Import OpenSSL-1.0.0a.
authorPeter Avalos <pavalos@dragonflybsd.org>
Wed, 22 Sep 2010 11:21:58 +0000 (01:21 -1000)
committerPeter Avalos <pavalos@dragonflybsd.org>
Sun, 26 Sep 2010 22:16:04 +0000 (12:16 -1000)
723 files changed:
crypto/openssl/CHANGES
crypto/openssl/FAQ
crypto/openssl/NEWS
crypto/openssl/README
crypto/openssl/README.DELETED
crypto/openssl/apps/apps.c
crypto/openssl/apps/apps.h
crypto/openssl/apps/asn1pars.c
crypto/openssl/apps/ca.c
crypto/openssl/apps/ciphers.c
crypto/openssl/apps/cms.c
crypto/openssl/apps/crl2p7.c
crypto/openssl/apps/dgst.c
crypto/openssl/apps/dh.c
crypto/openssl/apps/dhparam.c
crypto/openssl/apps/dsa.c
crypto/openssl/apps/ec.c
crypto/openssl/apps/ecparam.c
crypto/openssl/apps/enc.c
crypto/openssl/apps/engine.c
crypto/openssl/apps/errstr.c
crypto/openssl/apps/gendh.c
crypto/openssl/apps/genpkey.c [new file with mode: 0644]
crypto/openssl/apps/genrsa.c
crypto/openssl/apps/ocsp.c
crypto/openssl/apps/openssl.c
crypto/openssl/apps/openssl.cnf
crypto/openssl/apps/pkcs12.c
crypto/openssl/apps/pkcs7.c
crypto/openssl/apps/pkcs8.c
crypto/openssl/apps/pkey.c [new file with mode: 0644]
crypto/openssl/apps/pkeyparam.c [copied from crypto/openssl/crypto/x509/x509cset.c with 51% similarity]
crypto/openssl/apps/pkeyutl.c [new file with mode: 0644]
crypto/openssl/apps/prime.c
crypto/openssl/apps/progs.h
crypto/openssl/apps/req.c
crypto/openssl/apps/rsa.c
crypto/openssl/apps/rsautl.c
crypto/openssl/apps/s_apps.h
crypto/openssl/apps/s_cb.c
crypto/openssl/apps/s_client.c
crypto/openssl/apps/s_server.c
crypto/openssl/apps/s_socket.c
crypto/openssl/apps/s_time.c
crypto/openssl/apps/smime.c
crypto/openssl/apps/speed.c
crypto/openssl/apps/ts.c [new file with mode: 0644]
crypto/openssl/apps/verify.c
crypto/openssl/apps/x509.c
crypto/openssl/crypto/aes/aes.h
crypto/openssl/crypto/aes/aes_cbc.c
crypto/openssl/crypto/aes/aes_cfb.c
crypto/openssl/crypto/aes/aes_core.c
crypto/openssl/crypto/aes/aes_ctr.c
crypto/openssl/crypto/aes/aes_ige.c
crypto/openssl/crypto/aes/aes_ofb.c
crypto/openssl/crypto/asn1/a_bitstr.c
crypto/openssl/crypto/asn1/a_dup.c
crypto/openssl/crypto/asn1/a_gentm.c
crypto/openssl/crypto/asn1/a_hdr.c [deleted file]
crypto/openssl/crypto/asn1/a_int.c
crypto/openssl/crypto/asn1/a_meth.c [deleted file]
crypto/openssl/crypto/asn1/a_object.c
crypto/openssl/crypto/asn1/a_octet.c
crypto/openssl/crypto/asn1/a_set.c
crypto/openssl/crypto/asn1/a_sign.c
crypto/openssl/crypto/asn1/a_strnid.c
crypto/openssl/crypto/asn1/a_time.c
crypto/openssl/crypto/asn1/a_type.c
crypto/openssl/crypto/asn1/a_utctm.c
crypto/openssl/crypto/asn1/a_verify.c
crypto/openssl/crypto/asn1/ameth_lib.c [new file with mode: 0644]
crypto/openssl/crypto/asn1/asn1.h
crypto/openssl/crypto/asn1/asn1_err.c
crypto/openssl/crypto/asn1/asn1_gen.c
crypto/openssl/crypto/asn1/asn1_lib.c
crypto/openssl/crypto/asn1/asn1_locl.h [copied from crypto/openssl/crypto/x509v3/pcy_node.c with 52% similarity]
crypto/openssl/crypto/asn1/asn1_mac.h
crypto/openssl/crypto/asn1/asn1_par.c
crypto/openssl/crypto/asn1/asn1t.h
crypto/openssl/crypto/asn1/asn_mime.c
crypto/openssl/crypto/asn1/asn_pack.c
crypto/openssl/crypto/asn1/bio_asn1.c [new file with mode: 0644]
crypto/openssl/crypto/asn1/bio_ndef.c [new file with mode: 0644]
crypto/openssl/crypto/asn1/charmap.h
crypto/openssl/crypto/asn1/d2i_pr.c
crypto/openssl/crypto/asn1/d2i_pu.c
crypto/openssl/crypto/asn1/i2d_pr.c
crypto/openssl/crypto/asn1/nsseq.c
crypto/openssl/crypto/asn1/p5_pbe.c
crypto/openssl/crypto/asn1/p5_pbev2.c
crypto/openssl/crypto/asn1/p8_pkey.c
crypto/openssl/crypto/asn1/t_pkey.c
crypto/openssl/crypto/asn1/t_req.c
crypto/openssl/crypto/asn1/t_spki.c
crypto/openssl/crypto/asn1/t_x509.c
crypto/openssl/crypto/asn1/tasn_dec.c
crypto/openssl/crypto/asn1/tasn_enc.c
crypto/openssl/crypto/asn1/tasn_fre.c
crypto/openssl/crypto/asn1/tasn_new.c
crypto/openssl/crypto/asn1/tasn_prn.c [new file with mode: 0644]
crypto/openssl/crypto/asn1/tasn_typ.c
crypto/openssl/crypto/asn1/x_crl.c
crypto/openssl/crypto/asn1/x_long.c
crypto/openssl/crypto/asn1/x_name.c
crypto/openssl/crypto/asn1/x_nx509.c [copied from crypto/openssl/crypto/pem/pem_x509.c with 86% similarity]
crypto/openssl/crypto/asn1/x_pubkey.c
crypto/openssl/crypto/asn1/x_req.c
crypto/openssl/crypto/asn1/x_x509.c
crypto/openssl/crypto/bf/bf_skey.c
crypto/openssl/crypto/bf/blowfish.h
crypto/openssl/crypto/bio/b_print.c
crypto/openssl/crypto/bio/b_sock.c
crypto/openssl/crypto/bio/bio.h
crypto/openssl/crypto/bio/bio_cb.c
crypto/openssl/crypto/bio/bio_err.c
crypto/openssl/crypto/bio/bio_lcl.h
crypto/openssl/crypto/bio/bio_lib.c
crypto/openssl/crypto/bio/bss_acpt.c
crypto/openssl/crypto/bio/bss_dgram.c
crypto/openssl/crypto/bio/bss_fd.c
crypto/openssl/crypto/bio/bss_file.c
crypto/openssl/crypto/bio/bss_log.c
crypto/openssl/crypto/bio/bss_mem.c
crypto/openssl/crypto/bio/bss_sock.c
crypto/openssl/crypto/bn/bn.h
crypto/openssl/crypto/bn/bn_asm.c
crypto/openssl/crypto/bn/bn_blind.c
crypto/openssl/crypto/bn/bn_ctx.c
crypto/openssl/crypto/bn/bn_div.c
crypto/openssl/crypto/bn/bn_gf2m.c
crypto/openssl/crypto/bn/bn_lcl.h
crypto/openssl/crypto/bn/bn_lib.c
crypto/openssl/crypto/bn/bn_mont.c
crypto/openssl/crypto/bn/bn_opt.c [deleted file]
crypto/openssl/crypto/bn/bn_print.c
crypto/openssl/crypto/bn/bn_x931p.c [deleted file]
crypto/openssl/crypto/buffer/buf_err.c
crypto/openssl/crypto/buffer/buffer.c
crypto/openssl/crypto/buffer/buffer.h
crypto/openssl/crypto/camellia/camellia.c
crypto/openssl/crypto/camellia/camellia.h
crypto/openssl/crypto/camellia/cmll_cbc.c
crypto/openssl/crypto/camellia/cmll_cfb.c
crypto/openssl/crypto/camellia/cmll_ctr.c
crypto/openssl/crypto/camellia/cmll_locl.h
crypto/openssl/crypto/camellia/cmll_misc.c
crypto/openssl/crypto/camellia/cmll_ofb.c
crypto/openssl/crypto/cast/c_skey.c
crypto/openssl/crypto/cast/cast.h
crypto/openssl/crypto/cms/cms.h
crypto/openssl/crypto/cms/cms_asn1.c
crypto/openssl/crypto/cms/cms_env.c
crypto/openssl/crypto/cms/cms_err.c
crypto/openssl/crypto/cms/cms_ess.c
crypto/openssl/crypto/cms/cms_io.c
crypto/openssl/crypto/cms/cms_lcl.h
crypto/openssl/crypto/cms/cms_lib.c
crypto/openssl/crypto/cms/cms_sd.c
crypto/openssl/crypto/cms/cms_smime.c
crypto/openssl/crypto/comp/c_zlib.c
crypto/openssl/crypto/comp/comp_err.c
crypto/openssl/crypto/conf/README
crypto/openssl/crypto/conf/conf.h
crypto/openssl/crypto/conf/conf_api.c
crypto/openssl/crypto/conf/conf_def.c
crypto/openssl/crypto/conf/conf_err.c
crypto/openssl/crypto/conf/conf_lib.c
crypto/openssl/crypto/conf/conf_mall.c
crypto/openssl/crypto/conf/conf_mod.c
crypto/openssl/crypto/cpt_err.c
crypto/openssl/crypto/cryptlib.c
crypto/openssl/crypto/crypto.h
crypto/openssl/crypto/des/des_enc.c
crypto/openssl/crypto/des/des_lib.c [deleted file]
crypto/openssl/crypto/des/des_locl.h
crypto/openssl/crypto/des/ecb_enc.c
crypto/openssl/crypto/des/enc_read.c
crypto/openssl/crypto/des/enc_writ.c
crypto/openssl/crypto/des/fcrypt_b.c
crypto/openssl/crypto/des/rpc_des.h
crypto/openssl/crypto/des/set_key.c
crypto/openssl/crypto/des/xcbc_enc.c
crypto/openssl/crypto/dh/dh.h
crypto/openssl/crypto/dh/dh_ameth.c [new file with mode: 0644]
crypto/openssl/crypto/dh/dh_asn1.c
crypto/openssl/crypto/dh/dh_check.c
crypto/openssl/crypto/dh/dh_err.c
crypto/openssl/crypto/dh/dh_gen.c
crypto/openssl/crypto/dh/dh_key.c
crypto/openssl/crypto/dh/dh_pmeth.c [new file with mode: 0644]
crypto/openssl/crypto/dh/dh_prn.c [moved from crypto/openssl/crypto/err/err_bio.c with 89% similarity]
crypto/openssl/crypto/dsa/dsa.h
crypto/openssl/crypto/dsa/dsa_ameth.c [new file with mode: 0644]
crypto/openssl/crypto/dsa/dsa_asn1.c
crypto/openssl/crypto/dsa/dsa_err.c
crypto/openssl/crypto/dsa/dsa_gen.c
crypto/openssl/crypto/dsa/dsa_key.c
crypto/openssl/crypto/dsa/dsa_lib.c
crypto/openssl/crypto/dsa/dsa_locl.h [copied from crypto/openssl/crypto/o_time.h with 82% similarity]
crypto/openssl/crypto/dsa/dsa_ossl.c
crypto/openssl/crypto/dsa/dsa_pmeth.c [new file with mode: 0644]
crypto/openssl/crypto/dsa/dsa_prn.c [copied from crypto/openssl/crypto/pem/pem_x509.c with 69% similarity]
crypto/openssl/crypto/dsa/dsa_sign.c
crypto/openssl/crypto/dsa/dsa_utl.c [deleted file]
crypto/openssl/crypto/dsa/dsa_vrf.c
crypto/openssl/crypto/dso/dso.h
crypto/openssl/crypto/dso/dso_dl.c
crypto/openssl/crypto/dso/dso_dlfcn.c
crypto/openssl/crypto/dso/dso_err.c
crypto/openssl/crypto/dso/dso_lib.c
crypto/openssl/crypto/dso/dso_null.c
crypto/openssl/crypto/dso/dso_openssl.c
crypto/openssl/crypto/dyn_lck.c [deleted file]
crypto/openssl/crypto/ec/ec.h
crypto/openssl/crypto/ec/ec2_mult.c
crypto/openssl/crypto/ec/ec2_smpl.c
crypto/openssl/crypto/ec/ec2_smpt.c [deleted file]
crypto/openssl/crypto/ec/ec_ameth.c [new file with mode: 0644]
crypto/openssl/crypto/ec/ec_curve.c
crypto/openssl/crypto/ec/ec_err.c
crypto/openssl/crypto/ec/ec_lcl.h
crypto/openssl/crypto/ec/ec_lib.c
crypto/openssl/crypto/ec/ec_mult.c
crypto/openssl/crypto/ec/ec_pmeth.c [new file with mode: 0644]
crypto/openssl/crypto/ec/eck_prn.c [new file with mode: 0644]
crypto/openssl/crypto/ec/ecp_nist.c
crypto/openssl/crypto/ecdh/ech_err.c
crypto/openssl/crypto/ecdsa/ecdsa.h
crypto/openssl/crypto/ecdsa/ecs_err.c
crypto/openssl/crypto/engine/eng_all.c
crypto/openssl/crypto/engine/eng_cryptodev.c
crypto/openssl/crypto/engine/eng_dyn.c
crypto/openssl/crypto/engine/eng_err.c
crypto/openssl/crypto/engine/eng_fat.c
crypto/openssl/crypto/engine/eng_int.h
crypto/openssl/crypto/engine/eng_lib.c
crypto/openssl/crypto/engine/eng_list.c
crypto/openssl/crypto/engine/eng_openssl.c
crypto/openssl/crypto/engine/eng_table.c
crypto/openssl/crypto/engine/engine.h
crypto/openssl/crypto/engine/tb_asnmth.c [new file with mode: 0644]
crypto/openssl/crypto/engine/tb_pkmeth.c [copied from crypto/openssl/crypto/x509/x509cset.c with 50% similarity]
crypto/openssl/crypto/err/err.c
crypto/openssl/crypto/err/err.h
crypto/openssl/crypto/err/err_all.c
crypto/openssl/crypto/err/err_def.c [deleted file]
crypto/openssl/crypto/err/err_prn.c
crypto/openssl/crypto/err/err_str.c [deleted file]
crypto/openssl/crypto/evp/bio_b64.c
crypto/openssl/crypto/evp/bio_enc.c
crypto/openssl/crypto/evp/bio_md.c
crypto/openssl/crypto/evp/c_all.c
crypto/openssl/crypto/evp/c_allc.c
crypto/openssl/crypto/evp/c_alld.c
crypto/openssl/crypto/evp/digest.c
crypto/openssl/crypto/evp/e_aes.c
crypto/openssl/crypto/evp/e_camellia.c
crypto/openssl/crypto/evp/e_des.c
crypto/openssl/crypto/evp/e_des3.c
crypto/openssl/crypto/evp/e_idea.c
crypto/openssl/crypto/evp/e_null.c
crypto/openssl/crypto/evp/e_rc2.c
crypto/openssl/crypto/evp/e_rc4.c
crypto/openssl/crypto/evp/e_seed.c [copied from crypto/openssl/crypto/o_init.c with 76% similarity]
crypto/openssl/crypto/evp/e_xcbc_d.c
crypto/openssl/crypto/evp/enc_min.c [deleted file]
crypto/openssl/crypto/evp/encode.c
crypto/openssl/crypto/evp/evp.h
crypto/openssl/crypto/evp/evp_enc.c
crypto/openssl/crypto/evp/evp_err.c
crypto/openssl/crypto/evp/evp_key.c
crypto/openssl/crypto/evp/evp_lib.c
crypto/openssl/crypto/evp/evp_locl.h
crypto/openssl/crypto/evp/evp_pbe.c
crypto/openssl/crypto/evp/evp_pkey.c
crypto/openssl/crypto/evp/m_dss.c
crypto/openssl/crypto/evp/m_dss1.c
crypto/openssl/crypto/evp/m_ecdsa.c
crypto/openssl/crypto/evp/m_md2.c
crypto/openssl/crypto/evp/m_md4.c
crypto/openssl/crypto/evp/m_md5.c
crypto/openssl/crypto/evp/m_mdc2.c
crypto/openssl/crypto/evp/m_sha.c
crypto/openssl/crypto/evp/m_sha1.c
crypto/openssl/crypto/evp/m_sigver.c [new file with mode: 0644]
crypto/openssl/crypto/evp/m_wp.c [new file with mode: 0644]
crypto/openssl/crypto/evp/names.c
crypto/openssl/crypto/evp/p5_crpt.c
crypto/openssl/crypto/evp/p5_crpt2.c
crypto/openssl/crypto/evp/p_dec.c
crypto/openssl/crypto/evp/p_enc.c
crypto/openssl/crypto/evp/p_lib.c
crypto/openssl/crypto/evp/p_open.c
crypto/openssl/crypto/evp/p_seal.c
crypto/openssl/crypto/evp/p_sign.c
crypto/openssl/crypto/evp/p_verify.c
crypto/openssl/crypto/evp/pmeth_fn.c [new file with mode: 0644]
crypto/openssl/crypto/evp/pmeth_gn.c [new file with mode: 0644]
crypto/openssl/crypto/evp/pmeth_lib.c [new file with mode: 0644]
crypto/openssl/crypto/ex_data.c
crypto/openssl/crypto/fips_err.c [deleted file]
crypto/openssl/crypto/fips_err.h [deleted file]
crypto/openssl/crypto/hmac/hm_ameth.c [copied from crypto/openssl/crypto/evp/evp_cnf.c with 59% similarity]
crypto/openssl/crypto/hmac/hm_pmeth.c [new file with mode: 0644]
crypto/openssl/crypto/hmac/hmac.c
crypto/openssl/crypto/hmac/hmac.h
crypto/openssl/crypto/idea/i_skey.c
crypto/openssl/crypto/idea/idea.h
crypto/openssl/crypto/krb5/krb5_asn.c [deleted file]
crypto/openssl/crypto/krb5/krb5_asn.h [deleted file]
crypto/openssl/crypto/lhash/lh_stats.c
crypto/openssl/crypto/lhash/lhash.c
crypto/openssl/crypto/lhash/lhash.h
crypto/openssl/crypto/md2/md2.h [deleted file]
crypto/openssl/crypto/md2/md2_dgst.c [deleted file]
crypto/openssl/crypto/md2/md2_one.c [deleted file]
crypto/openssl/crypto/md32_common.h
crypto/openssl/crypto/md4/md4.h
crypto/openssl/crypto/md4/md4_dgst.c
crypto/openssl/crypto/md5/md5.h
crypto/openssl/crypto/md5/md5_dgst.c
crypto/openssl/crypto/md5/md5_locl.h
crypto/openssl/crypto/mdc2/mdc2.h
crypto/openssl/crypto/mdc2/mdc2dgst.c
crypto/openssl/crypto/mem.c
crypto/openssl/crypto/mem_dbg.c
crypto/openssl/crypto/modes/cbc128.c [new file with mode: 0644]
crypto/openssl/crypto/modes/cfb128.c [new file with mode: 0644]
crypto/openssl/crypto/modes/ctr128.c [copied from crypto/openssl/crypto/camellia/cmll_ctr.c with 58% similarity]
crypto/openssl/crypto/modes/cts128.c [new file with mode: 0644]
crypto/openssl/crypto/modes/modes.h [new file with mode: 0644]
crypto/openssl/crypto/modes/ofb128.c [moved from crypto/openssl/crypto/o_init.c with 58% similarity]
crypto/openssl/crypto/o_time.c
crypto/openssl/crypto/o_time.h
crypto/openssl/crypto/objects/o_names.c
crypto/openssl/crypto/objects/obj_dat.c
crypto/openssl/crypto/objects/obj_dat.h
crypto/openssl/crypto/objects/obj_err.c
crypto/openssl/crypto/objects/obj_lib.c
crypto/openssl/crypto/objects/obj_xref.c [new file with mode: 0644]
crypto/openssl/crypto/objects/obj_xref.h [new file with mode: 0644]
crypto/openssl/crypto/objects/objects.h
crypto/openssl/crypto/ocsp/ocsp.h
crypto/openssl/crypto/ocsp/ocsp_cl.c
crypto/openssl/crypto/ocsp/ocsp_err.c
crypto/openssl/crypto/ocsp/ocsp_ext.c
crypto/openssl/crypto/ocsp/ocsp_ht.c
crypto/openssl/crypto/ocsp/ocsp_lib.c
crypto/openssl/crypto/ocsp/ocsp_prn.c
crypto/openssl/crypto/ocsp/ocsp_vfy.c
crypto/openssl/crypto/opensslv.h
crypto/openssl/crypto/ossl_typ.h
crypto/openssl/crypto/pem/pem.h
crypto/openssl/crypto/pem/pem_all.c
crypto/openssl/crypto/pem/pem_err.c
crypto/openssl/crypto/pem/pem_info.c
crypto/openssl/crypto/pem/pem_lib.c
crypto/openssl/crypto/pem/pem_pkey.c
crypto/openssl/crypto/pem/pem_x509.c
crypto/openssl/crypto/pem/pem_xaux.c
crypto/openssl/crypto/pem/pvkfmt.c [new file with mode: 0644]
crypto/openssl/crypto/pkcs12/p12_add.c
crypto/openssl/crypto/pkcs12/p12_attr.c
crypto/openssl/crypto/pkcs12/p12_crpt.c
crypto/openssl/crypto/pkcs12/p12_crt.c
crypto/openssl/crypto/pkcs12/p12_key.c
crypto/openssl/crypto/pkcs12/p12_kiss.c
crypto/openssl/crypto/pkcs12/p12_mutl.c
crypto/openssl/crypto/pkcs12/p12_npas.c
crypto/openssl/crypto/pkcs12/p12_utl.c
crypto/openssl/crypto/pkcs12/pk12err.c
crypto/openssl/crypto/pkcs12/pkcs12.h
crypto/openssl/crypto/pkcs7/bio_pk7.c [moved from crypto/openssl/crypto/rc4/rc4_fblk.c with 84% similarity]
crypto/openssl/crypto/pkcs7/pk7_asn1.c
crypto/openssl/crypto/pkcs7/pk7_attr.c
crypto/openssl/crypto/pkcs7/pk7_doit.c
crypto/openssl/crypto/pkcs7/pk7_lib.c
crypto/openssl/crypto/pkcs7/pk7_mime.c
crypto/openssl/crypto/pkcs7/pk7_smime.c
crypto/openssl/crypto/pkcs7/pkcs7.h
crypto/openssl/crypto/pkcs7/pkcs7err.c
crypto/openssl/crypto/pqueue/pq_compat.h [deleted file]
crypto/openssl/crypto/pqueue/pqueue.c
