Temporary Mailing List Freeze

**Newsflash**

/) {
-		print HTML "$text";
-	    } else {
-		print HTML "\n$text\n";
-	    }
-	}
-    }
-
-    # finish off any pending directives
-    finish_list();
-    print HTML <
-
-
-END_OF_TAIL
-
-    # close the html file
-    close(HTML);
-
-    warn "Finished\n" if $verbose;
-}
-
-##############################################################################
-
-my $usage;			# see below
-sub usage {
-    my $podfile = shift;
-    warn "$0: $podfile: @_\n" if @_;
-    die $usage;
-}
-
-$usage =< --infile= --outfile=
-           --podpath=:...: --podroot=
-           --libpods=:...: --recurse --verbose --index
-           --netscape --norecurse --noindex
-
-  --flush      - flushes the item and directory caches.
-  --help       - prints this message.
-  --htmlroot   - http-server base directory from which all relative paths
-                 in podpath stem (default is /).
-  --index      - generate an index at the top of the resulting html
-                 (default).
-  --infile     - filename for the pod to convert (input taken from stdin
-                 by default).
-  --libpods    - colon-separated list of pages to search for =item pod
-                 directives in as targets of C<> and implicit links (empty
-                 by default).  note, these are not filenames, but rather
-                 page names like those that appear in L<> links.
-  --netscape   - will use netscape html directives when applicable.
-  --nonetscape - will not use netscape directives (default).
-  --outfile    - filename for the resulting html file (output sent to
-                 stdout by default).
-  --podpath    - colon-separated list of directories containing library
-                 pods.  empty by default.
-  --podroot    - filesystem base directory from which all relative paths
-                 in podpath stem (default is .).
-  --noindex    - don't generate an index at the top of the resulting html.
-  --norecurse  - don't recurse on those subdirectories listed in podpath.
-  --recurse    - recurse on those subdirectories listed in podpath
-                 (default behavior).
-  --title      - title that will appear in resulting html file.
-  --verbose    - self-explanatory
-
-END_OF_USAGE
-
-sub parse_command_line {
-    my ($opt_flush,$opt_help,$opt_htmlroot,$opt_index,$opt_infile,$opt_libpods,$opt_netscape,$opt_outfile,$opt_podpath,$opt_podroot,$opt_norecurse,$opt_recurse,$opt_title,$opt_verbose);
-    my $result = GetOptions(
-			    'flush'      => \$opt_flush,
-			    'help'       => \$opt_help,
-			    'htmlroot=s' => \$opt_htmlroot,
-			    'index!'     => \$opt_index,
-			    'infile=s'   => \$opt_infile,
-			    'libpods=s'  => \$opt_libpods,
-			    'netscape!'  => \$opt_netscape,
-			    'outfile=s'  => \$opt_outfile,
-			    'podpath=s'  => \$opt_podpath,
-			    'podroot=s'  => \$opt_podroot,
-			    'norecurse'  => \$opt_norecurse,
-			    'recurse!'   => \$opt_recurse,
-			    'title=s'    => \$opt_title,
-			    'verbose'    => \$opt_verbose,
-			   );
-    usage("-", "invalid parameters") if not $result;
-
-    usage("-") if defined $opt_help;	# see if the user asked for help
-    $opt_help = "";			# just to make -w shut-up.
-
-    $podfile  = $opt_infile if defined $opt_infile;
-    $htmlfile = $opt_outfile if defined $opt_outfile;
-
-    @podpath  = split(":", $opt_podpath) if defined $opt_podpath;
-    @libpods  = split(":", $opt_libpods) if defined $opt_libpods;
-
-    warn "Flushing item and directory caches\n"
-	if $opt_verbose && defined $opt_flush;
-    unlink($dircache, $itemcache) if defined $opt_flush;
-
-    $htmlroot = $opt_htmlroot if defined $opt_htmlroot;
-    $podroot  = $opt_podroot if defined $opt_podroot;
-
-    $doindex  = $opt_index if defined $opt_index;
-    $recurse  = $opt_recurse if defined $opt_recurse;
-    $title    = $opt_title if defined $opt_title;
-    $verbose  = defined $opt_verbose ? 1 : 0;
-    $netscape = $opt_netscape if defined $opt_netscape;
-}
-
-
-my $saved_cache_key;
-
-sub get_cache {
-    my($dircache, $itemcache, $podpath, $podroot, $recurse) = @_;
-    my @cache_key_args = @_;
-
-    # A first-level cache:
-    # Don't bother reading the cache files if they still apply
-    # and haven't changed since we last read them.
-
-    my $this_cache_key = cache_key(@cache_key_args);
-
-    return if $saved_cache_key and $this_cache_key eq $saved_cache_key;
-
-    # load the cache of %pages and %items if possible.  $tests will be
-    # non-zero if successful.
-    my $tests = 0;
-    if (-f $dircache && -f $itemcache) {
-	warn "scanning for item cache\n" if $verbose;
-	$tests = load_cache($dircache, $itemcache, $podpath, $podroot);
-    }
-
-    # if we didn't succeed in loading the cache then we must (re)build
-    #  %pages and %items.
-    if (!$tests) {
-	warn "scanning directories in pod-path\n" if $verbose;
-	scan_podpath($podroot, $recurse, 0);
-    }
-    $saved_cache_key = cache_key(@cache_key_args);
-}
-
-sub cache_key {
-    my($dircache, $itemcache, $podpath, $podroot, $recurse) = @_;
-    return join('!', $dircache, $itemcache, $recurse,
-		@$podpath, $podroot, stat($dircache), stat($itemcache));
-}
-
-#
-# load_cache - tries to find if the caches stored in $dircache and $itemcache
-#  are valid caches of %pages and %items.  if they are valid then it loads
-#  them and returns a non-zero value.
-#
-
-sub load_cache {
-    my($dircache, $itemcache, $podpath, $podroot) = @_;
-    my($tests);
-    local $_;
-
-    $tests = 0;
-
-    open(CACHE, "<$itemcache") ||
-	die "$0: error opening $itemcache for reading: $!\n";
-    $/ = "\n";
-
-    # is it the same podpath?
-    $_ = ;
-    chomp($_);
-    $tests++ if (join(":", @$podpath) eq $_);
-
-    # is it the same podroot?
-    $_ = ;
-    chomp($_);
-    $tests++ if ($podroot eq $_);
-
-    # load the cache if its good
-    if ($tests != 2) {
-	close(CACHE);
-	return 0;
-    }
-
-    warn "loading item cache\n" if $verbose;
-    while () {
-	/(.*?) (.*)$/;
-	$items{$1} = $2;
-    }
-    close(CACHE);
-
-    warn "scanning for directory cache\n" if $verbose;
-    open(CACHE, "<$dircache") ||
-	die "$0: error opening $dircache for reading: $!\n";
-    $/ = "\n";
-    $tests = 0;
-
-    # is it the same podpath?
-    $_ = ;
-    chomp($_);
-    $tests++ if (join(":", @$podpath) eq $_);
-
-    # is it the same podroot?
-    $_ = ;
-    chomp($_);
-    $tests++ if ($podroot eq $_);
-
-    # load the cache if its good
-    if ($tests != 2) {
-	close(CACHE);
-	return 0;
-    }
-
-    warn "loading directory cache\n" if $verbose;
-    while () {
-	/(.*?) (.*)$/;
-	$pages{$1} = $2;
-    }
-
-    close(CACHE);
-
-    return 1;
-}
-
-#
-# scan_podpath - scans the directories specified in @podpath for directories,
-#  .pod files, and .pm files.  it also scans the pod files specified in
-#  @libpods for =item directives.
-#
-sub scan_podpath {
-    my($podroot, $recurse, $append) = @_;
-    my($pwd, $dir);
-    my($libpod, $dirname, $pod, @files, @poddata);
-
-    unless($append) {
-	%items = ();
-	%pages = ();
-    }
-
-    # scan each directory listed in @podpath
-    $pwd = getcwd();
-    chdir($podroot)
-	|| die "$0: error changing to directory $podroot: $!\n";
-    foreach $dir (@podpath) {
-	scan_dir($dir, $recurse);
-    }
-
-    # scan the pods listed in @libpods for =item directives
-    foreach $libpod (@libpods) {
-	# if the page isn't defined then we won't know where to find it
-	# on the system.
-	next unless defined $pages{$libpod} && $pages{$libpod};
-
-	# if there is a directory then use the .pod and .pm files within it.
-	if ($pages{$libpod} =~ /([^:]*[^(\.pod|\.pm)]):/) {
-	    #  find all the .pod and .pm files within the directory
-	    $dirname = $1;
-	    opendir(DIR, $dirname) ||
-		die "$0: error opening directory $dirname: $!\n";
-	    @files = grep(/(\.pod|\.pm)$/ && ! -d $_, readdir(DIR));
-	    closedir(DIR);
-
-	    # scan each .pod and .pm file for =item directives
-	    foreach $pod (@files) {
-		open(POD, "<$dirname/$pod") ||
-		    die "$0: error opening $dirname/$pod for input: $!\n";
-		@poddata = ;
-		close(POD);
-
-		scan_items("$dirname/$pod", @poddata);
-	    }
-
-	    # use the names of files as =item directives too.
-	    foreach $pod (@files) {
-		$pod =~ /^(.*)(\.pod|\.pm)$/;
-		$items{$1} = "$dirname/$1.html" if $1;
-	    }
-	} elsif ($pages{$libpod} =~ /([^:]*\.pod):/ ||
-		 $pages{$libpod} =~ /([^:]*\.pm):/) {
-	    # scan the .pod or .pm file for =item directives
-	    $pod = $1;
-	    open(POD, "<$pod") ||
-		die "$0: error opening $pod for input: $!\n";
-	    @poddata = ;
-	    close(POD);
-
-	    scan_items("$pod", @poddata);
-	} else {
-	    warn "$0: shouldn't be here (line ".__LINE__."\n";
-	}
-    }
-    @poddata = ();	# clean-up a bit
-
-    chdir($pwd)
-	|| die "$0: error changing to directory $pwd: $!\n";
-
-    # cache the item list for later use
-    warn "caching items for later use\n" if $verbose;
-    open(CACHE, ">$itemcache") ||
-	die "$0: error open $itemcache for writing: $!\n";
-
-    print CACHE join(":", @podpath) . "\n$podroot\n";
-    foreach my $key (keys %items) {
-	print CACHE "$key $items{$key}\n";
-    }
-
-    close(CACHE);
-
-    # cache the directory list for later use
-    warn "caching directories for later use\n" if $verbose;
-    open(CACHE, ">$dircache") ||
-	die "$0: error open $dircache for writing: $!\n";
-
-    print CACHE join(":", @podpath) . "\n$podroot\n";
-    foreach my $key (keys %pages) {
-	print CACHE "$key $pages{$key}\n";
-    }
-
-    close(CACHE);
-}
-
-#
-# scan_dir - scans the directory specified in $dir for subdirectories, .pod
-#  files, and .pm files.  notes those that it finds.  this information will
-#  be used later in order to figure out where the pages specified in L<>
-#  links are on the filesystem.
-#
-sub scan_dir {
-    my($dir, $recurse) = @_;
-    my($t, @subdirs, @pods, $pod, $dirname, @dirs);
-    local $_;
-
-    @subdirs = ();
-    @pods = ();
-
-    opendir(DIR, $dir) ||
-	die "$0: error opening directory $dir: $!\n";
-    while (defined($_ = readdir(DIR))) {
-	if (-d "$dir/$_" && $_ ne "." && $_ ne "..") {	    # directory
-	    $pages{$_}  = "" unless defined $pages{$_};
-	    $pages{$_} .= "$dir/$_:";
-	    push(@subdirs, $_);
-	} elsif (/\.pod$/) {	    	    	    	    # .pod
-	    s/\.pod$//;
-	    $pages{$_}  = "" unless defined $pages{$_};
-	    $pages{$_} .= "$dir/$_.pod:";
-	    push(@pods, "$dir/$_.pod");
-	} elsif (/\.pm$/) { 	    	    	    	    # .pm
-	    s/\.pm$//;
-	    $pages{$_}  = "" unless defined $pages{$_};
-	    $pages{$_} .= "$dir/$_.pm:";
-	    push(@pods, "$dir/$_.pm");
-	}
-    }
-    closedir(DIR);
-
-    # recurse on the subdirectories if necessary
-    if ($recurse) {
-	foreach my $subdir (@subdirs) {
-	    scan_dir("$dir/$subdir", $recurse);
-	}
-    }
-}
-
-#
-# scan_headings - scan a pod file for head[1-6] tags, note the tags, and
-#  build an index.
-#
-sub scan_headings {
-    my($sections, @data) = @_;
-    my($tag, $which_head, $title, $listdepth, $index);
-
-    # here we need	local $ignore = 0;
-    #  unfortunately, we can't have it, because $ignore is lexical
-    $ignore = 0;
-
-    $listdepth = 0;
-    $index = "";
-
-    # scan for =head directives, note their name, and build an index
-    #  pointing to each of them.
-    foreach my $line (@data) {
-	if ($line =~ /^=(head)([1-6])\s+(.*)/) {
-	    ($tag,$which_head, $title) = ($1,$2,$3);
-	    chomp($title);
-	    $$sections{htmlify(0,$title)} = 1;
-
-	    while ($which_head != $listdepth) {
-		if ($which_head > $listdepth) {
-		    $index .= "\n" . ("\t" x $listdepth) . "\n";
-		    $listdepth++;
-		} elsif ($which_head < $listdepth) {
-		    $listdepth--;
-		    $index .= "\n" . ("\t" x $listdepth) . "\n";
-		}
-	    }
-
-	    $index .= "\n" . ("\t" x $listdepth) . "" .
-	              "" .
-		      html_escape(process_text(\$title, 0)) . "";
-	}
-    }
-
-    # finish off the lists
-    while ($listdepth--) {
-	$index .= "\n" . ("\t" x $listdepth) . "\n";
-    }
-
-    # get rid of bogus lists
-    $index =~ s,\t*\s*\n,,g;
-
-    $ignore = 1;	# restore old value;
-
-    return $index;
-}
-
-#
-# scan_items - scans the pod specified by $pod for =item directives.  we
-#  will use this information later on in resolving C<> links.
-#
-sub scan_items {
-    my($pod, @poddata) = @_;
-    my($i, $item);
-    local $_;
-
-    $pod =~ s/\.pod$//;
-    $pod .= ".html" if $pod;
-
-    foreach $i (0..$#poddata) {
-	$_ = $poddata[$i];
-
-	# remove any formatting instructions
-	s,[A-Z]<([^<>]*)>,$1,g;
-
-	# figure out what kind of item it is and get the first word of
-	#  it's name.
-	if (/^=item\s+(\w*)\s*.*$/s) {
-	    if ($1 eq "*") {		# bullet list
-		/\A=item\s+\*\s*(.*?)\s*\Z/s;
-		$item = $1;
-	    } elsif ($1 =~ /^\d+/) {	# numbered list
-		/\A=item\s+\d+\.?(.*?)\s*\Z/s;
-		$item = $1;
-	    } else {
-#		/\A=item\s+(.*?)\s*\Z/s;
-		/\A=item\s+(\w*)/s;
-		$item = $1;
-	    }
-
-	    $items{$item} = "$pod" if $item;
-	}
-    }
-}
-
-#
-# process_head - convert a pod head[1-6] tag and convert it to HTML format.
-#
-sub process_head {
-    my($tag, $heading) = @_;
-    my $firstword;
-
-    # figure out the level of the =head
-    $tag =~ /head([1-6])/;
-    my $level = $1;
-
-    # can't have a heading full of spaces and speechmarks and so on
-    $firstword = $heading; $firstword =~ s/\s*(\w+)\s.*/$1/;
-
-    print HTML "\n" unless $listlevel;
-    print HTML "
\n" unless $listlevel || $top;
-    print HTML ""; # unless $listlevel;
-    #print HTML "" unless $listlevel;
-    my $convert = $heading; process_text(\$convert, 0);
-    $convert = html_escape($convert);
-    print HTML '$convert";
-    print HTML ""; # unless $listlevel;
-    print HTML "\n";
-}
-
-#
-# process_item - convert a pod item tag and convert it to HTML format.
-#
-sub process_item {
-    my $text = $_[0];
-    my($i, $quote, $name);
-
-    my $need_preamble = 0;
-    my $this_entry;
-    my $rawtext;
-    my $rawitem;
-
-
-    # lots of documents start a list without doing an =over.  this is
-    # bad!  but, the proper thing to do seems to be to just assume
-    # they did do an =over.  so warn them once and then continue.
-    warn "$0: $podfile: unexpected =item directive in paragraph $paragraph.  ignoring.\n"
-	unless $listlevel;
-    process_over() unless $listlevel;
-
-    return unless $listlevel;
-
-    $need_preamble = $items_seen[$listlevel]++ == 0;
-
-    # check if this is the first =item after an =over
-    $i = $listlevel - 1;
-    my $need_new = $listlevel >= @listitem;
-
-    if ($text =~ /\A\*/) {		# bullet
-
-	if ($need_preamble) {
-	    push(@listend,  "");
-	    print HTML "\n";
-	}
-
-	print HTML '';
-	if ($text =~ /\A\*\s*(.+)\Z/s) {
-	    $text = $1;
-	    # remove formatting instructions from the text, save in $rawtext
-	    $rawtext = $text;
-	    1 while $rawtext =~ s/[A-Z]<([^<>]*)>/$1/g;
-	    pre_escape(\$rawtext);
-	    process_text(\$text);
-
-	    print HTML '';
-	    if ($items_named{$rawtext}++) {
-		print HTML $text;
-	    } else {
-		my $name = 'item_' . htmlify(1,$rawtext);
-		print HTML qq(), $text, '';
-	    }
-	    print HTML '';
-	}
-
-# Numbered lists disabled because this code turns every list with numerical
-# tags into an  without looking at the actual tag values.
-# Obviously this is in general not acceptable when a "RETURN VALUES" or
-# "EXIT CODES" section is organized like this (doc/apps/smime.pod in OpenSSL).
-
-#    } elsif ($text =~ /\A[\d#]+/) {	# numbered list
-#
-#	if ($need_preamble) {
-#	    push(@listend,  "");
-#	    print HTML "\n";
-#	}
-#
-#	print HTML '';
-#	if ($text =~ /\A\d+\.?\s*(.+)\Z/s) {
-#	    $text = $1;
-#	    # remove formatting instructions from the text, save in $rawtext
-#	    $rawtext = $text;
-#	    1 while $rawtext =~ s/[A-Z]<([^<>]*)>/$1/g;
-#	    pre_escape(\$rawtext);
-#	    process_text(\$text);
-#
-#	    print HTML '';
-#	    if ($items_named{$rawtext}++) {
-#		print HTML $text;
-#	    } else {
-#		my $name = 'item_' . htmlify(0,$rawtext);
-#		print HTML qq(), $text, '';
-#	    }
-#	    print HTML '';
-#	}
-
-    } else {			# all others
-
-	if ($need_preamble) {
-	    push(@listend,  '');
-	    print HTML "\n";
-	}
-
-	$rawtext = $text;
-	# remove formatting instructions from the text, save in $rawtext
-	1 while $rawtext =~ s/[A-Z]<([^<>]*)>/$1/g;
-	pre_escape(\$rawtext);
-	process_text(\$text);
-
-	print HTML '';
-	if ($rawtext =~ /(\S+)/) {
-	    print HTML '';
-	    if ($items_named{$1}++) {
-		print HTML $text;
-	    } else {
-		my $name = 'item_' . htmlify(1,$rawtext);
-		print HTML qq(), $text, '';
-	    }
-	    print HTML '';
-	}
-       print HTML '
';
-    }
-
-    print HTML "\n";
-}
-
-#
-# process_over - process a pod over tag and start a corresponding HTML
-# list.
-#
-sub process_over {
-    # start a new list
-    $listlevel++;
-}
-
-#
-# process_back - process a pod back tag and convert it to HTML format.
-#
-sub process_back {
-    warn "$0: $podfile: unexpected =back directive in paragraph $paragraph.  ignoring.\n"
-	unless $listlevel;
-    return unless $listlevel;
-
-    # close off the list.  note, I check to see if $listend[$listlevel] is
-    # defined because an =item directive may have never appeared and thus
-    # $listend[$listlevel] may have never been initialized.
-    $listlevel--;
-    print HTML $listend[$listlevel] if defined $listend[$listlevel];
-    print HTML "\n";
-
-    # don't need the corresponding perl code anymore
-    pop(@listitem);
-    pop(@listdata);
-    pop(@listend);
-
-    pop(@items_seen);
-}
-
-#
-# process_cut - process a pod cut tag, thus stop ignoring pod directives.
-#
-sub process_cut {
-    $ignore = 1;
-}
-
-#
-# process_pod - process a pod pod tag, thus ignore pod directives until we see a
-# corresponding cut.
-#
-sub process_pod {
-    # no need to set $ignore to 0 cause the main loop did it
-}
-
-#
-# process_for - process a =for pod tag.  if it's for html, split
-# it out verbatim, if illustration, center it, otherwise ignore it.
-#
-sub process_for {
-    my($whom, $text) = @_;
-    if ( $whom =~ /^(pod2)?html$/i) {
-	print HTML $text;
-    } elsif ($whom =~ /^illustration$/i) {
-        1 while chomp $text;
-	for my $ext (qw[.png .gif .jpeg .jpg .tga .pcl .bmp]) {
-	  $text .= $ext, last if -r "$text$ext";
-	}
-        print HTML qq{};
-    }
-}
-
-#
-# process_begin - process a =begin pod tag.  this pushes
-# whom we're beginning on the begin stack.  if there's a
-# begin stack, we only print if it us.
-#
-sub process_begin {
-    my($whom, $text) = @_;
-    $whom = lc($whom);
-    push (@begin_stack, $whom);
-    if ( $whom =~ /^(pod2)?html$/) {
-	print HTML $text if $text;
-    }
-}
-
-#
-# process_end - process a =end pod tag.  pop the
-# begin stack.  die if we're mismatched.
-#
-sub process_end {
-    my($whom, $text) = @_;
-    $whom = lc($whom);
-    if ($begin_stack[-1] ne $whom ) {
-	die "Unmatched begin/end at chunk $paragraph\n"
-    } 
-    pop @begin_stack;
-}
-
-#
-# process_text - handles plaintext that appears in the input pod file.
-# there may be pod commands embedded within the text so those must be
-# converted to html commands.
-#
-sub process_text {
-    my($text, $escapeQuotes) = @_;
-    my($result, $rest, $s1, $s2, $s3, $s4, $match, $bf);
-    my($podcommand, $params, $tag, $quote);
-
-    return if $ignore;
-
-    $quote  = 0;    	    	# status of double-quote conversion
-    $result = "";
-    $rest = $$text;
-
-    if ($rest =~ /^\s+/) {	# preformatted text, no pod directives
-	$rest =~ s/\n+\Z//;
-	$rest =~ s#.*#
-	    my $line = $&;
-	    1 while $line =~ s/\t+/' ' x (length($&) * 8 - length($`) % 8)/e;
-	    $line;
-	#eg;
-
-	$rest   =~ s/&/&/g;
-	$rest   =~ s//>/g;
-	$rest   =~ s/"/"/g;
-
-	# try and create links for all occurrences of perl.* within
-	# the preformatted text.
-	$rest =~ s{
-		    (\s*)(perl\w+)
-		  }{
-		    if (defined $pages{$2}) {	# is a link
-			qq($1$2);
-		    } elsif (defined $pages{dosify($2)}) {	# is a link
-			qq($1$2);
-		    } else {
-			"$1$2";
-		    }
-		  }xeg;
-	$rest =~ s/(:]*:)?([^>:]*)\.pod:([^>:]*:)?/$1$3.html/g;
-
-  my $urls = '(' . join ('|', qw{
-                http
-                telnet
-		mailto
-		news
-                gopher
-                file
-                wais
-                ftp
-            } ) 
-        . ')';
-  
-  my $ltrs = '\w';
-  my $gunk = '/#~:.?+=&%@!\-';
-  my $punc = '.:?\-';
-  my $any  = "${ltrs}${gunk}${punc}";
-
-  $rest =~ s{
-        \b                          # start at word boundary
-        (                           # begin $1  {
-          $urls     :               # need resource and a colon
-          [$any] +?                 # followed by on or more
-                                    #  of any valid character, but
-                                    #  be conservative and take only
-                                    #  what you need to....
-        )                           # end   $1  }
-        (?=                         # look-ahead non-consumptive assertion
-                [$punc]*            # either 0 or more puntuation
-                [^$any]             #   followed by a non-url char
-            |                       # or else
-                $                   #   then end of the string
-        )
-      }{$1}igox;
-
-	$result =   ""	# text should be as it is (verbatim)
-		  . "$rest\n"
-		  . "\n";
-    } else {			# formatted text
-	# parse through the string, stopping each time we find a
-	# pod-escape.  once the string has been throughly processed
-	# we can output it.
-	while (length $rest) {
-	    # check to see if there are any possible pod directives in
-	    # the remaining part of the text.
-	    if ($rest =~ m/[BCEIFLSZ]'
-		$match = 1;
-		$bf = 0;
-		while ($match && !$bf) {
-		    $bf = 1;
-		    if ($rest =~ /\A([^<>]*[BCEIFLSZ]<)(.*)\Z/s) {
-			$bf = 0;
-			$match++;
-			$podcommand .= $1;
-			$rest        = $2;
-		    } elsif ($rest =~ /\A([^>]*>)(.*)\Z/s) {
-			$bf = 0;
-			$match--;
-			$podcommand .= $1;
-			$rest        = $2;
-		    }
-		}
-
-		if ($match != 0) {
-		    warn < for $s2 in paragraph $paragraph.
-WARN
-		    $result .= substr $podcommand, 0, 2;
-		    $rest = substr($podcommand, 2) . $rest;
-		    next;
-		}
-
-		# pull out the parameters to the pod-escape
-		$podcommand =~ /^([BCFEILSZ]?)<(.*)>$/s;
-		$tag    = $1;
-		$params = $2;
-
-		# process the text within the pod-escape so that any escapes
-		# which must occur do.
-		process_text(\$params, 0) unless $tag eq 'L';
-
-		$s1 = $params;
-		if (!$tag || $tag eq " ") {	#  <> : no tag
-		    $s1 = "<$params>";
-		} elsif ($tag eq "L") {		# L<> : link 
-		    $s1 = process_L($params);
-		} elsif ($tag eq "I" ||		# I<> : italicize text
-			 $tag eq "B" ||		# B<> : bold text
-			 $tag eq "F") {		# F<> : file specification
-		    $s1 = process_BFI($tag, $params);
-		} elsif ($tag eq "C") {		# C<> : literal code
-		    $s1 = process_C($params, 1);
-		} elsif ($tag eq "E") {		# E<> : escape
-		    $s1 = process_E($params);
-		} elsif ($tag eq "Z") {		# Z<> : zero-width character
-		    $s1 = process_Z($params);
-		} elsif ($tag eq "S") {		# S<> : non-breaking space
-		    $s1 = process_S($params);
-		} elsif ($tag eq "X") {		# S<> : non-breaking space
-		    $s1 = process_X($params);
-		} else {
-		    warn "$0: $podfile: unhandled tag '$tag' in paragraph $paragraph\n";
-		}
-
-		$result .= "$s1";
-	    } else {
-		# for pure text we must deal with implicit links and
-		# double-quotes among other things.
-		$result .= ($escapeQuotes ? process_puretext("$s1$s2$s3", \$quote) : "$s1$s2$s3");
-		$rest    = $s4;
-	    }
-	}
-    }
-    $$text = $result;
-}
-
-sub html_escape {
-    my $rest = $_[0];
-    $rest   =~ s/&/&/g;
-    $rest   =~ s//>/g;
-    $rest   =~ s/"/"/g;
-    return $rest;
-} 
-
-#
-# process_puretext - process pure text (without pod-escapes) converting
-#  double-quotes and handling implicit C<> links.
-#
-sub process_puretext {
-    my($text, $quote) = @_;
-    my(@words, $result, $rest, $lead, $trail);
-
-    # convert double-quotes to single-quotes
-    $text =~ s/\A([^"]*)"/$1''/s if $$quote;
-    while ($text =~ s/\A([^"]*)["]([^"]*)["]/$1``$2''/sg) {}
-
-    $$quote = ($text =~ m/"/ ? 1 : 0);
-    $text =~ s/\A([^"]*)"/$1``/s if $$quote;
-
-    # keep track of leading and trailing white-space
-    $lead  = ($text =~ /\A(\s*)/s ? $1 : "");
-    $trail = ($text =~ /(\s*)\Z/s ? $1 : "");
-
-    # collapse all white space into a single space
-    $text =~ s/\s+/ /g;
-    @words = split(" ", $text);
-
-    # process each word individually
-    foreach my $word (@words) {
-	# see if we can infer a link
-	if ($word =~ /^\w+$/) {
-	    # has parenthesis so should have been a C<> ref
-	    $word = process_C($word);
-#	    $word =~ /^[^()]*]\(/;
-#	    if (defined $items{$1} && $items{$1}) {
-#		$word =   "\n$word";
-#	    } elsif (defined $items{$word} && $items{$word}) {
-#		$word =   "\n$word";
-#	    } else {
-#		$word =   "\n$word";
-#	    }
-	} elsif ($word =~ /^[\$\@%&*]+\w+$/) {
-	    # perl variables, should be a C<> ref
-	    $word = process_C($word, 1);
-	} elsif ($word =~ m,^\w+://\w,) {
-	    # looks like a URL
-	    $word = qq($word);
-	} elsif ($word =~ /[\w.-]+\@[\w-]+\.\w/) {
-	    # looks like an e-mail address
-	    my ($w1, $w2, $w3) = ("", $word, "");
-	    ($w1, $w2, $w3) = ("(", $1, ")$2") if $word =~ /^\((.*?)$(,?)/;
-	    ($w1, $w2, $w3) = ("<", $1, ">$2") if $word =~ /^<(.*?)>(,?)/;
-	    $word = qq($w1$w2$w3);
-	} elsif ($word !~ /[a-z]/ && $word =~ /[A-Z]/) {  # all uppercase?
-	    $word = html_escape($word) if $word =~ /["&<>]/;
-	    $word = "\n$word" if $netscape;
-	} else { 
-	    $word = html_escape($word) if $word =~ /["&<>]/;
-	}
-    }
-
-    # build a new string based upon our conversion
-    $result = "";
-    $rest   = join(" ", @words);
-    while (length($rest) > 75) {
-	if ( $rest =~ m/^(.{0,75})\s(.*?)$/o ||
-	     $rest =~ m/^(\S*)\s(.*?)$/o) {
-
-	    $result .= "$1\n";
-	    $rest    = $2;
-	} else {
-	    $result .= "$rest\n";
-	    $rest    = "";
-	}
-    }
-    $result .= $rest if $rest;
-
-    # restore the leading and trailing white-space
-    $result = "$lead$result$trail";
-
-    return $result;
-}
-
-#
-# pre_escape - convert & in text to $amp;
-#
-sub pre_escape {
-    my($str) = @_;
-
-    $$str =~ s,&,&,g;
-}
-
-#
-# dosify - convert filenames to 8.3
-#
-sub dosify {
-    my($str) = @_;
-    if ($Is83) {
-        $str = lc $str;
-        $str =~ s/(\.\w+)/substr ($1,0,4)/ge;
-        $str =~ s/(\w+)/substr ($1,0,8)/ge;
-    }
-    return $str;
-}
-
-#
-# process_L - convert a pod L<> directive to a corresponding HTML link.
-#  most of the links made are inferred rather than known about directly
-#  (i.e it's not known whether the =head\d section exists in the target file,
-#   or whether a .pod file exists in the case of split files).  however, the
-#  guessing usually works.
-#
-# Unlike the other directives, this should be called with an unprocessed
-# string, else tags in the link won't be matched.
-#
-sub process_L {
-    my($str) = @_;
-    my($s1, $s2, $linktext, $page, $page83, $section, $link);	# work strings
-
-    $str =~ s/\n/ /g;			# undo word-wrapped tags
-    $s1 = $str;
-    for ($s1) {
-	# LREF: a la HREF L
-	$linktext = $1 if s:^([^|]+)\|::;
-
-	# make sure sections start with a /
-	s,^",/",g;
-	s,^,/,g if (!m,/, && / /);
-
-	# check if there's a section specified
-	if (m,^(.*?)/"?(.*?)"?$,) {	# yes
-	    ($page, $section) = ($1, $2);
-	} else {			# no
-	    ($page, $section) = ($_, "");
-	}
-
-	# check if we know that this is a section in this page
-	if (!defined $pages{$page} && defined $sections{$page}) {
-	    $section = $page;
-	    $page = "";
-	}
-    }
-
-    $page83=dosify($page);
-    $page=$page83 if (defined $pages{$page83});
-    if ($page eq "") {
-	$link = "#" . htmlify(0,$section);
-	$linktext = $section unless defined($linktext);
-    } elsif ( $page =~ /::/ ) {
-	$linktext  = ($section ? "$section" : "$page");
-	$page =~ s,::,/,g;
-	$link = "$htmlroot/$page.html";
-	$link .= "#" . htmlify(0,$section) if ($section);
-    } elsif (!defined $pages{$page}) {
-	warn "$0: $podfile: cannot resolve L<$str> in paragraph $paragraph: no such page '$page'\n";
-	$link = "";
-	$linktext = $page unless defined($linktext);
-    } else {
-	$linktext  = ($section ? "$section" : "the $page manpage") unless defined($linktext);
-	$section = htmlify(0,$section) if $section ne "";
-
-	# if there is a directory by the name of the page, then assume that an
-	# appropriate section will exist in the subdirectory
-	if ($section ne "" && $pages{$page} =~ /([^:]*[^(\.pod|\.pm)]):/) {
-	    $link = "$htmlroot/$1/$section.html";
-
-	# since there is no directory by the name of the page, the section will
-	# have to exist within a .html of the same name.  thus, make sure there
-	# is a .pod or .pm that might become that .html
-	} else {
-	    $section = "#$section";
-	    # check if there is a .pod with the page name
-	    if ($pages{$page} =~ /([^:]*)\.pod:/) {
-		$link = "$htmlroot/$1.html$section";
-	    } elsif ($pages{$page} =~ /([^:]*)\.pm:/) {
-		$link = "$htmlroot/$1.html$section";
-	    } else {
-		warn "$0: $podfile: cannot resolve L$str in paragraph $paragraph: ".
-			     "no .pod or .pm found\n";
-		$link = "";
-		$linktext = $section unless defined($linktext);
-	    }
-	}
-    }
-
-    process_text(\$linktext, 0);
-    if ($link) {
-	$s1 = "$linktext";
-    } else {
-	$s1 = "$linktext";
-    }
-    return $s1;
-}
-
-#
-# process_BFI - process any of the B<>, F<>, or I<> pod-escapes and
-# convert them to corresponding HTML directives.
-#
-sub process_BFI {
-    my($tag, $str) = @_;
-    my($s1);			# work string
-    my(%repltext) = (	'B' => 'STRONG',
-			'F' => 'EM',
-			'I' => 'EM');
-
-    # extract the modified text and convert to HTML
-    $s1 = "<$repltext{$tag}>$str";
-    return $s1;
-}
-
-#
-# process_C - process the C<> pod-escape.
-#
-sub process_C {
-    my($str, $doref) = @_;
-    my($s1, $s2);
-
-    $s1 = $str;
-    $s1 =~ s/$[^()]*$//g;	# delete parentheses
-    $s2 = $s1;
-    $s1 =~ s/\W//g;		# delete bogus characters
-    $str = html_escape($str);
-
-    # if there was a pod file that we found earlier with an appropriate
-    # =item directive, then create a link to that page.
-    if ($doref && defined $items{$s1}) {
-	$s1 = ($items{$s1} ?
-	       "$str" :
-	       "$str");
-	$s1 =~ s,(perl\w+/(\S+)\.html)#item_\2\b,$1,; 
-	confess "s1 has space: $s1" if $s1 =~ /HREF="[^"]*\s[^"]*"/;
-    } else {
-	$s1 = "$str";
-	# warn "$0: $podfile: cannot resolve C<$str> in paragraph $paragraph\n" if $verbose
-    }
-
-
-    return $s1;
-}
-
-#
-# process_E - process the E<> pod directive which seems to escape a character.
-#
-sub process_E {
-    my($str) = @_;
-
-    for ($str) {
-	s,([^/].*),\&$1\;,g;
-    }
-
-    return $str;
-}
-
-#
-# process_Z - process the Z<> pod directive which really just amounts to
-# ignoring it.  this allows someone to start a paragraph with an =
-#
-sub process_Z {
-    my($str) = @_;
-
-    # there is no equivalent in HTML for this so just ignore it.
-    $str = "";
-    return $str;
-}
-
-#
-# process_S - process the S<> pod directive which means to convert all
-# spaces in the string to non-breaking spaces (in HTML-eze).
-#
-sub process_S {
-    my($str) = @_;
-
-    # convert all spaces in the text to non-breaking spaces in HTML.
-    $str =~ s/ / /g;
-    return $str;
-}
-
-#
-# process_X - this is supposed to make an index entry.  we'll just 
-# ignore it.
-#
-sub process_X {
-    return '';
-}
-
-
-#
-# finish_list - finish off any pending HTML lists.  this should be called
-# after the entire pod file has been read and converted.
-#
-sub finish_list {
-    while ($listlevel > 0) {
-	print HTML "\n";
-	$listlevel--;
-    }
-}
-
-#
-# htmlify - converts a pod section specification to a suitable section
-# specification for HTML.  if first arg is 1, only takes 1st word.
-#
-sub htmlify {
-    my($compact, $heading) = @_;
-
-    if ($compact) {
-      $heading =~ /^(\w+)/;
-      $heading = $1;
-    } 
-
-  # $heading = lc($heading);
-  $heading =~ s/[^\w\s]/_/g;
-  $heading =~ s/(\s+)/ /g;
-  $heading =~ s/^\s*(.*?)\s*$/$1/s;
-  $heading =~ s/ /_/g;
-  $heading =~ s/\A(.{32}).*\Z/$1/s;
-  $heading =~ s/\s+\Z//;
-  $heading =~ s/_{2,}/_/g;
-
-  return $heading;
-}
-
-BEGIN {
-}
-
-1;


