From 91e658d150d50d685c759a2842f7daf41f5ea781 Mon Sep 17 00:00:00 2001 From: Bob Beck Date: Wed, 15 May 2002 02:29:22 +0000 Subject: OpenSSL 0.9.7 stable 2002 05 08 merge --- lib/libssl/Makefile.bsd-wrapper | 4 +- lib/libssl/crypto/Makefile | 2 +- lib/libssl/src/CHANGES | 1964 +++++++++++++- lib/libssl/src/Configure | 776 ++++-- lib/libssl/src/FAQ | 139 +- lib/libssl/src/INSTALL | 19 +- lib/libssl/src/INSTALL.MacOS | 16 +- lib/libssl/src/INSTALL.VMS | 12 +- lib/libssl/src/INSTALL.W32 | 52 +- lib/libssl/src/LICENSE | 2 +- lib/libssl/src/MacOS/GetHTTPS.src/GetHTTPS.cpp | 4 +- lib/libssl/src/Makefile.org | 354 ++- lib/libssl/src/NEWS | 55 +- lib/libssl/src/README | 24 +- lib/libssl/src/README.ENGINE | 302 ++- lib/libssl/src/apps/CA.pl | 11 +- lib/libssl/src/apps/CA.pl.in | 11 +- lib/libssl/src/apps/Makefile.ssl | 1245 ++++----- lib/libssl/src/apps/app_rand.c | 21 +- lib/libssl/src/apps/apps.c | 641 ++++- lib/libssl/src/apps/apps.h | 139 +- lib/libssl/src/apps/asn1pars.c | 6 +- lib/libssl/src/apps/ca.c | 1622 ++++++++--- lib/libssl/src/apps/ciphers.c | 19 +- lib/libssl/src/apps/crl.c | 29 +- lib/libssl/src/apps/crl2p7.c | 6 +- lib/libssl/src/apps/dgst.c | 68 +- lib/libssl/src/apps/dh.c | 27 +- lib/libssl/src/apps/dhparam.c | 43 +- lib/libssl/src/apps/dsa.c | 36 +- lib/libssl/src/apps/dsaparam.c | 23 +- lib/libssl/src/apps/enc.c | 137 +- lib/libssl/src/apps/errstr.c | 3 +- lib/libssl/src/apps/gendh.c | 27 +- lib/libssl/src/apps/gendsa.c | 49 +- lib/libssl/src/apps/genrsa.c | 58 +- lib/libssl/src/apps/makeapps.com | 41 +- lib/libssl/src/apps/nseq.c | 2 +- lib/libssl/src/apps/openssl.c | 199 +- lib/libssl/src/apps/openssl.cnf | 13 +- lib/libssl/src/apps/passwd.c | 90 +- lib/libssl/src/apps/pkcs12.c | 105 +- lib/libssl/src/apps/pkcs7.c | 25 +- lib/libssl/src/apps/pkcs8.c | 45 +- lib/libssl/src/apps/progs.h | 154 +- lib/libssl/src/apps/progs.pl | 30 +- lib/libssl/src/apps/rand.c | 82 +- lib/libssl/src/apps/req.c | 705 +++-- lib/libssl/src/apps/rsa.c | 127 +- lib/libssl/src/apps/rsautl.c | 45 +- lib/libssl/src/apps/s_apps.h | 67 +- lib/libssl/src/apps/s_cb.c | 313 ++- lib/libssl/src/apps/s_client.c | 186 +- lib/libssl/src/apps/s_server.c | 270 +- lib/libssl/src/apps/s_socket.c | 34 +- lib/libssl/src/apps/s_time.c | 67 +- lib/libssl/src/apps/sess_id.c | 5 +- lib/libssl/src/apps/smime.c | 141 +- lib/libssl/src/apps/speed.c | 1121 +++++--- lib/libssl/src/apps/spkac.c | 54 +- lib/libssl/src/apps/testdsa.h | 72 +- lib/libssl/src/apps/verify.c | 82 +- lib/libssl/src/apps/version.c | 88 +- lib/libssl/src/apps/x509.c | 203 +- lib/libssl/src/bugs/stream.c | 2 +- lib/libssl/src/config | 293 +- lib/libssl/src/crypto/Makefile.ssl | 139 +- lib/libssl/src/crypto/asn1/Makefile.ssl | 1752 +++++------- lib/libssl/src/crypto/asn1/a_bitstr.c | 53 +- lib/libssl/src/crypto/asn1/a_bool.c | 4 +- lib/libssl/src/crypto/asn1/a_bytes.c | 15 +- lib/libssl/src/crypto/asn1/a_d2i_fp.c | 69 +- lib/libssl/src/crypto/asn1/a_digest.c | 24 +- lib/libssl/src/crypto/asn1/a_dup.c | 28 +- lib/libssl/src/crypto/asn1/a_enum.c | 58 +- lib/libssl/src/crypto/asn1/a_gentm.c | 35 +- lib/libssl/src/crypto/asn1/a_i2d_fp.c | 54 +- lib/libssl/src/crypto/asn1/a_int.c | 64 +- lib/libssl/src/crypto/asn1/a_object.c | 2 +- lib/libssl/src/crypto/asn1/a_octet.c | 24 - lib/libssl/src/crypto/asn1/a_print.c | 70 - lib/libssl/src/crypto/asn1/a_set.c | 3 + lib/libssl/src/crypto/asn1/a_sign.c | 152 +- lib/libssl/src/crypto/asn1/a_strex.c | 32 +- lib/libssl/src/crypto/asn1/a_strnid.c | 8 +- lib/libssl/src/crypto/asn1/a_time.c | 79 +- lib/libssl/src/crypto/asn1/a_type.c | 275 +- lib/libssl/src/crypto/asn1/a_utctm.c | 70 +- lib/libssl/src/crypto/asn1/a_utf8.c | 27 - lib/libssl/src/crypto/asn1/a_verify.c | 58 +- lib/libssl/src/crypto/asn1/asn1.h | 770 +++--- lib/libssl/src/crypto/asn1/asn1_err.c | 206 +- lib/libssl/src/crypto/asn1/asn1_lib.c | 3 +- lib/libssl/src/crypto/asn1/asn1_mac.h | 35 +- lib/libssl/src/crypto/asn1/asn_pack.c | 48 +- lib/libssl/src/crypto/asn1/d2i_pr.c | 16 +- lib/libssl/src/crypto/asn1/d2i_pu.c | 16 +- lib/libssl/src/crypto/asn1/f_int.c | 8 +- lib/libssl/src/crypto/asn1/i2d_pr.c | 10 +- lib/libssl/src/crypto/asn1/i2d_pu.c | 10 +- lib/libssl/src/crypto/asn1/n_pkey.c | 305 +-- lib/libssl/src/crypto/asn1/nsseq.c | 64 +- lib/libssl/src/crypto/asn1/p5_pbe.c | 47 +- lib/libssl/src/crypto/asn1/p5_pbev2.c | 109 +- lib/libssl/src/crypto/asn1/p8_pkey.c | 79 +- lib/libssl/src/crypto/asn1/t_crl.c | 49 +- lib/libssl/src/crypto/asn1/t_pkey.c | 44 +- lib/libssl/src/crypto/asn1/t_req.c | 50 +- lib/libssl/src/crypto/asn1/t_spki.c | 6 +- lib/libssl/src/crypto/asn1/t_x509.c | 295 +- lib/libssl/src/crypto/asn1/t_x509a.c | 2 +- lib/libssl/src/crypto/asn1/x_algor.c | 165 +- lib/libssl/src/crypto/asn1/x_attrib.c | 111 +- lib/libssl/src/crypto/asn1/x_crl.c | 330 +-- lib/libssl/src/crypto/asn1/x_exten.c | 190 +- lib/libssl/src/crypto/asn1/x_info.c | 2 +- lib/libssl/src/crypto/asn1/x_name.c | 343 ++- lib/libssl/src/crypto/asn1/x_pubkey.c | 80 +- lib/libssl/src/crypto/asn1/x_req.c | 231 +- lib/libssl/src/crypto/asn1/x_sig.c | 53 +- lib/libssl/src/crypto/asn1/x_spki.c | 109 +- lib/libssl/src/crypto/asn1/x_val.c | 52 +- lib/libssl/src/crypto/asn1/x_x509.c | 155 +- lib/libssl/src/crypto/asn1/x_x509a.c | 75 +- lib/libssl/src/crypto/bf/Makefile.ssl | 27 +- lib/libssl/src/crypto/bf/bf_opts.c | 6 +- lib/libssl/src/crypto/bf/bf_skey.c | 2 +- lib/libssl/src/crypto/bf/bfspeed.c | 6 +- lib/libssl/src/crypto/bf/bftest.c | 2 +- lib/libssl/src/crypto/bf/blowfish.h | 8 +- lib/libssl/src/crypto/bio/Makefile.ssl | 174 +- lib/libssl/src/crypto/bio/b_print.c | 6 +- lib/libssl/src/crypto/bio/b_sock.c | 66 +- lib/libssl/src/crypto/bio/bf_buff.c | 1 - lib/libssl/src/crypto/bio/bf_lbuf.c | 12 +- lib/libssl/src/crypto/bio/bf_nbio.c | 1 - lib/libssl/src/crypto/bio/bf_null.c | 1 - lib/libssl/src/crypto/bio/bio.h | 33 +- lib/libssl/src/crypto/bio/bio_cb.c | 2 +- lib/libssl/src/crypto/bio/bio_err.c | 5 +- lib/libssl/src/crypto/bio/bio_lib.c | 19 +- lib/libssl/src/crypto/bio/bss_acpt.c | 18 +- lib/libssl/src/crypto/bio/bss_bio.c | 10 +- lib/libssl/src/crypto/bio/bss_conn.c | 15 +- lib/libssl/src/crypto/bio/bss_fd.c | 226 +- lib/libssl/src/crypto/bio/bss_file.c | 18 +- lib/libssl/src/crypto/bio/bss_log.c | 19 +- lib/libssl/src/crypto/bio/bss_sock.c | 131 +- lib/libssl/src/crypto/bn/Makefile.ssl | 276 +- lib/libssl/src/crypto/bn/asm/README | 4 + lib/libssl/src/crypto/bn/asm/bn-586.pl | 213 +- lib/libssl/src/crypto/bn/asm/vms.mar | 697 ++--- lib/libssl/src/crypto/bn/bn.h | 177 +- lib/libssl/src/crypto/bn/bn_add.c | 12 +- lib/libssl/src/crypto/bn/bn_asm.c | 22 +- lib/libssl/src/crypto/bn/bn_ctx.c | 13 +- lib/libssl/src/crypto/bn/bn_div.c | 66 +- lib/libssl/src/crypto/bn/bn_err.c | 11 +- lib/libssl/src/crypto/bn/bn_exp.c | 149 +- lib/libssl/src/crypto/bn/bn_exp2.c | 27 +- lib/libssl/src/crypto/bn/bn_gcd.c | 338 ++- lib/libssl/src/crypto/bn/bn_lcl.h | 39 +- lib/libssl/src/crypto/bn/bn_lib.c | 336 ++- lib/libssl/src/crypto/bn/bn_mod.c | 296 ++ lib/libssl/src/crypto/bn/bn_mont.c | 63 +- lib/libssl/src/crypto/bn/bn_mpi.c | 2 +- lib/libssl/src/crypto/bn/bn_mul.c | 503 +++- lib/libssl/src/crypto/bn/bn_prime.c | 29 +- lib/libssl/src/crypto/bn/bn_print.c | 6 +- lib/libssl/src/crypto/bn/bn_rand.c | 94 +- lib/libssl/src/crypto/bn/bn_recp.c | 48 +- lib/libssl/src/crypto/bn/bn_shift.c | 8 +- lib/libssl/src/crypto/bn/bn_sqr.c | 18 +- lib/libssl/src/crypto/bn/bnspeed.c | 4 +- lib/libssl/src/crypto/bn/bntest.c | 261 +- lib/libssl/src/crypto/bn/expspeed.c | 176 +- lib/libssl/src/crypto/bn/exptest.c | 2 +- lib/libssl/src/crypto/bn/vms-helper.c | 2 +- lib/libssl/src/crypto/buffer/Makefile.ssl | 21 +- lib/libssl/src/crypto/buffer/buf_err.c | 4 +- lib/libssl/src/crypto/buffer/buffer.c | 3 +- lib/libssl/src/crypto/buffer/buffer.h | 4 +- lib/libssl/src/crypto/cast/Makefile.ssl | 26 +- lib/libssl/src/crypto/cast/cast.h | 2 +- lib/libssl/src/crypto/cast/cast_lcl.h | 12 +- lib/libssl/src/crypto/cast/cast_spd.c | 6 +- lib/libssl/src/crypto/cast/castopts.c | 6 +- lib/libssl/src/crypto/cast/casttest.c | 2 +- lib/libssl/src/crypto/comp/Makefile.ssl | 46 +- lib/libssl/src/crypto/comp/c_rle.c | 1 + lib/libssl/src/crypto/comp/c_zlib.c | 141 +- lib/libssl/src/crypto/comp/comp.h | 4 +- lib/libssl/src/crypto/comp/comp_err.c | 4 +- lib/libssl/src/crypto/conf/Makefile.ssl | 90 +- lib/libssl/src/crypto/conf/cnf_save.c | 7 +- lib/libssl/src/crypto/conf/conf.c | 730 +++++ lib/libssl/src/crypto/conf/conf.h | 111 +- lib/libssl/src/crypto/conf/conf_api.c | 49 +- lib/libssl/src/crypto/conf/conf_api.h | 12 +- lib/libssl/src/crypto/conf/conf_def.c | 62 +- lib/libssl/src/crypto/conf/conf_def.h | 143 +- lib/libssl/src/crypto/conf/conf_err.c | 18 +- lib/libssl/src/crypto/conf/conf_lib.c | 158 +- lib/libssl/src/crypto/conf/keysets.pl | 62 +- lib/libssl/src/crypto/cpt_err.c | 9 +- lib/libssl/src/crypto/cryptlib.c | 19 +- lib/libssl/src/crypto/cryptlib.h | 4 +- lib/libssl/src/crypto/crypto-lib.com | 115 +- lib/libssl/src/crypto/crypto.h | 110 +- lib/libssl/src/crypto/cversion.c | 8 + lib/libssl/src/crypto/des/Makefile.ssl | 267 +- lib/libssl/src/crypto/des/asm/crypt586.pl | 8 +- lib/libssl/src/crypto/des/asm/des-586.pl | 26 +- lib/libssl/src/crypto/des/asm/des686.pl | 20 +- lib/libssl/src/crypto/des/asm/desboth.pl | 8 +- lib/libssl/src/crypto/des/cbc3_enc.c | 52 +- lib/libssl/src/crypto/des/cbc_cksm.c | 8 +- lib/libssl/src/crypto/des/cfb64ede.c | 17 +- lib/libssl/src/crypto/des/cfb64enc.c | 10 +- lib/libssl/src/crypto/des/cfb_enc.c | 8 +- lib/libssl/src/crypto/des/des-lib.com | 4 +- lib/libssl/src/crypto/des/des.c | 112 +- lib/libssl/src/crypto/des/des.h | 290 +- lib/libssl/src/crypto/des/des_enc.c | 53 +- lib/libssl/src/crypto/des/des_locl.h | 79 +- lib/libssl/src/crypto/des/des_opts.c | 212 +- lib/libssl/src/crypto/des/des_ver.h | 6 + lib/libssl/src/crypto/des/destest.c | 103 +- lib/libssl/src/crypto/des/ecb3_enc.c | 9 +- lib/libssl/src/crypto/des/ecb_enc.c | 10 +- lib/libssl/src/crypto/des/ede_cbcm_enc.c | 24 +- lib/libssl/src/crypto/des/enc_read.c | 28 +- lib/libssl/src/crypto/des/enc_writ.c | 16 +- lib/libssl/src/crypto/des/fcrypt.c | 81 +- lib/libssl/src/crypto/des/fcrypt_b.c | 6 +- lib/libssl/src/crypto/des/ncbc_enc.c | 20 +- lib/libssl/src/crypto/des/ofb64ede.c | 21 +- lib/libssl/src/crypto/des/ofb64enc.c | 10 +- lib/libssl/src/crypto/des/ofb_enc.c | 7 +- lib/libssl/src/crypto/des/pcbc_enc.c | 9 +- lib/libssl/src/crypto/des/qud_cksm.c | 4 +- lib/libssl/src/crypto/des/rand_key.c | 13 +- lib/libssl/src/crypto/des/read2pwd.c | 69 +- lib/libssl/src/crypto/des/read_pwd.c | 62 +- lib/libssl/src/crypto/des/rpc_enc.c | 12 +- lib/libssl/src/crypto/des/rpw.c | 2 +- lib/libssl/src/crypto/des/set_key.c | 43 +- lib/libssl/src/crypto/des/speed.c | 54 +- lib/libssl/src/crypto/des/spr.h | 2 +- lib/libssl/src/crypto/des/str2key.c | 54 +- lib/libssl/src/crypto/des/xcbc_enc.c | 19 +- lib/libssl/src/crypto/dh/Makefile.ssl | 109 +- lib/libssl/src/crypto/dh/dh.h | 60 +- lib/libssl/src/crypto/dh/dh_check.c | 2 +- lib/libssl/src/crypto/dh/dh_err.c | 9 +- lib/libssl/src/crypto/dh/dh_gen.c | 32 +- lib/libssl/src/crypto/dh/dh_key.c | 59 +- lib/libssl/src/crypto/dh/dh_lib.c | 150 +- lib/libssl/src/crypto/dh/dhtest.c | 30 +- lib/libssl/src/crypto/dsa/Makefile.ssl | 167 +- lib/libssl/src/crypto/dsa/dsa.h | 85 +- lib/libssl/src/crypto/dsa/dsa_asn1.c | 200 +- lib/libssl/src/crypto/dsa/dsa_err.c | 7 +- lib/libssl/src/crypto/dsa/dsa_gen.c | 18 +- lib/libssl/src/crypto/dsa/dsa_key.c | 3 +- lib/libssl/src/crypto/dsa/dsa_lib.c | 151 +- lib/libssl/src/crypto/dsa/dsa_ossl.c | 11 +- lib/libssl/src/crypto/dsa/dsa_sign.c | 4 +- lib/libssl/src/crypto/dsa/dsa_vrf.c | 4 +- lib/libssl/src/crypto/dsa/dsatest.c | 17 +- lib/libssl/src/crypto/dso/Makefile.ssl | 71 +- lib/libssl/src/crypto/dso/README | 24 +- lib/libssl/src/crypto/dso/dso.h | 168 +- lib/libssl/src/crypto/dso/dso_dl.c | 112 +- lib/libssl/src/crypto/dso/dso_dlfcn.c | 97 +- lib/libssl/src/crypto/dso/dso_err.c | 23 +- lib/libssl/src/crypto/dso/dso_lib.c | 179 +- lib/libssl/src/crypto/dso/dso_vms.c | 82 +- lib/libssl/src/crypto/dso/dso_win32.c | 112 +- lib/libssl/src/crypto/ebcdic.c | 3 +- lib/libssl/src/crypto/engine/Makefile.ssl | 507 +++- lib/libssl/src/crypto/engine/README | 483 ++-- lib/libssl/src/crypto/engine/engine.h | 653 +++-- lib/libssl/src/crypto/engine/enginetest.c | 45 +- lib/libssl/src/crypto/engine/hw_atalla.c | 283 +- lib/libssl/src/crypto/engine/hw_cswift.c | 322 ++- lib/libssl/src/crypto/engine/hw_ncipher.c | 662 +++-- lib/libssl/src/crypto/engine/vendor_defns/atalla.h | 13 - lib/libssl/src/crypto/engine/vendor_defns/cswift.h | 45 +- lib/libssl/src/crypto/err/Makefile.ssl | 57 +- lib/libssl/src/crypto/err/err.c | 615 +++-- lib/libssl/src/crypto/err/err.h | 183 +- lib/libssl/src/crypto/err/err_all.c | 49 +- lib/libssl/src/crypto/err/err_prn.c | 46 +- lib/libssl/src/crypto/err/openssl.ec | 31 +- lib/libssl/src/crypto/evp/Makefile.ssl | 1129 +++----- lib/libssl/src/crypto/evp/bio_b64.c | 5 +- lib/libssl/src/crypto/evp/bio_enc.c | 20 +- lib/libssl/src/crypto/evp/bio_md.c | 30 +- lib/libssl/src/crypto/evp/bio_ok.c | 52 +- lib/libssl/src/crypto/evp/c_all.c | 12 +- lib/libssl/src/crypto/evp/c_allc.c | 30 +- lib/libssl/src/crypto/evp/c_alld.c | 18 +- lib/libssl/src/crypto/evp/digest.c | 254 +- lib/libssl/src/crypto/evp/e_bf.c | 14 +- lib/libssl/src/crypto/evp/e_cast.c | 16 +- lib/libssl/src/crypto/evp/e_des.c | 21 +- lib/libssl/src/crypto/evp/e_des3.c | 88 +- lib/libssl/src/crypto/evp/e_idea.c | 22 +- lib/libssl/src/crypto/evp/e_null.c | 6 +- lib/libssl/src/crypto/evp/e_rc2.c | 67 +- lib/libssl/src/crypto/evp/e_rc4.c | 37 +- lib/libssl/src/crypto/evp/e_rc5.c | 65 +- lib/libssl/src/crypto/evp/e_xcbc_d.c | 39 +- lib/libssl/src/crypto/evp/encode.c | 7 + lib/libssl/src/crypto/evp/evp.h | 502 ++-- lib/libssl/src/crypto/evp/evp_enc.c | 290 +- lib/libssl/src/crypto/evp/evp_err.c | 11 +- lib/libssl/src/crypto/evp/evp_key.c | 39 +- lib/libssl/src/crypto/evp/evp_locl.h | 125 +- lib/libssl/src/crypto/evp/evp_pbe.c | 6 +- lib/libssl/src/crypto/evp/evp_pkey.c | 24 +- lib/libssl/src/crypto/evp/m_dss.c | 24 +- lib/libssl/src/crypto/evp/m_dss1.c | 24 +- lib/libssl/src/crypto/evp/m_md2.c | 25 +- lib/libssl/src/crypto/evp/m_md4.c | 27 +- lib/libssl/src/crypto/evp/m_md5.c | 25 +- lib/libssl/src/crypto/evp/m_mdc2.c | 25 +- lib/libssl/src/crypto/evp/m_null.c | 25 +- lib/libssl/src/crypto/evp/m_ripemd.c | 24 +- lib/libssl/src/crypto/evp/m_sha.c | 24 +- lib/libssl/src/crypto/evp/m_sha1.c | 24 +- lib/libssl/src/crypto/evp/names.c | 4 +- lib/libssl/src/crypto/evp/p5_crpt.c | 40 +- lib/libssl/src/crypto/evp/p5_crpt2.c | 14 +- lib/libssl/src/crypto/evp/p_dec.c | 6 +- lib/libssl/src/crypto/evp/p_enc.c | 6 +- lib/libssl/src/crypto/evp/p_lib.c | 46 +- lib/libssl/src/crypto/evp/p_open.c | 14 +- lib/libssl/src/crypto/evp/p_seal.c | 17 +- lib/libssl/src/crypto/evp/p_sign.c | 8 +- lib/libssl/src/crypto/evp/p_verify.c | 6 +- lib/libssl/src/crypto/ex_data.c | 615 ++++- lib/libssl/src/crypto/hmac/Makefile.ssl | 25 +- lib/libssl/src/crypto/hmac/hmac.c | 51 +- lib/libssl/src/crypto/hmac/hmac.h | 12 +- lib/libssl/src/crypto/hmac/hmactest.c | 3 +- lib/libssl/src/crypto/idea/Makefile.ssl | 16 +- lib/libssl/src/crypto/idea/idea.h | 2 +- lib/libssl/src/crypto/install.com | 17 +- lib/libssl/src/crypto/lhash/Makefile.ssl | 17 +- lib/libssl/src/crypto/lhash/lh_stats.c | 22 +- lib/libssl/src/crypto/lhash/lh_test.c | 1 - lib/libssl/src/crypto/lhash/lhash.c | 63 +- lib/libssl/src/crypto/lhash/lhash.h | 92 +- lib/libssl/src/crypto/md2/Makefile.ssl | 16 +- lib/libssl/src/crypto/md2/md2.h | 8 +- lib/libssl/src/crypto/md2/md2_dgst.c | 13 +- lib/libssl/src/crypto/md2/md2test.c | 9 +- lib/libssl/src/crypto/md32_common.h | 22 +- lib/libssl/src/crypto/md4/Makefile.ssl | 15 +- lib/libssl/src/crypto/md4/md4.h | 14 +- lib/libssl/src/crypto/md4/md4_dgst.c | 3 +- lib/libssl/src/crypto/md4/md4_locl.h | 2 +- lib/libssl/src/crypto/md4/md4test.c | 7 +- lib/libssl/src/crypto/md5/Makefile.ssl | 11 +- lib/libssl/src/crypto/md5/asm/md5-sparcv9.S | 8 +- lib/libssl/src/crypto/md5/md5.h | 12 +- lib/libssl/src/crypto/md5/md5_dgst.c | 3 +- lib/libssl/src/crypto/md5/md5_locl.h | 6 +- lib/libssl/src/crypto/md5/md5test.c | 7 +- lib/libssl/src/crypto/mdc2/Makefile.ssl | 27 +- lib/libssl/src/crypto/mdc2/mdc2.h | 10 +- lib/libssl/src/crypto/mem.c | 127 +- lib/libssl/src/crypto/mem_dbg.c | 80 +- lib/libssl/src/crypto/objects/Makefile.ssl | 57 +- lib/libssl/src/crypto/objects/o_names.c | 147 +- lib/libssl/src/crypto/objects/obj_dat.c | 46 +- lib/libssl/src/crypto/objects/obj_dat.h | 2842 ++++++++++++++++++++ lib/libssl/src/crypto/objects/obj_dat.pl | 13 +- lib/libssl/src/crypto/objects/obj_err.c | 4 +- lib/libssl/src/crypto/objects/obj_lib.c | 7 +- lib/libssl/src/crypto/objects/obj_mac.h | 593 +++- lib/libssl/src/crypto/objects/obj_mac.num | 121 +- lib/libssl/src/crypto/objects/objects.h | 64 +- lib/libssl/src/crypto/objects/objects.pl | 17 +- lib/libssl/src/crypto/objects/objects.txt | 211 +- lib/libssl/src/crypto/opensslconf.h.in | 7 +- lib/libssl/src/crypto/opensslv.h | 22 +- lib/libssl/src/crypto/pem/Makefile.ssl | 268 +- lib/libssl/src/crypto/pem/pem.h | 33 +- lib/libssl/src/crypto/pem/pem_all.c | 23 +- lib/libssl/src/crypto/pem/pem_err.c | 4 +- lib/libssl/src/crypto/pem/pem_info.c | 14 +- lib/libssl/src/crypto/pem/pem_lib.c | 278 +- lib/libssl/src/crypto/pem/pem_seal.c | 31 +- lib/libssl/src/crypto/pem/pem_sign.c | 2 +- lib/libssl/src/crypto/perlasm/x86unix.pl | 83 + lib/libssl/src/crypto/pkcs12/Makefile.ssl | 477 ++-- lib/libssl/src/crypto/pkcs12/p12_add.c | 87 +- lib/libssl/src/crypto/pkcs12/p12_attr.c | 155 +- lib/libssl/src/crypto/pkcs12/p12_crpt.c | 10 +- lib/libssl/src/crypto/pkcs12/p12_crt.c | 6 +- lib/libssl/src/crypto/pkcs12/p12_decr.c | 69 +- lib/libssl/src/crypto/pkcs12/p12_init.c | 8 - lib/libssl/src/crypto/pkcs12/p12_key.c | 16 +- lib/libssl/src/crypto/pkcs12/p12_kiss.c | 10 +- lib/libssl/src/crypto/pkcs12/p12_mutl.c | 15 +- lib/libssl/src/crypto/pkcs12/p12_npas.c | 10 +- lib/libssl/src/crypto/pkcs12/p12_utl.c | 40 +- lib/libssl/src/crypto/pkcs12/pk12err.c | 4 +- lib/libssl/src/crypto/pkcs12/pkcs12.h | 125 +- lib/libssl/src/crypto/pkcs7/Makefile.ssl | 199 +- lib/libssl/src/crypto/pkcs7/bio_ber.c | 6 +- lib/libssl/src/crypto/pkcs7/enc.c | 2 +- lib/libssl/src/crypto/pkcs7/example.c | 1 + lib/libssl/src/crypto/pkcs7/pk7_attr.c | 60 +- lib/libssl/src/crypto/pkcs7/pk7_doit.c | 161 +- lib/libssl/src/crypto/pkcs7/pk7_lib.c | 22 +- lib/libssl/src/crypto/pkcs7/pk7_smime.c | 25 +- lib/libssl/src/crypto/pkcs7/pkcs7.h | 104 +- lib/libssl/src/crypto/pkcs7/pkcs7err.c | 5 +- lib/libssl/src/crypto/pkcs7/sign.c | 8 +- lib/libssl/src/crypto/pkcs7/verify.c | 8 +- lib/libssl/src/crypto/rand/Makefile.ssl | 118 +- lib/libssl/src/crypto/rand/md_rand.c | 53 +- lib/libssl/src/crypto/rand/rand.h | 30 +- lib/libssl/src/crypto/rand/rand_egd.c | 240 +- lib/libssl/src/crypto/rand/rand_err.c | 5 +- lib/libssl/src/crypto/rand/rand_lcl.h | 60 +- lib/libssl/src/crypto/rand/rand_lib.c | 82 +- lib/libssl/src/crypto/rand/rand_win.c | 63 +- lib/libssl/src/crypto/rand/randfile.c | 26 +- lib/libssl/src/crypto/rand/randtest.c | 9 +- lib/libssl/src/crypto/rc2/Makefile.ssl | 16 +- lib/libssl/src/crypto/rc2/rc2.h | 2 +- lib/libssl/src/crypto/rc2/rc2speed.c | 6 +- lib/libssl/src/crypto/rc2/rc2test.c | 2 +- lib/libssl/src/crypto/rc4/Makefile.ssl | 10 +- lib/libssl/src/crypto/rc4/rc4.c | 4 +- lib/libssl/src/crypto/rc4/rc4.h | 2 +- lib/libssl/src/crypto/rc4/rc4speed.c | 6 +- lib/libssl/src/crypto/rc4/rc4test.c | 2 +- lib/libssl/src/crypto/rc5/Makefile.ssl | 16 +- lib/libssl/src/crypto/rc5/rc5.h | 2 +- lib/libssl/src/crypto/ripemd/Makefile.ssl | 13 +- lib/libssl/src/crypto/ripemd/ripemd.h | 14 +- lib/libssl/src/crypto/ripemd/rmd_dgst.c | 3 +- lib/libssl/src/crypto/ripemd/rmd_locl.h | 4 +- lib/libssl/src/crypto/ripemd/rmdtest.c | 9 +- lib/libssl/src/crypto/rsa/Makefile.ssl | 224 +- lib/libssl/src/crypto/rsa/rsa.h | 150 +- lib/libssl/src/crypto/rsa/rsa_chk.c | 2 +- lib/libssl/src/crypto/rsa/rsa_eay.c | 114 +- lib/libssl/src/crypto/rsa/rsa_err.c | 5 +- lib/libssl/src/crypto/rsa/rsa_lib.c | 175 +- lib/libssl/src/crypto/rsa/rsa_none.c | 8 +- lib/libssl/src/crypto/rsa/rsa_null.c | 23 +- lib/libssl/src/crypto/rsa/rsa_oaep.c | 300 ++- lib/libssl/src/crypto/rsa/rsa_pk1.c | 12 +- lib/libssl/src/crypto/rsa/rsa_saos.c | 14 +- lib/libssl/src/crypto/rsa/rsa_sign.c | 30 +- lib/libssl/src/crypto/rsa/rsa_ssl.c | 10 +- lib/libssl/src/crypto/rsa/rsa_test.c | 14 +- lib/libssl/src/crypto/sha/Makefile.ssl | 20 +- lib/libssl/src/crypto/sha/sha.h | 24 +- lib/libssl/src/crypto/sha/sha1_one.c | 2 +- lib/libssl/src/crypto/sha/sha1dgst.c | 2 +- lib/libssl/src/crypto/sha/sha1test.c | 16 +- lib/libssl/src/crypto/sha/sha_dgst.c | 2 +- lib/libssl/src/crypto/sha/sha_locl.h | 5 +- lib/libssl/src/crypto/sha/sha_one.c | 2 +- lib/libssl/src/crypto/sha/shatest.c | 16 +- lib/libssl/src/crypto/stack/Makefile.ssl | 12 +- lib/libssl/src/crypto/stack/safestack.h | 378 +++ lib/libssl/src/crypto/stack/stack.c | 14 +- lib/libssl/src/crypto/symhacks.h | 131 +- lib/libssl/src/crypto/threads/mttest.c | 8 +- lib/libssl/src/crypto/threads/th-lock.c | 6 +- lib/libssl/src/crypto/tmdiff.c | 44 +- lib/libssl/src/crypto/txt_db/Makefile.ssl | 12 +- lib/libssl/src/crypto/txt_db/txt_db.c | 8 +- lib/libssl/src/crypto/txt_db/txt_db.h | 6 +- lib/libssl/src/crypto/uid.c | 7 +- lib/libssl/src/crypto/x509/Makefile.ssl | 647 ++--- lib/libssl/src/crypto/x509/by_file.c | 4 +- lib/libssl/src/crypto/x509/x509.h | 321 +-- lib/libssl/src/crypto/x509/x509_att.c | 26 +- lib/libssl/src/crypto/x509/x509_cmp.c | 37 +- lib/libssl/src/crypto/x509/x509_d2.c | 2 +- lib/libssl/src/crypto/x509/x509_err.c | 8 +- lib/libssl/src/crypto/x509/x509_ext.c | 19 + lib/libssl/src/crypto/x509/x509_lu.c | 40 +- lib/libssl/src/crypto/x509/x509_obj.c | 1 + lib/libssl/src/crypto/x509/x509_req.c | 16 +- lib/libssl/src/crypto/x509/x509_trs.c | 29 +- lib/libssl/src/crypto/x509/x509_txt.c | 10 +- lib/libssl/src/crypto/x509/x509_v3.c | 9 +- lib/libssl/src/crypto/x509/x509_vfy.c | 347 ++- lib/libssl/src/crypto/x509/x509_vfy.h | 67 +- lib/libssl/src/crypto/x509/x509spki.c | 1 - lib/libssl/src/crypto/x509/x_all.c | 203 +- lib/libssl/src/crypto/x509v3/Makefile.ssl | 602 ++--- lib/libssl/src/crypto/x509v3/ext_dat.h | 16 +- lib/libssl/src/crypto/x509v3/v3_akey.c | 71 +- lib/libssl/src/crypto/x509v3/v3_alt.c | 112 +- lib/libssl/src/crypto/x509v3/v3_bcons.c | 58 +- lib/libssl/src/crypto/x509v3/v3_bitst.c | 1 + lib/libssl/src/crypto/x509v3/v3_conf.c | 395 +-- lib/libssl/src/crypto/x509v3/v3_cpols.c | 328 +-- lib/libssl/src/crypto/x509v3/v3_crld.c | 181 +- lib/libssl/src/crypto/x509v3/v3_enum.c | 12 +- lib/libssl/src/crypto/x509v3/v3_extku.c | 132 +- lib/libssl/src/crypto/x509v3/v3_genn.c | 264 +- lib/libssl/src/crypto/x509v3/v3_info.c | 126 +- lib/libssl/src/crypto/x509v3/v3_int.c | 11 +- lib/libssl/src/crypto/x509v3/v3_lib.c | 80 +- lib/libssl/src/crypto/x509v3/v3_pku.c | 61 +- lib/libssl/src/crypto/x509v3/v3_prn.c | 80 +- lib/libssl/src/crypto/x509v3/v3_purp.c | 104 +- lib/libssl/src/crypto/x509v3/v3_skey.c | 15 +- lib/libssl/src/crypto/x509v3/v3_sxnet.c | 112 +- lib/libssl/src/crypto/x509v3/v3_utl.c | 45 +- lib/libssl/src/crypto/x509v3/v3conf.c | 1 - lib/libssl/src/crypto/x509v3/v3err.c | 9 +- lib/libssl/src/crypto/x509v3/v3prin.c | 2 - lib/libssl/src/crypto/x509v3/x509v3.h | 274 +- lib/libssl/src/demos/b64.c | 4 +- lib/libssl/src/demos/maurice/example1.c | 8 +- lib/libssl/src/demos/maurice/example3.c | 6 +- lib/libssl/src/demos/maurice/loadkeys.c | 9 +- lib/libssl/src/demos/sign/sign.c | 4 +- lib/libssl/src/demos/ssl/cli.cpp | 4 +- lib/libssl/src/demos/ssl/inetdsrv.cpp | 4 +- lib/libssl/src/demos/ssl/serv.cpp | 4 +- lib/libssl/src/doc/apps/CA.pl.pod | 5 + lib/libssl/src/doc/apps/ca.pod | 133 +- lib/libssl/src/doc/apps/enc.pod | 16 +- lib/libssl/src/doc/apps/openssl.pod | 8 + lib/libssl/src/doc/apps/passwd.pod | 8 +- lib/libssl/src/doc/apps/pkcs12.pod | 2 +- lib/libssl/src/doc/apps/pkcs7.pod | 2 +- lib/libssl/src/doc/apps/rand.pod | 2 +- lib/libssl/src/doc/apps/req.pod | 59 +- lib/libssl/src/doc/apps/rsa.pod | 2 +- lib/libssl/src/doc/apps/s_client.pod | 25 +- lib/libssl/src/doc/apps/s_server.pod | 28 +- lib/libssl/src/doc/apps/verify.pod | 8 +- lib/libssl/src/doc/apps/version.pod | 8 + lib/libssl/src/doc/apps/x509.pod | 122 +- lib/libssl/src/doc/crypto/BIO_f_md.pod | 2 +- lib/libssl/src/doc/crypto/BIO_new_bio_pair.pod | 7 +- lib/libssl/src/doc/crypto/BIO_s_accept.pod | 31 +- lib/libssl/src/doc/crypto/BIO_s_connect.pod | 34 +- lib/libssl/src/doc/crypto/BIO_s_socket.pod | 12 +- lib/libssl/src/doc/crypto/BN_add.pod | 89 +- lib/libssl/src/doc/crypto/BN_bn2bin.pod | 2 +- .../src/doc/crypto/BN_mod_mul_montgomery.pod | 20 +- lib/libssl/src/doc/crypto/BN_rand.pod | 5 + lib/libssl/src/doc/crypto/BN_zero.pod | 2 +- lib/libssl/src/doc/crypto/DH_set_method.pod | 4 +- lib/libssl/src/doc/crypto/DSA_set_method.pod | 2 +- lib/libssl/src/doc/crypto/ERR_get_error.pod | 29 +- lib/libssl/src/doc/crypto/EVP_DigestInit.pod | 119 +- lib/libssl/src/doc/crypto/EVP_EncryptInit.pod | 289 +- lib/libssl/src/doc/crypto/EVP_SignInit.pod | 39 +- lib/libssl/src/doc/crypto/EVP_VerifyInit.pod | 36 +- .../src/doc/crypto/OPENSSL_VERSION_NUMBER.pod | 29 +- lib/libssl/src/doc/crypto/RAND_egd.pod | 18 + lib/libssl/src/doc/crypto/RSA_generate_key.pod | 2 +- lib/libssl/src/doc/crypto/RSA_public_encrypt.pod | 4 - lib/libssl/src/doc/crypto/RSA_set_method.pod | 26 +- lib/libssl/src/doc/crypto/blowfish.pod | 4 +- lib/libssl/src/doc/crypto/bn.pod | 17 +- lib/libssl/src/doc/crypto/bn_internal.pod | 19 +- lib/libssl/src/doc/crypto/crypto.pod | 3 +- lib/libssl/src/doc/crypto/des.pod | 324 ++- lib/libssl/src/doc/crypto/hmac.pod | 31 +- lib/libssl/src/doc/crypto/lhash.pod | 196 +- lib/libssl/src/doc/crypto/rsa.pod | 1 - lib/libssl/src/doc/crypto/threads.pod | 6 +- .../src/doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 1 + lib/libssl/src/doc/ssl/SSL_CTX_free.pod | 2 + .../src/doc/ssl/SSL_CTX_load_verify_locations.pod | 6 +- lib/libssl/src/doc/ssl/SSL_CTX_new.pod | 4 - lib/libssl/src/doc/ssl/SSL_CTX_sess_set_get_cb.pod | 8 +- lib/libssl/src/doc/ssl/SSL_CTX_set_cipher_list.pod | 24 +- .../src/doc/ssl/SSL_CTX_set_default_passwd_cb.pod | 6 + lib/libssl/src/doc/ssl/SSL_CTX_set_mode.pod | 3 + lib/libssl/src/doc/ssl/SSL_CTX_set_options.pod | 89 +- .../src/doc/ssl/SSL_CTX_set_session_cache_mode.pod | 1 + lib/libssl/src/doc/ssl/SSL_CTX_set_timeout.pod | 8 +- lib/libssl/src/doc/ssl/SSL_CTX_set_verify.pod | 14 +- lib/libssl/src/doc/ssl/SSL_CTX_use_certificate.pod | 1 + lib/libssl/src/doc/ssl/SSL_SESSION_free.pod | 32 +- lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod | 3 +- lib/libssl/src/doc/ssl/SSL_accept.pod | 5 - lib/libssl/src/doc/ssl/SSL_clear.pod | 22 +- lib/libssl/src/doc/ssl/SSL_connect.pod | 5 - lib/libssl/src/doc/ssl/SSL_get_client_CA_list.pod | 3 +- lib/libssl/src/doc/ssl/SSL_get_error.pod | 8 +- .../src/doc/ssl/SSL_get_peer_certificate.pod | 2 +- lib/libssl/src/doc/ssl/SSL_get_session.pod | 12 +- lib/libssl/src/doc/ssl/SSL_new.pod | 1 + lib/libssl/src/doc/ssl/SSL_read.pod | 25 +- lib/libssl/src/doc/ssl/SSL_set_connect_state.pod | 23 +- lib/libssl/src/doc/ssl/SSL_set_session.pod | 13 +- lib/libssl/src/doc/ssl/SSL_set_shutdown.pod | 6 +- lib/libssl/src/doc/ssl/SSL_shutdown.pod | 67 +- lib/libssl/src/doc/ssl/SSL_write.pod | 16 +- lib/libssl/src/doc/ssl/d2i_SSL_SESSION.pod | 14 +- lib/libssl/src/doc/ssl/ssl.pod | 39 +- lib/libssl/src/doc/ssleay.txt | 16 + lib/libssl/src/doc/standards.txt | 19 +- lib/libssl/src/e_os.h | 208 +- lib/libssl/src/e_os2.h | 235 +- lib/libssl/src/install.com | 2 +- lib/libssl/src/makevms.com | 100 +- lib/libssl/src/ms/32all.bat | 5 + lib/libssl/src/ms/testss.bat | 2 +- lib/libssl/src/openssl.spec | 37 +- lib/libssl/src/perl/OpenSSL.xs | 41 +- lib/libssl/src/perl/openssl_bio.xs | 10 +- lib/libssl/src/perl/openssl_bn.xs | 12 +- lib/libssl/src/perl/openssl_cipher.xs | 10 +- lib/libssl/src/perl/openssl_digest.xs | 7 +- lib/libssl/src/perl/openssl_ssl.xs | 12 +- lib/libssl/src/shlib/Makefile.hpux10-cc | 27 +- lib/libssl/src/shlib/hpux10-cc.sh | 18 +- lib/libssl/src/ssl/Makefile.ssl | 1140 ++++---- lib/libssl/src/ssl/bio_ssl.c | 8 +- lib/libssl/src/ssl/install.com | 2 +- lib/libssl/src/ssl/s23_clnt.c | 17 +- lib/libssl/src/ssl/s23_lib.c | 6 +- lib/libssl/src/ssl/s23_srvr.c | 181 +- lib/libssl/src/ssl/s2_clnt.c | 177 +- lib/libssl/src/ssl/s2_enc.c | 19 +- lib/libssl/src/ssl/s2_lib.c | 36 +- lib/libssl/src/ssl/s2_meth.c | 4 +- lib/libssl/src/ssl/s2_pkt.c | 63 +- lib/libssl/src/ssl/s2_srvr.c | 196 +- lib/libssl/src/ssl/s3_both.c | 74 +- lib/libssl/src/ssl/s3_clnt.c | 389 ++- lib/libssl/src/ssl/s3_enc.c | 201 +- lib/libssl/src/ssl/s3_lib.c | 403 ++- lib/libssl/src/ssl/s3_pkt.c | 181 +- lib/libssl/src/ssl/s3_srvr.c | 388 ++- lib/libssl/src/ssl/ssl-lib.com | 36 +- lib/libssl/src/ssl/ssl.h | 442 ++- lib/libssl/src/ssl/ssl2.h | 9 +- lib/libssl/src/ssl/ssl3.h | 91 +- lib/libssl/src/ssl/ssl_algs.c | 26 +- lib/libssl/src/ssl/ssl_asn1.c | 40 + lib/libssl/src/ssl/ssl_cert.c | 130 +- lib/libssl/src/ssl/ssl_ciph.c | 77 +- lib/libssl/src/ssl/ssl_err.c | 23 +- lib/libssl/src/ssl/ssl_err2.c | 2 +- lib/libssl/src/ssl/ssl_lib.c | 437 ++- lib/libssl/src/ssl/ssl_locl.h | 88 +- lib/libssl/src/ssl/ssl_rsa.c | 42 +- lib/libssl/src/ssl/ssl_sess.c | 122 +- lib/libssl/src/ssl/ssl_stat.c | 92 +- lib/libssl/src/ssl/ssl_task.c | 2 +- lib/libssl/src/ssl/ssl_txt.c | 14 +- lib/libssl/src/ssl/ssltest.c | 283 +- lib/libssl/src/ssl/t1_enc.c | 221 +- lib/libssl/src/ssl/tls1.h | 30 + lib/libssl/src/test/Makefile.ssl | 320 ++- lib/libssl/src/test/maketests.com | 44 +- lib/libssl/src/test/tests.com | 31 +- lib/libssl/src/test/testss | 15 +- lib/libssl/src/test/testssl | 120 +- lib/libssl/src/test/tmp.bctest | 2 + lib/libssl/src/tools/Makefile.ssl | 5 +- lib/libssl/src/tools/c_rehash.in | 4 +- lib/libssl/src/util/clean-depend.pl | 20 +- lib/libssl/src/util/domd | 22 +- lib/libssl/src/util/libeay.num | 1271 +++++++-- lib/libssl/src/util/mk1mf.pl | 98 +- lib/libssl/src/util/mkdef.pl | 980 +++++-- lib/libssl/src/util/mkerr.pl | 200 +- lib/libssl/src/util/mkfiles.pl | 6 +- lib/libssl/src/util/mkstack.pl | 2 +- lib/libssl/src/util/pl/BC-16.pl | 4 +- lib/libssl/src/util/pl/BC-32.pl | 3 +- lib/libssl/src/util/pl/VC-16.pl | 3 +- lib/libssl/src/util/pl/VC-32.pl | 9 +- lib/libssl/src/util/selftest.pl | 12 +- lib/libssl/src/util/ssleay.num | 76 +- lib/libssl/ssl/Makefile | 2 +- 690 files changed, 42239 insertions(+), 22764 deletions(-) create mode 100644 lib/libssl/src/crypto/bn/bn_mod.c create mode 100644 lib/libssl/src/crypto/conf/conf.c create mode 100644 lib/libssl/src/crypto/objects/obj_dat.h create mode 100644 lib/libssl/src/test/tmp.bctest diff --git a/lib/libssl/Makefile.bsd-wrapper b/lib/libssl/Makefile.bsd-wrapper index 0b37f1d31ef..71e293369a4 100644 --- a/lib/libssl/Makefile.bsd-wrapper +++ b/lib/libssl/Makefile.bsd-wrapper @@ -1,5 +1,5 @@ # Build wrapper for OpenSSL -# $OpenBSD: Makefile.bsd-wrapper,v 1.44 2002/05/15 01:48:54 beck Exp $ +# $OpenBSD: Makefile.bsd-wrapper,v 1.45 2002/05/15 02:29:01 beck Exp $ # Our lndir is hacked; specify a full path to avoid potential conflicts # with the one installed with X11. @@ -673,7 +673,7 @@ maninstall: --center='OpenSSL' --release="OpenBSD `uname -r`" \ `basename ${.ALLSRC}` ) | nroff -Tps -man > ${.TARGET} -SSL_SRC=openssl +SSL_SRC=src all: prereq ${MANALL} ${PSALL} # egcs bombs optimising this file on vax diff --git a/lib/libssl/crypto/Makefile b/lib/libssl/crypto/Makefile index 2bfd04d516a..97e12a758dc 100644 --- a/lib/libssl/crypto/Makefile +++ b/lib/libssl/crypto/Makefile @@ -1,7 +1,7 @@ LIB= crypto -SSLEAYDIST= openssl +SSLEAYDIST= src LCRYPTO_SRC= ${.CURDIR}/../${SSLEAYDIST}/crypto LCRYPTO_INC= ${.CURDIR}/../${SSLEAYDIST}/include diff --git a/lib/libssl/src/CHANGES b/lib/libssl/src/CHANGES index f88867b065e..b8399a3500a 100644 --- a/lib/libssl/src/CHANGES +++ b/lib/libssl/src/CHANGES @@ -2,6 +2,1964 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6d and 0.9.7 [XX xxx 2002] + + *) Fix escaping of non-ASCII characters when using the -subj option + of the "openssl req" command line tool. (Robert Joop ) + [Lutz Jaenicke] + + *) Make object definitions compliant to LDAP (RFC2256): SN is the short + form for "surname", serialNumber has no short form. + Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; + therefore remove "mail" short name for "internet 7". + Some more OID additions. (Michael Bell ) + [Lutz Jaenicke] + + *) Add an "init" command to the ENGINE config module and auto initialize + ENGINEs. Without any "init" command the ENGINE will be initialized + after all ctrl commands have been executed on it. If init=1 the + ENGINE is initailized at that point (ctrls before that point are run + on the uninitialized ENGINE and after on the initialized one). If + init=0 then the ENGINE will not be iniatialized at all. + [Steve Henson] + + *) Fix the 'app_verify_callback' interface so that the user-defined + argument is actually passed to the callback: In the + SSL_CTX_set_cert_verify_callback() prototype, the callback + declaration has been changed from + int (*cb)() + into + int (*cb)(X509_STORE_CTX *,void *); + in ssl_verify_cert_chain (ssl/ssl_cert.c), the call + i=s->ctx->app_verify_callback(&ctx) + has been changed into + i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). + + To update applications using SSL_CTX_set_cert_verify_callback(), + a dummy argument can be added to their callback functions. + [D. K. Smetters ] + + *) Added the '4758cca' ENGINE to support IBM 4758 cards. + [Maurice Gittens , touchups by Geoff Thorpe] + + *) Add and OPENSSL_LOAD_CONF define which will cause + OpenSSL_add_all_algorithms() to load the openssl.cnf config file. + This allows older applications to transparently support certain + OpenSSL features: such as crypto acceleration and dynamic ENGINE loading. + Two new functions OPENSSL_add_all_algorithms_noconf() which will never + load the config file and OPENSSL_add_all_algorithms_conf() which will + always load it have also been added. + [Steve Henson] + + *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES. + Adjust NIDs and EVP layer. + [Stephen Sprunk and Richard Levitte] + + *) Config modules support in openssl utility. + + Most commands now load modules from the config file, + though in a few (such as version) this isn't done + because it couldn't be used for anything. + + In the case of ca and req the config file used is + the same as the utility itself: that is the -config + command line option can be used to specify an + alternative file. + [Steve Henson] + + *) Move default behaviour from OPENSSL_config(). If appname is NULL + use "openssl_conf" if filename is NULL use default openssl config file. + [Steve Henson] + + *) Add an argument to OPENSSL_config() to allow the use of an alternative + config section name. Add a new flag to tolerate a missing config file + and move code to CONF_modules_load_file(). + [Steve Henson] + + *) Support for crypto accelerator cards from Accelerated Encryption + Processing, www.aep.ie. (Use engine 'aep') + The support was copied from 0.9.6c [engine] and adapted/corrected + to work with the new engine framework. + [AEP Inc. and Richard Levitte] + + *) Support for SureWare crypto accelerator cards from Baltimore + Technologies. (Use engine 'sureware') + The support was copied from 0.9.6c [engine] and adapted + to work with the new engine framework. + [Richard Levitte] + + *) Have the CHIL engine fork-safe (as defined by nCipher) and actually + make the newer ENGINE framework commands for the CHIL engine work. + [Toomas Kiisk and Richard Levitte] + + *) Make it possible to produce shared libraries on ReliantUNIX. + [Robert Dahlem via Richard Levitte] + + *) Add the configuration target debug-linux-ppro. + Make 'openssl rsa' use the general key loading routines + implemented in apps.c, and make those routines able to + handle the key format FORMAT_NETSCAPE and the variant + FORMAT_IISSGC. + [Toomas Kiisk via Richard Levitte] + + *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). + [Toomas Kiisk via Richard Levitte] + + *) Add -keyform to rsautl, and document -engine. + [Richard Levitte, inspired by Toomas Kiisk ] + + *) Change BIO_new_file (crypto/bio/bss_file.c) to use new + BIO_R_NO_SUCH_FILE error code rather than the generic + ERR_R_SYS_LIB error code if fopen() fails with ENOENT. + [Ben Laurie] + + *) Add new functions + ERR_peek_last_error + ERR_peek_last_error_line + ERR_peek_last_error_line_data. + These are similar to + ERR_peek_error + ERR_peek_error_line + ERR_peek_error_line_data, + but report on the latest error recorded rather than the first one + still in the error queue. + [Ben Laurie, Bodo Moeller] + + *) default_algorithms option in ENGINE config module. This allows things + like: + default_algorithms = ALL + default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS + [Steve Henson] + + *) Prelminary ENGINE config module. + [Steve Henson] + + *) New experimental application configuration code. + [Steve Henson] + + *) Change the AES code to follow the same name structure as all other + symmetric ciphers, and behave the same way. Move everything to + the directory crypto/aes, thereby obsoleting crypto/rijndael. + [Stephen Sprunk and Richard Levitte] + + *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. + [Ben Laurie and Theo de Raadt] + + *) Add option to output public keys in req command. + [Massimiliano Pala madwolf@openca.org] + + *) Use wNAFs in EC_POINTs_mul() for improved efficiency + (up to about 10% better than before for P-192 and P-224). + [Bodo Moeller] + + *) New functions/macros + + SSL_CTX_set_msg_callback(ctx, cb) + SSL_CTX_set_msg_callback_arg(ctx, arg) + SSL_set_msg_callback(ssl, cb) + SSL_set_msg_callback_arg(ssl, arg) + + to request calling a callback function + + void cb(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg) + + whenever a protocol message has been completely received + (write_p == 0) or sent (write_p == 1). Here 'version' is the + protocol version according to which the SSL library interprets + the current protocol message (SSL2_VERSION, SSL3_VERSION, or + TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or + the content type as defined in the SSL 3.0/TLS 1.0 protocol + specification (change_cipher_spec(20), alert(21), handshake(22)). + 'buf' and 'len' point to the actual message, 'ssl' to the + SSL object, and 'arg' is the application-defined