crypto/openssl/crypto/pqueue/pqueue.h
crypto/openssl/crypto/rand/md_rand.c
crypto/openssl/crypto/rand/rand.h
crypto/openssl/crypto/rand/rand_egd.c
crypto/openssl/crypto/rand/rand_eng.c [deleted file]
crypto/openssl/crypto/rand/rand_err.c
crypto/openssl/crypto/rand/rand_lcl.h
crypto/openssl/crypto/rand/rand_lib.c
crypto/openssl/crypto/rand/rand_unix.c
crypto/openssl/crypto/rand/randfile.c
crypto/openssl/crypto/rc2/rc2.h
crypto/openssl/crypto/rc2/rc2_skey.c
crypto/openssl/crypto/rc4/rc4.h
crypto/openssl/crypto/rc4/rc4_enc.c
crypto/openssl/crypto/rc4/rc4_skey.c
crypto/openssl/crypto/rc5/rc5.h [deleted file]
crypto/openssl/crypto/rc5/rc5_ecb.c [deleted file]
crypto/openssl/crypto/rc5/rc5_enc.c [deleted file]
crypto/openssl/crypto/rc5/rc5_locl.h [deleted file]
crypto/openssl/crypto/rc5/rc5_skey.c [deleted file]
crypto/openssl/crypto/rc5/rc5cfb64.c [deleted file]
crypto/openssl/crypto/rc5/rc5ofb64.c [deleted file]
crypto/openssl/crypto/ripemd/ripemd.h
crypto/openssl/crypto/ripemd/rmd_dgst.c
crypto/openssl/crypto/ripemd/rmd_locl.h
crypto/openssl/crypto/rsa/rsa.h
crypto/openssl/crypto/rsa/rsa_ameth.c [new file with mode: 0644]
crypto/openssl/crypto/rsa/rsa_asn1.c
crypto/openssl/crypto/rsa/rsa_eay.c
crypto/openssl/crypto/rsa/rsa_eng.c [deleted file]
crypto/openssl/crypto/rsa/rsa_err.c
crypto/openssl/crypto/rsa/rsa_gen.c
crypto/openssl/crypto/rsa/rsa_lib.c
crypto/openssl/crypto/rsa/rsa_locl.h [new file with mode: 0644]
crypto/openssl/crypto/rsa/rsa_oaep.c
crypto/openssl/crypto/rsa/rsa_pmeth.c [new file with mode: 0644]
crypto/openssl/crypto/rsa/rsa_prn.c [copied from crypto/openssl/crypto/pem/pem_x509.c with 80% similarity]
crypto/openssl/crypto/rsa/rsa_pss.c
crypto/openssl/crypto/rsa/rsa_sign.c
crypto/openssl/crypto/rsa/rsa_x931g.c [deleted file]
crypto/openssl/crypto/seed/seed.c [new file with mode: 0644]
crypto/openssl/crypto/seed/seed.h [copied from crypto/openssl/crypto/evp/m_ecdsa.c with 52% similarity]
crypto/openssl/crypto/seed/seed_cbc.c [copied from crypto/openssl/crypto/o_time.h with 75% similarity]
crypto/openssl/crypto/seed/seed_cfb.c [moved from crypto/openssl/crypto/evp/dig_eng.c with 74% similarity]
crypto/openssl/crypto/seed/seed_ecb.c [copied from crypto/openssl/crypto/o_time.h with 76% similarity]
crypto/openssl/crypto/seed/seed_locl.h [new file with mode: 0644]
crypto/openssl/crypto/seed/seed_ofb.c [copied from crypto/openssl/crypto/aes/aes_ofb.c with 86% similarity]
crypto/openssl/crypto/sha/sha.h
crypto/openssl/crypto/sha/sha1_one.c
crypto/openssl/crypto/sha/sha1dgst.c
crypto/openssl/crypto/sha/sha256.c
crypto/openssl/crypto/sha/sha512.c
crypto/openssl/crypto/sha/sha_dgst.c
crypto/openssl/crypto/sha/sha_locl.h
crypto/openssl/crypto/stack/safestack.h
crypto/openssl/crypto/stack/stack.c
crypto/openssl/crypto/stack/stack.h
crypto/openssl/crypto/store/README [deleted file]
crypto/openssl/crypto/store/store.h [deleted file]
crypto/openssl/crypto/store/str_err.c [deleted file]
crypto/openssl/crypto/store/str_lib.c [deleted file]
crypto/openssl/crypto/store/str_locl.h [deleted file]
crypto/openssl/crypto/store/str_mem.c [deleted file]
crypto/openssl/crypto/store/str_meth.c [deleted file]
crypto/openssl/crypto/symhacks.h
crypto/openssl/crypto/tmdiff.c [deleted file]
crypto/openssl/crypto/tmdiff.h [deleted file]
crypto/openssl/crypto/ts/ts.h [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_asn1.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_conf.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_err.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_lib.c [moved from crypto/openssl/crypto/evp/evp_cnf.c with 57% similarity]
crypto/openssl/crypto/ts/ts_req_print.c [copied from crypto/openssl/crypto/dh/dh_asn1.c with 72% similarity]
crypto/openssl/crypto/ts/ts_req_utils.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_rsp_print.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_rsp_sign.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_rsp_utils.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_rsp_verify.c [new file with mode: 0644]
crypto/openssl/crypto/ts/ts_verify_ctx.c [moved from crypto/openssl/crypto/buffer/buf_str.c with 52% similarity]
crypto/openssl/crypto/txt_db/txt_db.c
crypto/openssl/crypto/txt_db/txt_db.h
crypto/openssl/crypto/ui/ui.h
crypto/openssl/crypto/ui/ui_err.c
crypto/openssl/crypto/ui/ui_lib.c
crypto/openssl/crypto/ui/ui_openssl.c
crypto/openssl/crypto/whrlpool/whrlpool.h [new file with mode: 0644]
crypto/openssl/crypto/whrlpool/wp_block.c [new file with mode: 0644]
crypto/openssl/crypto/whrlpool/wp_dgst.c [new file with mode: 0644]
crypto/openssl/crypto/whrlpool/wp_locl.h [new file with mode: 0644]
crypto/openssl/crypto/x509/by_dir.c
crypto/openssl/crypto/x509/by_file.c
crypto/openssl/crypto/x509/x509.h
crypto/openssl/crypto/x509/x509_cmp.c
crypto/openssl/crypto/x509/x509_err.c
crypto/openssl/crypto/x509/x509_lu.c
crypto/openssl/crypto/x509/x509_obj.c
crypto/openssl/crypto/x509/x509_req.c
crypto/openssl/crypto/x509/x509_set.c
crypto/openssl/crypto/x509/x509_trs.c
crypto/openssl/crypto/x509/x509_txt.c
crypto/openssl/crypto/x509/x509_vfy.c
crypto/openssl/crypto/x509/x509_vfy.h
crypto/openssl/crypto/x509/x509_vpm.c
crypto/openssl/crypto/x509/x509cset.c
crypto/openssl/crypto/x509/x509name.c
crypto/openssl/crypto/x509/x509type.c
crypto/openssl/crypto/x509/x_all.c
crypto/openssl/crypto/x509v3/ext_dat.h
crypto/openssl/crypto/x509v3/pcy_cache.c
crypto/openssl/crypto/x509v3/pcy_data.c
crypto/openssl/crypto/x509v3/pcy_int.h
crypto/openssl/crypto/x509v3/pcy_map.c
crypto/openssl/crypto/x509v3/pcy_node.c
crypto/openssl/crypto/x509v3/pcy_tree.c
crypto/openssl/crypto/x509v3/v3_addr.c
crypto/openssl/crypto/x509v3/v3_alt.c
crypto/openssl/crypto/x509v3/v3_asid.c
crypto/openssl/crypto/x509v3/v3_conf.c
crypto/openssl/crypto/x509v3/v3_cpols.c
crypto/openssl/crypto/x509v3/v3_crld.c
crypto/openssl/crypto/x509v3/v3_enum.c
crypto/openssl/crypto/x509v3/v3_extku.c
crypto/openssl/crypto/x509v3/v3_genn.c
crypto/openssl/crypto/x509v3/v3_lib.c
crypto/openssl/crypto/x509v3/v3_ncons.c
crypto/openssl/crypto/x509v3/v3_ocsp.c
crypto/openssl/crypto/x509v3/v3_pci.c
crypto/openssl/crypto/x509v3/v3_pcons.c
crypto/openssl/crypto/x509v3/v3_pmaps.c
crypto/openssl/crypto/x509v3/v3_prn.c
crypto/openssl/crypto/x509v3/v3_purp.c
crypto/openssl/crypto/x509v3/v3_utl.c
crypto/openssl/crypto/x509v3/v3err.c
crypto/openssl/crypto/x509v3/x509v3.h
crypto/openssl/doc/apps/asn1parse.pod
crypto/openssl/doc/apps/ca.pod
crypto/openssl/doc/apps/ciphers.pod
crypto/openssl/doc/apps/cms.pod [new file with mode: 0644]
crypto/openssl/doc/apps/dgst.pod
crypto/openssl/doc/apps/dhparam.pod
crypto/openssl/doc/apps/dsa.pod
crypto/openssl/doc/apps/dsaparam.pod
crypto/openssl/doc/apps/ec.pod
crypto/openssl/doc/apps/ecparam.pod
crypto/openssl/doc/apps/enc.pod
crypto/openssl/doc/apps/gendsa.pod
crypto/openssl/doc/apps/genpkey.pod [new file with mode: 0644]
crypto/openssl/doc/apps/genrsa.pod
crypto/openssl/doc/apps/ocsp.pod
crypto/openssl/doc/apps/openssl.pod
crypto/openssl/doc/apps/pkcs12.pod
crypto/openssl/doc/apps/pkcs7.pod
crypto/openssl/doc/apps/pkcs8.pod
crypto/openssl/doc/apps/pkey.pod [new file with mode: 0644]
crypto/openssl/doc/apps/pkeyparam.pod [new file with mode: 0644]
crypto/openssl/doc/apps/pkeyutl.pod [new file with mode: 0644]
crypto/openssl/doc/apps/req.pod
crypto/openssl/doc/apps/rsa.pod
crypto/openssl/doc/apps/s_client.pod
crypto/openssl/doc/apps/s_server.pod
crypto/openssl/doc/apps/smime.pod
crypto/openssl/doc/apps/speed.pod
crypto/openssl/doc/apps/spkac.pod
crypto/openssl/doc/apps/ts.pod [new file with mode: 0644]
crypto/openssl/doc/apps/tsget.pod [new file with mode: 0644]
crypto/openssl/doc/apps/verify.pod
crypto/openssl/doc/apps/x509.pod
crypto/openssl/doc/apps/x509v3_config.pod
crypto/openssl/doc/crypto/ASN1_OBJECT_new.pod
crypto/openssl/doc/crypto/ASN1_STRING_length.pod
crypto/openssl/doc/crypto/ASN1_STRING_new.pod
crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
crypto/openssl/doc/crypto/BIO_f_buffer.pod
crypto/openssl/doc/crypto/BIO_f_md.pod
crypto/openssl/doc/crypto/BIO_f_ssl.pod
crypto/openssl/doc/crypto/BIO_new_CMS.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/BIO_s_file.pod
crypto/openssl/doc/crypto/BIO_s_mem.pod
crypto/openssl/doc/crypto/BIO_should_retry.pod
crypto/openssl/doc/crypto/BN_BLINDING_new.pod
crypto/openssl/doc/crypto/CMS_add0_cert.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_add1_recipient_cert.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_compress.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_decrypt.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_encrypt.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_final.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_get0_RecipientInfos.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_get0_SignerInfos.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_get0_type.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_sign.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_sign_add1_signer.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_sign_receipt.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_uncompress.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_verify.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CMS_verify_receipt.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/CRYPTO_set_ex_data.pod
crypto/openssl/doc/crypto/DSA_get_ex_new_index.pod
crypto/openssl/doc/crypto/EVP_DigestInit.pod
crypto/openssl/doc/crypto/EVP_DigestSignInit.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_CTX_ctrl.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_CTX_new.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_cmp.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_decrypt.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_derive.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_get_default_digest.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_keygen.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_print_private.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_sign.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_verify.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_PKEY_verifyrecover.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/EVP_SignInit.pod
crypto/openssl/doc/crypto/EVP_VerifyInit.pod
crypto/openssl/doc/crypto/OBJ_nid2obj.pod
crypto/openssl/doc/crypto/PEM_write_bio_CMS_stream.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/PEM_write_bio_PKCS7_stream.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/PKCS7_decrypt.pod
crypto/openssl/doc/crypto/PKCS7_encrypt.pod
crypto/openssl/doc/crypto/PKCS7_sign.pod
crypto/openssl/doc/crypto/PKCS7_sign_add_signer.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/PKCS7_verify.pod
crypto/openssl/doc/crypto/SMIME_read_CMS.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/SMIME_read_PKCS7.pod
crypto/openssl/doc/crypto/SMIME_write_CMS.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
crypto/openssl/doc/crypto/X509_STORE_CTX_get_error.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/X509_STORE_CTX_new.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/X509_STORE_CTX_set_verify_cb.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/X509_STORE_set_verify_cb_func.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/X509_new.pod
crypto/openssl/doc/crypto/X509_verify_cert.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/bn_internal.pod
crypto/openssl/doc/crypto/d2i_RSAPublicKey.pod
crypto/openssl/doc/crypto/evp.pod
crypto/openssl/doc/crypto/hmac.pod
crypto/openssl/doc/crypto/i2d_CMS_bio_stream.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/i2d_PKCS7_bio_stream.pod [new file with mode: 0644]
crypto/openssl/doc/crypto/lhash.pod
crypto/openssl/doc/crypto/threads.pod
crypto/openssl/doc/crypto/ui_compat.pod
crypto/openssl/doc/ssl/SSL_CTX_new.pod
crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
crypto/openssl/doc/ssl/SSL_CTX_set_psk_client_callback.pod [new file with mode: 0644]
crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
crypto/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod [new file with mode: 0644]
crypto/openssl/doc/ssl/SSL_get_psk_identity.pod [new file with mode: 0644]
crypto/openssl/doc/ssl/SSL_library_init.pod
crypto/openssl/doc/ssl/ssl.pod
crypto/openssl/e_os.h
crypto/openssl/e_os2.h
crypto/openssl/engines/ccgost/README.gost [new file with mode: 0644]
crypto/openssl/engines/ccgost/e_gost_err.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/e_gost_err.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost2001.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost2001_keyx.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost2001_keyx.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost89.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost89.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost94_keyx.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_ameth.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_asn1.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_crypt.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_ctl.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_eng.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_keywrap.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_keywrap.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_lcl.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_md.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_params.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_params.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_pmeth.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gost_sign.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gosthash.c [new file with mode: 0644]
crypto/openssl/engines/ccgost/gosthash.h [new file with mode: 0644]
crypto/openssl/engines/ccgost/gostsum.c [new file with mode: 0644]
crypto/openssl/engines/e_4758cca.c
crypto/openssl/engines/e_aep.c
crypto/openssl/engines/e_capi.c [new file with mode: 0644]
crypto/openssl/engines/e_capi_err.c [new file with mode: 0644]
crypto/openssl/engines/e_capi_err.h [new file with mode: 0644]
crypto/openssl/engines/e_chil.c
crypto/openssl/engines/e_gmp.c
crypto/openssl/engines/e_padlock.c [moved from crypto/openssl/crypto/engine/eng_padlock.c with 98% similarity]
crypto/openssl/engines/e_sureware.c
crypto/openssl/engines/e_ubsec.c
crypto/openssl/ssl/bio_ssl.c
crypto/openssl/ssl/d1_both.c
crypto/openssl/ssl/d1_clnt.c
crypto/openssl/ssl/d1_enc.c
crypto/openssl/ssl/d1_lib.c
crypto/openssl/ssl/d1_meth.c
crypto/openssl/ssl/d1_pkt.c
crypto/openssl/ssl/d1_srvr.c
crypto/openssl/ssl/dtls1.h
crypto/openssl/ssl/kssl.c
crypto/openssl/ssl/kssl_lcl.h
crypto/openssl/ssl/s23_clnt.c
crypto/openssl/ssl/s23_lib.c
crypto/openssl/ssl/s23_meth.c
crypto/openssl/ssl/s23_srvr.c
crypto/openssl/ssl/s2_clnt.c
crypto/openssl/ssl/s2_enc.c
crypto/openssl/ssl/s2_lib.c
crypto/openssl/ssl/s2_meth.c
crypto/openssl/ssl/s2_pkt.c
crypto/openssl/ssl/s2_srvr.c
crypto/openssl/ssl/s3_both.c
crypto/openssl/ssl/s3_clnt.c
crypto/openssl/ssl/s3_enc.c
crypto/openssl/ssl/s3_lib.c
crypto/openssl/ssl/s3_meth.c
crypto/openssl/ssl/s3_pkt.c
crypto/openssl/ssl/s3_srvr.c
crypto/openssl/ssl/ssl.h
crypto/openssl/ssl/ssl3.h
crypto/openssl/ssl/ssl_algs.c
crypto/openssl/ssl/ssl_asn1.c
crypto/openssl/ssl/ssl_cert.c
crypto/openssl/ssl/ssl_ciph.c
crypto/openssl/ssl/ssl_err.c
crypto/openssl/ssl/ssl_lib.c
crypto/openssl/ssl/ssl_locl.h
crypto/openssl/ssl/ssl_sess.c
crypto/openssl/ssl/ssl_stat.c
crypto/openssl/ssl/ssl_txt.c
crypto/openssl/ssl/t1_clnt.c
crypto/openssl/ssl/t1_enc.c
crypto/openssl/ssl/t1_lib.c
crypto/openssl/ssl/t1_meth.c
crypto/openssl/ssl/t1_srvr.c
crypto/openssl/ssl/tls1.h