hooks/post-receive
-- 
OpenSSL Web Pages 

From kurt at openssl.org  Wed Dec 10 12:35:44 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Wed, 10 Dec 2014 12:35:44 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 5b17b79a895bb9eace11d4596acadaa2ed69cf2d
Message-ID: <20141210173544.5C7F31DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  5b17b79a895bb9eace11d4596acadaa2ed69cf2d (commit)
       via  3a7581bf5ae3579e506b18f4b36c266c84890450 (commit)
       via  288b4e4f8f97069db63fdca6f6dddcf56282b03d (commit)
       via  c27dc3981cd676cdd6dba00b06d6146545fc63fc (commit)
       via  fed5b5525204a6892c936173d9336c479fa83941 (commit)
       via  e9e688effbd5f94e9a8614ca0181a9c8a596a6e1 (commit)
       via  bf8e7047aa888bdba4a89fd0d03862ebec2d302c (commit)
       via  9052ffda912a48bfb0f6aa1555a97e313ee54642 (commit)
       via  d00b1d62d62036dc21c78658a28da4a6279e6fe2 (commit)
      from  02a62d1a4ab711e935defb6e61c2564130ff8627 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5b17b79a895bb9eace11d4596acadaa2ed69cf2d
Author: Kurt Roeckx 
Date:   Mon Dec 9 22:03:34 2013 +0100

    capi_ctrl, capi_vtrace: check for NULL after allocating and free it
    
    Reviewed-by: Matt Caswell 

commit 3a7581bf5ae3579e506b18f4b36c266c84890450
Author: Jonas Maebe 
Date:   Mon Dec 9 22:02:35 2013 +0100

    tree_print: check for NULL after allocating err
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit 288b4e4f8f97069db63fdca6f6dddcf56282b03d
Author: Jonas Maebe 
Date:   Mon Dec 9 17:21:43 2013 +0100

    tls1_heartbeat: check for NULL after allocating buf
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit c27dc3981cd676cdd6dba00b06d6146545fc63fc
Author: Jonas Maebe 
Date:   Sun Dec 7 17:38:51 2014 +0100

    tls1_process_heartbeat: check for NULL after allocating buffer
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit fed5b5525204a6892c936173d9336c479fa83941
Author: Jonas Maebe 
Date:   Mon Dec 9 17:02:44 2013 +0100

    SSL_set_session: check for NULL after allocating s->kssl_ctx->client_princ
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit e9e688effbd5f94e9a8614ca0181a9c8a596a6e1
Author: Jonas Maebe 
Date:   Mon Dec 9 16:57:04 2013 +0100

    serverinfo_process_buffer: check result of realloc(ctx->cert->key->serverinfo) and don't leak memory if it fails
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit bf8e7047aa888bdba4a89fd0d03862ebec2d302c
Author: Jonas Maebe 
Date:   Mon Dec 9 16:45:44 2013 +0100

    ssl3_digest_cached_records: check for NULL after allocating s->s3->handshake_dgst
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit 9052ffda912a48bfb0f6aa1555a97e313ee54642
Author: Jonas Maebe 
Date:   Sun Dec 8 23:30:09 2013 +0100

    ssl3_get_certificate_request: check for NULL after allocating s->cert->ctypes
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

commit d00b1d62d62036dc21c78658a28da4a6279e6fe2
Author: Jonas Maebe 
Date:   Mon Dec 2 22:07:02 2013 +0100

    SSL_COMP_add_compression_method: exit if allocating the new compression method struct fails
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509v3/pcy_tree.c |    2 ++
 engines/e_capi.c         |   11 +++++++++++
 engines/e_capi_err.c     |    4 +++-
 engines/e_capi_err.h     |    2 ++
 ssl/s3_clnt.c            |    5 +++++
 ssl/s3_enc.c             |    5 +++++
 ssl/ssl.h                |    1 +
 ssl/ssl_ciph.c           |    7 +++++++
 ssl/ssl_err.c            |    1 +
 ssl/ssl_rsa.c            |    7 +++++--
 ssl/ssl_sess.c           |    5 +++++
 ssl/t1_lib.c             |   10 ++++++++++
 12 files changed, 57 insertions(+), 3 deletions(-)

diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 47b1bf8..93470c3 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -101,6 +101,8 @@ static void tree_print(char *str, X509_POLICY_TREE *tree,
 	int i;
 	BIO *err;
 	err = BIO_new_fp(stderr, BIO_NOCLOSE);
+	if (err == NULL)
+		return;
 	if (!curr)
 		curr = tree->levels + tree->nlevel;
 	else
diff --git a/engines/e_capi.c b/engines/e_capi.c
index 87a10dd..8a19ed0 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -340,6 +340,11 @@ static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 		}
 	ctx = ENGINE_get_ex_data(e, capi_idx);
 	out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	if (out == NULL)
+		{
+		CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_FILE_OPEN_ERROR);
+		return 0;
+		}
 	switch (cmd)
 		{
 		case CAPI_CMD_LIST_CSPS:
@@ -406,6 +411,7 @@ static int capi_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
 		if (i < 1 || i > 3)
 			{
 			CAPIerr(CAPI_F_CAPI_CTRL, CAPI_R_INVALID_LOOKUP_METHOD);
+			BIO_free(out);
 			return 0;
 			}
 		ctx->lookup_method = i;
@@ -1081,6 +1087,11 @@ static void capi_vtrace(CAPI_CTX *ctx, int level, char *format, va_list argptr)
 	if (!ctx || (ctx->debug_level < level) || (!ctx->debug_file))
 		return;
 	out = BIO_new_file(ctx->debug_file, "a+");
+	if (out == NULL)
+		{
+		CAPIerr(CAPI_F_CAPI_VTRACE, CAPI_R_FILE_OPEN_ERROR);
+		return;
+		}
 	BIO_vprintf(out, format, argptr);
 	BIO_free(out);
 	}
diff --git a/engines/e_capi_err.c b/engines/e_capi_err.c
index eaaefb2..a36ada3 100644
--- a/engines/e_capi_err.c
+++ b/engines/e_capi_err.c
@@ -1,6 +1,6 @@
 /* e_capi_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -86,6 +86,7 @@ static ERR_STRING_DATA CAPI_str_functs[]=
 {ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_DEC),	"CAPI_RSA_PRIV_DEC"},
 {ERR_FUNC(CAPI_F_CAPI_RSA_PRIV_ENC),	"CAPI_RSA_PRIV_ENC"},
 {ERR_FUNC(CAPI_F_CAPI_RSA_SIGN),	"CAPI_RSA_SIGN"},
+{ERR_FUNC(CAPI_F_CAPI_VTRACE),	"CAPI_VTRACE"},
 {ERR_FUNC(CAPI_F_CERT_SELECT_DIALOG),	"CERT_SELECT_DIALOG"},
 {ERR_FUNC(CAPI_F_CLIENT_CERT_SELECT),	"CLIENT_CERT_SELECT"},
 {ERR_FUNC(CAPI_F_WIDE_TO_ASC),	"WIDE_TO_ASC"},
@@ -109,6 +110,7 @@ static ERR_STRING_DATA CAPI_str_reasons[]=
 {ERR_REASON(CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO),"error getting key provider info"},
 {ERR_REASON(CAPI_R_ERROR_OPENING_STORE)  ,"error opening store"},
 {ERR_REASON(CAPI_R_ERROR_SIGNING_HASH)   ,"error signing hash"},
+{ERR_REASON(CAPI_R_FILE_OPEN_ERROR)      ,"file open error"},
 {ERR_REASON(CAPI_R_FUNCTION_NOT_SUPPORTED),"function not supported"},
 {ERR_REASON(CAPI_R_GETUSERKEY_ERROR)     ,"getuserkey error"},
 {ERR_REASON(CAPI_R_INVALID_DIGEST_LENGTH),"invalid digest length"},
diff --git a/engines/e_capi_err.h b/engines/e_capi_err.h
index efa7001..1844bf0 100644
--- a/engines/e_capi_err.h
+++ b/engines/e_capi_err.h
@@ -87,6 +87,7 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line);
 #define CAPI_F_CAPI_RSA_PRIV_DEC			 110
 #define CAPI_F_CAPI_RSA_PRIV_ENC			 111
 #define CAPI_F_CAPI_RSA_SIGN				 112
+#define CAPI_F_CAPI_VTRACE				 118
 #define CAPI_F_CERT_SELECT_DIALOG			 117
 #define CAPI_F_CLIENT_CERT_SELECT			 116
 #define CAPI_F_WIDE_TO_ASC				 113
@@ -107,6 +108,7 @@ static void ERR_CAPI_error(int function, int reason, char *file, int line);
 #define CAPI_R_ERROR_GETTING_KEY_PROVIDER_INFO		 109
 #define CAPI_R_ERROR_OPENING_STORE			 110
 #define CAPI_R_ERROR_SIGNING_HASH			 111
+#define CAPI_R_FILE_OPEN_ERROR				 128
 #define CAPI_R_FUNCTION_NOT_SUPPORTED			 112
 #define CAPI_R_GETUSERKEY_ERROR				 113
 #define CAPI_R_INVALID_DIGEST_LENGTH			 124
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c5f6ceb..e178fe1 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2145,6 +2145,11 @@ int ssl3_get_certificate_request(SSL *s)
 		{
 		/* If we exceed static buffer copy all to cert structure */
 		s->cert->ctypes = OPENSSL_malloc(ctype_num);
+		if (s->cert->ctypes == NULL)
+			{
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
 		memcpy(s->cert->ctypes, p, ctype_num);
 		s->cert->ctype_num = (size_t)ctype_num;
 		ctype_num=SSL3_CT_NUMBER;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index f7de30b..66f5280 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -616,6 +616,11 @@ int ssl3_digest_cached_records(SSL *s)
 	/* Allocate handshake_dgst array */
 	ssl3_free_digest_list(s);
 	s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+	if (s->s3->handshake_dgst == NULL)
+		{
+		SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
 	memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
 	hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
 	if (hdatalen <= 0)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 61c9890..51b8df0 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2732,6 +2732,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT		 275
 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT		 276
 #define SSL_F_TLS1_PRF					 284
+#define SSL_F_TLS1_PROCESS_HEARTBEAT			 341
 #define SSL_F_TLS1_SETUP_KEY_BLOCK			 211
 #define SSL_F_TLS1_SET_SERVER_SIGALGS			 335
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 1599d79..133d9d9 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1962,6 +1962,13 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 
 	MemCheck_off();
 	comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+	if (comp == NULL)
+		{
+		MemCheck_on();
+		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
+		return(1);
+		}
+
 	comp->id=id;
 	comp->method=cm;
 	load_builtin_compressions();
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 00c4bc8..5f8c075 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -273,6 +273,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT),	"TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT),	"TLS1_PREPARE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PRF),	"tls1_prf"},
+{ERR_FUNC(SSL_F_TLS1_PROCESS_HEARTBEAT),	"tls1_process_heartbeat"},
 {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),	"tls1_setup_key_block"},
 {ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS),	"tls1_set_server_sigalgs"},
 {0,NULL}
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 6f9337e..006c02e 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -948,6 +948,8 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo,
 int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
 			   size_t serverinfo_length)
 	{
+	unsigned char *new_serverinfo;
+
 	if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0)
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_PASSED_NULL_PARAMETER);
@@ -968,13 +970,14 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
 		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_INTERNAL_ERROR);
 		return 0;
 		}
-	ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
+	new_serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
 						     serverinfo_length);
-	if (ctx->cert->key->serverinfo == NULL)
+	if (new_serverinfo == NULL)
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO,ERR_R_MALLOC_FAILURE);
 		return 0;
 		}
+	ctx->cert->key->serverinfo = new_serverinfo;
 	memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
 	ctx->cert->key->serverinfo_length = serverinfo_length;
 