value set by + SSL[_CTX]_set_msg_callback_arg(). + + 'openssl s_client' and 'openssl s_server' have new '-msg' options + to enable a callback that displays all protocol messages. + [Bodo Moeller] + + *) Change the shared library support so shared libraries are built as + soon as the corresponding static library is finished, and thereby get + openssl and the test programs linked against the shared library. + This still only happens when the keyword "shard" has been given to + the configuration scripts. + + NOTE: shared library support is still an experimental thing, and + backward binary compatibility is still not guaranteed. + ["Maciej W. Rozycki" and Richard Levitte] + + *) Add support for Subject Information Access extension. + [Peter Sylvester ] + + *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero + additional bytes when new memory had to be allocated, not just + when reusing an existing buffer. + [Bodo Moeller] + + *) New command line and configuration option 'utf8' for the req command. + This allows field values to be specified as UTF8 strings. + [Steve Henson] + + *) Add -multi and -mr options to "openssl speed" - giving multiple parallel + runs for the former and machine-readable output for the latter. + [Ben Laurie] + + *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion + of the e-mail address in the DN (i.e., it will go into a certificate + extension only). The new configuration file option 'email_in_dn = no' + has the same effect. + [Massimiliano Pala madwolf@openca.org] + + *) Change all functions with names starting with des_ to be starting + with DES_ instead. Add wrappers that are compatible with libdes, + but are named _ossl_old_des_*. Finally, add macros that map the + des_* symbols to the corresponding _ossl_old_des_* if libdes + compatibility is desired. If OpenSSL 0.9.6c compatibility is + desired, the des_* symbols will be mapped to DES_*, with one + exception. + + Since we provide two compatibility mappings, the user needs to + define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes + compatibility is desired. The default (i.e., when that macro + isn't defined) is OpenSSL 0.9.6c compatibility. + + There are also macros that enable and disable the support of old + des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT + and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those + are defined, the default will apply: to support the old des routines. + + In either case, one must include openssl/des.h to get the correct + definitions. Do not try to just include openssl/des_old.h, that + won't work. + + NOTE: This is a major break of an old API into a new one. Software + authors are encouraged to switch to the DES_ style functions. Some + time in the future, des_old.h and the libdes compatibility functions + will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the + default), and then completely removed. + [Richard Levitte] + + *) Test for certificates which contain unsupported critical extensions. + If such a certificate is found during a verify operation it is + rejected by default: this behaviour can be overridden by either + handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or + by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function + X509_supported_extension() has also been added which returns 1 if a + particular extension is supported. + [Steve Henson] + + *) Modify the behaviour of EVP cipher functions in similar way to digests + to retain compatibility with existing code. + [Steve Henson] + + *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain + compatibility with existing code. In particular the 'ctx' parameter does + not have to be to be initialized before the call to EVP_DigestInit() and + it is tidied up after a call to EVP_DigestFinal(). New function + EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function + EVP_MD_CTX_copy() changed to not require the destination to be + initialized valid and new function EVP_MD_CTX_copy_ex() added which + requires the destination to be valid. + + Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), + EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). + [Steve Henson] + + *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it + so that complete 'Handshake' protocol structures are kept in memory + instead of overwriting 'msg_type' and 'length' with 'body' data. + [Bodo Moeller] + + *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. + [Massimo Santin via Richard Levitte] + + *) Major restructuring to the underlying ENGINE code. This includes + reduction of linker bloat, separation of pure "ENGINE" manipulation + (initialisation, etc) from functionality dealing with implementations + of specific crypto iterfaces. This change also introduces integrated + support for symmetric ciphers and digest implementations - so ENGINEs + can now accelerate these by providing EVP_CIPHER and EVP_MD + implementations of their own. This is detailed in crypto/engine/README + as it couldn't be adequately described here. However, there are a few + API changes worth noting - some RSA, DSA, DH, and RAND functions that + were changed in the original introduction of ENGINE code have now + reverted back - the hooking from this code to ENGINE is now a good + deal more passive and at run-time, operations deal directly with + RSA_METHODs, DSA_METHODs (etc) as they did before, rather than + dereferencing through an ENGINE pointer any more. Also, the ENGINE + functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - + they were not being used by the framework as there is no concept of a + BIGNUM_METHOD and they could not be generalised to the new + 'ENGINE_TABLE' mechanism that underlies the new code. Similarly, + ENGINE_cpy() has been removed as it cannot be consistently defined in + the new code. + [Geoff Thorpe] + + *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. + [Steve Henson] + + *) Change mkdef.pl to sort symbols that get the same entry number, + and make sure the automatically generated functions ERR_load_* + become part of libeay.num as well. + [Richard Levitte] + + *) New function SSL_renegotiate_pending(). This returns true once + renegotiation has been requested (either SSL_renegotiate() call + or HelloRequest/ClientHello receveived from the peer) and becomes + false once a handshake has been completed. + (For servers, SSL_renegotiate() followed by SSL_do_handshake() + sends a HelloRequest, but does not ensure that a handshake takes + place. SSL_renegotiate_pending() is useful for checking if the + client has followed the request.) + [Bodo Moeller] + + *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. + By default, clients may request session resumption even during + renegotiation (if session ID contexts permit); with this option, + session resumption is possible only in the first handshake. + [Bodo Moeller] + + *) Add some demos for certificate and certificate request creation. + [Steve Henson] + + *) Make maximum certificate chain size accepted from the peer application + settable (SSL*_get/set_max_cert_list()), as proposed by + "Douglas E. Engert" . + [Lutz Jaenicke] + + *) Add support for shared libraries for Unixware-7 + (Boyd Lynn Gerber ). + [Lutz Jaenicke] + + *) Add a "destroy" handler to ENGINEs that allows structural cleanup to + be done prior to destruction. Use this to unload error strings from + ENGINEs that load their own error strings. NB: This adds two new API + functions to "get" and "set" this destroy handler in an ENGINE. + [Geoff Thorpe] + + *) Alter all existing ENGINE implementations (except "openssl" and + "openbsd") to dynamically instantiate their own error strings. This + makes them more flexible to be built both as statically-linked ENGINEs + and self-contained shared-libraries loadable via the "dynamic" ENGINE. + Also, add stub code to each that makes building them as self-contained + shared-libraries easier (see README.ENGINE). + [Geoff Thorpe] + + *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE + implementations into applications that are completely implemented in + self-contained shared-libraries. The "dynamic" ENGINE exposes control + commands that can be used to configure what shared-library to load and + to control aspects of the way it is handled. Also, made an update to + the README.ENGINE file that brings its information up-to-date and + provides some information and instructions on the "dynamic" ENGINE + (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). + [Geoff Thorpe] + + *) Make it possible to unload ranges of ERR strings with a new + "ERR_unload_strings" function. + [Geoff Thorpe] + + *) Add a copy() function to EVP_MD. + [Ben Laurie] + + *) Make EVP_MD routines take a context pointer instead of just the + md_data void pointer. + [Ben Laurie] + + *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates + that the digest can only process a single chunk of data + (typically because it is provided by a piece of + hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application + is only going to provide a single chunk of data, and hence the + framework needn't accumulate the data for oneshot drivers. + [Ben Laurie] + + *) As with "ERR", make it possible to replace the underlying "ex_data" + functions. This change also alters the storage and management of global + ex_data state - it's now all inside ex_data.c and all "class" code (eg. + RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class + index counters. The API functions that use this state have been changed + to take a "class_index" rather than pointers to the class's local STACK + and counter, and there is now an API function to dynamically create new + classes. This centralisation allows us to (a) plug a lot of the + thread-safety problems that existed, and (b) makes it possible to clean + up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) + such data would previously have always leaked in application code and + workarounds were in place to make the memory debugging turn a blind eye + to it. Application code that doesn't use this new function will still + leak as before, but their memory debugging output will announce it now + rather than letting it slide. + + Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change + induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now + has a return value to indicate success or failure. + [Geoff Thorpe] + + *) Make it possible to replace the underlying "ERR" functions such that the + global state (2 LHASH tables and 2 locks) is only used by the "default" + implementation. This change also adds two functions to "get" and "set" + the implementation prior to it being automatically set the first time + any other ERR function takes place. Ie. an application can call "get", + pass the return value to a module it has just loaded, and that module + can call its own "set" function using that value. This means the + module's "ERR" operations will use (and modify) the error state in the + application and not in its own statically linked copy of OpenSSL code. + [Geoff Thorpe] + + *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment + reference counts. This performs normal REF_PRINT/REF_CHECK macros on + the operation, and provides a more encapsulated way for external code + (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code + to use these functions rather than manually incrementing the counts. + + Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". + [Geoff Thorpe] + + *) Add EVP test program. + [Ben Laurie] + + *) Add symmetric cipher support to ENGINE. Expect the API to change! + [Ben Laurie] + + *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() + X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), + X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). + These allow a CRL to be built without having to access X509_CRL fields + directly. Modify 'ca' application to use new functions. + [Steve Henson] + + *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended + bug workarounds. Rollback attack detection is a security feature. + The problem will only arise on OpenSSL servers when TLSv1 is not + available (sslv3_server_method() or SSL_OP_NO_TLSv1). + Software authors not wanting to support TLSv1 will have special reasons + for their choice and can explicitly enable this option. + [Bodo Moeller, Lutz Jaenicke] + + *) Rationalise EVP so it can be extended: don't include a union of + cipher/digest structures, add init/cleanup functions. This also reduces + the number of header dependencies. + Usage example: + + EVP_MD_CTX md; + + EVP_MD_CTX_init(&md); /* new function call */ + EVP_DigestInit(&md, EVP_sha1()); + EVP_DigestUpdate(&md, in, len); + EVP_DigestFinal(&md, out, NULL); + EVP_MD_CTX_cleanup(&md); /* new function call */ + + [Ben Laurie] + + *) Make DES key schedule conform to the usual scheme, as well as + correcting its structure. This means that calls to DES functions + now have to pass a pointer to a des_key_schedule instead of a + plain des_key_schedule (which was actually always a pointer + anyway): E.g., + + des_key_schedule ks; + + des_set_key_checked(..., &ks); + des_ncbc_encrypt(..., &ks, ...); + + (Note that a later change renames 'des_...' into 'DES_...'.) + [Ben Laurie] + + *) Initial reduction of linker bloat: the use of some functions, such as + PEM causes large amounts of unused functions to be linked in due to + poor organisation. For example pem_all.c contains every PEM function + which has a knock on effect of linking in large amounts of (unused) + ASN1 code. Grouping together similar functions and splitting unrelated + functions prevents this. + [Steve Henson] + + *) Cleanup of EVP macros. + [Ben Laurie] + + *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the + correct _ecb suffix. + [Ben Laurie] + + *) Add initial OCSP responder support to ocsp application. The + revocation information is handled using the text based index + use by the ca application. The responder can either handle + requests generated internally, supplied in files (for example + via a CGI script) or using an internal minimal server. + [Steve Henson] + + *) Add configuration choices to get zlib compression for TLS. + [Richard Levitte] + + *) Changes to Kerberos SSL for RFC 2712 compliance: + 1. Implemented real KerberosWrapper, instead of just using + KRB5 AP_REQ message. [Thanks to Simon Wilkinson ] + 2. Implemented optional authenticator field of KerberosWrapper. + + Added openssl-style ASN.1 macros for Kerberos ticket, ap_req, + and authenticator structs; see crypto/krb5/. + + Generalized Kerberos calls to support multiple Kerberos libraries. + [Vern Staats , + Jeffrey Altman + via Richard Levitte] + + *) Cause 'openssl speed' to use fully hard-coded DSA keys as it + already does with RSA. testdsa.h now has 'priv_key/pub_key' + values for each of the key sizes rather than having just + parameters (and 'speed' generating keys each time). + [Geoff Thorpe] + + *) Speed up EVP routines. + Before: +encrypt +type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes +des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k +des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k +des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k +decrypt +des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k +des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k +des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k + After: +encrypt +des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k +decrypt +des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k + [Ben Laurie] + + *) Added the OS2-EMX target. + ["Brian Havard" and Richard Levitte] + + *) Rewrite apps to use NCONF routines instead of the old CONF. New functions + to support NCONF routines in extension code. New function CONF_set_nconf() + to allow functions which take an NCONF to also handle the old LHASH + structure: this means that the old CONF compatible routines can be + retained (in particular wrt extensions) without having to duplicate the + code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. + [Steve Henson] + + *) Enhance the general user interface with mechanisms for inner control + and with possibilities to have yes/no kind of prompts. + [Richard Levitte] + + *) Change all calls to low level digest routines in the library and + applications to use EVP. Add missing calls to HMAC_cleanup() and + don't assume HMAC_CTX can be copied using memcpy(). + [Verdon Walker , Steve Henson] + + *) Add the possibility to control engines through control names but with + arbitrary arguments instead of just a string. + Change the key loaders to take a UI_METHOD instead of a callback + function pointer. NOTE: this breaks binary compatibility with earlier + versions of OpenSSL [engine]. + Adapt the nCipher code for these new conditions and add a card insertion + callback. + [Richard Levitte] + + *) Enhance the general user interface with mechanisms to better support + dialog box interfaces, application-defined prompts, the possibility + to use defaults (for example default passwords from somewhere else) + and interrupts/cancellations. + [Richard Levitte] + + *) Tidy up PKCS#12 attribute handling. Add support for the CSP name + attribute in PKCS#12 files, add new -CSP option to pkcs12 utility. + [Steve Henson] + + *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also + tidy up some unnecessarily weird code in 'sk_new()'). + [Geoff, reported by Diego Tartara ] + + *) Change the key loading routines for ENGINEs to use the same kind + callback (pem_password_cb) as all other routines that need this + kind of callback. + [Richard Levitte] + + *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with + 256 bit (=32 byte) keys. Of course seeding with more entropy bytes + than this minimum value is recommended. + [Lutz Jaenicke] + + *) New random seeder for OpenVMS, using the system process statistics + that are easily reachable. + [Richard Levitte] + + *) Windows apparently can't transparently handle global + variables defined in DLLs. Initialisations such as: + + const ASN1_ITEM *it = &ASN1_INTEGER_it; + + wont compile. This is used by the any applications that need to + declare their own ASN1 modules. This was fixed by adding the option + EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly + needed for static libraries under Win32. + [Steve Henson] + + *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle + setting of purpose and trust fields. New X509_STORE trust and + purpose functions and tidy up setting in other SSL functions. + [Steve Henson] + + *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE + structure. These are inherited by X509_STORE_CTX when it is + initialised. This allows various defaults to be set in the + X509_STORE structure (such as flags for CRL checking and custom + purpose or trust settings) for functions which only use X509_STORE_CTX + internally such as S/MIME. + + Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and + trust settings if they are not set in X509_STORE. This allows X509_STORE + purposes and trust (in S/MIME for example) to override any set by default. + + Add command line options