicit (from TLS record)
      portions. This adds all GCM ciphersuites supported by RFC5288 and 
-     RFC5289. Generalise some AES* cipherstrings to include GCM and
+     RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
      add a special AESGCM string for GCM only.
      [Steve Henson]
 
@@ -1269,9 +651,9 @@
      [Steve Henson]
 
   *) For FIPS capable OpenSSL interpret a NULL default public key method
-     as unset and return the appropriate default but do *not* set the default.
-     This means we can return the appropriate method in applications that
-     switch between FIPS and non-FIPS modes.
+     as unset and return the appopriate default but do *not* set the default.
+     This means we can return the appopriate method in applications that
+     swicth between FIPS and non-FIPS modes.
      [Steve Henson]
 
   *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
@@ -2225,7 +1607,7 @@
   *) Add a ctrl to asn1 method to allow a public key algorithm to express
      a default digest type to use. In most cases this will be SHA1 but some
      algorithms (such as GOST) need to specify an alternative digest. The
-     return value indicates how strong the preference is 1 means optional and
+     return value indicates how strong the prefernce is 1 means optional and
      2 is mandatory (that is it is the only supported type). Modify
      ASN1_item_sign() to accept a NULL digest argument to indicate it should
      use the default md. Update openssl utilities to use the default digest
@@ -2270,7 +1652,7 @@
      manual pages.
      [Oliver Tappe <zooey@hirschkaefer.de>]
 
-  *) New utility "genpkey" this is analogous to "genrsa" etc except it can
+  *) New utility "genpkey" this is analagous to "genrsa" etc except it can
      generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
      support key and parameter generation and add initial key generation
      functionality for RSA.
@@ -2369,7 +1751,7 @@
      '-key2 ...', '-servername_fatal' (subject to change).  This allows
      testing the HostName extension for a specific single host name ('-cert'
      and '-key' remain fallbacks for handshakes without HostName
-     negotiation).  If the unrecognized_name alert has to be sent, this by
+     negotiation).  If the unrecogninzed_name alert has to be sent, this by
      default is a warning; it becomes fatal with the '-servername_fatal'
      option.
 
@@ -2822,7 +2204,7 @@
      processed after finishing the corresponding handshake. There is
      currently no limitation to this buffer allowing an attacker to perform
      a DOS attack with sending records with future epochs until there is no
-     memory left. This patch adds the pqueue_size() function to determine
+     memory left. This patch adds the pqueue_size() function to detemine
      the size of a buffer and limits the record buffer to 100 entries.
      (CVE-2009-1377)
      [Robin Seggelmann, discovered by Daniel Mentz] 	
@@ -2935,7 +2317,7 @@
      ChangeCipherSpec as first record (CVE-2009-1386).
      [PR #1679]
 
-  *) Fix a state transition in s3_srvr.c and d1_srvr.c
+  *) Fix a state transitition in s3_srvr.c and d1_srvr.c
      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
      [Nagendra Modadugu]
 
@@ -3205,7 +2587,7 @@
      '-key2 ...', '-servername_fatal' (subject to change).  This allows
      testing the HostName extension for a specific single host name ('-cert'
      and '-key' remain fallbacks for handshakes without HostName
-     negotiation).  If the unrecognized_name alert has to be sent, this by
+     negotiation).  If the unrecogninzed_name alert has to be sent, this by
      default is a warning; it becomes fatal with the '-servername_fatal'
      option.
 
@@ -3569,7 +2951,7 @@
      to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
      [Walter Goulet]
 
-  *) Remove buggy and incomplete DH cert support from
+  *) Remove buggy and incompletet DH cert support from
      ssl/ssl_rsa.c and ssl/s3_both.c
      [Nils Larsch]
 
@@ -3783,7 +3165,7 @@
      [Geoff Thorpe]
 
   *) Reorganise PKCS#7 code to separate the digest location functionality
-     into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
+     into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest().
      New function PKCS7_set_digest() to set the digest type for PKCS#7
      digestedData type. Add additional code to correctly generate the
      digestedData type and add support for this type in PKCS7 initialization
@@ -4055,7 +3437,7 @@
      [Geoff Thorpe and Richard Levitte]
 
   *) Add Makefile.shared, a helper makefile to build shared
-     libraries.  Adapt Makefile.org.
+     libraries.  Addapt Makefile.org.
      [Richard Levitte]
 
   *) Add version info to Win32 DLLs.
@@ -4759,7 +4141,7 @@
  Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
 
   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
-     via timing by performing a MAC computation even if incorrect
+     via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
      between bad padding and a MAC verification error. (CVE-2003-0078)
@@ -5180,7 +4562,7 @@
      default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
      [Steve Henson]
 
-  *) Preliminary ENGINE config module.
+  *) Prelminary ENGINE config module.
      [Steve Henson]
 
   *) New experimental application configuration code.
@@ -5355,7 +4737,7 @@
 
   *) New function SSL_renegotiate_pending().  This returns true once
      renegotiation has been requested (either SSL_renegotiate() call
-     or HelloRequest/ClientHello received from the peer) and becomes
+     or HelloRequest/ClientHello receveived from the peer) and becomes
      false once a handshake has been completed.
      (For servers, SSL_renegotiate() followed by SSL_do_handshake()
      sends a HelloRequest, but does not ensure that a handshake takes
@@ -6356,7 +5738,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      OCSP_SERVICELOC extension. Tidy up print OCSP format.
      [Steve Henson]
 
-  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
+  *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
      entries for variables.
      [Steve Henson]
 
@@ -6516,7 +5898,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 
 #if 0
-     The following entry accidentally appeared in the CHANGES file
+     The following entry accidentily appeared in the CHANGES file
      distributed with OpenSSL 0.9.7.  The modifications described in
      it do *not* apply to OpenSSL 0.9.7.
 
@@ -7100,7 +6482,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
 
   *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
-     should end in 'break', not 'goto end' which circumvents various
+     should end in 'break', not 'goto end' which circuments various
      cleanups done in state SSL_ST_OK.   But session related stuff
      must be disabled for SSL_ST_OK in the case that we just sent a
      HelloRequest.
@@ -7758,7 +7140,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Sven Uszpelkat <su@celocom.de>]
 
   *) Major change in util/mkdef.pl to include extra information
-     about each symbol, as well as presenting variables as well
+     about each symbol, as well as presentig variables as well
      as functions.  This change means that there's n more need
      to rebuild the .num files when some algorithms are excluded.
      [Richard Levitte]
@@ -8077,7 +7459,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) When some versions of IIS use the 'NET' form of private key the
      key derivation algorithm is different. Normally MD5(password) is
      used as a 128 bit RC4 key. In the modified case
-     MD5(MD5(password) + "SGCKEYSALT")  is used instead. Added some
+     MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
      new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
      as the old Netscape_RSA functions except they have an additional
      'sgckey' parameter which uses the modified algorithm. Also added
@@ -8365,7 +7747,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      its own key.
      ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
      to parameters -- in previous versions (since OpenSSL 0.9.3) the
-     'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
+     'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
      you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
      [Bodo Moeller]
 
@@ -8605,7 +7987,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      include a #define from the old name to the new. The original intent
      was that statically linked binaries could for example just call
      SSLeay_add_all_ciphers() to just add ciphers to the table and not
-     link with digests. This never worked because SSLeay_add_all_digests()
+     link with digests. This never worked becayse SSLeay_add_all_digests()
      and SSLeay_add_all_ciphers() were in the same source file so calling
      one would link with the other. They are now in separate source files.
      [Steve Henson]
@@ -8744,7 +8126,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
   *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
      X509_*() to X509at_*() on the grounds that they don't handle X509
-     structures and behave in an analogous way to the X509v3 functions:
+     structures and behave in an analagous way to the X509v3 functions:
      they shouldn't be called directly but wrapper functions should be used
      instead.
 
@@ -10388,7 +9770,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
 
   *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
-     advapi32.lib to Win32 build and change the pem test comparison
+     advapi32.lib to Win32 build and change the pem test comparision
      to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
      suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
      and crypto/des/ede_cbcm_enc.c.
@@ -10443,7 +9825,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      other platforms details on the command line without having to patch the
      Configure script everytime: One now can use ``perl Configure
      <id>:<details>'', i.e. platform ids are allowed to have details appended
-     to them (separated by colons). This is treated as there would be a static
+     to them (seperated by colons). This is treated as there would be a static
      pre-configured entry in Configure's %table under key <id> with value
      <details> and ``perl Configure <id>'' is called.  So, when you want to
      perform a quick test-compile under FreeBSD 3.1 with pgcc and without
@@ -10473,7 +9855,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 
   *) General source tree makefile cleanups: Made `making xxx in yyy...'
      display consistent in the source tree and replaced `/bin/rm' by `rm'.
-     Additionally cleaned up the `make links' target: Remove unnecessary
+     Additonally cleaned up the `make links' target: Remove unnecessary
      semicolons, subsequent redundant removes, inline point.sh into mklink.sh
      to speed processing and no longer clutter the display with confusing
      stuff. Instead only the actually done links are displayed.
@@ -10784,7 +10166,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      error code, add initial support to X509_print() and x509 application.
      [Steve Henson]
 
-  *) Takes a deep breath and start adding X509 V3 extension support code. Add
+  *) Takes a deep breath and start addding X509 V3 extension support code. Add
      files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
      stuff is currently isolated and isn't even compiled yet.
      [Steve Henson]
@@ -10958,7 +10340,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fixed sk_insert which never worked properly.
      [Steve Henson]
 
-  *) Fix ASN1 macros so they can handle indefinite length constructed 
+  *) Fix ASN1 macros so they can handle indefinite length construted 
      EXPLICIT tags. Some non standard certificates use these: they can now
      be read in.
      [Steve Henson]
@@ -10966,7 +10348,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
      into a single doc/ssleay.txt bundle. This way the information is still
      preserved but no longer messes up this directory. Now it's new room for
-     the new set of documentation files.
+     the new set of documenation files.
      [Ralf S. Engelschall]
 
   *) SETs were incorrectly DER encoded. This was a major pain, because they

CHANGES.SSLeay

@@ -29,7 +29,7 @@ eric (about to go bushwalking for the 4 day easter break :-)
 7-Jan-98
     - Finally reworked the cipher string to ciphers again, so it
       works correctly
-    - All the app_data stuff is now ex_data with function calls to access.
+    - All the app_data stuff is now ex_data with funcion calls to access.
       The index is supplied by a function and 'methods' can be setup
       for the types that are called on XXX_new/XXX_free.  This lets
       applications get notified on creation and destruction.  Some of
@@ -937,7 +937,7 @@ Reasons to start playing with version 0.5.0
   certificate, it is my aim to use perl5/Tk but I don't have time to do
   this right now.  It will generate the certificates but the management
   scripts still need to be written.  This is not a hard task.
-- Things have been cleaned up a lot.
+- Things have been cleaned up alot.
 - Have a look at the enc and dgst programs in the apps directory.
 - It supports v3 of x509 certiticates.
 

Configure

@@ -3,8 +3,6 @@ eval 'exec perl -S $0 ${1+"$@"}'
     if $running_under_some_shell;
 ##
 ##  Configure -- OpenSSL source tree configuration script
-##  If editing this file, run this command before committing
-##	make -f Makefile.org TABLE
 ##
 
 require 5.000;
@@ -62,7 +60,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 # 386           generate 80386 code
 # no-sse2	disables IA-32 SSE2 code, above option implies no-sse2
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
-# -<xxx> +<xxx> compiler options are passed through
+# -<xxx> +<xxx> compiler options are passed through 
 #
 # DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items
 #		provided to stack calls. Generates unique stack functions for
@@ -103,12 +101,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 # AES_ASM	ASE_[en|de]crypt is implemented in assembler
 
 # Minimum warning options... any contributions to OpenSSL should at least get
-# past these.
+# past these. 
 
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
 
-my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum";
-
 my $strict_warnings = 0;
 
 my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
@@ -128,28 +124,27 @@ my $tlib="-lnsl -lsocket";
 my $bits1="THIRTY_TWO_BIT ";
 my $bits2="SIXTY_FOUR_BIT ";
 
-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:e_padlock-x86.o";
+my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
 
 my $x86_elf_asm="$x86_asm:elf";
 
-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o:e_padlock-x86_64.o";
-my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
-my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o::void";
-my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
-my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
-my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
-my $mips32_asm=$mips64_asm; $mips32_asm =~ s/\s*sha512\-mips\.o//;
-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
-my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o::void";
-my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
-my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
-my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
-my $ppc32_asm=$ppc64_asm;
-my $no_asm="::::::::::::::::void";
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:";
+my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
+my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::void";
+my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::void";
+my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::void";
+my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
+my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
+my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
+my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
+my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
+my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
+my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
+my $no_asm=":::::::::::::::void";
 
 # As for $BSDthreads. Idea is to maintain "collective" set of flags,
-# which would cover all BSD flavors. -pthread applies to them all,
+# which would cover all BSD flavors. -pthread applies to them all, 
 # but is treated differently. OpenBSD expands is as -D_POSIX_THREAD
 # -lc_r, which is sufficient. FreeBSD 4.x expands it as -lc_r,
 # which has to be accompanied by explicit -D_THREAD_SAFE and
@@ -157,7 +152,7 @@ my $no_asm="::::::::::::::::void";
 # seems to be sufficient?
 my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
 
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $ec_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
 
 my %table=(
 # File 'TABLE' (created by 'make TABLE') contains the data from this list,
@@ -175,21 +170,19 @@ my %table=(
 "debug-ben",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DDEBUG_SAFESTACK -O2 -pipe::(unknown):::::",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DOPENSSL_NO_HW_PADLOCK -g3 -O2 -pipe::(unknown)::::::",
+"debug-ben-debug",	"gcc44:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O2 -pipe::(unknown)::::::",
 "debug-ben-debug-64",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-ben-debug-64-clang",	"clang:$gcc_devteam_warn -fsanitize=undefined -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-ben-debug-64-noopt",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-ben-macos",	"cc:$gcc_devteam_warn -DOPENSSL_NO_ASM -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -DL_ENDIAN -g3 -pipe::(unknown)::::::",
+"debug-ben-macos",	"cc:$gcc_devteam_warn -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::-Wl,-search_paths_first::::",
+"debug-ben-macos-gcc46",	"gcc-mp-4.6:$gcc_devteam_warn -Wconversion -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::::::",
+"debug-ben-darwin64","cc:$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
-"debug-ben-darwin64","cc:$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:$x86_64_asm:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"debug-erbridge",   "gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
 "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -200,13 +193,11 @@ my %table=(
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o:e_padlock-x86.o:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "dist",		"cc:-O::(unknown)::::::",
-"debug-test-64-clang",	"clang:$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"darwin64-debug-test-64-clang",  "clang:-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:MACOSX::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 # Basic configs that should work on any (32 and less bit) box
 "gcc",		"gcc:-O3::(unknown):::BN_LLONG:::",
@@ -232,9 +223,9 @@ my %table=(
 # compiler:-)
 #						<appro@fy.chalmers.se>
 "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
-
+ 
 #### Solaris x86 with Sun C setups
-"solaris-x86-cc","cc:-fast -xarch=generic -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
 
 #### SPARC Solaris with GNU C setups
@@ -257,7 +248,11 @@ my %table=(
 "solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
 ####
 "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
+
+#### SunOS configs, assuming sparc for the gcc one.
+#"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
 
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
@@ -305,7 +300,7 @@ my %table=(
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
 "hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
-"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o:::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
+"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
@@ -323,7 +318,7 @@ my %table=(
 "hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:+Z:+DD64 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/hpux64",
 # GCC builds...
 "hpux-ia64-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:-fpic:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/hpux32",
-"hpux64-ia64-gcc","gcc:-mlp64 -O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:-fpic:-mlp64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/hpux64",
+"hpux64-ia64-gcc","gcc:-mlp64 -O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:-fpic:-mlp64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/hpux64", 
 
 # Legacy HPUX 9.X configs...
 "hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -352,57 +347,20 @@ my %table=(
 # throw in -D[BL]_ENDIAN, whichever appropriate...
 "linux-generic32","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
-#######################################################################
-# Note that -march is not among compiler options in below linux-armv4
-# target line. Not specifying one is intentional to give you choice to:
-#
-# a) rely on your compiler default by not specifying one;
-# b) specify your target platform explicitly for optimal performance,
-#    e.g. -march=armv6 or -march=armv7-a;
-# c) build "universal" binary that targets *range* of platforms by
-#    specifying minimum and maximum supported architecture;
-#
-# As for c) option. It actually makes no sense to specify maximum to be
-# less than ARMv7, because it's the least requirement for run-time
-# switch between platform-specific code paths. And without run-time
-# switch performance would be equivalent to one for minimum. Secondly,
-# there are some natural limitations that you'd have to accept and
-# respect. Most notably you can *not* build "universal" binary for
-# big-endian platform. This is because ARMv7 processor always picks
-# instructions in little-endian order. Another similar limitation is
-# that -mthumb can't "cross" -march=armv6t2 boundary, because that's
-# where it became Thumb-2. Well, this limitation is a bit artificial,
-# because it's not really impossible, but it's deemed too tricky to
-# support. And of course you have to be sure that your binutils are
-# actually up to the task of handling maximum target platform. With all
-# this in mind here is an example of how to configure "universal" build:
-#
-#       ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
-#
+# It's believed that majority of ARM toolchains predefine appropriate -march.
+# If you compiler does not, do complement config command line with one!
 "linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-aarch64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# Configure script adds minimally required -march for assembly support,
-# if no -march was specified at command line. mips32 and mips64 below
-# refer to contemporary MIPS Architecture specifications, MIPS32 and
-# MIPS64, rather than to kernel bitness.
-"linux-mips32",	"gcc:-mabi=32 -DTERMIO -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-mips64",   "gcc:-mabi=n32 -DTERMIO -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
-"linux64-mips64",   "gcc:-mabi=64 -DTERMIO -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### IA-32 targets...
-"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
 ####
 "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
 "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-x86_64-clang",	"clang: -m64 -DL_ENDIAN -DTERMIO -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-x86_64-icc", "icc:-DL_ENDIAN -DTERMIO -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-x32",	"gcc:-mx32 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32:",
 "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@@ -444,15 +402,11 @@ my %table=(
 "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-#
-# TI_CGT_C6000_7.3.x is a requirement
-"linux-c64xplus","cl6x:--linux -ea=.s -eo=.o -mv6400+ -o2 -ox -ms -pden -DOPENSSL_SMALL_FOOTPRINT::-D_REENTRANT:::BN_LLONG:c64xpluscpuid.o:bn-c64xplus.o c64xplus-gf2m.o:::aes-c64xplus.o aes_cbc.o aes_ctr.o:::sha1-c64xplus.o sha256-c64xplus.o sha512-c64xplus.o::rc4-c64xplus.o:::::ghash-c64xplus.o::void:dlfcn:linux-shared:--pic:-z --sysv --shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):true",
 
 # Android: linux-* but without -DTERMIO and pointers to headers and libs.
 "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### *BSD [do see comment about ${BSDthreads} above!]
 "BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -474,11 +428,18 @@ my %table=(
 "nextstep",	"cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 "nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 
+# NCR MP-RAS UNIX ver 02.03.01
+"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl -lc89:${x86_gcc_des} ${x86_gcc_opts}:::",
+
 # QNX
 "qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
 "QNX6",       "gcc:-DTERMIOS::::-lsocket::${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "QNX6-i386",  "gcc:-DL_ENDIAN -DTERMIOS -O2 -Wall::::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
+# BeOS
+"beos-x86-r5",   "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT:BEOS:-lbe -lnet:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:beos:beos-shared:-fPIC -DPIC:-shared:.so",
+"beos-x86-bone", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT:BEOS:-lbe -lbind -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:beos:beos-shared:-fPIC:-shared:.so",
+
 #### SCO/Caldera targets.
 #
 # Originally we had like unixware-*, unixware-*-pentium, unixware-*-p6, etc.
@@ -493,20 +454,57 @@ my %table=(
 # UnixWare 2.0x fails destest with -O.
 "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}-1:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
-"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### IBM's AIX.
 "aix3-cc",  "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
-"aix-gcc",  "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:$ppc32_asm:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
-"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:$ppc64_asm:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
+"aix-gcc",  "gcc:-O -DB_ENDIAN::-pthread:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X32",
+"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
 # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
 # at build time. $OBJECT_MODE is respected at ./config stage!
-"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:$ppc32_asm:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:$ppc64_asm:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+
+#
+# Cray T90 and similar (SDSC)
+# It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT
+# defined.  The T90 ints and longs are 8 bytes long, and apparently the
+# B_ENDIAN code assumes 4 byte ints.  Fortunately, the non-B_ENDIAN and
+# non L_ENDIAN code aligns the bytes in each word correctly.
+#
+# The BIT_FIELD_LIMITS define is to avoid two fatal compiler errors:
+#'Taking the address of a bit field is not allowed. '
+#'An expression with bit field exists as the operand of "sizeof" '
+# (written by Wayne Schroeder <schroede@SDSC.EDU>)
+#
+# j90 is considered the base machine type for unicos machines,
+# so this configuration is now called "cray-j90" ...
+"cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::",
+
+#
+# Cray T3E (Research Center Juelich, beckman@acl.lanl.gov)
+#
+# The BIT_FIELD_LIMITS define was written for the C90 (it seems).  I added
+# another use.  Basically, the problem is that the T3E uses some bit fields
+# for some st_addr stuff, and then sizeof and address-of fails
+# I could not use the ams/alpha.o option because the Cray assembler, 'cam'
+# did not like it.
+"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::",
+
+# DGUX, 88100.
+"dgux-R3-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):::RC4_INDEX DES_UNROLL:::",
+"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
+"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+
+# Sinix/ReliantUNIX RM400
+# NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
+"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:${no_asm}:dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
+"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",
 
 # SIEMENS BS2000/OSD: an EBCDIC-based mainframe
 "BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown)::-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
@@ -520,9 +518,9 @@ my %table=(
 # Visual C targets
 #
 # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
-"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
+"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
 "VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
-"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
+"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
 "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
 # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
@@ -545,13 +543,12 @@ my %table=(
 # with itself, Applink is never engaged and can as well be omitted.
 "mingw64", "gcc:-mno-cygwin -DL_ENDIAN -O3 -Wall -DWIN32_LEAN_AND_MEAN -DUNICODE -D_UNICODE::-D_MT:MINGW64:-lws2_32 -lgdi32 -lcrypt32:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${x86_64_asm}:mingw64:win32:cygwin-shared:-D_WINDLL:-mno-cygwin:.dll.a",
 
-# UWIN
+# UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
 
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
 "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:coff:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
-"Cygwin-x86_64", "gcc:-DTERMIOS -DL_ENDIAN -O3 -Wall:::CYGWIN32::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:mingw64:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
 "debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
 
 # NetWare from David Ward (dsward@novell.com)
@@ -578,35 +575,23 @@ my %table=(
 # K&R C is no longer supported; you need gcc on old Ultrix installations
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
 
-##### MacOS X (a.k.a. Darwin) setup
+##### MacOS X (a.k.a. Rhapsody or Darwin) setup
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
 "darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN -Wa,-force_cpusubtype_ALL::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 # iPhoneOS/iOS
-#
-# It takes three prior-set environment variables to make it work:
-#
-# CROSS_COMPILE=/where/toolchain/is/usr/bin/ [note ending slash]
-# CROSS_TOP=/where/SDKs/are
-# CROSS_SDK=iPhoneOSx.y.sdk
-#
-# Exact paths vary with Xcode releases, but for couple of last ones
-# they would look like this:
-#
-# CROSS_COMPILE=`xcode-select --print-path`/Toolchains/XcodeDefault.xctoolchain/usr/bin/
-# CROSS_TOP=`xcode-select --print-path`/Platforms/iPhoneOS.platform/Developer
-# CROSS_SDK=iPhoneOS7.0.sdk
-#
-"iphoneos-cross","cc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"ios64-cross","cc:-O3 -arch arm64 -mios-version-min=7.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR -RC4_CHUNK DES_INT DES_UNROLL -BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 
+##### Sony NEWS-OS 4.x
+"newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
+
 ##### GNU Hurd
 "hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",
 
@@ -623,6 +608,9 @@ my %table=(
 "vxworks-simlinux","ccpentium:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DL_ENDIAN -DCPU=SIMLINUX -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -DNO_STRINGS_H -I\$(WIND_BASE)/target/h -I\$(WIND_BASE)/target/h/wrn/coreip -DOPENSSL_NO_HW_PADLOCK:::VXWORKS:-r::${no_asm}::::::ranlibpentium:",
 "vxworks-mips","ccmips:-mrtp -mips2 -O -G 0 -B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DCPU=MIPS32 -msoft-float -mno-branch-likely -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -DNO_STRINGS_H -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/h/wrn/coreip::-D_REENTRANT:VXWORKS:-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/mips/MIPSI32/sfcommon::${mips32_asm}:o32::::::ranlibmips:",
 
+##### Compaq Non-Stop Kernel (Tandem)
+"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
+
 # uClinux
 "uClinux-dist","$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):BN_LLONG:${no_asm}:$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::",
 "uClinux-dist64","$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):SIXTY_FOUR_BIT_LONG:${no_asm}:$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::",
@@ -632,7 +620,7 @@ my %table=(
 my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A
 		    debug-VC-WIN64I debug-VC-WIN64A
 		    VC-NT VC-CE VC-WIN32 debug-VC-WIN32
-		    BC-32
+		    BC-32 
 		    netware-clib netware-clib-bsdsock
 		    netware-libc netware-libc-bsdsock);
 
@@ -646,7 +634,6 @@ my $idx_lflags = $idx++;
 my $idx_bn_ops = $idx++;
 my $idx_cpuid_obj = $idx++;
 my $idx_bn_obj = $idx++;
-my $idx_ec_obj = $idx++;
 my $idx_des_obj = $idx++;
 my $idx_aes_obj = $idx++;
 my $idx_bf_obj = $idx++;
@@ -676,8 +663,8 @@ my $openssldir="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";
-my $fipslibdir="/usr/local/ssl/fips-2.0/lib/";
-my $nofipscanistercheck=0;
+my $fipsdir="/usr/local/ssl/fips-2.0";
+my $fipslibdir="";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
 my $threads=0;
@@ -715,10 +702,15 @@ my $default_ranlib;
 my $perl;
 my $fips=0;
 
+if (exists $ENV{FIPSDIR})
+	{
+	$fipsdir = $ENV{FIPSDIR};
+	$fipsdir =~ s/\/$//;
+	}
+
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
 my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
-		 "deprecated" => "default",
 		 "ec_nistp_64_gcc_128" => "default",
 		 "gmp"		  => "default",
 		 "jpake"          => "experimental",
@@ -727,7 +719,6 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 		 "rfc3779"	  => "default",
 		 "sctp"       => "default",
 		 "shared"         => "default",
-		 "ssl-trace"	  => "default",
 		 "store"	  => "experimental",
 		 "unit-test"	  => "default",
 		 "zlib"           => "default",
@@ -737,7 +728,7 @@ my @experimental = ();
 
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
@@ -806,6 +797,7 @@ PROCESS_ARGS:
 				{
 				if ($1 eq "ssl")
 					{
+					$disabled{"ssl2"} = "option(ssl)";
 					$disabled{"ssl3"} = "option(ssl)";
 					}
 				elsif ($1 eq "tls")
@@ -821,7 +813,7 @@ PROCESS_ARGS:
 					{
 					$disabled{$1} = "option";
 					}
-				}
+				}			
 			}
 		elsif (/^enable-(.+)$/ || /^experimental-(.+)$/)
 			{
@@ -879,14 +871,18 @@ PROCESS_ARGS:
 			# The check for the option is there so scripts aren't
 			# broken
 			}
-		elsif (/^nofipscanistercheck$/)
-			{
-			$fips = 1;
-			$nofipscanistercheck = 1;
-			}
 		elsif (/^[-+]/)
 			{
-			if (/^--prefix=(.*)$/)
+			if (/^-[lL](.*)$/ or /^-Wl,/)
+				{
+				$libs.=$_." ";
+				}
+			elsif (/^-[^-]/ or /^\+/)
+				{
+				$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
+				$flags.=$_." ";
+				}
+			elsif (/^--prefix=(.*)$/)
 				{
 				$prefix=$1;
 				}
@@ -914,9 +910,13 @@ PROCESS_ARGS:
 				{
 				$withargs{"zlib-include"}="-I$1";
 				}
+			elsif (/^--with-fipsdir=(.*)$/)
+				{
+				$fipsdir="$1";
+				}
 			elsif (/^--with-fipslibdir=(.*)$/)
 				{
-				$fipslibdir="$1/";
+				$fipslibdir="$1";
 				}
 			elsif (/^--with-baseaddr=(.*)$/)
 				{
@@ -926,14 +926,10 @@ PROCESS_ARGS:
 				{
 				$cross_compile_prefix=$1;
 				}
-			elsif (/^-[lL](.*)$/ or /^-Wl,/)
+			else
 				{
-				$libs.=$_." ";
-				}
-			else	# common if (/^[-+]/), just pass down...
-				{
-				$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
-				$flags.=$_." ";
+				print STDERR $usage;
+				exit(1);
 				}
 			}
 		elsif ($_ =~ /^([^:]+):(.+)$/)
@@ -994,6 +990,23 @@ if (defined($disabled{"ec"}))
 	$disabled{"ecdh"} = "forced";
 	}
 
+# SSL 2.0 requires MD5 and RSA
+if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
+	{
+	$disabled{"ssl2"} = "forced";
+	}
+
+if ($fips && $fipslibdir eq "")
+	{
+	$fipslibdir = $fipsdir . "/lib/";
+	}
+
+# RSAX ENGINE sets default non-FIPS RSA method.
+if ($fips)
+	{
+	$disabled{"rsax"} = "forced";
+	}
+
 # SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
 if (defined($disabled{"md5"}) || defined($disabled{"sha"})
     || (defined($disabled{"rsa"})
@@ -1044,10 +1057,6 @@ print "Configuring for $target\n";
 
 &usage if (!defined($table{$target}));
 
-if ($fips)
-	{
-	delete $disabled{"shared"} if ($disabled{"shared"} eq "default");
-	}
 
 foreach (sort (keys %disabled))
 	{
@@ -1080,7 +1089,7 @@ foreach (sort (keys %disabled))
 			{
 			$openssl_other_defines .= "#define OPENSSL_NO_$ALGO\n";
 			print " OPENSSL_NO_$ALGO";
-
+		
 			if (/^err$/)	{ $flags .= "-DOPENSSL_NO_ERR "; }
 			elsif (/^asm$/)	{ $no_asm = 1; }
 			}
@@ -1107,7 +1116,6 @@ foreach (sort (keys %disabled))
 	}
 
 my $exp_cflags = "";
-
 foreach (sort @experimental)
 	{
 	my $ALGO;
@@ -1123,24 +1131,7 @@ my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
 $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target =~ /^mingw/);
 $exe_ext=".nlm" if ($target =~ /netware/);
 $exe_ext=".pm"  if ($target =~ /vos/);
-if ($openssldir eq "" and $prefix eq "")
-	{
-	if ($fips)
-		{
-		if (exists $ENV{FIPSDIR})
-			{
-			$openssldir="$ENV{FIPSDIR}";
-			}
-		else
-			{
-			$openssldir="/usr/local/ssl/fips-2.0";
-			}
-		}
-	else
-		{
-		$openssldir="/usr/local/ssl";
-		}
-	}
+$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
 
 $default_ranlib= &which("ranlib") or $default_ranlib="true";
@@ -1148,10 +1139,6 @@ $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
   or $perl="perl";
 my $make = $ENV{'MAKE'} || "make";
 
-my $fips_auth_key = $ENV{'FIPS_AUTH_KEY'};
-my $fips_auth_officer = $ENV{'FIPS_AUTH_OFFICER'};
-my $fips_auth_user = $ENV{'FIPS_AUTH_USER'};
-
 $cross_compile_prefix=$ENV{'CROSS_COMPILE'} if $cross_compile_prefix eq "";
 
 chop $openssldir if $openssldir =~ /\/$/;
@@ -1177,7 +1164,6 @@ my $lflags = $fields[$idx_lflags];
 my $bn_ops = $fields[$idx_bn_ops];
 my $cpuid_obj = $fields[$idx_cpuid_obj];
 my $bn_obj = $fields[$idx_bn_obj];
-my $ec_obj = $fields[$idx_ec_obj];
 my $des_obj = $fields[$idx_des_obj];
 my $aes_obj = $fields[$idx_aes_obj];
 my $bf_obj = $fields[$idx_bf_obj];
@@ -1223,12 +1209,6 @@ if ($target =~ /^mingw/ && `$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
 	$shared_ldflag =~ s/\-mno\-cygwin\s*//;
 	}
 
-if ($target =~ /linux.*\-mips/ && !$no_asm && $flags !~ /\-m(ips|arch=)/) {
-	# minimally required architecture flags for assembly modules
-	$cflags="-mips2 $cflags" if ($target =~ /mips32/);
-	$cflags="-mips3 $cflags" if ($target =~ /mips64/);
-}
-
 my $no_shared_warn=0;
 my $no_user_cflags=0;
 
@@ -1349,21 +1329,15 @@ else
 #			$thread_defines .= "#define $def\n";
 #			}
 #		}
-	}
+	}	
 
 $lflags="$libs$lflags" if ($libs ne "");
 
 if ($no_asm)
 	{
-	$cpuid_obj=$bn_obj=$ec_obj=
+	$cpuid_obj=$bn_obj=
 	$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
 	$modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
-	$cflags=~s/\-D[BL]_ENDIAN//		if ($fips);
-	$thread_cflags=~s/\-D[BL]_ENDIAN//	if ($fips);
-	}
-elsif (defined($disabled{ec2m}))
-	{
-	$bn_obj =~ s/\w+-gf2m.o//;
 	}
 
 if (!$no_shared)
@@ -1397,17 +1371,11 @@ if ($zlib)
 		}
 	}
 
-#Build the library with OPENSSL_USE_DEPRECATED if deprecation is not disabled
-if(!defined($disabled{"deprecated"}))
-	{
-	$cflags = "-DOPENSSL_USE_DEPRECATED $cflags";
-	}
-
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
 if ($shared_target eq "")
 	{
-	$no_shared_warn = 1 if !$no_shared && !$fips;
+	$no_shared_warn = 1 if !$no_shared;
 	$no_shared = 1;
 	}
 if (!$no_shared)
@@ -1448,7 +1416,6 @@ if ($target =~ /\-icc$/)	# Intel C compiler
 		}
 	if ($iccver>=8)
 		{
-		$cflags=~s/\-KPIC/-fPIC/;
 		# Eliminate unnecessary dependency from libirc.a. This is
 		# essential for shared library support, as otherwise
 		# apps/openssl can end up in endless loop upon startup...
@@ -1456,17 +1423,12 @@ if ($target =~ /\-icc$/)	# Intel C compiler
 		}
 	if ($iccver>=9)
 		{
-		$lflags.=" -i-static";
-		$lflags=~s/\-no_cpprt/-no-cpprt/;
+		$cflags.=" -i-static";
+		$cflags=~s/\-no_cpprt/-no-cpprt/;
 		}
 	if ($iccver>=10)
 		{
-		$lflags=~s/\-i\-static/-static-intel/;
-		}
-	if ($iccver>=11)
-		{
-		$cflags.=" -no-intel-extensions";	# disable Cilk
-		$lflags=~s/\-no\-cpprt/-no-cxxlib/;
+		$cflags=~s/\-i\-static/-static-intel/;
 		}
 	}
 
@@ -1513,6 +1475,7 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($bn_obj =~ /-gf2m/);
 if ($fips)
 	{
 	$openssl_other_defines.="#define OPENSSL_FIPS\n";
+	$cflags .= " -I\$(FIPSDIR)/include";
 	}
 
 $cpuid_obj="mem_clr.o"	unless ($cpuid_obj =~ /\.o$/);
@@ -1546,11 +1509,11 @@ if ($rmd160_obj =~ /\.o$/)
 	}
 if ($aes_obj =~ /\.o$/)
 	{
-	$cflags.=" -DAES_ASM" if ($aes_obj =~ m/\baes\-/);;
+	$cflags.=" -DAES_ASM";
 	# aes-ctr.o is not a real file, only indication that assembler
 	# module implements AES_ctr32_encrypt...
 	$cflags.=" -DAES_CTR_ASM" if ($aes_obj =~ s/\s*aes\-ctr\.o//);
-	# aes-xts.o indicates presence of AES_xts_[en|de]crypt...
+	# aes-xts.o indicates presense of AES_xts_[en|de]crypt...
 	$cflags.=" -DAES_XTS_ASM" if ($aes_obj =~ s/\s*aes\-xts\.o//);
 	$aes_obj =~ s/\s*(vpaes|aesni)\-x86\.o//g if ($no_sse2);
 	$cflags.=" -DVPAES_ASM" if ($aes_obj =~ m/vpaes/);
@@ -1568,14 +1531,10 @@ else	{
 	$wp_obj="wp_block.o";
 	}
 $cmll_obj=$cmll_enc	unless ($cmll_obj =~ /.o$/);
-if ($modes_obj =~ /ghash\-/)
+if ($modes_obj =~ /ghash/)
 	{
 	$cflags.=" -DGHASH_ASM";
 	}
-if ($ec_obj =~ /ecp_nistz256/)
-	{
-	$cflags.=" -DECP_NISTZ256_ASM";
-	}
 
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
@@ -1616,19 +1575,18 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 if ($strict_warnings)
 	{
 	my $wopt;
-	die "ERROR --strict-warnings requires gcc or clang" unless ($cc =~ /gcc$/ or $cc =~ /clang$/);
+	die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
 	foreach $wopt (split /\s+/, $gcc_devteam_warn)
 		{
 		$cflags .= " $wopt" unless ($cflags =~ /$wopt/)
 		}
 	}
 
-open(IN,"<Makefile.org") || die "unable to read Makefile.org:$!\n";
+open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
 unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
 open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
-
 while (<IN>)
 	{
 	chomp;
@@ -1641,7 +1599,6 @@ while (<IN>)
 			}
 		}
 	$sdirs = 0 unless /\\$/;
-        s/fips // if (/^DIRS=/ && !$fips);
         s/engines // if (/^DIRS=/ && $disabled{"engine"});
 	s/ccgost// if (/^ENGDIRS=/ && $disabled{"gost"});
 	s/^VERSION=.*/VERSION=$version/;
@@ -1672,7 +1629,7 @@ while (<IN>)
 		s/^CC=.*$/CC= $cc/;
 		s/^AR=\s*ar/AR= $ar/;
 		s/^RANLIB=.*/RANLIB= $ranlib/;
-		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc" || ($cc eq 'cc' && $target =~ /darwin/);
+		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
 		}
 	s/^CFLAG=.*$/CFLAG= $cflags/;
 	s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
@@ -1681,7 +1638,6 @@ while (<IN>)
 	s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
 	s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
 	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
-	s/^EC_ASM=.*$/EC_ASM= $ec_obj/;
 	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
 	s/^AES_ENC=.*$/AES_ENC= $aes_obj/;
 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
@@ -1703,11 +1659,12 @@ while (<IN>)
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+
+	s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
 	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
 	s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
-	s/^SHARED_FIPS=.*/SHARED_FIPS=/;
-	s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
 	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@@ -1742,7 +1699,6 @@ print "CFLAG         =$cflags\n";
 print "EX_LIBS       =$lflags\n";
 print "CPUID_OBJ     =$cpuid_obj\n";
 print "BN_ASM        =$bn_obj\n";
-print "EC_ASM        =$ec_obj\n";
 print "DES_ENC       =$des_obj\n";
 print "AES_ENC       =$aes_obj\n";
 print "BF_ENC        =$bf_obj\n";
@@ -1952,8 +1908,8 @@ print "RC4_CHUNK is unsigned long long\n" if $rc4_chunk==2;
 print "MD2 uses u$type[$md2_int]\n" if $md2_int != $def_int;
 print "IDEA uses u$type[$idea_int]\n" if $idea_int != $def_int;
 print "RC2 uses u$type[$rc2_int]\n" if $rc2_int != $def_int;
-print "BF_PTR used\n" if $bf_ptr == 1;
-print "BF_PTR2 used\n" if $bf_ptr == 2;
+print "BF_PTR used\n" if $bf_ptr == 1; 
+print "BF_PTR2 used\n" if $bf_ptr == 2; 
 
 if($IsMK1MF) {
 	open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h";
@@ -1973,7 +1929,7 @@ EOF
 	$make_targets .= " links" if $symlink;
 	$make_targets .= " depend" if $depflags ne $default_depflags && $make_depend;
 	$make_targets .= " gentests" if $symlink;
-	(system $make_command.$make_targets) == 0 or die "make $make_targets failed"
+	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
@@ -2026,16 +1982,9 @@ BEGIN
     BEGIN
 	BLOCK "040904b0"
 	BEGIN
-#if defined(FIPS)
-	    VALUE "Comments", "WARNING: TEST VERSION ONLY ***NOT*** FIPS 140-2 VALIDATED.\\0"
-#endif
-	    // Required:
+	    // Required:	    
 	    VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
-#if defined(FIPS)
-	    VALUE "FileDescription", "TEST UNVALIDATED FIPS140-2 DLL\\0"
-#else
 	    VALUE "FileDescription", "OpenSSL Shared Library\\0"
-#endif
 	    VALUE "FileVersion", "$version\\0"
 #if defined(CRYPTO)
 	    VALUE "InternalName", "libeay32\\0"
@@ -2043,9 +1992,6 @@ BEGIN
 #elif defined(SSL)
 	    VALUE "InternalName", "ssleay32\\0"
 	    VALUE "OriginalFilename", "ssleay32.dll\\0"
-#elif defined(FIPS)
-	    VALUE "InternalName", "libosslfips\\0"
-	    VALUE "OriginalFilename", "libosslfips.dll\\0"
 #endif
 	    VALUE "ProductName", "The OpenSSL Toolkit\\0"
 	    VALUE "ProductVersion", "$version\\0"
@@ -2065,7 +2011,7 @@ END
 EOF
 	close(OUT);
   }
-
+  
 print <<EOF;
 
 Configured for $target.
@@ -2160,14 +2106,14 @@ sub print_table_entry
 	{
 	my $target = shift;
 
-	my ($cc, $cflags, $unistd, $thread_cflag, $sys_id, $lflags,
-	    $bn_ops, $cpuid_obj, $bn_obj, $ec_obj, $des_obj, $aes_obj, $bf_obj,
-	    $md5_obj, $sha1_obj, $cast_obj, $rc4_obj, $rmd160_obj,
-	    $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj,
-	    $perlasm_scheme, $dso_scheme, $shared_target, $shared_cflag,
-	    $shared_ldflag, $shared_extension, $ranlib, $arflags, $multilib)=
+	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
+	my $bn_ops,my $cpuid_obj,my $bn_obj,my $des_obj,my $aes_obj, my $bf_obj,
+	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
+	my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
+	my $perlasm_scheme,my $dso_scheme,my $shared_target,my $shared_cflag,
+	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags,my $multilib)=
 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
-
+			
 	print <<EOF
 
 *** $target
@@ -2180,7 +2126,6 @@ sub print_table_entry
 \$bn_ops       = $bn_ops
 \$cpuid_obj    = $cpuid_obj
 \$bn_obj       = $bn_obj
-\$ec_obj       = $ec_obj
 \$des_obj      = $des_obj
 \$aes_obj      = $aes_obj
 \$bf_obj       = $bf_obj

FAQ

@@ -35,7 +35,6 @@ OpenSSL  -  Frequently Asked Questions
 * What is a "128 bit certificate"? Can I create one with OpenSSL?
 * Why does OpenSSL set the authority key identifier extension incorrectly?
 * How can I set up a bundle of commercial root CA certificates?
-* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
 
 [BUILD] Questions about building and testing OpenSSL
 
@@ -76,7 +75,6 @@ OpenSSL  -  Frequently Asked Questions
 * Why does Valgrind complain about the use of uninitialized data?
 * Why doesn't a memory BIO work when a file does?
 * Where are the declarations and implementations of d2i_X509() etc?
-* When debugging I observe SIGILL during OpenSSL initialization: why?
 
 ===============================================================================
 
@@ -85,6 +83,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
+OpenSSL 1.0.1e was released on Feb 11th, 2013.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -133,7 +132,7 @@ OpenSSL.  Information on the OpenSSL mailing lists is available from
 * Where can I get a compiled version of OpenSSL?
 
 You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/about/binaries.html> .
+<URL: http://www.openssl.org/related/binaries.html> .
 
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL
@@ -185,18 +184,14 @@ Therefore the answer to the common question "when will feature X be
 backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
 in the next minor release.
 
-* What happens when the letter release reaches z?
-
-It was decided after the release of OpenSSL 0.9.8y the next version should
-be 0.9.8za then 0.9.8zb and so on.
-
-
 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?
 
-For information on intellectual property rights, please consult a lawyer.
-The OpenSSL team does not offer legal advice.
+The patents section of the README file lists patents that may apply to
+you if you want to use OpenSSL.  For information on intellectual
+property rights, please consult a lawyer.  The OpenSSL team does not
+offer legal advice.
 
 You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
  ./config no-idea no-mdc2 no-rc5
@@ -412,7 +407,7 @@ whatever name they choose.
 The ways to print out the oneline format of the DN (Distinguished Name) have
 been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
 interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" command line tool for details. The old behaviour
+page of the "openssl x509" commandline tool for details. The old behaviour
 has however been left as default for the sake of compatibility.
 
 * What is a "128 bit certificate"? Can I create one with OpenSSL?
@@ -434,7 +429,7 @@ software from the US only weak encryption algorithms could be freely exported
 inadequate. A relaxation of the rules allowed the use of strong encryption but
 only to an authorised server.
 
-Two slightly different techniques were developed to support this, one used by
+Two slighly different techniques were developed to support this, one used by
 Netscape was called "step up", the other used by MSIE was called "Server Gated
 Cryptography" (SGC). When a browser initially connected to a server it would
 check to see if the certificate contained certain extensions and was issued by
@@ -485,16 +480,6 @@ bundle used by Mozilla and/or modssl as described in this article:
   <URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html>
 
 
-* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
-
-OpenSSL 1.0.1 is the first release to support TLS 1.2, among other things,
-this increases the size of the default ClientHello message to more than
-255 bytes in length. Some software cannot handle this and hangs. For more
-details and workarounds see:
-
-  <URL: http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
-
-
 [BUILD] =======================================================================
 
 * Why does the linker complain about undefined symbols?
@@ -623,8 +608,8 @@ valid for the current DOS session.
 * What is special about OpenSSL on Redhat?
 
 Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and
-MDC2 in this version. The same may apply to other Linux distributions.
+version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
+is disabled in this version. The same may apply to other Linux distributions.
 Users may therefore wish to install more or all of the features left out.
 
 To do this you MUST ensure that you do not overwrite the openssl that is in
@@ -647,6 +632,11 @@ relevant updates in packages up to and including 0.9.6b.
 A possible way around this is to persuade Red Hat to produce a non-US
 version of Red Hat Linux.
 
+FYI: Patent numbers and expiry dates of US patents:
+MDC-2: 4,908,861 13/03/2007
+IDEA:  5,214,703 25/05/2010
+RC5:   5,724,428 03/03/2015
+
 
 * Why does the OpenSSL compilation fail on MacOS X?
 
@@ -709,7 +699,7 @@ working across wider range of *BSD branches, not just OpenBSD.
 If the test program in question fails withs SIGILL, Illegal Instruction
 exception, then you more than likely to run SSE2-capable CPU, such as
 Intel P4, under control of kernel which does not support SSE2
-instruction extensions. See accompanying INSTALL file and
+instruction extentions. See accompanying INSTALL file and
 OPENSSL_ia32cap(3) documentation page for further information.
 
 * Why does compiler fail to compile sha512.c?
@@ -723,15 +713,15 @@ possible alternative might be to switch to GCC.
 
 * Test suite still fails, what to do?
 
-Another common reason for test failures is bugs in the toolchain
-or run-time environment.  Known cases of this are documented in the
-PROBLEMS file, please review it before you beat the drum. Even if you
-don't find anything in that file, please do consider the possibility
-of a compiler bug. Compiler bugs often appear in rather bizarre ways,
-they never make sense, and tend to emerge when you least expect
-them. One thing to try is to reduce the level of optimization (such
-as by editing the CFLAG variable line in the top-level Makefile),
-and then recompile and re-run the test.
+Another common reason for failure to complete some particular test is
+simply bad code generated by a buggy component in toolchain or deficiency
+in run-time environment. There are few cases documented in PROBLEMS file,
+consult it for possible workaround before you beat the drum. Even if you
+don't find solution or even mention there, do reserve for possibility of
+a compiler bug. Compiler bugs might appear in rather bizarre ways, they
+never make sense, and tend to emerge when you least expect them. In order
+to identify one, drop optimization level, e.g. by editing CFLAG line in
+top-level Makefile, recompile and re-run the test.
 
 * I think I've found a bug, what should I do?
 
@@ -741,16 +731,9 @@ documentation and the mailing lists for similar queries. If you are still
 unsure whether it is a bug or not submit a query to the openssl-users mailing
 list.
 
-If you think you have found a bug based on the output of static analysis tools
-then please manually check the issue is genuine. Such tools can produce a
-LOT of false positives.
-
 
 * I'm SURE I've found a bug, how do I report it?
 
-To avoid duplicated reports check the mailing lists and release notes for the
-relevant version of OpenSSL to see if the problem has been reported already.
-
 Bug reports with no security implications should be sent to the request
 tracker. This can be done by mailing the report to <rt@openssl.org> (or its
 alias <openssl-bugs@openssl.org>), please note that messages sent to the
@@ -778,9 +761,7 @@ See also <URL: http://www.openssl.org/support/rt.html>
 If you think your bug has security implications then please send it to
 openssl-security@openssl.org if you don't get a prompt reply at least 
 acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve). If you wish to use PGP to send
-in a report please use one or more of the keys of the team members listed
-at <URL: http://www.openssl.org/about/>
+more active team members (e.g. Steve).
 
 Note that bugs only present in the openssl utility are not in general
 considered to be security issues. 
@@ -881,7 +862,7 @@ The opposite assumes we already have len bytes in buf:
  p = buf;
  p7 = d2i_PKCS7(NULL, &p, len);
 
-At this point p7 contains a valid PKCS7 structure or NULL if an error
+At this point p7 contains a valid PKCS7 structure of NULL if an error
 occurred. If an error occurred ERR_print_errors(bio) should give more
 information.
 
@@ -893,21 +874,6 @@ that has been read or written. This may well be uninitialized data
 and attempts to free the buffer will have unpredictable results
 because it no longer points to the same address.
 
-Memory allocation and encoding can also be combined in a single
-operation by the ASN1 routines:
-
- unsigned char *buf = NULL;	/* mandatory */
- int len;
- len = i2d_PKCS7(p7, &buf);
- if (len < 0)
-	/* Error */
- /* Do some things with 'buf' */
- /* Finished with buf: free it */
- OPENSSL_free(buf);
-
-In this special case the "buf" parameter is *not* incremented, it points
-to the start of the encoding.
-
 
 * OpenSSL uses DER but I need BER format: does OpenSSL support BER?
 
@@ -1069,20 +1035,5 @@ These are defined and implemented by macros of the form:
 The implementation passes an ASN1 "template" defining the structure into an
 ASN1 interpreter using generalised functions such as ASN1_item_d2i().
 
-* When debugging I observe SIGILL during OpenSSL initialization: why?
-
-OpenSSL adapts to processor it executes on and for this reason has to
-query its capabilities. Unfortunately on some processors the only way
-to achieve this for non-privileged code is to attempt instructions
-that can cause Illegal Instruction exceptions. The initialization
-procedure is coded to handle these exceptions to manipulate corresponding
-bits in capabilities vector. This normally appears transparent, except
-when you execute it under debugger, which stops prior delivering signal
-to handler. Simply resuming execution does the trick, but when debugging
-a lot it might feel counterproductive. Two options. Either set explicit
-capability environment variable in order to bypass the capability query
-(see corresponding crypto/*cap.c for details). Or configure debugger not
-to stop upon SIGILL exception, e.g. in gdb case add 'handle SIGILL nostop'
-to your .gdbinit.
 
 ===============================================================================

GitConfigure

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-BRANCH=`git rev-parse --abbrev-ref HEAD`
-
-./Configure $@ no-symlinks
-make files
-util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
-MAKE=make
-which bsdmake > /dev/null && MAKE=bsdmake
-$MAKE -f makefile.$BRANCH init

GitMake

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-BRANCH=`git rev-parse --abbrev-ref HEAD`
-
-MAKE=make
-which bsdmake > /dev/null && MAKE=bsdmake
-$MAKE -f makefile.$BRANCH $@

INSTALL

@@ -79,7 +79,7 @@
                 compiler flags for any other CPU specific configuration,
                 e.g. "-m32" to build x86 code on an x64 system.
 
-  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extension is
+  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extention is
 		detected at run-time, but the decision whether or not the
 		machine code will be executed is taken solely on CPU
 		capability vector. This means that if you happen to run OS
@@ -103,6 +103,12 @@
                 define preprocessor symbols, specify additional libraries,
                 library directories or other compiler options.
 
+  -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
+		BSD. Useful if you are running ocf-linux or something
+		similar. Once enabled you can also enable the use of
+		cryptodev digests, which is usually slower unless you have
+		large amounts data. Use -DUSE_CRYPTODEV_DIGESTS to force
+		it.
 
  Installation in Detail
  ----------------------

INSTALL.MacOS

@@ -0,0 +1,72 @@
+OpenSSL - Port To The Macintosh OS 9 or Earlier
+===============================================
+
+Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
+X) is now provided. "Initial" means that unlike other platforms where you
+get an SDK and a "swiss army" openssl application, on Macintosh you only
+get one sample application which fetches a page over HTTPS(*) and dumps it
+in a window. We don't even build the test applications so that we can't
+guarantee that all algorithms are operational.
+
+Required software:
+
+- StuffIt Expander 5.5 or later, alternatively MacGzip and SUNtar;
+- Scriptable Finder;
+- CodeWarrior Pro 5;
+
+Installation procedure:
+
+- fetch the source at ftp://ftp.openssl.org/ (well, you probably already
+  did, huh?)
+- unpack the .tar.gz file:
+	- if you have StuffIt Expander then just drag it over it;
+	- otherwise uncompress it with MacGzip and then unpack with SUNtar;
+- locate MacOS folder in OpenSSL source tree and open it;
+- unbinhex mklinks.as.hqx and OpenSSL.mcp.hqx if present (**), do it
+  "in-place", i.e. unpacked files should end-up in the very same folder;
+- execute mklinks.as;
+- open OpenSSL.mcp(***) and build 'GetHTTPS PPC' target(****);
+- that's it for now;
+
+(*)	URL is hardcoded into ./MacOS/GetHTTPS.src/GetHTTPS.cpp, lines 40
+        to 42, change appropriately.
+(**)	If you use SUNtar, then it might have already unbinhexed the files
+	in question.
+(***)	The project file was saved with CW Pro 5.3. If you have an earlier
+	version and it refuses to open it, then download
+	http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it
+	overwriting the original OpenSSL.mcp.
+(****)	Other targets are works in progress. If you feel like giving 'em a
+	shot, then you should know that OpenSSL* and Lib* targets are
+	supposed to be built with the GUSI, MacOS library which mimics
+	BSD sockets and some other POSIX APIs. The GUSI distribution is
+	expected to be found in the same directory as the openssl source tree,
+	i.e., in the parent directory to the one where this very file,
+	namely INSTALL.MacOS, resides. For more information about GUSI, see
+	http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
+
+Finally some essential comments from our generous contributor:-)
+
+"I've gotten OpenSSL working on the Macintosh. It's probably a bit of a
+hack, but it works for what I'm doing. If you don't like the way I've done
+it, then feel free to change what I've done. I freely admit that I've done
+some less-than-ideal things in my port, and if you don't like the way I've
+done something, then feel free to change it-- I won't be offended!
+
+... I've tweaked "bss_sock.c" a little to call routines in a "MacSocket"
+library I wrote. My MacSocket library is a wrapper around OpenTransport,
+handling stuff like endpoint creation, reading, writing, etc. It is not
+designed as a high-performance package such as you'd use in a webserver,
+but is fine for lots of other applications. MacSocket also uses some other
+code libraries I've written to deal with string manipulations and error
+handling. Feel free to use these things in your own code, but give me
+credit and/or send me free stuff in appreciation! :-)
+
+...
+
+If you have any questions, feel free to email me as the following:
+
+roy@centricsystems.ca
+
+-Roy Wood"
+

INSTALL.NW

@@ -378,7 +378,7 @@ The openssl program has numerous options and can be used for many different
 things.  Many of the options operate in an interactive mode requiring the
 user to enter data.  Because of this, a default screen is created for the
 program.  However, when running the test script it is not desirable to
-have a separate screen.  Therefore, the build also creates openssl2.nlm.
+have a seperate screen.  Therefore, the build also creates openssl2.nlm.
 Openssl2.nlm is functionally identical but uses the console screen.
 Openssl2 can be used when a non-interactive mode is desired.
 

INSTALL.VMS

@@ -134,7 +134,7 @@ Currently, the logical names supported are:
                         will not be implemented.  Supported algorithms to
                         do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
                         SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
-                        SSL3.  So, for example, having the logical name
+                        SSL2.  So, for example, having the logical name
                         OPENSSL_NO_RSA with the value YES means that the
                         LIBCRYPTO.OLB library will not contain an RSA
                         implementation.