index 97b3810..b139cf6 100644 (file)
@@ -2,6 +2,879 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
+
+  *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
+     (CVE-2010-1633)
+     [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
+
+ Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
+
+  *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
+     context. The operation can be customised via the ctrl mechanism in
+     case ENGINEs want to include additional functionality.
+     [Steve Henson]
+
+  *) Tolerate yet another broken PKCS#8 key format: private key value negative.
+     [Steve Henson]
+
+  *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
+     output hashes compatible with older versions of OpenSSL.
+     [Willy Weisz <weisz@vcpc.univie.ac.at>]
+
+  *) Fix compression algorithm handling: if resuming a session use the
+     compression algorithm of the resumed session instead of determining
+     it from client hello again. Don't allow server to change algorithm.
+     [Steve Henson]
+
+  *) Add load_crls() function to apps tidying load_certs() too. Add option
+     to verify utility to allow additional CRLs to be included.
+     [Steve Henson]
+
+  *) Update OCSP request code to permit adding custom headers to the request:
+     some responders need this.
+     [Steve Henson]
+
+  *) The function EVP_PKEY_sign() returns <=0 on error: check return code
+     correctly.
+     [Julia Lawall <julia@diku.dk>]
+
+  *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
+     needlessly dereferenced structures, used obsolete functions and
+     didn't handle all updated verify codes correctly.
+     [Steve Henson]
+
+  *) Disable MD2 in the default configuration.
+     [Steve Henson]
+
+  *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
+     indicate the initial BIO being pushed or popped. This makes it possible
+     to determine whether the BIO is the one explicitly called or as a result
+     of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
+     it handles reference counts correctly and doesn't zero out the I/O bio
+     when it is not being explicitly popped. WARNING: applications which
+     included workarounds for the old buggy behaviour will need to be modified
+     or they could free up already freed BIOs.
+     [Steve Henson]
+
+  *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
+     renaming to all platforms (within the 0.9.8 branch, this was
+     done conditionally on Netware platforms to avoid a name clash).
+     [Guenter <lists@gknw.net>]
+
+  *) Add ECDHE and PSK support to DTLS.
+     [Michael Tuexen <tuexen@fh-muenster.de>]
+
+  *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
+     be used on C++.
+     [Steve Henson]
+
+  *) Add "missing" function EVP_MD_flags() (without this the only way to
+     retrieve a digest flags is by accessing the structure directly. Update
+     EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
+     or cipher is registered as in the "from" argument. Print out all
+     registered digests in the dgst usage message instead of manually 
+     attempting to work them out.
+     [Steve Henson]
+
+  *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
+     this allows the use of compression and extensions. Change default cipher
+     string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
+     by default unless an application cipher string requests it.
+     [Steve Henson]
+
+  *) Alter match criteria in PKCS12_parse(). It used to try to use local
+     key ids to find matching certificates and keys but some PKCS#12 files
+     don't follow the (somewhat unwritten) rules and this strategy fails.
+     Now just gather all certificates together and the first private key
+     then look for the first certificate that matches the key.
+     [Steve Henson]
+
+  *) Support use of registered digest and cipher names for dgst and cipher
+     commands instead of having to add each one as a special case. So now
+     you can do:
+
+        openssl sha256 foo
+
+     as well as:
+
+        openssl dgst -sha256 foo
+
+     and this works for ENGINE based algorithms too.
+
+     [Steve Henson]
+
+  *) Update Gost ENGINE to support parameter files.
+     [Victor B. Wagner <vitus@cryptocom.ru>]
+
+  *) Support GeneralizedTime in ca utility. 
+     [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]
+
+  *) Enhance the hash format used for certificate directory links. The new
+     form uses the canonical encoding (meaning equivalent names will work
+     even if they aren't identical) and uses SHA1 instead of MD5. This form
+     is incompatible with the older format and as a result c_rehash should
+     be used to rebuild symbolic links.
+     [Steve Henson]
+
+  *) Make PKCS#8 the default write format for private keys, replacing the
+     traditional format. This form is standardised, more secure and doesn't
+     include an implicit MD5 dependency.
+     [Steve Henson]
+
+  *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
+     committed to OpenSSL should pass this lot as a minimum.
+     [Steve Henson]
+
+  *) Add session ticket override functionality for use by EAP-FAST.
+     [Jouni Malinen <j@w1.fi>]
+
+  *) Modify HMAC functions to return a value. Since these can be implemented
+     in an ENGINE errors can occur.
+     [Steve Henson]
+
+  *) Type-checked OBJ_bsearch_ex.
+     [Ben Laurie]
+
+  *) Type-checked OBJ_bsearch. Also some constification necessitated
+     by type-checking.  Still to come: TXT_DB, bsearch(?),
+     OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
+     CONF_VALUE.
+     [Ben Laurie]
+
+  *) New function OPENSSL_gmtime_adj() to add a specific number of days and
+     seconds to a tm structure directly, instead of going through OS
+     specific date routines. This avoids any issues with OS routines such
+     as the year 2038 bug. New *_adj() functions for ASN1 time structures
+     and X509_time_adj_ex() to cover the extended range. The existing
+     X509_time_adj() is still usable and will no longer have any date issues.
+     [Steve Henson]
+
+  *) Delta CRL support. New use deltas option which will attempt to locate
+     and search any appropriate delta CRLs available.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Support for CRLs partitioned by reason code. Reorganise CRL processing
+     code and add additional score elements. Validate alternate CRL paths
+     as part of the CRL checking and indicate a new error "CRL path validation
+     error" in this case. Applications wanting additional details can use
+     the verify callback and check the new "parent" field. If this is not
+     NULL CRL path validation is taking place. Existing applications wont
+     see this because it requires extended CRL support which is off by
+     default.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Support for freshest CRL extension.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Initial indirect CRL support. Currently only supported in the CRLs
+     passed directly and not via lookup. Process certificate issuer
+     CRL entry extension and lookup CRL entries by bother issuer name
+     and serial number. Check and process CRL issuer entry in IDP extension.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Add support for distinct certificate and CRL paths. The CRL issuer
+     certificate is validated separately in this case. Only enabled if
+     an extended CRL support flag is set: this flag will enable additional
+     CRL functionality in future.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Add support for policy mappings extension.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Fixes to pathlength constraint, self issued certificate handling,
+     policy processing to align with RFC3280 and PKITS tests.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Support for name constraints certificate extension. DN, email, DNS
+     and URI types are currently supported.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) To cater for systems that provide a pointer-based thread ID rather
+     than numeric, deprecate the current numeric thread ID mechanism and
+     replace it with a structure and associated callback type. This
+     mechanism allows a numeric "hash" to be extracted from a thread ID in
+     either case, and on platforms where pointers are larger than 'long',
+     mixing is done to help ensure the numeric 'hash' is usable even if it
+     can't be guaranteed unique. The default mechanism is to use "&errno"
+     as a pointer-based thread ID to distinguish between threads.
+
+     Applications that want to provide their own thread IDs should now use
+     CRYPTO_THREADID_set_callback() to register a callback that will call
+     either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
+
+     Note that ERR_remove_state() is now deprecated, because it is tied
+     to the assumption that thread IDs are numeric.  ERR_remove_state(0)
+     to free the current thread's error state should be replaced by
+     ERR_remove_thread_state(NULL).
+
+     (This new approach replaces the functions CRYPTO_set_idptr_callback(),
+     CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
+     OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
+     application was previously providing a numeric thread callback that
+     was inappropriate for distinguishing threads, then uniqueness might
+     have been obtained with &errno that happened immediately in the
+     intermediate development versions of OpenSSL; this is no longer the
+     case, the numeric thread callback will now override the automatic use
+     of &errno.)
+     [Geoff Thorpe, with help from Bodo Moeller]
+
+  *) Initial support for different CRL issuing certificates. This covers a
+     simple case where the self issued certificates in the chain exist and
+     the real CRL issuer is higher in the existing chain.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Removed effectively defunct crypto/store from the build.
+     [Ben Laurie]
+
+  *) Revamp of STACK to provide stronger type-checking. Still to come:
+     TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
+     ASN1_STRING, CONF_VALUE.
+     [Ben Laurie]
+
+  *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
+     RAM on SSL connections.  This option can save about 34k per idle SSL.
+     [Nick Mathewson]
+
+  *) Revamp of LHASH to provide stronger type-checking. Still to come:
+     STACK, TXT_DB, bsearch, qsort.
+     [Ben Laurie]
+
+  *) Initial support for Cryptographic Message Syntax (aka CMS) based
+     on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
+     support for data, signedData, compressedData, digestedData and
+     encryptedData, envelopedData types included. Scripts to check against
+     RFC4134 examples draft and interop and consistency checks of many
+     content types and variants.
+     [Steve Henson]
+
+  *) Add options to enc utility to support use of zlib compression BIO.
+     [Steve Henson]
+
+  *) Extend mk1mf to support importing of options and assembly language
+     files from Configure script, currently only included in VC-WIN32.
+     The assembly language rules can now optionally generate the source
+     files from the associated perl scripts.
+     [Steve Henson]
+
+  *) Implement remaining functionality needed to support GOST ciphersuites.
+     Interop testing has been performed using CryptoPro implementations.
+     [Victor B. Wagner <vitus@cryptocom.ru>]
+
+  *) s390x assembler pack.
+     [Andy Polyakov]
+
+  *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
+     "family."
+     [Andy Polyakov]
+
+  *) Implement Opaque PRF Input TLS extension as specified in
+     draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
+     official specification yet and no extension type assignment by
+     IANA exists, this extension (for now) will have to be explicitly
+     enabled when building OpenSSL by providing the extension number
+     to use.  For example, specify an option
+
+         -DTLSEXT_TYPE_opaque_prf_input=0x9527
+
+     to the "config" or "Configure" script to enable the extension,
+     assuming extension number 0x9527 (which is a completely arbitrary
+     and unofficial assignment based on the MD5 hash of the Internet
+     Draft).  Note that by doing so, you potentially lose
+     interoperability with other TLS implementations since these might
+     be using the same extension number for other purposes.
+
+     SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
+     opaque PRF input value to use in the handshake.  This will create
+     an interal copy of the length-'len' string at 'src', and will
+     return non-zero for success.
+
+     To get more control and flexibility, provide a callback function
+     by using
+
+          SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
+          SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
+
+     where
+
+          int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
+          void *arg;
+
+     Callback function 'cb' will be called in handshakes, and is
+     expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
+     Argument 'arg' is for application purposes (the value as given to
+     SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
+     be provided to the callback function).  The callback function
+     has to return non-zero to report success: usually 1 to use opaque
+     PRF input just if possible, or 2 to enforce use of the opaque PRF
+     input.  In the latter case, the library will abort the handshake
+     if opaque PRF input is not successfully negotiated.
+
+     Arguments 'peerinput' and 'len' given to the callback function
+     will always be NULL and 0 in the case of a client.  A server will
+     see the client's opaque PRF input through these variables if
+     available (NULL and 0 otherwise).  Note that if the server
+     provides an opaque PRF input, the length must be the same as the
+     length of the client's opaque PRF input.
+
+     Note that the callback function will only be called when creating
+     a new session (session resumption can resume whatever was
+     previously negotiated), and will not be called in SSL 2.0
+     handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
+     SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
+     for applications that need to enforce opaque PRF input.
+
+     [Bodo Moeller]
+
+  *) Update ssl code to support digests other than SHA1+MD5 for handshake
+     MAC. 
+
+     [Victor B. Wagner <vitus@cryptocom.ru>]
+
+  *) Add RFC4507 support to OpenSSL. This includes the corrections in
+     RFC4507bis. The encrypted ticket format is an encrypted encoded
+     SSL_SESSION structure, that way new session features are automatically
+     supported.
+
+     If a client application caches session in an SSL_SESSION structure
+     support is transparent because tickets are now stored in the encoded
+     SSL_SESSION.
+     
+     The SSL_CTX structure automatically generates keys for ticket
+     protection in servers so again support should be possible
+     with no application modification.
+
+     If a client or server wishes to disable RFC4507 support then the option
+     SSL_OP_NO_TICKET can be set.
+
+     Add a TLS extension debugging callback to allow the contents of any client
+     or server extensions to be examined.
+
+     This work was sponsored by Google.
+     [Steve Henson]
+
+  *) Final changes to avoid use of pointer pointer casts in OpenSSL.
+     OpenSSL should now compile cleanly on gcc 4.2
+     [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]
+
+  *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
+     support including streaming MAC support: this is required for GOST
+     ciphersuite support.
+     [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]
+
+  *) Add option -stream to use PKCS#7 streaming in smime utility. New
+     function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
+     to output in BER and PEM format.
+     [Steve Henson]
+
+  *) Experimental support for use of HMAC via EVP_PKEY interface. This
+     allows HMAC to be handled via the EVP_DigestSign*() interface. The
+     EVP_PKEY "key" in this case is the HMAC key, potentially allowing
+     ENGINE support for HMAC keys which are unextractable. New -mac and
+     -macopt options to dgst utility.
+     [Steve Henson]
+
+  *) New option -sigopt to dgst utility. Update dgst to use
+     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
+     alternative signing paramaters such as X9.31 or PSS in the dgst 
+     utility.
+     [Steve Henson]
+
+  *) Change ssl_cipher_apply_rule(), the internal function that does
+     the work each time a ciphersuite string requests enabling
+     ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
+     removing ("!foo+bar") a class of ciphersuites: Now it maintains
+     the order of disabled ciphersuites such that those ciphersuites
+     that most recently went from enabled to disabled not only stay
+     in order with respect to each other, but also have higher priority
+     than other disabled ciphersuites the next time ciphersuites are
+     enabled again.
+
+     This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
+     the same ciphersuites as with "HIGH" alone, but in a specific
+     order where the PSK ciphersuites come first (since they are the
+     most recently disabled ciphersuites when "HIGH" is parsed).
+
+     Also, change ssl_create_cipher_list() (using this new
+     funcionality) such that between otherwise identical
+     cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
+     the default order.
+     [Bodo Moeller]
+
+  *) Change ssl_create_cipher_list() so that it automatically
+     arranges the ciphersuites in reasonable order before starting
+     to process the rule string.  Thus, the definition for "DEFAULT"
+     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
+     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
+     This makes it much easier to arrive at a reasonable default order
+     in applications for which anonymous ciphers are OK (meaning
+     that you can't actually use DEFAULT).
+     [Bodo Moeller; suggested by Victor Duchovni]
+
+  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
+     processing) into multiple integers instead of setting
+     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
+     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
+     (These masks as well as the individual bit definitions are hidden
+     away into the non-exported interface ssl/ssl_locl.h, so this
+     change to the definition of the SSL_CIPHER structure shouldn't
+     affect applications.)  This give us more bits for each of these
+     categories, so there is no longer a need to coagulate AES128 and
+     AES256 into a single algorithm bit, and to coagulate Camellia128
+     and Camellia256 into a single algorithm bit, which has led to all
+     kinds of kludges.
+
+     Thus, among other things, the kludge introduced in 0.9.7m and
+     0.9.8e for masking out AES256 independently of AES128 or masking
+     out Camellia256 independently of AES256 is not needed here in 0.9.9.
+
+     With the change, we also introduce new ciphersuite aliases that
+     so far were missing: "AES128", "AES256", "CAMELLIA128", and
+     "CAMELLIA256".
+     [Bodo Moeller]
+
+  *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
+     Use the leftmost N bytes of the signature input if the input is
+     larger than the prime q (with N being the size in bytes of q).
+     [Nils Larsch]
+
+  *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
+     it yet and it is largely untested.
+     [Steve Henson]
+
+  *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
+     [Nils Larsch]
+
+  *) Initial incomplete changes to avoid need for function casts in OpenSSL
+     some compilers (gcc 4.2 and later) reject their use. Safestack is
+     reimplemented.  Update ASN1 to avoid use of legacy functions. 
+     [Steve Henson]
+
+  *) Win32/64 targets are linked with Winsock2.
+     [Andy Polyakov]
+
+  *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
+     to external functions. This can be used to increase CRL handling 
+     efficiency especially when CRLs are very large by (for example) storing
+     the CRL revoked certificates in a database.
+     [Steve Henson]
+
+  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
+     new CRLs added to a directory can be used. New command line option
+     -verify_return_error to s_client and s_server. This causes real errors
+     to be returned by the verify callback instead of carrying on no matter
+     what. This reflects the way a "real world" verify callback would behave.
+     [Steve Henson]
+
+  *) GOST engine, supporting several GOST algorithms and public key formats.
+     Kindly donated by Cryptocom.
+     [Cryptocom]
+
+  *) Partial support for Issuing Distribution Point CRL extension. CRLs
+     partitioned by DP are handled but no indirect CRL or reason partitioning
+     (yet). Complete overhaul of CRL handling: now the most suitable CRL is
+     selected via a scoring technique which handles IDP and AKID in CRLs.
+     [Steve Henson]
+
+  *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
+     will ultimately be used for all verify operations: this will remove the
+     X509_STORE dependency on certificate verification and allow alternative
+     lookup methods.  X509_STORE based implementations of these two callbacks.
+     [Steve Henson]
+
+  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
+     Modify get_crl() to find a valid (unexpired) CRL if possible.
+     [Steve Henson]
+
+  *) New function X509_CRL_match() to check if two CRLs are identical. Normally
+     this would be called X509_CRL_cmp() but that name is already used by
+     a function that just compares CRL issuer names. Cache several CRL 
+     extensions in X509_CRL structure and cache CRLDP in X509.
+     [Steve Henson]
+
+  *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
+     this maps equivalent X509_NAME structures into a consistent structure.
+     Name comparison can then be performed rapidly using memcmp().
+     [Steve Henson]
+
+  *) Non-blocking OCSP request processing. Add -timeout option to ocsp 
+     utility.
+     [Steve Henson]
+
+  *) Allow digests to supply their own micalg string for S/MIME type using
+     the ctrl EVP_MD_CTRL_MICALG.
+     [Steve Henson]
+
+  *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
+     EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
+     ctrl. It can then customise the structure before and/or after signing
+     if necessary.
+     [Steve Henson]
+
+  *) New function OBJ_add_sigid() to allow application defined signature OIDs
+     to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
+     to free up any added signature OIDs.
+     [Steve Henson]
+
+  *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
+     EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
+     digest and cipher tables. New options added to openssl utility:
+     list-message-digest-algorithms and list-cipher-algorithms.
+     [Steve Henson]
+
+  *) Change the array representation of binary polynomials: the list
+     of degrees of non-zero coefficients is now terminated with -1.
+     Previously it was terminated with 0, which was also part of the
+     value; thus, the array representation was not applicable to
+     polynomials where t^0 has coefficient zero.  This change makes
+     the array representation useful in a more general context.
+     [Douglas Stebila]
+
+  *) Various modifications and fixes to SSL/TLS cipher string
+     handling.  For ECC, the code now distinguishes between fixed ECDH
+     with RSA certificates on the one hand and with ECDSA certificates
+     on the other hand, since these are separate ciphersuites.  The
+     unused code for Fortezza ciphersuites has been removed.
+
+     For consistency with EDH, ephemeral ECDH is now called "EECDH"
+     (not "ECDHE").  For consistency with the code for DH
+     certificates, use of ECDH certificates is now considered ECDH
+     authentication, not RSA or ECDSA authentication (the latter is
+     merely the CA's signing algorithm and not actively used in the
+     protocol).
+
+     The temporary ciphersuite alias "ECCdraft" is no longer
+     available, and ECC ciphersuites are no longer excluded from "ALL"
+     and "DEFAULT".  The following aliases now exist for RFC 4492
+     ciphersuites, most of these by analogy with the DH case:
+
+         kECDHr   - ECDH cert, signed with RSA
+         kECDHe   - ECDH cert, signed with ECDSA
+         kECDH    - ECDH cert (signed with either RSA or ECDSA)
+         kEECDH   - ephemeral ECDH
+         ECDH     - ECDH cert or ephemeral ECDH
+
+         aECDH    - ECDH cert
+         aECDSA   - ECDSA cert
+         ECDSA    - ECDSA cert
+
+         AECDH    - anonymous ECDH
+         EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
+
+     [Bodo Moeller]
+
+  *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
+     Use correct micalg parameters depending on digest(s) in signed message.
+     [Steve Henson]
+
+  *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
+     an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
+     [Steve Henson]
+
+  *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
+     an engine to register a method. Add ENGINE lookups for methods and
+     functional reference processing.
+     [Steve Henson]
+
+  *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
+     EVP_{Sign,Verify}* which allow an application to customise the signature
+     process.
+     [Steve Henson]
+
+  *) New -resign option to smime utility. This adds one or more signers
+     to an existing PKCS#7 signedData structure. Also -md option to use an
+     alternative message digest algorithm for signing.
+     [Steve Henson]
+
+  *) Tidy up PKCS#7 routines and add new functions to make it easier to
+     create PKCS7 structures containing multiple signers. Update smime
+     application to support multiple signers.
+     [Steve Henson]
+
+  *) New -macalg option to pkcs12 utility to allow setting of an alternative
+     digest MAC.
+     [Steve Henson]
+
+  *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
+     Reorganize PBE internals to lookup from a static table using NIDs,
+     add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
+     EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
+     PRF which will be automatically used with PBES2.
+     [Steve Henson]
+
+  *) Replace the algorithm specific calls to generate keys in "req" with the
+     new API.
+     [Steve Henson]
+
+  *) Update PKCS#7 enveloped data routines to use new API. This is now
+     supported by any public key method supporting the encrypt operation. A
+     ctrl is added to allow the public key algorithm to examine or modify
+     the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
+     a no op.
+     [Steve Henson]
+
+  *) Add a ctrl to asn1 method to allow a public key algorithm to express
+     a default digest type to use. In most cases this will be SHA1 but some
+     algorithms (such as GOST) need to specify an alternative digest. The
+     return value indicates how strong the prefernce is 1 means optional and
+     2 is mandatory (that is it is the only supported type). Modify
+     ASN1_item_sign() to accept a NULL digest argument to indicate it should
+     use the default md. Update openssl utilities to use the default digest
+     type for signing if it is not explicitly indicated.
+     [Steve Henson]
+
+  *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 
+     EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
+     signing method from the key type. This effectively removes the link
+     between digests and public key types.
+     [Steve Henson]
+
+  *) Add an OID cross reference table and utility functions. Its purpose is to
+     translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
+     rsaEncryption. This will allow some of the algorithm specific hackery
+     needed to use the correct OID to be removed. 
+     [Steve Henson]
+
+  *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
+     structures for PKCS7_sign(). They are now set up by the relevant public
+     key ASN1 method.
+     [Steve Henson]
+
+  *) Add provisional EC pkey method with support for ECDSA and ECDH.
+     [Steve Henson]
+
+  *) Add support for key derivation (agreement) in the API, DH method and
+     pkeyutl.
+     [Steve Henson]
+
+  *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
+     public and private key formats. As a side effect these add additional 
+     command line functionality not previously available: DSA signatures can be
+     generated and verified using pkeyutl and DH key support and generation in
+     pkey, genpkey.
+     [Steve Henson]
+
+  *) BeOS support.
+     [Oliver Tappe <zooey@hirschkaefer.de>]
+
+  *) New make target "install_html_docs" installs HTML renditions of the
+     manual pages.
+     [Oliver Tappe <zooey@hirschkaefer.de>]
+
+  *) New utility "genpkey" this is analagous to "genrsa" etc except it can
+     generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
+     support key and parameter generation and add initial key generation
+     functionality for RSA.
+     [Steve Henson]
+
+  *) Add functions for main EVP_PKEY_method operations. The undocumented
+     functions EVP_PKEY_{encrypt,decrypt} have been renamed to
+     EVP_PKEY_{encrypt,decrypt}_old. 
+     [Steve Henson]
+
+  *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
+     key API, doesn't do much yet.
+     [Steve Henson]
+
+  *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
+     public key algorithms. New option to openssl utility:
+     "list-public-key-algorithms" to print out info.
+     [Steve Henson]
+
+  *) Implement the Supported Elliptic Curves Extension for
+     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
+     [Douglas Stebila]
+
+  *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
+     EVP_CIPHER structures to avoid later problems in EVP_cleanup().
+     [Steve Henson]
+
+  *) New utilities pkey and pkeyparam. These are similar to algorithm specific
+     utilities such as rsa, dsa, dsaparam etc except they process any key
+     type.
+     [Steve Henson]
+
+  *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 
+     functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
+     EVP_PKEY_print_param() to print public key data from an EVP_PKEY
+     structure.
+     [Steve Henson]
+
+  *) Initial support for pluggable public key ASN1.
+     De-spaghettify the public key ASN1 handling. Move public and private
+     key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
+     algorithm specific handling to a single module within the relevant
+     algorithm directory. Add functions to allow (near) opaque processing
+     of public and private key structures.
+     [Steve Henson]
+
+  *) Implement the Supported Point Formats Extension for
+     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
+     [Douglas Stebila]
+
+  *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
+     for the psk identity [hint] and the psk callback functions to the
+     SSL_SESSION, SSL and SSL_CTX structure.
+     
+     New ciphersuites:
+         PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
+         PSK-AES256-CBC-SHA
+     New functions:
+         SSL_CTX_use_psk_identity_hint
+         SSL_get_psk_identity_hint
+         SSL_get_psk_identity
+         SSL_use_psk_identity_hint
+
+     [Mika Kousa and Pasi Eronen of Nokia Corporation]
+
+  *) Add RFC 3161 compliant time stamp request creation, response generation
+     and response verification functionality.
+     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
+
+  *) Add initial support for TLS extensions, specifically for the server_name
+     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
+     have new members for a host name.  The SSL data structure has an
+     additional member SSL_CTX *initial_ctx so that new sessions can be
+     stored in that context to allow for session resumption, even after the
+     SSL has been switched to a new SSL_CTX in reaction to a client's
+     server_name extension.
+
+     New functions (subject to change):
+
+         SSL_get_servername()
+         SSL_get_servername_type()
+         SSL_set_SSL_CTX()
+
+     New CTRL codes and macros (subject to change):
+
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+                                 - SSL_CTX_set_tlsext_servername_callback()
+         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
+                                      - SSL_CTX_set_tlsext_servername_arg()
+         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
+
+     openssl s_client has a new '-servername ...' option.
+
+     openssl s_server has new options '-servername_host ...', '-cert2 ...',
+     '-key2 ...', '-servername_fatal' (subject to change).  This allows
+     testing the HostName extension for a specific single host name ('-cert'
+     and '-key' remain fallbacks for handshakes without HostName
+     negotiation).  If the unrecogninzed_name alert has to be sent, this by
+     default is a warning; it becomes fatal with the '-servername_fatal'
+     option.
+
+     [Peter Sylvester,  Remy Allais, Christophe Renou]
+
+  *) Whirlpool hash implementation is added.
+     [Andy Polyakov]
+
+  *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
+     bn(64,32). Because of instruction set limitations it doesn't have
+     any negative impact on performance. This was done mostly in order
+     to make it possible to share assembler modules, such as bn_mul_mont
+     implementations, between 32- and 64-bit builds without hassle.
+     [Andy Polyakov]
+
+  *) Move code previously exiled into file crypto/ec/ec2_smpt.c
+     to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
+     macro.
+     [Bodo Moeller]
+
+  *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
+     dedicated Montgomery multiplication procedure, is introduced.
+     BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
+     "64-bit" performance on certain 32-bit targets.
+     [Andy Polyakov]
+
+  *) New option SSL_OP_NO_COMP to disable use of compression selectively
+     in SSL structures. New SSL ctrl to set maximum send fragment size. 
+     Save memory by seeting the I/O buffer sizes dynamically instead of
+     using the maximum available value.
+     [Steve Henson]
+
+  *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
+     in addition to the text details.
+     [Bodo Moeller]
+
+  *) Very, very preliminary EXPERIMENTAL support for printing of general
+     ASN1 structures. This currently produces rather ugly output and doesn't
+     handle several customised structures at all.
+     [Steve Henson]
+
+  *) Integrated support for PVK file format and some related formats such
+     as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
+     these in the 'rsa' and 'dsa' utilities.
+     [Steve Henson]
+
+  *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
+     [Steve Henson]
+
+  *) Remove the ancient ASN1_METHOD code. This was only ever used in one
+     place for the (very old) "NETSCAPE" format certificates which are now
+     handled using new ASN1 code equivalents.
+     [Steve Henson]
+
+  *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
+     pointer and make the SSL_METHOD parameter in SSL_CTX_new,
+     SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
+     [Nils Larsch]
+
+  *) Modify CRL distribution points extension code to print out previously
+     unsupported fields. Enhance extension setting code to allow setting of
+     all fields.
+     [Steve Henson]
+
+  *) Add print and set support for Issuing Distribution Point CRL extension.
+     [Steve Henson]
+
+  *) Change 'Configure' script to enable Camellia by default.
+     [NTT]
+  
+ Changes between 0.9.8n and 0.9.8o [xx XXX xxxx]
+
+  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
+     access or freeing data twice (CVE-2010-0742)
+     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]
+
+  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
+     common in certificates and some applications which only call
+     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
+     [Steve Henson]
+
+ Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
+
+  *) When rejecting SSL/TLS records due to an incorrect version number, never
+     update s->server with a new major version number.  As of
+     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
+     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
+     the previous behavior could result in a read attempt at NULL when
+     receiving specific incorrect SSL/TLS records once record payload
+     protection is active.  (CVE-2010-####)
+     [Bodo Moeller, Adam Langley]
+
+  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
+     could be crashed if the relevant tables were not present (e.g. chrooted).
+     [Tomas Hoger <thoger@redhat.com>]
+
  Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
 