for CRL checking to smime, s_client and s_server + applications. + [Steve Henson] + + *) Initial CRL based revocation checking. If the CRL checking flag(s) + are set then the CRL is looked up in the X509_STORE structure and + its validity and signature checked, then if the certificate is found + in the CRL the verify fails with a revoked error. + + Various new CRL related callbacks added to X509_STORE_CTX structure. + + Command line options added to 'verify' application to support this. + + This needs some additional work, such as being able to handle multiple + CRLs with different times, extension based lookup (rather than just + by subject name) and ultimately more complete V2 CRL extension + handling. + [Steve Henson] + + *) Add a general user interface API (crypto/ui/). This is designed + to replace things like des_read_password and friends (backward + compatibility functions using this new API are provided). + The purpose is to remove prompting functions from the DES code + section as well as provide for prompting through dialog boxes in + a window system and the like. + [Richard Levitte] + + *) Add "ex_data" support to ENGINE so implementations can add state at a + per-structure level rather than having to store it globally. + [Geoff] + + *) Make it possible for ENGINE structures to be copied when retrieved by + ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. + This causes the "original" ENGINE structure to act like a template, + analogous to the RSA vs. RSA_METHOD type of separation. Because of this + operational state can be localised to each ENGINE structure, despite the + fact they all share the same "methods". New ENGINE structures returned in + this case have no functional references and the return value is the single + structural reference. This matches the single structural reference returned + by ENGINE_by_id() normally, when it is incremented on the pre-existing + ENGINE structure. + [Geoff] + + *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this + needs to match any other type at all we need to manually clear the + tag cache. + [Steve Henson] + + *) Changes to the "openssl engine" utility to include; + - verbosity levels ('-v', '-vv', and '-vvv') that provide information + about an ENGINE's available control commands. + - executing control commands from command line arguments using the + '-pre' and '-post' switches. '-post' is only used if '-t' is + specified and the ENGINE is successfully initialised. The syntax for + the individual commands are colon-separated, for example; + openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so + [Geoff] + + *) New dynamic control command support for ENGINEs. ENGINEs can now + declare their own commands (numbers), names (strings), descriptions, + and input types for run-time discovery by calling applications. A + subset of these commands are implicitly classed as "executable" + depending on their input type, and only these can be invoked through + the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this + can be based on user input, config files, etc). The distinction is + that "executable" commands cannot return anything other than a boolean + result and can only support numeric or string input, whereas some + discoverable commands may only be for direct use through + ENGINE_ctrl(), eg. supporting the exchange of binary data, function + pointers, or other custom uses. The "executable" commands are to + support parameterisations of ENGINE behaviour that can be + unambiguously defined by ENGINEs and used consistently across any + OpenSSL-based application. Commands have been added to all the + existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow + control over shared-library paths without source code alterations. + [Geoff] + + *) Changed all ENGINE implementations to dynamically allocate their + ENGINEs rather than declaring them statically. Apart from this being + necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, + this also allows the implementations to compile without using the + internal engine_int.h header. + [Geoff] + + *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a + 'const' value. Any code that should be able to modify a RAND_METHOD + should already have non-const pointers to it (ie. they should only + modify their own ones). + [Geoff] + + *) Made a variety of little tweaks to the ENGINE code. + - "atalla" and "ubsec" string definitions were moved from header files + to C code. "nuron" string definitions were placed in variables + rather than hard-coded - allowing parameterisation of these values + later on via ctrl() commands. + - Removed unused "#if 0"'d code. + - Fixed engine list iteration code so it uses ENGINE_free() to release + structural references. + - Constified the RAND_METHOD element of ENGINE structures. + - Constified various get/set functions as appropriate and added + missing functions (including a catch-all ENGINE_cpy that duplicates + all ENGINE values onto a new ENGINE except reference counts/state). + - Removed NULL parameter checks in get/set functions. Setting a method + or function to NULL is a way of cancelling out a previously set + value. Passing a NULL ENGINE parameter is just plain stupid anyway + and doesn't justify the extra error symbols and code. + - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for + flags from engine_int.h to engine.h. + - Changed prototypes for ENGINE handler functions (init(), finish(), + ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. + [Geoff] + + *) Implement binary inversion algorithm for BN_mod_inverse in addition + to the algorithm using long division. The binary algorithm can be + used only if the modulus is odd. On 32-bit systems, it is faster + only for relatively small moduli (roughly 20-30% for 128-bit moduli, + roughly 5-15% for 256-bit moduli), so we use it only for moduli + up to 450 bits. In 64-bit environments, the binary algorithm + appears to be advantageous for much longer moduli; here we use it + for moduli up to 2048 bits. + [Bodo Moeller] + + *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code + could not support the combine flag in choice fields. + [Steve Henson] + + *) Add a 'copy_extensions' option to the 'ca' utility. This copies + extensions from a certificate request to the certificate. + [Steve Henson] + + *) Allow multiple 'certopt' and 'nameopt' options to be separated + by commas. Add 'namopt' and 'certopt' options to the 'ca' config + file: this allows the display of the certificate about to be + signed to be customised, to allow certain fields to be included + or excluded and extension details. The old system didn't display + multicharacter strings properly, omitted fields not in the policy + and couldn't display additional details such as extensions. + [Steve Henson] + + *) Function EC_POINTs_mul for multiple scalar multiplication + of an arbitrary number of elliptic curve points + \sum scalars[i]*points[i], + optionally including the generator defined for the EC_GROUP: + scalar*generator + \sum scalars[i]*points[i]. + + EC_POINT_mul is a simple wrapper function for the typical case + that the point list has just one item (besides the optional + generator). + [Bodo Moeller] + + *) First EC_METHODs for curves over GF(p): + + EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr + operations and provides various method functions that can also + operate with faster implementations of modular arithmetic. + + EC_GFp_mont_method() reuses most functions that are part of + EC_GFp_simple_method, but uses Montgomery arithmetic. + + [Bodo Moeller; point addition and point doubling + implementation directly derived from source code provided by + Lenka Fibikova ] + + *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, + crypto/ec/ec_lib.c): + + Curves are EC_GROUP objects (with an optional group generator) + based on EC_METHODs that are built into the library. + + Points are EC_POINT objects based on EC_GROUP objects. + + Most of the framework would be able to handle curves over arbitrary + finite fields, but as there are no obvious types for fields other + than GF(p), some functions are limited to that for now. + [Bodo Moeller] + + *) Add the -HTTP option to s_server. It is similar to -WWW, but requires + that the file contains a complete HTTP response. + [Richard Levitte] + + *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl + change the def and num file printf format specifier from "%-40sXXX" + to "%-39s XXX". The latter will always guarantee a space after the + field while the former will cause them to run together if the field + is 40 of more characters long. + [Steve Henson] + + *) Constify the cipher and digest 'method' functions and structures + and modify related functions to take constant EVP_MD and EVP_CIPHER + pointers. + [Steve Henson] + + *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them + in . Also further increase BN_CTX_NUM to 32. + [Bodo Moeller] + + *) Modify EVP_Digest*() routines so they now return values. Although the + internal software routines can never fail additional hardware versions + might. + [Steve Henson] + + *) Clean up crypto/err/err.h and change some error codes to avoid conflicts: + + Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7 + (= ERR_R_PKCS7_LIB); it is now 64 instead of 32. + + ASN1 error codes + ERR_R_NESTED_ASN1_ERROR + ... + ERR_R_MISSING_ASN1_EOS + were 4 .. 9, conflicting with + ERR_LIB_RSA (= ERR_R_RSA_LIB) + ... + ERR_LIB_PEM (= ERR_R_PEM_LIB). + They are now 58 .. 63 (i.e., just below ERR_R_FATAL). + + Add new error code 'ERR_R_INTERNAL_ERROR'. + [Bodo Moeller] + + *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock + suffices. + [Bodo Moeller] + + *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This + sets the subject name for a new request or supersedes the + subject name in a given request. Formats that can be parsed are + 'CN=Some Name, OU=myOU, C=IT' + and + 'CN=Some Name/OU=myOU/C=IT'. + + Add options '-batch' and '-verbose' to 'openssl req'. + [Massimiliano Pala ] + + *) Introduce the possibility to access global variables through + functions on platform were that's the best way to handle exporting + global variables in shared libraries. To enable this functionality, + one must configure with "EXPORT_VAR_AS_FN" or defined the C macro + "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter + is normally done by Configure or something similar). + + To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL + in the source file (foo.c) like this: + + OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1; + OPENSSL_IMPLEMENT_GLOBAL(double,bar); + + To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL + and OPENSSL_GLOBAL_REF in the header file (foo.h) like this: + + OPENSSL_DECLARE_GLOBAL(int,foo); + #define foo OPENSSL_GLOBAL_REF(foo) + OPENSSL_DECLARE_GLOBAL(double,bar); + #define bar OPENSSL_GLOBAL_REF(bar) + + The #defines are very important, and therefore so is including the + header file everywhere where the defined globals are used. + + The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition + of ASN.1 items, but that structure is a bit different. + + The largest change is in util/mkdef.pl which has been enhanced with + better and easier to understand logic to choose which symbols should + go into the Windows .def files as well as a number of fixes and code + cleanup (among others, algorithm keywords are now sorted + lexicographically to avoid constant rewrites). + [Richard Levitte] + + *) In BN_div() keep a copy of the sign of 'num' before writing the + result to 'rm' because if rm==num the value will be overwritten + and produce the wrong result if 'num' is negative: this caused + problems with BN_mod() and BN_nnmod(). + [Steve Henson] + + *) Function OCSP_request_verify(). This checks the signature on an + OCSP request and verifies the signer certificate. The signer + certificate is just checked for a generic purpose and OCSP request + trust settings. + [Steve Henson] + + *) Add OCSP_check_validity() function to check the validity of OCSP + responses. OCSP responses are prepared in real time and may only + be a few seconds old. Simply checking that the current time lies + between thisUpdate and nextUpdate max reject otherwise valid responses + caused by either OCSP responder or client clock inaccuracy. Instead + we allow thisUpdate and nextUpdate to fall within a certain period of + the current time. The age of the response can also optionally be + checked. Two new options -validity_period and -status_age added to + ocsp utility. + [Steve Henson] + + *) If signature or public key algorithm is unrecognized print out its + OID rather that just UNKNOWN. + [Steve Henson] + + *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and + OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate + ID to be generated from the issuer certificate alone which can then be + passed to OCSP_id_issuer_cmp(). + [Steve Henson] + + *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new + ASN1 modules to export functions returning ASN1_ITEM pointers + instead of the ASN1_ITEM structures themselves. This adds several + new macros which allow the underlying ASN1 function/structure to + be accessed transparently. As a result code should not use ASN1_ITEM + references directly (such as &X509_it) but instead use the relevant + macros (such as ASN1_ITEM_rptr(X509)). This option is to allow + use of the new ASN1 code on platforms where exporting structures + is problematical (for example in shared libraries) but exporting + functions returning pointers to structures is not. + [Steve Henson] + + *) Add support for overriding the generation of SSL/TLS session IDs. + These callbacks can be registered either in an SSL_CTX or per SSL. + The purpose of this is to allow applications to control, if they wish, + the arbitrary values chosen for use as session IDs, particularly as it + can be useful for session caching in multiple-server environments. A + command-line switch for testing this (and any client code that wishes + to use such a feature) has been added to "s_server". + [Geoff Thorpe, Lutz Jaenicke] + + *) Modify mkdef.pl to recognise and parse preprocessor conditionals + of the form '#if defined(...) || defined(...) || ...' and + '#if !defined(...) && !defined(...) && ...'. This also avoids + the growing number of special cases it was previously handling. + [Richard Levitte] + + *) Make all configuration macros available for application by making + sure they are available in opensslconf.h, by giving them names starting + with "OPENSSL_" to avoid conflicts with other packages and by making + sure e_os2.h will cover all platform-specific cases together with + opensslconf.h. + Additionally, it is now possible to define configuration/platform- + specific names (called "system identities"). In the C code, these + are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another + macro with the name beginning with "OPENSSL_SYS_", which is determined + from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on + what is available. + [Richard Levitte] + + *) New option -set_serial to 'req' and 'x509' this allows the serial + number to use to be specified on the command line. Previously self + signed certificates were hard coded with serial number 0 and the + CA options of 'x509' had to use a serial number in a file which was + auto incremented. + [Steve Henson] + + *) New options to 'ca' utility to support V2 CRL entry extensions. + Currently CRL reason, invalidity date and hold instruction are + supported. Add new CRL extensions to V3 code and some new objects. + [Steve Henson] + + *) New function EVP_CIPHER_CTX_set_padding() this is used to + disable standard block padding (aka PKCS#5 padding) in the EVP + API, which was previously mandatory. This means that the data is + not padded in any way and so the total length much be a multiple + of the block size, otherwise an error occurs. + [Steve Henson] + + *) Initial (incomplete) OCSP SSL support. + [Steve Henson] + + *) New function OCSP_parse_url(). This splits up a URL into its host, + port and path components: primarily to parse OCSP URLs. New -url + option to ocsp utility. + [Steve Henson] + + *) New nonce behavior. The return value of OCSP_check_nonce() now + reflects the various checks performed. Applications can decide + whether to tolerate certain situations such as an absent nonce + in a response when one was present in a request: the ocsp application + just prints out a warning. New function OCSP_add1_basic_nonce() + this is to allow responders to include a nonce in a response even if + the request is nonce-less. + [Steve Henson] + + *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are + skipped when using openssl x509 multiple times on a single input file, + e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) ] + + *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates + passed by the function are trusted implicitly. If any of them signed the + response then it is assumed to be valid and is not verified. + [Steve Henson] + + *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT + to data. This was previously part of the PKCS7 ASN1 code. This + was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. + [Steve Henson, reported by Kenneth R. Robinette + ] + + *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 + routines: without these tracing memory leaks is very painful. + Fix leaks in PKCS12 and PKCS7 routines. + [Steve Henson] + + *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). + Previously it initialised the 'type' argument to V_ASN1_UTCTIME which + effectively meant GeneralizedTime would never be used. Now it + is initialised to -1 but X509_time_adj() now has to check the value + and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or + V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. + [Steve Henson, reported by Kenneth R. Robinette + ] + + *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously + result in a zero length in the ASN1_INTEGER structure which was + not consistent with the structure when d2i_ASN1_INTEGER() was used + and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() + to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() + where it did not print out a minus for negative ASN1_INTEGER. + [Steve Henson] + + *) Add summary printout to ocsp utility. The various functions which + convert status values to strings have been renamed to: + OCSP_response_status_str(), OCSP_cert_status_str() and + OCSP_crl_reason_str() and are no longer static. New options + to verify nonce values and to disable verification. OCSP response + printout format cleaned up. + [Steve Henson] + + *) Add additional OCSP certificate checks. These are those specified + in RFC2560. This consists of two separate checks: the CA of the + certificate being checked must either be the OCSP signer certificate + or the issuer of the OCSP signer certificate. In the latter case the + OCSP signer certificate must contain the OCSP signing extended key + usage. This check is performed by attempting to match the OCSP + signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash + in the OCSP_CERTID structures of the response. + [Steve Henson] + + *) Initial OCSP certificate verification added to OCSP_basic_verify() + and related routines. This uses the standard OpenSSL certificate + verify routines to perform initial checks (just CA validity) and + to obtain the certificate chain. Then additional checks will be + performed on the chain. Currently the root CA is checked to see + if it is explicitly trusted for OCSP signing. This is used to set + a root CA as a global signing root: that is any certificate that + chains to that CA is an acceptable OCSP signing certificate. + [Steve Henson] + + *) New '-extfile ...' option to 'openssl ca' for reading X.509v3 + extensions from a separate configuration file. + As when reading extensions from the main configuration file, + the '-extensions ...' option may be used for specifying the + section to use. + [Massimiliano Pala ] + + *) New OCSP utility. Allows OCSP requests to be generated or + read. The request can be sent to a responder and the output + parsed, outputed or printed in text form. Not complete yet: + still needs to check the OCSP response validity. + [Steve Henson] + + *) New subcommands for 'openssl ca': + 'openssl ca -status ' prints the status of the cert with + the given serial number (according to the index file). + 'openssl ca -updatedb' updates the expiry status of certificates + in the index file. + [Massimiliano Pala ] + + *) New '-newreq-nodes' command option to CA.pl. This is like + '-newreq', but calls 'openssl req' with the '-nodes' option + so that the resulting key is not encrypted. + [Damien Miller ] + + *) New configuration for the GNU Hurd. + [Jonathan Bartlett via Richard Levitte] + + *) Initial code to implement OCSP basic response verify. This + is currently incomplete. Currently just finds the signer's + certificate and verifies the signature on the response. + [Steve Henson] + + *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in + value of OPENSSLDIR. This is available via the new '-d' option + to 'openssl version', and is also included in 'openssl version -a'. + [Bodo Moeller] + + *) Allowing defining memory allocation callbacks that will be given + file name and line number information in additional arguments + (a const char* and an int). The basic functionality remains, as + well as the original possibility to just replace malloc(), + realloc() and free() by functions that do not know about these + additional arguments. To register and find out the current + settings for extended allocation functions, the following + functions are provided: + + CRYPTO_set_mem_ex_functions + CRYPTO_set_locked_mem_ex_functions + CRYPTO_get_mem_ex_functions + CRYPTO_get_locked_mem_ex_functions + + These work the same way as CRYPTO_set_mem_functions and friends. + CRYPTO_get_[locked_]mem_functions now writes 0 where such an + extended allocation function is enabled. + Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where + a conventional allocation function is enabled. + [Richard Levitte, Bodo Moeller] + + *) Finish off removing the remaining LHASH function pointer casts. + There should no longer be any prototype-casting required when using + the LHASH abstraction, and any casts that remain are "bugs". See + the callback types and macros at the head of lhash.h for details + (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example). + [Geoff Thorpe] + + *) Add automatic query of EGD sockets in RAND_poll() for the unix variant. + If /dev/[u]random devices are not available or do not return enough + entropy, EGD style sockets (served by EGD or PRNGD) will automatically + be queried. + The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and + /etc/entropy will be queried once each in this sequence, quering stops + when enough entropy was collected without querying more sockets. + [Lutz Jaenicke] + + *) Change the Unix RAND_poll() variant to be able to poll several + random devices, as specified by DEVRANDOM, until a sufficient amount + of data has been collected. We spend at most 10 ms on each file + (select timeout) and read in non-blocking mode. DEVRANDOM now + defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" + (previously it was just the string "/dev/urandom"), so on typical + platforms the 10 ms delay will never occur. + Also separate out the Unix variant to its own file, rand_unix.c. + For VMS, there's a currently-empty rand_vms.c. + [Richard Levitte] + + *) Move OCSP client related routines to ocsp_cl.c. These + provide utility functions which an application needing + to issue a request to an OCSP responder and analyse the + response will typically need: as opposed to those which an + OCSP responder itself would need which will be added later. + + OCSP_request_sign() signs an OCSP request with an API similar + to PKCS7_sign(). OCSP_response_status() returns status of OCSP + response. OCSP_response_get1_basic() extracts basic response + from response. OCSP_resp_find_status(): finds and extracts status + information from an OCSP_CERTID structure (which will be created + when the request structure is built). These are built from lower + level functions which work on OCSP_SINGLERESP structures but + wont normally be used unless the application wishes to examine + extensions in the OCSP response for example. + + Replace nonce routines with a pair of functions. + OCSP_request_add1_nonce() adds a nonce value and optionally + generates a random value. OCSP_check_nonce() checks the + validity of the nonce in an OCSP response. + [Steve Henson] + + *) Change function OCSP_request_add() to OCSP_request_add0_id(). + This doesn't copy the supplied OCSP_CERTID and avoids the + need to free up the newly created id. Change return type + to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. + This can then be used to add extensions to the request. + Deleted OCSP_request_new(), since most of its functionality + is now in OCSP_REQUEST_new() (and the case insensitive name + clash) apart from the ability to set the request name which + will be added elsewhere. + [Steve Henson] + + *) Update OCSP API. Remove obsolete extensions argument from + various functions. Extensions are now handled using the new + OCSP extension code. New simple OCSP HTTP function which + can be used to send requests and parse the response. + [Steve Henson] + + *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new + ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN + uses the special reorder version of SET OF to sort the attributes + and reorder them to match the encoded order. This resolves a long + standing problem: a verify on a PKCS7 structure just after signing + it used to fail because the attribute order did not match the + encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: + it uses the received order. This is necessary to tolerate some broken + software that does not order SET OF. This is handled by encoding + as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class) + to produce the required SET OF. + [Steve Henson] + + *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and + OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header + files to get correct declarations of the ASN.1 item variables. + [Richard Levitte] + + *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many + PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs: + asn1_check_tlen() would sometimes attempt to use 'ctx' when it was + NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i(). + New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant + ASN1_ITEM and no wrapper functions. + [Steve Henson] + + *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These + replace the old function pointer based I/O routines. Change most of + the *_d2i_bio() and *_d2i_fp() functions to use these. + [Steve Henson] + + *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor + lines, recognice more "algorithms" that can be deselected, and make + it complain about algorithm deselection that isn't recognised. + [Richard Levitte] + + *) New ASN1 functions to handle dup, sign, verify, digest, pack and + unpack operations in terms of ASN1_ITEM. Modify existing wrappers + to use new functions. Add NO_ASN1_OLD which can be set to remove + some old style ASN1 functions: this can be used to determine if old + code will still work when these eventually go away. + [Steve Henson] + + *) New extension functions for OCSP structures, these follow the + same conventions as certificates and CRLs. + [Steve Henson] + + *) New function X509V3_add1_i2d(). This automatically encodes and + adds an extension. Its behaviour can be customised with various + flags to append, replace or delete. Various wrappers added for + certifcates and CRLs. + [Steve Henson] + + *) Fix to avoid calling the underlying ASN1 print routine when + an extension cannot be parsed. Correct a typo in the + OCSP_SERVICELOC extension. Tidy up print OCSP format. + [Steve Henson] + + *) Make mkdef.pl parse some of the ASN1 macros and add apropriate + entries for variables. + [Steve Henson] + + *) Add functionality to apps/openssl.c for detecting locking + problems: As the program is single-threaded, all we have + to do is register a locking callback using an array for + storing which locks are currently held by the program. + [Bodo Moeller] + + *) Use a lock around the call to CRYPTO_get_ex_new_index() in + SSL_get_ex_data_X509_STORE_idx(), which is used in + ssl_verify_cert_chain() and thus can be called at any time + during TLS/SSL handshakes so that thread-safety is essential. + Unfortunately, the ex_data design is not at all suited + for multi-threaded use, so it probably should be abolished. + [Bodo Moeller] + + *) Added Broadcom "ubsec" ENGINE to OpenSSL. + [Broadcom, tweaked and integrated by Geoff Thorpe] + + *) Move common extension printing code to new function + X509V3_print_extensions(). Reorganise OCSP print routines and + implement some needed OCSP ASN1 functions. Add OCSP extensions. + [Steve Henson] + + *) New function X509_signature_print() to remove duplication in some + print routines. + [Steve Henson] + + *) Add a special meaning when SET OF and SEQUENCE OF flags are both + set (this was treated exactly the same as SET OF previously). This + is used to reorder the STACK representing the structure to match the + encoding. This will be used to get round a problem where a PKCS7 + structure which was signed could not be verified because the STACK + order did not reflect the encoded order. + [Steve Henson] + + *) Reimplement the OCSP ASN1 module using the new code. + [Steve Henson] + + *) Update the X509V3 code to permit the use of an ASN1_ITEM structure + for its ASN1 operations. The old style function pointers still exist + for now but they will eventually go away. + [Steve Henson] + + *) Merge in replacement ASN1 code from the ASN1 branch. This almost + completely replaces the old ASN1 functionality with a table driven + encoder and decoder which interprets an ASN1_ITEM structure describing + the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is + largely maintained. Almost all of the old asn1_mac.h macro based ASN1 + has also been converted to the new form. + [Steve Henson] + + *) Change BN_mod_exp_recp so that negative moduli are tolerated + (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set + so that BN_mod_exp_mont and BN_mod_exp_mont_word work + for negative moduli. + [Bodo Moeller] + + *) Fix BN_uadd and BN_usub: Always return non-negative results instead + of not touching the result's sign bit. + [Bodo Moeller] + + *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be + set. + [Bodo Moeller] + + *) Changed the LHASH code to use prototypes for callbacks, and created + macros to declare and implement thin (optionally static) functions + that provide type-safety and avoid function pointer casting for the + type-specific callbacks. + [Geoff Thorpe] + + *) Added Kerberos Cipher Suites to be used with TLS, as written in + RFC 2712. + [Veers Staats , + Jeffrey Altman , via Richard Levitte] + + *) Reformat the FAQ so the different questions and answers can be divided + in sections depending on the subject. + [Richard Levitte] + + *) Have the zlib compression code load ZLIB.DLL dynamically under + Windows. + [Richard Levitte] + + *) New function BN_mod_sqrt for computing square roots modulo a prime + (using the probabilistic Tonelli-Shanks algorithm unless + p == 3 (mod 4) or p == 5 (mod 8), which are cases that can + be handled deterministically). + [Lenka Fibikova , Bodo Moeller] + + *) Make BN_mod_inverse faster by explicitly handling small quotients + in the Euclid loop. (Speed gain about 20% for small moduli [256 or + 512 bits], about 30% for larger ones [1024 or 2048 bits].) + [Bodo Moeller] + + *) New function BN_kronecker. + [Bodo Moeller] + + *) Fix BN_gcd so that it works on negative inputs; the result is + positive unless both parameters are zero. + Previously something reasonably close to an infinite loop was + possible because numbers could be growing instead of shrinking + in the implementation of Euclid's algorithm. + [Bodo Moeller] + + *) Fix BN_is_word() and BN_is_one() macros to take into account the + sign of the number in question. + + Fix BN_is_word(a,w) to work correctly for w == 0. + + The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w) + because its test if the absolute value of 'a' equals 'w'. + Note that BN_abs_is_word does *not* handle w == 0 reliably; + it exists mostly for use in the implementations of BN_is_zero(), + BN_is_one(), and BN_is_word(). + [Bodo Moeller] + + *) New function BN_swap. + [Bodo Moeller] + + *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that + the exponentiation functions are more likely to produce reasonable + results on negative inputs. + [Bodo Moeller] + + *) Change BN_mod_mul so that the result is always non-negative. + Previously, it could be negative if one of the factors was negative; + I don't think anyone really wanted that behaviour. + [Bodo Moeller] + + *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c + (except for exponentiation, which stays in crypto/bn/bn_exp.c, + and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c) + and add new functions: + + BN_nnmod + BN_mod_sqr + BN_mod_add + BN_mod_add_quick + BN_mod_sub + BN_mod_sub_quick + BN_mod_lshift1 + BN_mod_lshift1_quick + BN_mod_lshift + BN_mod_lshift_quick + + These functions always generate non-negative results. + + BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r + such that |m| < r < 0, BN_nnmod will output rem + |m| instead). + + BN_mod_XXX_quick(r, a, [b,] m) generates the same result as + BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b] + be reduced modulo m. + [Lenka Fibikova , Bodo Moeller] + + *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there + was actually never needed) and in BN_mul(). The removal in BN_mul() + required a small change in bn_mul_part_recursive() and the addition + of the functions bn_cmp_part_words(), bn_sub_part_words() and + bn_add_part_words(), which do the same thing as bn_cmp_words(), + bn_sub_words() and bn_add_words() except they take arrays with + differing sizes. + [Richard Levitte] + + *) In 'openssl passwd', verify passwords read from the terminal + unless the '-salt' option is used (which usually means that + verification would just waste user's time since the resulting + hash is going to be compared with some given password hash) + or the new '-noverify' option is used. + + This is an incompatible change, but it does not affect + non-interactive use of 'openssl passwd' (passwords on the command + line, '-stdin' option, '-in ...' option) and thus should not + cause any problems. + [Bodo Moeller] + + *) Remove all references to RSAref, since there's no more need for it. + [Richard Levitte] + + *) Make DSO load along a path given through an environment variable + (SHLIB_PATH) with shl_load(). + [Richard Levitte] + + *) Constify the ENGINE code as a result of BIGNUM constification. + Also constify the RSA code and most things related to it. In a + few places, most notable in the depth of the ASN.1 code, ugly + casts back to non-const were required (to be solved at a later + time) + [Richard Levitte] + + *) Make it so the openssl application has all engines loaded by default. + [Richard Levitte] + + *) Constify the BIGNUM routines a little more. + [Richard Levitte] + + *) Add the following functions: + + ENGINE_load_cswift() + ENGINE_load_chil() + ENGINE_load_atalla() + ENGINE_load_nuron() + ENGINE_load_builtin_engines() + + That way, an application can itself choose if external engines that + are built-in in OpenSSL shall ever be used or not. The benefit is + that applications won't have to be linked with libdl or other dso + libraries unless it's really needed. + + Changed 'openssl engine' to load all engines on demand. + Changed the engine header files to avoid the duplication of some + declarations (they differed!). + [Richard Levitte] + + *) 'openssl engine' can now list capabilities. + [Richard Levitte] + + *) Better error reporting in 'openssl engine'. + [Richard Levitte] + + *) Never call load_dh_param(NULL) in s_server. + [Bodo Moeller] + + *) Add engine application. It can currently list engines by name and + identity, and test if they are actually available. + [Richard Levitte] + + *) Improve RPM specification file by forcing symbolic linking and making + sure the installed documentation is also owned by root.root. + [Damien Miller ] + + *) Give the OpenSSL applications more possibilities to make use of + keys (public as well as private) handled by engines. + [Richard Levitte] + + *) Add OCSP code that comes from CertCo. + [Richard Levitte] + + *) Add VMS support for the Rijndael code. + [Richard Levitte] + + *) Added untested support for Nuron crypto accelerator. + [Ben Laurie] + + *) Add support for external cryptographic devices. This code was + previously distributed separately as the "engine" branch. + [Geoff Thorpe, Richard Levitte] + + *) Rework the filename-translation in the DSO code. It is now possible to + have far greater control over how a "name" is turned into a filename + depending on the operating environment and any oddities about the + different shared library filenames on each system. + [Geoff Thorpe] + + *) Support threads on FreeBSD-elf in Configure. + [Richard Levitte] + + *) Fix for SHA1 assembly problem with MASM: it produces + warnings about corrupt line number information when assembling + with debugging information. This is caused by the overlapping + of two sections. + [Bernd Matthes , Steve Henson] + + *) NCONF changes. + NCONF_get_number() has no error checking at all. As a replacement, + NCONF_get_number_e() is defined (_e for "error checking") and is + promoted strongly. The old NCONF_get_number is kept around for + binary backward compatibility. + Make it possible for methods to load from something other than a BIO, + by providing a function pointer that is given a name instead of a BIO. + For example, this could be used to load configuration data from an + LDAP server. + [Richard Levitte] + + *) Fix for non blocking accept BIOs. Added new I/O special reason + BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs + with non blocking I/O was not possible because no retry code was + implemented. Also added new SSL code SSL_WANT_ACCEPT to cover + this case. + [Steve Henson] + + *) Added the beginnings of Rijndael support. + [Ben Laurie] + + *) Fix for bug in DirectoryString mask setting. Add support for + X509_NAME_print_ex() in 'req' and X509_print_ex() function + to allow certificate printing to more controllable, additional + 'certopt' option to 'x509' to allow new printing options to be + set. + [Steve Henson] + + *) Clean old EAY MD5 hack from e_os.h. + [Richard Levitte] + + Changes between 0.9.6c and 0.9.6d [XX xxx 2002] + + *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not + encoded as NULL) with id-dsa-with-sha1. + [Nils Larsch ; problem pointed out by Bodo Moeller] + + *) Check various X509_...