MacOS/GUSI_Init.cpp

@@ -0,0 +1,62 @@
+/**************** BEGIN GUSI CONFIGURATION ****************************
+ *
+ * GUSI Configuration section generated by GUSI Configurator
+ * last modified: Wed Jan  5 20:33:51 2000
+ *
+ * This section will be overwritten by the next run of Configurator.
+ */
+
+#define GUSI_SOURCE
+#include <GUSIConfig.h>
+#include <sys/cdefs.h>
+
+/* Declarations of Socket Factories */
+
+__BEGIN_DECLS
+void GUSIwithInetSockets();
+void GUSIwithLocalSockets();
+void GUSIwithMTInetSockets();
+void GUSIwithMTTcpSockets();
+void GUSIwithMTUdpSockets();
+void GUSIwithOTInetSockets();
+void GUSIwithOTTcpSockets();
+void GUSIwithOTUdpSockets();
+void GUSIwithPPCSockets();
+void GUSISetupFactories();
+__END_DECLS
+
+/* Configure Socket Factories */
+
+void GUSISetupFactories()
+{
+#ifdef GUSISetupFactories_BeginHook
+	GUSISetupFactories_BeginHook
+#endif
+	GUSIwithInetSockets();
+#ifdef GUSISetupFactories_EndHook
+	GUSISetupFactories_EndHook
+#endif
+}
+
+/* Declarations of File Devices */
+
+__BEGIN_DECLS
+void GUSIwithDConSockets();
+void GUSIwithNullSockets();
+void GUSISetupDevices();
+__END_DECLS
+
+/* Configure File Devices */
+
+void GUSISetupDevices()
+{
+#ifdef GUSISetupDevices_BeginHook
+	GUSISetupDevices_BeginHook
+#endif
+	GUSIwithNullSockets();
+#ifdef GUSISetupDevices_EndHook
+	GUSISetupDevices_EndHook
+#endif
+}
+
+/**************** END GUSI CONFIGURATION *************************/

MacOS/GetHTTPS.src/CPStringUtils.hpp

@@ -0,0 +1,104 @@
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void CopyPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
+void CopyPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void CopyCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
+void ConcatPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxCStrLength);
+
+void ConcatCharToCStr(const char theChar,char *theDstCStr,const int maxCStrLength);
+void ConcatCharToPStr(const char theChar,unsigned char *theDstPStr,const int maxPStrLength);
+
+int ComparePStrs(const unsigned char *theFirstPStr,const unsigned char *theSecondPStr,const Boolean ignoreCase = true);
+int CompareCStrs(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
+int CompareCStrToPStr(const char *theCStr,const unsigned char *thePStr,const Boolean ignoreCase = true);
+
+Boolean CStrsAreEqual(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
+Boolean PStrsAreEqual(const unsigned char *theFirstCStr,const unsigned char *theSecondCStr,const Boolean ignoreCase = true);
+
+void CopyLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
+void CopyUnsignedLongIntToCStr(const unsigned long theNum,char *theCStr,const int maxCStrLength);
+void ConcatLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
+void CopyCStrAndConcatLongIntToCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+
+void CopyLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
+void ConcatLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
+
+long CStrLength(const char *theCString);
+long PStrLength(const unsigned char *thePString);
+
+OSErr CopyCStrToExistingHandle(const char *theCString,Handle theHandle);
+OSErr CopyLongIntToExistingHandle(const long inTheLongInt,Handle theHandle);
+
+OSErr CopyCStrToNewHandle(const char *theCString,Handle *theHandle);
+OSErr CopyPStrToNewHandle(const unsigned char *thePString,Handle *theHandle);
+OSErr CopyLongIntToNewHandle(const long inTheLongInt,Handle *theHandle);
+
+OSErr AppendCStrToHandle(const char *theCString,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
+OSErr AppendCharsToHandle(const char *theChars,const int numChars,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
+OSErr AppendPStrToHandle(const unsigned char *thePString,Handle theHandle,long *currentLength = nil);
+OSErr AppendLongIntToHandle(const long inTheLongInt,Handle theHandle,long *currentLength = nil);
+
+void ZeroMem(void *theMemPtr,const unsigned long numBytes);
+
+char *FindCharInCStr(const char theChar,const char *theCString);
+long FindCharOffsetInCStr(const char theChar,const char *theCString,const Boolean inIgnoreCase = false);
+long FindCStrOffsetInCStr(const char *theCSubstring,const char *theCString,const Boolean inIgnoreCase = false);
+
+void CopyCSubstrToCStr(const char *theSrcCStr,const int maxCharsToCopy,char *theDstCStr,const int maxDstStrLength);
+void CopyCSubstrToPStr(const char *theSrcCStr,const int maxCharsToCopy,unsigned char *theDstPStr,const int maxDstStrLength);
+
+void InsertCStrIntoCStr(const char *theSrcCStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
+void InsertPStrIntoCStr(const unsigned char *theSrcPStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
+OSErr InsertCStrIntoHandle(const char *theCString,Handle theHandle,const long inInsertOffset);
+
+void CopyCStrAndInsertCStrIntoCStr(const char *theSrcCStr,const char *theInsertCStr,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsertCStrsLongIntsIntoCStr(const char *theSrcCStr,const char **theInsertCStrs,const long *theLongInts,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsert1LongIntIntoCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrAndInsert2LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrAndInsert3LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,const long long3,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsertCStrLongIntIntoCStr(const char *theSrcCStr,const char *theInsertCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+OSErr CopyCStrAndInsertCStrLongIntIntoHandle(const char *theSrcCStr,const char *theInsertCStr,const long theNum,Handle *theHandle);
+
+
+OSErr CopyIndexedWordToCStr(char *theSrcCStr,int whichWord,char *theDstCStr,int maxDstCStrLength);
+OSErr CopyIndexedWordToNewHandle(char *theSrcCStr,int whichWord,Handle *outTheHandle);
+
+OSErr CopyIndexedLineToCStr(const char *theSrcCStr,int inWhichLine,int *lineEndIndex,Boolean *gotLastLine,char *theDstCStr,const int maxDstCStrLength);
+OSErr CopyIndexedLineToNewHandle(const char *theSrcCStr,int inWhichLine,Handle *outNewHandle);
+
+OSErr ExtractIntFromCStr(const char *theSrcCStr,int *outInt,Boolean skipLeadingSpaces = true);
+OSErr ExtractIntFromPStr(const unsigned char *theSrcPStr,int *outInt,Boolean skipLeadingSpaces = true);
+
+
+void ConvertCStrToUpperCase(char *theSrcCStr);
+
+
+int CountOccurencesOfCharInCStr(const char inChar,const char *inSrcCStr);
+int CountWordsInCStr(const char *inSrcCStr);
+
+OSErr CountDigits(const char *inCStr,int *outNumIntegerDigits,int *outNumFractDigits);
+
+void ExtractCStrItemFromCStr(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,char *outDstCharPtr,const int inDstCharPtrMaxLength,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
+OSErr ExtractCStrItemFromCStrIntoNewHandle(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,Handle *outNewHandle,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
+
+
+OSErr ExtractFloatFromCStr(const char *inCString,extended80 *outFloat);
+OSErr CopyFloatToCStr(const extended80 *theFloat,char *theCStr,const int maxCStrLength,const int inMaxNumIntDigits = -1,const int inMaxNumFractDigits = -1);
+
+void SkipWhiteSpace(char **ioSrcCharPtr,const Boolean inStopAtEOL = false);
+
+
+#ifdef __cplusplus
+}
+#endif

MacOS/GetHTTPS.src/ErrorHandling.cpp

@@ -1,12 +1,12 @@
 /* ====================================================================
- * Copyright (c) 1998-2014 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -51,73 +51,120 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+ 
+ 
+ 
+ #include "ErrorHandling.hpp"
+#include "CPStringUtils.hpp"
 
-#ifndef HEADER_BN_INT_H
-# define HEADER_BN_INT_H
-
-# include <openssl/bn.h>
-
-#ifdef  __cplusplus
-extern "C" {
+#ifdef __EXCEPTIONS_ENABLED__
+	#include "CMyException.hpp"
 #endif
 
-# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-        (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
-BIGNUM *bn_wexpand(BIGNUM *a, int words);
-BIGNUM *bn_expand2(BIGNUM *a, int words);
 
-void bn_correct_top(BIGNUM *a);
+static char					gErrorMessageBuffer[512];
 
-/*
- * Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
- * This is an array r[] of values that are either zero or odd with an
- * absolute value less than 2^w satisfying scalar = \sum_j r[j]*2^j where at
- * most one of any w+1 consecutive digits is non-zero with the exception that
- * the most significant digit may be only w-1 zeros away from that next
- * non-zero digit.
- */
-signed char *bn_compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len);
-
-int bn_get_top(const BIGNUM *a);
-
-void bn_set_top(BIGNUM *a, int top);
-
-int bn_get_dmax(const BIGNUM *a);
-
-/* Set all words to zero */
-void bn_set_all_zero(BIGNUM *a);
-
-/*
- * Copy the internal BIGNUM words into out which holds size elements (and size
- * must be bigger than top)
- */
-int bn_copy_words(BN_ULONG *out, const BIGNUM *in, int size);
-
-BN_ULONG *bn_get_words(const BIGNUM *a);
-
-/*
- * Set the internal data words in a to point to words which contains size
- * elements. The BN_FLG_STATIC_DATA flag is set
- */
-void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size);
-
-/*
- * Copy data into the BIGNUM. The caller must check that dmax is sufficient to
- * hold the data
- */
-void bn_set_data(BIGNUM *a, const void *data, size_t size);
-
-size_t bn_sizeof_BIGNUM(void);
-
-/*
- * Return element el from an array of BIGNUMs starting at base (required
- * because callers do not know the size of BIGNUM at compilation time)
- */
-BIGNUM *bn_array_el(BIGNUM *base, int el);
+char 						*gErrorMessage = gErrorMessageBuffer;
+int							gErrorMessageMaxLength = sizeof(gErrorMessageBuffer);
 
 
-#ifdef  __cplusplus
+
+void SetErrorMessage(const char *theErrorMessage)
+{
+	if (theErrorMessage != nil)
+	{
+		CopyCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
+	}
+}
+
+
+void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt)
+{
+	if (theErrorMessage != nil)
+	{
+		CopyCStrAndConcatLongIntToCStr(theErrorMessage,theLongInt,gErrorMessage,gErrorMessageMaxLength);
+	}
+}
+
+void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt)
+{
+	if (theErrorMessage != nil)
+	{
+		CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,theLongInt,gErrorMessage,gErrorMessageMaxLength);
+	}
+
+}
+
+void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr)
+{
+	if (theErrorMessage != nil)
+	{
+		CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,-1,gErrorMessage,gErrorMessageMaxLength);
+	}
+}
+
+
+void AppendCStrToErrorMessage(const char *theErrorMessage)
+{
+	if (theErrorMessage != nil)
+	{
+		ConcatCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
+	}
+}
+
+
+void AppendLongIntToErrorMessage(const long theLongInt)
+{
+	ConcatLongIntToCStr(theLongInt,gErrorMessage,gErrorMessageMaxLength);
+}
+
+
+
+char *GetErrorMessage(void)
+{
+	return gErrorMessage;
+}
+
+
+OSErr GetErrorMessageInNewHandle(Handle *inoutHandle)
+{
+OSErr		errCode;
+
+
+	errCode = CopyCStrToNewHandle(gErrorMessage,inoutHandle);
+	
+	return(errCode);
+}
+
+
+OSErr GetErrorMessageInExistingHandle(Handle inoutHandle)
+{
+OSErr		errCode;
+
+
+	errCode = CopyCStrToExistingHandle(gErrorMessage,inoutHandle);
+	
+	return(errCode);
+}
+
+
+
+OSErr AppendErrorMessageToHandle(Handle inoutHandle)
+{
+OSErr		errCode;
+
+
+	errCode = AppendCStrToHandle(gErrorMessage,inoutHandle,nil);
+	
+	return(errCode);
+}
+
+
+#ifdef __EXCEPTIONS_ENABLED__
+
+void ThrowErrorMessageException(void)
+{
+	ThrowDescriptiveException(gErrorMessage);
 }
-#endif
 
 #endif

MacOS/GetHTTPS.src/ErrorHandling.hpp

@@ -0,0 +1,147 @@
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef kGenericError
+	#define kGenericError		-1
+#endif
+
+extern char	*gErrorMessage;
+
+
+void SetErrorMessage(const char *theErrorMessage);
+void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt);
+void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt);
+void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr);
+void AppendCStrToErrorMessage(const char *theErrorMessage);
+void AppendLongIntToErrorMessage(const long theLongInt);
+
+
+char *GetErrorMessage(void);
+OSErr GetErrorMessageInNewHandle(Handle *inoutHandle);
+OSErr GetErrorMessageInExistingHandle(Handle inoutHandle);
+OSErr AppendErrorMessageToHandle(Handle inoutHandle);
+
+
+#ifdef __EXCEPTIONS_ENABLED__
+	void ThrowErrorMessageException(void);
+#endif
+
+
+
+//	A bunch of evil macros that would be unnecessary if I were always using C++ !
+
+#define SetErrorMessageAndBailIfNil(theArg,theMessage)								\
+{																					\
+	if (theArg == nil)																\
+	{																				\
+		SetErrorMessage(theMessage);												\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageAndBail(theMessage)											\
+{																					\
+		SetErrorMessage(theMessage);												\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+}
+
+
+#define SetErrorMessageAndLongIntAndBail(theMessage,theLongInt)						\
+{																					\
+		SetErrorMessageAndAppendLongInt(theMessage,theLongInt);						\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+}
+
+
+#define SetErrorMessageAndLongIntAndBailIfError(theErrCode,theMessage,theLongInt)	\
+{																					\
+	if (theErrCode != noErr)														\
+	{																				\
+		SetErrorMessageAndAppendLongInt(theMessage,theLongInt);						\
+		errCode = theErrCode;														\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageCStrLongIntAndBailIfError(theErrCode,theMessage,theCStr,theLongInt)	\
+{																					\
+	if (theErrCode != noErr)														\
+	{																				\
+		SetErrorMessageAndCStrAndLongInt(theMessage,theCStr,theLongInt);			\
+		errCode = theErrCode;														\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageAndCStrAndBail(theMessage,theCStr)							\
+{																					\
+	SetErrorMessageAndCStr(theMessage,theCStr);										\
+	errCode = kGenericError;														\
+	goto EXITPOINT;																	\
+}
+
+
+#define SetErrorMessageAndBailIfError(theErrCode,theMessage)						\
+{																					\
+	if (theErrCode != noErr)														\
+	{																				\
+		SetErrorMessage(theMessage);												\
+		errCode = theErrCode;														\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageAndLongIntAndBailIfNil(theArg,theMessage,theLongInt)			\
+{																					\
+	if (theArg == nil)																\
+	{																				\
+		SetErrorMessageAndAppendLongInt(theMessage,theLongInt);						\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define BailIfError(theErrCode)														\
+{																					\
+	if ((theErrCode) != noErr)														\
+	{																				\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrCodeAndBail(theErrCode)												\
+{																					\
+	errCode = theErrCode;															\
+																					\
+	goto EXITPOINT;																	\
+}
+
+
+#define SetErrorCodeAndMessageAndBail(theErrCode,theMessage)						\
+{																					\
+	SetErrorMessage(theMessage);													\
+	errCode = theErrCode;															\
+	goto EXITPOINT;																	\
+}
+
+
+#define BailNow()																	\
+{																					\
+	errCode = kGenericError;														\
+	goto EXITPOINT;																	\
+}
+
+
+#ifdef __cplusplus
+}
+#endif

MacOS/GetHTTPS.src/GetHTTPS.cpp

@@ -0,0 +1,209 @@
+/*
+ *	An demo illustrating how to retrieve a URI from a secure HTTP server.
+ *
+ *	Author: 	Roy Wood
+ *	Date:		September 7, 1999
+ *	Comments:	This relies heavily on my MacSockets library.
+ *				This project is also set up so that it expects the OpenSSL source folder (0.9.4 as I write this)
+ *				to live in a folder called "OpenSSL-0.9.4" in this project's parent folder.  For example:
+ *
+ *					Macintosh HD:
+ *						Development:
+ *							OpenSSL-0.9.4:
+ *								(OpenSSL sources here)
+ *							OpenSSL Example:
+ *								(OpenSSL example junk here)
+ *
+ *
+ *				Also-- before attempting to compile this, make sure the aliases in "OpenSSL-0.9.4:include:openssl" 
+ *				are installed!  Use the AppleScript applet in the "openssl-0.9.4" folder to do this!
+ */
+/* modified to seed the PRNG */
+/* modified to use CRandomizer for seeding */
+
+
+//	Include some funky libs I've developed over time
+
+#include "CPStringUtils.hpp"
+#include "ErrorHandling.hpp"
+#include "MacSocket.h"
+#include "Randomizer.h"
+
+//	We use the OpenSSL implementation of SSL....
+//	This was a lot of work to finally get going, though you wouldn't know it by the results!
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+#include <timer.h>
+
+//	Let's try grabbing some data from here:
+
+#define kHTTPS_DNS		"www.apache-ssl.org"
+#define kHTTPS_Port		443
+#define kHTTPS_URI		"/"
+
+
+//	Forward-declare this
+
+OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr);
+
+//	My idle-wait callback.  Doesn't do much, does it?  Silly cooperative multitasking.
+
+OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr)
+{
+#pragma unused(inUserRefPtr)
+
+EventRecord		theEvent;
+	::EventAvail(everyEvent,&theEvent);
+	
+	CRandomizer *randomizer = (CRandomizer*)inUserRefPtr;
+	if (randomizer)
+		randomizer->PeriodicAction();
+
+	return(noErr);
+}
+
+
+//	Finally!
+
+void main(void)
+{
+	OSErr				errCode;
+	int					theSocket = -1;
+	int					theTimeout = 30;
+
+	SSL_CTX				*ssl_ctx = nil;
+	SSL					*ssl = nil;
+
+	char				tempString[256];
+	UnsignedWide		microTickCount;
+
+
+	CRandomizer randomizer;
+	
+	printf("OpenSSL Demo by Roy Wood, roy@centricsystems.ca\n\n");
+	
+	BailIfError(errCode = MacSocket_Startup());
+
+
+
+	//	Create a socket-like object
+	
+	BailIfError(errCode = MacSocket_socket(&theSocket,false,theTimeout * 60,MyMacSocket_IdleWaitCallback,&randomizer));
+
+	
+	//	Set up the connect string and try to connect
+	
+	CopyCStrAndInsertCStrLongIntIntoCStr("%s:%ld",kHTTPS_DNS,kHTTPS_Port,tempString,sizeof(tempString));
+	
+	printf("Connecting to %s....\n",tempString);
+
+	BailIfError(errCode = MacSocket_connect(theSocket,tempString));
+	
+	
+	//	Init SSL stuff
+	
+	SSL_load_error_strings();
+	
+	SSLeay_add_ssl_algorithms();
+	
+	
+	//	Pick the SSL method
+	
+//	ssl_ctx = SSL_CTX_new(SSLv2_client_method());
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+//	ssl_ctx = SSL_CTX_new(SSLv3_client_method());
+			
+
+	//	Create an SSL thingey and try to negotiate the connection
+	
+	ssl = SSL_new(ssl_ctx);
+	
+	SSL_set_fd(ssl,theSocket);
+	
+	errCode = SSL_connect(ssl);
+	
+	if (errCode < 0)
+	{
+		SetErrorMessageAndLongIntAndBail("OpenSSL: Can't initiate SSL connection, SSL_connect() = ",errCode);
+	}
+	
+	//	Request the URI from the host
+	
+	CopyCStrToCStr("GET ",tempString,sizeof(tempString));
+	ConcatCStrToCStr(kHTTPS_URI,tempString,sizeof(tempString));
+	ConcatCStrToCStr(" HTTP/1.0\r\n\r\n",tempString,sizeof(tempString));
+
+	
+	errCode = SSL_write(ssl,tempString,CStrLength(tempString));
+	
+	if (errCode < 0)
+	{
+		SetErrorMessageAndLongIntAndBail("OpenSSL: Error writing data via ssl, SSL_write() = ",errCode);
+	}
+	
+
+	for (;;)
+	{
+	char	tempString[256];
+	int		bytesRead;
+		
+
+		//	Read some bytes and dump them to the console
+		
+		bytesRead = SSL_read(ssl,tempString,sizeof(tempString) - 1);
+		
+		if (bytesRead == 0 && MacSocket_RemoteEndIsClosing(theSocket))
+		{
+			break;
+		}
+		
+		else if (bytesRead < 0)
+		{
+			SetErrorMessageAndLongIntAndBail("OpenSSL: Error reading data via ssl, SSL_read() = ",bytesRead);
+		}
+		
+		
+		tempString[bytesRead] = '\0';
+		
+		printf("%s", tempString);
+	}
+	
+	printf("\n\n\n");
+	
+	//	All done!
+	
+	errCode = noErr;
+	
+	
+EXITPOINT:
+
+	//	Clean up and go home
+	
+	if (theSocket >= 0)
+	{
+		MacSocket_close(theSocket);
+	}
+	
+	if (ssl != nil)
+	{
+		SSL_free(ssl);
+	}
+	
+	if (ssl_ctx != nil)
+	{
+		SSL_CTX_free(ssl_ctx);
+	}
+	
+	
+	if (errCode != noErr)
+	{
+		printf("An error occurred:\n");
+		
+		printf("%s",GetErrorMessage());
+	}
+	
+	
+	MacSocket_Shutdown();
+}

MacOS/GetHTTPS.src/MacSocket.h

@@ -0,0 +1,104 @@
+#pragma once
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum {
+    kMacSocket_TimeoutErr = -2
+};
+
+// Since MacSocket does busy waiting, I do a callback while waiting
+
+typedef OSErr(*MacSocket_IdleWaitCallback) (void *);
+
+// Call this before anything else!
+
+OSErr MacSocket_Startup(void);
+
+// Call this to cleanup before quitting
+
+OSErr MacSocket_Shutdown(void);
+
+// Call this to allocate a "socket" (reference number is returned in
+// outSocketNum)
+// Note that inDoThreadSwitching is pretty much irrelevant right now, since I
+// ignore it
+// The inTimeoutTicks parameter is applied during reads/writes of data
+// The inIdleWaitCallback parameter specifies a callback which is called
+// during busy-waiting periods
+// The inUserRefPtr parameter is passed back to the idle-wait callback
+
+OSErr MacSocket_socket(int *outSocketNum, const Boolean inDoThreadSwitching,
+                       const long inTimeoutTicks,
+                       MacSocket_IdleWaitCallback inIdleWaitCallback,
+                       void *inUserRefPtr);
+
+// Call this to connect to an IP/DNS address
+// Note that inTargetAddressAndPort is in "IP:port" format-- e.g.
+// 10.1.1.1:123
+
+OSErr MacSocket_connect(const int inSocketNum, char *inTargetAddressAndPort);
+
+// Call this to listen on a port
+// Since this a low-performance implementation, I allow a maximum of 1 (one!)
+// incoming request when I listen
+
+OSErr MacSocket_listen(const int inSocketNum, const int inPortNum);
+
+// Call this to close a socket
+
+OSErr MacSocket_close(const int inSocketNum);
+
+// Call this to receive data on a socket
+// Most parameters' purpose are obvious-- except maybe "inBlock" which
+// controls whether I wait for data or return immediately
+
+int MacSocket_recv(const int inSocketNum, void *outBuff, int outBuffLength,
+                   const Boolean inBlock);
+
+// Call this to send data on a socket
+
+int MacSocket_send(const int inSocketNum, const void *inBuff,
+                   int inBuffLength);
+
+// If zero bytes were read in a call to MacSocket_recv(), it may be that the
+// remote end has done a half-close
+// This function will let you check whether that's true or not
+
+Boolean MacSocket_RemoteEndIsClosing(const int inSocketNum);
+
+// Call this to see if the listen has completed after a call to
+// MacSocket_listen()
+
+Boolean MacSocket_ListenCompleted(const int inSocketNum);
+
+// These really aren't very useful anymore
+
+Boolean MacSocket_LocalEndIsOpen(const int inSocketNum);
+Boolean MacSocket_RemoteEndIsOpen(const int inSocketNum);
+
+// You may wish to change the userRefPtr for a socket callback-- use this to
+// do it
+
+void MacSocket_SetUserRefPtr(const int inSocketNum, void *inNewRefPtr);
+
+// Call these to get the socket's IP:port descriptor
+
+void MacSocket_GetLocalIPAndPort(const int inSocketNum, char *outIPAndPort,
+                                 const int inIPAndPortLength);
+void MacSocket_GetRemoteIPAndPort(const int inSocketNum, char *outIPAndPort,
+                                  const int inIPAndPortLength);
+
+// Call this to get error info from a socket
+
+void MacSocket_GetSocketErrorInfo(const int inSocketNum,
+                                  int *outSocketErrCode,
+                                  char *outSocketErrString,
+                                  const int inSocketErrStringMaxLength);
+
+
+#ifdef __cplusplus
+}
+#endif

MacOS/Randomizer.cpp

@@ -0,0 +1,476 @@
+/* 
+------- Strong random data generation on a Macintosh (pre - OS X) ------
+		
+--	GENERAL: We aim to generate unpredictable bits without explicit
+	user interaction. A general review of the problem may be found
+	in RFC 1750, "Randomness Recommendations for Security", and some
+	more discussion, of general and Mac-specific issues has appeared
+	in "Using and Creating Cryptographic- Quality Random Numbers" by
+	Jon Callas (www.merrymeet.com/jon/usingrandom.html).
+
+	The data and entropy estimates provided below are based on my
+	limited experimentation and estimates, rather than by any
+	rigorous study, and the entropy estimates tend to be optimistic.
+	They should not be considered absolute.
+
+	Some of the information being collected may be correlated in
+	subtle ways. That includes mouse positions, timings, and disk
+	size measurements. Some obvious correlations will be eliminated
+	by the programmer, but other, weaker ones may remain. The
+	reliability of the code depends on such correlations being
+	poorly understood, both by us and by potential interceptors.
+
+	This package has been planned to be used with OpenSSL, v. 0.9.5.
+	It requires the OpenSSL function RAND_add. 
+
+--	OTHER WORK: Some source code and other details have been
+	published elsewhere, but I haven't found any to be satisfactory
+	for the Mac per se:
+
+	* The Linux random number generator (by Theodore Ts'o, in
+	  drivers/char/random.c), is a carefully designed open-source
+	  crypto random number package. It collects data from a variety
+	  of sources, including mouse, keyboard and other interrupts.
+	  One nice feature is that it explicitly estimates the entropy
+	  of the data it collects. Some of its features (e.g. interrupt
+	  timing) cannot be reliably exported to the Mac without using
+	  undocumented APIs.
+
+	* Truerand by Don P. Mitchell and Matt Blaze uses variations
+	  between different timing mechanisms on the same system. This
+	  has not been tested on the Mac, but requires preemptive
+	  multitasking, and is hardware-dependent, and can't be relied
+	  on to work well if only one oscillator is present.
+
+	* Cryptlib's RNG for the Mac (RNDMAC.C by Peter Gutmann),
+	  gathers a lot of information about the machine and system
+	  environment. Unfortunately, much of it is constant from one
+	  startup to the next. In other words, the random seed could be
+	  the same from one day to the next. Some of the APIs are
+	  hardware-dependent, and not all are compatible with Carbon (OS
+	  X). Incidentally, the EGD library is based on the UNIX entropy
+	  gathering methods in cryptlib, and isn't suitable for MacOS
+	  either.
+
+	* Mozilla (and perhaps earlier versions of Netscape) uses the
+	  time of day (in seconds) and an uninitialized local variable
+	  to seed the random number generator. The time of day is known
+	  to an outside interceptor (to within the accuracy of the
+	  system clock). The uninitialized variable could easily be
+	  identical between subsequent launches of an application, if it
+	  is reached through the same path.
+
+	* OpenSSL provides the function RAND_screen(), by G. van
+	  Oosten, which hashes the contents of the screen to generate a
+	  seed. This is not useful for an extension or for an
+	  application which launches at startup time, since the screen
+	  is likely to look identical from one launch to the next. This
+	  method is also rather slow.
+
+	* Using variations in disk drive seek times has been proposed
+	  (Davis, Ihaka and Fenstermacher, world.std.com/~dtd/;
+	  Jakobsson, Shriver, Hillyer and Juels,
+	  www.bell-labs.com/user/shriver/random.html). These variations
+	  appear to be due to air turbulence inside the disk drive
+	  mechanism, and are very strongly unpredictable. Unfortunately
+	  this technique is slow, and some implementations of it may be
+	  patented (see Shriver's page above.) It of course cannot be
+	  used with a RAM disk.
+
+--	TIMING: On the 601 PowerPC the time base register is guaranteed
+	to change at least once every 10 addi instructions, i.e. 10
+	cycles. On a 60 MHz machine (slowest PowerPC) this translates to
+	a resolution of 1/6 usec. Newer machines seem to be using a 10
+	cycle resolution as well.
+	
+	For 68K Macs, the Microseconds() call may be used. See Develop
+	issue 29 on the Apple developer site
+	(developer.apple.com/dev/techsupport/develop/issue29/minow.html)
+	for information on its accuracy and resolution. The code below
+	has been tested only on PowerPC based machines.
+
+	The time from machine startup to the launch of an application in
+	the startup folder has a variance of about 1.6 msec on a new G4
+	machine with a defragmented and optimized disk, most extensions
+	off and no icons on the desktop. This can be reasonably taken as
+	a lower bound on the variance. Most of this variation is likely
+	due to disk seek time variability. The distribution of startup
+	times is probably not entirely even or uncorrelated. This needs
+	to be investigated, but I am guessing that it not a majpor
+	problem. Entropy = log2 (1600/0.166) ~= 13 bits on a 60 MHz
+	machine, ~16 bits for a 450 MHz machine.
+
+	User-launched application startup times will have a variance of
+	a second or more relative to machine startup time. Entropy >~22
+	bits.
+
+	Machine startup time is available with a 1-second resolution. It
+	is predictable to no better a minute or two, in the case of
+	people who show up punctually to work at the same time and
+	immediately start their computer. Using the scheduled startup
+	feature (when available) will cause the machine to start up at
+	the same time every day, making the value predictable. Entropy
+	>~7 bits, or 0 bits with scheduled startup.
+
+	The time of day is of course known to an outsider and thus has 0
+	entropy if the system clock is regularly calibrated.
+
+--	KEY TIMING: A  very fast typist (120 wpm) will have a typical
+	inter-key timing interval of 100 msec. We can assume a variance
+	of no less than 2 msec -- maybe. Do good typists have a constant
+	rhythm, like drummers? Since what we measure is not the
+	key-generated interrupt but the time at which the key event was
+	taken off the event queue, our resolution is roughly the time
+	between process switches, at best 1 tick (17 msec). I  therefore
+	consider this technique questionable and not very useful for
+	obtaining high entropy data on the Mac.
+
+--	MOUSE POSITION AND TIMING: The high bits of the mouse position
+	are far from arbitrary, since the mouse tends to stay in a few
+	limited areas of the screen. I am guessing that the position of
+	the mouse is arbitrary within a 6 pixel square. Since the mouse
+	stays still for long periods of time, it should be sampled only
+	after it was moved, to avoid correlated data. This gives an
+	entropy of log2(6*6) ~= 5 bits per measurement.
+
+	The time during which the mouse stays still can vary from zero
+	to, say, 5 seconds (occasionally longer). If the still time is
+	measured by sampling the mouse during null events, and null
+	events are received once per tick, its resolution is 1/60th of a
+	second, giving an entropy of log2 (60*5) ~= 8 bits per
+	measurement. Since the distribution of still times is uneven,
+	this estimate is on the high side.
+
+	For simplicity and compatibility across system versions, the
+	mouse is to be sampled explicitly (e.g. in the event loop),
+	rather than in a time manager task.
+
+--	STARTUP DISK TOTAL FILE SIZE: Varies typically by at least 20k
+	from one startup to the next, with 'minimal' computer use. Won't
+	vary at all if machine is started again immediately after
+	startup (unless virtual memory is on), but any application which
+	uses the web and caches information to disk is likely to cause
+	this much variation or more. The variation is probably not
+	random, but I don't know in what way. File sizes tend to be
+	divisible by 4 bytes since file format fields are often
+	long-aligned. Entropy > log2 (20000/4) ~= 12 bits.
+	
+--	STARTUP DISK FIRST AVAILABLE ALLOCATION BLOCK: As the volume
+	gets fragmented this could be anywhere in principle. In a
+	perfectly unfragmented volume this will be strongly correlated
+	with the total file size on the disk. With more fragmentation
+	comes less certainty. I took the variation in this value to be
+	1/8 of the total file size on the volume.
+
+--	SYSTEM REQUIREMENTS: The code here requires System 7.0 and above
+	(for Gestalt and Microseconds calls). All the calls used are
+	Carbon-compatible.
+*/
+
+/*------------------------------ Includes ----------------------------*/
+
+#include "Randomizer.h"
+
+// Mac OS API
+#include <Files.h>
+#include <Folders.h>
+#include <Events.h>
+#include <Processes.h>
+#include <Gestalt.h>
+#include <Resources.h>
+#include <LowMem.h>
+
+// Standard C library
+#include <stdlib.h>
+#include <math.h>
+
+/*---------------------- Function declarations -----------------------*/
+
+// declared in OpenSSL/crypto/rand/rand.h
+extern "C" void RAND_add (const void *buf, int num, double entropy);
+
+unsigned long GetPPCTimer (bool is601);	// Make it global if needed
+					// elsewhere
+
+/*---------------------------- Constants -----------------------------*/
+
+#define kMouseResolution 6		// Mouse position has to differ
+					// from the last one by this
+					// much to be entered
+#define kMousePositionEntropy 5.16	// log2 (kMouseResolution**2)
+#define kTypicalMouseIdleTicks 300.0	// I am guessing that a typical
+					// amount of time between mouse
+					// moves is 5 seconds
+#define kVolumeBytesEntropy 12.0	// about log2 (20000/4),
+					// assuming a variation of 20K
+					// in total file size and
+					// long-aligned file formats.
+#define kApplicationUpTimeEntropy 6.0	// Variance > 1 second, uptime
+					// in ticks  
+#define kSysStartupEntropy 7.0		// Entropy for machine startup
+					// time
+
+
+/*------------------------ Function definitions ----------------------*/
+
+CRandomizer::CRandomizer (void)
+{
+	long	result;
+	
+	mSupportsLargeVolumes =
+		(Gestalt(gestaltFSAttr, &result) == noErr) &&
+		((result & (1L << gestaltFSSupports2TBVols)) != 0);
+	
+	if (Gestalt (gestaltNativeCPUtype, &result) != noErr)
+	{
+		mIsPowerPC = false;
+		mIs601 = false;
+	}
+	else
+	{
+		mIs601 = (result == gestaltCPU601);
+		mIsPowerPC = (result >= gestaltCPU601);
+	}
+	mLastMouse.h = mLastMouse.v = -10;	// First mouse will
+						// always be recorded
+	mLastPeriodicTicks = TickCount();
+	GetTimeBaseResolution ();
+	
+	// Add initial entropy
+	AddTimeSinceMachineStartup ();
+	AddAbsoluteSystemStartupTime ();
+	AddStartupVolumeInfo ();
+	AddFiller ();
+}
+
+void CRandomizer::PeriodicAction (void)
+{
+	AddCurrentMouse ();
+	AddNow (0.0);	// Should have a better entropy estimate here
+	mLastPeriodicTicks = TickCount();
+}
+
+/*------------------------- Private Methods --------------------------*/
+
+void CRandomizer::AddCurrentMouse (void)
+{
+	Point mouseLoc;
+	unsigned long lastCheck;	// Ticks since mouse was last
+					// sampled
+
+#if TARGET_API_MAC_CARBON
+	GetGlobalMouse (&mouseLoc);
+#else
+	mouseLoc = LMGetMouseLocation();
+#endif
+	
+	if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 &&
+	    labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2)
+		AddBytes (&mouseLoc, sizeof (mouseLoc),
+				kMousePositionEntropy);
+	
+	if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v)
+		mMouseStill ++;
+	else
+	{
+		double entropy;
+		
+		// Mouse has moved. Add the number of measurements for
+		// which it's been still. If the resolution is too
+		// coarse, assume the entropy is 0.
+
+		lastCheck = TickCount() - mLastPeriodicTicks;
+		if (lastCheck <= 0)
+			lastCheck = 1;
+		entropy = log2l
+			(kTypicalMouseIdleTicks/(double)lastCheck);
+		if (entropy < 0.0)
+			entropy = 0.0;
+		AddBytes (&mMouseStill, sizeof (mMouseStill), entropy);
+		mMouseStill = 0;
+	}
+	mLastMouse = mouseLoc;
+}
+
+void CRandomizer::AddAbsoluteSystemStartupTime (void)
+{
+	unsigned long	now;		// Time in seconds since
+					// 1/1/1904
+	GetDateTime (&now);
+	now -= TickCount() / 60;	// Time in ticks since machine
+					// startup
+	AddBytes (&now, sizeof (now), kSysStartupEntropy);
+}
+
+void CRandomizer::AddTimeSinceMachineStartup (void)
+{
+	AddNow (1.5);			// Uncertainty in app startup
+					// time is > 1.5 msec (for
+					// automated app startup).
+}
+
+void CRandomizer::AddAppRunningTime (void)
+{
+	ProcessSerialNumber PSN;
+	ProcessInfoRec		ProcessInfo;
+	
+	ProcessInfo.processInfoLength = sizeof (ProcessInfoRec);
+	ProcessInfo.processName = nil;
+	ProcessInfo.processAppSpec = nil;
+	
+	GetCurrentProcess (&PSN);
+	GetProcessInformation (&PSN, &ProcessInfo);
+
+	// Now add the amount of time in ticks that the current process
+	// has been active
+
+	AddBytes (&ProcessInfo, sizeof (ProcessInfoRec),
+			kApplicationUpTimeEntropy);
+}
+
+void CRandomizer::AddStartupVolumeInfo (void)
+{
+	short			vRefNum;
+	long			dirID;
+	XVolumeParam	pb;
+	OSErr			err;
+	
+	if (!mSupportsLargeVolumes)
+		return;
+		
+	FindFolder (kOnSystemDisk, kSystemFolderType, kDontCreateFolder,
+			&vRefNum, &dirID);
+	pb.ioVRefNum = vRefNum;
+	pb.ioCompletion = 0;
+	pb.ioNamePtr = 0;
+	pb.ioVolIndex = 0;
+	err = PBXGetVolInfoSync (&pb);
+	if (err != noErr)
+		return;
+		
+	// Base the entropy on the amount of space used on the disk and
+	// on the next available allocation block. A lot else might be
+	// unpredictable, so might as well toss the whole block in. See
+	// comments for entropy estimate justifications.
+
+	AddBytes (&pb, sizeof (pb),
+		kVolumeBytesEntropy +
+		log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi)
+				* 4294967296.0D +
+			(pb.ioVTotalBytes.lo - pb.ioVFreeBytes.lo))
+				/ pb.ioVAlBlkSiz - 3.0));
+}
+
+/*
+	On a typical startup CRandomizer will come up with about 60
+	bits of good, unpredictable data. Assuming no more input will
+	be available, we'll need some more lower-quality data to give
+	OpenSSL the 128 bits of entropy it desires. AddFiller adds some
+	relatively predictable data into the soup.
+*/
+
+void CRandomizer::AddFiller (void)
+{
+	struct
+	{
+		ProcessSerialNumber psn;	// Front process serial
+						// number
+		RGBColor	hiliteRGBValue;	// User-selected
+						// highlight color
+		long		processCount;	// Number of active
+						// processes
+		long		cpuSpeed;	// Processor speed
+		long		totalMemory;	// Total logical memory
+						// (incl. virtual one)
+		long		systemVersion;	// OS version
+		short		resFile;	// Current resource file
+	} data;
+	
+	GetNextProcess ((ProcessSerialNumber*) kNoProcess);
+	while (GetNextProcess (&data.psn) == noErr)
+		data.processCount++;
+	GetFrontProcess (&data.psn);
+	LMGetHiliteRGB (&data.hiliteRGBValue);
+	Gestalt (gestaltProcClkSpeed, &data.cpuSpeed);
+	Gestalt (gestaltLogicalRAMSize, &data.totalMemory);
+	Gestalt (gestaltSystemVersion, &data.systemVersion);
+	data.resFile = CurResFile ();
+	
+	// Here we pretend to feed the PRNG completely random data. This
+	// is of course false, as much of the above data is predictable
+	// by an outsider. At this point we don't have any more
+	// randomness to add, but with OpenSSL we must have a 128 bit
+	// seed before we can start. We just add what we can, without a
+	// real entropy estimate, and hope for the best.
+
+	AddBytes (&data, sizeof(data), 8.0 * sizeof(data));
+	AddCurrentMouse ();
+	AddNow (1.0);
+}
+
+//-------------------  LOW LEVEL ---------------------
+
+void CRandomizer::AddBytes (void *data, long size, double entropy)
+{
+	RAND_add (data, size, entropy * 0.125);	// Convert entropy bits
+						// to bytes
+}
+
+void CRandomizer::AddNow (double millisecondUncertainty)
+{
+	long time = SysTimer();
+	AddBytes (&time, sizeof (time), log2l (millisecondUncertainty *
+			mTimebaseTicksPerMillisec));
+}
+
+//----------------- TIMING SUPPORT ------------------
+
+void CRandomizer::GetTimeBaseResolution (void)
+{	
+#ifdef __powerc
+	long speed;
+	
+	// gestaltProcClkSpeed available on System 7.5.2 and above
+	if (Gestalt (gestaltProcClkSpeed, &speed) != noErr)
+		// Only PowerPCs running pre-7.5.2 are 60-80 MHz
+		// machines.
+		mTimebaseTicksPerMillisec =  6000.0D;
+	// Assume 10 cycles per clock update, as in 601 spec. Seems true
+	// for later chips as well.
+	mTimebaseTicksPerMillisec = speed / 1.0e4D;
+#else
+	// 68K VIA-based machines (see Develop Magazine no. 29)
+	mTimebaseTicksPerMillisec = 783.360D;
+#endif
+}
+
+unsigned long CRandomizer::SysTimer (void)	// returns the lower 32
+						// bit of the chip timer
+{
+#ifdef __powerc
+	return GetPPCTimer (mIs601);
+#else
+	UnsignedWide usec;
+	Microseconds (&usec);
+	return usec.lo;
+#endif
+}
+
+#ifdef __powerc
+// The timebase is available through mfspr on 601, mftb on later chips.
+// Motorola recommends that an 601 implementation map mftb to mfspr
+// through an exception, but I haven't tested to see if MacOS actually
+// does this. We only sample the lower 32 bits of the timer (i.e. a
+// few minutes of resolution)
+
+asm unsigned long GetPPCTimer (register bool is601)
+{
+	cmplwi	is601, 0	// Check if 601
+	bne	_601		// if non-zero goto _601
+	mftb  	r3		// Available on 603 and later.
+	blr			// return with result in r3
+_601:
+	mfspr r3, spr5  	// Available on 601 only.
+				// blr inserted automatically
+}
+#endif

MacOS/Randomizer.h

@@ -0,0 +1,42 @@
+
+// Gathers unpredictable system data to be used for generating
+// random bits
+
+#include <MacTypes.h>
+
+class CRandomizer {
+ public:
+    CRandomizer(void);
+    void PeriodicAction(void);
+
+ private:
+
+    // Private calls
+
+    void AddTimeSinceMachineStartup(void);
+    void AddAbsoluteSystemStartupTime(void);
+    void AddAppRunningTime(void);
+    void AddStartupVolumeInfo(void);
+    void AddFiller(void);
+
+    void AddCurrentMouse(void);
+    void AddNow(double millisecondUncertainty);
+    void AddBytes(void *data, long size, double entropy);
+
+    void GetTimeBaseResolution(void);
+    unsigned long SysTimer(void);
+
+    // System Info
+    bool mSupportsLargeVolumes;
+    bool mIsPowerPC;
+    bool mIs601;
+
+    // Time info
+    double mTimebaseTicksPerMillisec;
+    unsigned long mLastPeriodicTicks;
+
+    // Mouse info
+    long mSamplePeriod;
+    Point mLastMouse;
+    long mMouseStill;
+};

MacOS/TODO

@@ -0,0 +1,18 @@
+-------------------------------------------------------------------
+Verify server certificate
+-------------------------------------------------------------------
+Currently omitted from the project:
+
+	crypto/tmdiff.c
+	crypto/bio/bss_conn.c
+	crypto/bio/b_sock.c
+	crypto/bio/bss_acpt.c
+	crypto/bio/bss_log.h
+
+-------------------------------------------------------------------
+Build libraries to link with...
+-------------------------------------------------------------------
+Port openssl application.
+-------------------------------------------------------------------
+BN optimizations (currently PPC version is compiled with BN_LLONG)
+-------------------------------------------------------------------

MacOS/_MWERKS_GUSI_prefix.h

@@ -0,0 +1,9 @@
+#include <MacHeaders.h>
+#define B_ENDIAN
+#ifdef __POWERPC__
+# pragma longlong on
+#endif
+#if 1
+# define MAC_OS_GUSI_SOURCE
+#endif
+#define MONOLITH

MacOS/_MWERKS_prefix.h

@@ -0,0 +1,9 @@
+#include <MacHeaders.h>
+#define B_ENDIAN
+#ifdef __POWERPC__
+# pragma longlong on
+#endif
+#if 0
+# define MAC_OS_GUSI_SOURCE
+#endif
+#define MONOLITH

MacOS/buildinf.h

@@ -0,0 +1,5 @@
+#ifndef MK1MF_BUILD
+# define CFLAGS        "-DB_ENDIAN"
+# define PLATFORM      "macos"
+# define DATE          "Sun Feb 27 19:44:16 MET 2000"
+#endif