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 3bac2db..a85f279 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -792,6 +792,11 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
                     session->krb5_client_princ_len > 0)
                 {
                     s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
+                    if (s->kssl_ctx->client_princ == NULL)
+                    {
+                        SSLerr(SSL_F_SSL_SET_SESSION, ERR_R_MALLOC_FAILURE);
+                        return(0);
+                    }
                     memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
                             session->krb5_client_princ_len);
                     s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 891cd1f..8d5fd12 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4003,6 +4003,11 @@ tls1_process_heartbeat(SSL *s)
 		 * payload, plus padding
 		 */
 		buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+		if (buffer == NULL)
+			{
+			SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT,ERR_R_MALLOC_FAILURE);
+			return -1;
+			}
 		bp = buffer;
 		
 		/* Enter response type, length and copy payload */
@@ -4089,6 +4094,11 @@ tls1_heartbeat(SSL *s)
 	 *  - Padding
 	 */
 	buf = OPENSSL_malloc(1 + 2 + payload + padding);
+	if (buf == NULL)
+		{
+		SSLerr(SSL_F_TLS1_HEARTBEAT,ERR_R_MALLOC_FAILURE);
+		return -1;
+		}
 	p = buf;
 	/* Message Type */
 	*p++ = TLS1_HB_REQUEST;


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Wed Dec 10 15:46:46 2014
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 10 Dec 2014 15:46:46 -0500 (EST)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	1c90fbd4f1a896ba8ff2020c4b19584ea58e7255
Message-ID: <20141210204646.3BEAA1DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  1c90fbd4f1a896ba8ff2020c4b19584ea58e7255 (commit)
      from  e5c274d21c041d789fc2be297e29130194f83095 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1c90fbd4f1a896ba8ff2020c4b19584ea58e7255
Author: Rich Salz 
Date:   Wed Dec 10 15:46:34 2014 -0500

    add thanks to rsync and globalsign

-----------------------------------------------------------------------

Summary of changes:
 about/credits.wml |   22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/about/credits.wml b/about/credits.wml
index a68e817..27db0b1 100644
--- a/about/credits.wml
+++ b/about/credits.wml
@@ -16,6 +16,15 @@ Our current hosting is provided courtesy of
 
 
 

+Thanks to GMO GlobalSign for
+providing free TLS certificates.
+
+
+
Thanks to rsync.net for providing free
+backup storage.
+
+
+

 Thanks to Eric Young and Tim Hudson for the SSLeay
 package on which OpenSSL is based.
 
@@ -27,16 +36,15 @@ and Tim created while working for C2Net.
 

 
 

-Thanks to the Development Team
-of Internet Services at Cable
-& Wireless Germany, Munich, for providing the hardware and
-network resources for some time after 2002.
+Thanks to the Development Team of Internet Services at Cable & Wireless Munich, Germany, for
+providing the hardware and network resources for some time after 2002.
 
 
 

-Thanks to the IT-Support-Group
-of the Department of Information Technology and Electrical Engineering
-at the Swiss Federal Institute of Technology
+Thanks to the IT Support Group of the Department of
+Information Technology and Electrical Engineering at the Swiss Federal Institute of Technology
 Zurich (ETHZ) for providing the hardware and network resources
 from 1998 to 2002.
 


hooks/post-receive
-- 
OpenSSL Web Pages 

From rsalz at openssl.org  Wed Dec 10 17:11:55 2014
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 10 Dec 2014 17:11:55 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. a4a934119dd213e16c9d8b11150a4815604c13bb
Message-ID: <20141210221155.76F531DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  a4a934119dd213e16c9d8b11150a4815604c13bb (commit)
      from  5b17b79a895bb9eace11d4596acadaa2ed69cf2d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a4a934119dd213e16c9d8b11150a4815604c13bb
Author: Rich Salz 
Date:   Wed Dec 10 17:10:59 2014 -0500

    Remove old private pod2man
    
    Include Richard's point to remove the 'sh -c' wrapper
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 Makefile.org         |    9 +-
 util/pod2man.pl      | 1184 --------------------------------------------------
 util/pod2mantest     |   58 ---
 util/pod2mantest.pod |   15 -
 4 files changed, 4 insertions(+), 1262 deletions(-)
 delete mode 100755 util/pod2man.pl
 delete mode 100755 util/pod2mantest
 delete mode 100644 util/pod2mantest.pod