   *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
index 8041479..becee66 100644 (file)
@@ -70,6 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * I think I've detected a memory leak, is this a bug?
 * Why does Valgrind complain about the use of uninitialized data?
 * Why doesn't a memory BIO work when a file does?
+* Where are the declarations and implementations of d2i_X509() etc?
 
 ===============================================================================
 
@@ -78,7 +79,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8m was released on Feb 25th, 2010.
+OpenSSL 1.0.0a was released on Jun 1st, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -94,14 +95,17 @@ explains how to install this library.
 
 OpenSSL includes a command line utility that can be used to perform a
 variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written.  A
-few manual pages already are available; overviews over libcrypto and
+manpage.  Documentation for developers is currently being written. Many
+manual pages are available; overviews over libcrypto and
 libssl are given in the crypto(3) and ssl(3) manpages.
 
 The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
 different directory if you specified one as described in INSTALL).
 In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>.
+<URL: http://www.openssl.org/docs/>. Note that the online documents refer
+to the very latest development versions of OpenSSL and may include features
+not present in released versions. If in doubt refer to the documentation
+that came with the version of OpenSSL you are using.
 
 For information on parts of libcrypto that are not yet documented, you
 might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
@@ -717,8 +721,10 @@ file.
 
 Multi-threaded applications must provide two callback functions to
 OpenSSL by calling CRYPTO_set_locking_callback() and
-CRYPTO_set_id_callback().  This is described in the threads(3)
-manpage.
+CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
+including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
+and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
+and friends. This is described in the threads(3) manpage.
 
 * I've compiled a program under Windows and it crashes: why?
 
@@ -962,4 +968,15 @@ is needed. This must be done by calling:
 See the manual pages for more details.
 
 
+* Where are the declarations and implementations of d2i_X509() etc?
+
+These are defined and implemented by macros of the form:
+
+
+ DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
+
+The implementation passes an ASN1 "template" defining the structure into an
+ASN1 interpreter using generalised functions such as ASN1_item_d2i().
+
+
 ===============================================================================
index 7bff959..3a787ea 100644 (file)
@@ -5,6 +5,47 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+
+      o Fix for security issue CVE-2010-1633.
+      o GOST MAC and CFB fixes.
+
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0:
+
+      o RFC3280 path validation: sufficient to process PKITS tests.
+      o Integrated support for PVK files and keyblobs.
+      o Change default private key format to PKCS#8.
+      o CMS support: able to process all examples in RFC4134
+      o Streaming ASN1 encode support for PKCS#7 and CMS.
+      o Multiple signer and signer add support for PKCS#7 and CMS.
+      o ASN1 printing support.
+      o Whirlpool hash algorithm added.
+      o RFC3161 time stamp support.
+      o New generalised public key API supporting ENGINE based algorithms.
+      o New generalised public key API utilities.
+      o New ENGINE supporting GOST algorithms.
+      o SSL/TLS GOST ciphersuite support.
+      o PKCS#7 and CMS GOST support.
+      o RFC4279 PSK ciphersuite support.
+      o Supported points format extension for ECC ciphersuites.
+      o ecdsa-with-SHA224/256/384/512 signature types.
+      o dsa-with-SHA224 and dsa-with-SHA256 signature types.
+      o Opaque PRF Input TLS extension support.
+      o Updated time routines to avoid OS limitations.
+
+  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
+
+      o Fix for security issue CVE-2010-0742.
+      o Various DTLS fixes.
+      o Recognise SHA2 certificates if only SSL algorithms added.
+      o Fix for no-rc4 compilation.
+      o Chil ENGINE unload workaround.
+
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+
+      o CFB cipher definition fixes.
+      o Fix security issues CVE-2010-0740 and CVE-2010-0433.
+
   Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
 
       o Cipher definition fixes.
       o Added initial support for Win64.
       o Added alternate pkg-config files.
 
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+
+      o FIPS 1.1.1 module linking.
+      o Various ciphersuite selection fixes.
+
   Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
index 0cfba9c..c1d0a5f 100644 (file)
@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.8m
+ OpenSSL 1.0.0a 1 Jun 2010
 
- Copyright (c) 1998-2009 The OpenSSL Project
+ Copyright (c) 1998-2010 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
index abb4904..195de41 100644 (file)
@@ -54,6 +54,7 @@ apps/server.srl
 apps/server2.pem
 apps/set/
 apps/testCA.pem
+apps/tsget
 apps/winrand.c
 bugs/
 certs/
@@ -65,11 +66,10 @@ crypto/LPdir_win32.c
 crypto/LPdir_wince.c
 crypto/Makefile
 crypto/aes/Makefile
+crypto/aes/aes_x86core.c
 crypto/aes/asm/
 crypto/asn1/Makefile
 crypto/asn1/charmap.pl
-crypto/asn1/p8_key.c
-crypto/asn1/tasn_prn.c
 crypto/bf/INSTALL
 crypto/bf/Makefile
 crypto/bf/asm/
@@ -93,6 +93,7 @@ crypto/bn/exptest.c
 crypto/bn/vms-helper.c
 crypto/buffer/Makefile
 crypto/camellia/Makefile
+crypto/camellia/asm/
 crypto/cast/Makefile
 crypto/cast/asm/
 crypto/cast/cast_spd.c
@@ -146,6 +147,7 @@ crypto/dsa/Makefile
 crypto/dsa/dsagen.c
 crypto/dsa/dsatest.c
 crypto/dso/Makefile
+crypto/dso/dso_beos.c
 crypto/dso/dso_vms.c
 crypto/dso/dso_win32.c
 crypto/ec/Makefile
@@ -161,7 +163,6 @@ crypto/err/openssl.ec
 crypto/evp/Makefile
 crypto/evp/e_dsa.c
 crypto/evp/e_old.c
-crypto/evp/e_seed.c
 crypto/evp/evp_test.c
 crypto/evp/evptests.txt
 crypto/hmac/Makefile
@@ -172,13 +173,11 @@ crypto/idea/idea_spd.c
 crypto/idea/ideatest.c
 crypto/install.com
 crypto/jpake/
-crypto/krb5/Makefile
+crypto/krb5/
 crypto/lhash/Makefile
 crypto/lhash/lh_test.c
 crypto/lhash/num.pl
-crypto/md2/Makefile
-crypto/md2/md2.c
-crypto/md2/md2test.c
+crypto/md2/
 crypto/md4/Makefile
 crypto/md4/md4.c
 crypto/md4/md4s.cpp
@@ -190,14 +189,17 @@ crypto/md5/md5s.cpp
 crypto/md5/md5test.c
 crypto/mdc2/Makefile
 crypto/mdc2/mdc2test.c
+crypto/modes/Makefile
 crypto/o_dir_test.c
 crypto/o_str.c
 crypto/o_str.h
 crypto/objects/Makefile
 crypto/objects/obj_dat.pl
 crypto/objects/obj_mac.num
+crypto/objects/obj_xref.txt
 crypto/objects/objects.pl
 crypto/objects/objects.txt
+crypto/objects/objxref.pl
 crypto/ocsp/Makefile
 crypto/opensslconf.h
 crypto/opensslconf.h.in
@@ -220,6 +222,7 @@ crypto/pkcs7/server.pem
 crypto/pkcs7/sign.c
 crypto/pkcs7/t/
 crypto/pkcs7/verify.c
+crypto/ppccpuid.pl
 crypto/pqueue/Makefile
 crypto/rand/Makefile
 crypto/rand/rand_os2.c
@@ -238,30 +241,28 @@ crypto/rc4/rc4s.cpp
 crypto/rc4/rc4speed.c
 crypto/rc4/rc4test.c
 crypto/rc4/rrc4.doc
-crypto/rc5/Makefile
-crypto/rc5/asm/
-crypto/rc5/rc5s.cpp
-crypto/rc5/rc5speed.c
-crypto/rc5/rc5test.c
+crypto/rc5/
 crypto/ripemd/Makefile
 crypto/ripemd/asm/
 crypto/ripemd/rmd160.c
 crypto/ripemd/rmdtest.c
 crypto/rsa/Makefile
 crypto/rsa/rsa_test.c
-crypto/seed/
+crypto/s390xcap.c
+crypto/s390xcpuid.S
+crypto/seed/Makefile
 crypto/sha/Makefile
 crypto/sha/asm/
 crypto/sha/sha.c
 crypto/sha/sha1.c
-crypto/sha/sha1s.cpp
 crypto/sha/sha1test.c
 crypto/sha/sha256t.c
 crypto/sha/sha512t.c
 crypto/sha/shatest.c
 crypto/sparccpuid.S
+crypto/sparcv9cap.c
 crypto/stack/Makefile
-crypto/store/Makefile
+crypto/store/
 crypto/threads/mttest.c
 crypto/threads/netware.bat
 crypto/threads/profile.sh
@@ -272,8 +273,12 @@ crypto/threads/pthreads-vms.com
 crypto/threads/purify.sh
 crypto/threads/solaris.sh
 crypto/threads/win32.bat
+crypto/ts/Makefile
 crypto/txt_db/Makefile
 crypto/ui/Makefile
+crypto/whrlpool/Makefile
+crypto/whrlpool/asm/
+crypto/whrlpool/wp_test.c
 crypto/x509/Makefile
 crypto/x509v3/Makefile
 crypto/x509v3/tabtest.c
@@ -294,24 +299,26 @@ doc/ssleay.txt
 doc/standards.txt
 engines/Makefile
 engines/alpha.opt
+engines/axp.opt
+engines/capierr.bat
+engines/ccgost/Makefile
+engines/ccgost/e_gost_err.proto
+engines/ccgost/gost.ec
 engines/e_4758cca.ec
 engines/e_aep.ec
 engines/e_atalla.ec
-engines/e_capi.c
 engines/e_capi.ec
-engines/e_capi_err.c
-engines/e_capi_err.h
 engines/e_chil.ec
 engines/e_cswift.ec
 engines/e_gmp.ec
 engines/e_nuron.ec
+engines/e_padlock.ec
 engines/e_sureware.ec
 engines/e_ubsec.ec
 engines/engine_vector.mar
 engines/ia64.opt
 engines/makeengines.com
 engines/vax.opt
-fips/
 include/
 install.com
 makevms.com
@@ -331,19 +338,18 @@ times/
 tools/
 util/FreeBSD.sh
 util/add_cr.pl
-util/arx.pl
 util/bat.sh
 util/ck_errf.pl
 util/clean-depend.pl
 util/copy.pl
 util/cygwin.sh
 util/deleof.pl
+util/deltree.com
 util/dirname.pl
 util/do_ms.sh
 util/domd
 util/err-ins.pl
 util/files.pl
-util/fipslink.pl
 util/fixNT.sh
 util/install.sh
 util/libeay.num
@@ -354,7 +360,7 @@ util/mkdir-p.pl
 util/mkerr.pl
 util/mkfiles.pl
 util/mklink.pl
-util/mksdef.pl
+util/mkrc.pl
 util/mkstack.pl
 util/opensslwrap.sh
 util/perlpath.pl
index 35b62b8..acc50df 100644 (file)
  *
  */
 
+#ifndef _POSIX_C_SOURCE
+#define _POSIX_C_SOURCE 2      /* On VMS, you need to define this to get
+                                  the declaration of fileno().  The value
+                                  2 is to make sure no function defined
+                                  in POSIX-2 is left undefined. */
+#endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
+#include <strings.h>
+#endif
 #include <sys/types.h>
-#include <sys/stat.h>
 #include <ctype.h>
+#include <errno.h>
 #include <assert.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include "apps.h"
 #undef NON_MAIN
 
+#ifdef _WIN32
+static int WIN32_rename(const char *from, const char *to);
+#define rename(from,to) WIN32_rename((from),(to))
+#endif
+
 typedef struct {
        const char *name;
        unsigned long flag;
@@ -166,18 +180,23 @@ int args_from_file(char *file, int *argc, char **argv[])
        static char *buf=NULL;
        static char **arg=NULL;
        char *p;
-       struct stat stbuf;
-
-       if (stat(file,&stbuf) < 0) return(0);
 
        fp=fopen(file,"r");
        if (fp == NULL)
                return(0);
 