MacOS/mklinks.as.hqx

@@ -0,0 +1,820 @@
+(This file must be converted with BinHex 4.0)
+
+:#QeVE'PZDh-ZBA-!39"36'&`E(3J!!!!!!!!!*LiI6m!!!!!!3!!!*G#!!#@3J!
+!!AChFQPd!!!!K3)"!3m(Fh9`F'pbG!!!!)B#!3%$"(0eFQ8!!!#(!J-%"!3("3C
+cGfPdBfJ!!!#)!J%"#39cH@jMD!!!!)N#"J%$!`-&"3-'FhPcG'9Y!!!!LJ)&"3)
+%!J8("!-#!`4dB@*X!!!!L`))!3-$!`-$!`-$"(4PE'`!!!#-!J)"#38$G'KP!!!
+!M3))(J)@!Ki#!J))!K)#!`)B!Kd%G'KPE3!!!)i#!J%&#`4dD'9j!!!!M`)#!J)
+#$3TdD(*[G@GSEh9d!!!!N!!#!3%&"(4TCQB!!!#4!J%"!`4dD@eP!!!!NJ)"!JS
+#!h4T!!!!'N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!H!!!!!!!#!!!!!!
+!!!!!!!!!!!!!rrrrr`!!!$3!!!!N!!!!!#"[!!5JAb"[!!5K++!M6R9$9'mJFR9
+Z)(4SDA-JFf0bDA"d)'&`F'aTBf&dD@pZ,#"jEh8JEA9cG#"QDA*cG#"TER0dB@a
+X)%&`F'aP8f0bDA"d,J!!!)C8D'Pc)(0MFQP`G#"MFQ9KG'9c)#iZ,fPZBfaeC'8
+[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@aTBA0PFbi0$8P
+d)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9KFf8JBQ8JF'&
+dD@9ZG$SY+3!!!#S!!J!!!!!!$3!+!"!!!!!-!!!!!!!!!!!!63!0!!S!%!%!!!`
+!!!!!!!!!!!!B!!!!+!!!!!!!!!!)!!!!)!#N2c`!!DR`!!!!l!!!!!&19[ri,`0
+f!#m$-$bKVDG'*KmY52ri,`-`2+LITdBQ(b!ZrrLa`'FJ,`-J2'0`ER4"l[rm)NL
+KV5+)*Kp+3'B)5Ulrr'F#GJ%3!bBZrr41ANje6PB!!#m-@Bm[2%j29%Nr2!#!U"m
+SAb!-CJK`!cm!UFKJ+#m-UC)J9#!)d+J!'#&!!"JJ9#!)d+J!(#&!!"a9Mbm8)&q
+JAMk!9%mSE[rm6Pj1G8j@!!![$%kkre4+!'FU@Bm[2'&`E(3[2(0MF(4`)DJU+&m
+J$'F5@Bm[$#mm!!!!!A!!U#UTp&K26VVrG#KZrra1ANje!!!!('&`E(3!!!!"4P*
+&4J!!!!!!J%P$6L-!!!!!!*B!!!!"!!!!!!G"8&"-!!!!!!!"!!!"!!!!!S!!!!4
+!!!"i)!!!K"!!!3))!!)#"!!%"!)!#!J"!"!8!)!J)J"!3%%!)2#!J"#*!%!)KJ!
+J")3!)!*!!"!")!!3!K!!%!3)!"!)"!!J%!)!3#!"!)"!!S%!J!5#!3!)4!)!#%J
+%!!KB#!!%C"!!!m)J!!!"3!!!!)!!!!%!!!!$J!!!"m!!!(rJ!!$rm!!"rrJ!!rr
+m!!IrrJ!2rrm!(rrrJ$rrrm"rrrrJrrrrm2rrrrMrrrrmrrrrrRrrrrmrrrrq(rr
+rr!rrrrJ(rrr`!rrri!(rrm!$rrq!"rrr!!rrrJ!2rr`!$rri!!IRm!!$`q!!!!(
+!!!!!J!!!!!)!!!!!!!!!!!m!!!!!!!!!!!!!!!!!!!$`m!!!!!!!!!!!!!!!!!!
+2!!m!!!!!!!!!!!!!!!rrm!!!m!!!!!!!!!!!!!$`c0m!!!m!!!!!!!!!!!!2!!c
+-m!!!m!!!!!!!!!!!m!$-cI!!!!m!!!!!!!!!$`!-c0m!!!!!m!!!!!!!!2!!c-h
+`!!!!!!m!!!!!!!m!$-cIh`!!!!!!m!!!!!$`!-c0rGh`!!!!!!m!!!!2!!c-hph
+-h`!!!!!!m!!!rrr-cIhF`-h`!!!!!!m!!2lFr0rGc!`-h`!!!!!!m!$pc-rph-$
+!`-h`!!!!!!m!r-`2cF`-$!!-r3!!!!!!m!m!`-c!`-!!$0m!!!!!$-m!m!`-$!`
+!!-cI!!!!!-c`!!m!`-$!!!`-h`!!!!c2!!!!m!`-!!$!c0m!!!$-m!!!!!m!`!!
+-$-hm!!!-c`!!!!!!m!!!`-cIc!!!c2!!!!!!!!m!$!c0r-`!$-m!!!!!!!$pm-$
+-hmc!!-c`!!!!!!!2hI`-cIc-!!c2!!!!!!!!rGc2c0r-`!$-m!!!!!!!!2h-cmh
+mc!!-c`!!!!!!!!$mc!rIr-!!c2!!!!!!!!!!$m$2m!r-$-m!!!!!!!!!!!$rr`!
+!r-c`!!!!!!!!!!!!!!!!!!r2!!!!!!!!!!!!!!!!!!!!m!!!!!!!!!!!!!"!!B!
+13"%J)4"##18%Q)+3!%&!)5!L%%3BL#83*L!G3!#!!B!2`"rJ2r"rq2rmrrlrrhr
+r2riIr"ri2r!ri"h!!)!!!!#!!!!!$r!!!!!!!2r`$`!!!!!2$!m!m!!!!2$!c`!
+2!!!2$!c`!!$`!2r`cpm!!!m!rGrpc2!!!2$p$p`-c`!!$`m!`-$0m!$2!2!-$-h
+`$2!!$`$-hm$2!!!2m-hm$2!!!2h2hm$2!!!!r-rm$2!!!!!2r`r2!!!!!!!!!2!
+!!!!!!!#D8f0bDA"d)%&`F'aTBf&dD@pZ$3e8D'Pc)(0MFQP`G#"MFQ9KG'9c)#i
+Z,fPZBfaeC'8[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@a
+TBA0PFbi0$8Pd)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9
+KFf8JBQ8JF'&dD@9ZG$SY+3!!!")!!J!!!!!!!!!!!!%!"J!'%iN!!!!+@1!!!b!
+!!!-J!!!!!"3!+`!(!Cm#@!!V!!F"f!*B!!!!!3!!M`C'BA0N98&6)$%Z-6!a,M%
+`$J!!!!32rrm!!3!#!!-"rrm!!!d!!3!"D`!!!!!!!!!%!J!%!!)!"3!'$3!&!!*
+X!!)!!!U`!!IrrJd!"`!#6`!!!!!+X!!)!!N0!!J!!@X!!!!%#Um!#J)!#J!#!!X
+!$!d!#`!#E!!#!!3!"2rprr`"rrd!!!(rr!!!!J!-!!)!$3!1$3!0!!*X!!%!"!!
+%rrX!$`(rq`!!$!!2!&N!8b"(CA3JF'&dD#"dEb"dD'Pc)%&`F'aP8f0bDA"d)'&
+`F'aPG$XJGA0P)'Pd)(4[)'C[FQdJG'KP)("KG'JJG'mJG'KP)'PZBfaeC'8JCQp
+XC'9b!!)!!!)!$J!#!"!!%3d!%!!#E!!"!!3!"2rk!")"rrS!!!`!%J!Q!#!JB@j
+N)(4SC5"[G'KPFL"bC@aPGQ&ZG#"QEfaNCA*c,J!#!!!#!"%!!J!6!"30!"-!!R-
+!!!!%!"%!&3!@$3!9!!*M!!!!"!!1!"F!'!d!&`!#E!!&!!3!$!!CrrN0!"N!!Qi
+!!!!%!!`!'J!E$3!D!!)d!!!!"3!-rrJ!(!Vrq!!%#Q0[BQS0!"`!!Q`!"3!'!!X
+!(Irh$3!G!!0*!!)!"J!,rrB!([re#[rf!"JZC@&bFfCQC(*KE'Pc!!!!!!!!)!"
+KCQ4b$3!H!!"Q!!!!"J!(![re!!!"rrF!!!d!'`!"E3!!!!3!"3!I$`!I!6J)ER9
+XE!!!!!!!!Gq!rrm!!!!A"NCTEQ4PFJ!!(`*[Me!!ASfm!Qq,i!"HA[!!I&M!!!!
+!!!!!'mi!!JN#!Qq-1!!!Kb%#Ei`J!!!!!%C14&*038e"3e-!!"%!B@aTF`!!!!!
+!fJ!#!!!-6@&MD@jdEh0S)%K%!!!!!!!!!!!!!!!!!!!!XSA5h%*%!!!!!!!A"NC
+TEQ4PFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!3rLc#@a!4Nj%8Ne"3e2rrrrr!!!!!!!!!!!!!!!!!!!
+!!!!!!!e6HA0dC@dJ4QpXC'9b!!!"!!3!!!!A!!)!)8eKBfPZG'pcD#")4$T6HA0
+dC@dJ4QpXC'9b1NCTEQ4PFJ$rr`!!!Irj!!!0!"J!!@d!!!!-!!hrp!Vrp!!%#Q0
+dH(30!"B!!@m!!!!!!!$rm`[rm`!5-!!(G'KPF'&dD!!(G'KP8'&dD!)!&!!#!#!
+!)3d!)!!#E!!#!")!%[rbrr%"rr)!!!(rm3!!!J!K!!)!)J!M$3!L!!*b!!!!%J!
+A!#3!*3d!*!!#EJ!$!")!&3!Q!#F0!#B!!6%!!!!6!"Arm!Vrm!!%#R4iC'`0!#F
+!!6%!!!!5!"2rl`Vrl`!%#Q&cBh)0!#8!!@m!!!!!!!$rlJ[rlJ!F-!!-G'KPEfa
+NC'9XD@ec!!adD'92E'4%C@aTEA-#!#-!!J!S!#N0!#J!!R)!!!!B!"d!+J!V$3!
+U!!&Y!!!!'!!C!#`-!#`!"`!"1J!#!!!0!#X!!Qi!!`!!!!!!,3!Z$3!Y!!%a!!!
+!'J!Frqd+rqd!"!TdH'4X$3!Z!!%a!!!!'3!Drq`+rq`!"!TKFf0b!J!T!!)!,`!
+`$3![!!*X!!)!(J!Hrq[rkJ(rk`!!!IrU!!!#!$!!!J!a!$)0!$%!!R)!!!!H!#X
+!-`!d$3!c!!*X!!8!(J!T!$Ark3d!03!#EJ!!!"i!+3!f!$F0!$B!!cF"!!!I!#R
+rk!!i!$N+rqJ!"!TMDA4Y$3!i!!&Y!!!!)`!PrqF$rqF!!3d!13!"E3!!!#B!+2r
+Q!rrQrrd0!$F!!@m!!!!H!"rrj3[rj3!5-!!(G'KPF'&dD!!(G'KP8'&dD!(rk3!
+!$3!d!!&[!!!!!!!!rq3,rq3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0
+d8'&dD!)!-J!#!$S!1`d!1J!#FJ!!!#`!1`!m!$d0!$`!!Q-!!!!X!$N!2J!r$3!
+q!!*X!!8!,!!h!%$ri`d!3!!#EJ!!!#`!0`""!%)0!%%!!cF"!!!Y!$IriJ"$!%3
++rq)!"!TMDA4Y$3"$!!&Y!!!!-3!crq%$rq%!!3d!4!!"E3!!!$3!0[rJ!rrJrri
+0!%)!!@m!!!!X!#hrh`[rh`!5-!!(G'KPF'&dD!!(G'KP8'&dD!(ri`!!$3!r!!&
+Y!!!!0`!irpi+rpi!"!T849K8$3!p!!&[!!!!!!!!rpd,rpd!&M!!#A4SC@ePF'&
+dD!!*G'KP6@93BA4S!J!l!!)!43"'$3"&!!*X!!)!2!!mrpcrf`(rh!!!!IrE!!!
+#!%B!!J"(!%J0!%F!!R)!!!!m!%8!53"+$3"*!!*M!!!!2!""!%X!6!d!5`!#BJ!
+!!$`!2`"0!%i0!%d!!@m!!!!m!$hrfJ[rfJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4
+SC9"bEfTPBh43BA4S$3"1!!&Y!!!!23!q!%m-!%m!$3!(D@jME(9NC3!#!!!0!%`
+!!@d!!!!r!%$rf3Vrf3!%#P4&@&30!%S!!@m!!!!!!!$rf![rf!!Q-!!4D@jME(9
+NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S!J")!!)!8!"4$3"3!!*b!!!
+!4J"9!&)!8`d!8J!#B`!!!%B!83"8!&80!&3!!Q)!!!"'!%m!9J"A$3"@!!*L!!!
+!4J",!&J!@3d!@!!"E`!!!%B!4rrA#rrA!#!`!!jdD'9`FQpUC@0dF'&dD!!1G'K
+P8(*[DQ9MG&"KG'J0!&N!!@d!!!"(!%S!@J`!@J!0!!GTEQ0XG@4P!!)!!!d!9`!
+"E3!!!%X!6J"E$!"E!!d!"fp`C@jcFf`!!J!!$3"9!!&Y!!!!6`"3rpB+rpB!"!T
+849K8$3"6!!&[!!!!!!!!rp8,rp8!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S!J"4!!)!A!"G$3"F!!*b!!!!9J"
+K!&i!A`d!AJ!#B`!!!&B!A3"J!'%0!'!!!Q)!!!"@!&X!BJ"M$3"L!!&[!!!!9J"
+Arp3,rp3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0d8'&dD!d!B`!"E3!
+!!&F!@J"N$!"N!!`!"Q0bHA"dE`!#!!!0!'%!!@d!!!"E!&crd`Vrd`!%#P4&@&3
+0!&m!!@m!!!!!!!$rdJ[rdJ!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
+XC'9b8'&dD!)!A3!#!'8!CJd!C3!#FJ!!!')!E3"R!'J0!'F!!Q-!!!"L!'N!D3"
+U$3"T!!*L!!!!BJ"R!'X!E!d!D`!"E`!!!')!Brr4#rr4!#!`!!jdD'9`FQpUC@0
+dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!'`!!@d!!!"M!'B!E3`!E3!*!!0cFf`!!J!
+!$3"U!!&Y!!!!C`"Srp!+rp!!"!T849K8$3"S!!&[!!!!!!!!rmm,rmm!(M!!$A0
+cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J#!'B!!J"Z!'m0!'i!!R)!!!"Z!(8
+!F!"a$3"`!!*M!!!!EJ"a!()!F`d!FJ!"E`!!!'i!Err1#rr1!#!`!!jdD'9`FQp
+UC@0dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!(-!!@d!!!"[!($rc3Vrc3!%#P4&@&3
+0!(%!!@m!!!!!!!$rc![rc!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p`C@jcFfa
+'EfaNCA*3BA4S!J"[!!)!G!"e$3"d!!*X!!)!GJ"frm[rbJ(rb`!!!Ir+!!!#!(8
+!!J"f!(F0!(B!!R)!!!"f!(X!H!"j$3"i!!&[!!!!GJ"hrmN,rmN!($!!$(4SC@p
+XC'4PE'PYF`!-G'KP6faN4'9XD@ec$3"j!!*Z!!-!!!!!!(S!H`d!HJ!"-3!!!(J
+!H[r)#[r)!!3+G(KNE!d!H`!"-3!!!(F!H2r(#[r(!!3+BA0MFJ)!G`!#!(`!I3d
+!I!!#E!!#!(`!I2r'rm8"rmB!!!(ra3!!!J"p!!)!IJ"r$3"q!!*X!!%!I!"mrm3
+!J!(ra!!!$!#!!%!!1L"NC@aPG'8JEfaN)'PZBfaeC'8kEh"PER0cE#"QEfaNCA)
+JB@jN)(*PBh*PBA4P)'Pd)'0XC@&ZE(N!!J!!!J"r!!)!J3##$3#"!!*X!!)!I!"
+mrm2r`J(r``!!!Ir#!!!#!))!!J#$!)30!)-!!e%!!!"m!+8!K3#'!)F0!)8!!@X
+!!!"r!*`!L!)!L!!#!)N!LJd!L3!$53!#!(m!N[r"!)[r`!Vr`3!B,QeTFf0cE'0
+d+LSU+J!!!!!!!*!!!#SU+LS0!)X!!Qi!!!"r!)i!M!#0$3#-!!)d!!!!K`#1rlm
+!MJVr[`!%#Q0QEf`0!)i!!@d!!!#+!)d!M``!M`!0!!G[F'9ZFh0X!!)!!!d!M3!
+#0!!!!(m!Krqq!*!!#[qq!!3+BfC[E!d!N!!!!@m!!!#$!)Er[3[r[3!Q-!!4D@j
+ME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S![r!!!!#!)S!!J#4rl`
+0!*%!!dN!!J#6!*crZ`#5rlS+rlX!'#jMEh*PC'9XEbSU+LS!!!!!!!#3!!!U+LS
+U$3#5!!%a!!!!N`#BrlN+rlN!"!TcC@aP![qk!!!#rl`!!!d!KJ!$8J!!!!!!!2q
+irlIrYJVrZ!!B,Q&cBh*PFR)J+LSU+J!!!!!!!*!!!#SU+LS"rlF!!!,rYJ!!$3#
+(!!*X!!%!T!#Nrl8!N`(rY3!!$!#6!"-!$5"TCfj[FQ8JCA*bEh)!!J!!!J#%!!)
+!P!#9$3#8!!*X!!)!TJ#Qrl6rX`(rY!!!!Iqc!!!#!*8!!J#@!*F0!*B!!dN!!J#
+Q!,lrX[qa!*J+rl)!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Iqa!!!'!*J
+!!rq`!*N!QJVrX!!%#QY[Bf`0!*N!!@d!!!#U!+hrV`VrV`!%#Q0QEf`'!*S!!rq
+Z!*[rV3VrVJ!%#QPZFfJ0!*X!!M3!!!#`!,MrV!#F#[qX!!3+BfC[E!d!R!!"E`!
+!!,3!YrqV#rqV!#B`!"&TEQ0XG@4PCQpXC'9bF'&dD!!4D@jME(9NC8C[E'4PFP"
+KG'J'rkd!!!)!P`!#!*d!RJd!R3!#FJ!!!,m!aJ#I!+!0!*m!!Q`"!!#r!-)!SIq
+U$3#K!!%a!!!![`$#rkN+rkN!"!TbFfad!IqU!!!0!+!!!@m!!!!!!!$rU![rU!!
+Z-!!9G'KPEQ9hCQpXC'9bFQ9QCA*PEQ0P!"9dD'91CAG'EfaNCA*5C@CPFQ9ZBf8
+#!*i!!J#L!+-0!+)!!dN!!J$(!-lrT`#NrkB+rkF!'#jYDA0MFfaMG#SU+LS!!!!
+!!!#3!!!U+LSU$3#N!!&[!!!!a`$+rk8,rk8!,M!!&A4SC@jPGfC[E'4PFR*PCQ9
+bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P![qQ!!!#!+-!!J#P!+B0!+8!!R)
+!!!$2!0`!T`#S$3#R!!&Y!!!!c`$5!+N-!+N!$3!(Eh"PER0cE!!#!!!0!+J!!Qi
+!!!!!!!!!UJ#V$3#U!!%a!!!!e`$Erk3+rk3!"!T`EQ&Y$3#V!!%a!!!!dJ$Ark-
++rk-!"!TcC@aP!J#Q!!)!V!#Y$3#X!!*X!!)!h3$Grk,rS3(rSJ!!!IqK!!!#!+d
+!!J#Z!+m0!+i!!Q`!!3$G!0hrS!#`!IqJ!!!-!,!!(`!C)&0dBA*d)'eKDfPZCb"
+dD'8JB@aTBA0PF`!#!!!#!+m!!J#a!,)0!,%!!dN!!J$G!3ArRrqH!,-+rjm!'#j
+MEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!IqH!!!'!,-!!rqG!,3!Y3VrR3!%#QY
+[Bf`0!,3!!@d!!!$K!16rR!VrR!!%#Q&XD@%'!,8!!rqE!,B!Y`VrQ`!%#QPZFfJ
+0!,B!!M3!!!$R!1rrQJ#i#[qD!!3+BfC[E!d!Z!!"E`!!!1X!l[qC#rqC!$3`!"K
+[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
+dD!B!Y`!$rjJ!ZIqA#[qB!!3+G'mJ)!d!Z3!#EJ!!!2)!r`#k!,X0!,S!!M3!!!$
+i!2rrPJ#m#[q@!!3+CQPXC3d![!!"E3!!!2X!rJ#p$!#p!"-!$@p`C@jcFfaMEfj
+Q,QJ!!J!!$3#l!!)d!!!!mJ$irj8![JVrP3!%#Q0QEf`0!,i!!@m!!!$f!2IrP![
+rP!!@-!!*G'KPE@9`BA4S!!PdD'90C9"KG'J'rjF!!!)!XJ!#!,m!`!d![`!#E!!
+#!3B""[q6rj)"rj-!!!(rNJ!!!J$!!!)!`3$#$3$"!!*b!!!""J%4!--!a!d!``!
+#BJ!!!3B"$3$&!-B0!-8!!@m!!!%'!3RrN3[rN3!N-!!3Bh*jF(4[CQpXC'9bF'&
+dD!!3Bh*jF(4[4QpXC'9b8'&dD!d!aJ!"E3!!!3N"$!$($!$(!!X!"6TKFfia!!)
+!!!d!a!!"E`!!!!!!!2q3!![rN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!`J!
+#!-J!b3d!b!!$53!#!4)"22q2rii!bJVrM`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!
+!!'jeE'`"rii!!!B!bJ!$rid!b`$-#[q0!!3+DfpME!d!b`!"E3!!!4B"'Iq-#[q
+-!!3+B@aTB3B!c!!$riX!c3$1#[q,!!3+D@jcD!d!c3!#0!!!!4`"*2q+!-m+riS
+!"!TMCQpX$3$2!!&[!!!")!%MriN,riN!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9
+bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J$1!!2rL!$3riF+riJ!"!T
+dEb!J$3$3!!*Z!!!"*`%f!0%!dJd!d3!#0!!!!5m"0[q'!0-+riB!"!TQD@aP$3$
+6!!&Y!!!"-J%e!03-!03!$!!'BA0Z-5jS!!)!!!d!dJ!#0!!!!5F",rq&!08+ri8
+!"!TMCQpX$3$9!!&[!!!"+`%Zri3,ri3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!E
+rK`!!!J$*!!)!eJ$A$3$@!!0*!!)"23&Rri2rJJ$B#[q$!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(rJJ!!"J$B!!2rJ3$C!0S+ri%!"!TVEf0X$3$C!!&Y!!!
+"33&%ri!+ri!!"!TKE'PK"J$D!!2rI`$E!0`+rhm!"!TTER0S$3$E!!)d!!!"4`&
+2rhi!h3VrIJ!%#Q0QEf`0!0d!!@m!!!&,!8lrI3[rI3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!0`!!rpm!0l
+rH`VrI!!%#R4[)#!0!0i!!Qi!!!&5!@%!h`$J$3$I!!)d!!!"@J&KrhS!i3VrHJ!
+%#QCTE'80!1%!!@d!!!&G!@!!iJ`!iJ!3!!TKFfiaAfeKBbjS!!)!!!d!i!!#0!!
+!!9)"@[pj!1-+rhN!"!TMCQpX$3$M!!&[!!!"9J&CrhJ,rhJ!&$!!#(4PEA"`BA4
+S!!KdC@e`8'&dD!ErH`!!!J$A!!)!j!$P$3$N!!*X!!)"D!&SrhIrGJ(rG`!!!Ip
+f!!!#!18!!J$Q!1F0!1B!!R)!!!&S!A-!k!$T$3$S!!*L!!!"D!&[!1S!k`d!kJ!
+"E`!!!@J"Drpe#rpe!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*
+3BA4S$3$V!!&Y!!!"D`&Z!1`-!1`!#J!%1Q*TE`!#!!!0!1N!!@m!!!!!!!$rG![
+rG!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J$R!!)!l3$Z$3$Y!!0*!!)"G!'Hrh2
+rFJ$[#[pc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(rFJ!!"J$[!!2rF3$
+`!2%+rh%!"!TVEf0X$3$`!!&Y!!!"H!&lrh!+rh!!"!TKE'PK"J$a!!2rE`$b!2-
++rfm!"!TTER0S$3$b!!)d!!!"IJ''rfi!p!VrEJ!%#Q0QEf`0!23!!@m!!!'#!BA
+rE3[rE3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!2-!!rpX!2ArD`VrE!!%#R4[)#!0!28!!Qi!!!'*!CJ!pJ$
+h$3$f!!)d!!!"N3'BrfS!q!VrDJ!%#QCTE'80!2J!!@d!!!'8!CF!q3`!q3!,!!9
+LD@mZD!!#!!!0!2F!!M3!!!'*!C(rD3$k#[pT!!3+BfC[E!d!qJ!"E`!!!Bd"N!$
+rD![rD!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[pV!!!#!1i!!J$l!2`0!2X!!Q`
+!!J'I!CrrCrpQ!IpR!!!"rfB!!!)!r!!#!2d!rJd!r3!#FJ!!!Cm"UJ$r!3!0!2m
+!!Q)!!!'I!DB"!3%#$3%"!!&[!!!"R`'Lrf8,rf8!*$!!%'0bHA"dEfC[E'4PFR"
+KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!3)!!@d!!!'L!D8"!``"!`!*!!-kBQB!!J!
+!$3%!!!&[!!!!!!!!rf3,rf3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!rJ!#!33
+""3d""!!$53!#!DX"eIpMrf)""JVrB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
+eE'`"rf)!!!B""J!$rf%""`%)#[pK!!3+DfpME!d""`!"E3!!!Dm"X[pJ#[pJ!!3
++B@aTB3B"#!!$rem"#3%+#[pI!!3+D@jcD!d"#3!#0!!!!E8"[IpH!3X+rei!"!T
+MCQpX$3%,!!&[!!!"Z3'mred,red!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J%+!!2rA!%-reX+re`!"!TdEb!
+J$3%-!!*Z!!!"`!(2!3d"$Jd"$3!#0!!!!FJ"crpD!3m+reS!"!TQD@aP$3%2!!&
+Y!!!"b`(1!4!-!4!!%!!+BQa[GfCTFfJZD!!#!!!0!3i!!M3!!!(!!FMr@3%4#[p
+C!!3+BfC[E!d"%3!"E`!!!F3"arpB#rpB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J
+'reX!!!)""3!#!4)"%`d"%J!#E!!#!GB"e[pAreB"reF!!!(r9J!!!J%6!!)"&!%
+9$3%8!!*b!!!"eJ(K!4B"&`d"&J!#BJ!!!GB"h3%B!4N0!4J!!@m!!!(@!GRr93[
+r93!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"'3!"E3!
+!!GN"h!%D$!%D!!N!!cTLEJ!#!!!0!4F!!@m!!!!!!!$r9![r9!!8-!!)G'9YF("
+KG'J!#(4PEA"3BA4S!J%9!!)"'`%F$3%E!!0*!!)"iJ)-re2r8J%G#[p6!"JZBfp
+bC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r8J!!"J%G!!2r83%H!4m+re%!"!TVEf0
+X$3%H!!&Y!!!"jJ(Tre!+re!!"!TKE'PK"J%I!!2r6`%J!5%+rdm!"!TTER0S$3%
+J!!)d!!!"l!(drdi")JVr6J!%#Q0QEf`0!5)!!@m!!!(`!I2r63[r63!d-!!BEh"
+PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J
+'!5%!!rp-!52r5`Vr6!!%#R4[)#!0!5-!!Qi!!!(h!JB"*!%P$3%N!!)d!!!"r`)
+'rdS"*JVr5J!%#QCTE'80!5B!!@d!!!)#!J8"*``"*`!+!!4LELjS!!)!!!d"*3!
+#0!!!!IF"rrp*!5J+rdN!"!TMCQpX$3%S!!&[!!!"q`(qrdJ,rdJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!Er5`!!!J%F!!)"+3%U$3%T!!*X!!)#$3)0rdIr4J(r4`!
+!!Ip'!!!#!5S!!J%V!5`0!5X!!R)!!!)0!KJ",3%Z$3%Y!!*L!!!#$3)8!5m"-!d
+",`!"E`!!!Jd#%2p&#rp&!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
+NCA*3BA4S$3%`!!&Y!!!#%!)6!6%-!6%!$3!(1Q*eCQCPFJ!#!!!0!5i!!@m!!!!
+!!!$r4![r4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J%X!!)"-J%c$3%b!!0*!!)
+#'3*$rd2r3J%d#[p$!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r3J!!"J%
+d!!2r33%e!6B+rd%!"!TVEf0X$3%e!!&Y!!!#(3)Jrd!+rd!!"!TKE'PK"J%f!!2
+r2`%h!6J+rcm!"!TTER0S$3%h!!)d!!!#)`)Vrci"13Vr2J!%#Q0QEf`0!6N!!@m
+!!!)R!LVr23[r23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!6J!!rmm!6Vr1`Vr2!!%#R4[)#!0!6S!!Qi!!!)
+Z!Md"1`%m$3%l!!)d!!!#0J)prcS"23Vr1J!%#QCTE'80!6d!!@d!!!)j!M`"2J`
+"2J!1!!KLG@CQCA)ZD!!#!!!0!6`!!M3!!!)Z!MEr13%r#[mj!!3+BfC[E!d"2`!
+"E`!!!M)#0Imi#rmi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rcX!!!)"-`!#!8!
+"33d"3!!#E!!#!N3#42mhrcB"rcF!!!(r0J!!!J&"!!)"3J&$$3&#!!*b!!!#4!*
+2!83"43d"4!!#BJ!!!N3#5`&'!8F0!8B!!@m!!!*%!NIr03[r03!N-!!3Bh*jF(4
+[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"4`!"E3!!!NF#5J&)$!&)!!X
+!"6TMBA0d!!)!!!d"43!"E`!!!!!!!2md#rmd!"3`!!KdC@e`F'&dD!!)G'9YF&"
+KG'J#!8-!!J&*!8S0!8N!!dN!!J*3!RVr-rmb!8X+rc-!'#jMEh*PBh*PE#SU+LS
+!!!!!!!#3!!"ZG@aX!Imb!!!'!8X!!rma!8`"63Vr-3!%#QY[Bf`0!8`!!@d!!!*
+8!PIr-!Vr-!!%#Q&XD@%'!8d!!rm[!8i"6`Vr,`!%#QPZFfJ0!8i!!M3!!!*D!Q,
+r,J&3#[mZ!!3+BfC[E!d"8!!"E`!!!Pi#BImY#rmY!$3`!"K[F'9ZFh0XD@jME(9
+NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"6`!$rb`"8Im
+V#[mX!!3+G'mJ)!d"83!#EJ!!!Q8#G!&5!9-0!9)!!M3!!!*Y!R6r+J&8#[mU!!3
++CQPXC3d"9!!"E3!!!R!#F`&9$!&9!!`!"Q0KFh3ZD!!#!!!0!9-!!M3!!!*P!Qh
+r+3&@#[mT!!3+BfC[E!d"9J!"E`!!!QN#E2mS#rmS!"3`!!KdC@e`F'&dD!!)G'9
+YF&"KG'J'rbX!!!)"5J!#!9F"@!d"9`!#E!!#!RX#HrmRrbB"rbF!!!(r*J!!!J&
+B!!)"@3&D$3&C!!*b!!!#H`+'!9X"A!d"@`!#BJ!!!RX#JJ&G!9i0!9d!!@m!!!*
+l!Rlr*3[r*3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
+"AJ!"E3!!!Ri#J3&I$!&I!!X!"6TMEfe`!!)!!!d"A!!"E`!!!!!!!2mN#rmN!"3
+`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!9S!!J&J!@%0!@!!!dN!!J+(!V(r)rmL!@)
++rb-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!ImL!!!'!@)!!rmK!@-"C!V
+r)3!%#QY[Bf`0!@-!!@d!!!+,!Slr)!Vr)!!%#Q&XD@%'!@3!!rmI!@8"CJVr(`!
+%#QPZFfJ0!@8!!M3!!!+4!TRr(J&R#[mH!!3+BfC[E!d"C`!"E`!!!T8#Q2mG#rm
+G!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4Qp
+XC'9b8'&dD!B"CJ!$ra`"D2mE#[mF!!3+G'mJ)!d"D!!#EJ!!!T`#U`&T!@S0!@N
+!!M3!!!+N!U[r'J&V#[mD!!3+CQPXC3d"D`!"E3!!!UF#UJ&X$!&X!!`!"Q0[EA!
+ZD!!#!!!0!@S!!M3!!!+F!U6r'3&Y#[mC!!3+BfC[E!d"E3!"E`!!!U!#SrmB#rm
+B!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'raX!!!)"B3!#!@i"E`d"EJ!#E!!#!V)
+#X[mAraB"raF!!!(r&J!!!J&[!!)"F!&a$3&`!!*b!!!#XJ+p!A)"F`d"FJ!#BJ!
+!!V)#Z3&d!A80!A3!!@m!!!+b!VAr&3[r&3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!
+3Bh*jF(4[4QpXC'9b8'&dD!d"G3!"E3!!!V8#Z!&f$!&f!!X!"6TMEfjQ!!)!!!d
+"F`!"E`!!!!!!!2m8#rm8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!A%!!J&h!AJ
+0!AF!!dN!!J+q!ZMr%rm5!AN+ra-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@a
+X!Im5!!!'!AN!!rm4!AS"H`Vr%3!%#QY[Bf`0!AS!!@d!!!,#!XAr%!Vr%!!%#Q&
+XD@%'!AX!!rm2!A`"I3Vr$`!%#QPZFfJ0!A`!!M3!!!,)!Y$r$J&q#[m1!!3+BfC
+[E!d"IJ!"E`!!!X`#crm0#rm0!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J
+!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"I3!$r``"Irm,#[m-!!3+G'mJ)!d
+"I`!#EJ!!!Y-#iJ'!!B%0!B!!!M3!!!,E!Z,r#J'##[m+!!3+CQPXC3d"JJ!"E3!
+!!Yi#i3'$$!'$!!`!"Q0[EQBZD!!#!!!0!B%!!M3!!!,6!Y[r#3'%#[m*!!3+BfC
+[E!d"K!!"E`!!!YF#f[m)#rm)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r`X!!!)
+"H!!#!B8"KJd"K3!#E!!#!ZN#kIm(r`B"r`F!!!(r"J!!!J''!!)"K`')$3'(!!*
+b!!!#k3,d!BN"LJd"L3!#BJ!!!ZN#m!',!B`0!BX!!@m!!!,T!Zcr"3[r"3!N-!!
+3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"M!!"E3!!!Z`#l`'
+0$!'0!!S!"$TNCA-!!J!!$3'+!!&[!!!!!!!!r`3,r`3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)"L!!#!Bi"M`d"MJ!$53!#![8$(rm$r`)"N!!+r`-!'#jMEh*PBh*
+PE#SU+LS!!!!!!!#3!!"ZG@aX!Im#!!!'!C!!!!2r!3'4!C)+r`%!"!TVEf0X$3'
+4!!&Y!!!#q3,mr`!+r`!!"!TKE'PK"J'5!!2qr`'6!C3+r[m!"!TTER0S$3'6!!)
+d!!!#r`-(r[i"P3VqrJ!%#Q0QEf`0!C8!!@m!!!-$!`Eqr3[qr3!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!C3
+!!rlm!CEqq`Vqr!!%#R4[)#!0!CB!!Qi!!!-+!aN"P`'B$3'A!!)d!!!$%J-Cr[S
+"Q3VqqJ!%#QCTE'80!CN!!@d!!!-9!aJ"QJ`"QJ!,!!9NCA-ZD!!#!!!0!CJ!!M3
+!!!-+!a,qq3'E#[lj!!3+BfC[E!d"Q`!"E`!!!`i$%Ili#rli!"3`!!KdC@e`F'&
+dD!!)G'9YF&"KG'J'r[X!!!)"M`!#!C`"R3d"R!!#E!!#!b!$)2lhr[B"r[F!!!(
+qpJ!!!J'G!!)"RJ'I$3'H!!*b!!!$)!-V!D!"S3d"S!!#BJ!!!b!$*`'L!D-0!D)
+!!@m!!!-J!b2qp3[qp3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9
+b8'&dD!d"S`!"E3!!!b-$*J'N$!'N!!N!!cTND!!#!!!0!D%!!@m!!!!!!!$qp![
+qp!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'I!!)"T3'Q$3'P!!0*!!)$,!0@r[2
+qmJ'R#[lc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(qmJ!!"J'R!!2qm3'
+S!DN+r[%!"!TVEf0X$3'S!!&Y!!!$-!-cr[!+r[!!"!TKE'PK"J'T!!2ql`'U!DX
++rZm!"!TTER0S$3'U!!)d!!!$0J-qrZi"V!VqlJ!%#Q0QEf`0!D`!!@m!!!-k!ch
+ql3[ql3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!DX!!rlX!Dhqk`Vql!!%#R4[)#!0!Dd!!Qi!!!0"!e!"VJ'
+[$3'Z!!)d!!!$5303rZS"X!VqkJ!%#QCTE'80!E!!!@d!!!0-!dm"X3`"X3!+!!4
+ND#jS!!)!!!d"V`!#0!!!!d%$5IlT!E)+rZN!"!TMCQpX$3'b!!&[!!!$430)rZJ
+,rZJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eqk`!!!J'Q!!)"X`'d$3'c!!*X!!)
+$9`0ArZIqjJ(qj`!!!IlQ!!!#!E3!!J'e!EB0!E8!!R)!!!0A!f)"Y`'i$3'h!!*
+L!!!$9`0H!EN"ZJd"Z3!"E`!!!eF$@[lP#rlP!#3`!""MFRP`G'pQEfaNCA*`BA4
+S!""MFRP`G'p'EfaNCA*3BA4S$3'k!!&Y!!!$@J0G!EX-!EX!#J!%1Q4cB3!#!!!
+0!EJ!!@m!!!!!!!$qj![qj!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'f!!)"[!'
+p$3'm!!0*!!)$B`10rZ2qiJ'q#[lM!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(qiJ!!"J'q!!2qi3'r!F!+rZ%!"!TVEf0X$3'r!!&Y!!!$C`0UrZ!+rZ!!"!T
+KE'PK"J(!!!2qh`("!F)+rYm!"!TTER0S$3("!!)d!!!$E30erYi"``VqhJ!%#Q0
+QEf`0!F-!!@m!!!0a!h6qh3[qh3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!F)!!rlF!F6qf`Vqh!!%#R4[)#!
+0!F3!!Qi!!!0i!iF"a3('$3(&!!)d!!!$J!1(rYS"a`VqfJ!%#QCTE'80!FF!!@d
+!!!1$!iB"b!`"b!!,!!9NFf%ZD!!#!!!0!FB!!M3!!!0i!i$qf3(*#[lC!!3+BfC
+[E!d"b3!"E`!!!h`$IrlB#rlB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rYX!!!)
+"[3!#!FS"b`d"bJ!#E!!#!ii$M[lArYB"rYF!!!(qeJ!!!J(,!!)"c!(0$3(-!!*
+b!!!$MJ1C!Fi"c`d"cJ!#BJ!!!ii$P3(3!G%0!G!!!@m!!!11!j(qe3[qe3!N-!!
+3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"d3!"E3!!!j%$P!(
+5$!(5!!S!"$TPFR)!!J!!$3(2!!&[!!!!!!!!rY3,rY3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)"c3!#!G-"e!d"d`!$53!#!jS$a2l6rY)"e3Vqd`!B,Q0[FQ9MFQ9
+X+LSU+J!!!!!!!*!!!'jeE'`"rY)!!!B"e3!$rY%"eJ(A#[l4!!3+DfpME!d"eJ!
+"E3!!!ji$SIl3#[l3!!3+B@aTB3B"e`!$rXm"f!(C#[l2!!3+D@jcD!d"f!!#0!!
+!!k3$V2l1!GS+rXi!"!TMCQpX$3(D!!&[!!!$U!1VrXd,rXd!0$!!''p`C@jcFfa
+TEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J(C!!2
+qc!(ErXX+rX`!"!TdEb!J$3(E!!*Z!!!$V`1q!G`"h3d"h!!#0!!!!lF$[[l+!Gi
++rXS!"!TQD@aP$3(H!!&Y!!!$ZJ1p!Gm-!Gm!#`!&CA*b,QJ!!J!!$3(G!!)d!!!
+$V`1hrXN"i!Vqb3!%#Q0QEf`0!H!!!@m!!!1c!lEqb![qb!!8-!!)G'9YF("KG'J
+!#(4PEA"3BA4S"[l,!!!#!G3!!J(K!H)0!H%!!Q`!!J2&!mAqarl'!Il(!!!"rXB
+!!!)"iJ!#!H-"j!d"i`!#FJ!!!m8$d!(P!HB0!H8!!Q)!!!2&!m`"j`(S$3(R!!&
+[!!!$a32)rX8,rX8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"
+KG'J0!HJ!!@d!!!2)!mX"k3`"k3!+!!3kCAC`!!)!!!d"jJ!"E`!!!!!!!2l%#rl
+%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!H3!!J(U!HX0!HS!!dN!!J24!r[q`rl
+#!H`+rX-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Il#!!!'!H`!!rl"!Hd
+"lJVq`3!%#QY[Bf`0!Hd!!@d!!!29!pMq`!Vq`!!%#Q&XD@%'!Hi!!rkr!Hm"m!V
+q[`!%#QPZFfJ0!Hm!!M3!!!2E!q2q[J(a#[kq!!3+BfC[E!d"m3!"E`!!!pm$i[k
+p#rkp!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4
+P4QpXC'9b8'&dD!B"m!!$rV`"m[kl#[km!!3+G'mJ)!d"mJ!#EJ!!!qB$p3(c!I3
+0!I-!!M3!!!2Z!rAqZJ(e#[kk!!3+CQPXC3d"p3!"E3!!!r%$p!(f$!(f!!X!"@9
+fF#jS!!)!!!d"p!!#0!!!!qB$l[kj!IF+rVN!"!TMCQpX$3(h!!&[!!!$kJ2YrVJ
+,rVJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqZ`!!!J(V!!)"q!(j$3(i!!*X!!)
+$r!2mrVIqYJ(qY`!!!Ikf!!!#!IN!!J(k!IX0!IS!!R)!!!2m"!F"r!(p$3(m!!*
+L!!!$r!3$!Ii"r`d"rJ!"E`!!!r`$rrke#rke!#3`!""MFRP`G'pQEfaNCA*`BA4
+S!""MFRP`G'p'EfaNCA*3BA4S$3(r!!&Y!!!$r`3#!J!-!J!!#`!&1QKYB@-!!J!
+!$3(p!!&[!!!!!!!!rV3,rV3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)"q`!#!J%
+#!Jd#!3!$53!#"!J%-[kcrV)#!`VqX`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
+eE'`"rV)!!!B#!`!$rV%#"!)&#[ka!!3+DfpME!d#"!!"E3!!"!`%$rk`#[k`!!3
++B@aTB3B#"3!$rUm#"J)(#[k[!!3+D@jcD!d#"J!#0!!!"")%'[kZ!JJ+rUi!"!T
+MCQpX$3))!!&[!!!%&J3CrUd,rUd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)(!!2qV!)*rUX+rU`!"!TdEb!
+J$3)*!!*Z!!!%(33X!JS##`d##J!#0!!!"#8%,2kU!J`+rUS!"!TQD@aP$3)-!!&
+Y!!!%+!3V!Jd-!Jd!$!!'D'eKBbjS!!)!!!d##`!#0!!!""d%*IkT!Ji+rUN!"!T
+MCQpX$3)1!!&[!!!%)33NrUJ,rUJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqU`!
+!!J)#!!)#$`)3$3)2!!*X!!)%-`3crUIqTJ(qT`!!!IkQ!!!#!K!!!J)4!K)0!K%
+!!R)!!!3c"$i#%`)8$3)6!!*L!!!%-`3k!K8#&Jd#&3!"E`!!"$-%0[kP#rkP!#3
+`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3)@!!&Y!!!%0J3
+j!KF-!KF!#`!&1QPNC@%!!J!!$3)8!!&[!!!!!!!!rU3,rU3!&$!!#(4PEA"`BA4
+S!!KdC@e`8'&dD!)#%J!#!KJ#'3d#'!!$53!#"$m%DIkMrU)#'JVqS`!B,Q0[FQ9
+MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rU)!!!B#'J!$rU%#'`)F#[kK!!3+DfpME!d
+#'`!"E3!!"%-%4[kJ#[kJ!!3+B@aTB3B#(!!$rTm#(3)H#[kI!!3+D@jcD!d#(3!
+#0!!!"%N%8IkH!Km+rTi!"!TMCQpX$3)I!!&[!!!%6343rTd,rTd!0$!!''p`C@j
+cFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)
+H!!2qR!)JrTX+rT`!"!TdEb!J$3)J!!*Z!!!%9!4M!L%#)Jd#)3!#0!!!"&`%Brk
+D!L-+rTS!"!TQD@aP$3)M!!&Y!!!%A`4L!L3-!L3!$!!'D@4PB5jS!!)!!!d#)J!
+#0!!!"&3%A2kC!L8+rTN!"!TMCQpX$3)P!!&[!!!%@!4ErTJ,rTJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!EqQ`!!!J)C!!)#*J)R$3)Q!!*X!!)%DJ4UrTIqPJ(qP`!
+!!Ik@!!!#!LF!!J)S!LN0!LJ!!R)!!!4U"(8#+J)V$3)U!!*L!!!%DJ4a!L`#,3d
+#,!!"E`!!"'S%EIk9#rk9!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
+NCA*3BA4S$3)Y!!&Y!!!%E34`!Li-!Li!$!!'1QaSBA0S!!)!!!d#+`!"E`!!!!!
+!!2k8#rk8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!LN!!J)[!M!0!Lm!!dN!!J4
+f"+$qNrk5!M%+rT-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ik5!!!'!M%
+!!rk4!M)#-`VqN3!%#QY[Bf`0!M)!!@d!!!4k"(hqN!!+rT!!!!3+B@aTB3B#-`!
+$rSm#0!)e#[k2!!3+D@jcD!d#0!!#0!!!")!%L2k1!MB+rSi!"!TMCQpX$3)f!!&
+[!!!%K!5(rSd,rSd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP0
+66%PZBfaeC'9'EfaNCA*3BA4S"J)e!!2qM!)hrSX+rS`!"!TdEb!J$3)h!!*Z!!!
+%L`5D!MJ#13d#1!!#0!!!"*-%Q[k+!MS+rSS!"!TQD@aP$3)k!!&Y!!!%PJ5C!MX
+-!MX!$3!(E'KKFfJZD!!#!!!0!MN!!M3!!!5,"*2qL3)m#[k*!!3+BfC[E!d#2!!
+"E`!!")m%N[k)#rk)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rSX!!!)#-!!#!Md
+#2Jd#23!#E!!#"+%%SIk(rSB"rSF!!!(qKJ!!!J)q!!)#2`*!$3)r!!*b!!!%S35
+X!N%#3Jd#33!#BJ!!"+%%U!*$!N30!N-!!@m!!!5K"+6qK3[qK3!N-!!3Bh*jF(4
+[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d#4!!"E3!!"+3%T`*&$!*&!!S
+!"$TYC$)!!J!!$3*#!!&[!!!!!!!!rS3,rS3!&$!!#(4PEA"`BA4S!!KdC@e`8'&
+dD!)#3!!#!NB#4`d#4J!$53!#"+d%erk$rS)#5!VqJ`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"rS)!!!B#5!!$rS%#53*+#[k"!!3+DfpME!d#53!"E3!!",%
+%Y2k!#[k!!!3+B@aTB3B#5J!$rRm#5`*-#[jr!!3+D@jcD!d#5`!#0!!!",F%[rj
+q!Nd+rRi!"!TMCQpX$3*0!!&[!!!%Z`5qrRd,rRd!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*-!!2qI!*1rRX
++rR`!"!TdEb!J$3*1!!*Z!!!%`J64!Nm#8!d#6`!#0!!!"-S%dIjk!P%+rRS!"!T
+QD@aP$3*4!!&Y!!!%c363!P)-!P)!#`!&E@3b,QJ!!J!!$3*3!!)d!!!%`J6+rRN
+#8`VqH3!%#Q0QEf`0!P-!!@m!!!6'"-RqH![qH!!8-!!)G'9YF("KG'J!#(4PEA"
+3BA4S"[jl!!!#!NF!!J*8!P80!P3!!Q`!!J6B"0MqGrjf!Ijh!!!"rRB!!!)#93!
+#!PB#9`d#9J!#FJ!!"0J%i`*B!PN0!PJ!!Q)!!!6B"0m#@J*E$3*D!!&[!!!%f!6
+ErR8,rR8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!PX
+!!@d!!!6E"0i#A!`#A!!+!!3kE@3e!!)!!!d#@3!"E`!!!!!!!2jd#rjd!"3`!!K
+dC@e`F'&dD!!)G'9YF&"KG'J#!PF!!J*G!Pi0!Pd!!dN!!J6N"3lqFrjb!Pm+rR-
+!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ijb!!!'!Pm!!rja!Q!#B3VqF3!
+%#QY[Bf`0!Q!!!@d!!!6S"1[qF!VqF!!%#Q&XD@%'!Q%!!rj[!Q)#B`VqE`!%#QP
+ZFfJ0!Q)!!M3!!!6Z"2EqEJ*N#[jZ!!3+BfC[E!d#C!!"E`!!"2)%pIjY#rjY!$3
+`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9
+b8'&dD!B#B`!$rQ`#CIjV#[jX!!3+G'mJ)!d#C3!#EJ!!"2N&#!*Q!QF0!QB!!M3
+!!!8""3MqDJ*S#[jU!!3+CQPXC3d#D!!"E3!!"33&"`*T$!*T!!X!"@eN05jS!!)
+!!!d#C`!#0!!!"2N&!IjT!QS+rQN!"!TMCQpX$3*U!!&[!!!%r38!rQJ,rQJ!&$!
+!#(4PEA"`BA4S!!KdC@e`8'&dD!EqD`!!!J*H!!)#D`*X$3*V!!*X!!)&$`82rQI
+qCJ(qC`!!!IjQ!!!#!Q`!!J*Y!Qi0!Qd!!R)!!!82"4S#E`*`$3*[!!*L!!!&$`8
+@!R%#FJd#F3!"E`!!"3m&%[jP#rjP!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP
+`G'p'EfaNCA*3BA4S$3*b!!&Y!!!&%J89!R--!R-!#`!&1QeNBc)!!J!!$3*`!!&
+[!!!!!!!!rQ3,rQ3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)#EJ!#!R3#G3d#G!!
+$53!#"4X&4IjMrQ)#GJVqB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rQ)
+!!!B#GJ!$rQ%#G`*i#[jK!!3+DfpME!d#G`!"E3!!"4m&)[jJ#[jJ!!3+B@aTB3B
+#H!!$rPm#H3*k#[jI!!3+D@jcD!d#H3!#0!!!"58&,IjH!RX+rPi!"!TMCQpX$3*
+l!!&[!!!&+38XrPd,rPd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"
+PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*k!!2qA!*mrPX+rP`!"!TdEb!J$3*m!!*
+Z!!!&-!8r!Rd#IJd#I3!#0!!!"6J&2rjD!Rm+rPS!"!TQD@aP$3*r!!&Y!!!&1`8
+q!S!-!S!!$!!'E@4M-LjS!!)!!!d#IJ!#0!!!"6!&12jC!S%+rPN!"!TMCQpX$3+
+"!!&[!!!&0!8hrPJ,rPJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq@`!!!J*e!!)
+#JJ+$$3+#!!*X!!)&4J9'rPIq9J(q9`!!!Ij@!!!#!S-!!J+%!S80!S3!!R)!!!9
+'"9%#KJ+($3+'!!*L!!!&4J90!SJ#L3d#L!!"E`!!"8B&5Ij9#rj9!#3`!""MFRP
+`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3+*!!&Y!!!&539-!SS-!SS
+!$J!)1QpLDQ9MG(-!!J!!$3+(!!&[!!!!!!!!rP3,rP3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)#K3!#!SX#M!d#L`!$53!#"9)&I2j6rP)#M3Vq8`!B,Q0[FQ9MFQ9
+X+LSU+J!!!!!!!*!!!'jeE'`"rP)!!!B#M3!$rP%#MJ+2#[j4!!3+DfpME!d#MJ!
+"E3!!"9B&@Ij3#[j3!!3+B@aTB3B#M`!$rNm#N!!#N3Vq6`!%#QPZFfJ0!T!!!!)
+d!!!&A!9NrNi#NJVq6J!%#Q0QEf`0!T)!!@m!!!9J"@2q63[q63!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!T%
+!!rj-!T2q5`Vq6!!%#R4[)#!0!T-!!Qi!!!9R"AB#P!+9$3+8!!)d!!!&E`9frNS
+#PJVq5J!%#QCTE'80!TB!!@d!!!9b"A8#P``#P`!2!!P[BQTPBh4c,QJ!!J!!$3+
+9!!)d!!!&C`9[rNN#Q!Vq53!%#Q0QEf`0!TJ!!@m!!!9V"@lq5![q5!!8-!!)G'9
+YF("KG'J!#(4PEA"3BA4S"[j,!!!#!S`!!J+C!TS0!TN!!Q`!!J9p"Ahq4rj'!Ij
+(!!!"rNB!!!)#QJ!#!TX#R!d#Q`!#FJ!!"Ad&L!+G!Ti0!Td!!Q)!!!9p"B3#R`+
+J$3+I!!&[!!!&I3@!rN8,rN8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC
+[E'4PFP"KG'J0!U!!!@d!!!@!"B-#S3`#S3!+!!3kF'9Y!!)!!!d#RJ!"E`!!!!!
+!!2j%#rj%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!T`!!J+L!U-0!U)!!dN!!J@
+*"E2q3rj#!U3+rN-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ij#!!!'!U3
+!!rj"!U8#TJVq33!%#QY[Bf`0!U8!!@d!!!@0"C!!rN!+rN!!"!TKE'PK"J+Q!!2
+q2`+R!UJ+rMm!"!TTER0S$3+R!!)d!!!&N`@ErMi#U3Vq2J!%#Q0QEf`0!UN!!@m
+!!!@A"CVq23[q23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!UJ!!rim!UVq1`Vq2!!%#R4[)#!0!US!!Qi!!!@
+H"Dd#U`+X$3+V!!)d!!!&TJ@YrMS#V3Vq1J!%#QCTE'80!Ud!!@d!!!@T"D`#VJ`
+#VJ!,!!9`C@dZD!!#!!!0!U`!!M3!!!@H"DEq13+[#[ij!!3+BfC[E!d#V`!"E`!
+!"D)&TIii#rii!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rMX!!!)#S`!#!V!#X3d
+#X!!$53!#"E3&h[ihrMB#XJVq0`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`
+"rMB!!!B#XJ!$rM8#X`+d#[ie!!3+DfpME!d#X`!"E3!!"EJ&Zrid#[id!!3+B@a
+TB3B#Y!!$rM-#Y3+f#[ic!!3+D@jcD!d#Y3!#0!!!"Ei&a[ib!VF+rM)!"!TMCQp
+X$3+h!!&[!!!&`JA&rM%,rM%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!
+BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J+f!!2q-!+irLm+rM!!"!TdEb!J$3+
+i!!*Z!!!&b3AB!VN#ZJd#Z3!#0!!!"G%&f2iZ!VX+rLi!"!TQD@aP$3+l!!&Y!!!
+&e!AA!V`-!V`!$!!'F'9Y-LjS!!)!!!d#ZJ!#0!!!"FN&dIiY!Vd+rLd!"!TMCQp
+X$3+p!!&[!!!&c3A3rL`,rL`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq,`!!!J+
+a!!)#[J+r$3+q!!*X!!)&h`AIrL[q+J(q+`!!!IiU!!!#!Vm!!J,!!X%0!X!!!R)
+!!!AI"HS#`J,$$3,#!!*L!!!&h`AQ!X3#a3d#a!!"E`!!"Gm&i[iT#riT!#3`!""
+MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,&!!&Y!!!&iJAP!XB
+-!XB!$3!(1R"VBh-a-J!#!!!0!X-!!@m!!!!!!!$q+![q+!!8-!!)G'9YF("KG'J
+!#(4PEA"3BA4S!J,"!!)#a`,)$3,(!!0*!!)&k`B9rLIq*J,*#[iR!"JZBfpbC@0
+bC@`U+LSU!!!!!!!!N!!!ER9XE!(q*J!!"J,*!!2q*3,+!XX+rL8!"!TVEf0X$3,
++!!&Y!!!&l`AbrL3+rL3!"!TKE'PK"J,,!!2q)`,-!Xd+rL-!"!TTER0S$3,-!!)
+d!!!&p3AprL)#cJVq)J!%#Q0QEf`0!Xi!!@m!!!Aj"Icq)3[q)3!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!Xd
+!!riJ!Xrq(`Vq)!!%#R4[)#!0!Xm!!Qi!!!B!"Jm#d!,4$3,3!!)d!!!'#!B2rKi
+#dJVq(J!%#QCTE'80!Y)!!@d!!!B,"Ji#d``#d`!1!!K`Df0c-6)ZD!!#!!!0!Y%
+!!M3!!!B!"JMq(3,8#[iG!!3+BfC[E!d#e!!"E`!!"J3'"riF#riF!"3`!!KdC@e
+`F'&dD!!)G'9YF&"KG'J'rKm!!!)#b!!#!Y8#eJd#e3!#E!!#"KB'&[iErKS"rKX
+!!!(q'J!!!J,@!!)#e`,B$3,A!!*b!!!'&JBK!YN#fJd#f3!#BJ!!"KB'(3,E!Y`
+0!YX!!@m!!!B@"KRq'3[q'3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
+XC'9b8'&dD!d#h!!"E3!!"KN'(!,G$!,G!!`!"MT`Df0c0`!#!!!0!YS!!@m!!!!
+!!!$q'![q'!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J,B!!)#hJ,I$3,H!!0*!!)
+')JC-rKIq&J,J#[iA!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(q&J!!"J,
+J!!2q&3,K!Z)+rK8!"!TVEf0X$3,K!!&Y!!!'*JBTrK3+rK3!"!TKE'PK"J,L!!2
+q%`,M!Z3+rK-!"!TTER0S$3,M!!)d!!!',!BdrK)#j3Vq%J!%#Q0QEf`0!Z8!!@m
+!!!B`"M2q%3[q%3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!Z3!!ri3!ZEq$`Vq%!!%#R4[)#!0!ZB!!Qi!!!B
+h"NB#j`,S$3,R!!)d!!!'2`C'rJi#k3Vq$J!%#QCTE'80!ZN!!@d!!!C#"N8#kJ`
+#kJ!0!!G`Df0c0bjS!!)!!!d#k!!#0!!!"MF'2ri0!ZX+rJd!"!TMCQpX$3,V!!&
+[!!!'1`BqrJ`,rJ`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq$`!!!J,I!!)#l!,
+Y$3,X!!*X!!)'63C0rJ[q#J(q#`!!!Ii+!!!#!Zd!!J,Z!Zm0!Zi!!R)!!!C0"PJ
+#m!,a$3,`!!*L!!!'63C8![)#m`d#mJ!"E`!!"Nd'82i*#ri*!#3`!""MFRP`G'p
+QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,c!!&Y!!!'8!C6![3-![3!#`!
+&1R*KEQ3!!J!!$3,a!!&[!!!!!!!!rJJ,rJJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&
+dD!)#l`!#![8#pJd#p3!$53!#"PN'Jri(rJB#p`Vq"`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"rJB!!!B#p`!$rJ8#q!,j#[i&!!3+DfpME!d#q!!"E3!!"Pd
+'B2i%#[i%!!3+B@aTB3B#q3!$rJ-#qJ,l#[i$!!3+D@jcD!d#qJ!#0!!!"Q-'Dri
+#![`+rJ)!"!TMCQpX$3,m!!&[!!!'C`CUrJ%,rJ%!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J,l!!2q!!,prIm
++rJ!!"!TdEb!J$3,p!!*Z!!!'EJCp![i#r`d#rJ!#0!!!"RB'IIhq!`!+rIi!"!T
+QD@aP$3-!!!&Y!!!'H3Cm!`%-!`%!$!!'FQ&ZC#jS!!)!!!d#r`!#0!!!"Qi'G[h
+p!`)+rId!"!TMCQpX$3-#!!&[!!!'FJCerI`,rI`!&$!!#(4PEA"`BA4S!!KdC@e
+`8'&dD!Epr`!!!J,f!!)$!`-%$3-$!!*X!!)'K!D%rI[pqJ(pq`!!!Ihk!!!#!`3
+!!J-&!`B0!`8!!R)!!!D%"Sm$"`-)$3-(!!*L!!!'K!D,!`N$#Jd$#3!"E`!!"S3
+'Krhj#rhj!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-
++!!&Y!!!'K`D+!`X-!`X!#J!%1R*M-J!#!!!0!`J!!@m!!!!!!!$pq![pq!!8-!!
+)G'9YF("KG'J!#(4PEA"3BA4S!J-'!!)$$!-0$3--!!0*!!)'N!!'Z[hhrIB$$JV
+pp`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rIB!!!B$$J!$rI8$$`-3#[h
+e!!3+DfpME!d$$`!"E3!!"T3'Prhd#[hd!!3+B@aTB3B$%!!$rI-$%3-5#[hc!!3
++D@jcD!d$%3!#0!!!"TS'S[hb!a-+rI)!"!TMCQpX$3-6!!&[!!!'RJDKrI%,rI%
+!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
+NCA*3BA4S"J-5!!2pm!-8rHm+rI!!"!TdEb!J$3-8!!*Z!!!'T3Dd!a8$&Jd$&3!
+#0!!!"Ud'Y2hZ!aF+rHi!"!TQD@aP$3-A!!&Y!!!'X!Dc!aJ-!aJ!#`!&FQ-b,QJ
+!!J!!$3-@!!)d!!!'T3DYrHd$'3Vpl3!%#Q0QEf`0!aN!!@m!!!DT"Ucpl![pl!!
+8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[h[!!!#!`d!!J-D!aX0!aS!!Q`!!JDl"V[
+pkrhU!IhV!!!"rHS!!!)$'`!#!a`$(3d$(!!#FJ!!"VX'aJ-H!am0!ai!!Q)!!!D
+l"X)$)!-K$3-J!!&[!!!'Z`DqrHN,rHN!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0
+bHA"dEdC[E'4PFP"KG'J0!b%!!@d!!!Dq"X%$)J`$)J!+!!3kFQ-d!!)!!!d$(`!
+"E`!!!!!!!2hS#rhS!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!ad!!J-M!b30!b-
+!!dN!!JE("[(pjrhQ!b8+rHF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ih
+Q!!!'!b8!!rhP!bB$*`Vpj3!%#QY[Bf`0!bB!!@d!!!E,"Xlpj!Vpj!!%#Q&XD@%
+'!bF!!rhM!bJ$+3Vpi`!%#QPZFfJ0!bJ!!M3!!!E4"YRpiJ-U#[hL!!3+BfC[E!d
+$+J!"E`!!"Y8'f2hK#rhK!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p
+`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$+3!$rH!$+rhI#[hJ!!3+G'mJ)!d$+`!
+#EJ!!"Y`'k`-X!bd0!b`!!M3!!!EN"Z[phJ-Z#[hH!!3+CQPXC3d$,J!"E3!!"ZF
+'kJ-[$!-[!!X!"A*M0#jS!!)!!!d$,3!#0!!!"Y`'j2hG!c!+rGd!"!TMCQpX$3-
+`!!&[!!!'i!EMrG`,rG`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eph`!!!J-N!!)
+$-3-b$3-a!!*X!!)'mJEbrG[pfJ(pf`!!!IhD!!!#!c)!!J-c!c30!c-!!R)!!!E
+b"[d$03-f$3-e!!*L!!!'mJEj!cF$1!d$0`!"E`!!"[)'pIhC#rhC!#3`!""MFRP
+`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-i!!&Y!!!'p3Ei!cN-!cN
+!#J!%1R*M03!#!!!0!cB!!@m!!!!!!!$pf![pf!!8-!!)G'9YF("KG'J!#(4PEA"
+3BA4S!J-d!!)$1J-l$3-k!!0*!!)'rJFSrGIpeJ-m#[hA!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(peJ!!"J-m!!2pe3-p!ci+rG8!"!TVEf0X$3-p!!&Y!!!
+(!JF&rG3+rG3!"!TKE'PK"J-q!!2pd`-r!d!+rG-!"!TTER0S$3-r!!)d!!!(#!F
+3rG)$33VpdJ!%#Q0QEf`0!d%!!@m!!!F-"`rpd3[pd3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!d!!!rh3!d,
+pc`Vpd!!%#R4[)#!0!d)!!Qi!!!F6"b)$3`0%$30$!!)d!!!('`FLrFi$43VpcJ!
+%#QCTE'80!d8!!@d!!!FH"b%$4J`$4J!,!!9bBc8ZD!!#!!!0!d3!!M3!!!F6"a[
+pc30(#[h0!!3+BfC[E!d$4`!"E`!!"aF('[h-#rh-!"3`!!KdC@e`F'&dD!!)G'9
+YF&"KG'J'rFm!!!)$1`!#!dJ$53d$5!!#E!!#"bN(+Ih,rFS"rFX!!!(pbJ!!!J0
+*!!)$5J0,$30+!!*b!!!(+3Fd!d`$63d$6!!#BJ!!"bN(-!01!dm0!di!!@m!!!F
+T"bcpb3[pb3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
+$6`!"E3!!"b`(,`03$!03!!d!"cTbDA"PE@3!!J!!$300!!&[!!!!!!!!rFJ,rFJ
+!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$5`!#!e%$8Jd$83!$53!#"c8(Arh(rFB
+$8`Vpa`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rFB!!!B$8`!$rF8$9!0
+9#[h&!!3+DfpME!d$9!!"E3!!"cN(22h%#[h%!!3+B@aTB3B$93!$rF-$9J0A#[h
+$!!3+D@jcD!d$9J!#0!!!"cm(4rh#!eJ+rF)!"!TMCQpX$30B!!&[!!!(3`G'rF%
+,rF%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
+'EfaNCA*3BA4S"J0A!!2p`!0CrEm+rF!!"!TdEb!J$30C!!*Z!!!(5JGC!eS$@`d
+$@J!#0!!!"e)(@Ifq!e`+rEi!"!TQD@aP$30F!!&Y!!!(93GB!ed-!ed!$J!)FQP
+`C@eN,QJ!!J!!$30E!!)d!!!(5JG5rEd$AJVp[3!%#Q0QEf`0!ei!!@m!!!G1"e(
+p[![p[!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[fr!!!#!e)!!J0I!f!0!em!!Q`
+!!JGJ"f$pZrfk!Ifl!!!"rES!!!)$B!!#!f%$BJd$B3!#FJ!!"f!(D`0M!f30!f-
+!!Q)!!!GJ"fF$C30Q$30P!!&[!!!(B!GMrEN,rEN!*$!!%'0bHA"dEfC[E'4PFR"
+KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!fB!!@d!!!GM"fB$C``$C`!+!!3kFR0K!!)
+!!!d$C!!"E`!!!!!!!2fi#rfi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!f)!!J0
+S!fN0!fJ!!dN!!JGX"jEpYrff!fS+rEF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"
+ZG@aX!Iff!!!'!fS!!rfe!fX$E!VpY3!%#QY[Bf`0!fX!!@d!!!G`"h2pY!VpY!!
+%#Q&XD@%'!f`!!rfc!fd$EJVpX`!%#QPZFfJ0!fd!!M3!!!Gf"hlpXJ0[#[fb!!3
++BfC[E!d$E`!"E`!!"hS(IIfa#rfa!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"
+KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$EJ!$rE!$F2f[#[f`!!3+G'm
+J)!d$F!!#EJ!!"i%(N!!$F30b$30a!!)d!!!(L3H3!2fZ!h-+rDi!"!TQD@aP$30
+c!!&Y!!!(M!H2!h3-!h3!#`!&FR0K,QJ!!J!!$30b!!)d!!!(J3H*rDd$G3VpV3!
+%#Q0QEf`0!h8!!@m!!!H&"iMpV![pV!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[f
+[!!!#!fN!!J0f!hF0!hB!!Q`!!JHA"jIpUrfU!IfV!!!"rDS!!!)$G`!#!hJ$H3d
+$H!!#FJ!!"jF(SJ0k!hX0!hS!!Q)!!!HA"ji$I!0p$30m!!&[!!!(P`HDrDN,rDN
+!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!hd!!@d!!!H
+D"jd$IJ`$IJ!-!!BkFh4KBfX!!J!!$30l!!&[!!!!!!!!rDJ,rDJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!)$H3!#!hm$J!d$I`!$53!#"k-(cIfRrDB$J3VpT`!B,Q0
+[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rDB!!!B$J3!$rD8$JJ1$#[fP!!3+Dfp
+ME!d$JJ!"E3!!"kF(U[fN#[fN!!3+B@aTB3B$J`!$rD-$K!1&#[fM!!3+D@jcD!d
+$K!!#0!!!"kd(YIfL!iB+rD)!"!TMCQpX$31'!!&[!!!(X3HdrD%,rD%!0$!!''p
+`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4
+S"J1&!!2pS!1(rCm+rD!!"!TdEb!J$31(!!*Z!!!(Z!I(!iJ$L3d$L!!#0!!!"m!
+(arfH!iS+rCi!"!TQD@aP$31+!!&Y!!!(``I'!iX-!iX!$3!(Fh4KBfXZD!!#!!!
+0!iN!!M3!!!Hi"m$pR31-#[fG!!3+BfC[E!d$M!!"E`!!"l`([rfF#rfF!"3`!!K
+dC@e`F'&dD!!)G'9YF&"KG'J'rCm!!!)$J!!#!id$MJd$M3!$53!#"mi(q2fErCS
+$M`VpQ`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rCS!!!B$M`!$rCN$N!!
+$N3VpQ3!%#QY[Bf`0!j!!!!&Y!!!(dJI9rCJ+rCJ!"!TKE'PK"J14!!2pP`15!j-
++rCF!"!TTER0S$315!!)d!!!(f!IJrCB$P!VpPJ!%#Q0QEf`0!j3!!@m!!!IF"pr
+pP3[pP3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!j-!!rf8!jApN`VpP!!%#R4[)#!0!j8!!Qi!!!IM"r)$PJ1
+A$31@!!)d!!!(k`IbrC)$Q!VpNJ!%#QCTE'80!jJ!!@d!!!IZ"r%$Q3`$Q3!4!!Y
+cB@CPFh4KBfXZD!!#!!!0!jF!!M3!!!IM"q[pN31D#[f4!!3+BfC[E!d$QJ!"E`!
+!"qF(k[f3!![pN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EpN`!!!J11!!)$Q`1
+F$31E!!*X!!)(q3IjrBrpMJ(pM`!!!If1!!!#!j`!!J1G!ji0!jd!!R)!!!Ij#!3
+$R`1J$31I!!*L!!!(q3J!!k%$SJd$S3!"E`!!"rN(r2f0#rf0!#3`!""MFRP`G'p
+QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$31L!!&Y!!!(r!Ir!k--!k-!#J!
+%1R0SB3!#!!!0!k!!!@m!!!!!!!$pM![pM!!8-!!)G'9YF("KG'J!#(4PEA"3BA4
+S!J1H!!)$T!1P$31N!!0*!!))"3J[rB[pLJ1Q#[f,!"JZBfpbC@0bC@`U+LSU!!!
+!!!!!N!!!ER9XE!(pLJ!!"J1Q!!2pL31R!kJ+rBN!"!TVEf0X$31R!!&Y!!!)#3J
+-rBJ+rBJ!"!TKE'PK"J1S!!2pK`1T!kS+rBF!"!TTER0S$31T!!)d!!!)$`JArBB
+$U`VpKJ!%#Q0QEf`0!kX!!@m!!!J6#"EpK3[pK3!d-!!BEh"PER0cE'PZBfaeC'9
+QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!kS!!rf%!kcpJ`V
+pK!!%#R4[)#!0!k`!!Qi!!!JD##N$V31Z$31Y!!)d!!!))JJTrB)$V`VpJJ!%#QC
+TE'80!km!!@d!!!JP##J$X!`$X!!,!!9cD'%ZD!!#!!!0!ki!!M3!!!JD##,pJ31
+a#[f"!!3+BfC[E!d$X3!"E`!!#"i))If!#rf!!"3`!!KdC@e`F'&dD!!)G'9YF&"
+KG'J'rB-!!!)$T3!#!l)$X`d$XJ!#E!!##$!)-2errAi"rAm!!!(pIJ!!!J1c!!)
+$Y!1e$31d!!*b!!!)-!Jl!lB$Y`d$YJ!#BJ!!#$!)0`1i!lN0!lJ!!@m!!!J`#$2
+pI3[pI3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d$Z3!
+"E3!!#$-)0J1k$!1k!!d!"cTdH(4IC')!!J!!$31h!!&[!!!!!!!!rA`,rA`!&$!
+!#(4PEA"`BA4S!!KdC@e`8'&dD!)$Y3!#!lX$[!d$Z`!$53!##$`)C[elrAS$[3V
+pH`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rAS!!!B$[3!$rAN$[J1r#[e
+j!!3+DfpME!d$[J!"E3!!#%!)3rei#[ei!!3+B@aTB3B$[`!$rAF$`!2"#[eh!!3
++D@jcD!d$`!!#0!!!#%B)6[ef!m)+rAB!"!TMCQpX$32#!!&[!!!)5JK0rA8,rA8
+!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
+NCA*3BA4S"J2"!!2pG!2$rA-+rA3!"!TdEb!J$32$!!*Z!!!)83KJ!m3$a3d$a!!
+#0!!!#&N)B2eb!mB+rA)!"!TQD@aP$32'!!&Y!!!)A!KI!mF-!mF!$J!)G(KdAf4
+L,QJ!!J!!$32&!!)d!!!)83KCrA%$b!VpF3!%#Q0QEf`0!mJ!!@m!!!K9#&MpF![
+pF!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[ec!!!#!l`!!J2*!mS0!mN!!Q`!!JK
+R#'IpEreZ!Ie[!!!"r@i!!!)$bJ!#!mX$c!d$b`!#FJ!!#'F)FJ20!mi0!md!!Q)
+!!!KR#'i$c`23$322!!&[!!!)C`KUr@d,r@d!*$!!%'0bHA"dEfC[E'4PFR"KG'J
+!%'0bHA"dEdC[E'4PFP"KG'J0!p!!!@d!!!KU#'d$d3`$d3!,!!8kH$8`13!#!!!
+0!mi!!@m!!!!!!!$pE![pE!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J2-!!)$dJ2
+6$325!!0*!!))F`LGr@[pDJ28#[eV!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(pDJ!!"J28!!2pD329!pB+r@N!"!TVEf0X$329!!&Y!!!)G`Kkr@J+r@J!"!T
+KE'PK"J2@!!2pC`2A!pJ+r@F!"!TTER0S$32A!!)d!!!)I3L&r@B$f3VpCJ!%#Q0
+QEf`0!pN!!@m!!!L"#)6pC3[pC3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!pJ!!reN!pVpB`VpC!!%#R4[)#!
+0!pS!!Qi!!!L)#*F$f`2F$32E!!)d!!!)N!!)PreL!pd+r@)!"!TQD@aP$32G!!&
+Y!!!)N`L@!pi-!pi!$!!'H$8`15jS!!)!!!d$h!!#0!!!#)J)N!$pB32I#[eK!!3
++BfC[E!d$h`!"E`!!#)`)MreJ#reJ!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r@-
+!!!)$d`!#!q!$i3d$i!!$53!##*i)b2eIr9i$iJVpA`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"r9i!!!B$iJ!$r9d$i`2N#[eG!!3+DfpME!d$i`!"E3!!#+)
+)TIeF#[eF!!3+B@aTB3B$j!!$r9X$j32Q#[eE!!3+D@jcD!d$j3!#0!!!#+J)X2e
+D!qF+r9S!"!TMCQpX$32R!!&[!!!)V!L[r9N,r9N!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J2Q!!2p@!2Sr9F
++r9J!"!TdEb!J$32S!!*Z!!!)X`M#!qN$kJd$k3!#0!!!#,X)`[e@!qX+r9B!"!T
+QD@aP$32V!!&Y!!!)[JM"!q`-!q`!%!!+H$8`19pfCRNZD!!#!!!0!qS!!M3!!!L
+c#,[p932Y#[e9!!3+BfC[E!d$l3!"E`!!#,F)Z[e8#re8!"3`!!KdC@e`F'&dD!!
+)G'9YF&"KG'J'r9F!!!)$i3!#!qi$l`d$lJ!#E!!##-N)bIe6r9)"r9-!!!(p8J!
+!!J2[!!)$m!2a$32`!!*b!!!)b3M8!r)$m`d$mJ!#BJ!!#-N)d!2d!r80!r3!!@m
+!!!M*#-cp83[p83!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&
+dD!d$p3!"E3!!#-`)c`2f$!2f!!d!"cTi06!jGM-!!J!!$32c!!&[!!!!!!!!r9!
+,r9!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$m3!#!rF$q!d$p`!$53!##08)rre
+2r8i$q3Vp6`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8i!!!B$q3!$r8d
+$qJ2l#[e0!!3+DfpME!d$qJ!"E3!!#0N)h2e-#[e-!!3+B@aTB3B$q`!$r8X$r!2
+p#[e,!!3+D@jcD!d$r!!#0!!!#0m)jre+!ri+r8S!"!TMCQpX$32q!!&[!!!)i`M
+Qr8N,r8N!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfa
+eC'9'EfaNCA*3BA4S"J2p!!2p5!2rr8F+r8J!"!TdEb!J$32r!!*Z!!!)kJMj"!!
+%!3d%!!!#0!!!#2))qIe'"!)+r8B!"!TQD@aP$33#!!&Y!!!)p3Mi"!--"!-!$J!
+)H$8`1ABc,QJ!!J!!$33"!!)d!!!)kJMbr88%"!Vp43!%#Q0QEf`0"!3!!@m!!!M
+Z#2(p4![p4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[e(!!!#!rJ!!J3&"!B0"!8
+!!Q`!!JN!#3$p3re#!Ie$!!!"r8)!!!)%"J!#"!F%#!d%"`!$53!##3!*+[e"r8!
+%#3Vp33!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8!!!!B%#3!$r6m%#J3
+,#[dr!!3+DfpME!d%#J!"E3!!#33*"rdq#[dq!!3+B@aTB3B%#`!$r6d%$!30#[d
+p!!3+D@jcD!d%$!!#0!!!#3S*%[dm"!i+r6`!"!TMCQpX$331!!&[!!!*$JN4r6X
+,r6X!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
+'EfaNCA*3BA4S"J30!!2p1J32r6N+r6S!"!TdEb!J$332!!*Z!!!*&3NN""!%%3d
+%%!!#0!!!#4d**2di"")+r6J!"!TQD@aP$335!!&Y!!!*)!NM""--""-!#`!&Fh0
+X,QJ!!J!!$334!!)d!!!*&3NGr6F%&!Vp0`!%#Q0QEf`0""3!!@m!!!NC#4cp0J[
+p0J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD!Ep13!!!J3)!!)%&33
+@$339!!0*!!)*+`P9r6Ap0!3A#[de!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(p0!!!"J3A!!2p-`3B""N+r6-!"!TVEf0X$33B!!&Y!!!*,`Nbr6)+r6)!"!T
+KE'PK"J3C!!2p-33D""X+r6%!"!TTER0S$33D!!)d!!!*03Npr6!%(!Vp-!!%#Q0
+QEf`0""`!!@m!!!Nj#6cp,`[p,`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'""X!!rdZ""hp,3Vp,J!%#R4[)#!
+0""d!!Qi!!!P!#8m%(J3I$33H!!)d!!!*5!P2r5`%)!Vp,!!%#QCTE'80"#!!!@d
+!!!P,#8i%)3`%)3!-!!CcFf`b,QJ!!J!!$33I!!)d!!!*3!P)r5X%)JVp+`!%#Q0
+QEf`0"#)!!@m!!!P%#8Ip+J[p+J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9
+b8'&dD!Ep,3!!!J3@!!)%)`3N$33M!!0*!!)*9JQ!r5Rp+!3P#[dT!"JZBfpbC@0
+bC@`U+LSU!!!!!!!!N!!!ER9XE!(p+!!!"J3P!!2p*`3Q"#F+r5F!"!TVEf0X$33
+Q!!&Y!!!*@JPGr5B+r5B!"!TKE'PK"J3R!!2p*33S"#N+r58!"!TTER0S$33S!!)
+d!!!*B!PSr53%+JVp*!!%#Q0QEf`0"#S!!@m!!!PN#@Ip)`[p)`!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"#N
+!!rdL"#[p)3Vp)J!%#R4[)#!0"#X!!Qi!!!PV#AS%,!3Y$33X!!)d!!!*F`Pkr5!
+%,JVp)!!%#QCTE'80"#i!!@d!!!Pf#AN%,``%,`!0!!GcFf`b-bjS!!)!!!d%,3!
+#0!!!#@X*FrdI"$!+r4m!"!TMCQpX$33`!!&[!!!*E`Pbr4i,r4i!(M!!$A0cE'C
+[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r5%!!!)%*!!#"$%%-Jd%-3!$53!##B%
+*UrdGr4`%-`Vp(3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r4`!!!B%-`!
+$r4X%0!3e#[dE!!3+DfpME!d%0!!"E3!!#B8*L2dD#[dD!!3+B@aTB3B%03!$r4N
+%0J3h#[dC!!3+D@jcD!d%0J!#0!!!#BX*NrdB"$J+r4J!"!TMCQpX$33i!!&[!!!
+*M`Q5r4F,r4F!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%P
+ZBfaeC'9'EfaNCA*3BA4S"J3h!!2p&J3jr48+r4B!"!TdEb!J$33j!!*Z!!!*PJQ
+P"$S%1`d%1J!#0!!!#Ci*TId8"$`+r43!"!TQD@aP$33m!!&Y!!!*S3QN"$d-"$d
+!$!!'Fh0X-bjS!!)!!!d%1`!#0!!!#CB*R[d6"$i+r4-!"!TMCQpX$33q!!&[!!!
+*QJQGr4),r4)!(M!!$A0cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r48!!!)
+%-J!#"$m%3!d%2`!$53!##D`*e[d4r4!%33Vp%3!B,Q0[FQ9MFQ9X+LSU+J!!!!!
+!!*!!!'jeE'`"r4!!!!B%33!$r3m%3J4$#[d2!!3+DfpME!d%3J!"E3!!#E!*Xrd
+1#[d1!!3+B@aTB3B%3`!$r3d%4!4&#[d0!!3+D@jcD!d%4!!#0!!!#EB*[[d-"%B
++r3`!"!TMCQpX$34'!!&[!!!*ZJQpr3X,r3X!0$!!''p`C@jcFfaTEQ0XG@4PCQp
+XC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J4&!!2p#J4(r3N+r3S
+!"!TdEb!J$34(!!*Z!!!*`3R3"%J%53d%5!!#0!!!#FN*d2d)"%S+r3J!"!TQD@a
+P$34+!!&Y!!!*c!R2"%X-"%X!$!!'G'ac-5jS!!)!!!d%53!#0!!!#F%*bId("%`
++r3F!"!TMCQpX$34-!!&[!!!*a3R)r3B,r3B!(M!!$A0cE'C[E'4PFR"KG'J!$A0
+cE%C[E'4PFP"KG'J'r3N!!!)%3!!#"%d%6Jd%63!#E!!##GF*erd&r33"r38!!!(
+p"!!!!J41!!)%6`43$342!!0*!!)*e`S"r32p!J44#[d$!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(p!J!!"J44!!2p!345"&-+r3%!"!TVEf0X$345!!&Y!!!
+*f`RHr3!+r3!!"!TKE'PK"J46!!2mr`48"&8+r2m!"!TTER0S$348!!)d!!!*i3R
+Tr2i%9JVmrJ!%#Q0QEf`0"&B!!@m!!!RP#HMmr3[mr3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"&8!!rcm"&I
+mq`Vmr!!%#R4[)#!0"&F!!Qi!!!RX#IX%@!4C$34B!!)d!!!*p!Rlr2S%@JVmqJ!
+%#QCTE'80"&S!!@d!!!Rh#IS%@``%@`!1!!KMFRP`G'mZD!!#!!!0"&N!!M3!!!R
+X#I6mq34F#[cj!!3+BfC[E!d%A!!"E`!!#I!*mrci#rci!#3`!""MFRP`G'pQEfa
+NCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cl!!!#"&!!!J4G"&i0"&d!!Q`!!JS
+##J,mprcf!Ich!!!"r2B!!!)%AJ!#"&m%B!d%A`!$53!##J)+,2cer23%B3Vmp3!
+B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r23!!!B%B3!$r2-%BJ4M#[cc!!3
++DfpME!d%BJ!"E3!!#JB+#Icb#[cb!!3+B@aTB3B%B`!$r2%%C!4P#[ca!!3+D@j
+cD!d%C!!#0!!!#J`+&2c`"'B+r2!!"!TMCQpX$34Q!!&[!!!+%!S6r1m,r1m!0$!
+!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*
+3BA4S"J4P!!2mlJ4Rr1d+r1i!"!TdEb!J$34R!!*Z!!!+&`SQ"'J%D3d%D!!#0!!
+!#Km+*[cX"'S+r1`!"!TQD@aP$34U!!&Y!!!+)JSP"'X-"'X!%!!+Eh"PER0cE(B
+ZD!!#!!!0"'N!!M3!!!SA#Krmk`4X#[cV!!3+BfC[E!d%E!!"E`!!#KX+([cU#rc
+U!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cY!!!#"'!
+!!J4Y"'i0"'d!!dN!!JSY#PImkIcS"'m+r1N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
+3!!"ZG@aX!IcS!!!'"'m!!rcR"(!%F3Vmj`!%#QY[Bf`0"(!!!@d!!!Sa#M6mjJV
+mjJ!%#Q&XD@%'"(%!!rcP"()%F`Vmj3!%#QPZFfJ0"()!!M3!!!Sh#Mrmj!4d#[c
+N!!3+BfC[E!d%G!!"E`!!#MX+2[cM#rcM!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
+PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%F`!$r1)%GIcK#[cL!!3
++G'mJ)!d%G3!#EJ!!#N)+834f"(F0"(B!!M3!!!T+#P(mi!4i#[cJ!!3+CQPXC3d
+%H!!"E3!!#Nd+8!4j$!4j!!i!#(4YC'PQCLjS!!)!!!d%G`!#0!!!#N)+5[cI"(S
++r0m!"!TMCQpX$34k!!&[!!!+4JT*r0i,r0i!*$!!%'0bHA"dEfC[E'4PFR"KG'J
+!%'0bHA"dEdC[E'4PFP"KG'J'r1%!!!)%EJ!#"(X%I!d%H`!#E!!##PJ+@2cGr0`
+"r0d!!!(mh!!!!J4m!!)%I34q$34p!!*X!!)+@!TBr0[mfJ(mf`!!!IcD!!!#"(i
+!!J4r")!0"(m!!dN!!JTB#S,mfIcB")%+r0N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
+3!!"ZG@aX!IcB!!!'")%!!rcA"))%J`Vme`!%#QY[Bf`0"))!!@d!!!TF#PrmeJV
+meJ!%#Q&XD@%'")-!!rc9")3%K3Vme3!%#QPZFfJ0")3!!M3!!!TL#QVme!5'#[c
+8!!3+BfC[E!d%KJ!"E`!!#QB+DIc6#rc6!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
+PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%K3!$r0)%Krc4#[c5!!3
++G'mJ)!d%K`!#EJ!!#Qd+I!5)")N0")J!!M3!!!Te#Rcmd!5+#[c3!!3+CQPXC3d
+%LJ!"E3!!#RJ+H`5,$!5,!!`!"Q9IEh-ZD!!#!!!0")N!!M3!!!TY#RAmc`5-#[c
+2!!3+BfC[E!d%M!!"E`!!#R%+G2c1#rc1!#B`!"&[F'9ZFh0XCQpXC'9bF'&dD!!
+4Eh"PER0cE%C[E'4PFP"KG'J'r0%!!!)%J!!#")d%MJd%M3!$53!##S-+VIc0r-`
+%M`Vmc3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r-`!!!B%M`!$r-X%N!!
+%N3Vmb`!%#QY[Bf`0"*!!!!&Y!!!+K`U+r-S+r-S!"!TKE'PK"J54!!2mb355"*-
++r-N!"!TTER0S$355!!)d!!!+M3U9r-J%P!Vmb!!%#Q0QEf`0"*3!!@m!!!U4#T6
+ma`[ma`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'"*-!!rc'"*Ama3VmaJ!%#R4[)#!0"*8!!Qi!!!UB#UF%PJ5
+A$35@!!)d!!!+S!URr-3%Q!Vma!!%#QCTE'80"*J!!@d!!!UM#UB%Q3`%Q3!0!!G
+PAfpc-LjS!!)!!!d%P`!#0!!!#TJ+S2c$"*S+r--!"!TMCQpX$35D!!&[!!!+R!U
+Ir-),r-)!*M!!%@p`C@jcFfaQEfaNCA*`BA4S!"&[F'9ZFh0X4QpXC'9b8'&dD!E
+ma3!!!J51!!)%Qrc"$35E!!*X!!)+VJUZr-$m[`(m`!!!!Ibr!!!#r-%!!!d!#3!
+"E3!!!!!!!3!I!Irq!!!#!!B!!J5F"*d0"*`!!Q`!!J!!!!$m[[bp!Ibq!!!"r,d
+!!!)%R3!#"*i%R`d%RJ!#E!!##V%+b!5Jr,`0"+!!!dN!!JUa#XMmZ`5K"+)+r,X
+!'#jcHA0[C'a[Cf&cDh)!!!!!!!!!!&4&@&30"+%!!@d!!!Ua#V3%S``%S`!'!!!
+!!J!!"J5L!!2mZJ5N"+8+r,S!"!TLG'jc$35N!!&+!!!+Y`Um"+B#"+B!!J5Rr,N
+0"+F!!@d!!!Uh#VS%U!`%U!!+!!4%EfjP!!)!!!,mZ3!!"J5P!!2mZ!5Tr,F+r,J
+!"!TRDACe$35T!!&Y!!!+[`V#r,B$r,B!"3EmY`!!!Ibm!!!#"*m!!J5Ur,80"+S
+!!Q`!!J!!!!$mY2bc!Ibd!!!"r,-!!!,mY3!!$J!#!!!2%!!$!",mXJ5V"+`%V35
+Z"+m%X!5a",)%X`5d",8%YJ5hr,(mX2b[r+i"r,)!!"!%U`!3r+hmV2bVr+VmUIb
+Sr+ImT[bPr+6mSrbLr+(mS2bIr*i+r+d!'#jKCACdEf&`F'jeE'`!!)!!!!#3!!!
+U+LSU#rbX!")`!!GdD'9`BA4S!!GdD'93BA4S#rbV!"``!!adD'9[E'4NC@aTEA-
+!$(4SC8pXC%4PE'PYF`[mUJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh4
+3BA4S#rbT!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mU!!Q-!!4D@jME(9NC@C
+[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rbR!$3`!"K[F'9ZFh0XD@jME(9
+NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD![mTJ!N-!!3Bh*
+jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mT3!H-!!0Fh0XCQpXC'9
+bF'&dD!!0Fh0X4QpXC'9b8'&dD![mT!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p
+`C@jcFfa'EfaNCA*3BA4S#rbM!#i`!"9dD'9ZCAGQEfaNCA*bC@CPFQ9ZBf8!&A4
+SC8jPGdC[E'4PFP*PCQ9bC@jMC3[mSJ!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!Ib
+K!!!"r+!!!!(mR`!!!IbH!!!1"+`!"a$mR35ir*cmQ`5j",VmQJVmR3!B,Q&PGR4
+[BA"`ER9XE!!!J!!!!*!!!#SU+LS0",J!!@X!!!!!#XJ%Z`)%Z`!#!!8%[!)%[!!
+#"*lmQ3,mQ3!!!IbF!!!#r*X!!"!%Z3!!%!5k!)B!(rbBr*ImP[b9r*6mNrb5!#c
+mNIb3!2b2r)lmMIb-!%rmL`"D!&[mLJ"Nr)N!EIb)r)ImKJ#2r)AmK2b$r),mJIb
+!r(rmI[apr(cmH`#Tr(VmHIair(F![Iaf!-ImG3$8!1)!l!$j!3-"%!%D!5F"-3%
+q!8J"93&I!@`"GJ'$!Bd"QJ'N!E%"Z`()!G)"h`(T!IB#!!)0!KF#*!)Z!MX#43*
+5!P`#D3*c!S!#LJ+A!U%#VJ+m!XB#d`,G!ZS#p!-"!`X$'!-L!bm$130'!e!$A30
+R!h3$IJ1,!jN$S`1`!lS$a`24!pi$l!2f"!-%%`3K"#m%234,"&X%D`4j")X%Q35
+Mr(3%U2acr(,mF3VmQ!!%#Q0[BQS+r*F!'#jPBA*cCQCNFQ&XDA-!!!!!!!!J!'&
+QC()+r*B!"!TMG(Kd#rb9!")`!!GdD'9`BA4S!!GdD'93BA4S#[b8!!3+BA0MFJV
+mN`!%#R4iC'`,r*)!($!!$(4SC@pXC'4PE'PYF`!-G'KP6faN4'9XD@ec#[b4!!3
++BfPdE32mN!$rr3[mM`!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh43BA4
+S!rb1rri+r)d!"!T849K8#rb-!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mL`!
+Q-!!4D@jME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rb+!$3`!"K
+[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
+dD![mL3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mL!!
+H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD![mK`!Q-!!4Eh"PER0cE'C
+[E'4PFR"KG'J!%@p`C@jcFfa'EfaNCA*3BA4S#[b'!!3+BfC[E!VmK3!B,QeTFf0
+cE'0d+LSU+J!!!!!!!*!!!#SU+LS+r)3!"!TcC@aP#[b$!"JZBfpbC@4PE'mU+LS
+U!!!!!!!!N!!!+LSU+J(mJJ!!![b"!!!+r)!!"!TVEf0X#[ar!!3+D@jcD!2mIJ!
+%#[ap!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!VmI!!%#R*cE(3,r(X!,M!
+!&A4SC@jPGfC[E'4PFR*PCQ9bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P#[a
+k!!3+F'jKE3VmH3!%#Q&XD@%+r(J!"!TdEb!J#[ah!!3+CQPXC32mGJ!'#rae!"3
+`!!KdC@e`F'&dD!!)G'9YF&"KG'J+r(3!"!TLG'jc#[ac!!3+CfPfG32mFJ!&#[a
+a!"JZFhPcEf4XEfGKFfYb!!!!!!!!!!"849K8%IbD#XRJ%JUYi1%TDJ`!!LrM*N9
+4e%r&jLa&edrSaHBX4Nr%@qPF@eTVA&VU-NAE6m4Ek9aE@QYF@Z`bl5C&hNr,lbA
+Y*N9J!""2bf%!%59K!")Pl5C&B!!66mYK!"3Pl5C&B!!96mYK!"BPl5C&B!!A6m[
+Y*N9J!"K2amAQ,%C2&!!L+Q%!'9m!%#pK!"PK!"S[DJ`!'dmUB3!F,'S-!"eA!!K
+B!"i!(fK2+Q%!)'%!'@%!)5TK!"PI!"![B3!L$!!M6em!*%9J!#92A`!PDJ`!'dp
+K!#BUB3!F,'%!*ba'6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"R1,f%!+Q%!+bp
+K!#`-!#02A`!9B3!Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
+K!#TK!#m[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!
+`,f%!,!`!)dpI!"9K!$%P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!
+Z,f%!+Q%!-LpK!#`-!#02A`!9B3!c*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!
+T+Q%!'9m!,LpK!#TK!$3[B3!X$!!M6em!&@%!059&B!!Z6bTK!#"K!#KK!#%UB3!
+CA`!6,f%!+5TK!"PI!#i[B3!UB3!f,f%!,!`!)dpI!"9K!$FP4@!!,NmUB3!JB3!
+SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!1#pK!#`-!#02A`!9B3!j*89J!#j
+2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!$S[B3!X$!!M6em!&@%
+!1b9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!m,f%!,!`
+!)dpI!"9K!$dP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
+!2LpK!#`-!#02A`!9B3!r*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
+!,LpK!#TK!%![B3!X$!!M6em!&@%!359&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
+!+5TK!"PI!#i[B3!UB3"#,f%!,!`!)dpI!"9K!%-P4@!!,NmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!4#pK!#`-!#02A`!9B3"&*89J!#j2+Q%!)'%
+!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!%B[B3!X$!!M6em!&@%!4b9&B!!
+Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"),f%!,!`!)dpI!"9
+K!%NP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!5LpK!#`
+-!#02A`!9B3",*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#T
+K!%`[B3!X$!!M6em!&@%!659&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
+I!#i[B3!UB3"1,f%!,!`!)dpI!"9K!%mP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bp
+K!#NUB3!CA`!Z,f%!+Q%!8#pK!#`-!#02A`!9B3"4*89J!#j2+Q%!)'%!+'%!)5T
+K!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&)[B3!X$!!M6em!&@%!8b9&B!!Z6bTK!#"
+K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"8,f%!,!`!)dpI!"9K!&8P4@!
+!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!9LpK!#`-!#02A`!
+9B3"A*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&J[B3!
+X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"C,f%!,!`!)dp
+I!"9K!&SP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!@bp
+K!#`-!#02A`!9B3"F*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
+K!#TK!&d[B3!X$!!M6em!&@%!AL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5T
+K!"PI!#i[B3!UB3"I,f%!,!`!)dpI!"9K!'!P4@!!,NmUB3!JB3!SB3!K+Q%!'9m
+!%bpK!#NUB3!CA`!Z,f%!+Q%!B5pK!#`-!#02A`!9B3"L*89J!#j2+Q%!)'%!+'%
+!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'-[B3!X$!!M6em!&@%!C#9&B!!Z6bT
+K!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"P,f%!,!`!)dpI!"9K!'B
+P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!CbpK!#`-!#0
+2A`!9B3"S*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'N
+[B3!X$!!M6em!&@%!DL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i
+[B3!UB3"V,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
+!E#pK!#`-!#02A`!9B3"Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
+!,LpK!#TK!'i[B3!X$!!M6em!&@%!Eb9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
+!+5TK!"PI!#i[B3!UB3"`,f%!,!`!)dpI!"9K!(%P4@!!,NmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!FLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-
+[B3!T+Q%!'9m!,LpK!#TK!(-[B3!X$!!M6em!&@%!G#9&B!!Z6bTK!#"K!#KK!#%
+UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"e,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m
+!%bpK!#NUB3!CA`!A,f%!+Q%!GLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!
+T+Q%!'9m!&bpK!#TK!(F[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
+I!"F[B3!UB3"i,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!A,f%
+!+Q%!H5pK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&bpK!#TK!(S
+[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!"8[B3!UB3"l,f%!,!`
+!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!9,f%!+Q%!I#pK!#`-!#02+Q%
+!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&5pK!#TK!(d[B3!X$!!M6bTK!#"K!#K
+K!#%UB3!CA`!6,f%!+5TK!"PI!"J[B3!UB3"q,f%!,!`!)dmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!B,f%!+Q%!IbpK!#`-!#028&92B3#!B3#"B3##DhCK!)0
+K!)4K!#)-!)82$!5Y!&%!5deKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0
+[E@PZCcT[F'9ZFh0X,90139!Y-6Nj16%b-6%k6@&M6e-kE@YXD@jVFbjKF`!#!!!
+1"+i!!J6mF!5p!ra`!!%1",d!!3!%[J`%[J!'!!!!!J!!$J5[!!)%r'm%[`2mE`!
+%$J5r!!3!"-!%`36#"---"-!!%J!-6@&MD@jdEh0S)%K%!!)!!!`%`3!8!!j%CA0
+VG'p`)%C[E'4PFJ!#!!!-"-)!$J!)5@jMEfeTEQF!!J!!$!6$!"X!&@p`C@jcFf`
+Y8dj"8#da16Nj-6)a-3!#!!!-",!!4J"!6@&MD@jdEh0S)%K%1N4PFfYdEh!J4Qp
+XC'9b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6T0B@028`!#!!!-",%
+!5!"#6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9b1NPZBfpYD@jR1Qp`C@jcFf`
+Y8dj"8#da16Nj-6)a-6TTEQ0XG@4P!!)!!!`%XJ"3!%T0B@0TER4[FfJJ5%3k4'9
+cDh4[F#"'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a1QPZBfa
+eC'8kEh"PER0cE!!#!!!-",-!4`""6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9
+b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6TMFRP`G'm!!J!!$!5d!%3
+!2NeKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90
+139!Y-6Nj16%b-6%kFh0X!!)!!!`%Y3"!!$T0B@0TER4[FfJJ5%3k4'9cDh4[F#"
+'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a!!)!!!i%YJ!"&!6
+%$J6%!!-B"-AmEJ6'$J6&!!-B"-ImE36)$J6(!!-B"-RmE!6+$J6*!!-B!"rmD`6
+,#[aV!!3+BfC[E!`%b`!1!!K*EQ0[E@PZC`!#!!!+r'`!"!TMCQpX$!6+!"X!&@p
+`C@jcFf`Y8dj"8#da16Nj-6)a-3!#!!!+r'd!"!TMCQpX$!6)!!d!"fPZBfaeC'8
+!!J!!#[aZ!!3+BfC[E!`%aJ!9!!peER4TG'aPC#"QEfaNCA)!!J!!$!5h!%i!5%e
+KBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90139!
+Y-6Nj16%b-6%kBh*jF(4[1RJe-$Pf-`!#!!!"r,%!!!(mX!!!!Ib[!!!"r+i!!'&
+cBh)!!3!-qYlHV3!!!3!!!*G#!!#@3J!!!AB!!$-8-0J!!!!F!AB!$h0MFhS!!!#
+#6Np853!!!)jcBh"d!!!!QP4&@&3!!3#QFh4jE!!!!,j$6d4&!!%!bN*14%`!!!$
+LBA"XG!!!!1j'8N9'!!!!qNP$6L-!!!%'D@0X0!!!!4*TBh-M!!!"(QPMFc3!!!%
+UD'CNFJ!!!6C659T&!!!"3PG3Eh-!!!&1!!$rr`!!!!!!!!!!!)$rre!!!"i!!!!
+!!)$rr`!!"cJ#DH#m"'Mrr`!!!*S!!!!!%iRrr`!!"Pi!!!!!"'Mrr`!!!53!!!!
+!!!$rrb!!!9)!!!!!!!(rra3!!@i#DG`%!)$rr`!!!Pi#DH"X!!$rr`!!!Ri!!!!
+!!)$rr`!!!S-#DH"d!*Err`!!!Si!!!!!!*Err`!!!j)!!!!!!*Err`!!"CB#DH%
+i!*Err`!!"GS#DH%dkF$rr`!!"[`!!!!!rrrrr`!!"a)!!!!!!)$rr`!!"b!!!!!
+!*4S:

MacOS/opensslconf.h

@@ -0,0 +1,126 @@
+/* MacOS/opensslconf.h */
+
+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+# if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#  define OPENSSLDIR "/usr/local/ssl"
+# endif
+#endif
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+# define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+# define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+# define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+# if !defined(RC4_INT)
+/*
+ * using int types make the structure larger but make the code faster on most
+ * boxes I have tested - up to %20 faster.
+ */
+/*-
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#  define RC4_INT unsigned char
+# endif
+# if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#  define RC4_CHUNK unsigned long
+# endif
+#endif
+
+#if defined(HEADER_DES_H) && !defined(DES_LONG)
+/*
+ * If this is set to 'unsigned int' on a DEC Alpha, this gives about a %20
+ * speed up (longs are 8 bytes, int's are 4).
+ */
+# ifndef DES_LONG
+#  define DES_LONG unsigned long
+# endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+# define CONFIG_HEADER_BN_H
+# if __option(longlong)
+#  define BN_LLONG
+# else
+#  undef BN_LLONG
+# endif
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+/*
+ * The prime number generation stuff may not work when EIGHT_BIT but I don't
+ * care since I've only used this mode for debuging the bignum libraries
+ */
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
+# undef SIXTEEN_BIT
+# undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+# define CONFIG_HEADER_RC4_LOCL_H
+/*
+ * if this is defined data[i] is used instead of *data, this is a %20 speedup
+ * on x86
+ */
+# undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+# define CONFIG_HEADER_BF_LOCL_H
+# define BF_PTR
+#endif                          /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+# define CONFIG_HEADER_DES_LOCL_H
+/*
+ * the following is tweaked from a config script, that is why it is a
+ * protected undef/define
+ */
+# ifndef DES_PTR
+#  define DES_PTR
+# endif
+
+/*
+ * This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers
+ */
+# ifndef DES_RISC1
+#  define DES_RISC1
+# endif
+
+# ifndef DES_RISC2
+#  undef DES_RISC2
+# endif
+
+# if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED ! !!!!
+# endif
+/*
+ * Unroll the inner loop, this sometimes helps, sometimes hinders. Very mucy
+ * CPU dependant
+ */
+# ifndef DES_UNROLL
+#  define DES_UNROLL
+# endif
+#endif                          /* HEADER_DES_LOCL_H */
+#ifndef __POWERPC__
+# define MD32_XARRAY
+#endif

Makefile.org

@@ -68,10 +68,8 @@ AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 NM= nm
 PERL= perl
-#RM= echo --
-RM= rm -f
 TAR= tar
-TARFLAGS= --no-recursion
+TARFLAGS= --no-recursion --record-size=10240
 MAKEDEPPROG=makedepend
 LIBDIR=lib
 
@@ -90,7 +88,6 @@ PROCESSOR=
 # CPUID module collects small commonly used assembler snippets
 CPUID_OBJ= 
 BN_ASM= bn_asm.o
-EC_ASM=
 DES_ENC= des_enc.o fcrypt_b.o
 AES_ENC= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
@@ -114,6 +111,9 @@ LIBKRB5=
 ZLIB_INCLUDE=
 LIBZLIB=
 
+# TOP level FIPS install directory.
+FIPSDIR=
+
 # This is the location of fipscanister.o and friends.
 # The FIPS module build will place it $(INSTALLTOP)/lib
 # but since $(INSTALLTOP) can only take the default value
@@ -121,11 +121,12 @@ LIBZLIB=
 # $(INSTALLTOP) for this build may be different so hard
 # code the path.
 
-FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
+FIPSLIBDIR=
 
 # The location of the library which contains fipscanister.o
-# normally it will be libcrypto. If not compiling in FIPS mode
-# at all this is empty making it a useful test for a FIPS compile.
+# normally it will be libcrypto unless fipsdso is set in which
+# case it will be libfips. If not compiling in FIPS mode at all
+# this is empty making it a useful test for a FIPS compile.
 
 FIPSCANLIB=
 
@@ -183,17 +184,6 @@ WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
 
-# Directories created on install if they don't exist.
-INSTALLDIRS=	\
-		$(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
-
 all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
 
 # as we stick to -e, CLEARENV ensures that local variables in lower
@@ -231,8 +221,8 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
-		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
-		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
+		CPUID_OBJ='$(CPUID_OBJ)'			\
+		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
@@ -244,8 +234,8 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
+		FIPSDIR='${FIPSDIR}'				\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
-		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
@@ -256,13 +246,13 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 # This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
 # BUILD_ONE_CMD instead.
 #
-# RECURSIVE_BUILD_CMD is a macro to build a given target in all
-# subdirectories defined in $(DIRS).  It requires that the target
-# is given through the shell variable `target'.
-#
 # BUILD_ONE_CMD is a macro to build a given target in a given
 # subdirectory if that subdirectory is part of $(DIRS).  It requires
 # exactly the same shell variables as BUILD_CMD.
+#
+# RECURSIVE_BUILD_CMD is a macro to build a given target in all
+# subdirectories defined in $(DIRS).  It requires that the target
+# is given through the shell variable `target'.
 BUILD_CMD=  if [ -d "$$dir" ]; then \
 	    (	cd $$dir && echo "making $$target in $$dir..." && \
 		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
@@ -277,120 +267,43 @@ BUILD_ONE_CMD=\
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
-FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
-	../crypto/aes/aes_ecb.o \
-	../crypto/aes/aes_ofb.o \
-	../crypto/bn/bn_add.o \
-	../crypto/bn/bn_blind.o \
-	../crypto/bn/bn_ctx.o \
-	../crypto/bn/bn_div.o \
-	../crypto/bn/bn_exp2.o \
-	../crypto/bn/bn_exp.o \
-	../crypto/bn/bn_gcd.o \
-	../crypto/bn/bn_gf2m.o \
-	../crypto/bn/bn_lib.o \
-	../crypto/bn/bn_mod.o \
-	../crypto/bn/bn_mont.o \
-	../crypto/bn/bn_mul.o \
-	../crypto/bn/bn_nist.o \
-	../crypto/bn/bn_prime.o \
-	../crypto/bn/bn_rand.o \
-	../crypto/bn/bn_recp.o \
-	../crypto/bn/bn_shift.o \
-	../crypto/bn/bn_sqr.o \
-	../crypto/bn/bn_word.o \
-	../crypto/bn/bn_x931p.o \
-	../crypto/buffer/buf_str.o \
-	../crypto/cmac/cmac.o \
-	../crypto/cryptlib.o \
-	../crypto/des/cfb64ede.o \
-	../crypto/des/cfb64enc.o \
-	../crypto/des/cfb_enc.o \
-	../crypto/des/ecb3_enc.o \
-	../crypto/des/ofb64ede.o \
-	../crypto/des/fcrypt.o \
-	../crypto/des/set_key.o \
-	../crypto/dh/dh_check.o \
-	../crypto/dh/dh_gen.o \
-	../crypto/dh/dh_key.o \
-	../crypto/dsa/dsa_gen.o \
-	../crypto/dsa/dsa_key.o \
-	../crypto/dsa/dsa_ossl.o \
-	../crypto/ec/ec_curve.o \
-	../crypto/ec/ec_cvt.o \
-	../crypto/ec/ec_key.o \
-	../crypto/ec/ec_lib.o \
-	../crypto/ec/ecp_mont.o \
-	../crypto/ec/ec_mult.o \
-	../crypto/ec/ecp_nist.o \
-	../crypto/ec/ecp_smpl.o \
-	../crypto/ec/ec2_mult.o \
-	../crypto/ec/ec2_smpl.o \
-	../crypto/ecdh/ech_key.o \
-	../crypto/ecdh/ech_ossl.o \
-	../crypto/ecdsa/ecs_ossl.o \
-	../crypto/evp/e_aes.o \
-	../crypto/evp/e_des3.o \
-	../crypto/evp/e_null.o \
-	../crypto/evp/m_sha1.o \
-	../crypto/evp/m_dss1.o \
-	../crypto/evp/m_dss.o \
-	../crypto/evp/m_ecdsa.o \
-	../crypto/hmac/hmac.o \
-	../crypto/modes/cbc128.o \
-	../crypto/modes/ccm128.o \
-	../crypto/modes/cfb128.o \
-	../crypto/modes/ctr128.o \
-	../crypto/modes/gcm128.o \
-	../crypto/modes/ofb128.o \
-	../crypto/modes/xts128.o \
-	../crypto/rsa/rsa_eay.o \
-	../crypto/rsa/rsa_gen.o \
-	../crypto/rsa/rsa_crpt.o \
-	../crypto/rsa/rsa_none.o \
-	../crypto/rsa/rsa_oaep.o \
-	../crypto/rsa/rsa_pk1.o \
-	../crypto/rsa/rsa_pss.o \
-	../crypto/rsa/rsa_ssl.o \
-	../crypto/rsa/rsa_x931.o \
-	../crypto/rsa/rsa_x931g.o \
-	../crypto/sha/sha1dgst.o \
-	../crypto/sha/sha256.o \
-	../crypto/sha/sha512.o \
-	../crypto/thr_id.o \
-	../crypto/uid.o
-
 sub_all: build_all
-
 build_all: build_libs build_apps build_tests build_tools
 
 build_libs: build_crypto build_ssl build_engines
 
 build_crypto:
 	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl: build_crypto
+build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines: build_crypto
-	@dir=engines; target=all; AS='$(CC) -c'; export AS; $(BUILD_ONE_CMD)
-
-build_apps: build_libs
+build_engines:
+	@dir=engines; target=all; $(BUILD_ONE_CMD)
+build_apps:
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests: build_libs
+build_tests:
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools: build_libs
+build_tools:
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 
 all_testapps: build_libs build_testapps
 build_testapps:
 	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 
-libcrypto$(SHLIB_EXT): libcrypto.a
+fips_premain_dso$(EXE_EXT): libcrypto.a
+	[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \
+		-DFINGERPRINT_PREMAIN_DSO_LOAD -o $@  \
+		$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
+		libcrypto.a $(EX_LIBS)
+
+libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
-			export CC FIPSLD_CC; \
+			FIPSLD_LIBCRYPTO=libcrypto.a ; \
+			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
+			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+		(touch -c fips_premain_dso$(EXE_EXT) || :); \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
@@ -413,7 +326,7 @@ clean-shared:
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+		if [ "$(PLATFORM)" = "Cygwin" ]; then \
 			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
@@ -462,11 +375,11 @@ libssl.pc: Makefile
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
-	    echo 'Name: OpenSSL-libssl'; \
+	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires.private: libcrypto'; \
-	    echo 'Libs: -L$${libdir} -lssl'; \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
 	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 
@@ -479,7 +392,10 @@ openssl.pc: Makefile
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: libssl libcrypto' ) > openssl.pc
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 
 Makefile: Makefile.org Configure config
 	@echo "Makefile is older than Makefile.org, Configure or config."
@@ -491,9 +407,8 @@ libclean:
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
-	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
-	rm -f $(LIBS) tags TAGS
+	rm -f $(LIBS)
 	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
@@ -520,6 +435,7 @@ gentests:
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 
 dclean:
+	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
@@ -549,12 +465,9 @@ depend:
 lint:
 	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
 
-tags TAGS: FORCE
-	rm -f TAGS tags
-	-ctags -R .
-	-etags -R .
-
-FORCE:
+tags:
+	rm -f TAGS
+	find . -name '[^.]*.[ch]' | xargs etags -a
 
 errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
@@ -627,10 +540,15 @@ dist_pem_h:
 
 install: all install_docs install_sw
 
-uninstall: uninstall_sw uninstall_docs
-
 install_sw:
-	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALLDIRS)
+	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -653,7 +571,11 @@ install_sw:
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+				if [ "$(PLATFORM)" != "Cygwin" ]; then \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
@@ -661,10 +583,6 @@ install_sw:
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 				(	case $$i in \
@@ -672,9 +590,9 @@ install_sw:
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
 					echo installing $$i; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 				cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 				chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 				mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 				fi; \
 			fi; \
 		done; \
@@ -695,59 +613,16 @@ install_sw:
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 
-uninstall_sw:
-	cd include/openssl && files=* && cd $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl && $(RM) $$files
-	@for i in $(LIBS) ;\
-	do \
-		test -f "$$i" && \
-		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i && \
-		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-	done;
-	@if [ -n "$(SHARED_LIBS)" ]; then \
-		tmp="$(SHARED_LIBS)"; \
-		for i in $${tmp:-x}; \
-		do \
-			if [ -f "$$i" -o -f "$$i.a" ]; then \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				else \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-				fi; \
-				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
-					case $$i in \
-						*crypto*) i=libeay32.dll;; \
-						*ssl*)    i=ssleay32.dll;; \
-					esac; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-				fi; \
-			fi; \
-		done; \
-	fi
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
-	@target=uninstall; $(RECURSIVE_BUILD_CMD)
-
 install_html_docs:
 	here="`pwd`"; \
-	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
-		filecase=-i; \
-	esac; \
 	for subdir in apps crypto ssl; do \
-		$(PERL) $(TOP)/util/mkdir-p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
 			cat $$i \
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
-			| pod2html --podroot=doc --htmlroot=.. --podpath=$$subdir:apps:crypto:ssl \
+			| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
 			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
@@ -759,43 +634,26 @@ install_html_docs:
 		done; \
 	done
 
-uninstall_html_docs:
-	here="`pwd`"; \
-	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
-		filecase=-i; \
-	esac; \
-	for subdir in apps crypto ssl; do \
-		for i in doc/$$subdir/*.pod; do \
-			fn=`basename $$i .pod`; \
-			$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
-			$(PERL) util/extract-names.pl < $$i | \
-				grep -v $$filecase "^$$fn\$$" | \
-				while read n; do \
-					$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
-				done; \
-		done; \
-	done
-
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
 		$(INSTALL_PREFIX)$(MANDIR)/man1 \
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
+	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
 		filecase=-i; \
-	esac; \
+	fi; \
 	set -e; for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`) \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -810,9 +668,9 @@ install_docs:
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`) \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -823,37 +681,4 @@ install_docs:
 			 done); \
 	done
 
-uninstall_docs:
-	@here="`pwd`"; \
-	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*) \
-		filecase=-i; \
-	esac; \
-	for i in doc/apps/*.pod; do \
-		fn=`basename $$i .pod`; \
-		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
-		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(PERL) util/extract-names.pl < $$i | \
-			(grep -v $$filecase "^$$fn\$$"; true) | \
-			(grep -v "[	]"; true) | \
-			while read n; do \
-				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-			done; \
-	done; \
-	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
-		fn=`basename $$i .pod`; \
-		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
-		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(PERL) util/extract-names.pl < $$i | \
-			(grep -v $$filecase "^$$fn\$$"; true) | \
-			(grep -v "[	]"; true) | \
-			while read n; do \
-				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-			done; \
-	done
-
 # DO NOT DELETE THIS LINE -- make depend depends on it.

Makefile.shared

@@ -170,6 +170,17 @@ link_a.gnu:
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)
 
+DO_BEOS_SO=	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SUFFIX"
+
+link_o.beos:
+	@ $(DO_BEOS_SO); $(LINK_SO_O)
+link_a.beos:
+	@ $(DO_BEOS_SO); $(LINK_SO_A)
+
 link_o.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
@@ -544,10 +555,28 @@ link_app.aix:
 	LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)
 
+link_o.reliantunix:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS=; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS='$(CFLAGS) -G'; \
+	$(LINK_SO_O)
+link_a.reliantunix:
+	@ $(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS=; \
+	NOALLSYMSFLAGS=''; \
+	SHAREDFLAGS='$(CFLAGS) -G'; \
+	$(LINK_SO_A_UNPACKED)
+link_app.reliantunix:
+	$(LINK_APP)
 
 # Targets to build symbolic links when needed
 symlink.gnu symlink.solaris symlink.svr3 symlink.svr5 symlink.irix \
-symlink.aix:
+symlink.aix symlink.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
@@ -562,7 +591,7 @@ symlink.hpux:
 	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
 # The following lines means those specific architectures do no symlinks
-symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
+symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath symlink.beos:
 
 # Compatibility targets
 link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
@@ -616,3 +645,11 @@ link_o.aix-shared: link_o.aix
 link_a.aix-shared: link_a.aix
 link_app.aix-shared: link_app.aix
 symlink.aix-shared: symlink.aix
+link_o.reliantunix-shared: link_o.reliantunix
+link_a.reliantunix-shared: link_a.reliantunix
+link_app.reliantunix-shared: link_app.reliantunix
+symlink.reliantunix-shared: symlink.reliantunix
+link_o.beos-shared: link_o.beos
+link_a.beos-shared: link_a.beos
+link_app.beos-shared: link_app.gnu
+symlink.beos-shared: symlink.beos

NEWS

@@ -5,16 +5,24 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.2 [in beta]:
+  Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [under development]
 
-      o Suite B support for TLS 1.2 and DTLS 1.2
-      o Support for DTLS 1.2
-      o TLS automatic EC curve selection.
-      o API to set TLS supported signature algorithms and curves
-      o SSL_CONF configuration API.
-      o TLS Brainpool support.
-      o ALPN support.
-      o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
+      o
+
+  Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
+
+      o Build fixes for the Windows and OpenVMS platforms
+
+  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2015-0206
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2015-0205
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570
 
   Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
 
@@ -39,6 +47,7 @@
 
       o Fix for CVE-2014-0224
       o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0198
       o Fix for CVE-2014-0195
       o Fix for CVE-2014-3470
       o Fix for CVE-2010-5298
@@ -98,10 +107,6 @@
       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
       o SRP support.
 
-  Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014]
-
-      o Fix for DTLS retransmission bug CVE-2013-6450
-
   Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
 
       o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
@@ -187,16 +192,6 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]:
-
-      o Fix for CVE-2014-0224
-      o Fix for CVE-2014-0221
-      o Fix for CVE-2014-0195
-      o Fix for CVE-2014-3470
-      o Fix for CVE-2014-0076
-      o Fix for CVE-2010-5298
-      o Fix to TLS alert handling.
-
   Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
 
       o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169

Netware/do_tests.pl

@@ -270,6 +270,22 @@ sub ssl_tests
    print( OUT "\n========================================================\n");
    print( OUT "SSL TESTS:\n\n");
 
+   system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2:");
+   log_output("ssltest -ssl2", $outFile);
+
+   system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 with server authentication:");
+   log_output("$ssltest -ssl2 -server_auth", $outFile);
+
+   system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 with client authentication:");
+   log_output("$ssltest -ssl2 -client_auth", $outFile);
+
+   system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 with both client and server authentication:");
+   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);
+
    system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv3:");
    log_output("ssltest -ssl3", $outFile);
@@ -302,10 +318,26 @@ sub ssl_tests
    log_desc("Testing sslv2/sslv3 with both client and server authentication:");
    log_output("$ssltest -server_auth -client_auth", $outFile);
 
+   system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 via BIO pair:");
+   log_output("ssltest -bio_pair -ssl2", $outFile);
+
    system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
    log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
 
+   system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 with server authentication via BIO pair:");
+   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);
+
+   system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 with client authentication via BIO pair:");
+   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);
+
+   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
+   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
+   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);
+
    system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
    log_desc("Testing sslv3 via BIO pair:");
    log_output("ssltest -bio_pair -ssl3", $outFile);

Netware/globals.txt

@@ -66,7 +66,7 @@ static LHASH *error_hash=NULL;
 static LHASH *thread_hash=NULL;
 
 several files have routines with static "init" to track if error strings
-   have been loaded ( may not want separate error strings for each process )
+   have been loaded ( may not want seperate error strings for each process )
    The "init" variable can't be left "global" because the error has is a ptr
    that is malloc'ed.  The malloc'ed error has is dependant on the "init"
    vars.

README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0-dev
+ OpenSSL 1.0.1m-dev
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -90,6 +90,32 @@
         SSL/TLS Client and Server Tests
         Handling of S/MIME signed or encrypted mail
 
+
+ PATENTS
+ -------
+
+ Various companies hold various patents for various algorithms in various
+ locations around the world. _YOU_ are responsible for ensuring that your use
+ of any algorithms is legal by checking if there are any patents in your
+ country.  The file contains some of the patents that we know about or are
+ rumored to exist. This is not a definitive list.
+
+ RSA Security holds software patents on the RC5 algorithm.  If you
+ intend to use this cipher, you must contact RSA Security for
+ licensing conditions. Their web page is http://www.rsasecurity.com/.
+
+ RC4 is a trademark of RSA Security, so use of this label should perhaps
+ only be used with RSA Security's permission.
+
+ The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
+ Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
+ should be contacted if that algorithm is to be used; their web page is
+ http://www.ascom.ch/.
+
+ NTT and Mitsubishi have patents and pending patents on the Camellia
+ algorithm, but allow use at no charge without requiring an explicit
+ licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
+
  INSTALLATION
  ------------
 
@@ -135,7 +161,8 @@
     - Problem Description (steps that will reproduce the problem, if known)
     - Stack Traceback (if the application dumps core)
 
- Email the report to:
+ Report the bug to the OpenSSL project via the Request Tracker
+ (http://www.openssl.org/support/rt.html) by mail to:
 
     openssl-bugs@openssl.org
 
@@ -143,11 +170,10 @@
  or support queries. Just because something doesn't work the way you expect
  does not mean it is necessarily a bug in OpenSSL.
 
- Note that mail to openssl-bugs@openssl.org is recorded in the public
- request tracker database (see https://www.openssl.org/support/rt.html
- for details) and also forwarded to a public mailing list. Confidential
- mail may be sent to openssl-security@openssl.org (PGP key available from
- the key servers).
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
+ readable request tracker database and is forwarded to a public
+ mailing list. Confidential mail may be sent to openssl-security@openssl.org
+ (PGP key available from the key servers).
 
  HOW TO CONTRIBUTE TO OpenSSL
  ----------------------------

README.ECC

@@ -1,61 +0,0 @@
-NOTE: The OpenSSL Software Foundation has executed a sublicense agreement
-entitled "Elliptic Curve Cryptography Patent License Agreement" with the
-National Security Agency/ Central Security Service Commercial Solutions
-Center (NCSC) dated 2010-11-04. That agreement permits implementation and
-distribution of software containing features covered by any or all of the
-following patents:
-
-1.) U.S. Pat. No. 5,761,305 entitled "Key Agreement and Transport Protocol 
-    with Implicit Signatures" issued on June 2, 1998;
-2.) Can. Pat. Appl. Ser. No. 2176972 entitled "Key Agreement and Transport 
-    Protocol with Implicit Signature and Reduced Bandwidth" filed on May 
-    16, 1996;
-3.) U.S. Pat. No. 5,889,865 entitled "Key Agreement and Transport Protocol 
-    with Implicit Signatures" issued on March 30, 1999;
-4.) U.S. Pat. No. 5,896,455 entitled "Key Agreement and Transport Protocol 
-    with Implicit Signatures" issued on April 20, 1999;
-5.) U.S. Pat. No. 5,933,504 entitled "Strengthened Public Key Protocol" 
-    issued on August 3, 1999;
-6.) Can. Pat. Appl. Ser. No. 2176866 entitled "Strengthened Public Key 
-    Protocol" filed on May 17, 1996;
-7.) E.P. Pat. Appl. Ser. No. 96201322.3 entitled "Strengthened Public Key 
-    Protocol" filed on May 17, 1996;
-8.) U.S. Pat. No. 5,999,626 entitled "Digital Signatures on a Smartcard" 
-    issued on December 7, 1999;
-9.) Can. Pat. Appl. Ser. No. 2202566 entitled "Digital Signatures on a 
-    Smartcard" filed on April 14, 1997;
-10.) E.P. Pat. Appl. No. 97106114.8 entitled "Digital Signatures on a 
-     Smartcard" filed on April 15, 1997;
-11.) U.S Pat. No. 6,122,736 entitled "Key Agreement and Transport Protocol 
-     with Implicit Signatures" issued on September 19, 2000;
-12.) Can. Pat. Appl. Ser. No. 2174261 entitled "Key Agreement and Transport 
-     Protocol with Implicit Signatures" filed on April 16, 1996;
-13.) E.P. Pat. Appl. Ser. No. 96105920.1 entitled "Key Agreement and 
-     Transport Protocol with Implicit Signatures" filed on April 16, 1996;
-14.) U.S. Pat. No. 6,141,420 entitled "Elliptic Curve Encryption Systems" 
-     issued on October 31, 2000;
-15.) Can. Pat. Appl. Ser. No. 2155038 entitled "Elliptic Curve Encryption 
-     Systems" filed on July 31, 1995;
-16.) E.P. Pat. Appl. Ser. No. 95926348.4 entitled "Elliptic Curve Encryption 
-     Systems" filed on July 31, 1995;
-17.) U.S. Pat. No. 6,336,188 entitled "Authenticated Key Agreement" issued 
-     on January 1, 2002;
-18.) U.S. Pat. No. 6,487,661 entitled "Key Agreement and Transport Protocol" 
-     issued on November 26, 2002;
-19.) Can. Pat. Appl. Ser. No. 2174260 entitled "Key Agreement and Transport 
-     Protocol" filed on April 16, 1996;
-20.) E.P. Pat. Appl. Ser. No. 96105921.9 entitled "Key Agreement and 
-     Transport Protocol" filed on April 21, 1996;
-21.) U.S. Pat. No. 6,563,928 entitled "Strengthened Public Key Protocol" 
-     issued on May 13, 2003;
-22.) U.S. Pat. No. 6,618,483 entitled "Elliptic Curve Encryption Systems" 
-     issued September 9, 2003;
-23.) U.S. Pat. Appl. Ser. No. 09/434,247 entitled "Digital Signatures on a 
-     Smartcard" filed on November 5, 1999;
-24.) U.S. Pat. Appl. Ser. No. 09/558,256 entitled "Key Agreement and 
-     Transport Protocol with Implicit Signatures" filed on April 25, 2000;
-25.) U.S. Pat. Appl. Ser. No. 09/942,492 entitled "Digital Signatures on a 
-     Smartcard" filed on August 29, 2001 and published on July 18, 2002; and,
-26.) U.S. Pat. Appl. Ser. No. 10/185,735 entitled "Strengthened Public Key 
-     Protocol" filed on July 1, 2000.
-

README.FIPS

@@ -1,130 +0,0 @@
-Preliminary status and build information for FIPS module v2.0
-
-NB: if you are cross compiling you now need to use the latest "incore" script
-this can be found at util/incore in the tarballs.
-
-If you have any object files from a previous build do:
-
-make clean
-
-To build the module do:
-
-./config fipscanisteronly
-make
-
-Build should complete without errors.
-
-Build test utilities:
-
-make build_tests
-
-Run test suite:
-
-test/fips_test_suite
-
-again should complete without errors.
-
-Run test vectors: 
-
-1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
-   only the fips-2.0 testvector files are usable for complete tests.
-
-2. Extract the files to a suitable directory.
-
-3. Run the test vector perl script, for example:
-
-   cd fips
-   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
-
-4. It should say "passed all tests" at the end. Report full details of any
-   failures.
-
-If you wish to use the older 1.2.x testvectors (for example those from 2007)
-you need the command line switch --disable-v2 to fipsalgtest.pl
-
-Examine the external symbols in fips/fipscanister.o they should all begin
-with FIPS or fips. One way to check with GNU nm is:
-
-	nm -g --defined-only fips/fipscanister.o | grep -v -i fips
-
-If you get *any* output at all from this test (i.e. symbols not starting with
-fips or FIPS) please report it.
-
-Restricted tarball tests.
-
-The validated module will have its own tarball containing sufficient code to
-build fipscanister.o and the associated algorithm tests. You can create a
-similar tarball yourself for testing purposes using the commands below.
-
-Standard restricted tarball:
-
-make -f Makefile.fips dist
-
-Prime field field only ECC tarball:
-
-make NOEC2M=1 -f Makefile.fips dist
-
-Once you've created the tarball extract into a fresh directory and do:
-
-./config
-make
-
-You can then run the algorithm tests as above. This build automatically uses
-fipscanisterbuild and no-ec2m as appropriate.
-
-FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
-
-At least initially the test module and FIPS capable OpenSSL may change and
-by out of sync. You are advised to check for any changes and pull the latest
-source from CVS if you have problems. See anon CVS and rsync instructions at:
-
-http://www.openssl.org/source/repos.html
-
-Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
-
-If required set the environment variable FIPSDIR to an appropriate location
-to install the test module. If cross compiling set other environment
-variables too.
-
-In this restricted tarball on a Linux or U*ix like system run:
-
-./config
-make
-make install
-
-On Windows from a VC++ environment do:
-
-ms\do_fips
-
-This will build and install the test module and some associated files.
-
-Now download the latest version of the OpenSSL 1.0.1 branch from either a
-snapshot or preferably CVS. For Linux do:
-
-./config fips [other args]
-make
-
-For Windows:
-
-perl Configure VC-WIN32 fips [other args]
-ms\do_nasm
-nmake -f ms\ntdll.mak
-
-(or ms\nt.mak for a static build).
-
-Where [other args] can be any other arguments you use for an OpenSSL build
-such as "shared" or "zlib".
-
-This will build the fips capable OpenSSL and link it to the test module. You
-can now try linking and testing applications against the FIPS capable OpenSSL.
-
-Please report any problems to either the openssl-dev mailing list or directly
-to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
-reports.
-
-Known issues:
-
-Code needs extensively reviewing to ensure it builds correctly on 
-supported platforms and is compliant with FIPS 140-2.
-The "FIPS capable OpenSSL" is still largely untested, it builds and runs
-some simple tests OK on some systems but needs far more "real world" testing.

apps/.cvsignore

@@ -0,0 +1,8 @@
+openssl
+Makefile.save
+der_chop
+der_chop.bak
+CA.pl
+*.flc
+semantic.cache
+*.dll

apps/CA.pl.in

@@ -1,10 +1,37 @@
 #!/usr/local/bin/perl
 #
-# CA - wrapper around ca to make it easier to use
+# CA - wrapper around ca to make it easier to use ... basically ca requires
+#      some setup stuff to be done before you can use it and this makes
+#      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
 # CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
+#
+# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# and the other the certificate) and cat them together and that is what
+# you want/need ... I'll make even this a little cleaner later.
+#
+#
+# 12-Jan-96 tjh    Added more things ... including CA -signcert which
+#                  converts a certificate to a request and then signs it.
+# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
+#		   environment variable so this can be driven from
+#		   a script.
+# 25-Jul-96 eay    Cleaned up filenames some more.
+# 11-Jun-96 eay    Fixed a few filename missmatches.
+# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
+# 18-Apr-96 tjh    Original hacking
+#
+# Tim Hudson
+# tjh@cryptsoft.com
+#
+
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
+#
+#
+# Steve Henson
+# shenson@bigfoot.com
 
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
@@ -30,7 +57,6 @@ $CATOP="./demoCA";
 $CAKEY="cakey.pem";
 $CAREQ="careq.pem";
 $CACERT="cacert.pem";
-$CACRL="crl.pem";
 
 $DIRMODE = 0777;
 
@@ -39,7 +65,6 @@ $RET = 0;
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-	    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
@@ -135,50 +160,17 @@ foreach (@ARGV) {
 	    } else {
 		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
 		    $RET=$?;
-		    exit $RET;
+	    	    exit 0;
 	    }
-	} elsif (/^-crl$/) {
-		system ("$CA -gencrl -out $CATOP/crl/$CACRL");
-		$RET=$?;
-		print "Generated CRL is in $CATOP/crl/$CACRL\n" if (!$RET);
-	} elsif (/^-revoke$/) {
-		my $cname = $ARGV[1];
-		if (!defined $cname) {
-			print "Certificate filename is required; reason optional.\n";
-			exit 1;
-		}
-		my $reason = $ARGV[2];
-		$reason = " -crl_reason $reason"
-			if defined $reason && crl_reason_ok($reason);
-		my $cmd = "$CA -revoke \"$cname\"".$reason;
-		system ($cmd);
-		$RET=$?;
-		exit $RET;
 	} else {
 	    print STDERR "Unknown arg $_\n";
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-	    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
 	    exit 1;
 	}
 }
 
 exit $RET;
 
-sub crl_reason_ok {
-	my ($r) = shift;
-	if ($r eq 'unspecified' || $r eq 'keyCompromise' ||
-	$r eq 'CACompromise' || $r eq 'affiliationChanged' ||
-	$r eq 'superseded' || $r eq 'cessationOfOperation' ||
-	$r eq 'certificateHold' || $r eq 'removeFromCRL') {
-		return 1;
-	}
-	print STDERR "Invalid CRL reason; must be one of:\n";
-	print STDERR "    unspecified, keyCompromise, CACompromise,\n";
-	print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
-	print STDERR "    certificateHold, removeFromCRL";
-	exit 1;
-}
-
 sub cp_pem {
 my ($infile, $outfile, $bound) = @_;
 open IN, $infile;

apps/Makefile

@@ -117,19 +117,6 @@ install:
 	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
 	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
 
-uninstall:
-	@set -e; for i in $(EXE); \
-	do  \
-		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-	done;
-	@set -e; for i in $(SCRIPTS); \
-	do  \
-		echo $(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-		$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-	done
-	$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
-
 tags:
 	ctags $(SRC)
 
@@ -150,6 +137,7 @@ depend:
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
+	rm -f CA.pl
 