diff --git a/Makefile.org b/Makefile.org
index 8bb7e01..7c802e8 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -716,7 +716,6 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
@@ -727,9 +726,9 @@ install_docs:
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$$pod2man \
+		pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`") \
+			--release=$(VERSION) `basename $$i`) \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -744,9 +743,9 @@ install_docs:
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$$pod2man \
+		pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`") \
+			--release=$(VERSION) `basename $$i`) \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
diff --git a/util/pod2man.pl b/util/pod2man.pl
deleted file mode 100755
index 025d914..0000000
--- a/util/pod2man.pl
+++ /dev/null
@@ -1,1184 +0,0 @@
-: #!/usr/bin/perl-5.005
-    eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
-	if $running_under_some_shell;
-
-$DEF_PM_SECTION = '3pm' || '3';
-
-=head1 NAME
-
-pod2man - translate embedded Perl pod directives into man pages
-
-=head1 SYNOPSIS
-
-B
-[ B<--section=>I ]
-[ B<--release=>I ]
-[ B<--center=>I ]
-[ B<--date=>I ]
-[ B<--fixed=>I ]
-[ B<--official> ]
-[ B<--lax> ]
-I
-
-=head1 DESCRIPTION
-
-B converts its input file containing embedded pod directives (see
-L) into nroff source suitable for viewing with nroff(1) or
-troff(1) using the man(7) macro set.
-
-Besides the obvious pod conversions, B also takes care of
-func(), func(n), and simple variable references like $foo or @bar so
-you don't have to use code escapes for them; complex expressions like
-C<$fred{'stuff'}> will still need to be escaped, though.  Other nagging
-little roffish things that it catches include translating the minus in
-something like foo-bar, making a long dash--like this--into a real em
-dash, fixing up "paired quotes", putting a little space after the
-parens in something like func(), making C++ and PI look right, making
-double underbars have a little tiny space between them, making ALLCAPS
-a teeny bit smaller in troff(1), and escaping backslashes so you don't
-have to.
-
-=head1 OPTIONS
-
-=over 8
-
-=item center
-
-Set the centered header to a specific string.  The default is
-"User Contributed Perl Documentation", unless the C<--official> flag is
-given, in which case the default is "Perl Programmers Reference Guide".
-
-=item date
-
-Set the left-hand footer string to this value.  By default,
-the modification date of the input file will be used.
-
-=item fixed
-
-The fixed font to use for code refs.  Defaults to CW.
-
-=item official
-
-Set the default header to indicate that this page is of
-the standard release in case C<--center> is not given.
-
-=item release
-
-Set the centered footer.  By default, this is the current
-perl release.
-
-=item section
-
-Set the section for the C<.TH> macro.  The standard conventions on
-sections are to use 1 for user commands,  2 for system calls, 3 for
-functions, 4 for devices, 5 for file formats, 6 for games, 7 for
-miscellaneous information, and 8 for administrator commands.  This works
-best if you put your Perl man pages in a separate tree, like
-F.  By default, section 1 will be used
-unless the file ends in F<.pm> in which case section 3 will be selected.
-
-=item lax
-
-Don't complain when required sections aren't present.
-
-=back
-
-=head1 Anatomy of a Proper Man Page
-
-For those not sure of the proper layout of a man page, here's
-an example of the skeleton of a proper man page.  Head of the
-major headers should be setout as a C<=head1> directive, and
-are historically written in the rather startling ALL UPPER CASE
-format, although this is not mandatory.
-Minor headers may be included using C<=head2>, and are
-typically in mixed case.
-
-=over 10
-
-=item NAME
-
-Mandatory section; should be a comma-separated list of programs or
-functions documented by this podpage, such as:
-
-    foo, bar - programs to do something
-
-=item SYNOPSIS
-
-A short usage summary for programs and functions, which
-may someday be deemed mandatory.
-
-=item DESCRIPTION
-
-Long drawn out discussion of the program.  It's a good idea to break this
-up into subsections using the C<=head2> directives, like
-
-    =head2 A Sample Subection
-
-    =head2 Yet Another Sample Subection
-
-=item OPTIONS
-
-Some people make this separate from the description.
-
-=item RETURN VALUE
-
-What the program or function returns if successful.
-
-=item ERRORS
-
-Exceptions, return codes, exit stati, and errno settings.
-
-=item EXAMPLES
-
-Give some example uses of the program.
-
-=item ENVIRONMENT
-
-Envariables this program might care about.
-
-=item FILES
-
-All files used by the program.  You should probably use the FEE
-for these.
-
-=item SEE ALSO
-
-Other man pages to check out, like man(1), man(7), makewhatis(8), or catman(8).
-
-=item NOTES
-
-Miscellaneous commentary.
-
-=item CAVEATS
-
-Things to take special care with; sometimes called WARNINGS.
-
-=item DIAGNOSTICS
-
-All possible messages the program can print out--and
-what they mean.
-
-=item BUGS
-
-Things that are broken or just don't work quite right.
-
-=item RESTRICTIONS
-
-Bugs you don't plan to fix :-)
-
-=item AUTHOR
-
-Who wrote it (or AUTHORS if multiple).
-
-=item HISTORY
-
-Programs derived from other sources sometimes have this, or
-you might keep a modification log here.
-
-=back
-
-=head1 EXAMPLES
-
-    pod2man program > program.1
-    pod2man some_module.pm > /usr/perl/man/man3/some_module.3
-    pod2man --section=7 note.pod > note.7
-
-=head1 DIAGNOSTICS
-
-The following diagnostics are generated by B.  Items
-marked "(W)" are non-fatal, whereas the "(F)" errors will cause
-B to immediately exit with a non-zero status.
-
-=over 4
-
-=item bad option in paragraph %d of %s: ``%s'' should be [%s]<%s>
-
-(W) If you start include an option, you should set it off
-as bold, italic, or code.
-
-=item can't open %s: %s
-
-(F) The input file wasn't available for the given reason.
-
-=item Improper man page - no dash in NAME header in paragraph %d of %s
-
-(W) The NAME header did not have an isolated dash in it.  This is
-considered important.
-
-=item Invalid man page - no NAME line in %s
-
-(F) You did not include a NAME header, which is essential.
-
-=item roff font should be 1 or 2 chars, not `%s'  (F)
-
-(F) The font specified with the C<--fixed> option was not
-a one- or two-digit roff font.
-
-=item %s is missing required section: %s
-
-(W) Required sections include NAME, DESCRIPTION, and if you're
-using a section starting with a 3, also a SYNOPSIS.  Actually,
-not having a NAME is a fatal.
-
-=item Unknown escape: %s in %s
-
-(W) An unknown HTML entity (probably for an 8-bit character) was given via
-a CE> directive.  Besides amp, lt, gt, and quot, recognized
-entities are Aacute, aacute, Acirc, acirc, AElig, aelig, Agrave, agrave,
-Aring, aring, Atilde, atilde, Auml, auml, Ccedil, ccedil, Eacute, eacute,
-Ecirc, ecirc, Egrave, egrave, ETH, eth, Euml, euml, Iacute, iacute, Icirc,
-icirc, Igrave, igrave, Iuml, iuml, Ntilde, ntilde, Oacute, oacute, Ocirc,
-ocirc, Ograve, ograve, Oslash, oslash, Otilde, otilde, Ouml, ouml, szlig,
-THORN, thorn, Uacute, uacute, Ucirc, ucirc, Ugrave, ugrave, Uuml, uuml,
-Yacute, yacute, and yuml.
-
-=item Unmatched =back
-
-(W) You have a C<=back> without a corresponding C<=over>.
-
-=item Unrecognized pod directive: %s
-
-(W) You specified a pod directive that isn't in the known list of
-C<=head1>, C<=head2>, C<=item>, C<=over>, C<=back>, or C<=cut>.
-
-
-=back
-
-=head1 NOTES
-
-If you would like to print out a lot of man page continuously, you
-probably want to set the C and D registers to set contiguous page
-numbering and even/odd paging, at least on some versions of man(7).
-Settting the F register will get you some additional experimental
-indexing:
-
-    troff -man -rC1 -rD1 -rF1 perl.1 perldata.1 perlsyn.1 ...
-
-The indexing merely outputs messages via C<.tm> for each
-major page, section, subsection, item, and any CE>
-directives.
-
-
-=head1 RESTRICTIONS
-
-None at this time.
-
-=head1 BUGS
-
-The =over and =back directives don't really work right.  They
-take absolute positions instead of offsets, don't nest well, and
-making people count is suboptimal in any event.
-
-=head1 AUTHORS
-
-Original prototype by Larry Wall, but so massively hacked over by
-Tom Christiansen such that Larry probably doesn't recognize it anymore.
-
-=cut
-
-$/ = "";
-$cutting = 1;
- at Indices = ();
-
-# We try first to get the version number from a local binary, in case we're
-# running an installed version of Perl to produce documentation from an
-# uninstalled newer version's pod files.
-if ($^O ne 'plan9' and $^O ne 'dos' and $^O ne 'os2' and $^O ne 'MSWin32') {
-  my $perl = (-x './perl' && -f './perl' ) ?
-                 './perl' :
-                 ((-x '../perl' && -f '../perl') ?
-                      '../perl' :
-                      '');
-  ($version,$patch) = `$perl -e 'print $]'` =~ /^(\d\.\d{3})(\d{2})?/ if $perl;
-}
-# No luck; we'll just go with the running Perl's version
-($version,$patch) = $] =~ /^(.{5})(\d{2})?/ unless $version;
-$DEF_RELEASE  = "perl $version";
-$DEF_RELEASE .= ", patch $patch" if $patch;
-
-
-sub makedate {
-    my $secs = shift;
-    my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($secs);
-    my $mname = (qw{Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec})[$mon];
-    $year += 1900;
-    return "$mday/$mname/$year";
-}
-
-use Getopt::Long;
-
-$DEF_SECTION = 1;
-$DEF_CENTER = "User Contributed Perl Documentation";
-$STD_CENTER = "Perl Programmers Reference Guide";
-$DEF_FIXED = 'CW';
-$DEF_LAX = 0;
-
-sub usage {
-    warn "$0: @_\n" if @_;
-    die <";
-$Filename = $name;
-if ($section =~ /^1/) {
-    require File::Basename;
-    $name = uc File::Basename::basename($name);
-}
-$name =~ s/\.(pod|p[lm])$//i;
-
-# Lose everything up to the first of
-#     */lib/*perl*	standard or site_perl module
-#     */*perl*/lib	from -D prefix=/opt/perl
-#     */*perl*/		random module hierarchy
-# which works.
-$name =~ s-//+-/-g;
-if ($name =~ s-^.*?/lib/[^/]*perl[^/]*/--i
-	or $name =~ s-^.*?/[^/]*perl[^/]*/lib/--i
-	or $name =~ s-^.*?/[^/]*perl[^/]*/--i) {
-    # Lose ^site(_perl)?/.
-    $name =~ s-^site(_perl)?/--;
-    # Lose ^arch/.	(XXX should we use Config? Just for archname?)
-    $name =~ s~^(.*-$^O|$^O-.*)/~~o;
-    # Lose ^version/.
-    $name =~ s-^\d+\.\d+/--;
-}
-
-# Translate Getopt/Long to Getopt::Long, etc.
-$name =~ s(/)(::)g;
-
-if ($name ne 'something') {
-    FCHECK: {
-	open(F, "< $ARGV[0]") || die "can't open $ARGV[0]: $!";
-	while () {
-	    next unless /^=\b/;
-	    if (/^=head1\s+NAME\s*$/) {  # an /m would forgive mistakes
-		$_ = ;
-		unless (/\s*-+\s+/) {
-		    $oops++;
-		    warn "$0: Improper man page - no dash in NAME header in paragraph $. of $ARGV[0]\n"
-                } else {
-		    my @n = split /\s+-+\s+/;
-		    if (@n != 2) {
-			$oops++;
-			warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n"
-		    }
-		    else {
-			$n[0] =~ s/\n/ /g;
-			$n[1] =~ s/\n/ /g;
-			%namedesc = @n;
-		    }
-		}
-		last FCHECK;
-	    }
-	    next if /^=cut\b/;	# DB_File and Net::Ping have =cut before NAME
-	    next if /^=pod\b/;  # It is OK to have =pod before NAME
-	    next if /^=(for|begin|end)\s+comment\b/;  # It is OK to have =for =begin or =end comment before NAME
-	    die "$0: Invalid man page - 1st pod line is not NAME in $ARGV[0]\n" unless $lax;
-	}
-	die "$0: Invalid man page - no documentation in $ARGV[0]\n" unless $lax;
-    }
-    close F;
-}
-
-print <<"END";
-.rn '' }`
-''' \$RCSfile\$\$Revision\$\$Date\$
-'''
-''' \$Log\$
-'''
-.de Sh
-.br
-.if t .Sp
-.ne 5
-.PP
-\\fB\\\\\$1\\fR
-.PP
-..
-.de Sp
-.if t .sp .5v
-.if n .sp
-..
-.de Ip
-.br
-.ie \\\\n(.\$>=3 .ne \\\\\$3
-.el .ne 3
-.IP "\\\\\$1" \\\\\$2
-..
-.de Vb
-.ft $CFont
-.nf
-.ne \\\\\$1
-..
-.de Ve
-.ft R
-
-.fi
-..
-'''
-'''
-'''     Set up \\*(-- to give an unbreakable dash;
-'''     string Tr holds user defined translation string.
-'''     Bell System Logo is used as a dummy character.
-'''
-.tr \\(*W-|\\(bv\\*(Tr
-.ie n \\{\\
-.ds -- \\(*W-
-.ds PI pi
-.if (\\n(.H=4u)&(1m=24u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-12u'-\\" diablo 10 pitch
-.if (\\n(.H=4u)&(1m=20u) .ds -- \\(*W\\h'-12u'\\(*W\\h'-8u'-\\" diablo 12 pitch
-.ds L" ""
-.ds R" ""
-'''   \\*(M", \\*(S", \\*(N" and \\*(T" are the equivalent of
-'''   \\*(L" and \\*(R", except that they are used on ".xx" lines,
-'''   such as .IP and .SH, which do another additional levels of
-'''   double-quote interpretation
-.ds M" """
-.ds S" """
-.ds N" """""
-.ds T" """""
-.ds L' '
-.ds R' '
-.ds M' '
-.ds S' '
-.ds N' '
-.ds T' '
-'br\\}
-.el\\{\\
-.ds -- \\(em\\|
-.tr \\*(Tr
-.ds L" ``
-.ds R" ''
-.ds M" ``
-.ds S" ''
-.ds N" ``
-.ds T" ''
-.ds L' `
-.ds R' '
-.ds M' `
-.ds S' '
-.ds N' `
-.ds T' '
-.ds PI \\(*p
-'br\\}
-END
-
-print <<'END';
-.\"	If the F register is turned on, we'll generate
-.\"	index entries out stderr for the following things:
-.\"		TH	Title 
-.\"		SH	Header
-.\"		Sh	Subsection 
-.\"		Ip	Item
-.\"		X<>	Xref  (embedded
-.\"	Of course, you have to process the output yourself
-.\"	in some meaninful fashion.
-.if \nF \{
-.de IX
-.tm Index:\\$1\t\\n%\t"\\$2"
-..
-.nr % 0
-.rr F
-.\}
-END
-
-print <<"END";
-.TH $name $section "$RP" "$date" "$center"
-.UC
-END
-
-push(@Indices, qq{.IX Title "$name $section"});
-
-while (($name, $desc) = each %namedesc) {
-    for ($name, $desc) { s/^\s+//; s/\s+$//; }
-    push(@Indices, qq(.IX Name "$name - $desc"\n));
-}
-
-print <<'END';
-.if n .hy 0
-.if n .na
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.de CQ          \" put $1 in typewriter font
-END
-print ".ft $CFont\n";
-print <<'END';
-'if n "\c
-'if t \\&\\$1\c
-'if n \\&\\$1\c
-'if n \&"
-\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
-'.ft R
-..
-.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
-.	\" AM - accent mark definitions
-.bd B 3
-.	\" fudge factors for nroff and troff
-.if n \{\
-.	ds #H 0
-.	ds #V .8m
-.	ds #F .3m
-.	ds #[ \f1
-.	ds #] \fP
-.\}
-.if t \{\
-.	ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-.	ds #V .6m
-.	ds #F 0
-.	ds #[ \&
-.	ds #] \&
-.\}
-.	\" simple accents for nroff and troff
-.if n \{\
-.	ds ' \&
-.	ds ` \&
-.	ds ^ \&
-.	ds , \&
-.	ds ~ ~
-.	ds ? ?
-.	ds ! !
-.	ds /
-.	ds q
-.\}
-.if t \{\
-.	ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-.	ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-.	ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-.	ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-.	ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-.	ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
-.	ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
-.	ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.	ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
-.\}
-.	\" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
-.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
-.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
-.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-.ds oe o\h'-(\w'o'u*4/10)'e
-.ds Oe O\h'-(\w'O'u*4/10)'E
-.	\" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-.	\" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-.	ds : e
-.	ds 8 ss
-.	ds v \h'-1'\o'\(aa\(ga'
-.	ds _ \h'-1'^
-.	ds . \h'-1'.
-.	ds 3 3
-.	ds o a
-.	ds d- d\h'-1'\(ga
-.	ds D- D\h'-1'\(hy
-.	ds th \o'bp'
-.	ds Th \o'LP'
-.	ds ae ae
-.	ds Ae AE
-.	ds oe oe
-.	ds Oe OE
-.\}
-.rm #[ #] #H #V #F C
-END
-
-$indent = 0;
-
-$begun = "";
-
-# Unrolling [^A-Z>]|[A-Z](?!<) gives:    // MRE pp 165.