() return values in apps/req.c. + [Nils Larsch ] + + *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: + an end-of-file condition would erronously be flagged, when the CRLF + was just at the end of a processed block. The bug was discovered when + processing data through a buffering memory BIO handing the data to a + BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov + and Nedelcho Stanev. + [Lutz Jaenicke] + + *) Implement a countermeasure against a vulnerability recently found + in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment + before application data chunks to avoid the use of known IVs + with data potentially chosen by the attacker. + [Bodo Moeller] + + *) Fix length checks in ssl3_get_client_hello(). + [Bodo Moeller] + + *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently + to prevent ssl3_read_internal() from incorrectly assuming that + ssl3_read_bytes() found application data while handshake + processing was enabled when in fact s->s3->in_read_app_data was + merely automatically cleared during the initial handshake. + [Bodo Moeller; problem pointed out by Arne Ansper ] + + *) Fix object definitions for Private and Enterprise: they were not + recognized in their shortname (=lowercase) representation. Extend + obj_dat.pl to issue an error when using undefined keywords instead + of silently ignoring the problem (Svenning Sorensen + ). + [Lutz Jaenicke] + + *) Fix DH_generate_parameters() so that it works for 'non-standard' + generators, i.e. generators other than 2 and 5. (Previously, the + code did not properly initialise the 'add' and 'rem' values to + BN_generate_prime().) + + In the new general case, we do not insist that 'generator' is + actually a primitive root: This requirement is rather pointless; + a generator of the order-q subgroup is just as good, if not + better. + [Bodo Moeller] + + *) Map new X509 verification errors to alerts. Discovered and submitted by + Tom Wu . + [Lutz Jaenicke] + + *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from + returning non-zero before the data has been completely received + when using non-blocking I/O. + [Bodo Moeller; problem pointed out by John Hughes] + + *) Some of the ciphers missed the strength entry (SSL_LOW etc). + [Ben Laurie, Lutz Jaenicke] + + *) Fix bug in SSL_clear(): bad sessions were not removed (found by + Yoram Zahavi ). + [Lutz Jaenicke] + + *) Add information about CygWin 1.3 and on, and preserve proper + configuration for the versions before that. + [Corinna Vinschen and Richard Levitte] + + *) Make removal from session cache (SSL_CTX_remove_session()) more robust: + check whether we deal with a copy of a session and do not delete from + the cache in this case. Problem reported by "Izhar Shoshani Levi" + . + [Lutz Jaenicke] + + *) Do not store session data into the internal session cache, if it + is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP + flag is set). Proposed by Aslam . + [Lutz Jaenicke] + + *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested + value is 0. + [Richard Levitte] + + *) Add the configuration target linux-s390x. + [Neale Ferguson via Richard Levitte] + + *) [In 0.9.6d-engine release:] + Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). + [Toomas Kiisk via Richard Levitte] + + *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of + ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag + variable as an indication that a ClientHello message has been + received. As the flag value will be lost between multiple + invocations of ssl3_accept when using non-blocking I/O, the + function may not be aware that a handshake has actually taken + place, thus preventing a new session from being added to the + session cache. + + To avoid this problem, we now set s->new_session to 2 instead of + using a local variable. + [Lutz Jaenicke, Bodo Moeller] + + *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) + if the SSL_R_LENGTH_MISMATCH error is detected. + [Geoff Thorpe, Bodo Moeller] + + *) New 'shared_ldflag' column in Configure platform table. + [Richard Levitte] + + *) Fix EVP_CIPHER_mode macro. + ["Dan S. Camper" ] + + *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown + type, we must throw them away by setting rr->length to 0. + [D P Chang ] + + Changes between 0.9.6b and 0.9.6c [21 dec 2001] + + *) Fix BN_rand_range bug pointed out by Dominikus Scherkl + . (The previous implementation + worked incorrectly for those cases where range = 10..._2 and + 3*range is two bits longer than range.) + [Bodo Moeller] + + *) Only add signing time to PKCS7 structures if it is not already + present. + [Steve Henson] + + *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", + OBJ_ld_ce should be OBJ_id_ce. + Also some ip-pda OIDs in crypto/objects/objects.txt were + incorrect (cf. RFC 3039). + [Matt Cooper, Frederic Giudicelli, Bodo Moeller] + + *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() + returns early because it has nothing to do. + [Andy Schneider ] + + *) [In 0.9.6c-engine release:] + Fix mutex callback return values in crypto/engine/hw_ncipher.c. + [Andy Schneider ] + + *) [In 0.9.6c-engine release:] + Add support for Cryptographic Appliance's keyserver technology. + (Use engine 'keyclient') + [Cryptographic Appliances and Geoff Thorpe] + + *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' + is called via tools/c89.sh because arguments have to be + rearranged (all '-L' options must appear before the first object + modules). + [Richard Shapiro ] + + *) [In 0.9.6c-engine release:] + Add support for Broadcom crypto accelerator cards, backported + from 0.9.7. + [Broadcom, Nalin Dahyabhai , Mark Cox] + + *) [In 0.9.6c-engine release:] + Add support for SureWare crypto accelerator cards from + Baltimore Technologies. (Use engine 'sureware') + [Baltimore Technologies and Mark Cox] + + *) [In 0.9.6c-engine release:] + Add support for crypto accelerator cards from Accelerated + Encryption Processing, www.aep.ie. (Use engine 'aep') + [AEP Inc. and Mark Cox] + + *) Add a configuration entry for gcc on UnixWare. + [Gary Benson ] + + *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake + messages are stored in a single piece (fixed-length part and + variable-length part combined) and fix various bugs found on the way. + [Bodo Moeller] + + *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() + instead. BIO_gethostbyname() does not know what timeouts are + appropriate, so entries would stay in cache even when they have + become invalid. + [Bodo Moeller; problem pointed out by Rich Salz + + *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when + faced with a pathologically small ClientHello fragment that does + not contain client_version: Instead of aborting with an error, + simply choose the highest available protocol version (i.e., + TLS 1.0 unless it is disabled). In practice, ClientHello + messages are never sent like this, but this change gives us + strictly correct behaviour at least for TLS. + [Bodo Moeller] + + *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() + never resets s->method to s->ctx->method when called from within + one of the SSL handshake functions. + [Bodo Moeller; problem pointed out by Niko Baric] + + *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert + (sent using the client's version number) if client_version is + smaller than the protocol version in use. Also change + ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if + the client demanded SSL 3.0 but only TLS 1.0 is enabled; then + the client will at least see that alert. + [Bodo Moeller] + + *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation + correctly. + [Bodo Moeller] + + *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a + client receives HelloRequest while in a handshake. + [Bodo Moeller; bug noticed by Andy Schneider ] + + *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C + should end in 'break', not 'goto end' which circuments various + cleanups done in state SSL_ST_OK. But session related stuff + must be disabled for SSL_ST_OK in the case that we just sent a + HelloRequest. + + Also avoid some overhead by not calling ssl_init_wbio_buffer() + before just sending a HelloRequest. + [Bodo Moeller, Eric Rescorla ] + + *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't + reveal whether illegal block cipher padding was found or a MAC + verification error occured. (Neither SSLerr() codes nor alerts + are directly visible to potential attackers, but the information + may leak via logfiles.) + + Similar changes are not required for the SSL 2.0 implementation + because the number of padding bytes is sent in clear for SSL 2.0, + and the extra bytes are just ignored. However ssl/s2_pkt.c + failed to verify that the purported number of padding bytes is in + the legal range. + [Bodo Moeller] + + *) Add OpenUNIX-8 support including shared libraries + (Boyd Lynn Gerber ). + [Lutz Jaenicke] + + *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid + 'wristwatch attack' using huge encoding parameters (cf. + James H. Manger's CRYPTO 2001 paper). Note that the + RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use + encoding parameters and hence was not vulnerable. + [Bodo Moeller] + + *) BN_sqr() bug fix. + [Ulf Möller, reported by Jim Ellis ] + + *) Rabin-Miller test analyses assume uniformly distributed witnesses, + so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() + followed by modular reduction. + [Bodo Moeller; pointed out by Adam Young ] + + *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() + equivalent based on BN_pseudo_rand() instead of BN_rand(). + [Bodo Moeller] + + *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). + This function was broken, as the check for a new client hello message + to handle SGC did not allow these large messages. + (Tracked down by "Douglas E. Engert" .) + [Lutz Jaenicke] + + *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). + [Lutz Jaenicke] + + *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() + for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" ). + [Lutz Jaenicke] + + *) Rework the configuration and shared library support for Tru64 Unix. + The configuration part makes use of modern compiler features and + still retains old compiler behavior for those that run older versions + of the OS. The shared library support part includes a variant that + uses the RPATH feature, and is available through the special + configuration target "alpha-cc-rpath", which will never be selected + automatically. + [Tim Mooney via Richard Levitte] + + *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() + with the same message size as in ssl3_get_certificate_request(). + Otherwise, if no ServerKeyExchange message occurs, CertificateRequest + messages might inadvertently be reject as too long. + [Petr Lampa ] + + *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). + [Andy Polyakov] + + *) Modified SSL library such that the verify_callback that has been set + specificly for an SSL object with SSL_set_verify() is actually being + used. Before the change, a verify_callback set with this function was + ignored and the verify_callback() set in the SSL_CTX at the time of + the call was used. New function X509_STORE_CTX_set_verify_cb() introduced + to allow the necessary settings. + [Lutz Jaenicke] + + *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c + explicitly to NULL, as at least on Solaris 8 this seems not always to be + done automatically (in contradiction to the requirements of the C + standard). This made problems when used from OpenSSH. + [Lutz Jaenicke] + + *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored + dh->length and always used + + BN_rand_range(priv_key, dh->p). + + BN_rand_range() is not necessary for Diffie-Hellman, and this + specific range makes Diffie-Hellman unnecessarily inefficient if + dh->length (recommended exponent length) is much smaller than the + length of dh->p. We could use BN_rand_range() if the order of + the subgroup was stored in the DH structure, but we only have + dh->length. + + So switch back to + + BN_rand(priv_key, l, ...) + + where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 + otherwise. + [Bodo Moeller] + + *) In + + RSA_eay_public_encrypt + RSA_eay_private_decrypt + RSA_eay_private_encrypt (signing) + RSA_eay_public_decrypt (signature verification) + + (default implementations for RSA_public_encrypt, + RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), + always reject numbers >= n. + [Bodo Moeller] + + *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 + to synchronize access to 'locking_thread'. This is necessary on + systems where access to 'locking_thread' (an 'unsigned long' + variable) is not atomic. + [Bodo Moeller] + + *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID + *before* setting the 'crypto_lock_rand' flag. The previous code had + a race condition if 0 is a valid thread ID. + [Travis Vitek ] + + *) Add support for shared libraries under Irix. + [Albert Chin-A-Young ] + + *) Add configuration option to build on Linux on both big-endian and + little-endian MIPS. + [Ralf Baechle ] + + *) Add the possibility to create shared libraries on HP-UX. + [Richard Levitte] + Changes between 0.9.6a and 0.9.6b [9 Jul 2001] *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) @@ -56,7 +2014,7 @@ [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 - RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 + RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking @@ -106,7 +2064,7 @@ combination of a flag and a thread ID variable. Otherwise while one thread is in ssleay_rand_bytes (which sets the flag), *other* threads can enter ssleay_add_bytes without obeying - the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock + the CRYPTO_LOCK_RAND lock (and may even illegally release the lock that they do not hold after the first thread unsets add_do_not_lock). [Bodo Moeller] @@ -748,7 +2706,7 @@ default is static libraries only, and the OpenSSL programs are always statically linked for now, but there are preparations for dynamic linking in place. - This has been tested on Linux and True64. + This has been tested on Linux and Tru64. [Richard Levitte] *) Randomness polling function for Win9x, as described in: diff --git a/lib/libssl/src/Configure b/lib/libssl/src/Configure index 49665153faa..1ffe1ac8565 100644 --- a/lib/libssl/src/Configure +++ b/lib/libssl/src/Configure @@ -10,7 +10,7 @@ use strict; # see INSTALL for instructions. -my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n"; +my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n"; # Options: # @@ -23,23 +23,37 @@ my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [- # default). This needn't be set in advance, you can # just as well use "make INSTALL_PREFIX=/whatever install". # +# --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected +# to live in the subdirectory lib/ and the header files in +# include/. A value is required. +# --with-krb5-lib Declare where the Kerberos 5 libraries live. A value is +# required. +# (Default: KRB5_DIR/lib) +# --with-krb5-include Declare where the Kerberos 5 header files live. A +# value is required. +# (Default: KRB5_DIR/include) +# --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently +# supported values are "MIT" and "Heimdal". A value is required. +# +# --test-sanity Make a number of sanity checks on the data in this file. +# This is a debugging tool for OpenSSL developers. +# # no-hw-xxx do not compile support for specific crypto hardware. # Generic OpenSSL-style methods relating to this support # are always compiled but return NULL if the hardware # support isn't compiled. # no-hw do not compile support for any crypto hardware. -# rsaref use RSAref # [no-]threads [don't] try to create a library that is suitable for # multithreaded applications (default is "threads" if we # know how to do it) # [no-]shared [don't] try to create shared libraries when supported. -# IT IS NOT RECOMMENDED TO USE "shared"! Since this is a -# development branch, the positions of the ENGINE symbols -# in the transfer vector are constantly moving, so binary -# backward compatibility can't be guaranteed in any way. # no-asm do not use assembler # no-dso do not compile in any native shared-library methods. This # will ensure that all methods just return NULL. +# no-krb5 do not compile in any KRB5 library or code. +# [no-]zlib [don't] compile support for zlib compression. +# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared +# library and will be loaded in run-time by the OpenSSL library. # 386 generate 80386 code # no- build without specified algorithm (rsa, idea, rc5, ...) # - + compiler options are passed through @@ -106,7 +120,7 @@ my $alpha_asm="::::::::"; # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined -#config-string $cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag +#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib my %table=( # File 'TABLE' (created by 'make TABLE') contains the data from this list, @@ -119,87 +133,93 @@ my %table=( #"b2-is-ri-dp", "${tcc}:${tflags}::${tlib}:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:${tbn_mul}::", # Our development configs -"purify", "purify gcc:-g -DPURIFY -Wall::(unknown):-lsocket -lnsl::::", -"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::", -"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::", -"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::", -"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::", -"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn", -"dist", "cc:-O::(unknown):::::", +"purify", "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::", +"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::", +"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o", +"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", +"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", +"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::", +"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", +"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"dist", "cc:-O::(unknown)::::::", # Basic configs that should work on any (32 and less bit) box -"gcc", "gcc:-O3::(unknown)::BN_LLONG:::", -"cc", "cc:-O::(unknown):::::", +"gcc", "gcc:-O3::(unknown):::BN_LLONG:::", +"cc", "cc:-O::(unknown)::::::", -#### Solaris x86 setups -# -DNO_INLINE_ASM switches off inline assembler. We have to do it +#### Solaris x86 with GNU C setups +# -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it # here because whenever GNU C instantiates an assembler template it # surrounds it with #APP #NO_APP comment pair which (at least Solaris # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic" # error message. -"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Solaris x86 with Sun C setups -"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc +"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. -"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups # DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests -"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 # SC5.0 note: Compiler common patch 107357-01 or later is required! -"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs", +"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs", #### -"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Linux setups -"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", +"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", # Ray Miller has patiently # assisted with debugging of following two configs. -"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::", +"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. -"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:", +"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # !!!Folowing can't be even tested yet!!! # We have to wait till 64-bit glibc for SPARC is operational!!! -#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:", +#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:", # Sunos configs, assuming sparc for the gcc one. -##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown)::DES_UNROLL:::", -"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::", +##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):::DES_UNROLL:::", +"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::", #### IRIX 5.x configs # -mips2 flag is added by ./config when appropriate. -"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::", -"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::", +"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IRIX 6.x configs # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke # './Configure irix-[g]cc' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", -"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Unified HP-UX ANSI C configs. # Special notes: @@ -217,7 +237,7 @@ my %table=( # - Keep in mind that the HP compiler by default generates code # suitable for execution on the host you're currently compiling at. # If the toolkit is ment to be used on various PA-RISC processors -# consider './config +Dportable'. +# consider './config +DAportable'. # - +DD64 is chosen in favour of +DA2.0W because it's ment to be # compatible with *future* releases. # - If you run ./Configure hpux-parisc-[g]cc manually don't forget to @@ -229,60 +249,102 @@ my %table=( # crypto/sha/sha_lcl.h. # # -#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", # Since there is mention of this in shlib/hpux10-cc.sh -"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", -"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", -"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn", +"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +# IA-64 targets +# I have no idea if this one actually works, feedback needed. +"hpux-ia64-cc","cc:-Ae +DD32 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# Frank Geurts has patiently assisted with +# with debugging of the following config. +"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # More attempts at unified 10.X and 11.X targets for HP C compiler. # # Chris Ruemmler # Kevin Steves -"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", -"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl", -"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn", -"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", +"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# Isn't the line below meaningless? HP-UX cc optimizes for host by default. +# hpux-parisc1_0-cc with +DAportable flag would make more sense. +"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 9.X config. # Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or # egcs. gcc 2.8.1 is also broken. -"hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux-cc fails (e.g. during "make test"), try the next one; otherwise, # please report your OS and compiler version to the openssl-bugs@openssl.org # mailing list. -"hpux-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux-gcc fails, try this one: -"hpux-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +# HPUX 9.X on Motorola 68k platforms with gcc +"hpux-m68k-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):::BN_LLONG DES_PTR DES_UNROLL:::::::::::::", # HPUX 10.X config. Supports threads. -"hpux10-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux10-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG): -"hpux10-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux10-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"hpux10-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux10-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # If hpux10-gcc fails, try this one: -"hpux10-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl", +"hpux10-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # HPUX 11.X from www.globus.org. # Only works on PA-RISC 2.0 cpus, and not optimized. Why? -#"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::", -#"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::", +#"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::DES_PTR DES_UNROLL DES_RISC1:::", +#"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::", # Use unified settings above instead. #### HP MPE/iX http://jazz.external.hp.com/src/openssl/ -"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", +"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", + +#### PARISC Linux setups +"linux-parisc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", -# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with -# the new compiler +# Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion +# from the older DEC C Compiler to the newer compiler. It's now the +# same as the preferred entry, alpha-cc. If you are still using the +# older compiler (you're at 3.x or earlier, or perhaps very early 4.x) +# you should use `alphaold-cc'. +# +# "What's in a name? That which we call a rose +# By any other word would smell as sweet." +# +# - William Shakespeare, "Romeo & Juliet", Act II, scene II. +# +# For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the +# vendor compiler, use alphaold-cc. +# For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc. +# For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc. +# +# There's also an alternate target available (which `config' will never +# select) called alpha-cc-rpath. This target builds an RPATH into the +# shared libraries, which is very convenient on Tru64 since binaries +# linked against that shared library will automatically inherit that RPATH, +# and hence know where to look for the openssl libraries, even if they're in +# an odd place. +# # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version -"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so", -"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", -"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", -"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# +"alpha-gcc","gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", +"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so", +"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so", +"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath:::.so", +# +# This probably belongs in a different section. +# +"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Alpha Linux with GNU C and Compaq C setups # Special notes: @@ -297,65 +359,80 @@ my %table=( # # # -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", -"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - -# assembler versions -- currently defunct: -##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}", +"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. -"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", -"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", -"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", -"linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", -"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", -"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", -"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", -"bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", -"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"nextstep", "cc:-O -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", -"nextstep3.3", "cc:-O3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", +"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-pentium", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-ppro", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-k6", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", +"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", +"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", +"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", +"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::", +"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::", +"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::", +"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::", +"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG:::::::::::linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", +"bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", +"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"nextstep", "cc:-O -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", +"nextstep3.3", "cc:-O3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", + # NCR MP-RAS UNIX ver 02.03.01 -"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", +"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", # QNX 4 -"qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:", +"qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:", + +# QNX 6 +"qnx6", "cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:", # Linux on ARM -"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # UnixWare 2.0x fails destest with -O -"unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-2.0","cc:-DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # UnixWare 2.1 -"unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", -"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # UnixWare 7 -"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", -"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", -"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +# OpenUNIX 8 +"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # IBM's AIX. -"aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::", -"aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", -"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", -"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::", +"aix-gcc", "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::", +"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:", # -# Cray T90 (SDSC) +# Cray T90 and similar (SDSC) # It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT # defined. The T90 ints and longs are 8 bytes long, and apparently the # B_ENDIAN code assumes 4 byte ints. Fortunately, the non-B_ENDIAN and @@ -365,7 +442,10 @@ my %table=( #'Taking the address of a bit field is not allowed. ' #'An expression with bit field exists as the operand of "sizeof" ' # (written by Wayne Schroeder ) -"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::", +# +# j90 is considered the base machine type for unicos machines, +# so this configuration is now called "cray-j90" ... +"cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::", # # Cray T3E (Research Center Juelich, beckman@acl.lanl.gov) @@ -375,80 +455,123 @@ my %table=( # for some st_addr stuff, and then sizeof and address-of fails # I could not use the ams/alpha.o option because the Cray assembler, 'cam' # did not like it. -"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::", +"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::", # DGUX, 88100. -"dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::", -"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", -"dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):::RC4_INDEX DES_UNROLL:::", +"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", +"dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", # SCO 3 - Tim Rice -"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... +"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... # SCO 5 - Ben Laurie says the -O breaks the # SCO cc. -"sco5-cc", "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? -"sco5-cc-pentium", "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? -"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... +"sco5-cc", "cc:-belf::(unknown)::-lsocket -lresolv -lnsl:${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-Kpic", # des options? +"sco5-cc-pentium", "cc:-Kpentium::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? +"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ... # Sinix/ReliantUNIX RM400 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g */ -"ReliantUNIX","cc:-KPIC -g -DSNI -DTERMIOS -DB_ENDIAN::-Kthread:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::", -"SINIX","cc:-O -DSNI::(unknown):-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::", -"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown):-lucb:RC4_INDEX RC4_CHAR:::", +"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::", +"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::", # SIEMENS BS2000/OSD: an EBCDIC-based mainframe -"BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown):-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::", +"BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown)::-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::", + +# OS/390 Unix an EBCDIC-based Unix system on IBM mainframe +# You need to compile using the c89.sh wrapper in the tools directory, because the +# IBM compiler does not like the -L switch after any object modules. +# +"OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H -D_ALL_SOURCE::(unknown):::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::", # Windows NT, Microsoft Visual C++ 4.0 -"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32", -"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32", -"VC-WIN16","cl:::(unknown)::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", -"VC-W31-16","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", -"VC-W31-32","cl:::::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", -"VC-MSDOS","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", +"VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", +"VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32", +"VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", +"VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", +"VC-W31-32","cl::::WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::", +"VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::", # Borland C++ 4.5 -"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX::::::::::win32", -"BC-16","bcc:::(unknown)::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", +"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX::::::::::win32", +"BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::", # Mingw32 # (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl # and its library files in util/pl/*) -"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", -# CygWin32 -"CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +# Cygwin +"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", +"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll", # Ultrix from Bernhard Simon -"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::", -"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown)::::::", +"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::", +"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::", # K&R C is no longer supported; you need gcc on old Ultrix installations -##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::", +##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::", # Some OpenBSD from Bob Beck -"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-alpha", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-m88k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-mips", "gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-powerpc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"OpenBSD-sparc64", "gcc:-mcpu=ultrasparc -O2 -fomit-frame-pointer -Wall -DB_ENDIAN -DTERMIOS -DULTRASPARC::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::", -"OpenBSD-vax", "gcc:-DL_ENDIAN -DTERMIOS -O2 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", - -##### MacOS X (a.k.a. Rhapsody) setup -"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", +"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-alpha", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-m88k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-mips", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-powerpc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-sparc64", "gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-vax", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-hppa", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +##### MacOS X (a.k.a. Rhapsody or Darwin) setup +"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", +"darwin-ppc-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::-fPIC", +"darwin-i386-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::-fPIC", ##### Sony NEWS-OS 4.x -"newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::", +"newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::", + +##### GNU Hurd +"hurd-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC", + +##### OS/2 EMX +"OS2-EMX", "gcc::::::::", + +##### VxWorks for various targets +"vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", ); my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 - BC-16 Mingw32); + BC-16 Mingw32 OS2-EMX); + +my $idx = 0; +my $idx_cc = $idx++; +my $idx_cflags = $idx++; +my $idx_unistd = $idx++; +my $idx_thread_cflag = $idx++; +my $idx_sys_id = $idx++; +my $idx_lflags = $idx++; +my $idx_bn_ops = $idx++; +my $idx_bn_obj = $idx++; +my $idx_des_obj = $idx++; +my $idx_bf_obj = $idx++; +my $idx_md5_obj = $idx++; +my $idx_sha1_obj = $idx++; +my $idx_cast_obj = $idx++; +my $idx_rc4_obj = $idx++; +my $idx_rmd160_obj = $idx++; +my $idx_rc5_obj = $idx++; +my $idx_dso_scheme = $idx++; +my $idx_shared_target = $idx++; +my $idx_shared_cflag = $idx++; +my $idx_shared_ldflag = $idx++; +my $idx_shared_extension = $idx++; +my $idx_ranlib = $idx++; my $prefix=""; my $openssldir=""; @@ -456,6 +579,8 @@ my $exe_ext=""; my $install_prefix=""; my $no_threads=0; my $no_shared=1; +my $zlib=0; +my $no_krb5=0; my $threads=0; my $no_asm=0; my $no_dso=0; @@ -483,6 +608,14 @@ my $processor=""; my $default_ranlib; my $perl; +my $no_ssl2=0; +my $no_ssl3=0; +my $no_tls1=0; +my $no_md5=0; +my $no_sha=0; +my $no_rsa=0; +my $no_dh=0; + $default_ranlib= &which("ranlib") or $default_ranlib="true"; $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl") or $perl="perl"; @@ -493,11 +626,13 @@ my $flags; my $depflags; my $openssl_algorithm_defines; my $openssl_thread_defines; +my $openssl_sys_defines=""; my $openssl_other_defines; my $libs; my $target; my $options; my $symlink; +my %withargs=(); my @argvcopy=@ARGV; my $argvstring=""; @@ -509,6 +644,7 @@ while($argv_unprocessed) $depflags=""; $openssl_algorithm_defines=""; $openssl_thread_defines=""; + $openssl_sys_defines=""; $openssl_other_defines=""; $libs=""; $target=""; @@ -522,26 +658,32 @@ PROCESS_ARGS: foreach (@argvcopy) { s /^-no-/no-/; # some people just can't read the instructions - if (/^no-asm$/) + if (/^--test-sanity$/) + { + exit(&test_sanity()); + } + elsif (/^no-asm$/) { $no_asm=1; - $flags .