+       if (fseek(fp,0,SEEK_END)==0)
+               len=ftell(fp), rewind(fp);
+       else    len=-1;
+       if (len<=0)
+               {
+               fclose(fp);
+               return(0);
+               }
+
        *argc=0;
        *argv=NULL;
 
-       len=(unsigned int)stbuf.st_size;
        if (buf != NULL) OPENSSL_free(buf);
        buf=(char *)OPENSSL_malloc(len+1);
        if (buf == NULL) return(0);
@@ -242,18 +261,25 @@ int str2fmt(char *s)
                return(FORMAT_ASN1);
        else if ((*s == 'T') || (*s == 't'))
                return(FORMAT_TEXT);
-       else if ((*s == 'P') || (*s == 'p'))
-               return(FORMAT_PEM);
-       else if ((*s == 'N') || (*s == 'n'))
-               return(FORMAT_NETSCAPE);
-       else if ((*s == 'S') || (*s == 's'))
-               return(FORMAT_SMIME);
+       else if ((*s == 'N') || (*s == 'n'))
+               return(FORMAT_NETSCAPE);
+       else if ((*s == 'S') || (*s == 's'))
+               return(FORMAT_SMIME);
+       else if ((*s == 'M') || (*s == 'm'))
+               return(FORMAT_MSBLOB);
        else if ((*s == '1')
                || (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
                || (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
                return(FORMAT_PKCS12);
        else if ((*s == 'E') || (*s == 'e'))
                return(FORMAT_ENGINE);
+       else if ((*s == 'P') || (*s == 'p'))
+               {
+               if (s[1] == 'V' || s[1] == 'v')
+                       return FORMAT_PVK;
+               else
+                       return(FORMAT_PEM);
+               }
        else
                return(FORMAT_UNDEF);
        }
@@ -639,6 +665,15 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)
                                BIO_printf(err, "Can't open file %s\n", arg + 5);
                                return NULL;
                        }
+#if !defined(_WIN32)
+               /*
+                * Under _WIN32, which covers even Win64 and CE, file
+                * descriptors referenced by BIO_s_fd are not inherited
+                * by child process and therefore below is not an option.
+                * It could have been an option if bss_fd.c was operating
+                * on real Windows descriptors, such as those obtained
+                * with CreateFile.
+                */
                } else if(!strncmp(arg, "fd:", 3)) {
                        BIO *btmp;
                        i = atoi(arg + 3);
@@ -650,6 +685,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)
                        /* Can't do BIO_gets on an fd BIO so add a buffering BIO */
                        btmp = BIO_new(BIO_f_buffer());
                        pwdbio = BIO_push(btmp, pwdbio);
+#endif
                } else if(!strcmp(arg, "stdin")) {
                        pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
                        if(!pwdbio) {
@@ -749,8 +785,6 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc,
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip)
        {
-       ASN1_HEADER *ah=NULL;
-       BUF_MEM *buf=NULL;
        X509 *x=NULL;
        BIO *cert;
 
@@ -762,7 +796,9 @@ X509 *load_cert(BIO *err, const char *file, int format,
 
        if (file == NULL)
                {
+#ifdef _IONBF
                setvbuf(stdin, NULL, _IONBF, 0);
+#endif
                BIO_set_fp(cert,stdin,BIO_NOCLOSE);
                }
        else
@@ -780,46 +816,21 @@ X509 *load_cert(BIO *err, const char *file, int format,
                x=d2i_X509_bio(cert,NULL);
        else if (format == FORMAT_NETSCAPE)
                {
-               const unsigned char *p,*op;
-               int size=0,i;
-
-               /* We sort of have to do it this way because it is sort of nice
-                * to read the header first and check it, then
-                * try to read the certificate */
-               buf=BUF_MEM_new();
-               for (;;)
-                       {
-                       if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
-                               goto end;
-                       i=BIO_read(cert,&(buf->data[size]),1024*10);
-                       size+=i;
-                       if (i == 0) break;
-                       if (i < 0)
-                               {
-                               perror("reading certificate");
+               NETSCAPE_X509 *nx;
+               nx=ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),cert,NULL);
+               if (nx == NULL)
                                goto end;
-                               }
-                       }
-               p=(unsigned char *)buf->data;
-               op=p;
 
-               /* First load the header */
-               if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
-                       goto end;
-               if ((ah->header == NULL) || (ah->header->data == NULL) ||
-                       (strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data,
-                       ah->header->length) != 0))
+               if ((strncmp(NETSCAPE_CERT_HDR,(char *)nx->header->data,
+                       nx->header->length) != 0))
                        {
+                       NETSCAPE_X509_free(nx);
                        BIO_printf(err,"Error reading header on certificate\n");
                        goto end;
                        }
-               /* header is ok, so now read the object */
-               p=op;
-               ah->meth=X509_asn1_meth();
-               if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
-                       goto end;
-               x=(X509 *)ah->data;
-               ah->data=NULL;
+               x=nx->cert;
+               nx->cert = NULL;
+               NETSCAPE_X509_free(nx);
                }
        else if (format == FORMAT_PEM)
                x=PEM_read_bio_X509_AUX(cert,NULL,
@@ -841,9 +852,7 @@ end:
                BIO_printf(err,"unable to load certificate\n");
                ERR_print_errors(err);
                }
-       if (ah != NULL) ASN1_HEADER_free(ah);
        if (cert != NULL) BIO_free(cert);
-       if (buf != NULL) BUF_MEM_free(buf);
        return(x);
        }
 
@@ -866,10 +875,17 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        if (format == FORMAT_ENGINE)
                {
                if (!e)
-                       BIO_printf(bio_err,"no engine specified\n");
+                       BIO_printf(err,"no engine specified\n");
                else
+                       {
                        pkey = ENGINE_load_private_key(e, file,
                                ui_method, &cb_data);
+                       if (!pkey) 
+                               {
+                               BIO_printf(err,"cannot load %s from engine\n",key_descrip);
+                               ERR_print_errors(err);
+                               }       
+                       }
                goto end;
                }
 #endif
@@ -881,7 +897,9 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                }
        if (file == NULL && maybe_stdin)
                {
+#ifdef _IONBF
                setvbuf(stdin, NULL, _IONBF, 0);
+#endif
                BIO_set_fp(key,stdin,BIO_NOCLOSE);
                }
        else
@@ -912,6 +930,13 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                                &pkey, NULL, NULL))
                        goto end;
                }
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
+       else if (format == FORMAT_MSBLOB)
+               pkey = b2i_PrivateKey_bio(key);
+       else if (format == FORMAT_PVK)
+               pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
+                                                               &cb_data);
+#endif
        else
                {
                BIO_printf(err,"bad input format specified for key file\n");
@@ -919,8 +944,11 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                }
  end:
        if (key != NULL) BIO_free(key);
-       if (pkey == NULL)
+       if (pkey == NULL) 
+               {
                BIO_printf(err,"unable to load %s\n", key_descrip);
+               ERR_print_errors(err);
+               }       
        return(pkey);
        }
 
@@ -958,7 +986,9 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
                }
        if (file == NULL && maybe_stdin)
                {
+#ifdef _IONBF
                setvbuf(stdin, NULL, _IONBF, 0);
+#endif
                BIO_set_fp(key,stdin,BIO_NOCLOSE);
                }
        else
@@ -973,6 +1003,37 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
                {
                pkey=d2i_PUBKEY_bio(key, NULL);
                }
+#ifndef OPENSSL_NO_RSA
+       else if (format == FORMAT_ASN1RSA)
+               {
+               RSA *rsa;
+               rsa = d2i_RSAPublicKey_bio(key, NULL);
+               if (rsa)
+                       {
+                       pkey = EVP_PKEY_new();
+                       if (pkey)
+                               EVP_PKEY_set1_RSA(pkey, rsa);
+                       RSA_free(rsa);
+                       }
+               else
+                       pkey = NULL;
+               }
+       else if (format == FORMAT_PEMRSA)
+               {
+               RSA *rsa;
+               rsa = PEM_read_bio_RSAPublicKey(key, NULL, 
+                       (pem_password_cb *)password_callback, &cb_data);
+               if (rsa)
+                       {
+                       pkey = EVP_PKEY_new();
+                       if (pkey)
+                               EVP_PKEY_set1_RSA(pkey, rsa);
+                       RSA_free(rsa);
+                       }
+               else
+                       pkey = NULL;
+               }
+#endif
        else if (format == FORMAT_PEM)
                {
                pkey=PEM_read_bio_PUBKEY(key,NULL,
@@ -981,6 +1042,10 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
        else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
                pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
+       else if (format == FORMAT_MSBLOB)
+               pkey = b2i_PublicKey_bio(key);
 #endif
        else
                {
@@ -1040,76 +1105,120 @@ error:
        }
 #endif /* ndef OPENSSL_NO_RC4 */
 
-STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
-       const char *pass, ENGINE *e, const char *cert_descrip)
+static int load_certs_crls(BIO *err, const char *file, int format,
+       const char *pass, ENGINE *e, const char *desc,
+       STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls)
        {
-       BIO *certs;
        int i;
-       STACK_OF(X509) *othercerts = NULL;
-       STACK_OF(X509_INFO) *allcerts = NULL;
+       BIO *bio;
+       STACK_OF(X509_INFO) *xis = NULL;
        X509_INFO *xi;
        PW_CB_DATA cb_data;
+       int rv = 0;
 
        cb_data.password = pass;
        cb_data.prompt_info = file;
 
-       if((certs = BIO_new(BIO_s_file())) == NULL)
+       if (format != FORMAT_PEM)
                {
-               ERR_print_errors(err);
-               goto end;
+               BIO_printf(err,"bad input format specified for %s\n", desc);
+               return 0;
                }
 
        if (file == NULL)
-               BIO_set_fp(certs,stdin,BIO_NOCLOSE);
+               bio = BIO_new_fp(stdin,BIO_NOCLOSE);
        else
+               bio = BIO_new_file(file, "r");
+
+       if (bio == NULL)
                {
-               if (BIO_read_filename(certs,file) <= 0)
-                       {
-                       BIO_printf(err, "Error opening %s %s\n",
-                               cert_descrip, file);
-                       ERR_print_errors(err);
+               BIO_printf(err, "Error opening %s %s\n",
+                               desc, file ? file : "stdin");
+               ERR_print_errors(err);
+               return 0;
+               }
+
+       xis = PEM_X509_INFO_read_bio(bio, NULL,
+                               (pem_password_cb *)password_callback, &cb_data);
+
+       BIO_free(bio);
+
+       if (pcerts)
+               {
+               *pcerts = sk_X509_new_null();
+               if (!*pcerts)
                        goto end;
-                       }
                }
 
-       if      (format == FORMAT_PEM)
+       if (pcrls)
                {
-               othercerts = sk_X509_new_null();
-               if(!othercerts)
-                       {
-                       sk_X509_free(othercerts);
-                       othercerts = NULL;
+               *pcrls = sk_X509_CRL_new_null();
+               if (!*pcrls)
                        goto end;
+               }
+
+       for(i = 0; i < sk_X509_INFO_num(xis); i++)
+               {
+               xi = sk_X509_INFO_value (xis, i);
+               if (xi->x509 && pcerts)
+                       {
+                       if (!sk_X509_push(*pcerts, xi->x509))
+                               goto end;
+                       xi->x509 = NULL;
                        }
-               allcerts = PEM_X509_INFO_read_bio(certs, NULL,
-                               (pem_password_cb *)password_callback, &cb_data);
-               for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
+               if (xi->crl && pcrls)
                        {
-                       xi = sk_X509_INFO_value (allcerts, i);
-                       if (xi->x509)
-                               {
-                               sk_X509_push(othercerts, xi->x509);
-                               xi->x509 = NULL;
-                               }
+                       if (!sk_X509_CRL_push(*pcrls, xi->crl))
+                               goto end;
+                       xi->crl = NULL;
                        }
-               goto end;
                }
-       else    {
-               BIO_printf(err,"bad input format specified for %s\n",
-                       cert_descrip);
-               goto end;
-               }
-end:
-       if (othercerts == NULL)
+
+       if (pcerts && sk_X509_num(*pcerts) > 0)
+               rv = 1;
+
+       if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
+               rv = 1;
+
+       end:
+
+       if (xis)
+               sk_X509_INFO_pop_free(xis, X509_INFO_free);
+
+       if (rv == 0)
                {
-               BIO_printf(err,"unable to load certificates\n");
+               if (pcerts)
+                       {
+                       sk_X509_pop_free(*pcerts, X509_free);
+                       *pcerts = NULL;
+                       }
+               if (pcrls)
+                       {
+                       sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
+                       *pcrls = NULL;
+                       }
+               BIO_printf(err,"unable to load %s\n",
+                               pcerts ? "certificates" : "CRLs");
                ERR_print_errors(err);
                }
-       if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
-       if (certs != NULL) BIO_free(certs);
-       return(othercerts);
+       return rv;
        }
 
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+       const char *pass, ENGINE *e, const char *desc)
+       {
+       STACK_OF(X509) *certs;
+       load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
+       return certs;
+       }       
+
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+       const char *pass, ENGINE *e, const char *desc)
+       {
+       STACK_OF(X509_CRL) *crls;
+       load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
+       return crls;
+       }       
 
 #define X509V3_EXT_UNKNOWN_MASK                (0xfL << 16)
 /* Return error for unknown extensions */
@@ -1396,6 +1505,10 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
 
 int load_config(BIO *err, CONF *cnf)
        {
+       static int load_config_called = 0;
+       if (load_config_called)
+               return 1;
+       load_config_called = 1;
        if (!cnf)
                cnf = config;
        if (!cnf)
@@ -1429,7 +1542,7 @@ char *make_config_name()
        return p;
        }
 
-static unsigned long index_serial_hash(const char **a)
+static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
        {
        const char *n;
 
@@ -1438,7 +1551,7 @@ static unsigned long index_serial_hash(const char **a)
        return(lh_strhash(n));
        }
 
-static int index_serial_cmp(const char **a, const char **b)
+static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
        {
        const char *aa,*bb;
 
@@ -1450,17 +1563,16 @@ static int index_serial_cmp(const char **a, const char **b)
 static int index_name_qual(char **a)
        { return(a[0][0] == 'V'); }
 
-static unsigned long index_name_hash(const char **a)
+static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
        { return(lh_strhash(a[DB_name])); }
 
-int index_name_cmp(const char **a, const char **b)
-       { return(strcmp(a[DB_name],
-            b[DB_name])); }
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
+       { return(strcmp(a[DB_name], b[DB_name])); }
 
-static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
-static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
+static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
+static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
 
 #undef BSIZE
 #define BSIZE 256
@@ -1588,7 +1700,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
        {
        char buf[5][BSIZE];
        int i,j;
-       struct stat sb;
 
        i = strlen(serialfile) + strlen(old_suffix);
        j = strlen(serialfile) + strlen(new_suffix);
@@ -1613,30 +1724,21 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
        j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
                serialfile, old_suffix);
 #endif
-       if (stat(serialfile,&sb) < 0)
-               {
-               if (errno != ENOENT 
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               serialfile, buf[1]);
+#endif
+       if (rename(serialfile,buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
                        && errno != ENOTDIR
 #endif
-                  )
-                       goto err;
-               }
-       else
-               {
-#ifdef RL_DEBUG
-               BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-                       serialfile, buf[1]);
-#endif
-               if (rename(serialfile,buf[1]) < 0)
-                       {
+          )            {
                        BIO_printf(bio_err,
                                "unable to rename %s to %s\n",
                                serialfile, buf[1]);
                        perror("reason");
                        goto err;
                        }
-               }
 #ifdef RL_DEBUG
        BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
                buf[0],serialfile);
@@ -1703,10 +1805,7 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
                goto err;
                }
        if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL)
-               {
-               if (tmpdb != NULL) TXT_DB_free(tmpdb);
                goto err;
-               }
 
 #ifndef OPENSSL_SYS_VMS
        BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
@@ -1767,8 +1866,8 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
 int index_index(CA_DB *db)
        {
        if (!TXT_DB_create_index(db->db, DB_serial, NULL,
-                               LHASH_HASH_FN(index_serial_hash),
-                               LHASH_COMP_FN(index_serial_cmp)))
+                               LHASH_HASH_FN(index_serial),
+                               LHASH_COMP_FN(index_serial)))
                {
                BIO_printf(bio_err,
                  "error creating serial number index:(%ld,%ld,%ld)\n",
@@ -1778,8 +1877,8 @@ int index_index(CA_DB *db)
 
        if (db->attributes.unique_subject
                && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
-                       LHASH_HASH_FN(index_name_hash),
-                       LHASH_COMP_FN(index_name_cmp)))
+                       LHASH_HASH_FN(index_name),
+                       LHASH_COMP_FN(index_name)))
                {
                BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
                        db->db->error,db->db->arg1,db->db->arg2);
@@ -1859,7 +1958,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf
        {
        char buf[5][BSIZE];
        int i,j;
-       struct stat sb;
 
        i = strlen(dbfile) + strlen(old_suffix);
        j = strlen(dbfile) + strlen(new_suffix);
@@ -1903,30 +2001,21 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf
        j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s",
                dbfile, old_suffix);
 #endif
-       if (stat(dbfile,&sb) < 0)
-               {
-               if (errno != ENOENT 
-#ifdef ENOTDIR
-                       && errno != ENOTDIR
-#endif
-                  )
-                       goto err;
-               }
-       else
-               {
 #ifdef RL_DEBUG
-               BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-                       dbfile, buf[1]);
+       BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               dbfile, buf[1]);
 #endif
-               if (rename(dbfile,buf[1]) < 0)
-                       {
+       if (rename(dbfile,buf[1]) < 0 && errno != ENOENT
+#ifdef ENOTDIR
+               && errno != ENOTDIR
+#endif
+          )            {
                        BIO_printf(bio_err,
                                "unable to rename %s to %s\n",
                                dbfile, buf[1]);
                        perror("reason");
                        goto err;
                        }
-               }
 #ifdef RL_DEBUG
        BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
                buf[0],dbfile);
@@ -1940,23 +2029,15 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf
                rename(buf[1],dbfile);
                goto err;
                }
-       if (stat(buf[4],&sb) < 0)
-               {
-               if (errno != ENOENT 
-#ifdef ENOTDIR
-                       && errno != ENOTDIR
-#endif
-                  )
-                       goto err;
-               }
-       else
-               {
 #ifdef RL_DEBUG
-               BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-                       buf[4],buf[3]);
+       BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               buf[4],buf[3]);
 #endif
-               if (rename(buf[4],buf[3]) < 0)
-                       {
+       if (rename(buf[4],buf[3]) < 0 && errno != ENOENT
+#ifdef ENOTDIR
+               && errno != ENOTDIR
+#endif
+          )            {
                        BIO_printf(bio_err,
                                "unable to rename %s to %s\n",
                                buf[4], buf[3]);
@@ -1965,7 +2046,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf
                        rename(buf[1],dbfile);
                        goto err;
                        }
-               }
 #ifdef RL_DEBUG
        BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
                buf[2],buf[4]);
@@ -2160,52 +2240,13 @@ error:
        return NULL;
 }
 