-my $nonest = '(?:[^A-Z>]*(?:[A-Z](?!<)[^A-Z>]*)*)';
-
-while (<>) {
-    if ($cutting) {
-	next unless /^=/;
-	$cutting = 0;
-    }
-    if ($begun) {
-	if (/^=end\s+$begun/) {
-            $begun = "";
-	}
-	elsif ($begun =~ /^(roff|man)$/) {
-	    print STDOUT $_;
-        }
-	next;
-    }
-    chomp;
-
-    # Translate verbatim paragraph
-
-    if (/^\s/) {
-	@lines = split(/\n/);
-	for (@lines) {
-	    1 while s
-		{^( [^\t]* ) \t ( \t* ) }
-		{ $1 . ' ' x (8 - (length($1)%8) + 8 * (length($2))) }ex;
-	    s/\\/\\e/g;
-	    s/\A/\\&/s;
-	}
-	$lines = @lines;
-	makespace() unless $verbatim++;
-	print ".Vb $lines\n";
-	print join("\n", @lines), "\n";
-	print ".Ve\n";
-	$needspace = 0;
-	next;
-    }
-
-    $verbatim = 0;
-
-    if (/^=for\s+(\S+)\s*/s) {
-	if ($1 eq "man" or $1 eq "roff") {
-	    print STDOUT $',"\n\n";
-	} else {
-	    # ignore unknown for
-	}
-	next;
-    }
-    elsif (/^=begin\s+(\S+)\s*/s) {
-	$begun = $1;
-	if ($1 eq "man" or $1 eq "roff") {
-	    print STDOUT $'."\n\n";
-	}
-	next;
-    }
-
-    # check for things that'll hosed our noremap scheme; affects $_
-    init_noremap();
-
-    if (!/^=item/) {
-
-	# trofficate backslashes; must do it before what happens below
-	s/\\/noremap('\\e')/ge;
-
-	# protect leading periods and quotes against *roff
-	# mistaking them for directives
-	s/^(?:[A-Z]<)?[.']/\\&$&/gm;
-
-	# first hide the escapes in case we need to
-	# intuit something and get it wrong due to fmting
-
-	1 while s/([A-Z]<$nonest>)/noremap($1)/ge;
-
-	# func() is a reference to a perl function
-	s{
-	    \b
-	    (
-		[:\w]+ \(\)
-	    )
-	} {I<$1>}gx;
-
-	# func(n) is a reference to a perl function or a man page
-	s{
-	    ([:\w]+)
-	    (
-		\( [^\051]+ \)
-	    )
-	} {I<$1>\\|$2}gx;
-
-	# convert simple variable references
-	s/(\s+)([\$\@%][\w:]+)(?!\()/${1}C<$2>/g;
-
-	if (m{ (
-		    [\-\w]+
-		    \(
-			[^\051]*?
-			[\@\$,]
-			[^\051]*?
-		    \)
-		)
-	    }x && $` !~ /([LCI]<[^<>]*|-)$/ && !/^=\w/)
-	{
-	    warn "$0: bad option in paragraph $. of $ARGV: ``$1'' should be [LCI]<$1>\n";
-	    $oops++;
-	}
-
-	while (/(-[a-zA-Z])\b/g && $` !~ /[\w\-]$/) {
-	    warn "$0: bad option in paragraph $. of $ARGV: ``$1'' should be [CB]<$1>\n";
-	    $oops++;
-	}
-
-	# put it back so we get the <> processed again;
-	clear_noremap(0); # 0 means leave the E's
-
-    } else {
-	# trofficate backslashes
-	s/\\/noremap('\\e')/ge;
-
-    }
-
-    # need to hide E<> first; they're processed in clear_noremap
-    s/(E<[^<>]+>)/noremap($1)/ge;
-
-
-    $maxnest = 10;
-    while ($maxnest-- && /[A-Z]/font($1) . $2 . font('R')/eg;
-
-	# files and filelike refs in italics
-	s/F<($nonest)>/I<$1>/g;
-
-	# no break -- usually we want C<> for this
-	s/S<($nonest)>/nobreak($1)/eg;
-
-	# LREF: a la HREF L
-	s:L<([^|>]+)\|[^>]+>:$1:g;
-
-	# LREF: a manpage(3f)
-	s:L<([a-zA-Z][^\s\/]+)(\([^\)]+\))?>:the I<$1>$2 manpage:g;
-
-	# LREF: an =item on another manpage
-	s{
-	    L<
-		([^/]+)
-		/
-		(
-		    [:\w]+
-		    (\(\))?
-		)
-	    >
-	} {the C<$2> entry in the I<$1> manpage}gx;
-
-	# LREF: an =item on this manpage
-	s{
-	   ((?:
-	    L<
-		/
-		(
-		    [:\w]+
-		    (\(\))?
-		)
-	    >
-	    (,?\s+(and\s+)?)?
-	  )+)
-	} { internal_lrefs($1) }gex;
-
-	# LREF: a =head2 (head1?), maybe on a manpage, maybe right here
-	# the "func" can disambiguate
-	s{
-	    L<
-		(?:
-		    ([a-zA-Z]\S+?) /
-		)?
-		"?(.*?)"?
-	    >
-	}{
-	    do {
-		$1 	# if no $1, assume it means on this page.
-		    ?  "the section on I<$2> in the I<$1> manpage"
-		    :  "the section on I<$2>"
-	    }
-	}gesx; # s in case it goes over multiple lines, so . matches \n
-
-	s/Z<>/\\&/g;
-
-	# comes last because not subject to reprocessing
-	s/C<($nonest)>/noremap("${CFont_embed}${1}\\fR")/eg;
-    }
-
-    if (s/^=//) {
-	$needspace = 0;		# Assume this.
-
-	s/\n/ /g;
-
-	($Cmd, $_) = split(' ', $_, 2);
-
-	$dotlevel = 1;
-	if ($Cmd eq 'head1') {
-	   $dotlevel = 1;
-	}
-	elsif ($Cmd eq 'head2') {
-	   $dotlevel = 1;
-	}
-	elsif ($Cmd eq 'item') {
-	   $dotlevel = 2;
-	}
-
-	if (defined $_) {
-	    &escapes($dotlevel);
-	    s/"/""/g;
-	}
-
-	clear_noremap(1);
-
-	if ($Cmd eq 'cut') {
-	    $cutting = 1;
-	}
-	elsif ($Cmd eq 'head1') {
-	    s/\s+$//;
-	    delete $wanna_see{$_} if exists $wanna_see{$_};
-	    print qq{.SH "$_"\n};
-      push(@Indices, qq{.IX Header "$_"\n});
-	}
-	elsif ($Cmd eq 'head2') {
-	    print qq{.Sh "$_"\n};
-      push(@Indices, qq{.IX Subsection "$_"\n});
-	}
-	elsif ($Cmd eq 'over') {
-	    push(@indent,$indent);
-	    $indent += ($_ + 0) || 5;
-	}
-	elsif ($Cmd eq 'back') {
-	    $indent = pop(@indent);
-	    warn "$0: Unmatched =back in paragraph $. of $ARGV\n" unless defined $indent;
-	    $needspace = 1;
-	}
-	elsif ($Cmd eq 'item') {
-	    s/^\*( |$)/\\(bu$1/g;
-	    # if you know how to get ":s please do
-	    s/\\\*\(L"([^"]+?)\\\*\(R"/'$1'/g;
-	    s/\\\*\(L"([^"]+?)""/'$1'/g;
-	    s/[^"]""([^"]+?)""[^"]/'$1'/g;
-	    # here do something about the $" in perlvar?
-	    print STDOUT qq{.Ip "$_" $indent\n};
-      push(@Indices, qq{.IX Item "$_"\n});
-	}
-	elsif ($Cmd eq 'pod') {
-	    # this is just a comment
-	} 
-	else {
-	    warn "$0: Unrecognized pod directive in paragraph $. of $ARGV: $Cmd\n";
-	}
-    }
-    else {
-	if ($needspace) {
-	    &makespace;
-	}
-	&escapes(0);
-	clear_noremap(1);
-	print $_, "\n";
-	$needspace = 1;
-    }
-}
-
-print <<"END";
-
-.rn }` ''
-END
-
-if (%wanna_see && !$lax) {
-    @missing = keys %wanna_see;
-    warn "$0: $Filename is missing required section"
-	.  (@missing > 1 && "s")
-	.  ": @missing\n";
-    $oops++;
-}
-
-foreach (@Indices) { print "$_\n"; }
-
-exit;
-#exit ($oops != 0);
-
-#########################################################################
-
-sub nobreak {
-    my $string = shift;
-    $string =~ s/ /\\ /g;
-    $string;
-}
-
-sub escapes {
-    my $indot = shift;
-
-    s/X<(.*?)>/mkindex($1)/ge;
-
-    # translate the minus in foo-bar into foo\-bar for roff
-    s/([^0-9a-z-])-([^-])/$1\\-$2/g;
-
-    # make -- into the string version \*(-- (defined above)
-    s/\b--\b/\\*(--/g;
-    s/"--([^"])/"\\*(--$1/g;  # should be a better way
-    s/([^"])--"/$1\\*(--"/g;
-
-    # fix up quotes; this is somewhat tricky
-    my $dotmacroL = 'L';
-    my $dotmacroR = 'R';
-    if ( $indot == 1 ) {
-	$dotmacroL = 'M';
-	$dotmacroR = 'S';
-    }  
-    elsif ( $indot >= 2 ) {
-	$dotmacroL = 'N';
-	$dotmacroR = 'T';
-    }  
-    if (!/""/) {
-	s/(^|\s)(['"])/noremap("$1\\*($dotmacroL$2")/ge;
-	s/(['"])($|[\-\s,;\\!?.])/noremap("\\*($dotmacroR$1$2")/ge;
-    }
-
-    #s/(?!")(?:.)--(?!")(?:.)/\\*(--/g;
-    #s/(?:(?!")(?:.)--(?:"))|(?:(?:")--(?!")(?:.))/\\*(--/g;
-
-
-    # make sure that func() keeps a bit a space tween the parens
-    ### s/\b\(\)/\\|()/g;
-    ### s/\b\(\)/(\\|)/g;
-
-    # make C++ into \*C+, which is a squinched version (defined above)
-    s/\bC\+\+/\\*(C+/g;
-
-    # make double underbars have a little tiny space between them
-    s/__/_\\|_/g;
-
-    # PI goes to \*(PI (defined above)
-    s/\bPI\b/noremap('\\*(PI')/ge;
-
-    # make all caps a teeny bit smaller, but don't muck with embedded code literals
-    my $hidCFont = font('C');
-    if ($Cmd !~ /^head1/) { # SH already makes smaller
-	# /g isn't enough; 1 while or we'll be off
-
-#	1 while s{
-#	    (?!$hidCFont)(..|^.|^)
-#	    \b
-#	    (
-#		[A-Z][\/A-Z+:\-\d_$.]+
-#	    )
-#	    (s?) 		
-#	    \b
-#	} {$1\\s-1$2\\s0}gmox;
-
-	1 while s{
-	    (?!$hidCFont)(..|^.|^)
-	    (
-		\b[A-Z]{2,}[\/A-Z+:\-\d_\$]*\b
-	    )
-	} {
-	    $1 . noremap( '\\s-1' .  $2 . '\\s0' )
-	}egmox;
-
-    }
-}
-
-# make troff just be normal, but make small nroff get quoted
-# decided to just put the quotes in the text; sigh;
-sub ccvt {
-    local($_,$prev) = @_;
-    noremap(qq{.CQ "$_" \n\\&});
-}
-
-sub makespace {
-    if ($indent) {
-	print ".Sp\n";
-    }
-    else {
-	print ".PP\n";
-    }
-}
-
-sub mkindex {
-    my ($entry) = @_;
-    my @entries = split m:\s*/\s*:, $entry;
-    push @Indices, ".IX Xref " . join ' ', map {qq("$_")} @entries;
-    return '';
-}
-
-sub font {
-    local($font) = shift;
-    return '\\f' . noremap($font);
-}
-
-sub noremap {
-    local($thing_to_hide) = shift;
-    $thing_to_hide =~ tr/\000-\177/\200-\377/;
-    return $thing_to_hide;
-}
-
-sub init_noremap {
-	# escape high bit characters in input stream
-	s/([\200-\377])/"E<".ord($1).">"/ge;
-}
-
-sub clear_noremap {
-    my $ready_to_print = $_[0];
-
-    tr/\200-\377/\000-\177/;
-
-    # trofficate backslashes
-    # s/(?!\\e)(?:..|^.|^)\\/\\e/g;
-
-    # now for the E<>s, which have been hidden until now
-    # otherwise the interative \w<> processing would have
-    # been hosed by the E
-    s {
-	    E<
-	    (
-	        ( \d + ) 
-	        | ( [A-Za-z]+ )	
-	    )
-	    >	
-    } {
-	 do {
-	     defined $2
-		? chr($2)
-		:	
-	     exists $HTML_Escapes{$3}
-		? do { $HTML_Escapes{$3} }
-		: do {
-		    warn "$0: Unknown escape in paragraph $. of $ARGV: ``$&''\n";
-		    "E<$1>";
-		}
-	 }
-    }egx if $ready_to_print;
-}
-
-sub internal_lrefs {
-    local($_) = shift;
-    local $trailing_and = s/and\s+$// ? "and " : "";
-
-    s{L]+)>}{$1}g;
-    my(@items) = split( /(?:,?\s+(?:and\s+)?)/ );
-    my $retstr = "the ";
-    my $i;
-    for ($i = 0; $i <= $#items; $i++) {
-	$retstr .= "C<$items[$i]>";
-	$retstr .= ", " if @items > 2 && $i != $#items;
-	$retstr .= " and " if $i+2 == @items;
-    }
-
-    $retstr .= " entr" . ( @items > 1  ? "ies" : "y" )
-	    .  " elsewhere in this document";
-    # terminal space to avoid words running together (pattern used
-    # strips terminal spaces)
-    $retstr .= " " if length $trailing_and;
-    $retstr .=  $trailing_and;
-
-    return $retstr;
-
-}
-
-BEGIN {
-%HTML_Escapes = (
-    'amp'	=>	'&',	#   ampersand
-    'lt'	=>	'<',	#   left chevron, less-than
-    'gt'	=>	'>',	#   right chevron, greater-than
-    'quot'	=>	'"',	#   double quote
-
-    "Aacute"	=>	"A\\*'",	#   capital A, acute accent
-    "aacute"	=>	"a\\*'",	#   small a, acute accent
-    "Acirc"	=>	"A\\*^",	#   capital A, circumflex accent
-    "acirc"	=>	"a\\*^",	#   small a, circumflex accent
-    "AElig"	=>	'\*(AE',	#   capital AE diphthong (ligature)
-    "aelig"	=>	'\*(ae',	#   small ae diphthong (ligature)
-    "Agrave"	=>	"A\\*`",	#   capital A, grave accent
-    "agrave"	=>	"A\\*`",	#   small a, grave accent
-    "Aring"	=>	'A\\*o',	#   capital A, ring
-    "aring"	=>	'a\\*o',	#   small a, ring
-    "Atilde"	=>	'A\\*~',	#   capital A, tilde
-    "atilde"	=>	'a\\*~',	#   small a, tilde
-    "Auml"	=>	'A\\*:',	#   capital A, dieresis or umlaut mark
-    "auml"	=>	'a\\*:',	#   small a, dieresis or umlaut mark
-    "Ccedil"	=>	'C\\*,',	#   capital C, cedilla
-    "ccedil"	=>	'c\\*,',	#   small c, cedilla
-    "Eacute"	=>	"E\\*'",	#   capital E, acute accent
-    "eacute"	=>	"e\\*'",	#   small e, acute accent
-    "Ecirc"	=>	"E\\*^",	#   capital E, circumflex accent
-    "ecirc"	=>	"e\\*^",	#   small e, circumflex accent
-    "Egrave"	=>	"E\\*`",	#   capital E, grave accent
-    "egrave"	=>	"e\\*`",	#   small e, grave accent
-    "ETH"	=>	'\\*(D-',	#   capital Eth, Icelandic
-    "eth"	=>	'\\*(d-',	#   small eth, Icelandic
-    "Euml"	=>	"E\\*:",	#   capital E, dieresis or umlaut mark
-    "euml"	=>	"e\\*:",	#   small e, dieresis or umlaut mark
-    "Iacute"	=>	"I\\*'",	#   capital I, acute accent
-    "iacute"	=>	"i\\*'",	#   small i, acute accent
-    "Icirc"	=>	"I\\*^",	#   capital I, circumflex accent
-    "icirc"	=>	"i\\*^",	#   small i, circumflex accent
-    "Igrave"	=>	"I\\*`",	#   capital I, grave accent
-    "igrave"	=>	"i\\*`",	#   small i, grave accent
-    "Iuml"	=>	"I\\*:",	#   capital I, dieresis or umlaut mark
-    "iuml"	=>	"i\\*:",	#   small i, dieresis or umlaut mark
-    "Ntilde"	=>	'N\*~',		#   capital N, tilde
-    "ntilde"	=>	'n\*~',		#   small n, tilde
-    "Oacute"	=>	"O\\*'",	#   capital O, acute accent
-    "oacute"	=>	"o\\*'",	#   small o, acute accent
-    "Ocirc"	=>	"O\\*^",	#   capital O, circumflex accent
-    "ocirc"	=>	"o\\*^",	#   small o, circumflex accent
-    "Ograve"	=>	"O\\*`",	#   capital O, grave accent
-    "ograve"	=>	"o\\*`",	#   small o, grave accent
-    "Oslash"	=>	"O\\*/",	#   capital O, slash
-    "oslash"	=>	"o\\*/",	#   small o, slash
-    "Otilde"	=>	"O\\*~",	#   capital O, tilde
-    "otilde"	=>	"o\\*~",	#   small o, tilde
-    "Ouml"	=>	"O\\*:",	#   capital O, dieresis or umlaut mark
-    "ouml"	=>	"o\\*:",	#   small o, dieresis or umlaut mark
-    "szlig"	=>	'\*8',		#   small sharp s, German (sz ligature)
-    "THORN"	=>	'\\*(Th',	#   capital THORN, Icelandic
-    "thorn"	=>	'\\*(th',,	#   small thorn, Icelandic
-    "Uacute"	=>	"U\\*'",	#   capital U, acute accent
-    "uacute"	=>	"u\\*'",	#   small u, acute accent
-    "Ucirc"	=>	"U\\*^",	#   capital U, circumflex accent
-    "ucirc"	=>	"u\\*^",	#   small u, circumflex accent
-    "Ugrave"	=>	"U\\*`",	#   capital U, grave accent
-    "ugrave"	=>	"u\\*`",	#   small u, grave accent
-    "Uuml"	=>	"U\\*:",	#   capital U, dieresis or umlaut mark
-    "uuml"	=>	"u\\*:",	#   small u, dieresis or umlaut mark
-    "Yacute"	=>	"Y\\*'",	#   capital Y, acute accent
-    "yacute"	=>	"y\\*'",	#   small y, acute accent
-    "yuml"	=>	"y\\*:",	#   small y, dieresis or umlaut mark
-);
-}
-
diff --git a/util/pod2mantest b/util/pod2mantest
deleted file mode 100755
index 384e683..0000000
--- a/util/pod2mantest
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-
-# This script is used by test/Makefile to check whether a sane 'pod2man'
-# is installed.
-# ('make install' should not try to run 'pod2man' if it does not exist or if
-# it is a broken 'pod2man' version that is known to cause trouble. if we find
-# the system 'pod2man' to be broken, we use our own copy instead)
-#
-# In any case, output an appropriate command line for running (or not
-# running) pod2man.
-
-
-IFS=:
-if test "$OSTYPE" = "msdosdjgpp"; then IFS=";"; fi
-
-try_without_dir=true
-# First we try "pod2man", then "$dir/pod2man" for each item in $PATH.
-for dir in dummy${IFS}$PATH; do
-    if [ "$try_without_dir" = true ]; then
-      # first iteration
-      pod2man=pod2man
-      try_without_dir=false
-    else
-      # second and later iterations
-      pod2man="$dir/pod2man"
-      if [ ! -f "$pod2man" ]; then  # '-x' is not available on Ultrix
-        pod2man=''
-      fi
-    fi
-
-    if [ ! "$pod2man" = '' ]; then
-        failure=none
-
-	if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | fgrep OpenSSL >/dev/null; then
-	    :
-	else
-	    failure=BasicTest
-	fi
-
-	if [ "$failure" = none ]; then
-	    if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null; then
-	        failure=MultilineTest
-	    fi
-	fi
-
-
-        if [ "$failure" = none ]; then
-            echo "$pod2man"
-            exit 0
-        fi
-
-        echo "$pod2man does not work properly ('$failure' failed).  Looking for another pod2man ..." >&2
-    fi
-done
-
-echo "No working pod2man found.  Consider installing a new version." >&2
-echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2
-echo "$1 ../../util/pod2man.pl"
diff --git a/util/pod2mantest.pod b/util/pod2mantest.pod
deleted file mode 100644
index 5d2539a..0000000
--- a/util/pod2mantest.pod
+++ /dev/null
@@ -1,15 +0,0 @@
-=pod
-
-=head1 NAME
-
-foo, bar,
-MARKER - test of multiline name section
-
-=head1 DESCRIPTION
-
-This is a test .pod file to see if we have a buggy pod2man or not.
-If we have a buggy implementation, we will get a line matching the
-regular expression "^ +MARKER - test of multiline name section *$"
-at the end of the resulting document.
-
-=cut