 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
@@ -165,6 +153,8 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
 	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 		shlib_target="$(SHLIB_TARGET)"; \
+	elif [ -n "$(FIPSCANLIB)" ]; then \
+	  FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; export CC FIPSLD_CC; \
 	fi; \
 	LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
 	$(MAKE) -f $(TOP)/Makefile.shared -e \
@@ -362,18 +352,20 @@ dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c
 dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dsaparam.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-dsaparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-dsaparam.o: ../include/openssl/err.h ../include/openssl/evp.h
-dsaparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dsaparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-dsaparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsaparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h
+dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dsaparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h
 dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
 dsaparam.o: dsaparam.c
 ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
@@ -468,20 +460,22 @@ errstr.o: ../include/openssl/x509v3.h apps.h errstr.c
 gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gendh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h
-gendh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-gendh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-gendh.o: ../include/openssl/err.h ../include/openssl/evp.h
-gendh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-gendh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-gendh.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+gendh.o: ../include/openssl/engine.h ../include/openssl/err.h
+gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+gendh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h
 gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-gendh.o: ../include/openssl/x509v3.h apps.h gendh.c
+gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h
+gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+gendh.o: gendh.c
 gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -518,6 +512,7 @@ genpkey.o: genpkey.c
 genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
@@ -530,8 +525,9 @@ genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
 genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-genrsa.o: ../include/openssl/x509v3.h apps.h genrsa.c
+genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h
+genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+genrsa.o: genrsa.c
 nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
@@ -736,20 +732,21 @@ rand.o: ../include/openssl/x509v3.h apps.h rand.c
 req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-req.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-req.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-req.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-req.o: ../include/openssl/err.h ../include/openssl/evp.h
-req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-req.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+req.o: ../include/openssl/engine.h ../include/openssl/err.h
+req.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+req.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 req.o: ../include/openssl/sha.h ../include/openssl/stack.h
 req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-req.o: ../include/openssl/x509v3.h apps.h req.c
+req.o: ../include/openssl/ui.h ../include/openssl/x509.h
+req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
 rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -783,9 +780,8 @@ rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
 rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 rsautl.o: ../include/openssl/x509v3.h apps.h rsautl.c
 s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_cb.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+s_cb.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h
 s_cb.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
 s_cb.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 s_cb.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
@@ -832,47 +828,48 @@ s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
 s_server.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-s_server.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_server.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_server.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_server.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
-s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s_server.o: ../include/openssl/sha.h ../include/openssl/srp.h
-s_server.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
+s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
 s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
 s_server.o: s_apps.h s_server.c timeouts.h
-s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_socket.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_socket.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_socket.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_socket.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_socket.o: s_apps.h s_socket.c
+s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h
+s_socket.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_socket.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_socket.o: ../include/openssl/x509v3.h apps.h s_apps.h s_socket.c
 s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h

apps/apps.c

@@ -119,7 +119,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(OPENSSL_SYSNAME_WINCE) && !defined(NETWARE_CLIB)
+#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
 # include <strings.h>
 #endif
 #include <sys/types.h>
@@ -273,8 +273,6 @@ int str2fmt(char *s)
         return (FORMAT_ASN1);
     else if ((*s == 'T') || (*s == 't'))
         return (FORMAT_TEXT);
-    else if ((strcmp(s, "NSS") == 0) || (strcmp(s, "nss") == 0))
-        return (FORMAT_NSS);
     else if ((*s == 'N') || (*s == 'n'))
         return (FORMAT_NETSCAPE);
     else if ((*s == 'S') || (*s == 's'))
@@ -287,8 +285,6 @@ int str2fmt(char *s)
         return (FORMAT_PKCS12);
     else if ((*s == 'E') || (*s == 'e'))
         return (FORMAT_ENGINE);
-    else if ((*s == 'H') || (*s == 'h'))
-        return FORMAT_HTTP;
     else if ((*s == 'P') || (*s == 'p')) {
         if (s[1] == 'V' || s[1] == 'v')
             return FORMAT_PVK;
@@ -298,7 +294,7 @@ int str2fmt(char *s)
         return (FORMAT_UNDEF);
 }
 
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_NETWARE)
 void program_name(char *in, char *out, int size)
 {
     int i, n;
@@ -780,72 +776,12 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc,
     return ret;
 }
 
-int load_cert_crl_http(const char *url, BIO *err,
-                       X509 **pcert, X509_CRL **pcrl)
-{
-    char *host = NULL, *port = NULL, *path = NULL;
-    BIO *bio = NULL;
-    OCSP_REQ_CTX *rctx = NULL;
-    int use_ssl, rv = 0;
-    if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
-        goto err;
-    if (use_ssl) {
-        if (err)
-            BIO_puts(err, "https not supported\n");
-        goto err;
-    }
-    bio = BIO_new_connect(host);
-    if (!bio || !BIO_set_conn_port(bio, port))
-        goto err;
-    rctx = OCSP_REQ_CTX_new(bio, 1024);
-    if (!rctx)
-        goto err;
-    if (!OCSP_REQ_CTX_http(rctx, "GET", path))
-        goto err;
-    if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
-        goto err;
-    if (pcert) {
-        do {
-            rv = X509_http_nbio(rctx, pcert);
-        }
-        while (rv == -1);
-    } else {
-        do {
-            rv = X509_CRL_http_nbio(rctx, pcrl);
-        } while (rv == -1);
-    }
-
- err:
-    if (host)
-        OPENSSL_free(host);
-    if (path)
-        OPENSSL_free(path);
-    if (port)
-        OPENSSL_free(port);
-    if (bio)
-        BIO_free_all(bio);
-    if (rctx)
-        OCSP_REQ_CTX_free(rctx);
-    if (rv != 1) {
-        if (bio && err)
-            BIO_printf(bio_err, "Error loading %s from %s\n",
-                       pcert ? "certificate" : "CRL", url);
-        ERR_print_errors(bio_err);
-    }
-    return rv;
-}
-
 X509 *load_cert(BIO *err, const char *file, int format,
                 const char *pass, ENGINE *e, const char *cert_descrip)
 {
     X509 *x = NULL;
     BIO *cert;
 
-    if (format == FORMAT_HTTP) {
-        load_cert_crl_http(file, err, &x, NULL);
-        return x;
-    }
-
     if ((cert = BIO_new(BIO_s_file())) == NULL) {
         ERR_print_errors(err);
         goto end;
@@ -903,49 +839,6 @@ X509 *load_cert(BIO *err, const char *file, int format,
     return (x);
 }
 
-X509_CRL *load_crl(const char *infile, int format)
-{
-    X509_CRL *x = NULL;
-    BIO *in = NULL;
-
-    if (format == FORMAT_HTTP) {
-        load_cert_crl_http(infile, bio_err, NULL, &x);
-        return x;
-    }
-
-    in = BIO_new(BIO_s_file());
-    if (in == NULL) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
-    if (format == FORMAT_ASN1)
-        x = d2i_X509_CRL_bio(in, NULL);
-    else if (format == FORMAT_PEM)
-        x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
-    else {
-        BIO_printf(bio_err, "bad input format specified for input crl\n");
-        goto end;
-    }
-    if (x == NULL) {
-        BIO_printf(bio_err, "unable to load CRL\n");
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
- end:
-    BIO_free(in);
-    return (x);
-}
-
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *key_descrip)
 {
@@ -2254,11 +2147,7 @@ int args_verify(char ***pargs, int *pargc,
     int purpose = 0, depth = -1;
     char **oldargs = *pargs;
     char *arg = **pargs, *argn = (*pargs)[1];
-    const X509_VERIFY_PARAM *vpm = NULL;
     time_t at_time = 0;
-    char *hostname = NULL;
-    char *email = NULL;
-    char *ipasc = NULL;
     if (!strcmp(arg, "-policy")) {
         if (!argn)
             *badarg = 1;
@@ -2285,17 +2174,6 @@ int args_verify(char ***pargs, int *pargc,
             }
         }
         (*pargs)++;
-    } else if (strcmp(arg, "-verify_name") == 0) {
-        if (!argn)
-            *badarg = 1;
-        else {
-            vpm = X509_VERIFY_PARAM_lookup(argn);
-            if (!vpm) {
-                BIO_printf(err, "unrecognized verify name\n");
-                *badarg = 1;
-            }
-        }
-        (*pargs)++;
     } else if (strcmp(arg, "-verify_depth") == 0) {
         if (!argn)
             *badarg = 1;
@@ -2323,21 +2201,6 @@ int args_verify(char ***pargs, int *pargc,
             at_time = (time_t)timestamp;
         }
         (*pargs)++;
-    } else if (strcmp(arg, "-verify_hostname") == 0) {
-        if (!argn)
-            *badarg = 1;
-        hostname = argn;
-        (*pargs)++;
-    } else if (strcmp(arg, "-verify_email") == 0) {
-        if (!argn)
-            *badarg = 1;
-        email = argn;
-        (*pargs)++;
-    } else if (strcmp(arg, "-verify_ip") == 0) {
-        if (!argn)
-            *badarg = 1;
-        ipasc = argn;
-        (*pargs)++;
     } else if (!strcmp(arg, "-ignore_critical"))
         flags |= X509_V_FLAG_IGNORE_CRITICAL;
     else if (!strcmp(arg, "-issuer_checks"))
@@ -2364,16 +2227,6 @@ int args_verify(char ***pargs, int *pargc,
         flags |= X509_V_FLAG_NOTIFY_POLICY;
     else if (!strcmp(arg, "-check_ss_sig"))
         flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
-    else if (!strcmp(arg, "-trusted_first"))
-        flags |= X509_V_FLAG_TRUSTED_FIRST;
-    else if (!strcmp(arg, "-suiteB_128_only"))
-        flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY;
-    else if (!strcmp(arg, "-suiteB_128"))
-        flags |= X509_V_FLAG_SUITEB_128_LOS;
-    else if (!strcmp(arg, "-suiteB_192"))
-        flags |= X509_V_FLAG_SUITEB_192_LOS;
-    else if (!strcmp(arg, "-partial_chain"))
-        flags |= X509_V_FLAG_PARTIAL_CHAIN;
     else
         return 0;
 
@@ -2389,9 +2242,6 @@ int args_verify(char ***pargs, int *pargc,
         goto end;
     }
 
-    if (vpm)
-        X509_VERIFY_PARAM_set1(*pm, vpm);
-
     if (otmp)
         X509_VERIFY_PARAM_add0_policy(*pm, otmp);
     if (flags)
@@ -2406,15 +2256,6 @@ int args_verify(char ***pargs, int *pargc,
     if (at_time)
         X509_VERIFY_PARAM_set_time(*pm, at_time);
 
-    if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
-        *badarg = 1;
-
-    if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
-        *badarg = 1;
-
-    if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
-        *badarg = 1;
-
  end:
 
     (*pargs)++;
@@ -2698,9 +2539,6 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
 
     BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
 
-    if (psk_key)
-        OPENSSL_free(psk_key);
-
     psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
 
     BIO_pop(bconn);
@@ -2730,9 +2568,6 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 
     BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
 
-    if (psk_key)
-        OPENSSL_free(psk_key);
-
     psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
 
     BIO_pop(bconn);
@@ -2743,7 +2578,7 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 /*-
  * next_protos_parse parses a comma separated list of strings into a string
  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@@ -2782,106 +2617,8 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
     *outlen = len + 1;
     return out;
 }
-#endif                          /* ndef OPENSSL_NO_TLSEXT */
-
-void print_cert_checks(BIO *bio, X509 *x,
-                       const char *checkhost,
-                       const char *checkemail, const char *checkip)
-{
-    if (x == NULL)
-        return;
-    if (checkhost) {
-        BIO_printf(bio, "Hostname %s does%s match certificate\n",
-                   checkhost, X509_check_host(x, checkhost, 0, 0, NULL)
-                   ? "" : " NOT");
-    }
-
-    if (checkemail) {
-        BIO_printf(bio, "Email %s does%s match certificate\n",
-                   checkemail, X509_check_email(x, checkemail, 0,
-                                                0) ? "" : " NOT");
-    }
-
-    if (checkip) {
-        BIO_printf(bio, "IP %s does%s match certificate\n",
-                   checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT");
-    }
-}
-
-/* Get first http URL from a DIST_POINT structure */
-
-static const char *get_dp_url(DIST_POINT *dp)
-{
-    GENERAL_NAMES *gens;
-    GENERAL_NAME *gen;
-    int i, gtype;
-    ASN1_STRING *uri;
-    if (!dp->distpoint || dp->distpoint->type != 0)
-        return NULL;
-    gens = dp->distpoint->name.fullname;
-    for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-        gen = sk_GENERAL_NAME_value(gens, i);
-        uri = GENERAL_NAME_get0_value(gen, &gtype);
-        if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
-            char *uptr = (char *)ASN1_STRING_data(uri);
-            if (!strncmp(uptr, "http://", 7))
-                return uptr;
-        }
-    }
-    return NULL;
-}
-
-/*
- * Look through a CRLDP structure and attempt to find an http URL to
- * downloads a CRL from.
- */
-
-static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
-{
-    int i;
-    const char *urlptr = NULL;
-    for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
-        DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
-        urlptr = get_dp_url(dp);
-        if (urlptr)
-            return load_crl(urlptr, FORMAT_HTTP);
-    }
-    return NULL;
-}
-
-/*
- * Example of downloading CRLs from CRLDP: not usable for real world as it
- * always downloads, doesn't support non-blocking I/O and doesn't cache
- * anything.
- */
-
-static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
-{
-    X509 *x;
-    STACK_OF(X509_CRL) *crls = NULL;
-    X509_CRL *crl;
-    STACK_OF(DIST_POINT) *crldp;
-    x = X509_STORE_CTX_get_current_cert(ctx);
-    crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
-    crl = load_crl_crldp(crldp);
-    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
-    if (!crl)
-        return NULL;
-    crls = sk_X509_CRL_new_null();
-    sk_X509_CRL_push(crls, crl);
-    /* Try to download delta CRL */
-    crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
-    crl = load_crl_crldp(crldp);
-    sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
-    if (crl)
-        sk_X509_CRL_push(crls, crl);
-    return crls;
-}
-
-void store_setup_crl_download(X509_STORE *st)
-{
-    X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
-}
+#endif                          /* !OPENSSL_NO_TLSEXT &&
+                                 * !OPENSSL_NO_NEXTPROTONEG */
 
 /*
  * Platform-specific sections

apps/apps.h

@@ -205,7 +205,7 @@ extern BIO *bio_err;
 #  endif
 # endif
 
-# if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE)
+# ifdef OPENSSL_SYSNAME_WIN32
 #  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
 # else
 #  define openssl_fdset(a,b) FD_SET(a, b)
@@ -245,9 +245,6 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
                 const char *pass, ENGINE *e, const char *cert_descrip);
-X509_CRL *load_crl(const char *infile, int format);
-int load_cert_crl_http(const char *url, BIO *err,
-                       X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *key_descrip);
 EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
@@ -265,9 +262,8 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug);
 
 # ifndef OPENSSL_NO_OCSP
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
-                                 const char *host, const char *path,
-                                 const char *port, int use_ssl,
-                                 const STACK_OF(CONF_VALUE) *headers,
+                                 char *host, char *path, char *port,
+                                 int use_ssl, STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout);
 # endif
 
@@ -338,15 +334,10 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 # endif
 
-# ifndef OPENSSL_NO_TLSEXT
+# if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
-# endif                         /* ndef OPENSSL_NO_TLSEXT */
-
-void print_cert_checks(BIO *bio, X509 *x,
-                       const char *checkhost,
-                       const char *checkemail, const char *checkip);
-
-void store_setup_crl_download(X509_STORE *st);
+# endif                         /* !OPENSSL_NO_TLSEXT &&
+                                 * !OPENSSL_NO_NEXTPROTONEG */
 
 # define FORMAT_UNDEF    0
 # define FORMAT_ASN1     1
@@ -362,8 +353,6 @@ void store_setup_crl_download(X509_STORE *st);
 # define FORMAT_ASN1RSA  10     /* DER RSAPubicKey format */
 # define FORMAT_MSBLOB   11     /* MS Key blob format */
 # define FORMAT_PVK      12     /* MS PVK file format */
-# define FORMAT_HTTP     13     /* Download using HTTP */
-# define FORMAT_NSS      14     /* NSS keylog format */
 
 # define EXT_COPY_NONE   0
 # define EXT_COPY_ADD    1

apps/asn1pars.c

@@ -92,9 +92,8 @@ int MAIN(int argc, char **argv)
     unsigned int length = 0;
     long num, tmplen;
     BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
-    int informat, indent = 0, noout = 0, dump = 0, strictpem = 0;
-    char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile =
-        NULL, *name = NULL, *header = NULL;
+    int informat, indent = 0, noout = 0, dump = 0;
+    char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile = NULL;
     char *genstr = NULL, *genconf = NULL;
     unsigned char *tmpbuf;
     const unsigned char *ctmpbuf;
@@ -171,9 +170,6 @@ int MAIN(int argc, char **argv)
             if (--argc < 1)
                 goto bad;
             genconf = *(++argv);
-        } else if (strcmp(*argv, "-strictpem") == 0) {
-            strictpem = 1;
-            informat = FORMAT_PEM;
         } else {
             BIO_printf(bio_err, "unknown option %s\n", *argv);
             badops = 1;
@@ -207,9 +203,6 @@ int MAIN(int argc, char **argv)
                    " -genstr str   string to generate ASN1 structure from\n");
         BIO_printf(bio_err,
                    " -genconf file file to generate ASN1 structure from\n");
-        BIO_printf(bio_err,
-                   " -strictpem    do not attempt base64 decode outside PEM markers (-inform \n");
-        BIO_printf(bio_err, "               will be ignored)\n");
         goto end;
     }
 
@@ -255,55 +248,44 @@ int MAIN(int argc, char **argv)
         }
     }
 
-    if (strictpem) {
-        if (PEM_read_bio(in, &name, &header, (unsigned char **)&str, &num) !=
-            1) {
-            BIO_printf(bio_err, "Error reading PEM file\n");
+    if ((buf = BUF_MEM_new()) == NULL)
+        goto end;
+    if (!BUF_MEM_grow(buf, BUFSIZ * 8))
+        goto end;               /* Pre-allocate :-) */
+
+    if (genstr || genconf) {
+        num = do_generate(bio_err, genstr, genconf, buf);
+        if (num < 0) {
             ERR_print_errors(bio_err);
             goto end;
         }
-    } else {
-
-        if ((buf = BUF_MEM_new()) == NULL)
-            goto end;
-        if (!BUF_MEM_grow(buf, BUFSIZ * 8))
-            goto end;           /* Pre-allocate :-) */
-
-        if (genstr || genconf) {
-            num = do_generate(bio_err, genstr, genconf, buf);
-            if (num < 0) {
-                ERR_print_errors(bio_err);
-                goto end;
-            }
-        }
-
-        else {
-
-            if (informat == FORMAT_PEM) {
-                BIO *tmp;
-
-                if ((b64 = BIO_new(BIO_f_base64())) == NULL)
-                    goto end;
-                BIO_push(b64, in);
-                tmp = in;
-                in = b64;
-                b64 = tmp;
-            }
-
-            num = 0;
-            for (;;) {
-                if (!BUF_MEM_grow(buf, (int)num + BUFSIZ))
-                    goto end;
-                i = BIO_read(in, &(buf->data[num]), BUFSIZ);
-                if (i <= 0)
-                    break;
-                num += i;
-            }
-        }
-        str = buf->data;
-
     }
 
+    else {
+
+        if (informat == FORMAT_PEM) {
+            BIO *tmp;
+
+            if ((b64 = BIO_new(BIO_f_base64())) == NULL)
+                goto end;
+            BIO_push(b64, in);
+            tmp = in;
+            in = b64;
+            b64 = tmp;
+        }
+
+        num = 0;
+        for (;;) {
+            if (!BUF_MEM_grow(buf, (int)num + BUFSIZ))
+                goto end;
+            i = BIO_read(in, &(buf->data[num]), BUFSIZ);
+            if (i <= 0)
+                break;
+            num += i;
+        }
+    }
+    str = buf->data;
+
     /* If any structs to parse go through in sequence */
 
     if (sk_OPENSSL_STRING_num(osk)) {
@@ -380,12 +362,6 @@ int MAIN(int argc, char **argv)
         ERR_print_errors(bio_err);
     if (buf != NULL)
         BUF_MEM_free(buf);
-    if (name != NULL)
-        OPENSSL_free(name);
-    if (header != NULL)
-        OPENSSL_free(header);
-    if (strictpem && str != NULL)
-        OPENSSL_free(str);
     if (at != NULL)
         ASN1_TYPE_free(at);
     if (osk != NULL)

apps/ca.c

@@ -148,7 +148,7 @@
 static const char *ca_usage[] = {
     "usage: ca args\n",
     "\n",
-    " -verbose        - Talk a lot while doing things\n",
+    " -verbose        - Talk alot while doing things\n",
     " -config file    - A config file\n",
     " -name arg       - The particular CA definition to use\n",
     " -gencrl         - Generate a new CRL\n",
@@ -179,7 +179,7 @@ static const char *ca_usage[] = {
     " -utf8           - input characters are UTF8 (default ASCII)\n",
     " -multivalue-rdn - enable support for multivalued RDNs\n",
     " -extensions ..  - Extension section (override value in config file)\n",
-    " -extfile file   - Configuration file with X509v3 extensions to add\n",
+    " -extfile file   - Configuration file with X509v3 extentions to add\n",
     " -crlexts ..     - CRL extension section (override value in config file)\n",
 #ifndef OPENSSL_NO_ENGINE
     " -engine e       - use engine e, possibly a hardware device.\n",
@@ -479,11 +479,6 @@ int MAIN(int argc, char **argv)
                 goto bad;
             infile = *(++argv);
             dorevoke = 1;
-        } else if (strcmp(*argv, "-valid") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-            dorevoke = 2;
         } else if (strcmp(*argv, "-extensions") == 0) {
             if (--argc < 1)
                 goto bad;
@@ -615,10 +610,10 @@ int MAIN(int argc, char **argv)
 
             oid_bio = BIO_new_file(p, "r");
             if (oid_bio == NULL) {
-                /*-
-                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
-                ERR_print_errors(bio_err);
-                */
+                                /*-
+                                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+                                ERR_print_errors(bio_err);
+                                */
                 ERR_clear_error();
             } else {
                 OBJ_create_objects(oid_bio);
@@ -927,7 +922,7 @@ int MAIN(int argc, char **argv)
     }
 
         /*****************************************************************/
-    /* Read extensions config file                                   */
+    /* Read extentions config file                                   */
     if (extfile) {
         extconf = NCONF_new(NULL);
         if (NCONF_load(extconf, extfile, &errorline) <= 0) {
@@ -1438,8 +1433,6 @@ int MAIN(int argc, char **argv)
             revcert = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile);
             if (revcert == NULL)
                 goto err;
-            if (dorevoke == 2)
-                rev_type = -1;
             j = do_revoke(revcert, db, rev_type, rev_arg);
             if (j <= 0)
                 goto err;
@@ -1967,12 +1960,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
 
     if (enddate == NULL)
         X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
-    else {
-        int tdays;
+    else
         ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
-        ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
-        days = tdays;
-    }
 
     if (!X509_set_subject_name(ret, subject))
         goto err;
@@ -2412,20 +2401,13 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
         }
 
         /* Revoke Certificate */
-        if (type == -1)
-            ok = 1;
-        else
-            ok = do_revoke(x509, db, type, value);
+        ok = do_revoke(x509, db, type, value);
 
         goto err;
 
     } else if (index_name_cmp_noconst(row, rrow)) {
         BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]);
         goto err;
-    } else if (type == -1) {
-        BIO_printf(bio_err, "ERROR:Already present, serial number %s\n",
-                   row[DB_serial]);
-        goto err;
     } else if (rrow[DB_type][0] == 'R') {
         BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
                    row[DB_serial]);

apps/ciphers.c

@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
 #include "apps.h"
 #include <openssl/err.h>
 #include <openssl/ssl.h>
@@ -70,6 +73,7 @@ static const char *ciphers_usage[] = {
     "usage: ciphers args\n",
     " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
     " -V          - even more verbose\n",
+    " -ssl2       - SSL2 mode\n",
     " -ssl3       - SSL3 mode\n",
     " -tls1       - TLS1 mode\n",
     NULL
@@ -81,10 +85,6 @@ int MAIN(int argc, char **argv)
 {
     int ret = 1, i;
     int verbose = 0, Verbose = 0;
-    int use_supported = 0;
-#ifndef OPENSSL_NO_SSL_TRACE
-    int stdname = 0;
-#endif
     const char **pp;
     const char *p;
     int badops = 0;
@@ -92,7 +92,7 @@ int MAIN(int argc, char **argv)
     SSL *ssl = NULL;
     char *ciphers = NULL;
     const SSL_METHOD *meth = NULL;
-    STACK_OF(SSL_CIPHER) *sk = NULL;
+    STACK_OF(SSL_CIPHER) *sk;
     char buf[512];
     BIO *STDout = NULL;
 
@@ -119,11 +119,9 @@ int MAIN(int argc, char **argv)
             verbose = 1;
         else if (strcmp(*argv, "-V") == 0)
             verbose = Verbose = 1;
-        else if (strcmp(*argv, "-s") == 0)
-            use_supported = 1;
-#ifndef OPENSSL_NO_SSL_TRACE
-        else if (strcmp(*argv, "-stdname") == 0)
-            stdname = verbose = 1;
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0)
+            meth = SSLv2_client_method();
 #endif
 #ifndef OPENSSL_NO_SSL3
         else if (strcmp(*argv, "-ssl3") == 0)
@@ -164,15 +162,9 @@ int MAIN(int argc, char **argv)
     if (ssl == NULL)
         goto err;
 
-    if (use_supported)
-        sk = SSL_get1_supported_ciphers(ssl);
-    else
-        sk = SSL_get_ciphers(ssl);
-
     if (!verbose) {
-        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-            SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
-            p = SSL_CIPHER_get_name(c);
+        for (i = 0;; i++) {
+            p = SSL_get_cipher_list(ssl, i);
             if (p == NULL)
                 break;
             if (i != 0)
@@ -182,6 +174,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(STDout, "\n");
     } else {                    /* verbose */
 
+        sk = SSL_get_ciphers(ssl);
+
         for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
             SSL_CIPHER *c;
 
@@ -194,7 +188,11 @@ int MAIN(int argc, char **argv)
                 int id2 = (int)((id >> 8) & 0xffL);
                 int id3 = (int)(id & 0xffL);
 
-                if ((id & 0xff000000L) == 0x03000000L) {
+                if ((id & 0xff000000L) == 0x02000000L) {
+                    /* SSL2 cipher */
+                    BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1,
+                               id2, id3);
+                } else if ((id & 0xff000000L) == 0x03000000L) {
                     /* SSL3 cipher */
                     BIO_printf(STDout, "          0x%02X,0x%02X - ", id2,
                                id3);
@@ -204,14 +202,7 @@ int MAIN(int argc, char **argv)
                                id1, id2, id3);
                 }
             }
-#ifndef OPENSSL_NO_SSL_TRACE
-            if (stdname) {
-                const char *nm = SSL_CIPHER_standard_name(c);
-                if (nm == NULL)
-                    nm = "UNKNOWN";
-                BIO_printf(STDout, "%s - ", nm);
-            }
-#endif
+
             BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf));
         }
     }
@@ -223,8 +214,6 @@ int MAIN(int argc, char **argv)
         ERR_print_errors(bio_err);
     }
  end:
-    if (use_supported && sk)
-        sk_SSL_CIPHER_free(sk);
     if (ctx != NULL)
         SSL_CTX_free(ctx);
     if (ssl != NULL)

apps/cms.c

@@ -75,8 +75,6 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
                                                 *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
                                                 *rr_from);
-static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
-                              STACK_OF(OPENSSL_STRING) *param);
 
 # define SMIME_OP        0x10
 # define SMIME_IP        0x20
@@ -100,14 +98,6 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 
 int verify_err = 0;
 
-typedef struct cms_key_param_st cms_key_param;
-
-struct cms_key_param_st {
-    int idx;
-    STACK_OF(OPENSSL_STRING) *param;
-    cms_key_param *next;
-};
-
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
@@ -122,7 +112,7 @@ int MAIN(int argc, char **argv)
     STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
     char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
     char *certsoutfile = NULL;
-    const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
+    const EVP_CIPHER *cipher = NULL;
     CMS_ContentInfo *cms = NULL, *rcms = NULL;
     X509_STORE *store = NULL;
     X509 *cert = NULL, *recip = NULL, *signer = NULL;
@@ -150,8 +140,6 @@ int MAIN(int argc, char **argv)
     unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     size_t secret_keylen = 0, secret_keyidlen = 0;
 
-    cms_key_param *key_first = NULL, *key_param = NULL;
-
     ASN1_OBJECT *econtent_type = NULL;
 
     X509_VERIFY_PARAM *vpm = NULL;
@@ -213,8 +201,6 @@ int MAIN(int argc, char **argv)
             cipher = EVP_des_ede3_cbc();
         else if (!strcmp(*args, "-des"))
             cipher = EVP_des_cbc();
-        else if (!strcmp(*args, "-des3-wrap"))
-            wrap_cipher = EVP_des_ede3_wrap();
 # endif
 # ifndef OPENSSL_NO_SEED
         else if (!strcmp(*args, "-seed"))
@@ -235,12 +221,6 @@ int MAIN(int argc, char **argv)
             cipher = EVP_aes_192_cbc();
         else if (!strcmp(*args, "-aes256"))
             cipher = EVP_aes_256_cbc();
-        else if (!strcmp(*args, "-aes128-wrap"))
-            wrap_cipher = EVP_aes_128_wrap();
-        else if (!strcmp(*args, "-aes192-wrap"))
-            wrap_cipher = EVP_aes_192_wrap();
-        else if (!strcmp(*args, "-aes256-wrap"))
-            wrap_cipher = EVP_aes_256_wrap();
 # endif
 # ifndef OPENSSL_NO_CAMELLIA
         else if (!strcmp(*args, "-camellia128"))
@@ -254,8 +234,6 @@ int MAIN(int argc, char **argv)
             flags |= CMS_DEBUG_DECRYPT;
         else if (!strcmp(*args, "-text"))
             flags |= CMS_TEXT;
-        else if (!strcmp(*args, "-asciicrlf"))
-            flags |= CMS_ASCIICRLF;
         else if (!strcmp(*args, "-nointern"))
             flags |= CMS_NOINTERN;
         else if (!strcmp(*args, "-noverify")
@@ -400,17 +378,7 @@ int MAIN(int argc, char **argv)
         } else if (!strcmp(*args, "-recip")) {
             if (!args[1])
                 goto argerr;
-            if (operation == SMIME_ENCRYPT) {
-                if (!encerts)
-                    encerts = sk_X509_new_null();
-                cert = load_cert(bio_err, *++args, FORMAT_PEM,
-                                 NULL, e, "recipient certificate file");
-                if (!cert)
-                    goto end;
-                sk_X509_push(encerts, cert);
-                cert = NULL;
-            } else
-                recipfile = *++args;
+            recipfile = *++args;
         } else if (!strcmp(*args, "-certsout")) {
             if (!args[1])
                 goto argerr;
@@ -445,36 +413,6 @@ int MAIN(int argc, char **argv)
             if (!args[1])
                 goto argerr;
             keyform = str2fmt(*++args);
-        } else if (!strcmp(*args, "-keyopt")) {
-            int keyidx = -1;
-            if (!args[1])
-                goto argerr;
-            if (operation == SMIME_ENCRYPT) {
-                if (encerts)
-                    keyidx += sk_X509_num(encerts);
-            } else {
-                if (keyfile || signerfile)
-                    keyidx++;
-                if (skkeys)
-                    keyidx += sk_OPENSSL_STRING_num(skkeys);
-            }
-            if (keyidx < 0) {
-                BIO_printf(bio_err, "No key specified\n");
-                goto argerr;
-            }
-            if (key_param == NULL || key_param->idx != keyidx) {
-                cms_key_param *nparam;
-                nparam = OPENSSL_malloc(sizeof(cms_key_param));
-                nparam->idx = keyidx;
-                nparam->param = sk_OPENSSL_STRING_new_null();
-                nparam->next = NULL;
-                if (key_first == NULL)
-                    key_first = nparam;
-                else
-                    key_param->next = nparam;
-                key_param = nparam;
-            }
-            sk_OPENSSL_STRING_push(key_param->param, *++args);
         } else if (!strcmp(*args, "-rctform")) {
             if (!args[1])
                 goto argerr;
@@ -564,7 +502,7 @@ int MAIN(int argc, char **argv)
             badarg = 1;
         }
     } else if (operation == SMIME_ENCRYPT) {
-        if (!*args && !secret_key && !pwri_pass && !encerts) {
+        if (!*args && !secret_key && !pwri_pass) {
             BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
             badarg = 1;
         }
@@ -629,7 +567,6 @@ int MAIN(int argc, char **argv)
                    "-inkey file    input private key (if not signer or recipient)\n");
         BIO_printf(bio_err,
                    "-keyform arg   input private key format (PEM or ENGINE)\n");
-        BIO_printf(bio_err, "-keyopt nm:v   set public key parameters\n");
         BIO_printf(bio_err, "-out file      output file\n");
         BIO_printf(bio_err,
                    "-outform arg   output format SMIME (default), PEM or DER\n");
@@ -643,8 +580,6 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
-        BIO_printf(bio_err,
-                   "-trusted_first use locally trusted certificates first when building trust chain\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
@@ -715,7 +650,7 @@ int MAIN(int argc, char **argv)
             goto end;
         }
 
-        if (*args && !encerts)
+        if (*args)
             encerts = sk_X509_new_null();
         while (*args) {
             if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
@@ -867,39 +802,10 @@ int MAIN(int argc, char **argv)
     } else if (operation == SMIME_COMPRESS) {
         cms = CMS_compress(in, -1, flags);
     } else if (operation == SMIME_ENCRYPT) {
-        int i;
         flags |= CMS_PARTIAL;
-        cms = CMS_encrypt(NULL, in, cipher, flags);
+        cms = CMS_encrypt(encerts, in, cipher, flags);
         if (!cms)
             goto end;
-        for (i = 0; i < sk_X509_num(encerts); i++) {
-            CMS_RecipientInfo *ri;
-            cms_key_param *kparam;
-            int tflags = flags;
-            X509 *x = sk_X509_value(encerts, i);
-            for (kparam = key_first; kparam; kparam = kparam->next) {
-                if (kparam->idx == i) {
-                    tflags |= CMS_KEY_PARAM;
-                    break;
-                }
-            }
-            ri = CMS_add1_recipient_cert(cms, x, tflags);
-            if (!ri)
-                goto end;
-            if (kparam) {
-                EVP_PKEY_CTX *pctx;
-                pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-                if (!cms_set_pkey_param(pctx, kparam->param))
-                    goto end;
-            }
-            if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
-                && wrap_cipher) {
-                EVP_CIPHER_CTX *wctx;
-                wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-                EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
-            }
-        }
-
         if (secret_key) {
             if (!CMS_add0_recipient_key(cms, NID_undef,
                                         secret_key, secret_keylen,
@@ -972,11 +878,8 @@ int MAIN(int argc, char **argv)
             flags |= CMS_REUSE_DIGEST;
         for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
             CMS_SignerInfo *si;
-            cms_key_param *kparam;
-            int tflags = flags;
             signerfile = sk_OPENSSL_STRING_value(sksigners, i);
             keyfile = sk_OPENSSL_STRING_value(skkeys, i);
-
             signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
                                e, "signer certificate");
             if (!signer)
@@ -985,21 +888,9 @@ int MAIN(int argc, char **argv)
                            "signing key file");
             if (!key)
                 goto end;
-            for (kparam = key_first; kparam; kparam = kparam->next) {
-                if (kparam->idx == i) {
-                    tflags |= CMS_KEY_PARAM;
-                    break;
-                }
-            }
-            si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
+            si = CMS_add1_signer(cms, signer, key, sign_md, flags);
             if (!si)
                 goto end;
-            if (kparam) {
-                EVP_PKEY_CTX *pctx;
-                pctx = CMS_SignerInfo_get0_pkey_ctx(si);
-                if (!cms_set_pkey_param(pctx, kparam->param))
-                    goto end;
-            }
             if (rr && !CMS_add1_ReceiptRequest(si, rr))
                 goto end;
             X509_free(signer);
@@ -1154,13 +1045,6 @@ int MAIN(int argc, char **argv)
         sk_OPENSSL_STRING_free(rr_to);
     if (rr_from)
         sk_OPENSSL_STRING_free(rr_from);
-    for (key_param = key_first; key_param;) {
-        cms_key_param *tparam;
-        sk_OPENSSL_STRING_free(key_param->param);
-        tparam = key_param->next;
-        OPENSSL_free(key_param);
-        key_param = tparam;
-    }
     X509_STORE_free(store);
     X509_free(cert);
     X509_free(recip);
@@ -1334,22 +1218,4 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
     return NULL;
 }
 
-static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
-                              STACK_OF(OPENSSL_STRING) *param)
-{
-    char *keyopt;
-    int i;
-    if (sk_OPENSSL_STRING_num(param) <= 0)
-        return 1;
-    for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
-        keyopt = sk_OPENSSL_STRING_value(param, i);
-        if (pkey_ctrl_string(pctx, keyopt) <= 0) {
-            BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
-            ERR_print_errors(bio_err);
-            return 0;
-        }
-    }
-    return 1;
-}
-
 #endif

apps/crl.c

@@ -96,6 +96,7 @@ static const char *crl_usage[] = {
     NULL
 };
 
+static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out = NULL;
 
 int MAIN(int, char **);
@@ -105,10 +106,10 @@ int MAIN(int argc, char **argv)
     unsigned long nmflag = 0;
     X509_CRL *x = NULL;
     char *CAfile = NULL, *CApath = NULL;
-    int ret = 1, i, num, badops = 0, badsig = 0;
+    int ret = 1, i, num, badops = 0;
     BIO *out = NULL;
-    int informat, outformat, keyformat;
-    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
+    int informat, outformat;
+    char *infile = NULL, *outfile = NULL;
     int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
         0, text = 0;
 #ifndef OPENSSL_NO_MD5
@@ -146,7 +147,6 @@ int MAIN(int argc, char **argv)
 
     informat = FORMAT_PEM;
     outformat = FORMAT_PEM;
-    keyformat = FORMAT_PEM;
 
     argc--;
     argv++;
@@ -173,18 +173,6 @@ int MAIN(int argc, char **argv)
             if (--argc < 1)
                 goto bad;
             infile = *(++argv);
-        } else if (strcmp(*argv, "-gendelta") == 0) {
-            if (--argc < 1)
-                goto bad;
-            crldiff = *(++argv);
-        } else if (strcmp(*argv, "-key") == 0) {
-            if (--argc < 1)
-                goto bad;
-            keyfile = *(++argv);
-        } else if (strcmp(*argv, "-keyform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            keyformat = str2fmt(*(++argv));
         } else if (strcmp(*argv, "-out") == 0) {
             if (--argc < 1)
                 goto bad;
@@ -226,8 +214,6 @@ int MAIN(int argc, char **argv)
             fingerprint = ++num;
         else if (strcmp(*argv, "-crlnumber") == 0)
             crlnumber = ++num;
-        else if (strcmp(*argv, "-badsig") == 0)
-            badsig = 1;
         else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
             /* ok */
             digest = md_alg;
@@ -295,33 +281,6 @@ int MAIN(int argc, char **argv)
             BIO_printf(bio_err, "verify OK\n");
     }
 
-    if (crldiff) {
-        X509_CRL *newcrl, *delta;
-        if (!keyfile) {
-            BIO_puts(bio_err, "Missing CRL signing key\n");
-            goto end;
-        }
-        newcrl = load_crl(crldiff, informat);
-        if (!newcrl)
-            goto end;
-        pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
-                        "CRL signing key");
-        if (!pkey) {
-            X509_CRL_free(newcrl);
-            goto end;
-        }
-        delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
-        X509_CRL_free(newcrl);
-        EVP_PKEY_free(pkey);
-        if (delta) {
-            X509_CRL_free(x);
-            x = delta;
-        } else {
-            BIO_puts(bio_err, "Error creating delta CRL\n");
-            goto end;
-        }
-    }
-
     if (num) {
         for (i = 1; i <= num; i++) {
             if (issuer == i) {
@@ -410,9 +369,6 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (badsig)
-        x->signature->data[x->signature->length - 1] ^= 0x1;
-
     if (outformat == FORMAT_ASN1)
         i = (int)i2d_X509_CRL_bio(out, x);
     else if (outformat == FORMAT_PEM)
@@ -427,8 +383,6 @@ int MAIN(int argc, char **argv)
     }
     ret = 0;
  end:
-    if (ret != 0)
-        ERR_print_errors(bio_err);
     BIO_free_all(out);
     BIO_free_all(bio_out);
     bio_out = NULL;
@@ -440,3 +394,41 @@ int MAIN(int argc, char **argv)
     apps_shutdown();
     OPENSSL_EXIT(ret);
 }
+
+static X509_CRL *load_crl(char *infile, int format)
+{
+    X509_CRL *x = NULL;
+    BIO *in = NULL;
+
+    in = BIO_new(BIO_s_file());
+    if (in == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+    if (infile == NULL)
+        BIO_set_fp(in, stdin, BIO_NOCLOSE);
+    else {
+        if (BIO_read_filename(in, infile) <= 0) {
+            perror(infile);
+            goto end;
+        }
+    }
+    if (format == FORMAT_ASN1)
+        x = d2i_X509_CRL_bio(in, NULL);
+    else if (format == FORMAT_PEM)
+        x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+    else {
+        BIO_printf(bio_err, "bad input format specified for input crl\n");
+        goto end;
+    }
+    if (x == NULL) {
+        BIO_printf(bio_err, "unable to load CRL\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
+ end:
+    BIO_free(in);
+    return (x);
+}

apps/dgst.c

@@ -103,7 +103,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
-    ENGINE *e = NULL, *impl = NULL;
+    ENGINE *e = NULL;
     unsigned char *buf = NULL;
     int i, err = 1;
     const EVP_MD *md = NULL, *m;
@@ -124,7 +124,6 @@ int MAIN(int argc, char **argv)
     char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
     char *engine = NULL;
-    int engine_impl = 0;
 #endif
     char *hmac_key = NULL;
     char *mac_name = NULL;
@@ -200,8 +199,7 @@ int MAIN(int argc, char **argv)
                 break;
             engine = *(++argv);
             e = setup_engine(bio_err, engine, 0);
-        } else if (strcmp(*argv, "-engine_impl") == 0)
-            engine_impl = 1;
+        }
 #endif
         else if (strcmp(*argv, "-hex") == 0)
             out_bin = 0;
@@ -286,10 +284,6 @@ int MAIN(int argc, char **argv)
         EVP_MD_do_all_sorted(list_md_fn, bio_err);
         goto end;
     }
-#ifndef OPENSSL_NO_ENGINE
-    if (engine_impl)
-        impl = e;
-#endif
 
     in = BIO_new(BIO_s_file());
     bmd = BIO_new(BIO_f_md());
@@ -363,7 +357,7 @@ int MAIN(int argc, char **argv)
     if (mac_name) {
         EVP_PKEY_CTX *mac_ctx = NULL;
         int r = 0;
-        if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
+        if (!init_gen_str(bio_err, &mac_ctx, mac_name, e, 0))
             goto mac_end;
         if (macopts) {
             char *macopt;
@@ -397,7 +391,7 @@ int MAIN(int argc, char **argv)
     }
 
     if (hmac_key) {
-        sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
+        sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
                                       (unsigned char *)hmac_key, -1);
         if (!sigkey)
             goto end;
@@ -413,9 +407,9 @@ int MAIN(int argc, char **argv)
             goto end;
         }
         if (do_verify)
-            r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
+            r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
         else
-            r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
+            r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
         if (!r) {
             BIO_printf(bio_err, "Error setting context\n");
             ERR_print_errors(bio_err);
@@ -435,15 +429,9 @@ int MAIN(int argc, char **argv)
     }
     /* we use md as a filter, reading from 'in' */
     else {
-        EVP_MD_CTX *mctx = NULL;
-        if (!BIO_get_md_ctx(bmd, &mctx)) {
-            BIO_printf(bio_err, "Error getting context\n");
-            ERR_print_errors(bio_err);
-            goto end;
-        }
         if (md == NULL)
             md = EVP_md5();
-        if (!EVP_DigestInit_ex(mctx, md, impl)) {
+        if (!BIO_set_md(bmd, md)) {
             BIO_printf(bio_err, "Error setting digest %s\n", pname);
             ERR_print_errors(bio_err);
             goto end;
@@ -490,8 +478,7 @@ int MAIN(int argc, char **argv)
                     EVP_PKEY_asn1_get0_info(NULL, NULL,
                                             NULL, NULL, &sig_name, ameth);
             }
-            if (md)
-                md_name = EVP_MD_name(md);
+            md_name = EVP_MD_name(md);
         }
         err = 0;
         for (i = 0; i < argc; i++) {
@@ -589,12 +576,9 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
             BIO_printf(out, "%02x", buf[i]);
         BIO_printf(out, " *%s\n", file);
     } else {
-        if (sig_name) {
-            BIO_puts(out, sig_name);
-            if (md_name)
-                BIO_printf(out, "-%s", md_name);
-            BIO_printf(out, "(%s)= ", file);
-        } else if (md_name)
+        if (sig_name)
+            BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
+        else if (md_name)
             BIO_printf(out, "%s(%s)= ", md_name, file);
         else
             BIO_printf(out, "(%s)= ", file);

apps/dhparam.c

@@ -130,7 +130,7 @@
 # undef PROG
 # define PROG    dhparam_main
 
-# define DEFBITS 2048
+# define DEFBITS 512
 
 /*-
  * -inform arg  - input format - default PEM (DER or PEM)
@@ -144,7 +144,7 @@
  * -C
  */
 
-static int dh_cb(int p, int n, BN_GENCB *cb);
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
@@ -254,7 +254,7 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    " -5            generate parameters using  5 as the generator value\n");
         BIO_printf(bio_err,
-                   " numbits       number of bits in to generate (default 2048)\n");
+                   " numbits       number of bits in to generate (default 512)\n");
 # ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err,
                    " -engine e     use engine e, possibly a hardware device.\n");
@@ -294,14 +294,8 @@ int MAIN(int argc, char **argv)
 
     if (num) {
 
-        BN_GENCB *cb;
-        cb = BN_GENCB_new();
-        if (!cb) {
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-
-        BN_GENCB_set(cb, dh_cb, bio_err);
+        BN_GENCB cb;
+        BN_GENCB_set(&cb, dh_cb, bio_err);
         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
             BIO_printf(bio_err,
                        "warning, not much extra random data, consider using the -rand option\n");
@@ -318,10 +312,9 @@ int MAIN(int argc, char **argv)
                        "Generating DSA parameters, %d bit long prime\n", num);
             if (!dsa
                 || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
-                                               cb)) {
+                                               &cb)) {
                 if (dsa)
                     DSA_free(dsa);
-                BN_GENCB_free(cb);
                 ERR_print_errors(bio_err);
                 goto end;
             }
@@ -329,7 +322,6 @@ int MAIN(int argc, char **argv)
             dh = DSA_dup_DH(dsa);
             DSA_free(dsa);
             if (dh == NULL) {
-                BN_GENCB_free(cb);
                 ERR_print_errors(bio_err);
                 goto end;
             }
@@ -341,14 +333,12 @@ int MAIN(int argc, char **argv)
                        "Generating DH parameters, %d bit long safe prime, generator %d\n",
                        num, g);
             BIO_printf(bio_err, "This is going to take a long time\n");
-            if (!dh || !DH_generate_parameters_ex(dh, num, g, cb)) {
-                BN_GENCB_free(cb);
+            if (!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) {
                 ERR_print_errors(bio_err);
                 goto end;
             }
         }
 
-        BN_GENCB_free(cb);
         app_RAND_write_file(NULL, bio_err);
     } else {
 
@@ -499,12 +489,9 @@ int MAIN(int argc, char **argv)
     if (!noout) {
         if (outformat == FORMAT_ASN1)
             i = i2d_DHparams_bio(out, dh);
-        else if (outformat == FORMAT_PEM) {
-            if (dh->q)
-                i = PEM_write_bio_DHxparams(out, dh);
-            else
-                i = PEM_write_bio_DHparams(out, dh);
-        } else {
+        else if (outformat == FORMAT_PEM)
+            i = PEM_write_bio_DHparams(out, dh);
+        else {
             BIO_printf(bio_err, "bad output format specified for outfile\n");
             goto end;
         }
@@ -527,7 +514,7 @@ int MAIN(int argc, char **argv)
 }
 
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
-static int dh_cb(int p, int n, BN_GENCB *cb)
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 {
     char c = '*';
 
@@ -539,8 +526,11 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
         c = '*';
     if (p == 3)
         c = '\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
     return 1;
 }
 

apps/dsaparam.c

@@ -57,6 +57,13 @@
  */
 
 #include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
 
 #ifndef OPENSSL_NO_DSA
 # include <assert.h>
@@ -101,7 +108,7 @@ static void timebomb_sigalarm(int foo)
 
 # endif
 
-static int dsa_cb(int p, int n, BN_GENCB *cb);
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
@@ -114,8 +121,6 @@ int MAIN(int argc, char **argv)
     char *infile, *outfile, *prog, *inrand = NULL;
     int numbits = -1, num, genkey = 0;
     int need_rand = 0;
-    int non_fips_allow = 0;
-    BN_GENCB *cb = NULL;
 # ifndef OPENSSL_NO_ENGINE
     char *engine = NULL;
 # endif
@@ -186,8 +191,6 @@ int MAIN(int argc, char **argv)
             need_rand = 1;
         } else if (strcmp(*argv, "-noout") == 0)
             noout = 1;
-        else if (strcmp(*argv, "-non-fips-allow") == 0)
-            non_fips_allow = 1;
         else if (sscanf(*argv, "%d", &num) == 1) {
             /* generate a key */
             numbits = num;
@@ -272,20 +275,14 @@ int MAIN(int argc, char **argv)
     }
 
     if (numbits > 0) {
-        cb = BN_GENCB_new();
-        if (!cb) {
-            BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
-            goto end;
-        }
-        BN_GENCB_set(cb, dsa_cb, bio_err);
+        BN_GENCB cb;
+        BN_GENCB_set(&cb, dsa_cb, bio_err);
         assert(need_rand);
         dsa = DSA_new();
         if (!dsa) {
             BIO_printf(bio_err, "Error allocating DSA object\n");
             goto end;
         }
-        if (non_fips_allow)
-            dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
         BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
                    num);
         BIO_printf(bio_err, "This could take some time\n");
@@ -304,7 +301,7 @@ int MAIN(int argc, char **argv)
             alarm(timebomb);
         }
 # endif
-        if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) {
+        if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, &cb)) {
 # ifdef GENCB_TEST
             if (stop_keygen_flag) {
                 BIO_printf(bio_err, "DSA key generation time-stopped\n");
@@ -409,8 +406,6 @@ int MAIN(int argc, char **argv)
         assert(need_rand);
         if ((dsakey = DSAparams_dup(dsa)) == NULL)
             goto end;
-        if (non_fips_allow)
-            dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
         if (!DSA_generate_key(dsakey)) {
             ERR_print_errors(bio_err);
             DSA_free(dsakey);
@@ -432,8 +427,6 @@ int MAIN(int argc, char **argv)
         app_RAND_write_file(NULL, bio_err);
     ret = 0;
  end:
-    if (cb != NULL)
-        BN_GENCB_free(cb);
     if (in != NULL)
         BIO_free(in);
     if (out != NULL)
@@ -444,7 +437,7 @@ int MAIN(int argc, char **argv)
     OPENSSL_EXIT(ret);
 }
 
-static int dsa_cb(int p, int n, BN_GENCB *cb)
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
 {
     char c = '*';
 
@@ -456,8 +449,11 @@ static int dsa_cb(int p, int n, BN_GENCB *cb)
         c = '*';
     if (p == 3)
         c = '\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
 # ifdef GENCB_TEST
     if (stop_keygen_flag)
         return 0;

apps/ecparam.c

@@ -370,9 +370,6 @@ int MAIN(int argc, char **argv)
         } else
             nid = OBJ_sn2nid(curve_name);
 
-        if (nid == 0)
-            nid = EC_curve_nist2nid(curve_name);
-
         if (nid == 0) {
             BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
             goto end;

apps/enc.c

@@ -537,12 +537,8 @@ int MAIN(int argc, char **argv)
                 sptr = salt;
             }
 
-            if (!EVP_BytesToKey(cipher, dgst, sptr,
-                                (unsigned char *)str,
-                                strlen(str), 1, key, iv)) {
-                BIO_printf(bio_err, "EVP_BytesToKey failed\n");
-                goto end;
-            }
+            EVP_BytesToKey(cipher, dgst, sptr,
+                           (unsigned char *)str, strlen(str), 1, key, iv);
             /*
              * zero the complete buffer or the string passed from the command
              * line bug picked up by Larry J. Hughes Jr. <hughes@indiana.edu>

apps/engine.c

@@ -60,6 +60,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
 #include "apps.h"
 #include <openssl/err.h>
 #ifndef OPENSSL_NO_ENGINE

apps/gendh.c

@@ -58,6 +58,13 @@
  */
 
 #include <openssl/opensslconf.h>
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
 
 #ifndef OPENSSL_NO_DH
 # include <stdio.h>
@@ -73,17 +80,17 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
 
-# define DEFBITS 2048
+# define DEFBITS 512
 # undef PROG
 # define PROG gendh_main
 
-static int dh_cb(int p, int n, BN_GENCB *cb);
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
-    BN_GENCB *cb = NULL;
+    BN_GENCB cb;
     DH *dh = NULL;
     int ret = 1, num = DEFBITS;
     int g = 2;
@@ -96,16 +103,11 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+    BN_GENCB_set(&cb, dh_cb, bio_err);
     if (bio_err == NULL)
         if ((bio_err = BIO_new(BIO_s_file())) != NULL)
             BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
 
-    cb = BN_GENCB_new();
-    if (!cb)
-        goto end;
-
-    BN_GENCB_set(cb, dh_cb, bio_err);
-
     if (!load_config(bio_err, NULL))
         goto end;
 
@@ -120,8 +122,8 @@ int MAIN(int argc, char **argv)
             outfile = *(++argv);
         } else if (strcmp(*argv, "-2") == 0)
             g = 2;
-/*-     else if (strcmp(*argv,"-3") == 0)
-                g=3; */
+        /*-     else if (strcmp(*argv,"-3") == 0)
+                        g=3; */
         else if (strcmp(*argv, "-5") == 0)
             g = 5;
 # ifndef OPENSSL_NO_ENGINE
@@ -199,7 +201,7 @@ int MAIN(int argc, char **argv)
     BIO_printf(bio_err, "This is going to take a long time\n");
 
     if (((dh = DH_new()) == NULL)
-        || !DH_generate_parameters_ex(dh, num, g, cb))
+        || !DH_generate_parameters_ex(dh, num, g, &cb))
         goto end;
 
     app_RAND_write_file(NULL, bio_err);
@@ -214,13 +216,11 @@ int MAIN(int argc, char **argv)
         BIO_free_all(out);
     if (dh != NULL)
         DH_free(dh);
-    if (cb != NULL)
-        BN_GENCB_free(cb);
     apps_shutdown();
     OPENSSL_EXIT(ret);
 }
 
-static int dh_cb(int p, int n, BN_GENCB *cb)
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 {
     char c = '*';
 
@@ -232,8 +232,11 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
         c = '*';
     if (p == 3)
         c = '\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
     return 1;
 }
 #else                           /* !OPENSSL_NO_DH */

apps/genpkey.c

@@ -398,5 +398,8 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
         c = '\n';
     BIO_write(b, &c, 1);
     (void)BIO_flush(b);
+#ifdef LINT
+    p = n;
+#endif
     return 1;
 }

apps/genrsa.c

@@ -57,6 +57,13 @@
  */
 
 #include <openssl/opensslconf.h>
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
 
 #ifndef OPENSSL_NO_RSA
 # include <stdio.h>
@@ -73,28 +80,27 @@
 # include <openssl/pem.h>
 # include <openssl/rand.h>
 
-# define DEFBITS 2048
+# define DEFBITS 1024
 # undef PROG
 # define PROG genrsa_main
 
-static int genrsa_cb(int p, int n, BN_GENCB *cb);
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
 
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
-    BN_GENCB *cb = NULL;
+    BN_GENCB cb;
 # ifndef OPENSSL_NO_ENGINE
     ENGINE *e = NULL;
 # endif
     int ret = 1;
-    int non_fips_allow = 0;
-    int num = DEFBITS;
+    int i, num = DEFBITS;
+    long l;
     const EVP_CIPHER *enc = NULL;
     unsigned long f4 = RSA_F4;
     char *outfile = NULL;
     char *passargout = NULL, *passout = NULL;
-    char *hexe, *dece;
 # ifndef OPENSSL_NO_ENGINE
     char *engine = NULL;
 # endif
@@ -102,16 +108,12 @@ int MAIN(int argc, char **argv)
     BIO *out = NULL;
     BIGNUM *bn = BN_new();
     RSA *rsa = NULL;
+
     if (!bn)
         goto err;
 
-    cb = BN_GENCB_new();
-    if (!cb)
-        goto err;
-
     apps_startup();
-
-    BN_GENCB_set(cb, genrsa_cb, bio_err);
+    BN_GENCB_set(&cb, genrsa_cb, bio_err);
 
     if (bio_err == NULL)
         if ((bio_err = BIO_new(BIO_s_file())) != NULL)
@@ -183,9 +185,7 @@ int MAIN(int argc, char **argv)
             if (--argc < 1)
                 goto bad;
             passargout = *(++argv);
-        } else if (strcmp(*argv, "-non-fips-allow") == 0)
-            non_fips_allow = 1;
-        else
+        } else
             break;
         argv++;
         argc--;
@@ -278,23 +278,24 @@ int MAIN(int argc, char **argv)
     if (!rsa)
         goto err;
 
-    if (non_fips_allow)
-        rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
-
-    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb))
+    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
         goto err;
 
     app_RAND_write_file(NULL, bio_err);
 
-    hexe = BN_bn2hex(rsa->e);
-    dece = BN_bn2dec(rsa->e);
-    if (hexe && dece) {
-        BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
+    /*
+     * We need to do the following for when the base number size is < long,
+     * esp windows 3.1 :-(.
+     */
+    l = 0L;
+    for (i = 0; i < rsa->e->top; i++) {
+# ifndef SIXTY_FOUR_BIT
+        l <<= BN_BITS4;
+        l <<= BN_BITS4;
+# endif
+        l += rsa->e->d[i];
     }
-    if (hexe)
-        OPENSSL_free(hexe);
-    if (dece)
-        OPENSSL_free(dece);
+    BIO_printf(bio_err, "e is %ld (0x%lX)\n", l, l);
     {
         PW_CB_DATA cb_data;
         cb_data.password = passout;
@@ -309,8 +310,6 @@ int MAIN(int argc, char **argv)
  err:
     if (bn)
         BN_free(bn);
-    if (cb)
-        BN_GENCB_free(cb);
     if (rsa)
         RSA_free(rsa);
     if (out)
@@ -323,7 +322,7 @@ int MAIN(int argc, char **argv)
     OPENSSL_EXIT(ret);
 }
 
-static int genrsa_cb(int p, int n, BN_GENCB *cb)
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb)
 {
     char c = '*';
 