-/* This code MUST COME AFTER anything that uses rename() */
-#ifdef OPENSSL_SYS_WIN32
-int WIN32_rename(const char *from, const char *to)
-       {
-#ifndef OPENSSL_SYS_WINCE
-       /* Windows rename gives an error if 'to' exists, so delete it
-        * first and ignore file not found errror
-        */
-       if((remove(to) != 0) && (errno != ENOENT))
-               return -1;
-#undef rename
-       return rename(from, to);
-#else
-       /* convert strings to UNICODE */
-       {
-       BOOL result = FALSE;
-       WCHAR* wfrom;
-       WCHAR* wto;
-       int i;
-       wfrom = malloc((strlen(from)+1)*2);
-       wto = malloc((strlen(to)+1)*2);
-       if (wfrom != NULL && wto != NULL)
-               {
-               for (i=0; i<(int)strlen(from)+1; i++)
-                       wfrom[i] = (short)from[i];
-               for (i=0; i<(int)strlen(to)+1; i++)
-                       wto[i] = (short)to[i];
-               result = MoveFile(wfrom, wto);
-               }
-       if (wfrom != NULL)
-               free(wfrom);
-       if (wto != NULL)
-               free(wto);
-       return result;
-       }
-#endif
-       }
-#endif
-
 int args_verify(char ***pargs, int *pargc,
                        int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
        {
        ASN1_OBJECT *otmp = NULL;
        unsigned long flags = 0;
        int i;
-       int purpose = 0;
+       int purpose = 0, depth = -1;
        char **oldargs = *pargs;
        char *arg = **pargs, *argn = (*pargs)[1];
        if (!strcmp(arg, "-policy"))
@@ -2245,6 +2286,21 @@ int args_verify(char ***pargs, int *pargc,
                        }
                (*pargs)++;
                }
+       else if (strcmp(arg,"-verify_depth") == 0)
+               {
+               if (!argn)
+                       *badarg = 1;
+               else
+                       {
+                       depth = atoi(argn);
+                       if(depth < 0)
+                               {
+                               BIO_printf(err, "invalid depth\n");
+                               *badarg = 1;
+                               }
+                       }
+               (*pargs)++;
+               }
        else if (!strcmp(arg, "-ignore_critical"))
                flags |= X509_V_FLAG_IGNORE_CRITICAL;
        else if (!strcmp(arg, "-issuer_checks"))
@@ -2257,8 +2313,16 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_POLICY_CHECK;
        else if (!strcmp(arg, "-explicit_policy"))
                flags |= X509_V_FLAG_EXPLICIT_POLICY;
+       else if (!strcmp(arg, "-inhibit_any"))
+               flags |= X509_V_FLAG_INHIBIT_ANY;
+       else if (!strcmp(arg, "-inhibit_map"))
+               flags |= X509_V_FLAG_INHIBIT_MAP;
        else if (!strcmp(arg, "-x509_strict"))
                flags |= X509_V_FLAG_X509_STRICT;
+       else if (!strcmp(arg, "-extended_crl"))
+               flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
+       else if (!strcmp(arg, "-use_deltas"))
+               flags |= X509_V_FLAG_USE_DELTAS;
        else if (!strcmp(arg, "-policy_print"))
                flags |= X509_V_FLAG_NOTIFY_POLICY;
        else if (!strcmp(arg, "-check_ss_sig"))
@@ -2288,6 +2352,9 @@ int args_verify(char ***pargs, int *pargc,
        if (purpose)
                X509_VERIFY_PARAM_set_purpose(*pm, purpose);
 
+       if (depth >= 0)
+               X509_VERIFY_PARAM_set_depth(*pm, depth);
+
        end:
 
        (*pargs)++;
@@ -2299,6 +2366,61 @@ int args_verify(char ***pargs, int *pargc,
 
        }
 
+/* Read whole contents of a BIO into an allocated memory buffer and
+ * return it.
+ */
+
+int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
+       {
+       BIO *mem;
+       int len, ret;
+       unsigned char tbuf[1024];
+       mem = BIO_new(BIO_s_mem());
+       if (!mem)
+               return -1;
+       for(;;)
+               {
+               if ((maxlen != -1) && maxlen < 1024)
+                       len = maxlen;
+               else
+                       len = 1024;
+               len = BIO_read(in, tbuf, len);
+               if (len <= 0)
+                       break;
+               if (BIO_write(mem, tbuf, len) != len)
+                       {
+                       BIO_free(mem);
+                       return -1;
+                       }
+               maxlen -= len;
+
+               if (maxlen == 0)
+                       break;
+               }
+       ret = BIO_get_mem_data(mem, (char **)out);
+       BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
+       BIO_free(mem);
+       return ret;
+       }
+
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
+       {
+       int rv;
+       char *stmp, *vtmp = NULL;
+       stmp = BUF_strdup(value);
+       if (!stmp)
+               return -1;
+       vtmp = strchr(stmp, ':');
+       if (vtmp)
+               {
+               *vtmp = 0;
+               vtmp++;
+               }
+       rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
+       OPENSSL_free(stmp);
+       return rv;
+       }
+
 static void nodes_print(BIO *out, const char *name,
        STACK_OF(X509_POLICY_NODE) *nodes)
        {
@@ -2340,7 +2462,7 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
                BIO_free(out);
        }
 
-#ifndef OPENSSL_NO_JPAKE
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
 
 static JPAKE_CTX *jpake_init(const char *us, const char *them,
                                                         const char *secret)
@@ -2523,17 +2645,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
        jpake_send_step3a(bconn, ctx);
        jpake_receive_step3b(ctx, bconn);
 
-       /*
-        * The problem is that you must use the derived key in the
-        * session key or you are subject to man-in-the-middle
-        * attacks.
-        */
-       BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
-                " be MitMed. See the version in HEAD for how to do it"
-                " properly)\n");
+       BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+       psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
 
        BIO_pop(bconn);
        BIO_free(bconn);
+
+       JPAKE_CTX_free(ctx);
        }
 
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
@@ -2555,17 +2674,340 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
        jpake_receive_step3a(ctx, bconn);
        jpake_send_step3b(bconn, ctx);
 
-       /*
-        * The problem is that you must use the derived key in the
-        * session key or you are subject to man-in-the-middle
-        * attacks.
-        */
-       BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
-                " be MitMed. See the version in HEAD for how to do it"
-                " properly)\n");
+       BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
+
+       psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
 
        BIO_pop(bconn);
        BIO_free(bconn);
+
+       JPAKE_CTX_free(ctx);
+       }
+
+#endif
+
+/*
+ * Platform-specific sections
+ */
+#if defined(_WIN32)
+# ifdef fileno
+#  undef fileno
+#  define fileno(a) (int)_fileno(a)
+# endif
+
+# include <windows.h>
+# include <tchar.h>
+
+static int WIN32_rename(const char *from, const char *to)
+       {
+       TCHAR  *tfrom=NULL,*tto;
+       DWORD   err;
+       int     ret=0;
+
+       if (sizeof(TCHAR) == 1)
+               {
+               tfrom = (TCHAR *)from;
+               tto   = (TCHAR *)to;
+               }
+       else    /* UNICODE path */
+               {
+               size_t i,flen=strlen(from)+1,tlen=strlen(to)+1;
+               tfrom = (TCHAR *)malloc(sizeof(TCHAR)*(flen+tlen));
+               if (tfrom==NULL) goto err;
+               tto=tfrom+flen;
+#if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+               if (!MultiByteToWideChar(CP_ACP,0,from,flen,(WCHAR *)tfrom,flen))
+#endif
+                       for (i=0;i<flen;i++)    tfrom[i]=(TCHAR)from[i];
+#if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+               if (!MultiByteToWideChar(CP_ACP,0,to,  tlen,(WCHAR *)tto,  tlen))
+#endif
+                       for (i=0;i<tlen;i++)    tto[i]  =(TCHAR)to[i];
+               }
+
+       if (MoveFile(tfrom,tto))        goto ok;
+       err=GetLastError();
+       if (err==ERROR_ALREADY_EXISTS || err==ERROR_FILE_EXISTS)
+               {
+               if (DeleteFile(tto) && MoveFile(tfrom,tto))
+                       goto ok;
+               err=GetLastError();
+               }
+       if (err==ERROR_FILE_NOT_FOUND || err==ERROR_PATH_NOT_FOUND)
+               errno = ENOENT;
+       else if (err==ERROR_ACCESS_DENIED)
+               errno = EACCES;
+       else
+               errno = EINVAL; /* we could map more codes... */
+err:
+       ret=-1;
+ok:
+       if (tfrom!=NULL && tfrom!=(TCHAR *)from)        free(tfrom);
+       return ret;
+       }
+#endif
+
+/* app_tminterval section */
+#if defined(_WIN32)
+double app_tminterval(int stop,int usertime)
+       {
+       FILETIME                now;
+       double                  ret=0;
+       static ULARGE_INTEGER   tmstart;
+       static int              warning=1;
+#ifdef _WIN32_WINNT
+       static HANDLE           proc=NULL;
+
+       if (proc==NULL)
+               {
+               if (GetVersion() < 0x80000000)
+                       proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
+                                               GetCurrentProcessId());
+               if (proc==NULL) proc = (HANDLE)-1;
+               }
+
+       if (usertime && proc!=(HANDLE)-1)
+               {
+               FILETIME junk;
+               GetProcessTimes(proc,&junk,&junk,&junk,&now);
+               }
+       else
+#endif
+               {
+               SYSTEMTIME systime;
+
+               if (usertime && warning)
+                       {
+                       BIO_printf(bio_err,"To get meaningful results, run "
+                                          "this program on idle system.\n");
+                       warning=0;
+                       }
+               GetSystemTime(&systime);
+               SystemTimeToFileTime(&systime,&now);
+               }
+
+       if (stop==TM_START)
+               {
+               tmstart.u.LowPart  = now.dwLowDateTime;
+               tmstart.u.HighPart = now.dwHighDateTime;
+               }
+       else    {
+               ULARGE_INTEGER tmstop;
+
+               tmstop.u.LowPart   = now.dwLowDateTime;
+               tmstop.u.HighPart  = now.dwHighDateTime;
+
+               ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart)*1e-7;
+               }
+
+       return (ret);
+       }
+
+#elif defined(OPENSSL_SYS_NETWARE)
+#include <time.h>
+
+double app_tminterval(int stop,int usertime)
+       {
+       double          ret=0;
+       static clock_t  tmstart;
+       static int      warning=1;
+
+       if (usertime && warning)
+               {
+               BIO_printf(bio_err,"To get meaningful results, run "
+                                  "this program on idle system.\n");
+               warning=0;
+               }
+
+       if (stop==TM_START)     tmstart = clock();
+       else                    ret     = (clock()-tmstart)/(double)CLOCKS_PER_SEC;
+
+       return (ret);
+       }
+
+#elif defined(OPENSSL_SYSTEM_VXWORKS)
+#include <time.h>
+
+double app_tminterval(int stop,int usertime)
+       {
+       double ret=0;
+#ifdef CLOCK_REALTIME
+       static struct timespec  tmstart;
+       struct timespec         now;
+#else
+       static unsigned long    tmstart;
+       unsigned long           now;
+#endif
+       static int warning=1;
+
+       if (usertime && warning)
+               {
+               BIO_printf(bio_err,"To get meaningful results, run "
+                                  "this program on idle system.\n");
+               warning=0;
+               }
+
+#ifdef CLOCK_REALTIME
+       clock_gettime(CLOCK_REALTIME,&now);
+       if (stop==TM_START)     tmstart = now;
+       else    ret = ( (now.tv_sec+now.tv_nsec*1e-9)
+                       - (tmstart.tv_sec+tmstart.tv_nsec*1e-9) );
+#else
+       now = tickGet();
+       if (stop==TM_START)     tmstart = now;
+       else                    ret = (now - tmstart)/(double)sysClkRateGet();
+#endif
+       return (ret);
+       }
+
+#elif defined(OPENSSL_SYSTEM_VMS)
+#include <time.h>
+#include <times.h>
+
+double app_tminterval(int stop,int usertime)
+       {
+       static clock_t  tmstart;
+       double          ret = 0;
+       clock_t         now;
+#ifdef __TMS
+       struct tms      rus;
+
+       now = times(&rus);
+       if (usertime)   now = rus.tms_utime;
+#else
+       if (usertime)
+               now = clock(); /* sum of user and kernel times */
+       else    {
+               struct timeval tv;
+               gettimeofday(&tv,NULL);
+               now = (clock_t)(
+                       (unsigned long long)tv.tv_sec*CLK_TCK +
+                       (unsigned long long)tv.tv_usec*(1000000/CLK_TCK)
+                       );
+               }
+#endif
+       if (stop==TM_START)     tmstart = now;
+       else                    ret = (now - tmstart)/(double)(CLK_TCK);
+
+       return (ret);
+       }
+
+#elif defined(_SC_CLK_TCK)     /* by means of unistd.h */
+#include <sys/times.h>
+
+double app_tminterval(int stop,int usertime)
+       {
+       double          ret = 0;
+       struct tms      rus;
+       clock_t         now = times(&rus);
+       static clock_t  tmstart;
+
+       if (usertime)           now = rus.tms_utime;
+
+       if (stop==TM_START)     tmstart = now;
+       else
+               {
+               long int tck = sysconf(_SC_CLK_TCK);
+               ret = (now - tmstart)/(double)tck;
+               }
+
+       return (ret);
+       }
+
+#else
+#include <sys/time.h>
+#include <sys/resource.h>
+
+double app_tminterval(int stop,int usertime)
+       {
+       double          ret = 0;
+       struct rusage   rus;
+       struct timeval  now;
+       static struct timeval tmstart;
+
+       if (usertime)           getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime;
+       else                    gettimeofday(&now,NULL);
+
+       if (stop==TM_START)     tmstart = now;
+       else                    ret = ( (now.tv_sec+now.tv_usec*1e-6)
+                                       - (tmstart.tv_sec+tmstart.tv_usec*1e-6) );
+
+       return ret;
        }
+#endif
+
+/* app_isdir section */
+#ifdef _WIN32
+int app_isdir(const char *name)
+       {
+       HANDLE          hList;
+       WIN32_FIND_DATA FileData;
+#if defined(UNICODE) || defined(_UNICODE)
+       size_t i, len_0 = strlen(name)+1;
 
+       if (len_0 > sizeof(FileData.cFileName)/sizeof(FileData.cFileName[0]))
+               return -1;
+
+#if !defined(_WIN32_WCE) || _WIN32_WCE>=101
+       if (!MultiByteToWideChar(CP_ACP,0,name,len_0,FileData.cFileName,len_0))
+#endif
+               for (i=0;i<len_0;i++)
+                       FileData.cFileName[i] = (WCHAR)name[i];
+
+       hList = FindFirstFile(FileData.cFileName,&FileData);
+#else
+       hList = FindFirstFile(name,&FileData);
+#endif
+       if (hList == INVALID_HANDLE_VALUE)      return -1;
+       FindClose(hList);
+       return ((FileData.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)!=0);
+       }
+#else
+#include <sys/stat.h>
+#ifndef S_ISDIR
+# if defined(_S_IFMT) && defined(_S_IFDIR)
+#  define S_ISDIR(a)   (((a) & _S_IFMT) == _S_IFDIR)
+# else 
+#  define S_ISDIR(a)   (((a) & S_IFMT) == S_IFDIR)
+# endif 
+#endif 
+
+int app_isdir(const char *name)
+       {
+#if defined(S_ISDIR)
+       struct stat st;
+
+       if (stat(name,&st)==0)  return S_ISDIR(st.st_mode);
+       else                    return -1;
+#else
+       return -1;
+#endif
+       }
+#endif
+
+/* raw_read|write section */
+#if defined(_WIN32) && defined(STD_INPUT_HANDLE)
+int raw_read_stdin(void *buf,int siz)
+       {
+       DWORD n;
+       if (ReadFile(GetStdHandle(STD_INPUT_HANDLE),buf,siz,&n,NULL))
+               return (n);
+       else    return (-1);
+       }
+#else
+int raw_read_stdin(void *buf,int siz)
+       {       return read(fileno(stdin),buf,siz);     }
+#endif
+
+#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
+int raw_write_stdout(const void *buf,int siz)
+       {
+       DWORD n;
+       if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL))
+               return (n);
+       else    return (-1);
+       }
+#else
+int raw_write_stdout(const void *buf,int siz)
+       {       return write(fileno(stdout),buf,siz);   }
 #endif
index 8857909..596a39a 100644 (file)
@@ -137,11 +137,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                        * (see e_os.h).  The string is
                                        * destroyed! */
 
-#ifdef OPENSSL_SYS_WIN32
-#define rename(from,to) WIN32_rename((from),(to))
-int WIN32_rename(const char *oldname,const char *newname);
-#endif
-
 #ifndef MONOLITH
 
 #define MAIN(a,v)      main(a,v)
@@ -149,11 +144,9 @@ int WIN32_rename(const char *oldname,const char *newname);
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
-int in_FIPS_mode=0;
 #else
 extern CONF *config;
 extern BIO *bio_err;
-extern int in_FIPS_mode;
 #endif
 
 #else
@@ -162,7 +155,6 @@ extern int in_FIPS_mode;
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
-extern int in_FIPS_mode;
 
 #endif
 
@@ -176,61 +168,37 @@ extern int in_FIPS_mode;
 #define do_pipe_sig()
 #endif
 
+#ifdef OPENSSL_NO_COMP
+#define zlib_cleanup() 
+#else
+#define zlib_cleanup() COMP_zlib_cleanup()
+#endif
+
 #if defined(MONOLITH) && !defined(OPENSSL_C)
 #  define apps_startup() \
                do_pipe_sig()
 #  define apps_shutdown()
 #else
 #  ifndef OPENSSL_NO_ENGINE
-#    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
-     defined(OPENSSL_SYS_WIN32)
-#      ifdef _O_BINARY
-#        define apps_startup() \
-                       do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
-                       ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
-                       ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
-#      else
-#        define apps_startup() \
-                       do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+#    define apps_startup() \
+                       do { do_pipe_sig(); CRYPTO_malloc_init(); \
                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
                        ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
-#      endif
-#    else
-#      define apps_startup() \
-                       do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \
-                       ERR_load_crypto_strings(); ENGINE_load_builtin_engines(); \
-                       setup_ui_method(); } while(0)
-#    endif
 #    define apps_shutdown() \
                        do { CONF_modules_unload(1); destroy_ui_method(); \
-                       EVP_cleanup(); ENGINE_cleanup(); \
-                       CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
-                       ERR_free_strings(); } while(0)
+                       OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
+                       CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+                       ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
-#    if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN16) || \
-     defined(OPENSSL_SYS_WIN32)
-#      ifdef _O_BINARY
-#        define apps_startup() \
-                       do { _fmode=_O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
+#    define apps_startup() \
+                       do { do_pipe_sig(); CRYPTO_malloc_init(); \
                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
                        setup_ui_method(); } while(0)
-#      else
-#        define apps_startup() \
-                       do { _fmode=O_BINARY; do_pipe_sig(); CRYPTO_malloc_init(); \
-                       ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
-                       setup_ui_method(); } while(0)
-#      endif
-#    else
-#      define apps_startup() \
-                       do { do_pipe_sig(); OpenSSL_add_all_algorithms(); \
-                       ERR_load_crypto_strings(); \
-                       setup_ui_method(); } while(0)
-#    endif
 #    define apps_shutdown() \
                        do { CONF_modules_unload(1); destroy_ui_method(); \
-                       EVP_cleanup(); \
-                       CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
-                       ERR_free_strings(); } while(0)
+                       OBJ_cleanup(); EVP_cleanup(); \
+                       CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+                       ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif
 
@@ -240,6 +208,7 @@ extern int in_FIPS_mode;
 #  define openssl_fdset(a,b) FD_SET(a, b)
 #endif
 
+
 typedef struct args_st
        {
        char **data;
@@ -282,6 +251,8 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip);
 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip);
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+       const char *pass, ENGINE *e, const char *cert_descrip);
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
 #ifndef OPENSSL_NO_ENGINE
 ENGINE *setup_engine(BIO *err, const char *engine, int debug);
@@ -290,6 +261,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug);
 #ifndef OPENSSL_NO_OCSP
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
                        char *host, char *path, char *port, int use_ssl,
+                       STACK_OF(CONF_VALUE) *headers,
                        int req_timeout);
 #endif
 
@@ -331,13 +303,23 @@ int index_index(CA_DB *db);
 int save_index(const char *dbfile, const char *suffix, CA_DB *db);
 int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix);
 void free_index(CA_DB *db);
-int index_name_cmp(const char **a, const char **b);
+#define index_name_cmp_noconst(a, b) \
+       index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
+       (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
+int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
 int parse_yesno(const char *str, int def);
 
 X509_NAME *parse_name(char *str, long chtype, int multirdn);
 int args_verify(char ***pargs, int *pargc,
                        int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
 void policies_print(BIO *out, X509_STORE_CTX *ctx);
+int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+                       const char *algname, ENGINE *e, int do_param);
+#ifndef OPENSSL_NO_PSK
+extern char *psk_key;
+#endif
 #ifndef OPENSSL_NO_JPAKE
 void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
@@ -353,6 +335,10 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 #define FORMAT_ENGINE   7
 #define FORMAT_IISSGC  8       /* XXX this stupid macro helps us to avoid
                                 * adding yet another param to load_*key() */
+#define FORMAT_PEMRSA  9       /* PEM RSAPubicKey format */
+#define FORMAT_ASN1RSA 10      /* DER RSAPubicKey format */
+#define FORMAT_MSBLOB  11      /* MS Key blob format */
+#define FORMAT_PVK     12      /* MS PVK file format */
 
 #define EXT_COPY_NONE  0
 #define EXT_COPY_ADD   1
@@ -364,4 +350,11 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 
 #define SERIAL_RAND_BITS       64
 