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Wed Dec 10 17:31:18 2014
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 10 Dec 2014 17:31:18 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 5cf37957fbdb7e2a1be48e15c4114d218c135f73
Message-ID: <20141210223118.BCC521DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  5cf37957fbdb7e2a1be48e15c4114d218c135f73 (commit)
      from  a4a934119dd213e16c9d8b11150a4815604c13bb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5cf37957fbdb7e2a1be48e15c4114d218c135f73
Author: Rich Salz 
Date:   Tue Sep 23 13:23:09 2014 -0400

    RT3543: Remove #ifdef LINT
    
    I also replaced some exit/return wrappers in various
    programs (from main) to standardize on return.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 apps/dhparam.c         |    3 ---
 apps/dsaparam.c        |    3 ---
 apps/gendh.c           |    3 ---
 apps/genpkey.c         |    3 ---
 apps/genrsa.c          |    3 ---
 apps/req.c             |    3 ---
 apps/speed.c           |    9 ---------
 crypto/asn1/asn1_par.c |    3 ---
 crypto/des/read_pwd.c  |    3 ---
 crypto/des/rpw.c       |   10 ++--------
 crypto/dh/dhtest.c     |    3 ---
 crypto/ecdh/ecdhtest.c |    3 ---
 12 files changed, 2 insertions(+), 47 deletions(-)

diff --git a/apps/dhparam.c b/apps/dhparam.c
index c4cf168..1127d10 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -560,9 +560,6 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	if (p == 3) c='\n';
 	BIO_write(BN_GENCB_get_arg(cb),&c,1);
 	(void)BIO_flush(BN_GENCB_get_arg(cb));
-#ifdef LINT
-	p=n;
-#endif
 	return 1;
 	}
 
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index e51f502..8ee5d42 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -482,9 +482,6 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
 	if (p == 3) c='\n';
 	BIO_write(BN_GENCB_get_arg(cb),&c,1);
 	(void)BIO_flush(BN_GENCB_get_arg(cb));
-#ifdef LINT
-	p=n;
-#endif
 #ifdef GENCB_TEST
 	if(stop_keygen_flag)
 		return 0;
diff --git a/apps/gendh.c b/apps/gendh.c
index 1536cbf..c8645a4 100644
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -233,9 +233,6 @@ static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	if (p == 3) c='\n';
 	BIO_write(BN_GENCB_get_arg(cb),&c,1);
 	(void)BIO_flush(BN_GENCB_get_arg(cb));
-#ifdef LINT
-	p=n;
-#endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_DH */
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 6dfda08..685e2c6 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -433,8 +433,5 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
 	if (p == 3) c='\n';
 	BIO_write(b,&c,1);
 	(void)BIO_flush(b);
-#ifdef LINT
-	p=n;
-#endif
 	return 1;
 	}
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 7b0bcc2..54e30d3 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -327,9 +327,6 @@ static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb)
 	if (p == 3) c='\n';
 	BIO_write(BN_GENCB_get_arg(cb),&c,1);
 	(void)BIO_flush(BN_GENCB_get_arg(cb));
-#ifdef LINT
-	p=n;
-#endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_RSA */
diff --git a/apps/req.c b/apps/req.c
index 6a19144..87ab412 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1773,9 +1773,6 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
 	if (p == 3) c='\n';
 	BIO_write(b,&c,1);
 	(void)BIO_flush(b);
-#ifdef LINT
-	p=n;
-#endif
 	return 1;
 	}
 
diff --git a/apps/speed.c b/apps/speed.c
index b5d7921..e5742e6 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -272,9 +272,6 @@ static SIGRETTYPE sig_done(int sig)
 	{
 	signal(SIGALRM,sig_done);
 	run=0;
-#ifdef LINT
-	sig=sig;
-#endif
 	}
 #endif
 
@@ -2649,9 +2646,6 @@ static void print_message(const char *s, long num, int length)
 		   : "Doing %s %ld times on %d size blocks: ",s,num,length);
 	(void)BIO_flush(bio_err);
 #endif
-#ifdef LINT
-	num=num;
-#endif
 	}
 
 static void pkey_print_message(const char *str, const char *str2, long num,
@@ -2667,9 +2661,6 @@ static void pkey_print_message(const char *str, const char *str2, long num,
 			   : "Doing %ld %d bit %s %s's: ",num,bits,str,str2);
 	(void)BIO_flush(bio_err);
 #endif
-#ifdef LINT
-	num=num;
-#endif
 	}
 
 static void print_result(int alg,int run_no,int count,double time_used)
diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index aaca69a..147aa47 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -133,9 +133,6 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 		{
 		op=p;
 		j=ASN1_get_object(&p,&len,&tag,&xclass,length);
-#ifdef LINT
-		j=j;
-#endif
 		if (j & 0x80)
 			{
 			if (BIO_write(bp,"Error in encoding\n",18) <= 0)
diff --git a/crypto/des/read_pwd.c b/crypto/des/read_pwd.c
index 7e3f902..ffc458a 100644
--- a/crypto/des/read_pwd.c
+++ b/crypto/des/read_pwd.c
@@ -462,9 +462,6 @@ static void popsig(void)
 static void recsig(int i)
 	{
 	longjmp(save,1);
-#ifdef LINT
-	i=i;
-#endif
 	}
 
 #ifdef OPENSSL_SYS_MSDOS
diff --git a/crypto/des/rpw.c b/crypto/des/rpw.c
index 8a9473c..af1f0cf 100644
--- a/crypto/des/rpw.c
+++ b/crypto/des/rpw.c
@@ -86,14 +86,8 @@ int main(int argc, char *argv[])
 		for (i=0; i<8; i++)
 			printf("%02x ",k1[i]);
 		printf("\n");
-		exit(1);
+		return(1);
 		}
-	else
-		{
-		printf("error %d\n",i);
-		exit(0);
-		}
-#ifdef LINT
+	printf("error %d\n",i);
 	return(0);
-#endif
 	}
diff --git a/crypto/dh/dhtest.c b/crypto/dh/dhtest.c
index 1d49d04..c98c804 100644
--- a/crypto/dh/dhtest.c
+++ b/crypto/dh/dhtest.c
@@ -226,9 +226,6 @@ static int MS_CALLBACK cb(int p, int n, BN_GENCB *arg)
 	if (p == 3) c='\n';
 	BIO_write(BN_GENCB_get_arg(arg),&c,1);
 	(void)BIO_flush(BN_GENCB_get_arg(arg));
-#ifdef LINT
-	p=n;
-#endif
 	return 1;
 	}
 
diff --git a/crypto/ecdh/ecdhtest.c b/crypto/ecdh/ecdhtest.c
index 4b861fe..e4c0945 100644
--- a/crypto/ecdh/ecdhtest.c
+++ b/crypto/ecdh/ecdhtest.c
@@ -537,9 +537,6 @@ static void MS_CALLBACK cb(int p, int n, void *arg)
 	if (p == 3) c='\n';
 	BIO_write((BIO *)arg,&c,1);
 	(void)BIO_flush((BIO *)arg);
-#ifdef LINT
-	p=n;
-#endif
 	}
 #endif
 #endif