= "-DNO_ASM "; - $openssl_other_defines .= "#define NO_ASM\n"; + $flags .= "-DOPENSSL_NO_ASM "; + $openssl_other_defines .= "#define OPENSSL_NO_ASM\n"; } elsif (/^no-hw-(.+)$/) { my $hw=$1; $hw =~ tr/[a-z]/[A-Z]/; - $flags .= "-DNO_HW_$hw "; - $openssl_other_defines .= "#define NO_HW_$hw\n"; + $flags .= "-DOPENSSL_NO_HW_$hw "; + $openssl_other_defines .= "#define OPENSSL_NO_HW_$hw\n"; } elsif (/^no-hw$/) { - $flags .= "-DNO_HW "; - $openssl_other_defines .= "#define NO_HW\n"; + $flags .= "-DOPENSSL_NO_HW "; + $openssl_other_defines .= "#define OPENSSL_NO_HW\n"; } elsif (/^no-dso$/) { $no_dso=1; } + elsif (/^no-krb5$/) + { $no_krb5=1; } elsif (/^no-threads$/) { $no_threads=1; } elsif (/^threads$/) @@ -550,23 +692,59 @@ PROCESS_ARGS: { $no_shared=1; } elsif (/^shared$/) { $no_shared=0; } + elsif (/^no-zlib$/) + { $zlib=0; } + elsif (/^zlib$/) + { $zlib=1; } + elsif (/^zlib-dynamic$/) + { $zlib=2; } elsif (/^no-symlinks$/) { $symlink=0; } + elsif (/^no-ssl$/) + { $no_ssl2 = $no_ssl3 = 1; } + elsif (/^no-ssl2$/) + { $no_ssl2 = 1; } + elsif (/^no-ssl3$/) + { $no_ssl3 = 1; } + elsif (/^no-tls1?$/) + { $no_tls1 = 1; } elsif (/^no-(.+)$/) { my $algo=$1; push @skip,$algo; $algo =~ tr/[a-z]/[A-Z]/; - $flags .= "-DNO_$algo "; - $depflags .= "-DNO_$algo "; - $openssl_algorithm_defines .= "#define NO_$algo\n"; + $flags .= "-DOPENSSL_NO_$algo "; + $depflags .= "-DOPENSSL_NO_$algo "; + $openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n"; + if ($algo eq "RIJNDAEL") + { + $flags .= "-DOPENSSL_NO_AES "; + $depflags .= "-DOPENSSL_NO_AES "; + $openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n"; + } if ($algo eq "DES") { push @skip, "mdc2"; $options .= " no-mdc2"; - $flags .= "-DNO_MDC2 "; - $depflags .= "-DNO_MDC2 "; - $openssl_algorithm_defines .= "#define NO_MDC2\n"; + $flags .= "-DOPENSSL_NO_MDC2 "; + $depflags .= "-DOPENSSL_NO_MDC2 "; + $openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n"; + } + if ($algo eq "MD5") + { + $no_md5 = 1; + } + if ($algo eq "SHA") + { + $no_sha = 1; + } + if ($algo eq "RSA") + { + $no_rsa = 1; + } + if ($algo eq "DH") + { + $no_dh = 1; } } elsif (/^reconfigure/ || /^reconf/) @@ -596,9 +774,9 @@ PROCESS_ARGS: { $processor=386; } elsif (/^rsaref$/) { - $libs.= "-lRSAglue -lrsaref "; - $flags.= "-DRSAref "; - $openssl_other_defines .= "#define RSAref\n"; + # No RSAref support any more since it's not needed. + # The check for the option is there so scripts aren't + # broken } elsif (/^[-+]/) { @@ -622,6 +800,10 @@ PROCESS_ARGS: { $install_prefix=$1; } + elsif (/^--with-krb5-(dir|lib|include|flavor)=(.*)$/) + { + $withargs{"krb5-".$1}=$2; + } else { print STDERR $usage; @@ -648,6 +830,39 @@ PROCESS_ARGS: } } +$no_ssl3=1 if ($no_md5 || $no_sha); +$no_ssl3=1 if ($no_rsa && $no_dh); + +$no_ssl2=1 if ($no_md5); +$no_ssl2=1 if ($no_rsa); + +$no_tls1=1 if ($no_md5 || $no_sha); +$no_tls1=1 if ($no_dh); + +if ($no_ssl2) + { + push @skip,"SSL2"; + $flags .= "-DOPENSSL_NO_SSL2 "; + $depflags .= "-DOPENSSL_NO_SSL2 "; + $openssl_algorithm_defines .= "#define OPENSSL_NO_SSL2\n"; + } + +if ($no_ssl3) + { + push @skip,"SSL3"; + $flags .= "-DOPENSSL_NO_SSL3 "; + $depflags .= "-DOPENSSL_NO_SSL3 "; + $openssl_algorithm_defines .= "#define OPENSSL_NO_SSL3\n"; + } + +if ($no_tls1) + { + push @skip,"TLS1"; + $flags .= "-DOPENSSL_NO_TLS1 "; + $depflags .= "-DOPENSSL_NO_TLS1 "; + $openssl_algorithm_defines .= "#define OPENSSL_NO_TLS1\n"; + } + if ($target eq "TABLE") { foreach $target (sort keys %table) { print_table_entry($target); @@ -663,13 +878,17 @@ if ($target eq "LIST") { exit 0; } +if ($target =~ m/^CygWin32(-.*)$/) { + $target = "Cygwin".$1; +} + print "Configuring for $target\n"; &usage if (!defined($table{$target})); my $IsWindows=scalar grep /^$target$/,@WinTargets; -$exe_ext=".exe" if ($target eq "CygWin32"); +$exe_ext=".exe" if ($target eq "Cygwin"); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); $prefix=$openssldir if $prefix eq ""; @@ -682,11 +901,85 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//; print "IsWindows=$IsWindows\n"; -(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, - $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $shared_extension,my $ranlib)= - split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); +my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); +my $cc = $fields[$idx_cc]; +my $cflags = $fields[$idx_cflags]; +my $unistd = $fields[$idx_unistd]; +my $thread_cflag = $fields[$idx_thread_cflag]; +my $sys_id = $fields[$idx_sys_id]; +my $lflags = $fields[$idx_lflags]; +my $bn_ops = $fields[$idx_bn_ops]; +my $bn_obj = $fields[$idx_bn_obj]; +my $des_obj = $fields[$idx_des_obj]; +my $bf_obj = $fields[$idx_bf_obj]; +$md5_obj = $fields[$idx_md5_obj]; +$sha1_obj = $fields[$idx_sha1_obj]; +my $cast_obj = $fields[$idx_cast_obj]; +my $rc4_obj = $fields[$idx_rc4_obj]; +$rmd160_obj = $fields[$idx_rmd160_obj]; +my $rc5_obj = $fields[$idx_rc5_obj]; +my $dso_scheme = $fields[$idx_dso_scheme]; +my $shared_target = $fields[$idx_shared_target]; +my $shared_cflag = $fields[$idx_shared_cflag]; +my $shared_ldflag = $fields[$idx_shared_ldflag]; +my $shared_extension = $fields[$idx_shared_extension]; +my $ranlib = $fields[$idx_ranlib]; + $cflags="$flags$cflags" if ($flags ne ""); +# Kerberos settings. The flavor must be provided from outside, either through +# the script "config" or manually. +if ($no_krb5 + || !defined($withargs{"krb5-flavor"}) + || $withargs{"krb5-flavor"} eq "") + { + $cflags="-DOPENSSL_NO_KRB5 $cflags"; + $options.=" no-krb5" unless $no_krb5; + $openssl_algorithm_defines .= "#define OPENSSL_NO_KRB5\n"; + } +else + { + my ($lresolv, $lpath, $lext); + if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/) + { + $withargs{"krb5-dir"} = "/usr/heimdal" + if $withargs{"krb5-dir"} eq ""; + $withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}. + "/lib -lgssapi -lkrb5 -lcom_err" + if $withargs{"krb5-lib"} eq ""; + $cflags="-DKRB5_HEIMDAL $cflags"; + } + if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/) + { + $withargs{"krb5-dir"} = "/usr/kerberos" + if $withargs{"krb5-dir"} eq ""; + $withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}. + "/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto" + if $withargs{"krb5-lib"} eq ""; + $cflags="-DKRB5_MIT $cflags"; + $withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//; + if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/) + { + $cflags="-DKRB5_MIT_OLD11 $cflags"; + } + } + LRESOLV: + foreach $lpath ("/lib", "/usr/lib") + { + foreach $lext ("a", "so") + { + $lresolv = "$lpath/libresolv.$lext"; + last LRESOLV if (-r "$lresolv"); + $lresolv = ""; + } + } + $withargs{"krb5-lib"} .= " -lresolv" + if ("$lresolv"); + $withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include" + if $withargs{"krb5-include"} eq "" && + $withargs{"krb5-dir"} ne ""; + } + # The DSO code currently always implements all functions so that no # applications will have to worry about that from a compilation point # of view. However, the "method"s may return zero unless that platform @@ -700,18 +993,14 @@ if (!$no_dso && $dso_scheme ne "") if ($dso_scheme eq "DLFCN") { $dso_cflags = "-DDSO_DLFCN -DHAVE_DLFCN_H"; - $openssl_other_defines .= "#define DSO_DLFCN\n"; - $openssl_other_defines .= "#define HAVE_DLFCN_H\n"; } elsif ($dso_scheme eq "DLFCN_NO_H") { $dso_cflags = "-DDSO_DLFCN"; - $openssl_other_defines .= "#define DSO_DLFCN\n"; } else { $dso_cflags = "-DDSO_$dso_scheme"; - $openssl_other_defines .= "#define DSO_$dso_scheme\n"; } $cflags = "$dso_cflags $cflags"; } @@ -727,13 +1016,13 @@ if ($thread_cflag eq "(unknown)") { # If the user asked for "threads", hopefully they also provided # any system-dependent compiler options that are necessary. - $thread_cflags="-DTHREADS $cflags" ; - $thread_defines .= "#define THREADS\n"; + $thread_cflags="-DOPENSSL_THREADS $cflags" ; + $thread_defines .= "#define OPENSSL_THREADS\n"; } else { - $thread_cflags="-DTHREADS $thread_cflag $cflags"; - $thread_defines .= "#define THREADS\n"; + $thread_cflags="-DOPENSSL_THREADS $thread_cflag $cflags"; + $thread_defines .= "#define OPENSSL_THREADS\n"; # my $def; # foreach $def (split ' ',$thread_cflag) # { @@ -754,8 +1043,15 @@ if ($no_asm) if ($threads) { - $cflags=$thread_cflags; - $openssl_thread_defines .= $thread_defines; + $cflags=$thread_cflags; + $openssl_thread_defines .= $thread_defines; + } + +if ($zlib) + { + $cflags = "-DZLIB $cflags"; + $cflags = "-DZLIB_SHARED $cflags" if $zlib == 2; + $lflags = "$lflags -lz" if $zlib == 2; } # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org @@ -776,6 +1072,12 @@ else $no_shared = 1; } +if ($sys_id ne "") + { + $cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; + $openssl_sys_defines="#define OPENSSL_SYSNAME_$sys_id\n"; + } + if ($ranlib eq "") { $ranlib = $default_ranlib; @@ -850,7 +1152,7 @@ while () if ($sdirs) { my $dir; foreach $dir (@skip) { - s/$dir//; + s/([ ])$dir /\1/; } } $sdirs = 0 unless /\\$/; @@ -869,6 +1171,7 @@ while () s/^OPTIONS=.*$/OPTIONS=$options/; s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/; s/^CC=.*$/CC= $cc/; + s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc"; s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; @@ -885,10 +1188,22 @@ while () s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; s/^PERL=.*/PERL= $perl/; + s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/; + s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); - s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.so.\$(SHLIB_MAJOR) .so/ if ($shared_extension ne "" && $shared_extension !~ /^\.s[ol]$/); + if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/) + { + my $sotmp = $1; + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/ + } + elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) + { + my $sotmp = $1; + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; + } + s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/; print OUT $_."\n"; } close(IN); @@ -909,6 +1224,10 @@ print "RMD160_OBJ_ASM=$rmd160_obj\n"; print "PROCESSOR =$processor\n"; print "RANLIB =$ranlib\n"; print "PERL =$perl\n"; +print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n" + if $withargs{"krb5-include"} ne ""; +print "LIBKRB5 =",$withargs{"krb5-lib"},"\n" + if $withargs{"krb5-lib"} ne ""; my $des_ptr=0; my $des_risc1=0; @@ -925,6 +1244,7 @@ my $rc4_chunk=0; my $bf_ptr=0; my @type=("char","short","int","long"); my ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0); +my $export_var_as_fn=0; my $des_int; @@ -954,6 +1274,7 @@ foreach (sort split(/\s+/,$bn_ops)) ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0) if /THIRTY_TWO_BIT/; ($b64l,$b64,$b32,$b16,$b8)=(0,0,0,1,0) if /SIXTEEN_BIT/; ($b64l,$b64,$b32,$b16,$b8)=(0,0,0,0,1) if /EIGHT_BIT/; + $export_var_as_fn=1 if /EXPORT_VAR_AS_FN/; } open(IN,') { if (/^#define\s+OPENSSLDIR/) { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } + elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) + { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" + if $export_var_as_fn; + printf OUT "#%s OPENSSL_EXPORT_VAR_AS_FUNCTION\n", + ($export_var_as_fn)?"define":"undef"; } elsif (/^#define\s+OPENSSL_UNISTD/) { $unistd = "" if $unistd eq ""; @@ -1172,11 +1512,11 @@ sub print_table_entry { my $target = shift; - (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops, - my $bn_obj,my $des_obj,my $bf_obj, + (my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags, + my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj, my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag, - my $shared_extension,my $ranlib)= + my $shared_ldflag,my $shared_extension,my $ranlib)= split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); print <. -OpenSSL 0.9.6b was released on July 9th, 2001. +OpenSSL 0.9.6c was released on December 21st, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at &5 - for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then -- LIBS="$saved_LIBS -L$ssldir" -+ LIBS="$saved_LIBS -L$ssldir/lib" - CFLAGS="$CFLAGS -I$ssldir/include" - if test "x$need_dash_r" = "x1" ; then -- LIBS="$LIBS -R$ssldir" -+ LIBS="$LIBS -R$ssldir/lib" - fi - fi - LIBS="$LIBS -lcrypto" ------ snip:end ----- +Several reasons for problems with the automatic detection exist. +OpenSSH requires at least version 0.9.5a of the OpenSSL libraries. +Sometimes the distribution has installed an older version in the system +locations that is detected instead of a new one installed. The OpenSSL +library might have been compiled for another CPU or another mode (32/64 bits). +Permissions might be wrong. +The general answer is to check the config.log file generated when running +the OpenSSH configure script. It should contain the detailed information +on why the OpenSSL library was not detected or considered incompatible. * Can I use OpenSSL's SSL library with non-blocking I/O? @@ -579,7 +620,7 @@ SSL_write() will try to continue any pending handshake. * Why doesn't my server application receive a client certificate? Due to the TLS protocol definition, a client will only send a certificate, -if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the SSL_CTX_set_verify() function to enable the use of client certificates. diff --git a/lib/libssl/src/INSTALL b/lib/libssl/src/INSTALL index 5bafcd4b5d1..06aa96bcfac 100644 --- a/lib/libssl/src/INSTALL +++ b/lib/libssl/src/INSTALL @@ -52,14 +52,20 @@ This will usually require additional system-dependent options! See "Note on multi-threading" below. + no-zlib Don't try to build with support for zlib compression and + decompression. + + zlib Build with support for zlib compression/decompression. + + zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically + when needed. This is only supported on systems where loading + of shared libraries is supported. This is the default choice. + no-shared Don't try to create shared libraries. shared In addition to the usual static libraries, create shared libraries on platforms where it's supported. See "Note on - shared libraries" below. THIS IS NOT RECOMMENDED! Since - this is a development branch, the positions of the ENGINE - symbols in the transfer vector are constantly moving, so - binary backward compatibility can't be guaranteed in any way. + shared libraries" below. no-asm Do not use assembler code. @@ -271,6 +277,11 @@ Note on shared libraries ------------------------ + Shared library is currently an experimental feature. The only reason to + have them would be to conserve memory on systems where several program + are using OpenSSL. Binary backward compatibility can't be guaranteed + before OpenSSL version 1.0. + For some systems, the OpenSSL Configure script knows what is needed to build shared libraries for libcrypto and libssl. On these systems, the shared libraries are currently not created by default, but giving diff --git a/lib/libssl/src/INSTALL.MacOS b/lib/libssl/src/INSTALL.MacOS index a8c4f7f1dac..01c60d81f96 100644 --- a/lib/libssl/src/INSTALL.MacOS +++ b/lib/libssl/src/INSTALL.MacOS @@ -1,7 +1,7 @@ -OpenSSL - Port To The Macintosh -=============================== +OpenSSL - Port To The Macintosh OS 9 or Earlier +=============================================== -Thanks to Roy Wood initial support for MacOS (pre +Thanks to Roy Wood initial support for Mac OS (pre X) is now provided. "Initial" means that unlike other platforms where you get an SDK and a "swiss army" openssl application, on Macintosh you only get one sample application which fetches a page over HTTPS(*) and dumps it @@ -32,17 +32,17 @@ Installation procedure: to 42, change appropriately. (**) If you use SUNtar, then it might have already unbinhexed the files in question. -(***) The project file was saved with CW Pro 5.3. If you have earlier +(***) The project file was saved with CW Pro 5.3. If you have an earlier version and it refuses to open it, then download http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it overwriting the original OpenSSL.mcp. -(****) Other targets are work in progress. If you feel like giving 'em a +(****) Other targets are works in progress. If you feel like giving 'em a shot, then you should know that OpenSSL* and Lib* targets are supposed to be built with the GUSI, MacOS library which mimics BSD sockets and some other POSIX APIs. The GUSI distribution is - expected to be found in the same directory as openssl source tree, - i.e. in the parent directory to the one where this very file, - namely INSTALL.MacOS. For more informations about GUSI, see + expected to be found in the same directory as the openssl source tree, + i.e., in the parent directory to the one where this very file, + namely INSTALL.MacOS, resides. For more information about GUSI, see http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html Finally some essential comments from our generous contributor:-) diff --git a/lib/libssl/src/INSTALL.VMS b/lib/libssl/src/INSTALL.VMS index b8ea2d0a4d9..7658f64e1d7 100644 --- a/lib/libssl/src/INSTALL.VMS +++ b/lib/libssl/src/INSTALL.VMS @@ -33,11 +33,11 @@ Checking the distribution: ========================== There have been reports of places where the distribution didn't quite get -through, for example if you've copied the tree from a NFS-mounted unix +through, for example if you've copied the tree from a NFS-mounted Unix mount point. The easiest way to check if everything got through as it should is to check -for oen of the following files: +for one of the following files: [.CRYPTO]OPENSSLCONF.H_IN [.CRYPTO]OPENSSLCONF_H.IN @@ -69,7 +69,7 @@ for a command procedure name xxx-LIB.COM (in the library directories) or MAKExxx.COM (in the program directories) and read the comments at the top to understand how to use them. However, if you want to compile all you can get, the simplest is to use MAKEVMS.COM in the top -directory. The syntax is trhe following: +directory. The syntax is the following: @MAKEVMS