@@ -335,8 +334,11 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
         c = '*';
     if (p == 3)
         c = '\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+    BIO_write(cb->arg, &c, 1);
+    (void)BIO_flush(cb->arg);
+# ifdef LINT
+    p = n;
+# endif
     return 1;
 }
 #else                           /* !OPENSSL_NO_RSA */

apps/makeapps.com

@@ -773,9 +773,12 @@ $ CCDEFS = "MONOLITH"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
-$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
-	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
+$ CCDISABLEWARNINGS = "" !!! "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. ""
+$ THEN
+$     IF CCDISABLEWARNINGS .NES. "" THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
+$     CCDISABLEWARNINGS = CCDISABLEWARNINGS + USER_CCDISABLEWARNINGS
+$ ENDIF
 $!
 $! Check To See If We Have A ZLIB Option.
 $!
@@ -1064,6 +1067,18 @@ $! Finish up the definition of CC.
 $!
 $ IF COMPILER .EQS. "DECC"
 $ THEN
+$!  Not all compiler versions support MAYLOSEDATA3.
+$   OPT_TEST = "MAYLOSEDATA3"
+$   DEFINE /USER_MODE SYS$ERROR NL:
+$   DEFINE /USER_MODE SYS$OUTPUT NL:
+$   'CC' /NOCROSS_REFERENCE /NOLIST /NOOBJECT -
+      /WARNINGS = DISABLE = ('OPT_TEST', EMPTYFILE) NL:
+$   IF ($SEVERITY)
+$   THEN
+$     IF CCDISABLEWARNINGS .NES. "" THEN -
+        CCDISABLEWARNINGS = CCDISABLEWARNINGS+ ","
+$     CCDISABLEWARNINGS = CCDISABLEWARNINGS+ OPT_TEST
+$   ENDIF
 $   IF CCDISABLEWARNINGS .NES. ""
 $   THEN
 $     CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"

apps/ocsp.c

@@ -110,17 +110,16 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 
 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
                               CA_DB *db, X509 *ca, X509 *rcert,
-                              EVP_PKEY *rkey, const EVP_MD *md,
-                              STACK_OF(X509) *rother, unsigned long flags,
-                              int nmin, int ndays, int badsig);
+                              EVP_PKEY *rkey, STACK_OF(X509) *rother,
+                              unsigned long flags, int nmin, int ndays);
 
 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
-static BIO *init_responder(const char *port);
+static BIO *init_responder(char *port);
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
-                        const char *port);
+                        char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
-                                      const STACK_OF(CONF_VALUE) *headers,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+                                      STACK_OF(CONF_VALUE) *headers,
                                       OCSP_REQUEST *req, int req_timeout);
 
 # undef PROG
@@ -155,14 +154,12 @@ int MAIN(int argc, char **argv)
     long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
     char *CAfile = NULL, *CApath = NULL;
     X509_STORE *store = NULL;
-    X509_VERIFY_PARAM *vpm = NULL;
     STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
     char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
     unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
     int ret = 1;
     int accept_count = -1;
     int badarg = 0;
-    int badsig = 0;
     int i;
     int ignore_err = 0;
     STACK_OF(OPENSSL_STRING) *reqnames = NULL;
@@ -173,7 +170,7 @@ int MAIN(int argc, char **argv)
     char *rca_filename = NULL;
     CA_DB *rdb = NULL;
     int nmin = 0, ndays = -1;
-    const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+    const EVP_MD *cert_id_md = NULL;
 
     if (bio_err == NULL)
         bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@ -267,8 +264,6 @@ int MAIN(int argc, char **argv)
             verify_flags |= OCSP_TRUSTOTHER;
         else if (!strcmp(*args, "-no_intern"))
             verify_flags |= OCSP_NOINTERN;
-        else if (!strcmp(*args, "-badsig"))
-            badsig = 1;
         else if (!strcmp(*args, "-text")) {
             req_text = 1;
             resp_text = 1;
@@ -325,10 +320,6 @@ int MAIN(int argc, char **argv)
                 CApath = *args;
             } else
                 badarg = 1;
-        } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
-            if (badarg)
-                goto end;
-            continue;
         } else if (!strcmp(*args, "-validity_period")) {
             if (args[1]) {
                 args++;
@@ -474,14 +465,6 @@ int MAIN(int argc, char **argv)
                 rcertfile = *args;
             } else
                 badarg = 1;
-        } else if (!strcmp(*args, "-rmd")) {
-            if (args[1]) {
-                args++;
-                rsign_md = EVP_get_digestbyname(*args);
-                if (!rsign_md)
-                    badarg = 1;
-            } else
-                badarg = 1;
         } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
             badarg = 1;
         }
@@ -535,8 +518,6 @@ int MAIN(int argc, char **argv)
                    "-CApath dir          trusted certificates directory\n");
         BIO_printf(bio_err,
                    "-CAfile file         trusted certificates file\n");
-        BIO_printf(bio_err,
-                   "-trusted_first       use locally trusted CA's first when building trust chain\n");
         BIO_printf(bio_err,
                    "-VAfile file         validator certificates file\n");
         BIO_printf(bio_err,
@@ -601,10 +582,7 @@ int MAIN(int argc, char **argv)
         add_nonce = 0;
 
     if (!req && reqin) {
-        if (!strcmp(reqin, "-"))
-            derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
-        else
-            derbio = BIO_new_file(reqin, "rb");
+        derbio = BIO_new_file(reqin, "rb");
         if (!derbio) {
             BIO_printf(bio_err, "Error Opening OCSP request file\n");
             goto end;
@@ -701,10 +679,7 @@ int MAIN(int argc, char **argv)
         OCSP_REQUEST_print(out, req, 0);
 
     if (reqout) {
-        if (!strcmp(reqout, "-"))
-            derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
-        else
-            derbio = BIO_new_file(reqout, "wb");
+        derbio = BIO_new_file(reqout, "wb");
         if (!derbio) {
             BIO_printf(bio_err, "Error opening file %s\n", reqout);
             goto end;
@@ -729,7 +704,7 @@ int MAIN(int argc, char **argv)
 
     if (rdb) {
         i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
-                               rsign_md, rother, rflags, nmin, ndays, badsig);
+                               rother, rflags, nmin, ndays);
         if (cbio)
             send_ocsp_response(cbio, resp);
     } else if (host) {
@@ -744,10 +719,7 @@ int MAIN(int argc, char **argv)
         goto end;
 # endif
     } else if (respin) {
-        if (!strcmp(respin, "-"))
-            derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
-        else
-            derbio = BIO_new_file(respin, "rb");
+        derbio = BIO_new_file(respin, "rb");
         if (!derbio) {
             BIO_printf(bio_err, "Error Opening OCSP response file\n");
             goto end;
@@ -767,10 +739,7 @@ int MAIN(int argc, char **argv)
  done_resp:
 
     if (respout) {
-        if (!strcmp(respout, "-"))
-            derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
-        else
-            derbio = BIO_new_file(respout, "wb");
+        derbio = BIO_new_file(respout, "wb");
         if (!derbio) {
             BIO_printf(bio_err, "Error opening file %s\n", respout);
             goto end;
@@ -807,10 +776,6 @@ int MAIN(int argc, char **argv)
             resp = NULL;
             goto redo_accept;
         }
-        ret = 0;
-        goto end;
-    } else if (ridx_filename) {
-        ret = 0;
         goto end;
     }
 
@@ -818,8 +783,6 @@ int MAIN(int argc, char **argv)
         store = setup_verify(bio_err, CAfile, CApath);
     if (!store)
         goto end;
-    if (vpm)
-        X509_STORE_set1_param(store, vpm);
     if (verify_certfile) {
         verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
                                   NULL, e, "validator certificate");
@@ -834,38 +797,37 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    ret = 0;
-
     if (!noverify) {
         if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
             if (i == -1)
                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
             else {
                 BIO_printf(bio_err, "Nonce Verify error\n");
-                ret = 1;
                 goto end;
             }
         }
 
         i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
+        if (i < 0)
+            i = OCSP_basic_verify(bs, NULL, store, 0);
+
         if (i <= 0) {
             BIO_printf(bio_err, "Response Verify Failure\n");
             ERR_print_errors(bio_err);
-            ret = 1;
         } else
             BIO_printf(bio_err, "Response verify OK\n");
 
     }
 
     if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
-        ret = 1;
+        goto end;
+
+    ret = 0;
 
  end:
     ERR_print_errors(bio_err);
     X509_free(signer);
     X509_STORE_free(store);
-    if (vpm)
-        X509_VERIFY_PARAM_free(vpm);
     EVP_PKEY_free(key);
     EVP_PKEY_free(rkey);
     X509_free(issuer);
@@ -1020,9 +982,8 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 
 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
                               CA_DB *db, X509 *ca, X509 *rcert,
-                              EVP_PKEY *rkey, const EVP_MD *rmd,
-                              STACK_OF(X509) *rother, unsigned long flags,
-                              int nmin, int ndays, int badsig)
+                              EVP_PKEY *rkey, STACK_OF(X509) *rother,
+                              unsigned long flags, int nmin, int ndays)
 {
     ASN1_TIME *thisupd = NULL, *nextupd = NULL;
     OCSP_CERTID *cid, *ca_id = NULL;
@@ -1106,10 +1067,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
 
     OCSP_copy_nonce(bs, req);
 
-    OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
-
-    if (badsig)
-        bs->signature->data[bs->signature->length - 1] ^= 0x1;
+    OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
 
     *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
 
@@ -1145,7 +1103,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
 
 /* Quick and dirty OCSP server: read in and parse input request */
 
-static BIO *init_responder(const char *port)
+static BIO *init_responder(char *port)
 {
     BIO *acbio = NULL, *bufbio = NULL;
     bufbio = BIO_new(BIO_f_buffer());
@@ -1177,7 +1135,7 @@ static BIO *init_responder(const char *port)
 }
 
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
-                        const char *port)
+                        char *port)
 {
     int have_post = 0, len;
     OCSP_REQUEST *req = NULL;
@@ -1238,8 +1196,8 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
     return 1;
 }
 
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
-                                      const STACK_OF(CONF_VALUE) *headers,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+                                      STACK_OF(CONF_VALUE) *headers,
                                       OCSP_REQUEST *req, int req_timeout)
 {
     int fd;
@@ -1326,9 +1284,8 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
 }
 
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
-                                 const char *host, const char *path,
-                                 const char *port, int use_ssl,
-                                 const STACK_OF(CONF_VALUE) *headers,
+                                 char *host, char *path, char *port,
+                                 int use_ssl, STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout)
 {
     BIO *cbio = NULL;

apps/openssl-vms.cnf

@@ -44,7 +44,7 @@ certs		= $dir.certs]		# Where the issued certs are kept
 crl_dir		= $dir.crl]		# Where the issued crl are kept
 database	= $dir]index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several certs with same subject.
+					# several ctificates with same subject.
 new_certs_dir	= $dir.newcerts]		# default place for new certs.
 
 certificate	= $dir]cacert.pem 	# The CA certificate
@@ -55,7 +55,7 @@ crl		= $dir]crl.pem 		# The current CRL
 private_key	= $dir.private]cakey.pem# The private key
 RANDFILE	= $dir.private].rand	# private random number file
 
-x509_extensions	= usr_cert		# The extensions to add to the cert
+x509_extensions	= usr_cert		# The extentions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 2048
+default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

apps/openssl.c

@@ -231,27 +231,27 @@ int main(int Argc, char *ARGV[])
     long errline;
 
 #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
-    /*-
-     * 2011-03-22 SMS.
-     * If we have 32-bit pointers everywhere, then we're safe, and
-     * we bypass this mess, as on non-VMS systems.  (See ARGV,
-     * above.)
-     * Problem 1: Compaq/HP C before V7.3 always used 32-bit
-     * pointers for argv[].
-     * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
-     * everywhere else, we always allocate and use a 64-bit
-     * duplicate of argv[].
-     * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
-     * to NULL-terminate a 64-bit argv[].  (As this was written, the
-     * compiler ECO was available only on IA64.)
-     * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
-     * 64-bit argv[argc] for NULL, and, if necessary, use a
-     * (properly) NULL-terminated (64-bit) duplicate of argv[].
-     * The same code is used in either case to duplicate argv[].
-     * Some of these decisions could be handled in preprocessing,
-     * but the code tends to get even uglier, and the penalty for
-     * deciding at compile- or run-time is tiny.
-     */
+        /*-
+         * 2011-03-22 SMS.
+         * If we have 32-bit pointers everywhere, then we're safe, and
+         * we bypass this mess, as on non-VMS systems.  (See ARGV,
+         * above.)
+         * Problem 1: Compaq/HP C before V7.3 always used 32-bit
+         * pointers for argv[].
+         * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
+         * everywhere else, we always allocate and use a 64-bit
+         * duplicate of argv[].
+         * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
+         * to NULL-terminate a 64-bit argv[].  (As this was written, the
+         * compiler ECO was available only on IA64.)
+         * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
+         * 64-bit argv[argc] for NULL, and, if necessary, use a
+         * (properly) NULL-terminated (64-bit) duplicate of argv[].
+         * The same code is used in either case to duplicate argv[].
+         * Some of these decisions could be handled in preprocessing,
+         * but the code tends to get even uglier, and the penalty for
+         * deciding at compile- or run-time is tiny.
+         */
     char **Argv = NULL;
     int free_Argv = 0;
 
@@ -663,14 +663,14 @@ static void list_md(BIO *out)
     EVP_MD_do_all_sorted(list_md_fn, out);
 }
 
-static int function_cmp(const FUNCTION * a, const FUNCTION * b)
+static int MS_CALLBACK function_cmp(const FUNCTION * a, const FUNCTION * b)
 {
     return strncmp(a->name, b->name, 8);
 }
 
 static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION)
 
-static unsigned long function_hash(const FUNCTION * a)
+static unsigned long MS_CALLBACK function_hash(const FUNCTION * a)
 {
     return lh_strhash(a->name);
 }

apps/openssl.cnf

@@ -44,7 +44,7 @@ certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several certs with same subject.
+					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 
 certificate	= $dir/cacert.pem 	# The CA certificate
@@ -55,7 +55,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
-x509_extensions	= usr_cert		# The extensions to add to the cert
+x509_extensions	= usr_cert		# The extentions to add to the cert
 
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 2048
+default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret

apps/pkcs12.c

@@ -116,7 +116,7 @@ int MAIN(int argc, char **argv)
     int maciter = PKCS12_DEFAULT_ITER;
     int twopass = 0;
     int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     int ret = 1;
     int macver = 1;
@@ -134,6 +134,13 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+# ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+# endif
+        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL)
         bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);

apps/pkcs8.c

@@ -57,7 +57,6 @@
  *
  */
 #include <stdio.h>
-#include <stdlib.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
@@ -125,16 +124,6 @@ int MAIN(int argc, char **argv)
                 }
             } else
                 badarg = 1;
-        } else if (!strcmp(*args, "-v2prf")) {
-            if (args[1]) {
-                args++;
-                pbe_nid = OBJ_txt2nid(*args);
-                if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
-                    BIO_printf(bio_err, "Unknown PRF algorithm %s\n", *args);
-                    badarg = 1;
-                }
-            } else
-                badarg = 1;
         } else if (!strcmp(*args, "-inform")) {
             if (args[1]) {
                 args++;
@@ -151,14 +140,7 @@ int MAIN(int argc, char **argv)
             topk8 = 1;
         else if (!strcmp(*args, "-noiter"))
             iter = 1;
-        else if (!strcmp(*args, "-iter")) {
-            if (args[1]) {
-                iter = atoi(*(++args));
-                if (iter <= 0)
-                    badarg = 1;
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-nocrypt"))
+        else if (!strcmp(*args, "-nocrypt"))
             nocrypt = 1;
         else if (!strcmp(*args, "-nooct"))
             p8_broken = PKCS8_NO_OCTET;
@@ -167,22 +149,19 @@ int MAIN(int argc, char **argv)
         else if (!strcmp(*args, "-embed"))
             p8_broken = PKCS8_EMBEDDED_PARAM;
         else if (!strcmp(*args, "-passin")) {
-            if (args[1])
-                passargin = *(++args);
-            else
-                badarg = 1;
+            if (!args[1])
+                goto bad;
+            passargin = *(++args);
         } else if (!strcmp(*args, "-passout")) {
-            if (args[1])
-                passargout = *(++args);
-            else
-                badarg = 1;
+            if (!args[1])
+                goto bad;
+            passargout = *(++args);
         }
 #ifndef OPENSSL_NO_ENGINE
         else if (strcmp(*args, "-engine") == 0) {
-            if (args[1])
-                engine = *(++args);
-            else
-                badarg = 1;
+            if (!args[1])
+                goto bad;
+            engine = *(++args);
         }
 #endif
         else if (!strcmp(*args, "-in")) {
@@ -203,6 +182,7 @@ int MAIN(int argc, char **argv)
     }
 
     if (badarg) {
+ bad:
         BIO_printf(bio_err, "Usage pkcs8 [options]\n");
         BIO_printf(bio_err, "where options are\n");
         BIO_printf(bio_err, "-in file        input file\n");
@@ -220,7 +200,6 @@ int MAIN(int argc, char **argv)
                    "-embed          use (nonstandard) embedded DSA parameters format\n");
         BIO_printf(bio_err,
                    "-nsdb           use (nonstandard) DSA Netscape DB format\n");
-        BIO_printf(bio_err, "-iter count     use count as iteration count\n");
         BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
         BIO_printf(bio_err,
                    "-nocrypt        use or expect unencrypted private key\n");

apps/privkey.pem

@@ -1,16 +1,18 @@
------BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMo7DFNMqywUA1O/
-qvWqCOm6rGrUAcR+dKsSXw6y2qiKO7APDDyotc0b4Mxwqjga98npex2RBIwUoCGJ
-iEmMXo/a8RbXVUZ+ZwcAX7PC+XeXVC5qoajaBBkd2MvYmib/2PqnNrgvhHsUL5dO
-xhC7cRqxLM/g45k3Yyw+nGa+WkTdAgMBAAECgYBMBT5w4dVG0I8foGFnz+9hzWab
-Ee9IKjE5TcKmB93ilXQyjrWO5+zPmbc7ou6aAKk9IaPCTY1kCyzW7pho7Xdt+RFq
-TgVXGZZfqtixO7f2/5oqZAkd00eOn9ZrhBpVMu4yXbbDvhDyFe4/oy0HGDjRUhxa
-Lf6ZlBuTherxm4eFkQJBAPBQwRs9UtqaMAQlagA9pV5UsQjV1WT4IxDURMPfXgCd
-ETNkB6pP0SmxQm5xhv9N2HY1UtoWpug9s0OU5IJB15sCQQDXbfbjiujNbuOxCFNw
-68JZaCFVdNovyOWORkpenQLNEjVkmTCS9OayK09ADEYtsdpUGKeF+2EYBNkFr5px
-CajnAkBMYI4PNz1HBuwt1SpMa0tMoMQnV7bbwVV7usskKbC5pzHZUHhzM6z5gEHp
-0iEisT4Ty7zKXZqsgzefSgoaMAzzAkEAoCIaUhtwXzwdPfvNYnOs3J6doJMimECB
-+lbfcyLM8TimvadtRt+KGEg/OYGmLNM2UiqdY+duzdbUpvhYGcwvYwJAQvaoi9z2
-CkiwSs/PFrLaNlfLJmXRsUBzmiWYoh6+IQJJorEXz7ewI72ee9RBO4s746cgUFwH
-Ri+qO+HhZFUBqQ==
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,BA26229A1653B7FF
+
+6nhWG8PKhTPO/s3ZvjUa6226NlKdvPDZFsNXOOoSUs9ejxpb/aj5huhs6qRYzsz9
+Year47uaAZYhGD0vAagnNiBnYmjWEpN9G/wQxG7pgZThK1ZxDi63qn8aQ8UjuGHo
+F6RpnnBQIAnWTWqr/Qsybtc5EoNkrj/Cpx0OfbSr6gZsFBCxwX1R1hT3/mhJ45f3
+XMofY32Vdfx9/vtw1O7HmlHXQnXaqnbd9/nn1EpvFJG9+UjPoW7gV4jCOLuR4deE
+jS8hm+cpkwXmFtk3VGjT9tQXPpMv3JpYfBqgGQoMAJ5Toq0DWcHi6Wg08PsD8lgy
+vmTioPsRg+JGkJkJ8GnusgLpQdlQJbjzd7wGE6ElUFLfOxLo8bLlRHoriHNdWYhh
+JjY0LyeTkovcmWxVjImc6ZyBz5Ly4t0BYf1gq3OkjsV91Q1taBxnhiavfizqMCAf
+PPB3sLQnlXG77TOXkNxpqbZfEYrVZW2Nsqqdn8s07Uj4IMONZyq2odYKWFPMJBiM
+POYwXjMAOcmFMTHYsVlhcUJuV6LOuipw/FEbTtPH/MYMxLe4zx65dYo1rb4iLKLS
+gMtB0o/Wl4Xno3ZXh1ucicYnV2J7NpVcjVq+3SFiCRu2SrSkZHZ23EPS13Ec6fcz
+8X/YGA2vTJ8MAOozAzQUwHQYvLk7bIoQVekqDq4p0AZQbhdspHpArCk0Ifqqzg/v
+Uyky/zZiQYanzDenTSRVI/8wac3olxpU8QvbySxYqmbkgq6bTpXJfYFQfnAttEsC
+dA4S5UFgyOPZluxCAM4yaJF3Ft6neutNwftuJQMbgCUi9vYg2tGdSw==
+-----END RSA PRIVATE KEY-----

apps/progs.h

@@ -172,18 +172,6 @@ FUNCTION functions[] = {
 #ifndef OPENSSL_NO_RMD160
     {FUNC_TYPE_MD, "rmd160", dgst_main},
 #endif
-#ifndef OPENSSL_NO_SHA224
-    {FUNC_TYPE_MD, "sha224", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA256
-    {FUNC_TYPE_MD, "sha256", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA384
-    {FUNC_TYPE_MD, "sha384", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA512
-    {FUNC_TYPE_MD, "sha512", dgst_main},
-#endif
 #ifndef OPENSSL_NO_AES
     {FUNC_TYPE_CIPHER, "aes-128-cbc", enc_main},
 #endif

apps/progs.pl

@@ -57,7 +57,7 @@ foreach (@ARGV)
 		{ print $str; }
 	}
 
-foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160","sha224","sha256","sha384","sha512")
+foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160")
 	{
 	push(@files,$_);
 	printf "#ifndef OPENSSL_NO_".uc($_)."\n\t{FUNC_TYPE_MD,\"".$_."\",dgst_main},\n#endif\n";

apps/req.c

@@ -56,10 +56,21 @@
  * [including the GNU Public Licence.]
  */
 
+/*
+ * Until the key-gen callbacks are modified to use newer prototypes, we allow
+ * deprecated functions for openssl-internal code
+ */
+#ifdef OPENSSL_NO_DEPRECATED
+# undef OPENSSL_NO_DEPRECATED
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/evp.h>
@@ -491,10 +502,10 @@ int MAIN(int argc, char **argv)
 
             oid_bio = BIO_new_file(p, "r");
             if (oid_bio == NULL) {
-                /*-
-                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
-                ERR_print_errors(bio_err);
-                */
+                                /*-
+                                BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
+                                ERR_print_errors(bio_err);
+                                */
             } else {
                 OBJ_create_objects(oid_bio);
                 BIO_free(oid_bio);
@@ -844,7 +855,7 @@ int MAIN(int argc, char **argv)
     }
 
     if (subj && x509) {
-        BIO_printf(bio_err, "Cannot modify certificate subject\n");
+        BIO_printf(bio_err, "Cannot modifiy certificate subject\n");
         goto end;
     }
 
@@ -1079,13 +1090,15 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
     if (!X509_REQ_set_version(req, 0L))
         goto err;               /* version 1 */
 
-    if (subj)
-        i = build_subject(req, subj, chtype, multirdn);
-    else if (no_prompt)
+    if (no_prompt)
         i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
-    else
-        i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
-                        chtype);
+    else {
+        if (subj)
+            i = build_subject(req, subj, chtype, multirdn);
+        else
+            i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs,
+                            chtype);
+    }
     if (!i)
         goto err;
 
@@ -1654,6 +1667,9 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
         c = '\n';
     BIO_write(b, &c, 1);
     (void)BIO_flush(b);
+#ifdef LINT
+    p = n;
+#endif
     return 1;
 }
 

apps/s_apps.h

@@ -152,70 +152,33 @@ typedef fd_mask fd_set;
 #define PROTOCOL        "tcp"
 
 int do_server(int port, int type, int *ret,
-              int (*cb) (char *hostname, int s, int stype,
-                         unsigned char *context), unsigned char *context,
-              int naccept);
-#ifndef NO_SYS_UN_H
-int do_server_unix(const char *path, int *ret,
-                   int (*cb) (char *hostname, int s, int stype,
-                              unsigned char *context), unsigned char *context,
-                   int naccept);
-#endif
+              int (*cb) (char *hostname, int s, unsigned char *context),
+              unsigned char *context);
 #ifdef HEADER_X509_H
-int verify_callback(int ok, X509_STORE_CTX *ctx);
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
-                       STACK_OF(X509) *chain, int build_chain);
-int ssl_print_sigalgs(BIO *out, SSL *s);
-int ssl_print_point_formats(BIO *out, SSL *s);
-int ssl_print_curves(BIO *out, SSL *s, int noshared);
-#endif
-int ssl_print_tmp_key(BIO *out, SSL *s);
-int init_client(int *sock, const char *server, int port, int type);
-#ifndef NO_SYS_UN_H
-int init_client_unix(int *sock, const char *server);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
 #endif
+int init_client(int *sock, char *server, int port, int type);
 int should_retry(int i);
-int extract_port(const char *str, short *port_ptr);
+int extract_port(char *str, short *port_ptr);
 int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
                       short *p);
 
-long bio_dump_callback(BIO *bio, int cmd, const char *argp,
-                       int argi, long argl, long ret);
+long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+                                   int argi, long argl, long ret);
 
 #ifdef HEADER_SSL_H
-void apps_ssl_info_callback(const SSL *s, int where, int ret);
-void msg_cb(int write_p, int version, int content_type, const void *buf,
-            size_t len, SSL *ssl, void *arg);
-void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
-               int len, void *arg);
+void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
+void MS_CALLBACK msg_cb(int write_p, int version, int content_type,
+                        const void *buf, size_t len, SSL *ssl, void *arg);
+void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
+                           unsigned char *data, int len, void *arg);
 #endif
 
-int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
-                             unsigned int *cookie_len);
-int verify_cookie_callback(SSL *ssl, unsigned char *cookie,
-                           unsigned int cookie_len);
-
-typedef struct ssl_excert_st SSL_EXCERT;
-
-void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
-void ssl_excert_free(SSL_EXCERT *exc);
-int args_excert(char ***pargs, int *pargc,
-                int *badarg, BIO *err, SSL_EXCERT **pexc);
-int load_excert(SSL_EXCERT **pexc, BIO *err);
-void print_ssl_summary(BIO *bio, SSL *s);
-#ifdef HEADER_SSL_H
-int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
-             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
-int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
-                  STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
-int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
-                     int crl_download);
-int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
-                    const char *vfyCAfile, const char *chCApath,
-                    const char *chCAfile, STACK_OF(X509_CRL) *crls,
-                    int crl_download);
-void ssl_ctx_security_debug(SSL_CTX *ctx, BIO *out, int verbose);
-#endif
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                         unsigned int *cookie_len);
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie,
+                                       unsigned int cookie_len);

apps/s_client.c

@@ -141,6 +141,10 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/e_os2.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
+
 /*
  * With IPv6, it looks like Digital has mixed up the proper order of
  * recursive header file inclusion, resulting in the compiler complaining
@@ -172,6 +176,10 @@ typedef unsigned int u_int;
 # undef FIONBIO
 #endif
 
+#if defined(OPENSSL_SYS_BEOS_R5)
+# include <fcntl.h>
+#endif
+
 #undef PROG
 #define PROG    s_client_main
 
@@ -194,7 +202,6 @@ typedef unsigned int u_int;
 extern int verify_depth;
 extern int verify_error;
 extern int verify_return_error;
-extern int verify_quiet;
 
 #ifdef FIONBIO
 static int c_nbio = 0;
@@ -217,10 +224,8 @@ static void print_stuff(BIO *berr, SSL *con, int full);
 static int ocsp_resp_cb(SSL *s, void *arg);
 #endif
 static BIO *bio_c_out = NULL;
-static BIO *bio_c_msg = NULL;
 static int c_quiet = 0;
 static int c_ign_eof = 0;
-static int c_brief = 0;
 
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -297,10 +302,9 @@ static void sc_usage(void)
     BIO_printf(bio_err, " -host host     - use -connect instead\n");
     BIO_printf(bio_err, " -port port     - use -connect instead\n");
     BIO_printf(bio_err,
-               " -connect host:port - connect over TCP/IP (default is %s:%s)\n",
+               " -connect host:port - who to connect to (default is %s:%s)\n",
                SSL_HOST_NAME, PORT_STR);
-    BIO_printf(bio_err,
-               " -unix path    - connect over unix domain sockets\n");
+
     BIO_printf(bio_err,
                " -verify arg   - turn on peer certificate verification\n");
     BIO_printf(bio_err,
@@ -318,8 +322,6 @@ static void sc_usage(void)
                " -pass arg     - private key file pass phrase source\n");
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
-    BIO_printf(bio_err,
-               " -trusted_first - Use local CA's first when building trust chain\n");
     BIO_printf(bio_err,
                " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
     BIO_printf(bio_err,
@@ -363,6 +365,7 @@ static void sc_usage(void)
                " -srp_strength int - minimal length in bits for N (default %d).\n",
                SRP_MINIMAL_N);
 #endif
+    BIO_printf(bio_err, " -ssl2         - just use SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD
     BIO_printf(bio_err, " -ssl3         - just use SSLv3\n");
 #endif
@@ -373,9 +376,11 @@ static void sc_usage(void)
     BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n");
     BIO_printf(bio_err, " -mtu          - set the link layer MTU\n");
     BIO_printf(bio_err,
-               " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n");
+               " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
     BIO_printf(bio_err,
                " -bugs         - Switch on all SSL implementation bug workarounds\n");
+    BIO_printf(bio_err,
+               " -serverpref   - Use server's cipher preferences (only SSLv2)\n");
     BIO_printf(bio_err,
                " -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
     BIO_printf(bio_err,
@@ -389,8 +394,6 @@ static void sc_usage(void)
     BIO_printf(bio_err,
                "                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
     BIO_printf(bio_err, "                 are supported.\n");
-    BIO_printf(bio_err,
-               " -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n");
 #ifndef OPENSSL_NO_ENGINE
     BIO_printf(bio_err,
                " -engine id    - Initialise and use the specified engine\n");
@@ -408,14 +411,10 @@ static void sc_usage(void)
                " -status           - request certificate status from server\n");
     BIO_printf(bio_err,
                " -no_ticket        - disable use of RFC4507bis session tickets\n");
-    BIO_printf(bio_err,
-               " -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
     BIO_printf(bio_err,
                " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
-    BIO_printf(bio_err,
-               " -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
 #endif
     BIO_printf(bio_err,
                " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
@@ -437,7 +436,7 @@ typedef struct tlsextctx_st {
     int ack;
 } tlsextctx;
 
-static int ssl_servername_cb(SSL *s, int *ad, void *arg)
+static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
 {
     tlsextctx *p = (tlsextctx *) arg;
     const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
@@ -463,7 +462,7 @@ typedef struct srp_arg_st {
 
 #  define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
 
-static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
+static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
 {
     BN_CTX *bn_ctx = BN_CTX_new();
     BIGNUM *p = BN_new();
@@ -504,7 +503,7 @@ static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
  * primality tests are rather cpu consuming.
  */
 
-static int ssl_srp_verify_param_cb(SSL *s, void *arg)
+static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
 {
     SRP_ARG *srp_arg = (SRP_ARG *)arg;
     BIGNUM *N = NULL, *g = NULL;
@@ -541,7 +540,7 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg)
 
 #  define PWD_STRLEN 1024
 
-static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
 {
     SRP_ARG *srp_arg = (SRP_ARG *)arg;
     char *pass = (char *)OPENSSL_malloc(PWD_STRLEN + 1);
@@ -599,27 +598,6 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen,
     return SSL_TLSEXT_ERR_OK;
 }
 # endif                         /* ndef OPENSSL_NO_NEXTPROTONEG */
-
-static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
-                                   const unsigned char *in, size_t inlen,
-                                   int *al, void *arg)
-{
-    char pem_name[100];
-    unsigned char ext_buf[4 + 65536];
-
-    /* Reconstruct the type/len fields prior to extension data */
-    ext_buf[0] = ext_type >> 8;
-    ext_buf[1] = ext_type & 0xFF;
-    ext_buf[2] = inlen >> 8;
-    ext_buf[3] = inlen & 0xFF;
-    memcpy(ext_buf + 4, in, inlen);
-
-    BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
-                 ext_type);
-    PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
-    return 1;
-}
-
 #endif
 
 enum {
@@ -635,7 +613,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
-    int build_chain = 0;
+    unsigned int off = 0, clr = 0;
     SSL *con = NULL;
 #ifndef OPENSSL_NO_KRB5
     KSSL_CTX *kctx;
@@ -648,18 +626,13 @@ int MAIN(int argc, char **argv)
     short port = PORT;
     int full_log = 1;
     char *host = SSL_HOST_NAME;
-    const char *unix_path = NULL;
-    char *xmpphost = NULL;
-    char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
+    char *cert_file = NULL, *key_file = NULL;
     int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
     char *passarg = NULL, *pass = NULL;
     X509 *cert = NULL;
     EVP_PKEY *key = NULL;
-    STACK_OF(X509) *chain = NULL;
-    char *CApath = NULL, *CAfile = NULL;
-    char *chCApath = NULL, *chCAfile = NULL;
-    char *vfyCApath = NULL, *vfyCAfile = NULL;
-    int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE;
+    char *CApath = NULL, *CAfile = NULL, *cipher = NULL;
+    int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0;
     int crlf = 0;
     int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
     SSL_CTX *ctx = NULL;
@@ -680,8 +653,11 @@ int MAIN(int argc, char **argv)
     ENGINE *ssl_client_engine = NULL;
 #endif
     ENGINE *e = NULL;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
     struct timeval tv;
+# if defined(OPENSSL_SYS_BEOS_R5)
+    int stdin_set = 0;
+# endif
 #endif
 #ifndef OPENSSL_NO_TLSEXT
     char *servername = NULL;
@@ -689,10 +665,6 @@ int MAIN(int argc, char **argv)
 # ifndef OPENSSL_NO_NEXTPROTONEG
     const char *next_proto_neg_in = NULL;
 # endif
-    const char *alpn_in = NULL;
-# define MAX_SI_TYPES 100
-    unsigned short serverinfo_types[MAX_SI_TYPES];
-    int serverinfo_types_count = 0;
 #endif
     char *sess_in = NULL;
     char *sess_out = NULL;
@@ -702,26 +674,13 @@ int MAIN(int argc, char **argv)
     int enable_timeouts = 0;
     long socket_mtu = 0;
 #ifndef OPENSSL_NO_JPAKE
-    static char *jpake_secret = NULL;
-# define no_jpake !jpake_secret
-#else
-# define no_jpake 1
+    char *jpake_secret = NULL;
 #endif
 #ifndef OPENSSL_NO_SRP
     char *srppass = NULL;
     int srp_lateuser = 0;
     SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
 #endif
-    SSL_EXCERT *exc = NULL;
-
-    SSL_CONF_CTX *cctx = NULL;
-    STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
-
-    char *crl_file = NULL;
-    int crl_format = FORMAT_PEM;
-    int crl_download = 0;
-    STACK_OF(X509_CRL) *crls = NULL;
-    int sdebug = 0;
 
     meth = SSLv23_client_method();
 
@@ -738,11 +697,6 @@ int MAIN(int argc, char **argv)
 
     if (!load_config(bio_err, NULL))
         goto end;
-    cctx = SSL_CONF_CTX_new();
-    if (!cctx)
-        goto end;
-    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
-    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
 
     if (((cbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) ||
         ((sbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) ||
@@ -775,32 +729,17 @@ int MAIN(int argc, char **argv)
                 goto bad;
             if (!extract_host_port(*(++argv), &host, NULL, &port))
                 goto bad;
-        } else if (strcmp(*argv, "-unix") == 0) {
-            if (--argc < 1)
-                goto bad;
-            unix_path = *(++argv);
-        } else if (strcmp(*argv, "-xmpphost") == 0) {
-            if (--argc < 1)
-                goto bad;
-            xmpphost = *(++argv);
         } else if (strcmp(*argv, "-verify") == 0) {
             verify = SSL_VERIFY_PEER;
             if (--argc < 1)
                 goto bad;
             verify_depth = atoi(*(++argv));
-            if (!c_quiet)
-                BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
+            BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
         } else if (strcmp(*argv, "-cert") == 0) {
             if (--argc < 1)
                 goto bad;
             cert_file = *(++argv);
-        } else if (strcmp(*argv, "-CRL") == 0) {
-            if (--argc < 1)
-                goto bad;
-            crl_file = *(++argv);
-        } else if (strcmp(*argv, "-crl_download") == 0)
-            crl_download = 1;
-        else if (strcmp(*argv, "-sess_out") == 0) {
+        } else if (strcmp(*argv, "-sess_out") == 0) {
             if (--argc < 1)
                 goto bad;
             sess_out = *(++argv);
@@ -812,31 +751,13 @@ int MAIN(int argc, char **argv)
             if (--argc < 1)
                 goto bad;
             cert_format = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-CRLform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            crl_format = str2fmt(*(++argv));
         } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
             if (badarg)
                 goto bad;
             continue;
         } else if (strcmp(*argv, "-verify_return_error") == 0)
             verify_return_error = 1;
-        else if (strcmp(*argv, "-verify_quiet") == 0)
-            verify_quiet = 1;
-        else if (strcmp(*argv, "-brief") == 0) {
-            c_brief = 1;
-            verify_quiet = 1;
-            c_quiet = 1;
-        } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) {
-            if (badarg)
-                goto bad;
-            continue;
-        } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) {
-            if (badarg)
-                goto bad;
-            continue;
-        } else if (strcmp(*argv, "-prexit") == 0)
+        else if (strcmp(*argv, "-prexit") == 0)
             prexit = 1;
         else if (strcmp(*argv, "-crlf") == 0)
             crlf = 1;
@@ -863,20 +784,7 @@ int MAIN(int argc, char **argv)
 #endif
         else if (strcmp(*argv, "-msg") == 0)
             c_msg = 1;
-        else if (strcmp(*argv, "-msgfile") == 0) {
-            if (--argc < 1)
-                goto bad;
-            bio_c_msg = BIO_new_file(*(++argv), "w");
-        }
-#ifndef OPENSSL_NO_SSL_TRACE
-        else if (strcmp(*argv, "-trace") == 0)
-            c_msg = 2;
-#endif
-        else if (strcmp(*argv, "-security_debug") == 0) {
-            sdebug = 1;
-        } else if (strcmp(*argv, "-security_debug_verbose") == 0) {
-            sdebug = 2;
-        } else if (strcmp(*argv, "-showcerts") == 0)
+        else if (strcmp(*argv, "-showcerts") == 0)
             c_showcerts = 1;
         else if (strcmp(*argv, "-nbio_test") == 0)
             nbio_test = 1;
@@ -927,6 +835,10 @@ int MAIN(int argc, char **argv)
             meth = TLSv1_client_method();
         }
 #endif
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0)
+            meth = SSLv2_client_method();
+#endif
 #ifndef OPENSSL_NO_SSL3_METHOD
         else if (strcmp(*argv, "-ssl3") == 0)
             meth = SSLv3_client_method();
@@ -940,15 +852,11 @@ int MAIN(int argc, char **argv)
             meth = TLSv1_client_method();
 #endif
 #ifndef OPENSSL_NO_DTLS1
-        else if (strcmp(*argv, "-dtls") == 0) {
-            meth = DTLS_client_method();
-            socket_type = SOCK_DGRAM;
-        } else if (strcmp(*argv, "-dtls1") == 0) {
+        else if (strcmp(*argv, "-dtls1") == 0) {
             meth = DTLSv1_client_method();
             socket_type = SOCK_DGRAM;
-        } else if (strcmp(*argv, "-dtls1_2") == 0) {
-            meth = DTLSv1_2_client_method();
-            socket_type = SOCK_DGRAM;
+        } else if (strcmp(*argv, "-fallback_scsv") == 0) {
+            fallback_scsv = 1;
         } else if (strcmp(*argv, "-timeout") == 0)
             enable_timeouts = 1;
         else if (strcmp(*argv, "-mtu") == 0) {
@@ -957,9 +865,9 @@ int MAIN(int argc, char **argv)
             socket_mtu = atol(*(++argv));
         }
 #endif
-        else if (strcmp(*argv, "-fallback_scsv") == 0) {
-            fallback_scsv = 1;
-        } else if (strcmp(*argv, "-keyform") == 0) {
+        else if (strcmp(*argv, "-bugs") == 0)
+            bugs = 1;
+        else if (strcmp(*argv, "-keyform") == 0) {
             if (--argc < 1)
                 goto bad;
             key_format = str2fmt(*(++argv));
@@ -967,10 +875,6 @@ int MAIN(int argc, char **argv)
             if (--argc < 1)
                 goto bad;
             passarg = *(++argv);
-        } else if (strcmp(*argv, "-cert_chain") == 0) {
-            if (--argc < 1)
-                goto bad;
-            chain_file = *(++argv);
         } else if (strcmp(*argv, "-key") == 0) {
             if (--argc < 1)
                 goto bad;
@@ -981,30 +885,27 @@ int MAIN(int argc, char **argv)
             if (--argc < 1)
                 goto bad;
             CApath = *(++argv);
-        } else if (strcmp(*argv, "-chainCApath") == 0) {
-            if (--argc < 1)
-                goto bad;
-            chCApath = *(++argv);
-        } else if (strcmp(*argv, "-verifyCApath") == 0) {
-            if (--argc < 1)
-                goto bad;
-            vfyCApath = *(++argv);
-        } else if (strcmp(*argv, "-build_chain") == 0)
-            build_chain = 1;
-        else if (strcmp(*argv, "-CAfile") == 0) {
+        } else if (strcmp(*argv, "-CAfile") == 0) {
             if (--argc < 1)
                 goto bad;
             CAfile = *(++argv);
-        } else if (strcmp(*argv, "-chainCAfile") == 0) {
-            if (--argc < 1)
-                goto bad;
-            chCAfile = *(++argv);
-        } else if (strcmp(*argv, "-verifyCAfile") == 0) {
-            if (--argc < 1)
-                goto bad;
-            vfyCAfile = *(++argv);
+        } else if (strcmp(*argv, "-no_tls1_2") == 0)
+            off |= SSL_OP_NO_TLSv1_2;
+        else if (strcmp(*argv, "-no_tls1_1") == 0)
+            off |= SSL_OP_NO_TLSv1_1;
+        else if (strcmp(*argv, "-no_tls1") == 0)
+            off |= SSL_OP_NO_TLSv1;
+        else if (strcmp(*argv, "-no_ssl3") == 0)
+            off |= SSL_OP_NO_SSLv3;
+        else if (strcmp(*argv, "-no_ssl2") == 0)
+            off |= SSL_OP_NO_SSLv2;
+        else if (strcmp(*argv, "-no_comp") == 0) {
+            off |= SSL_OP_NO_COMPRESSION;
         }
 #ifndef OPENSSL_NO_TLSEXT
+        else if (strcmp(*argv, "-no_ticket") == 0) {
+            off |= SSL_OP_NO_TICKET;
+        }
 # ifndef OPENSSL_NO_NEXTPROTONEG
         else if (strcmp(*argv, "-nextprotoneg") == 0) {
             if (--argc < 1)
@@ -1012,32 +913,20 @@ int MAIN(int argc, char **argv)
             next_proto_neg_in = *(++argv);
         }
 # endif
-        else if (strcmp(*argv, "-alpn") == 0) {
-            if (--argc < 1)
-                goto bad;
-            alpn_in = *(++argv);
-        } else if (strcmp(*argv, "-serverinfo") == 0) {
-            char *c;
-            int start = 0;
-            int len;
-
-            if (--argc < 1)
-                goto bad;
-            c = *(++argv);
-            serverinfo_types_count = 0;
-            len = strlen(c);
-            for (i = 0; i <= len; ++i) {
-                if (i == len || c[i] == ',') {
-                    serverinfo_types[serverinfo_types_count]
-                        = atoi(c + start);
-                    serverinfo_types_count++;
-                    start = i + 1;
-                }
-                if (serverinfo_types_count == MAX_SI_TYPES)
-                    break;
-            }
-        }
 #endif
+        else if (strcmp(*argv, "-serverpref") == 0)
+            off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+        else if (strcmp(*argv, "-legacy_renegotiation") == 0)
+            off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+        else if (strcmp(*argv, "-legacy_server_connect") == 0) {
+            off |= SSL_OP_LEGACY_SERVER_CONNECT;
+        } else if (strcmp(*argv, "-no_legacy_server_connect") == 0) {
+            clr |= SSL_OP_LEGACY_SERVER_CONNECT;
+        } else if (strcmp(*argv, "-cipher") == 0) {
+            if (--argc < 1)
+                goto bad;
+            cipher = *(++argv);
+        }
 #ifdef FIONBIO
         else if (strcmp(*argv, "-nbio") == 0) {
             c_nbio = 1;
@@ -1121,12 +1010,6 @@ int MAIN(int argc, char **argv)
         sc_usage();
         goto end;
     }
-
-    if (unix_path && (socket_type != SOCK_STREAM)) {
-        BIO_printf(bio_err,
-                   "Can't use unix sockets and datagrams together\n");
-        goto end;
-    }
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
     if (jpake_secret) {
         if (psk_key) {
@@ -1134,6 +1017,11 @@ int MAIN(int argc, char **argv)
             goto end;
         }
         psk_identity = "JPAKE";
+        if (cipher) {
+            BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+            goto end;
+        }
+        cipher = "PSK";
     }
 #endif
 
@@ -1192,33 +1080,6 @@ int MAIN(int argc, char **argv)
         }
     }
 
-    if (chain_file) {
-        chain = load_certs(bio_err, chain_file, FORMAT_PEM,
-                           NULL, e, "client certificate chain");
-        if (!chain)
-            goto end;
-    }
-
-    if (crl_file) {
-        X509_CRL *crl;
-        crl = load_crl(crl_file, crl_format);
-        if (!crl) {
-            BIO_puts(bio_err, "Error loading CRL\n");
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-        crls = sk_X509_CRL_new_null();
-        if (!crls || !sk_X509_CRL_push(crls, crl)) {
-            BIO_puts(bio_err, "Error adding CRL\n");
-            ERR_print_errors(bio_err);
-            X509_CRL_free(crl);
-            goto end;
-        }
-    }
-
-    if (!load_excert(&exc, bio_err))
-        goto end;
-
     if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
         && !RAND_status()) {
         BIO_printf(bio_err,
@@ -1229,10 +1090,8 @@ int MAIN(int argc, char **argv)
                    app_RAND_load_files(inrand));
 
     if (bio_c_out == NULL) {
-        if (c_quiet && !c_debug) {
+        if (c_quiet && !c_debug && !c_msg) {
             bio_c_out = BIO_new(BIO_s_null());
-            if (c_msg && !bio_c_msg)
-                bio_c_msg = BIO_new_fp(stdout, BIO_NOCLOSE);
         } else {
             if (bio_c_out == NULL)
                 bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE);
@@ -1251,23 +1110,9 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (sdebug)
-        ssl_ctx_security_debug(ctx, bio_err, sdebug);
-
     if (vpm)
         SSL_CTX_set1_param(ctx, vpm);
 
-    if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
-                         crls, crl_download)) {
-        BIO_printf(bio_err, "Error loading store locations\n");
-        ERR_print_errors(bio_err);
-        goto end;
-    }
 #ifndef OPENSSL_NO_ENGINE
     if (ssl_client_engine) {
         if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
@@ -1297,8 +1142,13 @@ int MAIN(int argc, char **argv)
     if (srtp_profiles != NULL)
         SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
 #endif
-    if (exc)
-        ssl_ctx_set_excert(ctx, exc);
+    if (bugs)
+        SSL_CTX_set_options(ctx, SSL_OP_ALL | off);
+    else
+        SSL_CTX_set_options(ctx, off);
+
+    if (clr)
+        SSL_CTX_clear_options(ctx, clr);
     /*
      * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
      * read ahead solves this problem.
@@ -1306,40 +1156,27 @@ int MAIN(int argc, char **argv)
     if (socket_type == SOCK_DGRAM)
         SSL_CTX_set_read_ahead(ctx, 1);
 
-#if !defined(OPENSSL_NO_TLSEXT)
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto.data)
         SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
-# endif
-    if (alpn_in) {
-        unsigned short alpn_len;
-        unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
-
-        if (alpn == NULL) {
-            BIO_printf(bio_err, "Error parsing -alpn argument\n");
-            goto end;
-        }
-        SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
-        OPENSSL_free(alpn);
-    }
-#endif
-#ifndef OPENSSL_NO_TLSEXT
-    for (i = 0; i < serverinfo_types_count; i++) {
-        SSL_CTX_add_client_custom_ext(ctx,
-                                      serverinfo_types[i],
-                                      NULL, NULL, NULL,
-                                      serverinfo_cli_parse_cb, NULL);
-    }
 #endif
 
     if (state)
         SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
+    if (cipher != NULL)
+        if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
+            BIO_printf(bio_err, "error setting cipher list\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
 #if 0
-    else
-        SSL_CTX_set_cipher_list(ctx, getenv("SSL_CIPHER"));
+        else
+            SSL_CTX_set_cipher_list(ctx, getenv("SSL_CIPHER"));
 #endif
 
     SSL_CTX_set_verify(ctx, verify, verify_callback);
+    if (!set_cert_key_stuff(ctx, cert, key))
+        goto end;
 
     if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
         (!SSL_CTX_set_default_verify_paths(ctx))) {
@@ -1349,12 +1186,6 @@ int MAIN(int argc, char **argv)
         ERR_print_errors(bio_err);
         /* goto end; */
     }
-
-    ssl_ctx_add_crls(ctx, crls, crl_download);
-
-    if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
-        goto end;
-
 #ifndef OPENSSL_NO_TLSEXT
     if (servername != NULL) {
         tlsextcbp.biodebug = bio_err;
@@ -1425,13 +1256,8 @@ int MAIN(int argc, char **argv)
 #endif
 
  re_start:
-#ifdef NO_SYS_UN_H
-    if (init_client(&s, host, port, socket_type) == 0)
-#else
-    if ((!unix_path && (init_client(&s, host, port, socket_type) == 0)) ||
-        (unix_path && (init_client_unix(&s, unix_path) == 0)))
-#endif
-    {
+
+    if (init_client(&s, host, port, socket_type) == 0) {
         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
         SHUTDOWN(s);
         goto end;
@@ -1451,7 +1277,7 @@ int MAIN(int argc, char **argv)
     if (c_Pause & 0x01)
         SSL_set_debug(con, 1);
 
-    if (socket_type == SOCK_DGRAM) {
+    if (SSL_version(con) == DTLS1_VERSION) {
 
         sbio = BIO_new_dgram(s, BIO_NOCLOSE);
         if (getsockname(s, &peer, (void *)&peerlen) < 0) {
@@ -1505,13 +1331,8 @@ int MAIN(int argc, char **argv)
         BIO_set_callback_arg(sbio, (char *)bio_c_out);
     }
     if (c_msg) {
-#ifndef OPENSSL_NO_SSL_TRACE
-        if (c_msg == 2)
-            SSL_set_msg_callback(con, SSL_trace);
-        else
-#endif
-            SSL_set_msg_callback(con, msg_cb);
-        SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
+        SSL_set_msg_callback(con, msg_cb);
+        SSL_set_msg_callback_arg(con, bio_c_out);
     }
 #ifndef OPENSSL_NO_TLSEXT
     if (c_tlsextdebug) {
@@ -1639,20 +1460,14 @@ int MAIN(int argc, char **argv)
         int seen = 0;
         BIO_printf(sbio, "<stream:stream "
                    "xmlns:stream='http://etherx.jabber.org/streams' "
-                   "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ?
-                   xmpphost : host);
+                   "xmlns='jabber:client' to='%s' version='1.0'>", host);
         seen = BIO_read(sbio, mbuf, BUFSIZZ);
         mbuf[seen] = 0;
         while (!strstr
-               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
-               && !strstr(mbuf,
-                          "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
-        {
-            seen = BIO_read(sbio, mbuf, BUFSIZZ);
-
-            if (seen <= 0)
+               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+            if (strstr(mbuf, "/stream:features>"))
                 goto shut;
-
+            seen = BIO_read(sbio, mbuf, BUFSIZZ);
             mbuf[seen] = 0;
         }
         BIO_printf(sbio,
@@ -1700,11 +1515,6 @@ int MAIN(int argc, char **argv)
                         BIO_printf(bio_err, "Error writing session file %s\n",
                                    sess_out);
                 }
-                if (c_brief) {
-                    BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
-                    print_ssl_summary(bio_err, con);
-                }
-
                 print_stuff(bio_c_out, con, full_log);
                 if (full_log > 0)
                     full_log--;
@@ -1730,7 +1540,7 @@ int MAIN(int argc, char **argv)
         ssl_pending = read_ssl && SSL_pending(con);
 
         if (!ssl_pending) {
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
             if (tty_on) {
                 if (read_tty)
                     openssl_fdset(fileno(stdin), &readfds);
@@ -1749,8 +1559,8 @@ int MAIN(int argc, char **argv)
                     openssl_fdset(SSL_get_fd(con), &writefds);
             }
 #endif
-/*-         printf("mode tty(%d %d%d) ssl(%d%d)\n",
-                    tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
+/*-                     printf("mode tty(%d %d%d) ssl(%d%d)\n",
+                                tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
 
             /*
              * Note: under VMS with SOCKETSHR the second parameter is
@@ -1801,6 +1611,26 @@ int MAIN(int argc, char **argv)
                     i = select(width, (void *)&readfds, (void *)&writefds,
                                NULL, timeoutp);
             }
+#elif defined(OPENSSL_SYS_BEOS_R5)
+            /* Under BeOS-R5 the situation is similar to DOS */
+            i = 0;
+            stdin_set = 0;
+            (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
+            if (!write_tty) {
+                if (read_tty) {
+                    tv.tv_sec = 1;
+                    tv.tv_usec = 0;
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, &tv);
+                    if (read(fileno(stdin), sbuf, 0) >= 0)
+                        stdin_set = 1;
+                    if (!i && (stdin_set != 1 || !read_tty))
+                        continue;
+                } else
+                    i = select(width, (void *)&readfds, (void *)&writefds,
+                               NULL, timeoutp);
+            }
+            (void)fcntl(fileno(stdin), F_SETFL, 0);
 #else
             i = select(width, (void *)&readfds, (void *)&writefds,
                        NULL, timeoutp);
@@ -1815,7 +1645,7 @@ int MAIN(int argc, char **argv)
 
         if ((SSL_version(con) == DTLS1_VERSION)
             && DTLSv1_handle_timeout(con) > 0) {
-            BIO_printf(bio_err, "TIMEOUT occurred\n");
+            BIO_printf(bio_err, "TIMEOUT occured\n");
         }
 
         if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) {
@@ -1876,7 +1706,7 @@ int MAIN(int argc, char **argv)
                 goto shut;
             }
         }
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
         /* Assume Windows/DOS/BeOS can always write */
         else if (!ssl_pending && write_tty)
 #else
@@ -1950,10 +1780,7 @@ int MAIN(int argc, char **argv)
                 break;
             case SSL_ERROR_SYSCALL:
                 ret = get_last_socket_error();
-                if (c_brief)
-                    BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
-                else
-                    BIO_printf(bio_err, "read:errno=%d\n", ret);
+                BIO_printf(bio_err, "read:errno=%d\n", ret);
                 goto shut;
             case SSL_ERROR_ZERO_RETURN:
                 BIO_printf(bio_c_out, "closed\n");
@@ -1975,6 +1802,8 @@ int MAIN(int argc, char **argv)
 # endif
 #elif defined (OPENSSL_SYS_NETWARE)
         else if (_kbhit())
+#elif defined(OPENSSL_SYS_BEOS_R5)
+        else if (stdin_set)
 #else
         else if (FD_ISSET(fileno(stdin), &readfds))
 #endif
@@ -2051,25 +1880,12 @@ int MAIN(int argc, char **argv)
         SSL_CTX_free(ctx);
     if (cert)
         X509_free(cert);
-    if (crls)
-        sk_X509_CRL_pop_free(crls, X509_CRL_free);
     if (key)
         EVP_PKEY_free(key);
-    if (chain)
-        sk_X509_pop_free(chain, X509_free);
     if (pass)
         OPENSSL_free(pass);
     if (vpm)
         X509_VERIFY_PARAM_free(vpm);
-    ssl_excert_free(exc);
-    if (ssl_args)
-        sk_OPENSSL_STRING_free(ssl_args);
-    if (cctx)
-        SSL_CONF_CTX_free(cctx);
-#ifndef OPENSSL_NO_JPAKE
-    if (jpake_secret && psk_key)
-        OPENSSL_free(psk_key);
-#endif
     if (cbuf != NULL) {
         OPENSSL_cleanse(cbuf, BUFSIZZ);
         OPENSSL_free(cbuf);
@@ -2086,10 +1902,6 @@ int MAIN(int argc, char **argv)
         BIO_free(bio_c_out);
         bio_c_out = NULL;
     }
-    if (bio_c_msg != NULL) {
-        BIO_free(bio_c_msg);
-        bio_c_msg = NULL;
-    }
     apps_shutdown();
     OPENSSL_EXIT(ret);
 }
@@ -2097,12 +1909,14 @@ int MAIN(int argc, char **argv)
 static void print_stuff(BIO *bio, SSL *s, int full)
 {
     X509 *peer = NULL;
+    char *p;
+    static const char *space = "                ";
     char buf[BUFSIZ];
     STACK_OF(X509) *sk;
     STACK_OF(X509_NAME) *sk2;
     const SSL_CIPHER *c;
     X509_NAME *xn;
-    int i;
+    int j, i;
 #ifndef OPENSSL_NO_COMP
     const COMP_METHOD *comp, *expansion;
 #endif
@@ -2155,9 +1969,31 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         } else {
             BIO_printf(bio, "---\nNo client certificate CA names sent\n");
         }
+        p = SSL_get_shared_ciphers(s, buf, sizeof buf);
+        if (p != NULL) {
+            /*
+             * This works only for SSL 2.  In later protocol versions, the
+             * client does not know what other ciphers (in addition to the
+             * one to be used in the current connection) the server supports.
+             */
 
-        ssl_print_sigalgs(bio, s);
-        ssl_print_tmp_key(bio, s);
+            BIO_printf(bio,
+                       "---\nCiphers common between both SSL endpoints:\n");
+            j = i = 0;
+            while (*p) {
+                if (*p == ':') {
+                    BIO_write(bio, space, 15 - j % 25);
+                    i++;
+                    j = 0;
+                    BIO_write(bio, ((i % 3) ? " " : "\n"), 1);
+                } else {
+                    BIO_write(bio, p, 1);
+                    j++;
+                }
+                p++;
+            }
+            BIO_write(bio, "\n", 1);
+        }
 
         BIO_printf(bio,
                    "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
@@ -2198,8 +2034,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     }
 #endif
 
-#if !defined(OPENSSL_NO_TLSEXT)
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
     if (next_proto.status != -1) {
         const unsigned char *proto;
         unsigned int proto_len;
@@ -2208,18 +2043,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         BIO_write(bio, proto, proto_len);
         BIO_write(bio, "\n", 1);
     }
-# endif
-    {
-        const unsigned char *proto;
-        unsigned int proto_len;
-        SSL_get0_alpn_selected(s, &proto, &proto_len);
-        if (proto_len > 0) {
-            BIO_printf(bio, "ALPN protocol: ");
-            BIO_write(bio, proto, proto_len);
-            BIO_write(bio, "\n", 1);
-        } else
-            BIO_printf(bio, "No ALPN negotiated\n");
-    }
 #endif
 
 #ifndef OPENSSL_NO_SRTP

apps/s_socket.c

@@ -64,6 +64,12 @@
 #include <errno.h>
 #include <signal.h>
 
+#ifdef FLAT_INC
+# include "e_os2.h"
+#else
+# include "../e_os2.h"
+#endif
+
 /*
  * With IPv6, it looks like Digital has mixed up the proper order of
  * recursive header file inclusion, resulting in the compiler complaining
@@ -95,20 +101,21 @@ typedef unsigned int u_int;
 #  include "netdb.h"
 # endif
 
-static struct hostent *GetHostByName(const char *name);
+static struct hostent *GetHostByName(char *name);
 # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static void ssl_sock_cleanup(void);
 # endif
 static int ssl_sock_init(void);
-static int init_client_ip(int *sock, const unsigned char ip[4], int port,
-                          int type);
+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);
 static int init_server(int *sock, int port, int type);
 static int init_server_long(int *sock, int port, char *ip, int type);
 static int do_accept(int acc_sock, int *sock, char **host);
-static int host_ip(const char *str, unsigned char ip[4]);
-# ifndef NO_SYS_UN_H
-static int init_server_unix(int *sock, const char *path);
-static int do_accept_unix(int acc_sock, int *sock);
+static int host_ip(char *str, unsigned char ip[4]);
+
+# ifdef OPENSSL_SYS_WIN16
+#  define SOCKET_PROTOCOL 0     /* more microsoft stupidity */
+# else
+#  define SOCKET_PROTOCOL IPPROTO_TCP
 # endif
 