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Thu Dec 11 17:03:02 2014
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 11 Dec 2014 17:03:02 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 5ab65c50ef8287b128d6642209525283e1ea07be
Message-ID: <20141211220302.D8BB41E013E@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  5ab65c50ef8287b128d6642209525283e1ea07be (commit)
      from  5cf37957fbdb7e2a1be48e15c4114d218c135f73 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5ab65c50ef8287b128d6642209525283e1ea07be
Author: Rich Salz 
Date:   Thu Dec 11 17:01:16 2014 -0500

    RT3497: Clean up "dclean" targets
    
    Some Makefiles had actions for "dclean" that really belonged
    to the "clean" target.  This is wrong because clean ends up,
    well, not really cleaning everything.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 Makefile.org        |    2 +-
 apps/Makefile       |    3 +--
 crypto/Makefile     |    2 +-
 crypto/md4/Makefile |    1 -
 tools/Makefile      |    2 +-
 5 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/Makefile.org b/Makefile.org
index 7c802e8..0844925 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -476,6 +476,7 @@ libclean:
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
+	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS) tags TAGS
 	rm -f openssl.pc libssl.pc libcrypto.pc
@@ -504,7 +505,6 @@ gentests:
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 
 dclean:
-	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
diff --git a/apps/Makefile b/apps/Makefile
index fd53f7c..a952a85 100644
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -137,11 +137,10 @@ depend:
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
-	rm -f CA.pl
 
 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
-	rm -f req
+	rm -f req CA.pl
 
 $(DLIBSSL):
 	(cd ..; $(MAKE) DIRS=ssl all)
diff --git a/crypto/Makefile b/crypto/Makefile
index 12be189..6a6ac32 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -141,12 +141,12 @@ depend:
 
 clean:
 	rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f opensslconf.h
 	@target=clean; $(RECURSIVE_MAKE)
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
-	rm -f opensslconf.h
 	@target=dclean; $(RECURSIVE_MAKE)
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/md4/Makefile b/crypto/md4/Makefile
index fabc0af..af68603 100644
--- a/crypto/md4/Makefile
+++ b/crypto/md4/Makefile
@@ -69,7 +69,6 @@ depend:
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
-	rm -f ../../include/openssl/$(EXHEADER) ../../test/$(TEST) ../../apps/$(APPS)
 
 clean:
 	rm -f asm/mx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
diff --git a/tools/Makefile b/tools/Makefile
index bb6fb71..b50218d 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -49,10 +49,10 @@ depend:
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
-	rm -f c_rehash
 
 clean:
 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f c_rehash
 
 errors:
 


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Thu Dec 11 17:07:30 2014
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 11 Dec 2014 17:07:30 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. e03af1789f702dc19925abb50422ff8a21a70c72
Message-ID: <20141211220730.8C8FA1E013E@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  e03af1789f702dc19925abb50422ff8a21a70c72 (commit)
      from  5ab65c50ef8287b128d6642209525283e1ea07be (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e03af1789f702dc19925abb50422ff8a21a70c72
Author: Rich Salz 
Date:   Thu Dec 11 17:05:57 2014 -0500

    Minor doc fixes.
    
    In EVP_EncryptInit remove duplicate mention of EVP_idea_cbc()
    In EVP_PKEY_CTX_ctrl.pod remove EVP_PKEY_get_default_digest_nid
    since it is documented elsewhere.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/EVP_EncryptInit.pod   |    4 ++--
 doc/crypto/EVP_PKEY_CTX_ctrl.pod |    4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index 524921f..d4b6af3 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -20,7 +20,7 @@ EVP_CIPHER_CTX_set_padding,  EVP_enc_null, EVP_des_cbc, EVP_des_ecb,
 EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb,
 EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb,
 EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc,
-EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc,
+EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_rc2_cbc,
 EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc,
 EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc,
 EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_rc5_32_12_16_cbc,
@@ -332,7 +332,7 @@ RC4 stream cipher with 40 bit key length.
 This is obsolete and new code should use EVP_rc4()
 and the EVP_CIPHER_CTX_set_key_length() function.
 
-=item EVP_idea_cbc() EVP_idea_ecb(), EVP_idea_cfb(), EVP_idea_ofb(), EVP_idea_cbc()
+=item EVP_idea_cbc() EVP_idea_ecb(), EVP_idea_cfb(), EVP_idea_ofb()
 
 IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
 
diff --git a/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/doc/crypto/EVP_PKEY_CTX_ctrl.pod
index 44b5fdb..2367ae6 100644
--- a/doc/crypto/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/crypto/EVP_PKEY_CTX_ctrl.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str, EVP_PKEY_get_default_digest_nid,
+EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str,
 EVP_PKEY_CTX_set_signature_md, EVP_PKEY_CTX_set_rsa_padding,
 EVP_PKEY_CTX_set_rsa_pss_saltlen, EVP_PKEY_CTX_set_rsa_rsa_keygen_bits,
 EVP_PKEY_CTX_set_rsa_keygen_pubexp, EVP_PKEY_CTX_set_dsa_paramgen_bits,
@@ -19,8 +19,6 @@ EVP_PKEY_CTX_set_ec_paramgen_curve_nid - algorithm specific control operations
  int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
 						const char *value);
 
- int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
-
  #include 
 
  int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Thu Dec 11 18:53:10 2014
From: matt at openssl.org (Matt Caswell)
Date: Thu, 11 Dec 2014 18:53:10 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. fd0ba77717c4fda075c9c9a6ff1e5975fdf76905
Message-ID: <20141211235310.80DE11E013E@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  fd0ba77717c4fda075c9c9a6ff1e5975fdf76905 (commit)
      from  e03af1789f702dc19925abb50422ff8a21a70c72 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fd0ba77717c4fda075c9c9a6ff1e5975fdf76905
Author: Matt Caswell 
Date:   Thu Dec 11 23:33:10 2014 +0000

    make update
    
    Reviewed-by: Tim Hudson 

-----------------------------------------------------------------------

Summary of changes:
 crypto/Makefile          |    8 ++---
 crypto/bn/Makefile       |    6 ++--
 crypto/camellia/Makefile |    4 +--
 crypto/cms/Makefile      |   90 +++++++++++++++++++++++-----------------------
 crypto/pqueue/Makefile   |    5 +--
 crypto/ts/Makefile       |   11 +++---
 engines/ccgost/Makefile  |   22 ++++++------
 ssl/Makefile             |    2 +-
 test/Makefile            |    7 ++--
 util/libeay.num          |   68 +++++++++++++++++------------------
 10 files changed, 115 insertions(+), 108 deletions(-)

diff --git a/crypto/Makefile b/crypto/Makefile
index 6a6ac32..fafa418 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -222,10 +222,10 @@ o_init.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 o_init.o: ../include/openssl/symhacks.h o_init.c
 o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
 o_str.o: o_str.c o_str.h
-o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
-o_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-o_time.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-o_time.o: ../include/openssl/symhacks.h crypto.h o_time.c
+o_time.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+o_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+o_time.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+o_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h o_time.c
 thr_id.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 thr_id.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 thr_id.o: ../include/openssl/err.h ../include/openssl/lhash.h
diff --git a/crypto/bn/Makefile b/crypto/bn/Makefile
index f0548ed..c53b189 100644
--- a/crypto/bn/Makefile
+++ b/crypto/bn/Makefile
@@ -212,11 +212,11 @@ bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_blind.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bn_blind.o: ../../include/openssl/symhacks.h ../cryptlib.h
 bn_blind.o: ../include/internal/bn_int.h bn_blind.c bn_lcl.h
-bn_const.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-bn_const.o: ../../include/openssl/opensslconf.h
+bn_const.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+bn_const.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 bn_const.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_const.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_const.o: ../../include/openssl/symhacks.h bn.h bn_const.c
+bn_const.o: ../../include/openssl/symhacks.h bn_const.c
 bn_ctx.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
diff --git a/crypto/camellia/Makefile b/crypto/camellia/Makefile
index 5dfd696..5923099 100644
--- a/crypto/camellia/Makefile
+++ b/crypto/camellia/Makefile
@@ -88,8 +88,8 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-camellia.o: ../../include/openssl/opensslconf.h camellia.c camellia.h
-camellia.o: cmll_locl.h
+camellia.o: ../../include/openssl/camellia.h
+camellia.o: ../../include/openssl/opensslconf.h camellia.c cmll_locl.h
 cmll_cbc.o: ../../include/openssl/camellia.h ../../include/openssl/modes.h
 cmll_cbc.o: ../../include/openssl/opensslconf.h cmll_cbc.c
 cmll_cfb.o: ../../include/openssl/camellia.h ../../include/openssl/modes.h
diff --git a/crypto/cms/Makefile b/crypto/cms/Makefile
index 644fef3..2e957c7 100644
--- a/crypto/cms/Makefile
+++ b/crypto/cms/Makefile
@@ -82,34 +82,34 @@ clean:
 