+int app_isdir(const char *);
+int raw_read_stdin(void *,int);
+int raw_write_stdout(const void *,int);
+
+#define TM_START       0
+#define TM_STOP                1
+double app_tminterval (int stop,int usertime);
 #endif
index bde61d0..b5d65e7 100644 (file)
@@ -96,7 +96,7 @@ int MAIN(int argc, char **argv)
        unsigned char *tmpbuf;
        const unsigned char *ctmpbuf;
        BUF_MEM *buf=NULL;
-       STACK *osk=NULL;
+       STACK_OF(OPENSSL_STRING) *osk=NULL;
        ASN1_TYPE *at=NULL;
 
        informat=FORMAT_PEM;
@@ -113,7 +113,7 @@ int MAIN(int argc, char **argv)
        prog=argv[0];
        argc--;
        argv++;
-       if ((osk=sk_new_null()) == NULL)
+       if ((osk=sk_OPENSSL_STRING_new_null()) == NULL)
                {
                BIO_printf(bio_err,"Memory allocation failure\n");
                goto end;
@@ -169,7 +169,7 @@ int MAIN(int argc, char **argv)
                else if (strcmp(*argv,"-strparse") == 0)
                        {
                        if (--argc < 1) goto bad;
-                       sk_push(osk,*(++argv));
+                       sk_OPENSSL_STRING_push(osk,*(++argv));
                        }
                else if (strcmp(*argv,"-genstr") == 0)
                        {
@@ -302,18 +302,18 @@ bad:
 
        /* If any structs to parse go through in sequence */
 
-       if (sk_num(osk))
+       if (sk_OPENSSL_STRING_num(osk))
                {
                tmpbuf=(unsigned char *)str;
                tmplen=num;
-               for (i=0; i<sk_num(osk); i++)
+               for (i=0; i<sk_OPENSSL_STRING_num(osk); i++)
                        {
                        ASN1_TYPE *atmp;
                        int typ;
-                       j=atoi(sk_value(osk,i));
+                       j=atoi(sk_OPENSSL_STRING_value(osk,i));
                        if (j == 0)
                                {
-                               BIO_printf(bio_err,"'%s' is an invalid number\n",sk_value(osk,i));
+                               BIO_printf(bio_err,"'%s' is an invalid number\n",sk_OPENSSL_STRING_value(osk,i));
                                continue;
                                }
                        tmpbuf+=j;
@@ -378,7 +378,7 @@ end:
                ERR_print_errors(bio_err);
        if (buf != NULL) BUF_MEM_free(buf);
        if (at != NULL) ASN1_TYPE_free(at);
-       if (osk != NULL) sk_free(osk);
+       if (osk != NULL) sk_OPENSSL_STRING_free(osk);
        OBJ_cleanup();
        apps_shutdown();
        OPENSSL_EXIT(ret);
index 651c5a6..6b8b0ef 100644 (file)
@@ -63,7 +63,6 @@
 #include <string.h>
 #include <ctype.h>
 #include <sys/types.h>
-#include <sys/stat.h>
 #include <openssl/conf.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -83,7 +82,7 @@
 #    else
 #      include <unixlib.h>
 #    endif
-#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM)
+#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
 #    include <sys/file.h>
 #  endif
 #endif
@@ -258,6 +257,7 @@ int MAIN(int argc, char **argv)
        int doupdatedb=0;
        long crldays=0;
        long crlhours=0;
+       long crlsec=0;
        long errorline= -1;
        char *configfile=NULL;
        char *md=NULL;
@@ -305,7 +305,8 @@ int MAIN(int argc, char **argv)
        ASN1_TIME *tmptm;
        ASN1_INTEGER *tmpser;
        char *f;
-       const char *p, **pp;
+       const char *p;
+       char * const *pp;
        int i,j;
        const EVP_MD *dgst=NULL;
        STACK_OF(CONF_VALUE) *attribs=NULL;
@@ -456,6 +457,11 @@ EF_ALIGNMENT=0;
                        if (--argc < 1) goto bad;
                        crlhours= atol(*(++argv));
                        }
+               else if (strcmp(*argv,"-crlsec") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crlsec = atol(*(++argv));
+                       }
                else if (strcmp(*argv,"-infiles") == 0)
                        {
                        argc--;
@@ -549,8 +555,10 @@ bad:
 
        if (badops)
                {
-               for (pp=ca_usage; (*pp != NULL); pp++)
-                       BIO_printf(bio_err,"%s",*pp);
+               const char **pp2;
+
+               for (pp2=ca_usage; (*pp2 != NULL); pp2++)
+                       BIO_printf(bio_err,"%s",*pp2);
                goto err;
                }
 
@@ -825,7 +833,6 @@ bad:
        /* lookup where to write new certificates */
        if ((outdir == NULL) && (req))
                {
-               struct stat sb;
 
                if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
                        == NULL)
@@ -844,27 +851,23 @@ bad:
               that to access().  However, time's too short to do that just
               now.
            */
+#ifndef _WIN32
                if (access(outdir,R_OK|W_OK|X_OK) != 0)
+#else
+               if (_access(outdir,R_OK|W_OK|X_OK) != 0)
+#endif
                        {
                        BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
                        perror(outdir);
                        goto err;
                        }
 
-               if (stat(outdir,&sb) != 0)
-                       {
-                       BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
-                       perror(outdir);
-                       goto err;
-                       }
-#ifdef S_ISDIR
-               if (!S_ISDIR(sb.st_mode))
+               if (app_isdir(outdir)<=0)
                        {
                        BIO_printf(bio_err,"%s need to be a directory\n",outdir);
                        perror(outdir);
                        goto err;
                        }
-#endif
 #endif
                }
 
@@ -879,9 +882,9 @@ bad:
        if (db == NULL) goto err;
 
        /* Lets check some fields */
-       for (i=0; i<sk_num(db->db->data); i++)
+       for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++)
                {
-               pp=(const char **)sk_value(db->db->data,i);
+               pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
                if ((pp[DB_type][0] != DB_TYPE_REV) &&
                        (pp[DB_rev_date][0] != '\0'))
                        {
@@ -894,7 +897,7 @@ bad:
                        BIO_printf(bio_err," in entry %d\n", i+1);
                        goto err;
                        }
-               if (!check_time_format(pp[DB_exp_date]))
+               if (!check_time_format((char *)pp[DB_exp_date]))
                        {
                        BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
                        goto err;
@@ -934,7 +937,7 @@ bad:
 #endif
                TXT_DB_write(out,db->db);
                BIO_printf(bio_err,"%d entries loaded from the database\n",
-                       db->db->data->num);
+                          sk_OPENSSL_PSTRING_num(db->db->data));
                BIO_printf(bio_err,"generating index\n");
                }
        
@@ -1025,6 +1028,17 @@ bad:
                goto err;
                }
 
+       if (!strcmp(md, "default"))
+               {
+               int def_nid;
+               if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
+                       {
+                       BIO_puts(bio_err,"no default digest\n");
+                       goto err;
+                       }
+               md = (char *)OBJ_nid2sn(def_nid);
+               }
+
        if ((dgst=EVP_get_digestbyname(md)) == NULL)
                {
                BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
@@ -1094,9 +1108,9 @@ bad:
                        if (startdate == NULL)
                                ERR_clear_error();
                        }
-               if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
+               if (startdate && !ASN1_TIME_set_string(NULL, startdate))
                        {
-                       BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
+                       BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
                        goto err;
                        }
                if (startdate == NULL) startdate="today";
@@ -1108,9 +1122,9 @@ bad:
                        if (enddate == NULL)
                                ERR_clear_error();
                        }
-               if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
+               if (enddate && !ASN1_TIME_set_string(NULL, enddate))
                        {
-                       BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
+                       BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
                        goto err;
                        }
 
@@ -1370,7 +1384,7 @@ bad:
                                goto err;
                                }
 
-               if (!crldays && !crlhours)
+               if (!crldays && !crlhours && !crlsec)
                        {
                        if (!NCONF_get_number(conf,section,
                                ENV_DEFAULT_CRL_DAYS, &crldays))
@@ -1379,7 +1393,7 @@ bad:
                                ENV_DEFAULT_CRL_HOURS, &crlhours))
                                crlhours = 0;
                        }
-               if ((crldays == 0) && (crlhours == 0))
+               if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
                        {
                        BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
                        goto err;
@@ -1393,14 +1407,19 @@ bad:
                if (!tmptm) goto err;
                X509_gmtime_adj(tmptm,0);
                X509_CRL_set_lastUpdate(crl, tmptm);    
-               X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
+               if (!X509_time_adj_ex(tmptm, crldays, crlhours*60*60 + crlsec,
+                       NULL))
+                       {
+                       BIO_puts(bio_err, "error setting CRL nextUpdate\n");
+                       goto err;
+                       }
                X509_CRL_set_nextUpdate(crl, tmptm);    
 
                ASN1_TIME_free(tmptm);
 
-               for (i=0; i<sk_num(db->db->data); i++)
+               for (i=0; i<sk_OPENSSL_PSTRING_num(db->db->data); i++)
                        {
-                       pp=(const char **)sk_value(db->db->data,i);
+                       pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
                        if (pp[DB_type][0] == DB_TYPE_REV)
                                {
                                if ((r=X509_REVOKED_new()) == NULL) goto err;
@@ -1426,15 +1445,6 @@ bad:
 
                /* we now have a CRL */
                if (verbose) BIO_printf(bio_err,"signing CRL\n");
-#ifndef OPENSSL_NO_DSA
-               if (pkey->type == EVP_PKEY_DSA) 
-                       dgst=EVP_dss1();
-               else
-#endif
-#ifndef OPENSSL_NO_ECDSA
-               if (pkey->type == EVP_PKEY_EC)
-                       dgst=EVP_ecdsa();
-#endif
 
                /* Add any extensions asked for */
 
@@ -1467,6 +1477,12 @@ bad:
                if (crlnumberfile != NULL)      /* we have a CRL number that need updating */
                        if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
 
+               if (crlnumber)
+                       {
+                       BN_free(crlnumber);
+                       crlnumber = NULL;
+                       }
+
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
                PEM_write_bio_X509_CRL(Sout,crl);
@@ -1519,6 +1535,7 @@ err:
        if (free_key && key)
                OPENSSL_free(key);
        BN_free(serial);
+       BN_free(crlnumber);
        free_index(db);
        EVP_PKEY_free(pkey);
        if (x509) X509_free(x509);
@@ -1677,7 +1694,9 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        int ok= -1,i,j,last,nid;
        const char *p;
        CONF_VALUE *cv;
-       char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
+       OPENSSL_STRING row[DB_NUMBER];
+       OPENSSL_STRING *irow=NULL;
+       OPENSSL_STRING *rrow=NULL;
        char buf[25];
 
        tmptm=ASN1_UTCTIME_new();
@@ -1919,7 +1938,9 @@ again2:
 
        if (db->attributes.unique_subject)
                {
-               rrow=TXT_DB_get_by_index(db->db,DB_name,row);
+               OPENSSL_STRING *crow=row;
+
+               rrow=TXT_DB_get_by_index(db->db,DB_name,crow);
                if (rrow != NULL)
                        {
                        BIO_printf(bio_err,
@@ -1995,11 +2016,11 @@ again2:
 
        if (strcmp(startdate,"today") == 0)
                X509_gmtime_adj(X509_get_notBefore(ret),0);
-       else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
+       else ASN1_TIME_set_string(X509_get_notBefore(ret),startdate);
 
        if (enddate == NULL)
-               X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
-       else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
+               X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL);
+       else ASN1_TIME_set_string(X509_get_notAfter(ret),enddate);
 
        if (!X509_set_subject_name(ret,subject)) goto err;
 
@@ -2119,25 +2140,11 @@ again2:
                        }
                }
 
-
-#ifndef OPENSSL_NO_DSA
-       if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
        pktmp=X509_get_pubkey(ret);
        if (EVP_PKEY_missing_parameters(pktmp) &&
                !EVP_PKEY_missing_parameters(pkey))
                EVP_PKEY_copy_parameters(pktmp,pkey);
        EVP_PKEY_free(pktmp);
-#endif
-#ifndef OPENSSL_NO_ECDSA
-       if (pkey->type == EVP_PKEY_EC)
-               dgst = EVP_ecdsa();
-       pktmp = X509_get_pubkey(ret);
-       if (EVP_PKEY_missing_parameters(pktmp) &&
-               !EVP_PKEY_missing_parameters(pkey))
-               EVP_PKEY_copy_parameters(pktmp, pkey);
-       EVP_PKEY_free(pktmp);
-#endif
-
 
        if (!X509_sign(ret,pkey,dgst))
                goto err;
@@ -2239,7 +2246,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
             unsigned long nameopt, int default_op, int ext_copy)
        {
        STACK_OF(CONF_VALUE) *sk=NULL;
-       LHASH *parms=NULL;
+       LHASH_OF(CONF_VALUE) *parms=NULL;
        X509_REQ *req=NULL;
        CONF_VALUE *cv=NULL;
        NETSCAPE_SPKI *spki = NULL;
@@ -2373,15 +2380,7 @@ err:
 
 static int check_time_format(const char *str)
        {
-       ASN1_TIME tm;
-
-       tm.data=(unsigned char *)str;
-       tm.length=strlen(str);
-       tm.type=V_ASN1_UTCTIME;
-       if (ASN1_TIME_check(&tm))
-               return 1;
-       tm.type=V_ASN1_GENERALIZEDTIME;
-       return ASN1_TIME_check(&tm);
+       return ASN1_TIME_set_string(NULL, str);
        }
 
 static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
@@ -2396,6 +2395,8 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                row[i]=NULL;
        row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
        bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
+       if (!bn)
+               goto err;
        if (BN_is_zero(bn))
                row[DB_serial]=BUF_strdup("00");
        else
@@ -2465,7 +2466,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                goto err;
 
                }
-       else if (index_name_cmp((const char **)row,(const char **)rrow))
+       else if (index_name_cmp_noconst(row, rrow))
                {
                BIO_printf(bio_err,"ERROR:name does not match %s\n",
                           row[DB_name]);
@@ -2614,9 +2615,9 @@ static int do_updatedb (CA_DB *db)
        else
                a_y2k = 0;
 
-       for (i = 0; i < sk_num(db->db->data); i++)
+       for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
                {
-               rrow = (char **) sk_value(db->db->data, i);
+               rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
 
                if (rrow[DB_type][0] == 'V')
                        {
@@ -2863,22 +2864,13 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
        p=(char *)str->data;
        for (j=str->length; j>0; j--)
                {
-#ifdef CHARSET_EBCDIC
-               if ((*p >= 0x20) && (*p <= 0x7e))
-                       BIO_printf(bp,"%c",os_toebcdic[*p]);
-#else
                if ((*p >= ' ') && (*p <= '~'))
                        BIO_printf(bp,"%c",*p);
-#endif
                else if (*p & 0x80)
                        BIO_printf(bp,"\\0x%02X",*p);
                else if ((unsigned char)*p == 0xf7)
                        BIO_printf(bp,"^?");
-#ifdef CHARSET_EBCDIC
-               else    BIO_printf(bp,"^%c",os_toebcdic[*p+0x40]);
-#else
                else    BIO_printf(bp,"^%c",*p+'@');
-#endif
                p++;
                }
        BIO_printf(bp,"'\n");
index 43f0ac5..3d4c60d 100644 (file)
@@ -71,7 +71,8 @@
 
 static const char *ciphers_usage[]={
 "usage: ciphers args\n",
-" -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
+" -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
+" -V          - even more verbose\n",
 " -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
 " -tls1       - TLS1 mode\n",
@@ -83,14 +84,14 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
        {
        int ret=1,i;
-       int verbose=0;
+       int verbose=0,Verbose=0;
        const char **pp;
        const char *p;
        int badops=0;
        SSL_CTX *ctx=NULL;
        SSL *ssl=NULL;
        char *ciphers=NULL;
-       SSL_METHOD *meth=NULL;
+       const SSL_METHOD *meth=NULL;
        STACK_OF(SSL_CIPHER) *sk;
        char buf[512];
        BIO *STDout=NULL;
@@ -114,6 +115,8 @@ int MAIN(int argc, char **argv)
        STDout = BIO_push(tmpbio, STDout);
        }
 #endif
+       if (!load_config(bio_err, NULL))
+               goto end;
 
        argc--;
        argv++;
@@ -121,6 +124,8 @@ int MAIN(int argc, char **argv)
                {
                if (strcmp(*argv,"-v") == 0)
                        verbose=1;
+               else if (strcmp(*argv,"-V") == 0)
+                       verbose=Verbose=1;
 #ifndef OPENSSL_NO_SSL2
                else if (strcmp(*argv,"-ssl2") == 0)
                        meth=SSLv2_client_method();
@@ -179,15 +184,33 @@ int MAIN(int argc, char **argv)
                        }
                BIO_printf(STDout,"\n");
                }
-       else
+       else /* verbose */
                {
                sk=SSL_get_ciphers(ssl);
 
                for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                        {
-                       BIO_puts(STDout,SSL_CIPHER_description(
-                               sk_SSL_CIPHER_value(sk,i),
-                               buf,sizeof buf));
+                       SSL_CIPHER *c;
+
+                       c = sk_SSL_CIPHER_value(sk,i);
+                       
+                       if (Verbose)
+                               {
+                               unsigned long id = c->id;
+                               int id0 = (int)(id >> 24);
+                               int id1 = (int)((id >> 16) & 0xffL);
+                               int id2 = (int)((id >> 8) & 0xffL);
+                               int id3 = (int)(id & 0xffL);
+                               
+                               if ((id & 0xff000000L) == 0x02000000L)
+                                       BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
+                               else if ((id & 0xff000000L) == 0x03000000L)
+                                       BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
+                               else
+                                       BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
+                               }
+
+                       BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf));
                        }
                }
 
index 6d227ac..d29a884 100644 (file)
@@ -71,8 +71,9 @@
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
 static int cms_cb(int ok, X509_STORE_CTX *ctx);
 static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
-static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst,
-                                                               STACK *rr_from);
+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
+                                               int rr_allorfirst,
+                                       STACK_OF(OPENSSL_STRING) *rr_from);
 
 #define SMIME_OP       0x10
 #define SMIME_IP       0x20
@@ -94,6 +95,8 @@ static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst,
 #define SMIME_SIGN_RECEIPT     (15 | SMIME_IP | SMIME_OP)
 #define SMIME_VERIFY_RECEIPT   (16 | SMIME_IP)
 