 # if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
@@ -119,6 +126,34 @@ static int wsa_init_done = 0;
 static struct WSAData wsa_state;
 static int wsa_init_done = 0;
 
+#  ifdef OPENSSL_SYS_WIN16
+static HWND topWnd = 0;
+static FARPROC lpTopWndProc = NULL;
+static FARPROC lpTopHookProc = NULL;
+extern HINSTANCE _hInstance;    /* nice global CRT provides */
+
+static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
+                                   LPARAM lParam)
+{
+    if (hwnd == topWnd) {
+        switch (message) {
+        case WM_DESTROY:
+        case WM_CLOSE:
+            SetWindowLong(topWnd, GWL_WNDPROC, (LONG) lpTopWndProc);
+            ssl_sock_cleanup();
+            break;
+        }
+    }
+    return CallWindowProc(lpTopWndProc, hwnd, message, wParam, lParam);
+}
+
+static BOOL CALLBACK enumproc(HWND hwnd, LPARAM lParam)
+{
+    topWnd = hwnd;
+    return (FALSE);
+}
+
+#  endif                        /* OPENSSL_SYS_WIN32 */
 # endif                         /* OPENSSL_SYS_WINDOWS */
 
 # ifdef OPENSSL_SYS_WINDOWS
@@ -164,6 +199,13 @@ static int ssl_sock_init(void)
                        err);
             return (0);
         }
+#  ifdef OPENSSL_SYS_WIN16
+        EnumTaskWindows(GetCurrentTask(), enumproc, 0L);
+        lpTopWndProc = (FARPROC) GetWindowLong(topWnd, GWL_WNDPROC);
+        lpTopHookProc = MakeProcInstance((FARPROC) topHookProc, _hInstance);
+
+        SetWindowLong(topWnd, GWL_WNDPROC, (LONG) lpTopHookProc);
+#  endif                        /* OPENSSL_SYS_WIN16 */
     }
 # elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
     WORD wVerReq;
@@ -189,18 +231,17 @@ static int ssl_sock_init(void)
     return (1);
 }
 
-int init_client(int *sock, const char *host, int port, int type)
+int init_client(int *sock, char *host, int port, int type)
 {
     unsigned char ip[4];
 
-    ip[0] = ip[1] = ip[2] = ip[3] = 0;
+    memset(ip, '\0', sizeof ip);
     if (!host_ip(host, &(ip[0])))
         return 0;
     return init_client_ip(sock, ip, port, type);
 }
 
-static int init_client_ip(int *sock, const unsigned char ip[4], int port,
-                          int type)
+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 {
     unsigned long addr;
     struct sockaddr_in them;
@@ -219,7 +260,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
     them.sin_addr.s_addr = htonl(addr);
 
     if (type == SOCK_STREAM)
-        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
     else                        /* ( type == SOCK_DGRAM) */
         s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 
@@ -227,7 +268,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
         perror("socket");
         return (0);
     }
-# if defined(SO_KEEPALIVE)
+# if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
     if (type == SOCK_STREAM) {
         i = 0;
         i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
@@ -248,41 +289,9 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
     return (1);
 }
 
-# ifndef NO_SYS_UN_H
-int init_client_unix(int *sock, const char *server)
-{
-    struct sockaddr_un them;
-    int s;
-
-    if (strlen(server) > (UNIX_PATH_MAX + 1))
-        return (0);
-    if (!ssl_sock_init())
-        return (0);
-
-    s = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (s == INVALID_SOCKET) {
-        perror("socket");
-        return (0);
-    }
-
-    memset((char *)&them, 0, sizeof(them));
-    them.sun_family = AF_UNIX;
-    strcpy(them.sun_path, server);
-
-    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-        closesocket(s);
-        perror("connect");
-        return (0);
-    }
-    *sock = s;
-    return (1);
-}
-# endif
-
 int do_server(int port, int type, int *ret,
-              int (*cb) (char *hostname, int s, int stype,
-                         unsigned char *context), unsigned char *context,
-              int naccept)
+              int (*cb) (char *hostname, int s, unsigned char *context),
+              unsigned char *context)
 {
     int sock;
     char *name = NULL;
@@ -298,67 +307,24 @@ int do_server(int port, int type, int *ret,
     }
     for (;;) {
         if (type == SOCK_STREAM) {
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-            if (do_accept(accept_socket, &sock, NULL) == 0)
-# else
-            if (do_accept(accept_socket, &sock, &name) == 0)
-# endif
-            {
+            if (do_accept(accept_socket, &sock, &name) == 0) {
                 SHUTDOWN(accept_socket);
                 return (0);
             }
         } else
             sock = accept_socket;
-        i = (*cb) (name, sock, type, context);
+        i = (*cb) (name, sock, context);
         if (name != NULL)
             OPENSSL_free(name);
         if (type == SOCK_STREAM)
             SHUTDOWN2(sock);
-        if (naccept != -1)
-            naccept--;
-        if (i < 0 || naccept == 0) {
+        if (i < 0) {
             SHUTDOWN2(accept_socket);
             return (i);
         }
     }
 }
 
-# ifndef NO_SYS_UN_H
-int do_server_unix(const char *path, int *ret,
-                   int (*cb) (char *hostname, int s, int stype,
-                              unsigned char *context), unsigned char *context,
-                   int naccept)
-{
-    int sock;
-    int accept_socket = 0;
-    int i;
-
-    if (!init_server_unix(&accept_socket, path))
-        return (0);
-
-    if (ret != NULL)
-        *ret = accept_socket;
-    for (;;) {
-        if (do_accept_unix(accept_socket, &sock) == 0) {
-            SHUTDOWN(accept_socket);
-            i = 0;
-            goto out;
-        }
-        i = (*cb) (NULL, sock, 0, context);
-        SHUTDOWN2(sock);
-        if (naccept != -1)
-            naccept--;
-        if (i < 0 || naccept == 0) {
-            SHUTDOWN2(accept_socket);
-            goto out;
-        }
-    }
- out:
-    unlink(path);
-    return (i);
-}
-# endif
-
 static int init_server_long(int *sock, int port, char *ip, int type)
 {
     int ret = 0;
@@ -382,7 +348,7 @@ static int init_server_long(int *sock, int port, char *ip, int type)
 # endif
 
     if (type == SOCK_STREAM)
-        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);
     else                        /* type == SOCK_DGRAM */
         s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 
@@ -417,50 +383,6 @@ static int init_server(int *sock, int port, int type)
     return (init_server_long(sock, port, NULL, type));
 }
 
-# ifndef NO_SYS_UN_H
-static int init_server_unix(int *sock, const char *path)
-{
-    int ret = 0;
-    struct sockaddr_un server;
-    int s = -1;
-
-    if (strlen(path) > (UNIX_PATH_MAX + 1))
-        return (0);
-    if (!ssl_sock_init())
-        return (0);
-
-    s = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (s == INVALID_SOCKET)
-        goto err;
-
-    memset((char *)&server, 0, sizeof(server));
-    server.sun_family = AF_UNIX;
-    strcpy(server.sun_path, path);
-
-    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-#  ifndef OPENSSL_SYS_WINDOWS
-        perror("bind");
-#  endif
-        goto err;
-    }
-    /* Make it 128 for linux */
-    if (listen(s, 128) == -1) {
-#  ifndef OPENSSL_SYS_WINDOWS
-        perror("listen");
-#  endif
-        unlink(path);
-        goto err;
-    }
-    *sock = s;
-    ret = 1;
- err:
-    if ((ret == 0) && (s != -1)) {
-        SHUTDOWN(s);
-    }
-    return (ret);
-}
-# endif
-
 static int do_accept(int acc_sock, int *sock, char **host)
 {
     int ret;
@@ -504,13 +426,13 @@ static int do_accept(int acc_sock, int *sock, char **host)
     }
 
 /*-
-    ling.l_onoff=1;
-    ling.l_linger=0;
-    i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
-    if (i < 0) { perror("linger"); return(0); }
-    i=0;
-    i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-    if (i < 0) { perror("keepalive"); return(0); }
+        ling.l_onoff=1;
+        ling.l_linger=0;
+        i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
+        if (i < 0) { perror("linger"); return(0); }
+        i=0;
+        i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
+        if (i < 0) { perror("keepalive"); return(0); }
 */
 
     if (host == NULL)
@@ -552,33 +474,6 @@ static int do_accept(int acc_sock, int *sock, char **host)
     return (1);
 }
 
-# ifndef NO_SYS_UN_H
-static int do_accept_unix(int acc_sock, int *sock)
-{
-    int ret;
-
-    if (!ssl_sock_init())
-        return (0);
-
- redoit:
-    ret = accept(acc_sock, NULL, NULL);
-    if (ret == INVALID_SOCKET) {
-        if (errno == EINTR) {
-            /*
-             * check_timeout();
-             */
-            goto redoit;
-        }
-        fprintf(stderr, "errno=%d ", errno);
-        perror("accept");
-        return (0);
-    }
-
-    *sock = ret;
-    return (1);
-}
-# endif
-
 int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
                       short *port_ptr)
 {
@@ -604,7 +499,7 @@ int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
     return (0);
 }
 
-static int host_ip(const char *str, unsigned char ip[4])
+static int host_ip(char *str, unsigned char ip[4])
 {
     unsigned int in[4];
     int i;
@@ -631,7 +526,8 @@ static int host_ip(const char *str, unsigned char ip[4])
             BIO_printf(bio_err, "gethostbyname failure\n");
             goto err;
         }
-        if (he->h_addrtype != AF_INET) {
+        /* cast to short because of win16 winsock definition */
+        if ((short)he->h_addrtype != AF_INET) {
             BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
             return (0);
         }
@@ -645,7 +541,7 @@ static int host_ip(const char *str, unsigned char ip[4])
     return (0);
 }
 
-int extract_port(const char *str, short *port_ptr)
+int extract_port(char *str, short *port_ptr)
 {
     int i;
     struct servent *s;
@@ -674,7 +570,7 @@ static struct ghbn_cache_st {
 static unsigned long ghbn_hits = 0L;
 static unsigned long ghbn_miss = 0L;
 
-static struct hostent *GetHostByName(const char *name)
+static struct hostent *GetHostByName(char *name)
 {
     struct hostent *ret;
     int i, lowi = 0;

apps/s_time.c

@@ -69,6 +69,9 @@
 
 #define USE_SOCKETS
 #include "apps.h"
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/pem.h>
@@ -187,6 +190,7 @@ static void s_time_usage(void)
            SSL_CONNECT_NAME);
 #ifdef FIONBIO
     printf("-nbio         - Run with non-blocking IO\n");
+    printf("-ssl2         - Just use SSLv2\n");
     printf("-ssl3         - Just use SSLv3\n");
     printf("-bugs         - Turn on SSL bug compatibility\n");
     printf("-new          - Just time new connections\n");
@@ -285,6 +289,10 @@ static int parseArgs(int argc, char **argv)
             }
         } else if (strcmp(*argv, "-bugs") == 0)
             st_bugs = 1;
+#ifndef OPENSSL_NO_SSL2
+        else if (strcmp(*argv, "-ssl2") == 0)
+            s_time_meth = SSLv2_client_method();
+#endif
 #ifndef OPENSSL_NO_SSL3
         else if (strcmp(*argv, "-ssl3") == 0)
             s_time_meth = SSLv3_client_method();
@@ -432,6 +440,8 @@ int MAIN(int argc, char **argv)
                 ver = 't';
             else if (ver == SSL3_VERSION)
                 ver = '3';
+            else if (ver == SSL2_VERSION)
+                ver = '2';
             else
                 ver = '*';
         }
@@ -525,6 +535,8 @@ int MAIN(int argc, char **argv)
                 ver = 't';
             else if (ver == SSL3_VERSION)
                 ver = '3';
+            else if (ver == SSL2_VERSION)
+                ver = '2';
             else
                 ver = '*';
         }

apps/sess_id.c

@@ -73,12 +73,12 @@ static const char *sess_id_usage[] = {
     "usage: sess_id args\n",
     "\n",
     " -inform arg     - input format - default PEM (DER or PEM)\n",
-    " -outform arg    - output format - default PEM (PEM, DER or NSS)\n",
+    " -outform arg    - output format - default PEM\n",
     " -in arg         - input file - default stdin\n",
     " -out arg        - output file - default stdout\n",
     " -text           - print ssl session id details\n",
     " -cert           - output certificate \n",
-    " -noout          - no output of encoded session info\n",
+    " -noout          - no CRL output\n",
     " -context arg    - set the session ID context\n",
     NULL
 };
@@ -228,8 +228,6 @@ int MAIN(int argc, char **argv)
             i = i2d_SSL_SESSION_bio(out, x);
         else if (outformat == FORMAT_PEM)
             i = PEM_write_bio_SSL_SESSION(out, x);
-        else if (outformat == FORMAT_NSS)
-            i = SSL_SESSION_print_keylog(out, x);
         else {
             BIO_printf(bio_err, "bad output format specified for outfile\n");
             goto end;

apps/smime.c

@@ -441,8 +441,6 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
-        BIO_printf(bio_err,
-                   "-trusted_first use locally trusted CA's first when building trust chain\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
         BIO_printf(bio_err,
@@ -634,12 +632,6 @@ int MAIN(int argc, char **argv)
             p7 = PKCS7_sign(NULL, NULL, other, in, flags);
             if (!p7)
                 goto end;
-            if (flags & PKCS7_NOCERTS) {
-                for (i = 0; i < sk_X509_num(other); i++) {
-                    X509 *x = sk_X509_value(other, i);
-                    PKCS7_add_certificate(p7, x);
-                }
-            }
         } else
             flags |= PKCS7_REUSE_DIGEST;
         for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {

apps/speed.c

@@ -74,10 +74,9 @@
 #ifndef OPENSSL_NO_SPEED
 
 # undef SECONDS
-# define SECONDS                 3
-# define PRIME_SECONDS   10
-# define RSA_SECONDS             10
-# define DSA_SECONDS             10
+# define SECONDS         3
+# define RSA_SECONDS     10
+# define DSA_SECONDS     10
 # define ECDSA_SECONDS   10
 # define ECDH_SECONDS    10
 
@@ -93,6 +92,9 @@
 # include <string.h>
 # include <math.h>
 # include "apps.h"
+# ifdef OPENSSL_NO_STDIO
+#  define APPS_WIN16
+# endif
 # include <openssl/crypto.h>
 # include <openssl/rand.h>
 # include <openssl/err.h>
@@ -147,7 +149,7 @@
 # ifndef OPENSSL_NO_SHA
 #  include <openssl/sha.h>
 # endif
-# ifndef OPENSSL_NO_RMD160
+# ifndef OPENSSL_NO_RIPEMD
 #  include <openssl/ripemd.h>
 # endif
 # ifndef OPENSSL_NO_WHIRLPOOL
@@ -191,10 +193,26 @@
 # endif
 # include <openssl/modes.h>
 
-# include <openssl/bn.h>
+# ifdef OPENSSL_FIPS
+#  ifdef OPENSSL_DOING_MAKEDEPEND
+#   undef AES_set_encrypt_key
+#   undef AES_set_decrypt_key
+#   undef DES_set_key_unchecked
+#  endif
+#  define BF_set_key      private_BF_set_key
+#  define CAST_set_key    private_CAST_set_key
+#  define idea_set_encrypt_key    private_idea_set_encrypt_key
+#  define SEED_set_key    private_SEED_set_key
+#  define RC2_set_key     private_RC2_set_key
+#  define RC4_set_key     private_RC4_set_key
+#  define DES_set_key_unchecked   private_DES_set_key_unchecked
+#  define AES_set_encrypt_key     private_AES_set_encrypt_key
+#  define AES_set_decrypt_key     private_AES_set_decrypt_key
+#  define Camellia_set_key        private_Camellia_set_key
+# endif
 
 # ifndef HAVE_FORK
-#  if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
+#  if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
 #   define HAVE_FORK 0
 #  else
 #   define HAVE_FORK 1
@@ -208,9 +226,7 @@
 # endif
 
 # undef BUFSIZE
-# define BUFSIZE (1024*8+1)
-# define MAX_MISALIGNMENT 63
-
+# define BUFSIZE ((long)1024*8+1)
 static volatile int run = 0;
 
 static int mr = 0;
@@ -227,8 +243,7 @@ static int do_multi(int multi);
 
 # define ALGOR_NUM       30
 # define SIZE_NUM        5
-# define PRIME_NUM       3
-# define RSA_NUM         7
+# define RSA_NUM         4
 # define DSA_NUM         3
 
 # define EC_NUM       16
@@ -278,6 +293,9 @@ static SIGRETTYPE sig_done(int sig)
 {
     signal(SIGALRM, sig_done);
     run = 0;
+#  ifdef LINT
+    sig = sig;
+#  endif
 }
 # endif
 
@@ -307,10 +325,8 @@ static DWORD WINAPI sleepy(VOID * arg)
 
 static double Time_F(int s)
 {
-    double ret;
-    static HANDLE thr;
-
     if (s == START) {
+        HANDLE thr;
         schlock = 0;
         thr = CreateThread(NULL, 4096, sleepy, NULL, 0, NULL);
         if (thr == NULL) {
@@ -318,26 +334,18 @@ static double Time_F(int s)
             BIO_printf(bio_err, "unable to CreateThread (%d)", ret);
             ExitProcess(ret);
         }
+        CloseHandle(thr);       /* detach the thread */
         while (!schlock)
             Sleep(0);           /* scheduler spinlock */
-        ret = app_tminterval(s, usertime);
-    } else {
-        ret = app_tminterval(s, usertime);
-        if (run)
-            TerminateThread(thr, 0);
-        CloseHandle(thr);
     }
 
-    return ret;
+    return app_tminterval(s, usertime);
 }
 # else
 
 static double Time_F(int s)
 {
-    double ret = app_tminterval(s, usertime);
-    if (s == STOP)
-        alarm(0);
-    return ret;
+    return app_tminterval(s, usertime);
 }
 # endif
 
@@ -358,13 +366,10 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out,
 }
 # endif                         /* OPENSSL_NO_ECDH */
 
-static void multiblock_speed(const EVP_CIPHER *evp_cipher);
-
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
-    unsigned char *buf_malloc = NULL, *buf2_malloc = NULL;
     unsigned char *buf = NULL, *buf2 = NULL;
     int mret = 1;
     long count = 0, save_count = 0;
@@ -401,7 +406,7 @@ int MAIN(int argc, char **argv)
 # ifndef OPENSSL_NO_WHIRLPOOL
     unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH];
 # endif
-# ifndef OPENSSL_NO_RMD160
+# ifndef OPENSSL_NO_RIPEMD
     unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
 # endif
 # ifndef OPENSSL_NO_RC4
@@ -511,19 +516,13 @@ int MAIN(int argc, char **argv)
 # define D_GHASH         29
     double d = 0.0;
     long c[ALGOR_NUM][SIZE_NUM];
-
-# ifndef OPENSSL_SYS_WIN32
-# endif
 # define R_DSA_512       0
 # define R_DSA_1024      1
 # define R_DSA_2048      2
 # define R_RSA_512       0
 # define R_RSA_1024      1
 # define R_RSA_2048      2
-# define R_RSA_3072      3
-# define R_RSA_4096      4
-# define R_RSA_7680      5
-# define R_RSA_15360     6
+# define R_RSA_4096      3
 
 # define R_EC_P160    0
 # define R_EC_P192    1
@@ -546,16 +545,14 @@ int MAIN(int argc, char **argv)
     RSA *rsa_key[RSA_NUM];
     long rsa_c[RSA_NUM][2];
     static unsigned int rsa_bits[RSA_NUM] = {
-        512, 1024, 2048, 3072, 4096, 7680, 15360
+        512, 1024, 2048, 4096
     };
     static unsigned char *rsa_data[RSA_NUM] = {
-        test512, test1024, test2048, test3072, test4096, test7680, test15360
+        test512, test1024, test2048, test4096
     };
     static int rsa_data_length[RSA_NUM] = {
         sizeof(test512), sizeof(test1024),
-        sizeof(test2048), sizeof(test3072),
-        sizeof(test4096), sizeof(test7680),
-        sizeof(test15360)
+        sizeof(test2048), sizeof(test4096)
     };
 # endif
 # ifndef OPENSSL_NO_DSA
@@ -649,8 +646,6 @@ int MAIN(int argc, char **argv)
 # ifndef NO_FORK
     int multi = 0;
 # endif
-    int multiblock = 0;
-    int misalign = MAX_MISALIGNMENT + 1;
 
 # ifndef TIMES
     usertime = -1;
@@ -685,22 +680,15 @@ int MAIN(int argc, char **argv)
         rsa_key[i] = NULL;
 # endif
 
-    if ((buf_malloc =
-         (unsigned char *)OPENSSL_malloc(BUFSIZE + misalign)) == NULL) {
+    if ((buf = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
         BIO_printf(bio_err, "out of memory\n");
         goto end;
     }
-    if ((buf2_malloc =
-         (unsigned char *)OPENSSL_malloc(BUFSIZE + misalign)) == NULL) {
+    if ((buf2 = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
         BIO_printf(bio_err, "out of memory\n");
         goto end;
     }
 
-    misalign = 0;               /* set later and buf/buf2 are adjusted
-                                 * accordingly */
-    buf = buf_malloc;
-    buf2 = buf2_malloc;
-
     memset(c, 0, sizeof(c));
     memset(DES_iv, 0, sizeof(DES_iv));
     memset(iv, 0, sizeof(iv));
@@ -788,26 +776,6 @@ int MAIN(int argc, char **argv)
             mr = 1;
             j--;                /* Otherwise, -mr gets confused with an
                                  * algorithm. */
-        } else if (argc > 0 && !strcmp(*argv, "-mb")) {
-            multiblock = 1;
-            j--;
-        } else if (argc > 0 && !strcmp(*argv, "-misalign")) {
-            argc--;
-            argv++;
-            if (argc == 0) {
-                BIO_printf(bio_err, "no misalignment given\n");
-                goto end;
-            }
-            misalign = atoi(argv[0]);
-            if (misalign < 0 || misalign > MAX_MISALIGNMENT) {
-                BIO_printf(bio_err,
-                           "misalignment is outsize permitted range 0-%d\n",
-                           MAX_MISALIGNMENT);
-                goto end;
-            }
-            buf = buf_malloc + misalign;
-            buf2 = buf2_malloc + misalign;
-            j--;
         } else
 # ifndef OPENSSL_NO_MD2
         if (strcmp(*argv, "md2") == 0)
@@ -856,7 +824,7 @@ int MAIN(int argc, char **argv)
             doit[D_WHIRLPOOL] = 1;
         else
 # endif
-# ifndef OPENSSL_NO_RMD160
+# ifndef OPENSSL_NO_RIPEMD
         if (strcmp(*argv, "ripemd") == 0)
             doit[D_RMD160] = 1;
         else if (strcmp(*argv, "rmd160") == 0)
@@ -927,14 +895,8 @@ int MAIN(int argc, char **argv)
             rsa_doit[R_RSA_1024] = 2;
         else if (strcmp(*argv, "rsa2048") == 0)
             rsa_doit[R_RSA_2048] = 2;
-        else if (strcmp(*argv, "rsa3072") == 0)
-            rsa_doit[R_RSA_3072] = 2;
         else if (strcmp(*argv, "rsa4096") == 0)
             rsa_doit[R_RSA_4096] = 2;
-        else if (strcmp(*argv, "rsa7680") == 0)
-            rsa_doit[R_RSA_7680] = 2;
-        else if (strcmp(*argv, "rsa15360") == 0)
-            rsa_doit[R_RSA_15360] = 2;
         else
 # ifndef OPENSSL_NO_RC2
         if (strcmp(*argv, "rc2-cbc") == 0)
@@ -1009,10 +971,7 @@ int MAIN(int argc, char **argv)
             rsa_doit[R_RSA_512] = 1;
             rsa_doit[R_RSA_1024] = 1;
             rsa_doit[R_RSA_2048] = 1;
-            rsa_doit[R_RSA_3072] = 1;
             rsa_doit[R_RSA_4096] = 1;
-            rsa_doit[R_RSA_7680] = 1;
-            rsa_doit[R_RSA_15360] = 1;
         } else
 # endif
 # ifndef OPENSSL_NO_DSA
@@ -1129,12 +1088,12 @@ int MAIN(int argc, char **argv)
 # ifndef OPENSSL_NO_WHIRLPOOL
             BIO_printf(bio_err, "whirlpool");
 # endif
-# ifndef OPENSSL_NO_RMD160
+# ifndef OPENSSL_NO_RIPEMD160
             BIO_printf(bio_err, "rmd160");
 # endif
 # if !defined(OPENSSL_NO_MD2) || !defined(OPENSSL_NO_MDC2) || \
     !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \
-    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RMD160) || \
+    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \
     !defined(OPENSSL_NO_WHIRLPOOL)
             BIO_printf(bio_err, "\n");
 # endif
@@ -1176,9 +1135,7 @@ int MAIN(int argc, char **argv)
             BIO_printf(bio_err, "\n");
 
 # ifndef OPENSSL_NO_RSA
-            BIO_printf(bio_err,
-                       "rsa512   rsa1024  rsa2048  rsa3072  rsa4096\n");
-            BIO_printf(bio_err, "rsa7680  rsa15360\n");
+            BIO_printf(bio_err, "rsa512   rsa1024  rsa2048  rsa4096\n");
 # endif
 
 # ifndef OPENSSL_NO_DSA
@@ -1252,12 +1209,6 @@ int MAIN(int argc, char **argv)
             BIO_printf(bio_err,
                        "-mr             "
                        "produce machine readable output.\n");
-            BIO_printf(bio_err,
-                       "-mb             "
-                       "perform multi-block benchmark (for specific ciphers)\n");
-            BIO_printf(bio_err,
-                       "-misalign n     "
-                       "perform benchmark with misaligned data\n");
 # ifndef NO_FORK
             BIO_printf(bio_err,
                        "-multi n        " "run n benchmarks in parallel.\n");
@@ -1414,25 +1365,23 @@ int MAIN(int argc, char **argv)
     c[D_IGE_256_AES][0] = count;
     c[D_GHASH][0] = count;
 
+    for (i = 1; i < SIZE_NUM; i++) {
+        c[D_MD2][i] = c[D_MD2][0] * 4 * lengths[0] / lengths[i];
+        c[D_MDC2][i] = c[D_MDC2][0] * 4 * lengths[0] / lengths[i];
+        c[D_MD4][i] = c[D_MD4][0] * 4 * lengths[0] / lengths[i];
+        c[D_MD5][i] = c[D_MD5][0] * 4 * lengths[0] / lengths[i];
+        c[D_HMAC][i] = c[D_HMAC][0] * 4 * lengths[0] / lengths[i];
+        c[D_SHA1][i] = c[D_SHA1][0] * 4 * lengths[0] / lengths[i];
+        c[D_RMD160][i] = c[D_RMD160][0] * 4 * lengths[0] / lengths[i];
+        c[D_SHA256][i] = c[D_SHA256][0] * 4 * lengths[0] / lengths[i];
+        c[D_SHA512][i] = c[D_SHA512][0] * 4 * lengths[0] / lengths[i];
+        c[D_WHIRLPOOL][i] = c[D_WHIRLPOOL][0] * 4 * lengths[0] / lengths[i];
+    }
     for (i = 1; i < SIZE_NUM; i++) {
         long l0, l1;
 
-        l0 = (long)lengths[0];
-        l1 = (long)lengths[i];
-
-        c[D_MD2][i] = c[D_MD2][0] * 4 * l0 / l1;
-        c[D_MDC2][i] = c[D_MDC2][0] * 4 * l0 / l1;
-        c[D_MD4][i] = c[D_MD4][0] * 4 * l0 / l1;
-        c[D_MD5][i] = c[D_MD5][0] * 4 * l0 / l1;
-        c[D_HMAC][i] = c[D_HMAC][0] * 4 * l0 / l1;
-        c[D_SHA1][i] = c[D_SHA1][0] * 4 * l0 / l1;
-        c[D_RMD160][i] = c[D_RMD160][0] * 4 * l0 / l1;
-        c[D_SHA256][i] = c[D_SHA256][0] * 4 * l0 / l1;
-        c[D_SHA512][i] = c[D_SHA512][0] * 4 * l0 / l1;
-        c[D_WHIRLPOOL][i] = c[D_WHIRLPOOL][0] * 4 * l0 / l1;
-
         l0 = (long)lengths[i - 1];
-
+        l1 = (long)lengths[i];
         c[D_RC4][i] = c[D_RC4][i - 1] * l0 / l1;
         c[D_CBC_DES][i] = c[D_CBC_DES][i - 1] * l0 / l1;
         c[D_EDE3_DES][i] = c[D_EDE3_DES][i - 1] * l0 / l1;
@@ -1452,7 +1401,6 @@ int MAIN(int argc, char **argv)
         c[D_IGE_192_AES][i] = c[D_IGE_192_AES][i - 1] * l0 / l1;
         c[D_IGE_256_AES][i] = c[D_IGE_256_AES][i - 1] * l0 / l1;
     }
-
 #   ifndef OPENSSL_NO_RSA
     rsa_c[R_RSA_512][0] = count / 2000;
     rsa_c[R_RSA_512][1] = count / 400;
@@ -1638,7 +1586,8 @@ int MAIN(int argc, char **argv)
             print_message(names[D_MD5], c[D_MD5][j], lengths[j]);
             Time_F(START);
             for (count = 0, run = 1; COND(c[D_MD5][j]); count++)
-                MD5(buf, lengths[j], md5);
+                EVP_Digest(&(buf[0]), (unsigned long)lengths[j], &(md5[0]),
+                           NULL, EVP_get_digestbyname("md5"), NULL);
             d = Time_F(STOP);
             print_result(D_MD5, j, count, d);
         }
@@ -1673,12 +1622,8 @@ int MAIN(int argc, char **argv)
             print_message(names[D_SHA1], c[D_SHA1][j], lengths[j]);
             Time_F(START);
             for (count = 0, run = 1; COND(c[D_SHA1][j]); count++)
-#  if 0
                 EVP_Digest(buf, (unsigned long)lengths[j], &(sha[0]), NULL,
                            EVP_sha1(), NULL);
-#  else
-                SHA1(buf, lengths[j], sha);
-#  endif
             d = Time_F(STOP);
             print_result(D_SHA1, j, count, d);
         }
@@ -1723,7 +1668,7 @@ int MAIN(int argc, char **argv)
     }
 # endif
 
-# ifndef OPENSSL_NO_RMD160
+# ifndef OPENSSL_NO_RIPEMD
     if (doit[D_RMD160]) {
         for (j = 0; j < SIZE_NUM; j++) {
             print_message(names[D_RMD160], c[D_RMD160][j], lengths[j]);
@@ -1996,20 +1941,6 @@ int MAIN(int argc, char **argv)
 # endif
 
     if (doit[D_EVP]) {
-# ifdef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
-        if (multiblock && evp_cipher) {
-            if (!
-                (EVP_CIPHER_flags(evp_cipher) &
-                 EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) {
-                fprintf(stderr, "%s is not multi-block capable\n",
-                        OBJ_nid2ln(evp_cipher->nid));
-                goto end;
-            }
-            multiblock_speed(evp_cipher);
-            mret = 0;
-            goto end;
-        }
-# endif
         for (j = 0; j < SIZE_NUM; j++) {
             if (evp_cipher) {
                 EVP_CIPHER_CTX ctx;
@@ -2061,8 +1992,7 @@ int MAIN(int argc, char **argv)
             print_result(D_EVP, j, count, d);
         }
     }
-# ifndef OPENSSL_SYS_WIN32
-# endif
+
     RAND_pseudo_bytes(buf, 36);
 # ifndef OPENSSL_NO_RSA
     for (j = 0; j < RSA_NUM; j++) {
@@ -2547,10 +2477,10 @@ int MAIN(int argc, char **argv)
 
  end:
     ERR_print_errors(bio_err);
-    if (buf_malloc != NULL)
-        OPENSSL_free(buf_malloc);
-    if (buf2_malloc != NULL)
-        OPENSSL_free(buf2_malloc);
+    if (buf != NULL)
+        OPENSSL_free(buf);
+    if (buf2 != NULL)
+        OPENSSL_free(buf2);
 # ifndef OPENSSL_NO_RSA
     for (i = 0; i < RSA_NUM; i++)
         if (rsa_key[i] != NULL)
@@ -2594,6 +2524,9 @@ static void print_message(const char *s, long num, int length)
                : "Doing %s %ld times on %d size blocks: ", s, num, length);
     (void)BIO_flush(bio_err);
 # endif
+# ifdef LINT
+    num = num;
+# endif
 }
 
 static void pkey_print_message(const char *str, const char *str2, long num,
@@ -2611,6 +2544,9 @@ static void pkey_print_message(const char *str, const char *str2, long num,
                : "Doing %ld %d bit %s %s's: ", num, bits, str, str2);
     (void)BIO_flush(bio_err);
 # endif
+# ifdef LINT
+    num = num;
+# endif
 }
 
 static void print_result(int alg, int run_no, int count, double time_used)
@@ -2718,25 +2654,6 @@ static int do_multi(int multi)
                 k = atoi(sstrsep(&p, sep));
                 sstrsep(&p, sep);
 
-                d = atof(sstrsep(&p, sep));
-                if (n)
-                    rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d);
-                else
-                    rsa_results[k][0] = d;
-
-                d = atof(sstrsep(&p, sep));
-                if (n)
-                    rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d);
-                else
-                    rsa_results[k][1] = d;
-            } else if (!strncmp(buf, "+F2:", 4)) {
-                int k;
-                double d;
-
-                p = buf + 4;
-                k = atoi(sstrsep(&p, sep));
-                sstrsep(&p, sep);
-
                 d = atof(sstrsep(&p, sep));
                 if (n)
                     rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d);
@@ -2825,104 +2742,4 @@ static int do_multi(int multi)
     return 1;
 }
 # endif
-
-static void multiblock_speed(const EVP_CIPHER *evp_cipher)
-{
-    static int mblengths[] =
-        { 8 * 1024, 2 * 8 * 1024, 4 * 8 * 1024, 8 * 8 * 1024, 8 * 16 * 1024 };
-    int j, count, num = sizeof(lengths) / sizeof(lengths[0]);
-    const char *alg_name;
-    unsigned char *inp, *out, no_key[32], no_iv[16];
-    EVP_CIPHER_CTX ctx;
-    double d = 0.0;
-
-    inp = OPENSSL_malloc(mblengths[num - 1]);
-    out = OPENSSL_malloc(mblengths[num - 1] + 1024);
-
-    EVP_CIPHER_CTX_init(&ctx);
-    EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv);
-    EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key),
-                        no_key);
-    alg_name = OBJ_nid2ln(evp_cipher->nid);
-
-    for (j = 0; j < num; j++) {
-        print_message(alg_name, 0, mblengths[j]);
-        Time_F(START);
-        for (count = 0, run = 1; run && count < 0x7fffffff; count++) {
-            unsigned char aad[13];
-            EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
-            size_t len = mblengths[j];
-            int packlen;
-
-            memset(aad, 0, 8);  /* avoid uninitialized values */
-            aad[8] = 23;        /* SSL3_RT_APPLICATION_DATA */
-            aad[9] = 3;         /* version */
-            aad[10] = 2;
-            aad[11] = 0;        /* length */
-            aad[12] = 0;
-            mb_param.out = NULL;
-            mb_param.inp = aad;
-            mb_param.len = len;
-            mb_param.interleave = 8;
-
-            packlen = EVP_CIPHER_CTX_ctrl(&ctx,
-                                          EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
-                                          sizeof(mb_param), &mb_param);
-
-            if (packlen > 0) {
-                mb_param.out = out;
-                mb_param.inp = inp;
-                mb_param.len = len;
-                EVP_CIPHER_CTX_ctrl(&ctx,
-                                    EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
-                                    sizeof(mb_param), &mb_param);
-            } else {
-                int pad;
-
-                RAND_bytes(out, 16);
-                len += 16;
-                aad[11] = len >> 8;
-                aad[12] = len;
-                pad = EVP_CIPHER_CTX_ctrl(&ctx,
-                                          EVP_CTRL_AEAD_TLS1_AAD, 13, aad);
-                EVP_Cipher(&ctx, out, inp, len + pad);
-            }
-        }
-        d = Time_F(STOP);
-        BIO_printf(bio_err,
-                   mr ? "+R:%d:%s:%f\n"
-                   : "%d %s's in %.2fs\n", count, "evp", d);
-        results[D_EVP][j] = ((double)count) / d * mblengths[j];
-    }
-
-    if (mr) {
-        fprintf(stdout, "+H");
-        for (j = 0; j < num; j++)
-            fprintf(stdout, ":%d", mblengths[j]);
-        fprintf(stdout, "\n");
-        fprintf(stdout, "+F:%d:%s", D_EVP, alg_name);
-        for (j = 0; j < num; j++)
-            fprintf(stdout, ":%.2f", results[D_EVP][j]);
-        fprintf(stdout, "\n");
-    } else {
-        fprintf(stdout,
-                "The 'numbers' are in 1000s of bytes per second processed.\n");
-        fprintf(stdout, "type                    ");
-        for (j = 0; j < num; j++)
-            fprintf(stdout, "%7d bytes", mblengths[j]);
-        fprintf(stdout, "\n");
-        fprintf(stdout, "%-24s", alg_name);
-
-        for (j = 0; j < num; j++) {
-            if (results[D_EVP][j] > 10000)
-                fprintf(stdout, " %11.2fk", results[D_EVP][j] / 1e3);
-            else
-                fprintf(stdout, " %11.2f ", results[D_EVP][j]);
-        }
-        fprintf(stdout, "\n");
-    }
-
-    OPENSSL_free(inp);
-    OPENSSL_free(out);
-}
 #endif

apps/srp.c

@@ -85,7 +85,7 @@
 static char *srp_usage[] = {
     "usage: srp [args] [user] \n",
     "\n",
-    " -verbose        Talk a lot while doing things\n",
+    " -verbose        Talk alot while doing things\n",
     " -config file    A config file\n",
     " -name arg       The particular srp definition to use\n",
     " -srpvfile arg   The srp verifier file name\n",
@@ -198,7 +198,7 @@ static int update_index(CA_DB *db, BIO *bio, char **row)
     return 1;
 }
 
-static void lookup_fail(const char *name, const char *tag)
+static void lookup_fail(const char *name, char *tag)
 {
     BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
 }
@@ -217,17 +217,14 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
 
     if (password_callback(password, 1024, 0, &cb_tmp) > 0) {
         VERBOSE BIO_printf(bio,
-                           "Validating\n"
-                           " user=\"%s\"\n"
-                           " srp_verifier=\"%s\"\n"
-                           " srp_usersalt=\"%s\"\n"
-                           " g=\"%s\"\n N=\"%s\"\n",
+                           "Validating\n   user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
                            user, srp_verifier, srp_usersalt, g, N);
         BIO_printf(bio, "Pass %s\n", password);
 
-        OPENSSL_assert(srp_usersalt != NULL);
-        if (!(gNid = SRP_create_verifier(user, password, &srp_usersalt,
-                                         &verifier, N, g))) {
+        if (!
+            (gNid =
+             SRP_create_verifier(user, password, &srp_usersalt, &verifier, N,
+                                 g))) {
             BIO_printf(bio, "Internal error validating SRP verifier\n");
         } else {
             if (strcmp(verifier, srp_verifier))
@@ -251,11 +248,12 @@ static char *srp_create_user(char *user, char **srp_verifier,
 
     if (password_callback(password, 1024, 1, &cb_tmp) > 0) {
         VERBOSE BIO_printf(bio,
-                           "Creating\n"
-                           " user=\"%s\"\n"
-                           " g=\"%s\"\n" " N=\"%s\"\n", user, g, N);
-        if (!(gNid = SRP_create_verifier(user, password, &salt,
-                                         srp_verifier, N, g))) {
+                           "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",
+                           user, g, N);
+        if (!
+            (gNid =
+             SRP_create_verifier(user, password, &salt, srp_verifier, N,
+                                 g))) {
             BIO_printf(bio, "Internal error creating SRP verifier\n");
         } else
             *srp_usersalt = salt;
@@ -384,13 +382,13 @@ int MAIN(int argc, char **argv)
         badops = 1;
     }
     if (add_user + delete_user + modify_user + list_user != 1) {
-        BIO_printf(bio_err, "Exactly one of the options "
-                   "-add, -delete, -modify -list must be specified.\n");
+        BIO_printf(bio_err,
+                   "Exactly one of the options -add, -delete, -modify -list must be specified.\n");
         badops = 1;
     }
     if (delete_user + modify_user + delete_user == 1 && argc <= 0) {
-        BIO_printf(bio_err, "Need at least one user for options "
-                   "-add, -delete, -modify. \n");
+        BIO_printf(bio_err,
+                   "Need at least one user for options -add, -delete, -modify. \n");
         badops = 1;
     }
     if ((passin || passout) && argc != 1) {
@@ -573,15 +571,16 @@ int MAIN(int argc, char **argv)
                 row[DB_srpverifier] = NULL;
                 row[DB_srpsalt] = NULL;
                 row[DB_srpinfo] = NULL;
-                if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]),
-                                             &(row[DB_srpsalt]),
-                                             gNrow ? gNrow[DB_srpsalt] : gN,
-                                             gNrow ? gNrow[DB_srpverifier] :
-                                             NULL, passout, bio_err,
-                                             verbose))) {
+                if (!
+                    (gNid =
+                     srp_create_user(user, &(row[DB_srpverifier]),
+                                     &(row[DB_srpsalt]),
+                                     gNrow ? gNrow[DB_srpsalt] : gN,
+                                     gNrow ? gNrow[DB_srpverifier] : NULL,
+                                     passout, bio_err, verbose))) {
                     BIO_printf(bio_err,
-                               "Cannot create srp verifier for user \"%s\","
-                               " operation abandoned .\n", user);
+                               "Cannot create srp verifier for user \"%s\", operation abandoned .\n",
+                               user);
                     errors++;
                     goto err;
                 }
@@ -590,9 +589,13 @@ int MAIN(int argc, char **argv)
                 row[DB_srpgN] = BUF_strdup(gNid);
 
                 if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype]
-                    || !row[DB_srpverifier] || !row[DB_srpsalt]
-                    || (userinfo
-                        && (!(row[DB_srpinfo] = BUF_strdup(userinfo))))
+                    || !row[DB_srpverifier] || !row[DB_srpsalt] || (userinfo
+                                                                    &&
+                                                                    (!(row
+                                                                       [DB_srpinfo]
+                                                                       =
+                                                                       BUF_strdup
+                                                                       (userinfo))))
                     || !update_index(db, bio_err, row)) {
                     if (row[DB_srpid])
                         OPENSSL_free(row[DB_srpid]);
@@ -638,8 +641,9 @@ int MAIN(int argc, char **argv)
                         if ((user_gN =
                              get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
                             irow =
-                                sk_OPENSSL_PSTRING_value(db->db->data,
-                                                         userindex);
+                                (char **)sk_OPENSSL_PSTRING_value(db->
+                                                                  db->data,
+                                                                  userindex);
 
                         if (!srp_verify_user
                             (user, row[DB_srpverifier], row[DB_srpsalt],
@@ -657,16 +661,16 @@ int MAIN(int argc, char **argv)
                                        "Password for user \"%s\" ok.\n",
                                        user);
 
-                    if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]),
-                                                 &(row[DB_srpsalt]),
-                                                 gNrow ? gNrow[DB_srpsalt] :
-                                                 NULL,
-                                                 gNrow ? gNrow[DB_srpverifier]
-                                                 : NULL, passout, bio_err,
-                                                 verbose))) {
+                    if (!
+                        (gNid =
+                         srp_create_user(user, &(row[DB_srpverifier]),
+                                         &(row[DB_srpsalt]),
+                                         gNrow ? gNrow[DB_srpsalt] : NULL,
+                                         gNrow ? gNrow[DB_srpverifier] : NULL,
+                                         passout, bio_err, verbose))) {
                         BIO_printf(bio_err,
-                                   "Cannot create srp verifier for user \"%s\","
-                                   " operation abandoned.\n", user);
+                                   "Cannot create srp verifier for user \"%s\", operation abandoned.\n",
+                                   user);
                         errors++;
                         goto err;
                     }

apps/ts.c

@@ -105,7 +105,7 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
                                 char *queryfile, char *passin, char *inkey,
                                 char *signer, char *chain,
                                 const char *policy);
-static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
+static ASN1_INTEGER *MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
 static ASN1_INTEGER *next_serial(const char *serialfile);
 static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
 
@@ -118,7 +118,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                                         char *ca_path, char *ca_file,
                                         char *untrusted);
 static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
-static int verify_cb(int ok, X509_STORE_CTX *ctx);
+static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx);
 
 /* Main function definition. */
 int MAIN(int, char **);
@@ -591,8 +591,7 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
         while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
             EVP_DigestUpdate(&md_ctx, buffer, length);
         }
-        if (!EVP_DigestFinal(&md_ctx, *md_value, NULL))
-            return 0;
+        EVP_DigestFinal(&md_ctx, *md_value, NULL);
     } else {
         /* Digest bytes are specified with digest. */
         long digest_len;
@@ -859,7 +858,7 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
     return response;
 }
 
-static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data)
+static ASN1_INTEGER *MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data)
 {
     const char *serial_file = (const char *)data;
     ASN1_INTEGER *serial = next_serial(serial_file);
@@ -1100,21 +1099,21 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
     return NULL;
 }
 
-static int verify_cb(int ok, X509_STORE_CTX *ctx)
+static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx)
 {
-    /*-
-    char buf[256];
+        /*-
+        char buf[256];
 
-    if (!ok)
-            {
-            X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
-                              buf, sizeof(buf));
-            printf("%s\n", buf);
-            printf("error %d at %d depth lookup: %s\n",
-                   ctx->error, ctx->error_depth,
-                    X509_verify_cert_error_string(ctx->error));
-            }
-    */
+        if (!ok)
+                {
+                X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
+                                  buf, sizeof(buf));
+                printf("%s\n", buf);
+                printf("error %d at %d depth lookup: %s\n",
+                       ctx->error, ctx->error_depth,
+                        X509_verify_cert_error_string(ctx->error));
+                }
+        */
 
     return ok;
 }

apps/tsget

@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 # Written by Zoltan Glozik <zglozik@stones.com>.
 # Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
-$::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $';
+$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $';
 
 use strict;
 use IO::Handle;

apps/verify.c

@@ -69,10 +69,10 @@
 #undef PROG
 #define PROG    verify_main
 
-static int cb(int ok, X509_STORE_CTX *ctx);
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
 static int check(X509_STORE *ctx, char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
-                 STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain);
+                 STACK_OF(X509_CRL) *crls, ENGINE *e);
 static int v_verbose = 0, vflags = 0;
 
 int MAIN(int, char **);
@@ -88,7 +88,6 @@ int MAIN(int argc, char **argv)
     X509_STORE *cert_ctx = NULL;
     X509_LOOKUP *lookup = NULL;
     X509_VERIFY_PARAM *vpm = NULL;
-    int crl_download = 0, show_chain = 0;
 #ifndef OPENSSL_NO_ENGINE
     char *engine = NULL;
 #endif
@@ -137,10 +136,7 @@ int MAIN(int argc, char **argv)
                 if (argc-- < 1)
                     goto end;
                 crlfile = *(++argv);
-            } else if (strcmp(*argv, "-crl_download") == 0)
-                crl_download = 1;
-            else if (strcmp(*argv, "-show_chain") == 0)
-                show_chain = 1;
+            }
 #ifndef OPENSSL_NO_ENGINE
             else if (strcmp(*argv, "-engine") == 0) {
                 if (--argc < 1)
@@ -217,26 +213,21 @@ int MAIN(int argc, char **argv)
             goto end;
     }
 
-    if (crl_download)
-        store_setup_crl_download(cert_ctx);
-
     ret = 0;
     if (argc < 1) {
-        if (1 !=
-            check(cert_ctx, NULL, untrusted, trusted, crls, e, show_chain))
+        if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
             ret = -1;
     } else {
         for (i = 0; i < argc; i++)
-            if (1 !=
-                check(cert_ctx, argv[i], untrusted, trusted, crls, e,
-                      show_chain))
+            if (1 != check(cert_ctx, argv[i], untrusted, trusted, crls, e))
                 ret = -1;
     }
 
  end:
     if (ret == 1) {
         BIO_printf(bio_err,
-                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+        BIO_printf(bio_err, " [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err, " [-engine e]");
 #endif
@@ -250,15 +241,6 @@ int MAIN(int argc, char **argv)
                        X509_PURPOSE_get0_sname(ptmp),
                        X509_PURPOSE_get0_name(ptmp));
         }
-
-        BIO_printf(bio_err, "recognized verify names:\n");
-        for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) {
-            const X509_VERIFY_PARAM *vptmp;
-            vptmp = X509_VERIFY_PARAM_get0(i);
-            BIO_printf(bio_err, "\t%-10s\n",
-                       X509_VERIFY_PARAM_get0_name(vptmp));
-        }
-
     }
     if (vpm)
         X509_VERIFY_PARAM_free(vpm);
@@ -273,12 +255,11 @@ int MAIN(int argc, char **argv)
 
 static int check(X509_STORE *ctx, char *file,
                  STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
-                 STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain)
+                 STACK_OF(X509_CRL) *crls, ENGINE *e)
 {
     X509 *x = NULL;
     int i = 0, ret = 0;
     X509_STORE_CTX *csc;
-    STACK_OF(X509) *chain = NULL;
 
     x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
     if (x == NULL)
@@ -300,8 +281,6 @@ static int check(X509_STORE *ctx, char *file,
     if (crls)
         X509_STORE_CTX_set0_crls(csc, crls);
     i = X509_verify_cert(csc);
-    if (i > 0 && show_chain)
-        chain = X509_STORE_CTX_get1_chain(csc);
     X509_STORE_CTX_free(csc);
 
     ret = 0;
@@ -311,25 +290,13 @@ static int check(X509_STORE *ctx, char *file,
         ret = 1;
     } else
         ERR_print_errors(bio_err);
-    if (chain) {
-        printf("Chain:\n");
-        for (i = 0; i < sk_X509_num(chain); i++) {
-            X509 *cert = sk_X509_value(chain, i);
-            printf("depth=%d: ", i);
-            X509_NAME_print_ex_fp(stdout,
-                                  X509_get_subject_name(cert),
-                                  0, XN_FLAG_ONELINE);
-            printf("\n");
-        }
-        sk_X509_pop_free(chain, X509_free);
-    }
     if (x != NULL)
         X509_free(x);
 
     return (ret);
 }
 
-static int cb(int ok, X509_STORE_CTX *ctx)
+static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 {
     int cert_error = X509_STORE_CTX_get_error(ctx);
     X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);

apps/x509.c

@@ -60,6 +60,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#ifdef OPENSSL_NO_STDIO
+# define APPS_WIN16
+#endif
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/asn1.h>
@@ -147,13 +150,10 @@ static const char *x509_usage[] = {
     " -engine e       - use engine e, possibly a hardware device.\n",
 #endif
     " -certopt arg    - various certificate text options\n",
-    " -checkhost host - check certificate matches \"host\"\n",
-    " -checkemail email - check certificate matches \"email\"\n",
-    " -checkip ipaddr - check certificate matches \"ipaddr\"\n",
     NULL
 };
 
-static int callb(int ok, X509_STORE_CTX *ctx);
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
                 const EVP_MD *digest, CONF *conf, char *section);
 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
@@ -163,9 +163,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                         char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile = 0;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-static int force_version = 2;
-#endif
 
 int MAIN(int, char **);
 
@@ -177,16 +174,15 @@ int MAIN(int argc, char **argv)
     X509 *x = NULL, *xca = NULL;
     ASN1_OBJECT *objtmp;
     STACK_OF(OPENSSL_STRING) *sigopts = NULL;
-    EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
+    EVP_PKEY *Upkey = NULL, *CApkey = NULL;
     ASN1_INTEGER *sno = NULL;
-    int i, num, badops = 0, badsig = 0;
+    int i, num, badops = 0;
     BIO *out = NULL;
     BIO *STDout = NULL;
     STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
     int informat, outformat, keyformat, CAformat, CAkeyformat;
     char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
     char *CAkeyfile = NULL, *CAserial = NULL;
-    char *fkeyfile = NULL;
     char *alias = NULL;
     int text = 0, serial = 0, subject = 0, issuer = 0, startdate =
         0, enddate = 0;
@@ -212,9 +208,6 @@ int MAIN(int argc, char **argv)
     int need_rand = 0;
     int checkend = 0, checkoffset = 0;
     unsigned long nmflag = 0, certflag = 0;
-    char *checkhost = NULL;
-    char *checkemail = NULL;
-    char *checkip = NULL;
 #ifndef OPENSSL_NO_ENGINE
     char *engine = NULL;
 #endif
@@ -281,15 +274,7 @@ int MAIN(int argc, char **argv)
                 sigopts = sk_OPENSSL_STRING_new_null();
             if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
                 goto bad;
-        }
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        else if (strcmp(*argv, "-force_version") == 0) {
-            if (--argc < 1)
-                goto bad;
-            force_version = atoi(*(++argv)) - 1;
-        }
-#endif
-        else if (strcmp(*argv, "-days") == 0) {
+        } else if (strcmp(*argv, "-days") == 0) {
             if (--argc < 1)
                 goto bad;
             days = atoi(*(++argv));
@@ -342,10 +327,6 @@ int MAIN(int argc, char **argv)
                 goto bad;
             if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
                 goto bad;
-        } else if (strcmp(*argv, "-force_pubkey") == 0) {
-            if (--argc < 1)
-                goto bad;
-            fkeyfile = *(++argv);
         } else if (strcmp(*argv, "-addtrust") == 0) {
             if (--argc < 1)
                 goto bad;
@@ -443,18 +424,6 @@ int MAIN(int argc, char **argv)
                 goto bad;
             checkoffset = atoi(*(++argv));
             checkend = 1;
-        } else if (strcmp(*argv, "-checkhost") == 0) {
-            if (--argc < 1)
-                goto bad;
-            checkhost = *(++argv);
-        } else if (strcmp(*argv, "-checkemail") == 0) {
-            if (--argc < 1)
-                goto bad;
-            checkemail = *(++argv);
-        } else if (strcmp(*argv, "-checkip") == 0) {
-            if (--argc < 1)
-                goto bad;
-            checkip = *(++argv);
         } else if (strcmp(*argv, "-noout") == 0)
             noout = ++num;
         else if (strcmp(*argv, "-trustout") == 0)
@@ -478,8 +447,6 @@ int MAIN(int argc, char **argv)
 #endif
         else if (strcmp(*argv, "-ocspid") == 0)
             ocspid = ++num;
-        else if (strcmp(*argv, "-badsig") == 0)
-            badsig = 1;
         else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
             /* ok */
             digest = md_alg;
@@ -517,13 +484,6 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (fkeyfile) {
-        fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
-                           NULL, e, "Forced key");
-        if (fkey == NULL)
-            goto end;
-    }
-
     if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
         CAkeyfile = CAfile;
     } else if ((CA_flag) && (CAkeyfile == NULL)) {
@@ -645,13 +605,10 @@ int MAIN(int argc, char **argv)
 
         X509_gmtime_adj(X509_get_notBefore(x), 0);
         X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
-        if (fkey)
-            X509_set_pubkey(x, fkey);
-        else {
-            pkey = X509_REQ_get_pubkey(req);
-            X509_set_pubkey(x, pkey);
-            EVP_PKEY_free(pkey);
-        }
+
+        pkey = X509_REQ_get_pubkey(req);
+        X509_set_pubkey(x, pkey);
+        EVP_PKEY_free(pkey);
     } else
         x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
 
@@ -975,16 +932,11 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    print_cert_checks(STDout, x, checkhost, checkemail, checkip);
-
     if (noout) {
         ret = 0;
         goto end;
     }
 
-    if (badsig)
-        x->signature->data[x->signature->length - 1] ^= 0x1;
-
     if (outformat == FORMAT_ASN1)
         i = i2d_X509_bio(out, x);
     else if (outformat == FORMAT_PEM) {
@@ -1025,7 +977,6 @@ int MAIN(int argc, char **argv)
     X509_free(xca);
     EVP_PKEY_free(Upkey);
     EVP_PKEY_free(CApkey);
-    EVP_PKEY_free(fkey);
     if (sigopts)
         sk_OPENSSL_STRING_free(sigopts);
     X509_REQ_free(rq);
@@ -1145,11 +1096,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 
     if (conf) {
         X509V3_CTX ctx2;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx2, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1168,7 +1115,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
     return ret;
 }
 
-static int callb(int ok, X509_STORE_CTX *ctx)
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 {
     int err;
     X509 *err_cert;
@@ -1234,11 +1181,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
     }
     if (conf) {
         X509V3_CTX ctx;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))

bugs/dggccbug.c

@@ -0,0 +1,45 @@
+/* NOCW */
+/* dggccbug.c */
+/* bug found by Eric Young (eay@cryptsoft.com) - May 1995 */
+
+#include <stdio.h>
+
+/*
+ * There is a bug in gcc version 2.5.8 (88open OCS/BCS, DG-2.5.8.3, Oct 14
+ * 1994) as shipped with DGUX 5.4R3.10 that can be bypassed by defining
+ * DG_GCC_BUG in my code. The bug manifests itself by the vaule of a pointer
+ * that is used only by reference, not having it's value change when it is
+ * used to check for exiting the loop.  Probably caused by there being 2
+ * copies of the valiable, one in a register and one being an address that is
+ * passed.
+ */
+
+/*-
+ * compare the out put from
+ * gcc dggccbug.c; ./a.out
+ * and
+ * gcc -O dggccbug.c; ./a.out
+ * compile with -DFIXBUG to remove the bug when optimising.
+ */
+
+void inc(a)
+int *a;
+{
+    (*a)++;
+}
+
+main()
+{
+    int p = 0;
+#ifdef FIXBUG
+    int dummy;
+#endif
+
+    while (p < 3) {
+        fprintf(stderr, "%08X\n", p);
+        inc(&p);
+#ifdef FIXBUG
+        dummy += p;
+#endif
+    }
+}

bugs/sslref.dif

@@ -17,10 +17,10 @@ is returned as 1.
 =====
 I have not tested the following but it is reported by holtzman@mit.edu.
 
-SSLref clients wait to receive a server-verify before they send a
+SSLref clients wait to recieve a server-verify before they send a
 client-finished.  Besides this not being evident from the examples in
 2.2.1, it makes more sense to always send all packets you can before
-reading.  SSLeay was waiting in the server to receive a client-finish
+reading.  SSLeay was waiting in the server to recieve a client-finish
 before sending the server-verify :-).  I have changed SSLeay to send a
 server-verify before trying to read the client-finished.
 

config

@@ -102,6 +102,10 @@ fi
 # Now we simply scan though... In most cases, the SYSTEM info is enough
 #
 case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
+    MPE/iX:*)
+	MACHINE=`echo "$MACHINE" | sed -e 's/-/_/g'`
+	echo "parisc-hp-MPE/iX"; exit 0
+	;;
     A/UX:*)
 	echo "m68k-apple-aux3"; exit 0
 	;;
@@ -118,6 +122,18 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-ibm-aix3"; exit 0
 	;;
 
+    BeOS:*:BePC)
+    if [ -e /boot/develop/headers/be/bone ]; then
+		echo "beos-x86-bone"; exit 0
+	else
+		echo "beos-x86-r5"; exit 0
+	fi
+	;;
+
+    dgux:*)
+	echo "${MACHINE}-dg-dgux"; exit 0
+	;;
+
     HI-UX:*)
 	echo "${MACHINE}-hi-hiux"; exit 0
 	;;
@@ -304,6 +320,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-unknown-ultrix"; exit 0
 	;;
 
+    SINIX*|ReliantUNIX*)
+	echo "${MACHINE}-siemens-sysv4"; exit 0
+	;;
+
     POSIX-BC*)
 	echo "${MACHINE}-siemens-sysv4"; exit 0   # Here, $MACHINE == "BS2000"
 	;;
@@ -320,6 +340,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-v11-${SYSTEM}"; exit 0;
 	;;
 
+    NEWS-OS:4.*)
+	echo "mips-sony-newsos4"; exit 0;
+	;;
+
     MINGW*)
 	echo "${MACHINE}-whatever-mingw"; exit 0;
 	;;
@@ -335,6 +359,18 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	exit 0
 	;;
 
+    *"CRAY T3E")
+       echo "t3e-cray-unicosmk"; exit 0;
+       ;;
+
+    *CRAY*)
+       echo "j90-cray-unicos"; exit 0;
+       ;;
+
+    NONSTOP_KERNEL*)
+       echo "nsr-tandem-nsk"; exit 0;
+       ;;
+
     vxworks*)
        echo "${MACHINE}-whatever-vxworks"; exit 0;
        ;;
@@ -346,7 +382,7 @@ esac
 #
 
 # Do the Apollo stuff first. Here, we just simply assume
-# that the existence of the /usr/apollo directory is proof
+# that the existance of the /usr/apollo directory is proof
 # enough
 if [ -d /usr/apollo ]; then
     echo "whatever-apollo-whatever"
@@ -536,8 +572,6 @@ case "$GUESSOS" in
   *-*-iphoneos)
 	options="$options -arch%20${MACHINE}"
 	OUT="iphoneos-cross" ;;
-  arm64-*-iphoneos|*-*-ios64)
-	OUT="ios64-cross" ;;
   alpha-*-linux2)
         ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
 	case ${ISA:-generic} in
@@ -553,33 +587,15 @@ case "$GUESSOS" in
 	fi
 	;;
   ppc64-*-linux2)
-	if [ -z "$KERNEL_BITS" ]; then
-	    echo "WARNING! If you wish to build 64-bit library, then you have to"
-	    echo "         invoke './Configure linux-ppc64' *manually*."
-	    if [ "$TEST" = "false" -a -t 1 ]; then
-		echo "         You have about 5 seconds to press Ctrl-C to abort."
-		(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
-	    fi
-	fi
-	if [ "$KERNEL_BITS" = "64" ]; then
-	    OUT="linux-ppc64"
-	else
-	    OUT="linux-ppc"
-	    (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
-	fi
-	;;
-  ppc64le-*-linux2) OUT="linux-ppc64le" ;;
-  ppc-*-linux2) OUT="linux-ppc" ;;
-  mips64*-*-linux2)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
-	echo "         invoke './Configure linux64-mips64' *manually*."
+	echo "         invoke './Configure linux-ppc64' *manually*."
 	if [ "$TEST" = "false" -a -t 1 ]; then
 	    echo "         You have about 5 seconds to press Ctrl-C to abort."
 	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
-	OUT="linux-mips64"
+	OUT="linux-ppc"
 	;;
-  mips*-*-linux2) OUT="linux-mips32" ;;
+  ppc-*-linux2) OUT="linux-ppc" ;;
   ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
   ppcgen-*-vxworks*) OUT="vxworks-ppcgen" ;;
   pentium-*-vxworks*) OUT="vxworks-pentium" ;;
@@ -628,7 +644,6 @@ case "$GUESSOS" in
   armv[1-3]*-*-linux2) OUT="linux-generic32" ;;
   armv[7-9]*-*-linux2) OUT="linux-armv4"; options="$options -march=armv7-a" ;;
   arm*-*-linux2) OUT="linux-armv4" ;;
-  aarch64-*-linux2) OUT="linux-aarch64" ;;
   sh*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
   sh*-*-linux2)  OUT="linux-generic32"; options="$options -DL_ENDIAN" ;;
   m68k*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
@@ -748,6 +763,8 @@ case "$GUESSOS" in
 	EXE=".pm"
 	OUT="vos-$CC" ;;
   BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
+  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
+  *-siemens-sysv4) OUT="SINIX" ;;
   *-hpux1*)
 	if [ $CC = "gcc" -a $GCC_BITS = "64" ]; then
 	    OUT="hpux64-parisc2-gcc"
@@ -813,8 +830,14 @@ case "$GUESSOS" in
 	fi
 	;;
   # these are all covered by the catchall below
+  # *-dgux) OUT="dgux" ;;
+  mips-sony-newsos4) OUT="newsos4-gcc" ;;
   *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
   *-*-cygwin) OUT="Cygwin" ;;
+  t3e-cray-unicosmk) OUT="cray-t3e" ;;
+  j90-cray-unicos) OUT="cray-j90" ;;
+  nsr-tandem-nsk) OUT="tandem-c89" ;;
+  beos-*) OUT="$GUESSOS" ;;
   x86pc-*-qnx6) OUT="QNX6-i386" ;;
   *-*-qnx6) OUT="QNX6" ;;
   x86-*-android|i?86-*-android) OUT="android-x86" ;;
@@ -822,7 +845,7 @@ case "$GUESSOS" in
   *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 
-# NB: This atalla support has been superseded by the ENGINE support
+# NB: This atalla support has been superceded by the ENGINE support
 # That contains its own header and definitions anyway. Support can
 # be enabled or disabled on any supported platform without external
 # headers, eg. by adding the "hw-atalla" switch to ./config or
@@ -834,10 +857,6 @@ esac
 #  options="$options -DATALLA"
 #fi
 
-if [ -n "$CONFIG_OPTIONS" ]; then
-  options="$options $CONFIG_OPTIONS"
-fi
-
 if expr "$options" : '.*no\-asm' > /dev/null; then :; else
   sh -c "$CROSS_COMPILE${CC:-gcc} -Wa,--help -c -o /tmp/null.$$.o -x assembler /dev/null && rm /tmp/null.$$.o" 2>&1 | \
   grep \\--noexecstack >/dev/null && \

crypto/.cvsignore

@@ -0,0 +1,8 @@
+lib
+buildinf.h
+opensslconf.h
+Makefile.save
+*.flc
+semantic.cache
+*cpuid.s
+uplink-cof.s

crypto/Makefile

@@ -7,7 +7,7 @@ TOP=		..
 CC=		cc
 INCLUDE=	-I. -I$(TOP) -I../include $(ZLIB_INCLUDE)
 # INCLUDES targets sudbirs!
-INCLUDES=	-I.. -I../.. -I../modes -I../asn1 -I../evp -I../include -I../../include $(ZLIB_INCLUDE)
+INCLUDES=	-I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include $(ZLIB_INCLUDE)
 CFLAG=		-g
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
@@ -36,17 +36,15 @@ TEST=constant_time_test.c
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
 LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
-	ebcdic.c uid.c o_time.c o_str.c o_dir.c thr_id.c lock.c fips_ers.c \
-	o_init.c o_fips.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
-	ebcdic.o uid.o o_time.o o_str.o o_dir.o thr_id.o lock.o fips_ers.o \
-	o_init.o o_fips.o $(CPUID_OBJ)
+	ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
+	uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
 
 SRC= $(LIBSRC)
 
 EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_str.h o_dir.h \
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
 	constant_time_locl.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@@ -56,13 +54,6 @@ top:
 
 all: shared
 
-fips: cryptlib.o thr_id.o uid.o $(CPUID_OBJ)
-	[ -n "$(SDIRS)" ] && for i in $(SDIRS) ; do \
-		    ( obj=`$(PERL) $(TOP)/util/fipsobj.pl $$i` && \
-			cd $$i && echo "making fips in $(DIR)/$$i..." && \
-		    $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='$(INCLUDES)' $$obj ) || exit 1; \
-		done;
-
 buildinf.h: ../Makefile
 	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
@@ -78,20 +69,26 @@ uplink.o:	$(TOP)/ms/uplink.c applink.o
 uplink-x86.s:	$(TOP)/ms/uplink-x86.pl
 	$(PERL) $(TOP)/ms/uplink-x86.pl $(PERLASM_SCHEME) > $@
 
-x86_64cpuid.s:	x86_64cpuid.pl;	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
-ia64cpuid.s:	ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
+x86_64cpuid.s: x86_64cpuid.pl;	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
+ia64cpuid.s: ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:	pariscid.pl;	$(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:	alphacpuid.pl
-	(preproc=$$$$.$@.S; trap "rm $$preproc" INT; \
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
 	$(PERL) alphacpuid.pl > $$preproc && \
-	$(CC) -E -P $$preproc > $@ && rm $$preproc)
+	$(CC) -E $$preproc > $@ && rm $$preproc)
+
+testapps:
+	[ -z "$(THIS)" ] || (	if echo $(SDIRS) | fgrep ' des '; \
+				then cd des && $(MAKE) -e des; fi )
+	[ -z "$(THIS)" ] || ( cd pkcs7 && $(MAKE) -e testapps );
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
 subdirs:
 	@target=all; $(RECURSIVE_MAKE)
 
 files:
-	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 	@target=files; $(RECURSIVE_MAKE)
 
 links:
@@ -105,6 +102,7 @@ lib:	$(LIB)
 	@touch lib
 $(LIB):	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
+	[ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
 	$(RANLIB) $(LIB) || echo Never mind.
 
 shared: buildinf.h lib subdirs
@@ -124,8 +122,6 @@ install:
 	done;
 	@target=install; $(RECURSIVE_MAKE)
 
-uninstall:
-
 lint:
 	@target=lint; $(RECURSIVE_MAKE)
 
@@ -143,6 +139,7 @@ clean:
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
+	rm -f opensslconf.h
 	@target=dclean; $(RECURSIVE_MAKE)
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
@@ -176,13 +173,6 @@ ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
 ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 ex_data.o: ex_data.c
 fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c
-lock.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-lock.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-lock.o: ../include/openssl/err.h ../include/openssl/lhash.h
-lock.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-lock.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
-lock.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-lock.o: lock.c
 mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -218,17 +208,8 @@ o_init.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 o_init.o: ../include/openssl/symhacks.h o_init.c
 o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
 o_str.o: o_str.c o_str.h
-o_time.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-o_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-o_time.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
-o_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h o_time.c
-thr_id.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-thr_id.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-thr_id.o: ../include/openssl/err.h ../include/openssl/lhash.h
-thr_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-thr_id.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
-thr_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-thr_id.o: thr_id.c
+o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
+o_time.o: o_time.h
 uid.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 uid.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 uid.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h

crypto/aes/.cvsignore

@@ -0,0 +1,5 @@
+lib
+Makefile.save
+*.flc
+semantic.cache
+aes-*.s

crypto/aes/Makefile

@@ -24,8 +24,8 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c \
-       aes_ige.c aes_wrap.c
-LIBOBJ=aes_misc.o aes_ecb.o aes_cfb.o aes_ofb.o aes_ige.o aes_wrap.o \
+       aes_ctr.c aes_ige.c aes_wrap.c
+LIBOBJ=aes_misc.o aes_ecb.o aes_cfb.o aes_ofb.o aes_ctr.o aes_ige.o aes_wrap.o \
        $(AES_ENC)
 
 SRC= $(LIBSRC)
@@ -65,22 +65,12 @@ aesni-x86_64.s: asm/aesni-x86_64.pl
 	$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
 aesni-sha1-x86_64.s:	asm/aesni-sha1-x86_64.pl
 	$(PERL) asm/aesni-sha1-x86_64.pl $(PERLASM_SCHEME) > $@
-aesni-sha256-x86_64.s:	asm/aesni-sha256-x86_64.pl
-	$(PERL) asm/aesni-sha256-x86_64.pl $(PERLASM_SCHEME) > $@
-aesni-mb-x86_64.s:	asm/aesni-mb-x86_64.pl
-	$(PERL) asm/aesni-mb-x86_64.pl $(PERLASM_SCHEME) > $@
 
 aes-sparcv9.s: asm/aes-sparcv9.pl
 	$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
-aest4-sparcv9.s: asm/aest4-sparcv9.pl
-	$(PERL) asm/aest4-sparcv9.pl $(CFLAGS) > $@
 
 aes-ppc.s:	asm/aes-ppc.pl
 	$(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
-vpaes-ppc.s:	asm/vpaes-ppc.pl
-	$(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@
-aesp8-ppc.s:	asm/aesp8-ppc.pl
-	$(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@
 
 aes-parisc.s:	asm/aes-parisc.pl
 	$(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@
@@ -88,18 +78,12 @@ aes-parisc.s:	asm/aes-parisc.pl
 aes-mips.S:	asm/aes-mips.pl
 	$(PERL) asm/aes-mips.pl $(PERLASM_SCHEME) $@
 
-aesv8-armx.S:	asm/aesv8-armx.pl
-	$(PERL) asm/aesv8-armx.pl $(PERLASM_SCHEME) $@
-aesv8-armx.o:	aesv8-armx.S
-
 # GNU make "catch all"
-aes-%.S:	asm/aes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) $@
+aes-%.S:	asm/aes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) > $@
 aes-armv4.o:	aes-armv4.S
-bsaes-%.S:	asm/bsaes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) $@
-bsaes-armv7.o:	bsaes-armv7.S
 
 files:
-	$(PERL) $(TOP)/util/files.pl "AES_ENC=$(AES_ENC)" Makefile >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@@ -139,11 +123,10 @@ aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
 aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c
 aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
 aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c
-aes_core.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
-aes_core.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-aes_core.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-aes_core.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-aes_core.o: ../../include/openssl/symhacks.h aes_core.c aes_locl.h
+aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
+aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
+aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c
 aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h
 aes_ige.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/bio.h
@@ -153,16 +136,18 @@ aes_ige.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 aes_ige.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 aes_ige.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 aes_ige.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_ige.c aes_locl.h
-aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
-aes_misc.o: ../../include/openssl/opensslconf.h
-aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c
+aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
+aes_misc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+aes_misc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+aes_misc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+aes_misc.o: ../../include/openssl/symhacks.h aes_locl.h aes_misc.c
 aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
 aes_ofb.o: ../../include/openssl/opensslconf.h aes_ofb.c
 aes_wrap.o: ../../e_os.h ../../include/openssl/aes.h
 aes_wrap.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 aes_wrap.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 aes_wrap.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-aes_wrap.o: ../../include/openssl/modes.h ../../include/openssl/opensslconf.h
+aes_wrap.o: ../../include/openssl/opensslconf.h
 aes_wrap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 aes_wrap.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 aes_wrap.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_wrap.c

crypto/aes/README

@@ -0,0 +1,3 @@
+This is an OpenSSL-compatible version of AES (also called Rijndael).
+aes_core.c is basically the same as rijndael-alg-fst.c but with an
+API that looks like the rest of the OpenSSL symmetric cipher suite.

crypto/aes/aes.h

@@ -92,6 +92,11 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
                         AES_KEY *key);
 
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key);
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key);
+
 void AES_encrypt(const unsigned char *in, unsigned char *out,
                  const AES_KEY *key);
 void AES_decrypt(const unsigned char *in, unsigned char *out,
@@ -114,13 +119,11 @@ void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
                         size_t length, const AES_KEY *key,
                         unsigned char *ivec, int *num);
-# if 0
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
                         size_t length, const AES_KEY *key,
                         unsigned char ivec[AES_BLOCK_SIZE],
                         unsigned char ecount_buf[AES_BLOCK_SIZE],
                         unsigned int *num);
-# endif
 /* NB: the IV is _two_ blocks long */
 void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
                      size_t length, const AES_KEY *key,

crypto/aes/aes_core.c

@@ -36,7 +36,6 @@
 #include <assert.h>
 
 #include <stdlib.h>
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -626,8 +625,8 @@ static const u32 rcon[] = {
 /**
  * Expand the cipher key into the encryption key schedule.
  */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
 
     u32 *rk;
@@ -728,8 +727,8 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
  * Expand the cipher key into the decryption key schedule.
  */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
 
     u32 *rk;
@@ -737,7 +736,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
     u32 temp;
 
     /* first, start with an encryption schedule */
-    status = AES_set_encrypt_key(userKey, bits, key);
+    status = private_AES_set_encrypt_key(userKey, bits, key);
     if (status < 0)
         return status;
 
@@ -1205,11 +1204,11 @@ static const u32 rcon[] = {
 /**
  * Expand the cipher key into the encryption key schedule.
  */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
     u32 *rk;
-    int i = 0;
+   	int i = 0;
     u32 temp;
 
     if (!userKey || !key)
@@ -1306,8 +1305,8 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
  * Expand the cipher key into the decryption key schedule.
  */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-                        AES_KEY *key)
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                                AES_KEY *key)
 {
 
     u32 *rk;
@@ -1315,7 +1314,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
     u32 temp;
 
     /* first, start with an encryption schedule */
-    status = AES_set_encrypt_key(userKey, bits, key);
+    status = private_AES_set_encrypt_key(userKey, bits, key);
     if (status < 0)
         return status;
 

crypto/aes/aes_ctr.c

@@ -1,9 +1,6 @@
-/* crypto/ecdh/ec_kdf.c */
-/*
- * Written by Stephen Henson for the OpenSSL project.
- */
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -49,61 +46,18 @@
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  * ====================================================================
+ *
  */
 
-#include <string.h>
-#include <openssl/ecdh.h>
-#include <openssl/evp.h>
+#include <openssl/aes.h>
+#include <openssl/modes.h>
 
-/* Key derivation function from X9.62/SECG */
-/* Way more than we will ever need */
-#define ECDH_KDF_MAX    (1 << 30)
-
-int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
-                   const unsigned char *Z, size_t Zlen,
-                   const unsigned char *sinfo, size_t sinfolen,
-                   const EVP_MD *md)
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+                        size_t length, const AES_KEY *key,
+                        unsigned char ivec[AES_BLOCK_SIZE],
+                        unsigned char ecount_buf[AES_BLOCK_SIZE],
+                        unsigned int *num)
 {
-    EVP_MD_CTX mctx;
-    int rv = 0;
-    unsigned int i;
-    size_t mdlen;
-    unsigned char ctr[4];
-    if (sinfolen > ECDH_KDF_MAX || outlen > ECDH_KDF_MAX
-        || Zlen > ECDH_KDF_MAX)
-        return 0;
-    mdlen = EVP_MD_size(md);
-    EVP_MD_CTX_init(&mctx);
-    for (i = 1;; i++) {
-        unsigned char mtmp[EVP_MAX_MD_SIZE];
-        EVP_DigestInit_ex(&mctx, md, NULL);
-        ctr[3] = i & 0xFF;
-        ctr[2] = (i >> 8) & 0xFF;
-        ctr[1] = (i >> 16) & 0xFF;
-        ctr[0] = (i >> 24) & 0xFF;
-        if (!EVP_DigestUpdate(&mctx, Z, Zlen))
-            goto err;
-        if (!EVP_DigestUpdate(&mctx, ctr, sizeof(ctr)))
-            goto err;
-        if (!EVP_DigestUpdate(&mctx, sinfo, sinfolen))
-            goto err;
-        if (outlen >= mdlen) {
-            if (!EVP_DigestFinal(&mctx, out, NULL))
-                goto err;
-            outlen -= mdlen;
-            if (outlen == 0)
-                break;
-            out += mdlen;
-        } else {
-            if (!EVP_DigestFinal(&mctx, mtmp, NULL))
-                goto err;
-            memcpy(out, mtmp, outlen);
-            OPENSSL_cleanse(mtmp, mdlen);
-            break;
-        }
-    }
-    rv = 1;
- err:
-    EVP_MD_CTX_cleanup(&mctx);
-    return rv;
+    CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
+                          (block128_f) AES_encrypt);
 }

crypto/aes/aes_misc.c

@@ -50,6 +50,7 @@
  */
 
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -63,3 +64,23 @@ const char *AES_options(void)
     return "aes(partial)";
 #endif
 }
+
+/* FIPS wrapper functions to block low level AES calls in FIPS mode */
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key)
+{
+#ifdef OPENSSL_FIPS
+    fips_cipher_abort(AES);
+#endif
+    return private_AES_set_encrypt_key(userKey, bits, key);
+}
+
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key)
+{
+#ifdef OPENSSL_FIPS
+    fips_cipher_abort(AES);
+#endif
+    return private_AES_set_decrypt_key(userKey, bits, key);
+}

crypto/aes/aes_wrap.c

@@ -54,19 +54,197 @@
 
 #include "cryptlib.h"
 #include <openssl/aes.h>
-#include <openssl/modes.h>
+#include <openssl/bio.h>
+
+static const unsigned char default_iv[] = {
+    0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
+};
 
 int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
                  unsigned char *out,
                  const unsigned char *in, unsigned int inlen)
 {
-    return CRYPTO_128_wrap(key, iv, out, in, inlen, (block128_f) AES_encrypt);
+    unsigned char *A, B[16], *R;
+    unsigned int i, j, t;
+    if ((inlen & 0x7) || (inlen < 8))
+        return -1;
+    A = B;
+    t = 1;
+    memcpy(out + 8, in, inlen);
+    if (!iv)
+        iv = default_iv;
+
+    memcpy(A, iv, 8);
+
+    for (j = 0; j < 6; j++) {
+        R = out + 8;
+        for (i = 0; i < inlen; i += 8, t++, R += 8) {
+            memcpy(B + 8, R, 8);
+            AES_encrypt(B, B, key);
+            A[7] ^= (unsigned char)(t & 0xff);
+            if (t > 0xff) {
+                A[6] ^= (unsigned char)((t >> 8) & 0xff);
+                A[5] ^= (unsigned char)((t >> 16) & 0xff);
+                A[4] ^= (unsigned char)((t >> 24) & 0xff);
+            }
+            memcpy(R, B + 8, 8);
+        }
+    }
+    memcpy(out, A, 8);
+    return inlen + 8;
 }
 
 int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
                    unsigned char *out,
                    const unsigned char *in, unsigned int inlen)
 {
-    return CRYPTO_128_unwrap(key, iv, out, in, inlen,
-                             (block128_f) AES_decrypt);
+    unsigned char *A, B[16], *R;
+    unsigned int i, j, t;
+    inlen -= 8;
+    if (inlen & 0x7)
+        return -1;
+    if (inlen < 8)
+        return -1;
+    A = B;
+    t = 6 * (inlen >> 3);
+    memcpy(A, in, 8);
+    memcpy(out, in + 8, inlen);
+    for (j = 0; j < 6; j++) {
+        R = out + inlen - 8;
+        for (i = 0; i < inlen; i += 8, t--, R -= 8) {
+            A[7] ^= (unsigned char)(t & 0xff);
+            if (t > 0xff) {
+                A[6] ^= (unsigned char)((t >> 8) & 0xff);
+                A[5] ^= (unsigned char)((t >> 16) & 0xff);
+                A[4] ^= (unsigned char)((t >> 24) & 0xff);
+            }
+            memcpy(B + 8, R, 8);
+            AES_decrypt(B, B, key);
+            memcpy(R, B + 8, 8);
+        }
+    }
+    if (!iv)
+        iv = default_iv;
+    if (memcmp(A, iv, 8)) {
+        OPENSSL_cleanse(out, inlen);
+        return 0;
+    }
+    return inlen;
 }
+
+#ifdef AES_WRAP_TEST
+
+int AES_wrap_unwrap_test(const unsigned char *kek, int keybits,
+                         const unsigned char *iv,
+                         const unsigned char *eout,
+                         const unsigned char *key, int keylen)
+{
+    unsigned char *otmp = NULL, *ptmp = NULL;
+    int r, ret = 0;
+    AES_KEY wctx;
+    otmp = OPENSSL_malloc(keylen + 8);
+    ptmp = OPENSSL_malloc(keylen);
+    if (!otmp || !ptmp)
+        return 0;
+    if (AES_set_encrypt_key(kek, keybits, &wctx))
+        goto err;
+    r = AES_wrap_key(&wctx, iv, otmp, key, keylen);
+    if (r <= 0)
+        goto err;
+
+    if (eout && memcmp(eout, otmp, keylen))
+        goto err;
+
+    if (AES_set_decrypt_key(kek, keybits, &wctx))
+        goto err;
+    r = AES_unwrap_key(&wctx, iv, ptmp, otmp, r);
+
+    if (memcmp(key, ptmp, keylen))
+        goto err;
+
+    ret = 1;
+
+ err:
+    if (otmp)
+        OPENSSL_free(otmp);
+    if (ptmp)
+        OPENSSL_free(ptmp);
+
+    return ret;
+
+}
+
+int main(int argc, char **argv)
+{
+
+    static const unsigned char kek[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+    };
+
+    static const unsigned char key[] = {
+        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+        0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+    };
+
+    static const unsigned char e1[] = {
+        0x1f, 0xa6, 0x8b, 0x0a, 0x81, 0x12, 0xb4, 0x47,
+        0xae, 0xf3, 0x4b, 0xd8, 0xfb, 0x5a, 0x7b, 0x82,
+        0x9d, 0x3e, 0x86, 0x23, 0x71, 0xd2, 0xcf, 0xe5
+    };
+
+    static const unsigned char e2[] = {
+        0x96, 0x77, 0x8b, 0x25, 0xae, 0x6c, 0xa4, 0x35,
+        0xf9, 0x2b, 0x5b, 0x97, 0xc0, 0x50, 0xae, 0xd2,
+        0x46, 0x8a, 0xb8, 0xa1, 0x7a, 0xd8, 0x4e, 0x5d
+    };
+
+    static const unsigned char e3[] = {
+        0x64, 0xe8, 0xc3, 0xf9, 0xce, 0x0f, 0x5b, 0xa2,
+        0x63, 0xe9, 0x77, 0x79, 0x05, 0x81, 0x8a, 0x2a,
+        0x93, 0xc8, 0x19, 0x1e, 0x7d, 0x6e, 0x8a, 0xe7
+    };
+
+    static const unsigned char e4[] = {
+        0x03, 0x1d, 0x33, 0x26, 0x4e, 0x15, 0xd3, 0x32,
+        0x68, 0xf2, 0x4e, 0xc2, 0x60, 0x74, 0x3e, 0xdc,
+        0xe1, 0xc6, 0xc7, 0xdd, 0xee, 0x72, 0x5a, 0x93,
+        0x6b, 0xa8, 0x14, 0x91, 0x5c, 0x67, 0x62, 0xd2
+    };
+
+    static const unsigned char e5[] = {
+        0xa8, 0xf9, 0xbc, 0x16, 0x12, 0xc6, 0x8b, 0x3f,
+        0xf6, 0xe6, 0xf4, 0xfb, 0xe3, 0x0e, 0x71, 0xe4,
+        0x76, 0x9c, 0x8b, 0x80, 0xa3, 0x2c, 0xb8, 0x95,
+        0x8c, 0xd5, 0xd1, 0x7d, 0x6b, 0x25, 0x4d, 0xa1
+    };
+
+    static const unsigned char e6[] = {
+        0x28, 0xc9, 0xf4, 0x04, 0xc4, 0xb8, 0x10, 0xf4,
+        0xcb, 0xcc, 0xb3, 0x5c, 0xfb, 0x87, 0xf8, 0x26,
+        0x3f, 0x57, 0x86, 0xe2, 0xd8, 0x0e, 0xd3, 0x26,
+        0xcb, 0xc7, 0xf0, 0xe7, 0x1a, 0x99, 0xf4, 0x3b,
+        0xfb, 0x98, 0x8b, 0x9b, 0x7a, 0x02, 0xdd, 0x21
+    };
+
+    AES_KEY wctx, xctx;
+    int ret;
+    ret = AES_wrap_unwrap_test(kek, 128, NULL, e1, key, 16);
+    fprintf(stderr, "Key test result %d\n", ret);
+    ret = AES_wrap_unwrap_test(kek, 192, NULL, e2, key, 16);
+    fprintf(stderr, "Key test result %d\n", ret);
+    ret = AES_wrap_unwrap_test(kek, 256, NULL, e3, key, 16);
+    fprintf(stderr, "Key test result %d\n", ret);
+    ret = AES_wrap_unwrap_test(kek, 192, NULL, e4, key, 24);
+    fprintf(stderr, "Key test result %d\n", ret);
+    ret = AES_wrap_unwrap_test(kek, 256, NULL, e5, key, 24);
+    fprintf(stderr, "Key test result %d\n", ret);
+    ret = AES_wrap_unwrap_test(kek, 256, NULL, e6, key, 32);
+    fprintf(stderr, "Key test result %d\n", ret);
+}
+
+#endif

crypto/aes/aes_x86core.c

@@ -89,10 +89,8 @@ typedef unsigned long long u64;
 #endif
 
 #undef ROTATE
-#if defined(_MSC_VER)
-# define ROTATE(a,n)    _lrotl(a,n)
-#elif defined(__ICC)
-# define ROTATE(a,n)    _rotl(a,n)
+#if defined(_MSC_VER) || defined(__ICC)
+# define ROTATE(a,n)	_lrotl(a,n)
 #elif defined(__GNUC__) && __GNUC__>=2
 # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
 #   define ROTATE(a,n)  ({ register unsigned int ret;   \

crypto/aes/asm/aes-586.pl

@@ -39,7 +39,7 @@
 # but exhibits up to 10% improvement on other cores.
 #
 # Second version is "monolithic" replacement for aes_core.c, which in
-# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key.
+# addition to AES_[de|en]crypt implements private_AES_set_[de|en]cryption_key.
 # This made it possible to implement little-endian variant of the
 # algorithm without modifying the base C code. Motivating factor for
 # the undertaken effort was that it appeared that in tight IA-32
@@ -103,12 +103,11 @@
 # byte for 128-bit key.
 #
 #		ECB encrypt	ECB decrypt	CBC large chunk
-# P4		52[54]		83[95]		23
-# AMD K8	46[41]		66[70]		18
-# PIII		41[50]		60[77]		24
-# Core 2	31[36]		45[64]		18.5
-# Atom		76[100]		96[138]		60
-# Pentium	115		150		77
+# P4		56[60]		84[100]		23
+# AMD K8	48[44]		70[79]		18
+# PIII		41[50]		61[91]		24
+# Core 2	32[38]		45[70]		18.5
+# Pentium	120		160		77
 #
 # Version 4.1 switches to compact S-box even in key schedule setup.
 #
@@ -243,7 +242,7 @@ $vertical_spin=0;	# shift "verticaly" defaults to 0, because of
 
 sub encvert()
 { my ($te,@s) = @_;
-  my ($v0,$v1) = ($acc,$key);
+  my $v0 = $acc, $v1 = $key;
 
 	&mov	($v0,$s[3]);				# copy s3
 	&mov	(&DWP(4,"esp"),$s[2]);			# save s2
@@ -300,7 +299,7 @@ sub encvert()
 # Another experimental routine, which features "horizontal spin," but
 # eliminates one reference to stack. Strangely enough runs slower...
 sub enchoriz()
-{ my ($v0,$v1) = ($key,$acc);
+{ my $v0 = $key, $v1 = $acc;
 
 	&movz	($v0,&LB($s0));			#  3, 2, 1, 0*
 	&rotr	($s2,8);			#  8,11,10, 9
@@ -428,7 +427,7 @@ sub sse_encbody()
 ######################################################################
 
 sub enccompact()
-{ my $Fn = \&mov;
+{ my $Fn = mov;
   while ($#_>5) { pop(@_); $Fn=sub{}; }
   my ($i,$te,@s)=@_;
   my $tmp = $key;
@@ -477,25 +476,24 @@ sub enctransform()
   my $tmp = $tbl;
   my $r2  = $key ;
 
-	&and	($tmp,$s[$i]);
-	&lea	($r2,&DWP(0,$s[$i],$s[$i]));
-	&mov	($acc,$tmp);
+	&mov	($acc,$s[$i]);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
-	&and	($r2,0xfefefefe);
+	&lea	($r2,&DWP(0,$s[$i],$s[$i]));
 	&sub	($acc,$tmp);
-	&mov	($tmp,$s[$i]);
+	&and	($r2,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
-	&rotr	($tmp,16);
+	&mov	($tmp,$s[$i]);
 	&xor	($acc,$r2);	# r2
-	&mov	($r2,$s[$i]);
 
 	&xor	($s[$i],$acc);	# r0 ^ r2
-	&rotr	($r2,16+8);
-	&xor	($acc,$tmp);
 	&rotl	($s[$i],24);
-	&xor	($acc,$r2);
-	&mov	($tmp,0x80808080)	if ($i!=1);
-	&xor	($s[$i],$acc);	# ROTATE(r2^r0,24) ^ r2
+	&xor	($s[$i],$acc)	# ROTATE(r2^r0,24) ^ r2
+	&rotr	($tmp,16);
+	&xor	($s[$i],$tmp);
+	&rotr	($tmp,8);
+	&xor	($s[$i],$tmp);
 }
 
 &function_begin_B("_x86_AES_encrypt_compact");
@@ -528,7 +526,6 @@ sub enctransform()
 		&enccompact(1,$tbl,$s1,$s2,$s3,$s0,1);
 		&enccompact(2,$tbl,$s2,$s3,$s0,$s1,1);
 		&enccompact(3,$tbl,$s3,$s0,$s1,$s2,1);
-		&mov	($tbl,0x80808080);
 		&enctransform(2);
 		&enctransform(3);
 		&enctransform(0);
@@ -610,84 +607,82 @@ sub sse_enccompact()
 	&pshufw	("mm5","mm4",0x0d);		# 15,14,11,10
 	&movd	("eax","mm1");			#  5, 4, 1, 0
 	&movd	("ebx","mm5");			# 15,14,11,10
-	&mov	($__key,$key);
 
 	&movz	($acc,&LB("eax"));		#  0
-	&movz	("edx",&HB("eax"));		#  1
-	&pshufw	("mm2","mm0",0x0d);		#  7, 6, 3, 2
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
-	&movz	($key,&LB("ebx"));		# 10
+	&pshufw	("mm2","mm0",0x0d);		#  7, 6, 3, 2
+	&movz	("edx",&HB("eax"));		#  1
 	&movz	("edx",&BP(-128,$tbl,"edx",1));	#  1
-	&shr	("eax",16);			#  5, 4
 	&shl	("edx",8);			#  1
+	&shr	("eax",16);			#  5, 4
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 10
-	&movz	($key,&HB("ebx"));		# 11
+	&movz	($acc,&LB("ebx"));		# 10
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 10
 	&shl	($acc,16);			# 10
-	&pshufw	("mm6","mm4",0x08);		# 13,12, 9, 8
 	&or	("ecx",$acc);			# 10
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 11
-	&movz	($key,&HB("eax"));		#  5
+	&pshufw	("mm6","mm4",0x08);		# 13,12, 9, 8
+	&movz	($acc,&HB("ebx"));		# 11
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 11
 	&shl	($acc,24);			# 11
-	&shr	("ebx",16);			# 15,14
 	&or	("edx",$acc);			# 11
+	&shr	("ebx",16);			# 15,14
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  5
-	&movz	($key,&HB("ebx"));		# 15
+	&movz	($acc,&HB("eax"));		#  5
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  5
 	&shl	($acc,8);			#  5
 	&or	("ecx",$acc);			#  5
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 15
-	&movz	($key,&LB("eax"));		#  4
+	&movz	($acc,&HB("ebx"));		# 15
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 15
 	&shl	($acc,24);			# 15
 	&or	("ecx",$acc);			# 15
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  4
-	&movz	($key,&LB("ebx"));		# 14
-	&movd	("eax","mm2");			#  7, 6, 3, 2
 	&movd	("mm0","ecx");			# t[0] collected
-	&movz	("ecx",&BP(-128,$tbl,$key,1));	# 14
-	&movz	($key,&HB("eax"));		#  3
-	&shl	("ecx",16);			# 14
-	&movd	("ebx","mm6");			# 13,12, 9, 8
+
+	&movz	($acc,&LB("eax"));		#  4
+	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  4
+	&movd	("eax","mm2");			#  7, 6, 3, 2
+	&movz	($acc,&LB("ebx"));		# 14
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 14
+	&shl	($acc,16);			# 14
 	&or	("ecx",$acc);			# 14
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  3
-	&movz	($key,&HB("ebx"));		#  9
+	&movd	("ebx","mm6");			# 13,12, 9, 8
+	&movz	($acc,&HB("eax"));		#  3
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  3
 	&shl	($acc,24);			#  3
 	&or	("ecx",$acc);			#  3
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  9
-	&movz	($key,&LB("ebx"));		#  8
+	&movz	($acc,&HB("ebx"));		#  9
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  9
 	&shl	($acc,8);			#  9
-	&shr	("ebx",16);			# 13,12
 	&or	("ecx",$acc);			#  9
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  8
-	&movz	($key,&LB("eax"));		#  2
-	&shr	("eax",16);			#  7, 6
 	&movd	("mm1","ecx");			# t[1] collected
-	&movz	("ecx",&BP(-128,$tbl,$key,1));	#  2
-	&movz	($key,&HB("eax"));		#  7
-	&shl	("ecx",16);			#  2
-	&and	("eax",0xff);			#  6
+
+	&movz	($acc,&LB("ebx"));		#  8
+	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  8
+	&shr	("ebx",16);			# 13,12
+	&movz	($acc,&LB("eax"));		#  2
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  2
+	&shl	($acc,16);			#  2
 	&or	("ecx",$acc);			#  2
+	&shr	("eax",16);			#  7, 6
 
 	&punpckldq	("mm0","mm1");		# t[0,1] collected
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  7
-	&movz	($key,&HB("ebx"));		# 13
+	&movz	($acc,&HB("eax"));		#  7
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  7
 	&shl	($acc,24);			#  7
-	&and	("ebx",0xff);			# 12
-	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  6
 	&or	("ecx",$acc);			#  7
+	&and	("eax",0xff);			#  6
+	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  6
 	&shl	("eax",16);			#  6
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 13
 	&or	("edx","eax");			#  6
+	&movz	($acc,&HB("ebx"));		# 13
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 13
 	&shl	($acc,8);			# 13
-	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	# 12
 	&or	("ecx",$acc);			# 13
-	&or	("edx","ebx");			# 12
-	&mov	($key,$__key);
 	&movd	("mm4","ecx");			# t[2] collected
+	&and	("ebx",0xff);			# 12
+	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	# 12
+	&or	("edx","ebx");			# 12
 	&movd	("mm5","edx");			# t[3] collected
 
 	&punpckldq	("mm4","mm5");		# t[2,3] collected
@@ -1227,7 +1222,7 @@ sub enclast()
 ######################################################################
 
 sub deccompact()
-{ my $Fn = \&mov;
+{ my $Fn = mov;
   while ($#_>5) { pop(@_); $Fn=sub{}; }
   my ($i,$td,@s)=@_;
   my $tmp = $key;
@@ -1275,30 +1270,30 @@ sub dectransform()
   my $tp4 = @s[($i+3)%4]; $tp4 = @s[3] if ($i==1);
   my $tp8 = $tbl;
 
-	&mov	($tmp,0x80808080);
-	&and	($tmp,$s[$i]);
-	&mov	($acc,$tmp);
+	&mov	($acc,$s[$i]);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($tp2,&DWP(0,$s[$i],$s[$i]));
 	&sub	($acc,$tmp);
 	&and	($tp2,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
-	&xor	($tp2,$acc);
-	&mov	($tmp,0x80808080);
+	&xor	($acc,$tp2);
+	&mov	($tp2,$acc);
 
-	&and	($tmp,$tp2);
-	&mov	($acc,$tmp);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($tp4,&DWP(0,$tp2,$tp2));
 	&sub	($acc,$tmp);
 	&and	($tp4,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
 	 &xor	($tp2,$s[$i]);	# tp2^tp1
-	&xor	($tp4,$acc);
-	&mov	($tmp,0x80808080);
+	&xor	($acc,$tp4);
+	&mov	($tp4,$acc);
 
-	&and	($tmp,$tp4);
-	&mov	($acc,$tmp);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($tp8,&DWP(0,$tp4,$tp4));
 	&sub	($acc,$tmp);
@@ -1310,13 +1305,13 @@ sub dectransform()
 
 	&xor	($s[$i],$tp2);
 	&xor	($tp2,$tp8);
+	&rotl	($tp2,24);
 	&xor	($s[$i],$tp4);
 	&xor	($tp4,$tp8);
-	&rotl	($tp2,24);
-	&xor	($s[$i],$tp8);	# ^= tp8^(tp4^tp1)^(tp2^tp1)
 	&rotl	($tp4,16);
-	&xor	($s[$i],$tp2);	# ^= ROTATE(tp8^tp2^tp1,24)
+	&xor	($s[$i],$tp8);	# ^= tp8^(tp4^tp1)^(tp2^tp1)
 	&rotl	($tp8,8);
+	&xor	($s[$i],$tp2);	# ^= ROTATE(tp8^tp2^tp1,24)
 	&xor	($s[$i],$tp4);	# ^= ROTATE(tp8^tp4^tp1,16)
 	 &mov	($s[0],$__s0)			if($i==2); #prefetch $s0
 	 &mov	($s[1],$__s1)			if($i==3); #prefetch $s1
@@ -1394,87 +1389,85 @@ sub dectransform()
 sub sse_deccompact()
 {
 	&pshufw	("mm1","mm0",0x0c);		#  7, 6, 1, 0
-	&pshufw	("mm5","mm4",0x09);		# 13,12,11,10
 	&movd	("eax","mm1");			#  7, 6, 1, 0
-	&movd	("ebx","mm5");			# 13,12,11,10
-	&mov	($__key,$key);
 
+	&pshufw	("mm5","mm4",0x09);		# 13,12,11,10
 	&movz	($acc,&LB("eax"));		#  0
-	&movz	("edx",&HB("eax"));		#  1
-	&pshufw	("mm2","mm0",0x06);		#  3, 2, 5, 4
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
-	&movz	($key,&LB("ebx"));		# 10
+	&movd	("ebx","mm5");			# 13,12,11,10
+	&movz	("edx",&HB("eax"));		#  1
 	&movz	("edx",&BP(-128,$tbl,"edx",1));	#  1
-	&shr	("eax",16);			#  7, 6
 	&shl	("edx",8);			#  1
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 10
-	&movz	($key,&HB("ebx"));		# 11
+	&pshufw	("mm2","mm0",0x06);		#  3, 2, 5, 4
+	&movz	($acc,&LB("ebx"));		# 10
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 10
 	&shl	($acc,16);			# 10
-	&pshufw	("mm6","mm4",0x03);		# 9, 8,15,14
 	&or	("ecx",$acc);			# 10
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 11
-	&movz	($key,&HB("eax"));		#  7
+	&shr	("eax",16);			#  7, 6
+	&movz	($acc,&HB("ebx"));		# 11
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 11
 	&shl	($acc,24);			# 11
-	&shr	("ebx",16);			# 13,12
 	&or	("edx",$acc);			# 11
+	&shr	("ebx",16);			# 13,12
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  7
-	&movz	($key,&HB("ebx"));		# 13
+	&pshufw	("mm6","mm4",0x03);		# 9, 8,15,14
+	&movz	($acc,&HB("eax"));		#  7
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  7
 	&shl	($acc,24);			#  7
 	&or	("ecx",$acc);			#  7
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 13
-	&movz	($key,&LB("eax"));		#  6
+	&movz	($acc,&HB("ebx"));		# 13
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 13
 	&shl	($acc,8);			# 13
-	&movd	("eax","mm2");			#  3, 2, 5, 4
 	&or	("ecx",$acc);			# 13
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  6
-	&movz	($key,&LB("ebx"));		# 12
-	&shl	($acc,16);			#  6
-	&movd	("ebx","mm6");			#  9, 8,15,14
 	&movd	("mm0","ecx");			# t[0] collected
-	&movz	("ecx",&BP(-128,$tbl,$key,1));	# 12
-	&movz	($key,&LB("eax"));		#  4
+
+	&movz	($acc,&LB("eax"));		#  6
+	&movd	("eax","mm2");			#  3, 2, 5, 4
+	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  6
+	&shl	("ecx",16);			#  6
+	&movz	($acc,&LB("ebx"));		# 12
+	&movd	("ebx","mm6");			#  9, 8,15,14
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 12
 	&or	("ecx",$acc);			# 12
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  4
-	&movz	($key,&LB("ebx"));		# 14
+	&movz	($acc,&LB("eax"));		#  4
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  4
 	&or	("edx",$acc);			#  4
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 14
-	&movz	($key,&HB("eax"));		#  5
+	&movz	($acc,&LB("ebx"));		# 14
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 14
 	&shl	($acc,16);			# 14
-	&shr	("eax",16);			#  3, 2
 	&or	("edx",$acc);			# 14
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  5
-	&movz	($key,&HB("ebx"));		# 15
-	&shr	("ebx",16);			#  9, 8
-	&shl	($acc,8);			#  5
 	&movd	("mm1","edx");			# t[1] collected
-	&movz	("edx",&BP(-128,$tbl,$key,1));	# 15
-	&movz	($key,&HB("ebx"));		#  9
-	&shl	("edx",24);			# 15
-	&and	("ebx",0xff);			#  8
+
+	&movz	($acc,&HB("eax"));		#  5
+	&movz	("edx",&BP(-128,$tbl,$acc,1));	#  5
+	&shl	("edx",8);			#  5
+	&movz	($acc,&HB("ebx"));		# 15
+	&shr	("eax",16);			#  3, 2
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 15
+	&shl	($acc,24);			# 15
 	&or	("edx",$acc);			# 15
+	&shr	("ebx",16);			#  9, 8
 
 	&punpckldq	("mm0","mm1");		# t[0,1] collected
 
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  9
-	&movz	($key,&LB("eax"));		#  2
+	&movz	($acc,&HB("ebx"));		#  9
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  9
 	&shl	($acc,8);			#  9
-	&movz	("eax",&HB("eax"));		#  3
-	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	#  8
 	&or	("ecx",$acc);			#  9
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  2
+	&and	("ebx",0xff);			#  8
+	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	#  8
 	&or	("edx","ebx");			#  8
+	&movz	($acc,&LB("eax"));		#  2
+	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  2
 	&shl	($acc,16);			#  2
-	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  3
 	&or	("edx",$acc);			#  2
+	&movd	("mm4","edx");			# t[2] collected
+	&movz	("eax",&HB("eax"));		#  3
+	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  3
 	&shl	("eax",24);			#  3
 	&or	("ecx","eax");			#  3
-	&mov	($key,$__key);
-	&movd	("mm4","edx");			# t[2] collected
 	&movd	("mm5","ecx");			# t[3] collected
 
 	&punpckldq	("mm4","mm5");		# t[2,3] collected
@@ -2188,8 +2181,8 @@ my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
 	&mov	("ecx",240/4);
 	&xor	("eax","eax");
 	&align	(4);
-	&data_word(0xABF3F689);		# rep stosd
-	&set_label("skip_ezero");
+	&data_word(0xABF3F689);	# rep stosd
+	&set_label("skip_ezero")
 	&mov	("esp",$_esp);
 	&popf	();
     &set_label("drop_out");
@@ -2308,8 +2301,8 @@ my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
 	&mov	("ecx",240/4);
 	&xor	("eax","eax");
 	&align	(4);
-	&data_word(0xABF3F689);		# rep stosd
-	&set_label("skip_dzero");
+	&data_word(0xABF3F689);	# rep stosd
+	&set_label("skip_dzero")
 	&mov	("esp",$_esp);
 	&popf	();
 	&function_end_A();
@@ -2861,43 +2854,43 @@ sub enckey()
     &set_label("exit");
 &function_end("_x86_AES_set_encrypt_key");
 
-# int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+# int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 #                        AES_KEY *key)
-&function_begin_B("AES_set_encrypt_key");
+&function_begin_B("private_AES_set_encrypt_key");
 	&call	("_x86_AES_set_encrypt_key");
 	&ret	();
-&function_end_B("AES_set_encrypt_key");
+&function_end_B("private_AES_set_encrypt_key");
 
 sub deckey()
 { my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
   my $tmp = $tbl;
 
-	&mov	($tmp,0x80808080);
-	&and	($tmp,$tp1);
-	&lea	($tp2,&DWP(0,$tp1,$tp1));
-	&mov	($acc,$tmp);
+	&mov	($acc,$tp1);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
+	&lea	($tp2,&DWP(0,$tp1,$tp1));
 	&sub	($acc,$tmp);
 	&and	($tp2,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
-	&xor	($tp2,$acc);
-	&mov	($tmp,0x80808080);
+	&xor	($acc,$tp2);
+	&mov	($tp2,$acc);
 
-	&and	($tmp,$tp2);
-	&lea	($tp4,&DWP(0,$tp2,$tp2));
-	&mov	($acc,$tmp);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
+	&lea	($tp4,&DWP(0,$tp2,$tp2));
 	&sub	($acc,$tmp);
 	&and	($tp4,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
 	 &xor	($tp2,$tp1);	# tp2^tp1
-	&xor	($tp4,$acc);
-	&mov	($tmp,0x80808080);
+	&xor	($acc,$tp4);
+	&mov	($tp4,$acc);
 
-	&and	($tmp,$tp4);
-	&lea	($tp8,&DWP(0,$tp4,$tp4));
-	&mov	($acc,$tmp);
+	&and	($acc,0x80808080);
+	&mov	($tmp,$acc);
 	&shr	($tmp,7);
+	&lea	($tp8,&DWP(0,$tp4,$tp4));
 	 &xor	($tp4,$tp1);	# tp4^tp1
 	&sub	($acc,$tmp);
 	&and	($tp8,0xfefefefe);
@@ -2923,9 +2916,9 @@ sub deckey()
 	&mov	(&DWP(4*$i,$key),$tp1);
 }
 
-# int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+# int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 #                        AES_KEY *key)
-&function_begin_B("AES_set_decrypt_key");
+&function_begin_B("private_AES_set_decrypt_key");
 	&call	("_x86_AES_set_encrypt_key");
 	&cmp	("eax",0);
 	&je	(&label("proceed"));
@@ -2981,7 +2974,7 @@ sub deckey()
 	&jb	(&label("permute"));
 
 	&xor	("eax","eax");			# return success
-&function_end("AES_set_decrypt_key");
+&function_end("private_AES_set_decrypt_key");
 &asciz("AES for x86, CRYPTOGAMS by <appro\@openssl.org>");
 
 &asm_finish();

crypto/aes/asm/aes-armv4.pl

@@ -1,7 +1,7 @@
 #!/usr/bin/env perl
 
 # ====================================================================
-# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
+# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
 # project. The module is, however, dual licensed under OpenSSL and
 # CRYPTOGAMS licenses depending on where you obtain it. For further
 # details see http://www.openssl.org/~appro/cryptogams/.
@@ -51,23 +51,9 @@ $key="r11";
 $rounds="r12";
 
 $code=<<___;
-#ifndef __KERNEL__
-# include "arm_arch.h"
-#else
-# define __ARM_ARCH__ __LINUX_ARM_ARCH__
-#endif
-
+#include "arm_arch.h"
 .text
-#if __ARM_ARCH__<7
 .code	32
-#else
-.syntax	unified
-# ifdef __thumb2__
-.thumb
-# else
-.code	32
-# endif
-#endif
 
 .type	AES_Te,%object
 .align	5
@@ -181,11 +167,7 @@ AES_Te:
 .type   AES_encrypt,%function
 .align	5
 AES_encrypt:
-#if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_encrypt
-#else
-	adr	r3,AES_encrypt
-#endif
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
@@ -422,26 +404,16 @@ _armv4_AES_encrypt:
 	ldr	pc,[sp],#4		@ pop and return
 .size	_armv4_AES_encrypt,.-_armv4_AES_encrypt
 
-.global AES_set_encrypt_key
-.type   AES_set_encrypt_key,%function
+.global private_AES_set_encrypt_key
+.type   private_AES_set_encrypt_key,%function
 .align	5
-AES_set_encrypt_key:
+private_AES_set_encrypt_key:
 _armv4_AES_set_encrypt_key:
-#if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_set_encrypt_key
-#else
-	adr	r3,AES_set_encrypt_key
-#endif
 	teq	r0,#0
-#if __ARM_ARCH__>=7
-	itt	eq			@ Thumb2 thing, sanity check in ARM
-#endif
 	moveq	r0,#-1
 	beq	.Labrt
 	teq	r2,#0
-#if __ARM_ARCH__>=7
-	itt	eq			@ Thumb2 thing, sanity check in ARM
-#endif
 	moveq	r0,#-1
 	beq	.Labrt
 
@@ -450,9 +422,6 @@ _armv4_AES_set_encrypt_key:
 	teq	r1,#192
 	beq	.Lok
 	teq	r1,#256
-#if __ARM_ARCH__>=7
-	itt	ne			@ Thumb2 thing, sanity check in ARM
-#endif
 	movne	r0,#-1
 	bne	.Labrt
 
@@ -607,9 +576,6 @@ _armv4_AES_set_encrypt_key:
 	str	$s2,[$key,#-16]
 	subs	$rounds,$rounds,#1
 	str	$s3,[$key,#-12]
-#if __ARM_ARCH__>=7
-	itt	eq				@ Thumb2 thing, sanity check in ARM
-#endif
 	subeq	r2,$key,#216
 	beq	.Ldone
 
@@ -679,9 +645,6 @@ _armv4_AES_set_encrypt_key:
 	str	$s2,[$key,#-24]
 	subs	$rounds,$rounds,#1
 	str	$s3,[$key,#-20]
-#if __ARM_ARCH__>=7
-	itt	eq				@ Thumb2 thing, sanity check in ARM
-#endif
 	subeq	r2,$key,#256
 	beq	.Ldone
 
@@ -711,77 +674,48 @@ _armv4_AES_set_encrypt_key:
 	str	$i3,[$key,#-4]
 	b	.L256_loop
 
-.align	2
 .Ldone:	mov	r0,#0
 	ldmia   sp!,{r4-r12,lr}
-.Labrt:
-#if __ARM_ARCH__>=5
-	ret				@ bx lr
-#else
-	tst	lr,#1
+.Labrt:	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
-#endif
-.size	AES_set_encrypt_key,.-AES_set_encrypt_key
+.size	private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
 
-.global AES_set_decrypt_key
-.type   AES_set_decrypt_key,%function
+.global private_AES_set_decrypt_key
+.type   private_AES_set_decrypt_key,%function
 .align	5
-AES_set_decrypt_key:
+private_AES_set_decrypt_key:
 	str	lr,[sp,#-4]!            @ push lr
 	bl	_armv4_AES_set_encrypt_key
 	teq	r0,#0
-	ldr	lr,[sp],#4              @ pop lr
+	ldrne	lr,[sp],#4              @ pop lr
 	bne	.Labrt
 
-	mov	r0,r2			@ AES_set_encrypt_key preserves r2,
-	mov	r1,r2			@ which is AES_KEY *key
-	b	_armv4_AES_set_enc2dec_key
-.size	AES_set_decrypt_key,.-AES_set_decrypt_key
+	stmdb   sp!,{r4-r12}
 
-@ void AES_set_enc2dec_key(const AES_KEY *inp,AES_KEY *out)
-.global	AES_set_enc2dec_key
-.type	AES_set_enc2dec_key,%function
-.align	5
-AES_set_enc2dec_key:
-_armv4_AES_set_enc2dec_key:
-	stmdb   sp!,{r4-r12,lr}
+	ldr	$rounds,[r2,#240]	@ AES_set_encrypt_key preserves r2,
+	mov	$key,r2			@ which is AES_KEY *key
+	mov	$i1,r2
+	add	$i2,r2,$rounds,lsl#4
 
-	ldr	$rounds,[r0,#240]
-	mov	$i1,r0			@ input
-	add	$i2,r0,$rounds,lsl#4
-	mov	$key,r1			@ ouput
-	add	$tbl,r1,$rounds,lsl#4
-	str	$rounds,[r1,#240]
-
-.Linv:	ldr	$s0,[$i1],#16
-	ldr	$s1,[$i1,#-12]
-	ldr	$s2,[$i1,#-8]
-	ldr	$s3,[$i1,#-4]
-	ldr	$t1,[$i2],#-16
-	ldr	$t2,[$i2,#16+4]
-	ldr	$t3,[$i2,#16+8]
-	ldr	$i3,[$i2,#16+12]
-	str	$s0,[$tbl],#-16
-	str	$s1,[$tbl,#16+4]
-	str	$s2,[$tbl,#16+8]
-	str	$s3,[$tbl,#16+12]
-	str	$t1,[$key],#16
-	str	$t2,[$key,#-12]
-	str	$t3,[$key,#-8]
-	str	$i3,[$key,#-4]
-	teq	$i1,$i2
-	bne	.Linv
-
-	ldr	$s0,[$i1]
+.Linv:	ldr	$s0,[$i1]
 	ldr	$s1,[$i1,#4]
 	ldr	$s2,[$i1,#8]
 	ldr	$s3,[$i1,#12]
-	str	$s0,[$key]
-	str	$s1,[$key,#4]
-	str	$s2,[$key,#8]
-	str	$s3,[$key,#12]
-	sub	$key,$key,$rounds,lsl#3
+	ldr	$t1,[$i2]
+	ldr	$t2,[$i2,#4]
+	ldr	$t3,[$i2,#8]
+	ldr	$i3,[$i2,#12]
+	str	$s0,[$i2],#-16
+	str	$s1,[$i2,#16+4]
+	str	$s2,[$i2,#16+8]
+	str	$s3,[$i2,#16+12]
+	str	$t1,[$i1],#16
+	str	$t2,[$i1,#-12]
+	str	$t3,[$i1,#-8]
+	str	$i3,[$i1,#-4]
+	teq	$i1,$i2
+	bne	.Linv
 ___
 $mask80=$i1;
 $mask1b=$i2;
@@ -839,7 +773,7 @@ $code.=<<___;
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
 #endif
-.size	AES_set_enc2dec_key,.-AES_set_enc2dec_key
+.size	private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
 
 .type	AES_Td,%object
 .align	5
@@ -949,11 +883,7 @@ AES_Td:
 .type   AES_decrypt,%function
 .align	5
 AES_decrypt:
-#if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_decrypt
-#else
-	adr	r3,AES_decrypt
-#endif
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
@@ -1150,9 +1080,8 @@ _armv4_AES_decrypt:
 	ldrb	$t3,[$tbl,$i3]		@ Td4[s0>>0]
 	and	$i3,lr,$s1,lsr#8
 
-	add	$s1,$tbl,$s1,lsr#24
 	ldrb	$i1,[$tbl,$i1]		@ Td4[s1>>0]
-	ldrb	$s1,[$s1]		@ Td4[s1>>24]
+	ldrb	$s1,[$tbl,$s1,lsr#24]	@ Td4[s1>>24]
 	ldrb	$i2,[$tbl,$i2]		@ Td4[s1>>16]
 	eor	$s0,$i1,$s0,lsl#24
 	ldrb	$i3,[$tbl,$i3]		@ Td4[s1>>8]
@@ -1165,8 +1094,7 @@ _armv4_AES_decrypt:
 	ldrb	$i2,[$tbl,$i2]		@ Td4[s2>>0]
 	and	$i3,lr,$s2,lsr#16
 
-	add	$s2,$tbl,$s2,lsr#24
-	ldrb	$s2,[$s2]		@ Td4[s2>>24]
+	ldrb	$s2,[$tbl,$s2,lsr#24]	@ Td4[s2>>24]
 	eor	$s0,$s0,$i1,lsl#8
 	ldrb	$i3,[$tbl,$i3]		@ Td4[s2>>16]
 	eor	$s1,$i2,$s1,lsl#16
@@ -1178,9 +1106,8 @@ _armv4_AES_decrypt:
 	ldrb	$i2,[$tbl,$i2]		@ Td4[s3>>8]
 	and	$i3,lr,$s3		@ i2
 
-	add	$s3,$tbl,$s3,lsr#24
 	ldrb	$i3,[$tbl,$i3]		@ Td4[s3>>0]
-	ldrb	$s3,[$s3]		@ Td4[s3>>24]
+	ldrb	$s3,[$tbl,$s3,lsr#24]	@ Td4[s3>>24]
 	eor	$s0,$s0,$i1,lsl#16
 	ldr	$i1,[$key,#0]
 	eor	$s1,$s1,$i2,lsl#8
@@ -1203,15 +1130,5 @@ _armv4_AES_decrypt:
 ___
 
 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
-$code =~ s/\bret\b/bx\tlr/gm;
-
-open SELF,$0;
-while(<SELF>) {
-	next if (/^#!/);
-	last if (!s/^#/@/ and !/^$/);
-	print;
-}
-close SELF;
-
 print $code;
 close STDOUT;	# enforce flush