+int verify_err = 0;
+
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
@@ -105,7 +108,7 @@ int MAIN(int argc, char **argv)
        const char *inmode = "r", *outmode = "w";
        char *infile = NULL, *outfile = NULL, *rctfile = NULL;
        char *signerfile = NULL, *recipfile = NULL;
-       STACK *sksigners = NULL, *skkeys = NULL;
+       STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
        char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
        char *certsoutfile = NULL;
        const EVP_CIPHER *cipher = NULL;
@@ -116,9 +119,10 @@ int MAIN(int argc, char **argv)
        STACK_OF(X509) *encerts = NULL, *other = NULL;
        BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
        int badarg = 0;
-       int flags = CMS_DETACHED;
+       int flags = CMS_DETACHED, noout = 0, print = 0;
+       int verify_retcode = 0;
        int rr_print = 0, rr_allorfirst = -1;
-       STACK *rr_to = NULL, *rr_from = NULL;
+       STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL;
        CMS_ReceiptRequest *rr = NULL;
        char *to = NULL, *from = NULL, *subject = NULL;
        char *CAfile = NULL, *CApath = NULL;
@@ -166,6 +170,8 @@ int MAIN(int argc, char **argv)
                        operation = SMIME_RESIGN;
                else if (!strcmp (*args, "-verify"))
                        operation = SMIME_VERIFY;
+               else if (!strcmp (*args, "-verify_retcode"))
+                       verify_retcode = 1;
                else if (!strcmp(*args,"-verify_receipt"))
                        {
                        operation = SMIME_VERIFY_RECEIPT;
@@ -252,21 +258,17 @@ int MAIN(int argc, char **argv)
                else if (!strcmp (*args, "-no_attr_verify"))
                                flags |= CMS_NO_ATTR_VERIFY;
                else if (!strcmp (*args, "-stream"))
-                               {
-                               args++;
-                               continue;
-                               }
+                               flags |= CMS_STREAM;
                else if (!strcmp (*args, "-indef"))
-                               {
-                               args++;
-                               continue;
-                               }
+                               flags |= CMS_STREAM;
                else if (!strcmp (*args, "-noindef"))
                                flags &= ~CMS_STREAM;
                else if (!strcmp (*args, "-nooldmime"))
                                flags |= CMS_NOOLDMIMETYPE;
                else if (!strcmp (*args, "-crlfeol"))
                                flags |= CMS_CRLFEOL;
+               else if (!strcmp (*args, "-noout"))
+                               noout = 1;
                else if (!strcmp (*args, "-receipt_request_print"))
                                rr_print = 1;
                else if (!strcmp (*args, "-receipt_request_all"))
@@ -279,8 +281,8 @@ int MAIN(int argc, char **argv)
                                goto argerr;
                        args++;
                        if (!rr_from)
-                               rr_from = sk_new_null();
-                       sk_push(rr_from, *args);
+                               rr_from = sk_OPENSSL_STRING_new_null();
+                       sk_OPENSSL_STRING_push(rr_from, *args);
                        }
                else if (!strcmp(*args,"-receipt_request_to"))
                        {
@@ -288,9 +290,14 @@ int MAIN(int argc, char **argv)
                                goto argerr;
                        args++;
                        if (!rr_to)
-                               rr_to = sk_new_null();
-                       sk_push(rr_to, *args);
+                               rr_to = sk_OPENSSL_STRING_new_null();
+                       sk_OPENSSL_STRING_push(rr_to, *args);
                        }
+               else if (!strcmp (*args, "-print"))
+                               {
+                               noout = 1;
+                               print = 1;
+                               }
                else if (!strcmp(*args,"-secretkey"))
                        {
                        long ltmp;
@@ -380,13 +387,13 @@ int MAIN(int argc, char **argv)
                        if (signerfile)
                                {
                                if (!sksigners)
-                                       sksigners = sk_new_null();
-                               sk_push(sksigners, signerfile);
+                                       sksigners = sk_OPENSSL_STRING_new_null();
+                               sk_OPENSSL_STRING_push(sksigners, signerfile);
                                if (!keyfile)
                                        keyfile = signerfile;
                                if (!skkeys)
-                                       skkeys = sk_new_null();
-                               sk_push(skkeys, keyfile);
+                                       skkeys = sk_OPENSSL_STRING_new_null();
+                               sk_OPENSSL_STRING_push(skkeys, keyfile);
                                keyfile = NULL;
                                }
                        signerfile = *++args;
@@ -428,12 +435,12 @@ int MAIN(int argc, char **argv)
                                        goto argerr;
                                        }
                                if (!sksigners)
-                                       sksigners = sk_new_null();
-                               sk_push(sksigners, signerfile);
+                                       sksigners = sk_OPENSSL_STRING_new_null();
+                               sk_OPENSSL_STRING_push(sksigners, signerfile);
                                signerfile = NULL;
                                if (!skkeys)
-                                       skkeys = sk_new_null();
-                               sk_push(skkeys, keyfile);
+                                       skkeys = sk_OPENSSL_STRING_new_null();
+                               sk_OPENSSL_STRING_push(skkeys, keyfile);
                                }
                        keyfile = *++args;
                        }
@@ -532,13 +539,13 @@ int MAIN(int argc, char **argv)
                if (signerfile)
                        {
                        if (!sksigners)
-                               sksigners = sk_new_null();
-                       sk_push(sksigners, signerfile);
+                               sksigners = sk_OPENSSL_STRING_new_null();
+                       sk_OPENSSL_STRING_push(sksigners, signerfile);
                        if (!skkeys)
-                               skkeys = sk_new_null();
+                               skkeys = sk_OPENSSL_STRING_new_null();
                        if (!keyfile)
                                keyfile = signerfile;
-                       sk_push(skkeys, keyfile);
+                       sk_OPENSSL_STRING_push(skkeys, keyfile);
                        }
                if (!sksigners)
                        {
@@ -697,7 +704,7 @@ int MAIN(int argc, char **argv)
 
                if (secret_key && !secret_keyid)
                        {
-                       BIO_printf(bio_err, "No sectre key id\n");
+                       BIO_printf(bio_err, "No secret key id\n");
                        goto end;
                        }
 
@@ -873,7 +880,7 @@ int MAIN(int argc, char **argv)
                {
                if (!(store = setup_verify(bio_err, CAfile, CApath)))
                        goto end;
-               X509_STORE_set_verify_cb_func(store, cms_cb);
+               X509_STORE_set_verify_cb(store, cms_cb);
                if (vpm)
                        X509_STORE_set1_param(store, vpm);
                }
@@ -973,11 +980,11 @@ int MAIN(int argc, char **argv)
                        }
                else
                        flags |= CMS_REUSE_DIGEST;
-               for (i = 0; i < sk_num(sksigners); i++)
+               for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++)
                        {
                        CMS_SignerInfo *si;
-                       signerfile = sk_value(sksigners, i);
-                       keyfile = sk_value(skkeys, i);
+                       signerfile = sk_OPENSSL_STRING_value(sksigners, i);
+                       keyfile = sk_OPENSSL_STRING_value(skkeys, i);
                        signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,
                                        e, "signer certificate");
                        if (!signer)
@@ -1075,6 +1082,8 @@ int MAIN(int argc, char **argv)
                else
                        {
                        BIO_printf(bio_err, "Verification failure\n");
+                       if (verify_retcode)
+                               ret = verify_err + 32;
                        goto end;
                        }
                if (signerfile)
@@ -1107,7 +1116,12 @@ int MAIN(int argc, char **argv)
                }
        else
                {
-               if (outformat == FORMAT_SMIME)
+               if (noout)
+                       {
+                       if (print)
+                               CMS_ContentInfo_print_ctx(out, cms, 0, NULL);
+                       }
+               else if (outformat == FORMAT_SMIME)
                        {
                        if (to)
                                BIO_printf(out, "To: %s\n", to);
@@ -1121,9 +1135,9 @@ int MAIN(int argc, char **argv)
                                ret = SMIME_write_CMS(out, cms, in, flags);
                        }
                else if (outformat == FORMAT_PEM) 
-                       ret = PEM_write_bio_CMS(out, cms);
+                       ret = PEM_write_bio_CMS_stream(out, cms, in, flags);
                else if (outformat == FORMAT_ASN1) 
-                       ret = i2d_CMS_bio(out,cms);
+                       ret = i2d_CMS_bio_stream(out,cms, in, flags);
                else
                        {
                        BIO_printf(bio_err, "Bad output format for CMS file\n");
@@ -1146,9 +1160,9 @@ end:
        if (vpm)
                X509_VERIFY_PARAM_free(vpm);
        if (sksigners)
-               sk_free(sksigners);
+               sk_OPENSSL_STRING_free(sksigners);
        if (skkeys)
-               sk_free(skkeys);
+               sk_OPENSSL_STRING_free(skkeys);
        if (secret_key)
                OPENSSL_free(secret_key);
        if (secret_keyid)
@@ -1158,9 +1172,9 @@ end:
        if (rr)
                CMS_ReceiptRequest_free(rr);
        if (rr_to)
-               sk_free(rr_to);
+               sk_OPENSSL_STRING_free(rr_to);
        if (rr_from)
-               sk_free(rr_from);
+               sk_OPENSSL_STRING_free(rr_from);
        X509_STORE_free(store);
        X509_free(cert);
        X509_free(recip);
@@ -1199,6 +1213,8 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx)
 
        error = X509_STORE_CTX_get_error(ctx);
 
+       verify_err = error;
+
        if ((error != X509_V_ERR_NO_EXPLICIT_POLICY)
                && ((error != X509_V_OK) || (ok != 2)))
                return ok;
@@ -1280,7 +1296,7 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms)
                }
        }
 
-static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns)
+static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns)
        {
        int i;
        STACK_OF(GENERAL_NAMES) *ret;
@@ -1289,12 +1305,10 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns)
        ret = sk_GENERAL_NAMES_new_null();
        if (!ret)
                goto err;
-       for (i = 0; i < sk_num(ns); i++)
+       for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++)
                {
-               CONF_VALUE cnf;
-               cnf.name = "email";
-               cnf.value = sk_value(ns, i);
-               gen = v2i_GENERAL_NAME(NULL, NULL, &cnf);
+               char *str = sk_OPENSSL_STRING_value(ns, i);
+               gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0);
                if (!gen)
                        goto err;
                gens = GENERAL_NAMES_new();
@@ -1321,8 +1335,9 @@ static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK *ns)
        }
 
 
-static CMS_ReceiptRequest *make_receipt_request(STACK *rr_to, int rr_allorfirst,
-                                                               STACK *rr_from)
+static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
+                                               int rr_allorfirst,
+                                               STACK_OF(OPENSSL_STRING) *rr_from)
        {
        STACK_OF(GENERAL_NAMES) *rct_to, *rct_from;
        CMS_ReceiptRequest *rr;
index b2f2d12..bbc8377 100644 (file)
@@ -63,7 +63,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
-#include <sys/stat.h>
 #include "apps.h"
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -93,7 +92,7 @@ int MAIN(int argc, char **argv)
        PKCS7 *p7 = NULL;
        PKCS7_SIGNED *p7s = NULL;
        X509_CRL *crl=NULL;
-       STACK *certflst=NULL;
+       STACK_OF(OPENSSL_STRING) *certflst=NULL;
        STACK_OF(X509_CRL) *crl_stack=NULL;
        STACK_OF(X509) *cert_stack=NULL;
        int ret=1,nocrl=0;
@@ -141,8 +140,8 @@ int MAIN(int argc, char **argv)
                else if (strcmp(*argv,"-certfile") == 0)
                        {
                        if (--argc < 1) goto bad;
-                       if(!certflst) certflst = sk_new_null();
-                       sk_push(certflst,*(++argv));
+                       if(!certflst) certflst = sk_OPENSSL_STRING_new_null();
+                       sk_OPENSSL_STRING_push(certflst,*(++argv));
                        }
                else
                        {
@@ -227,8 +226,8 @@ bad:
        if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
        p7s->cert=cert_stack;
 
-       if(certflst) for(i = 0; i < sk_num(certflst); i++) {
-               certfile = sk_value(certflst, i);
+       if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
+               certfile = sk_OPENSSL_STRING_value(certflst, i);
                if (add_certs_from_file(cert_stack,certfile) < 0)
                        {
                        BIO_printf(bio_err, "error loading certificates\n");
@@ -237,7 +236,7 @@ bad:
                        }
        }
 
-       sk_free(certflst);
+       sk_OPENSSL_STRING_free(certflst);
 
        if (outfile == NULL)
                {
@@ -295,19 +294,12 @@ end:
  */
 static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
        {
-       struct stat st;
        BIO *in=NULL;
        int count=0;
        int ret= -1;
        STACK_OF(X509_INFO) *sk=NULL;
        X509_INFO *xi;
 
-       if ((stat(certfile,&st) != 0))
-               {
-               BIO_printf(bio_err,"unable to load the file, %s\n",certfile);
-               goto end;
-               }
-
        in=BIO_new(BIO_s_file());
        if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0))
                {
index 9ebfc22..9bf38ce 100644 (file)
 #define PROG   dgst_main
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-         EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-         const char *file,BIO *bmd,const char *hmac_key, int non_fips_allow);
+         EVP_PKEY *key, unsigned char *sigin, int siglen,
+         const char *sig_name, const char *md_name,
+         const char *file,BIO *bmd);
+
+static void list_md_fn(const EVP_MD *m,
+                       const char *from, const char *to, void *arg)
+       {
+       const char *mname;
+       /* Skip aliases */
+       if (!m)
+               return;
+       mname = OBJ_nid2ln(EVP_MD_type(m));
+       /* Skip shortnames */
+       if (strcmp(from, mname))
+               return;
+       /* Skip clones */
+       if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
+               return;
+       if (strchr(mname, ' '))
+               mname= EVP_MD_name(m);
+       BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
+                       mname, mname);
+       }
 
 int MAIN(int, char **);
 
@@ -89,7 +110,6 @@ int MAIN(int argc, char **argv)
        BIO *in=NULL,*inp;
        BIO *bmd=NULL;
        BIO *out = NULL;
-       const char *name;
 #define PROG_NAME_SIZE  39
        char pname[PROG_NAME_SIZE+1];
        int separator=0;
@@ -101,16 +121,16 @@ int MAIN(int argc, char **argv)
        EVP_PKEY *sigkey = NULL;
        unsigned char *sigbuf = NULL;
        int siglen = 0;
-       unsigned int sig_flags = 0;
        char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
 #endif
        char *hmac_key=NULL;
-       int non_fips_allow = 0;
+       char *mac_name=NULL;
+       STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
 
        apps_startup();
-ERR_load_crypto_strings();
+
        if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
                {
                BIO_printf(bio_err,"out of memory\n");
@@ -135,6 +155,8 @@ ERR_load_crypto_strings();
                if ((*argv)[0] != '-') break;
                if (strcmp(*argv,"-c") == 0)
                        separator=1;
+               else if (strcmp(*argv,"-r") == 0)
+                       separator=2;
                else if (strcmp(*argv,"-rand") == 0)
                        {
                        if (--argc < 1) break;
@@ -169,27 +191,6 @@ ERR_load_crypto_strings();
                        keyfile=*(++argv);
                        do_verify = 1;
                        }
-               else if (strcmp(*argv,"-x931") == 0)
-                       sig_flags = EVP_MD_CTX_FLAG_PAD_X931;
-               else if (strcmp(*argv,"-pss_saltlen") == 0)
-                       {
-                       int saltlen;
-                       if (--argc < 1) break;
-                       saltlen=atoi(*(++argv));
-                       if (saltlen == -1)
-                               sig_flags = EVP_MD_CTX_FLAG_PSS_MREC;
-                       else if (saltlen == -2)
-                               sig_flags = EVP_MD_CTX_FLAG_PSS_MDLEN;
-                       else if (saltlen < -2 || saltlen >= 0xFFFE)
-                               {
-                               BIO_printf(bio_err, "Invalid PSS salt length %d\n", saltlen);
-                               goto end;
-                               }
-                       else
-                               sig_flags = saltlen;
-                       sig_flags <<= 16;
-                       sig_flags |= EVP_MD_CTX_FLAG_PAD_PSS;
-                       }
                else if (strcmp(*argv,"-signature") == 0)
                        {
                        if (--argc < 1) break;
@@ -205,6 +206,7 @@ ERR_load_crypto_strings();
                        {
                        if (--argc < 1) break;
                        engine= *(++argv);
+                       e = setup_engine(bio_err, engine, 0);
                        }
 #endif
                else if (strcmp(*argv,"-hex") == 0)
@@ -213,16 +215,36 @@ ERR_load_crypto_strings();
                        out_bin = 1;
                else if (strcmp(*argv,"-d") == 0)
                        debug=1;
-               else if (strcmp(*argv,"-non-fips-allow") == 0)
-                       non_fips_allow=1;
-               else if (!strcmp(*argv,"-fips-fingerprint"))
-                       hmac_key = "etaonrishdlcupfm";
                else if (!strcmp(*argv,"-hmac"))
                        {
                        if (--argc < 1)
                                break;
                        hmac_key=*++argv;
                        }
+               else if (!strcmp(*argv,"-mac"))
+                       {
+                       if (--argc < 1)
+                               break;
+                       mac_name=*++argv;
+                       }
+               else if (strcmp(*argv,"-sigopt") == 0)
+                       {
+                       if (--argc < 1)
+                               break;
+                       if (!sigopts)
+                               sigopts = sk_OPENSSL_STRING_new_null();
+                       if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+                               break;
+                       }
+               else if (strcmp(*argv,"-macopt") == 0)
+                       {
+                       if (--argc < 1)
+                               break;
+                       if (!macopts)
+                               macopts = sk_OPENSSL_STRING_new_null();
+                       if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
+                               break;
+                       }
                else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
                        md=m;
                else
@@ -231,12 +253,9 @@ ERR_load_crypto_strings();
                argv++;
                }
 
-       if (md == NULL)
-               md=EVP_md5();
 
        if(do_verify && !sigfile) {
                BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
-               err = 1; 
                goto end;
        }
 
@@ -245,6 +264,7 @@ ERR_load_crypto_strings();
                BIO_printf(bio_err,"unknown option '%s'\n",*argv);
                BIO_printf(bio_err,"options are\n");
                BIO_printf(bio_err,"-c              to output the digest with separating colons\n");
+               BIO_printf(bio_err,"-r              to output the digest in coreutils format\n");
                BIO_printf(bio_err,"-d              to output debug info\n");
                BIO_printf(bio_err,"-hex            output as hex dump\n");
                BIO_printf(bio_err,"-binary         output in binary form\n");
@@ -252,49 +272,20 @@ ERR_load_crypto_strings();
                BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
                BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
                BIO_printf(bio_err,"-keyform arg    key file format (PEM or ENGINE)\n");
+               BIO_printf(bio_err,"-out filename   output to filename rather than stdout\n");
                BIO_printf(bio_err,"-signature file signature to verify\n");
-               BIO_printf(bio_err,"-binary         output in binary form\n");
+               BIO_printf(bio_err,"-sigopt nm:v    signature parameter\n");
                BIO_printf(bio_err,"-hmac key       create hashed MAC with key\n");
+               BIO_printf(bio_err,"-mac algorithm  create MAC (not neccessarily HMAC)\n"); 
+               BIO_printf(bio_err,"-macopt nm:v    MAC algorithm parameters or key\n");
 #ifndef OPENSSL_NO_ENGINE
                BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 #endif
 
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n",
-                       LN_md5,LN_md5);
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_md4,LN_md4);
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_md2,LN_md2);
-#ifndef OPENSSL_NO_SHA
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_sha1,LN_sha1);
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_sha,LN_sha);
-#ifndef OPENSSL_NO_SHA256
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_sha224,LN_sha224);
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_sha256,LN_sha256);
-#endif
-#ifndef OPENSSL_NO_SHA512
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_sha384,LN_sha384);
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_sha512,LN_sha512);
-#endif
-#endif
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_mdc2,LN_mdc2);
-               BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n",
-                       LN_ripemd160,LN_ripemd160);
-               err=1;
+               EVP_MD_do_all_sorted(list_md_fn, bio_err);
                goto end;
                }
 
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
-
        in=BIO_new(BIO_s_file());
        bmd=BIO_new(BIO_f_md());
        if (debug)
@@ -317,8 +308,10 @@ ERR_load_crypto_strings();
                }
 
        if(out_bin == -1) {
-               if(keyfile) out_bin = 1;
-               else out_bin = 0;
+               if(keyfile)
+                       out_bin = 1;
+               else
+                       out_bin = 0;
        }
 
        if(randfile)
@@ -344,6 +337,11 @@ ERR_load_crypto_strings();
                ERR_print_errors(bio_err);
                goto end;
        }
+       if ((!!mac_name + !!keyfile + !!hmac_key) > 1)
+               {
+               BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
+               goto end;
+               }
 
        if(keyfile)
                {
@@ -361,6 +359,101 @@ ERR_load_crypto_strings();
                        }
                }
 
+       if (mac_name)
+               {
+               EVP_PKEY_CTX *mac_ctx = NULL;
+               int r = 0;
+               if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
+                       goto mac_end;
+               if (macopts)
+                       {
+                       char *macopt;
+                       for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++)
+                               {
+                               macopt = sk_OPENSSL_STRING_value(macopts, i);
+                               if (pkey_ctrl_string(mac_ctx, macopt) <= 0)
+                                       {
+                                       BIO_printf(bio_err,
+                                               "MAC parameter error \"%s\"\n",
+                                               macopt);
+                                       ERR_print_errors(bio_err);
+                                       goto mac_end;
+                                       }
+                               }
+                       }
+               if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0)
+                       {
+                       BIO_puts(bio_err, "Error generating key\n");
+                       ERR_print_errors(bio_err);
+                       goto mac_end;
+                       }
+               r = 1;
+               mac_end:
+               if (mac_ctx)
+                       EVP_PKEY_CTX_free(mac_ctx);
+               if (r == 0)
+                       goto end;
+               }
+
+       if (hmac_key)
+               {
+               sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
+                                       (unsigned char *)hmac_key, -1);
+               if (!sigkey)
+                       goto end;
+               }
+
+       if (sigkey)
+               {
+               EVP_MD_CTX *mctx = NULL;
+               EVP_PKEY_CTX *pctx = NULL;
+               int r;
+               if (!BIO_get_md_ctx(bmd, &mctx))
+                       {
+                       BIO_printf(bio_err, "Error getting context\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               if (do_verify)
+                       r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
+               else
+                       r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
+               if (!r)
+                       {
+                       BIO_printf(bio_err, "Error setting context\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               if (sigopts)
+                       {
+                       char *sigopt;
+                       for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
+                               {
+                               sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+                               if (pkey_ctrl_string(pctx, sigopt) <= 0)
+                                       {
+                                       BIO_printf(bio_err,
+                                               "parameter error \"%s\"\n",
+                                               sigopt);
+                                       ERR_print_errors(bio_err);
+                                       goto end;
+                                       }
+                               }
+                       }
+               }
+       /* we use md as a filter, reading from 'in' */
+       else
+