 cms_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 cms_asn1.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-cms_asn1.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-cms_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-cms_asn1.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-cms_asn1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-cms_asn1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-cms_asn1.o: ../../include/openssl/opensslconf.h
+cms_asn1.o: ../../include/openssl/cms.h ../../include/openssl/conf.h
+cms_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+cms_asn1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+cms_asn1.o: ../../include/openssl/ecdsa.h ../../include/openssl/evp.h
+cms_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+cms_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 cms_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 cms_asn1.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
 cms_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 cms_asn1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 cms_asn1.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 cms_asn1.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-cms_asn1.o: cms.h cms_asn1.c cms_lcl.h
+cms_asn1.o: cms_asn1.c cms_lcl.h
 cms_att.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 cms_att.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-cms_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-cms_att.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-cms_att.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-cms_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-cms_att.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-cms_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-cms_att.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-cms_att.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-cms_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-cms_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-cms_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-cms_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-cms_att.o: cms.h cms_att.c cms_lcl.h
+cms_att.o: ../../include/openssl/cms.h ../../include/openssl/conf.h
+cms_att.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+cms_att.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+cms_att.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+cms_att.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+cms_att.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+cms_att.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+cms_att.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+cms_att.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+cms_att.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+cms_att.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+cms_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+cms_att.o: ../../include/openssl/x509v3.h cms_att.c cms_lcl.h
 cms_cd.o: ../../e_os.h ../../include/openssl/asn1.h
 cms_cd.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 cms_cd.o: ../../include/openssl/buffer.h ../../include/openssl/cms.h
@@ -206,18 +206,18 @@ cms_ess.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 cms_ess.o: ../../include/openssl/x509v3.h ../cryptlib.h cms_ess.c cms_lcl.h
 cms_io.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 cms_io.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-cms_io.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-cms_io.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-cms_io.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-cms_io.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-cms_io.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-cms_io.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-cms_io.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
-cms_io.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-cms_io.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-cms_io.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-cms_io.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h cms.h
-cms_io.o: cms_io.c cms_lcl.h
+cms_io.o: ../../include/openssl/cms.h ../../include/openssl/crypto.h
+cms_io.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+cms_io.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+cms_io.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+cms_io.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+cms_io.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+cms_io.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+cms_io.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+cms_io.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+cms_io.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+cms_io.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+cms_io.o: ../../include/openssl/x509_vfy.h cms_io.c cms_lcl.h
 cms_kari.o: ../../e_os.h ../../include/openssl/aes.h
 cms_kari.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 cms_kari.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
@@ -238,19 +238,19 @@ cms_kari.o: ../../include/openssl/x509v3.h ../asn1/asn1_locl.h ../cryptlib.h
 cms_kari.o: cms_kari.c cms_lcl.h
 cms_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 cms_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-cms_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-cms_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-cms_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-cms_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-cms_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-cms_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-cms_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-cms_lib.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-cms_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-cms_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-cms_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-cms_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-cms_lib.o: cms.h cms_lcl.h cms_lib.c
+cms_lib.o: ../../include/openssl/cms.h ../../include/openssl/conf.h
+cms_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+cms_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+cms_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+cms_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+cms_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+cms_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+cms_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+cms_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+cms_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+cms_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+cms_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+cms_lib.o: ../../include/openssl/x509v3.h cms_lcl.h cms_lib.c
 cms_pwri.o: ../../e_os.h ../../include/openssl/aes.h
 cms_pwri.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 cms_pwri.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
diff --git a/crypto/pqueue/Makefile b/crypto/pqueue/Makefile
index fb36a0c..3c2d33d 100644
--- a/crypto/pqueue/Makefile
+++ b/crypto/pqueue/Makefile
@@ -79,5 +79,6 @@ pqueue.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pqueue.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 pqueue.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 pqueue.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-pqueue.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-pqueue.o: ../../include/openssl/symhacks.h ../cryptlib.h pqueue.c pqueue.h
+pqueue.o: ../../include/openssl/pqueue.h ../../include/openssl/safestack.h
+pqueue.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pqueue.o: ../cryptlib.h pqueue.c
diff --git a/crypto/ts/Makefile b/crypto/ts/Makefile
index c182345..32872a7 100644
--- a/crypto/ts/Makefile
+++ b/crypto/ts/Makefile
@@ -146,8 +146,9 @@ ts_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ts_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 ts_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 ts_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ts_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ts_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ts.h ts_lib.c
+ts_lib.o: ../../include/openssl/ts.h ../../include/openssl/x509.h
+ts_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ts_lib.o: ../cryptlib.h ts_lib.c
 ts_req_print.o: ../../e_os.h ../../include/openssl/asn1.h
 ts_req_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 ts_req_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
@@ -196,9 +197,9 @@ ts_rsp_print.o: ../../include/openssl/opensslv.h
 ts_rsp_print.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 ts_rsp_print.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 ts_rsp_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ts_rsp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-ts_rsp_print.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-ts_rsp_print.o: ../cryptlib.h ts.h ts_rsp_print.c
+ts_rsp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h
+ts_rsp_print.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ts_rsp_print.o: ../../include/openssl/x509v3.h ../cryptlib.h ts_rsp_print.c
 ts_rsp_sign.o: ../../e_os.h ../../include/openssl/asn1.h
 ts_rsp_sign.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 ts_rsp_sign.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
index 1dbd883..bcb82e3 100644
--- a/engines/ccgost/Makefile
+++ b/engines/ccgost/Makefile
@@ -131,9 +131,9 @@ gost94_keyx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 gost94_keyx.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 gost94_keyx.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 gost94_keyx.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-gost94_keyx.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
-gost94_keyx.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-gost94_keyx.o: ../../include/openssl/objects.h
+gost94_keyx.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+gost94_keyx.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+gost94_keyx.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 gost94_keyx.o: ../../include/openssl/opensslconf.h
 gost94_keyx.o: ../../include/openssl/opensslv.h
 gost94_keyx.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
@@ -179,8 +179,9 @@ gost_crypt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 gost_crypt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 gost_crypt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 gost_crypt.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-gost_crypt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-gost_crypt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+gost_crypt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+gost_crypt.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+gost_crypt.o: ../../include/openssl/objects.h
 gost_crypt.o: ../../include/openssl/opensslconf.h
 gost_crypt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 gost_crypt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
@@ -247,9 +248,9 @@ gost_pmeth.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
 gost_pmeth.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
 gost_pmeth.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 gost_pmeth.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-gost_pmeth.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
-gost_pmeth.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-gost_pmeth.o: ../../include/openssl/objects.h
+gost_pmeth.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+gost_pmeth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+gost_pmeth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 gost_pmeth.o: ../../include/openssl/opensslconf.h
 gost_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 gost_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
@@ -264,8 +265,9 @@ gost_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 gost_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 gost_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 gost_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-gost_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-gost_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+gost_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+gost_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+gost_sign.o: ../../include/openssl/objects.h
 gost_sign.o: ../../include/openssl/opensslconf.h
 gost_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 gost_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
diff --git a/ssl/Makefile b/ssl/Makefile
index ebbdedc..0a7a1a3 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -242,7 +242,7 @@ d1_srtp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 d1_srtp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 d1_srtp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 d1_srtp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srtp.c
-d1_srtp.o: srtp.h ssl_locl.h
+d1_srtp.o: ssl_locl.h
 d1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
diff --git a/test/Makefile b/test/Makefile
index 85ba594..2f5d205 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -719,8 +719,11 @@ jpaketest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
 jpaketest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 jpaketest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 jpaketest.o: ../include/openssl/symhacks.h jpaketest.c
-md2test.o: ../e_os.h ../include/openssl/e_os2.h
-md2test.o: ../include/openssl/opensslconf.h md2test.c
+md2test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+md2test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
+md2test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+md2test.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+md2test.o: ../include/openssl/symhacks.h md2test.c
 md4test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 md4test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 md4test.o: ../include/openssl/evp.h ../include/openssl/md4.h
diff --git a/util/libeay.num b/util/libeay.num
index f29a327..fa12145 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -3676,7 +3676,7 @@ BN_X931_generate_prime_ex               4060	EXIST::FUNCTION:
 FIPS_selftest_check                     4061	NOEXIST::FUNCTION:
 FIPS_rand_set_dt                        4062	NOEXIST::FUNCTION:
 CRYPTO_dbg_pop_info                     4063	NOEXIST::FUNCTION:
-FIPS_dsa_free                           4064	EXIST:OPENSSL_FIPS:FUNCTION:DSA
+FIPS_dsa_free                           4064	NOEXIST::FUNCTION:
 RSA_X931_derive_ex                      4065	EXIST::FUNCTION:RSA
 FIPS_rsa_new                            4066	NOEXIST::FUNCTION:
 FIPS_rand_bytes                         4067	NOEXIST::FUNCTION:
@@ -3685,9 +3685,9 @@ EVP_CIPHER_CTX_test_flags               4069	EXIST::FUNCTION:
 CRYPTO_malloc_debug_init                4070	NOEXIST::FUNCTION:
 CRYPTO_dbg_push_info                    4071	NOEXIST::FUNCTION:
 FIPS_corrupt_rsa_keygen                 4072	NOEXIST::FUNCTION:
-FIPS_dh_new                             4073	EXIST:OPENSSL_FIPS:FUNCTION:DH
+FIPS_dh_new                             4073	NOEXIST::FUNCTION:
 FIPS_corrupt_dsa_keygen                 4074	NOEXIST::FUNCTION:
-FIPS_dh_free                            4075	EXIST:OPENSSL_FIPS:FUNCTION:DH
+FIPS_dh_free                            4075	NOEXIST::FUNCTION:
 fips_pkey_signature_test                4076	NOEXIST::FUNCTION:
 EVP_add_alg_module                      4077	EXIST::FUNCTION:
 int_RAND_init_engine_callbacks          4078	NOEXIST::FUNCTION:
@@ -3695,7 +3695,7 @@ int_EVP_CIPHER_set_engine_callbacks     4079	NOEXIST::FUNCTION:
 int_EVP_MD_init_engine_callbacks        4080	NOEXIST::FUNCTION:
 FIPS_rand_test_mode                     4081	NOEXIST::FUNCTION:
 FIPS_rand_reset                         4082	NOEXIST::FUNCTION:
-FIPS_dsa_new                            4083	EXIST:OPENSSL_FIPS:FUNCTION:DSA
+FIPS_dsa_new                            4083	NOEXIST::FUNCTION:
 int_RAND_set_callbacks                  4084	NOEXIST::FUNCTION:
 BN_X931_derive_prime_ex                 4085	EXIST::FUNCTION:
 int_ERR_lib_init                        4086	NOEXIST::FUNCTION:
@@ -4412,37 +4412,37 @@ X509_VERIFY_PARAM_add1_host             4771	EXIST::FUNCTION:
 EC_GROUP_get_mont_data                  4772	EXIST::FUNCTION:EC
 i2d_re_X509_tbs                         4773	EXIST::FUNCTION:
 RSA_security_bits                       4774	EXIST::FUNCTION:RSA
-FIPS_ecdsa_verify_digest                4775	EXIST:OPENSSL_FIPS:FUNCTION:ECDSA
-FIPS_ecdsa_verify                       4776	EXIST:OPENSSL_FIPS:FUNCTION:ECDSA
+FIPS_ecdsa_verify_digest                4775	NOEXIST::FUNCTION:
+FIPS_ecdsa_verify                       4776	NOEXIST::FUNCTION:
 BN_security_bits                        4777	EXIST::FUNCTION:
-FIPS_ecdsa_verify_ctx                   4778	EXIST:OPENSSL_FIPS:FUNCTION:ECDSA
+FIPS_ecdsa_verify_ctx                   4778	NOEXIST::FUNCTION:
 ASN1_SCTX_get_template                  4779	EXIST::FUNCTION:
 EVP_PKEY_asn1_set_security_bits         4780	EXIST::FUNCTION:
 ASN1_SCTX_set_app_data                  4781	EXIST::FUNCTION:
 ASN1_SCTX_free                          4782	EXIST::FUNCTION:
-FIPS_dsa_sign                           4783	EXIST:OPENSSL_FIPS:FUNCTION:DSA
+FIPS_dsa_sign                           4783	NOEXIST::FUNCTION:
 DH_security_bits                        4784	EXIST::FUNCTION:DH
 EVP_aes_128_wrap_pad                    4785	EXIST::FUNCTION:AES
 EVP_aes_192_wrap_pad                    4786	EXIST::FUNCTION:AES
-FIPS_dsa_verify_digest                  4787	EXIST:OPENSSL_FIPS:FUNCTION:DSA
+FIPS_dsa_verify_digest                  4787	NOEXIST::FUNCTION:
 ASN1_add_stable_module                  4788	EXIST::FUNCTION:
 DSA_security_bits                       4789	EXIST::FUNCTION:DSA
 ASN1_SCTX_get_item                      4790	EXIST::FUNCTION:
 ASN1_SCTX_get_app_data                  4791	EXIST::FUNCTION:
-FIPS_dsa_sign_digest                    4792	EXIST:OPENSSL_FIPS:FUNCTION:DSA
+FIPS_dsa_sign_digest                    4792	NOEXIST::FUNCTION:
 CRYPTO_128_unwrap_pad                   4793	EXIST::FUNCTION:
 ASN1_str2mask                           4794	EXIST::FUNCTION:
 EVP_aes_256_wrap_pad                    4795	EXIST::FUNCTION:AES
 CRYPTO_128_wrap_pad                     4796	EXIST::FUNCTION:
-FIPS_ecdsa_sign_ctx                     4797	EXIST:OPENSSL_FIPS:FUNCTION:ECDSA
-FIPS_ecdsa_sign_digest                  4798	EXIST:OPENSSL_FIPS:FUNCTION:ECDSA
+FIPS_ecdsa_sign_ctx                     4797	NOEXIST::FUNCTION:
+FIPS_ecdsa_sign_digest                  4798	NOEXIST::FUNCTION:
 ASN1_SCTX_new                           4799	EXIST::FUNCTION:
 BN_generate_dsa_nonce                   4800	EXIST::FUNCTION:
 EVP_PKEY_security_bits                  4801	EXIST::FUNCTION:
 BN_nist_mod_func                        4802	EXIST::FUNCTION:
 ASN1_SCTX_get_flags                     4803	EXIST::FUNCTION:
-FIPS_dsa_verify                         4804	EXIST:OPENSSL_FIPS:FUNCTION:DSA
-FIPS_dsa_verify_ctx                     4805	EXIST:OPENSSL_FIPS:FUNCTION:DSA
+FIPS_dsa_verify                         4804	NOEXIST::FUNCTION:
+FIPS_dsa_verify_ctx                     4805	NOEXIST::FUNCTION:
 FIPS_selftest                           4806	NOEXIST::FUNCTION:
 FIPS_set_error_callbacks                4807	NOEXIST::FUNCTION:
 FIPS_drbg_set_check_interval            4808	NOEXIST::FUNCTION:
@@ -4512,8 +4512,8 @@ FIPS_rsa_verify_ctx                     4871	NOEXIST::FUNCTION:
 RSA_check_key_ex                        4872	EXIST::FUNCTION:RSA
 i2s_ASN1_IA5STRING                      4874	EXIST::FUNCTION:
 s2i_ASN1_IA5STRING                      4875	EXIST::FUNCTION:
-FIPS_dsa_sign_ctx                       4876	EXIST:OPENSSL_FIPS:FUNCTION:DSA
-CRYPTO_ocb128_release                   4878	EXIST::FUNCTION:
+FIPS_dsa_sign_ctx                       4876	NOEXIST::FUNCTION:
+CRYPTO_ocb128_release                   4878	NOEXIST::FUNCTION:
 CRYPTO_ocb128_new                       4879	EXIST::FUNCTION:
 CRYPTO_ocb128_finish                    4880	EXIST::FUNCTION:
 EVP_aes_256_ocb                         4881	EXIST::FUNCTION:AES
@@ -4525,21 +4525,21 @@ EVP_aes_192_ocb                         4886	EXIST::FUNCTION:AES
 EVP_aes_128_ocb                         4887	EXIST::FUNCTION:AES
 CRYPTO_ocb128_init                      4888	EXIST::FUNCTION:
 CRYPTO_ocb128_encrypt                   4889	EXIST::FUNCTION:
-bn_wexpand                              4878	NOEXIST::FUNCTION:
-BN_zero_ex                              4879	EXIST::FUNCTION:
-BN_is_zero                              4880	EXIST::FUNCTION:
-BN_with_flags                           4881	EXIST::FUNCTION:
-BN_abs_is_word                          4882	EXIST::FUNCTION:
-bn_correct_top                          4883	NOEXIST::FUNCTION:
-BN_to_montgomery                        4884	EXIST::FUNCTION:
-BN_GENCB_new                            4885	EXIST::FUNCTION:
-BN_is_odd                               4886	EXIST::FUNCTION:
-BN_is_negative                          4887	EXIST::FUNCTION:
-BN_GENCB_get_arg                        4888	EXIST::FUNCTION:
-BN_GENCB_set                            4889	EXIST::FUNCTION:
-BN_is_word                              4890	EXIST::FUNCTION:
-BN_set_flags                            4891	EXIST::FUNCTION:
-BN_is_one                               4892	EXIST::FUNCTION:
-BN_GENCB_set_old                        4893	EXIST::FUNCTION:
-BN_GENCB_free                           4894	EXIST::FUNCTION:
-BN_get_flags                            4895	EXIST::FUNCTION:
+CRYPTO_ocb128_copy_ctx                  4890	EXIST::FUNCTION:
+BN_is_word                              4891	EXIST::FUNCTION:
+BN_GENCB_set                            4892	EXIST::FUNCTION:
+CRYPTO_ocb128_cleanup                   4893	EXIST::FUNCTION:
+BN_GENCB_set_old                        4894	EXIST::FUNCTION:
+BN_is_zero                              4895	EXIST::FUNCTION:
+BN_with_flags                           4896	EXIST::FUNCTION:
+BN_GENCB_new                            4897	EXIST::FUNCTION:
+BN_to_montgomery                        4898	EXIST::FUNCTION:
+BN_GENCB_free                           4899	EXIST::FUNCTION:
+BN_is_negative                          4900	EXIST::FUNCTION:
+BN_get_flags                            4901	EXIST::FUNCTION:
+BN_is_one                               4902	EXIST::FUNCTION:
+BN_abs_is_word                          4903	EXIST::FUNCTION:
+BN_GENCB_get_arg                        4904	EXIST::FUNCTION:
+BN_zero_ex                              4905	EXIST::FUNCTION:
+BN_is_odd                               4906	EXIST::FUNCTION:
+BN_set_flags                            4907	EXIST::FUNCTION:


hooks/post-receive
-- 
OpenSSL source code

From root at openssl.org  Thu Dec 11 23:07:09 2014
From: root at openssl.org (root)
Date: Thu, 11 Dec 2014 23:07:09 -0500 (EST)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	33268635160bba24f6bc98448a8162661d1ddb30
Message-ID: <20141212040711.DC2D91E013E@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  33268635160bba24f6bc98448a8162661d1ddb30 (commit)
       via  8a11f2314dd5d23dbefaf7f09b1ba07b73caeb87 (commit)
      from  1c90fbd4f1a896ba8ff2020c4b19584ea58e7255 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 33268635160bba24f6bc98448a8162661d1ddb30
Author: Rich Salz 
Date:   Thu Dec 11 23:06:29 2014 -0500

    Tweak fips; add "raw list" to manpages

commit 8a11f2314dd5d23dbefaf7f09b1ba07b73caeb87
Author: root 
Date:   Thu Dec 11 16:38:38 2014 -0500

    New scripts to generate the manpages.
    
    Only for the website, not general-purpose.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore          |    2 ++
 docs/fips/index.wml |    4 ++--
 docs/index.wml      |   15 +++++++++------
 getnames.pl         |   30 ++++++++++++++++++++++++++++++
 run-pod2html.sh     |   28 +++++++++++++++++-----------
 5 files changed, 60 insertions(+), 19 deletions(-)
 create mode 100644 getnames.pl

diff --git a/.gitignore b/.gitignore
index e6b8277..d6c50ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,8 @@
 *.html
 *.pdf
 *.gz*
+pod2htmd.tmp
+pod2htmi.tmp
 blog
 news/changelog.inc
 news/vulnerabilities.wml
diff --git a/docs/fips/index.wml b/docs/fips/index.wml
index 976af4c..0e8ccd3 100644
--- a/docs/fips/index.wml
+++ b/docs/fips/index.wml
@@ -7,13 +7,13 @@
 
 Here you can find a number of FIPS140 related files including the user
 guide and test vectors.
-

-
 The latest User Guide is the best place to start.  For a basic
 introduction and some general background see
 Important Notes About OpenSSL and FIPS 140-2, also note the
 summary and status of the ongoing open source based OpenSSL FIPS Object Module validation.
 

+
+

 Note FIPS module and FIPS validation support is included in some of the
 OpenSSL support plans.  Assistance
 with private label validation is also available on a
diff --git a/docs/index.wml b/docs/index.wml
index b43a376..770c8e2 100644
--- a/docs/index.wml
+++ b/docs/index.wml
@@ -13,16 +13,19 @@ features which are not present in other releases.
 

 

 openssl(1)

-    Manual page documenting the openssl command line tool.
-    (Opens in new page or tab).
+    Manual page documenting the openssl command line tool,
+    or the full command list.
+    (Opens in new page or tab.)
 
 
ssl(3)

-    Manual page documenting the OpenSSL SSL/TLS library.
-    (Opens in new page or tab).
+    Manual page documenting the OpenSSL SSL/TLS library,
+    or the full list of SSL API's.
+    (Opens in new page or tab.)
 
 
crypto(3)

-    Manual page documenting the OpenSSL Crypto library.
-    (Opens in new page or tab).
+    Manual page documenting the OpenSSL Crypto library,
+    or the full list of crypto API's.
+    (Opens in new page or tab.)
 
 
HOWTO

     HOWTO documents to introduce concepts or explain them in a way that is not possible in the manuals.
diff --git a/getnames.pl b/getnames.pl
new file mode 100644
index 0000000..58ee6d0
--- /dev/null
+++ b/getnames.pl
@@ -0,0 +1,30 @@
+#!/usr/bin/perl
+
+my $func = $ARGV[0];
+$func =~ s/\.pod//;
+$func =~ s at .*/@@;
+
+open(FH, $ARGV[0]) || die "Can't open $ARGV[1], $!";
+$/ = "";			# Eat a paragraph at once.
+while () {
+    chop;
+    s/\n/ /gm;
+    if (/^=head1 /) {
+	$name = 0;
+    } elsif ($name) {
+	if (/ - /) {
+	    s/ - .*//;
+	    s/,\s+/,/g;
+	    s/\s+,/,/g;
+	    s/^\s+//g;
+	    s/\s+$//g;
+	    s/\s/_/g;
+	    push @words, split ',';
+	}
+    }
+    if (/^=head1 *NAME *$/) {
+	$name = 1;
+    }
+}
+
+print join("\n", grep { $_ ne $func } @words),"\n";
diff --git a/run-pod2html.sh b/run-pod2html.sh
index c7a2ce5..0afd144 100755
--- a/run-pod2html.sh
+++ b/run-pod2html.sh
@@ -1,14 +1,20 @@
 #! /bin/sh
-x=$1
-rm -rf pod2htm*
-for subdir in apps crypto ssl ; do
-    mkdir -p docs/$subdir
-    for I in $x/$subdir/*.pod ; do
-	OUT=`basename $I .pod`
-	sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' <$I |
-	pod2html > docs/$subdir/$OUT.html \
-	    --podroot=$x "--htmlroot=/docs" \
-	    "--podpath=apps:crypto:ssl"
+SRC=$1
+DEST=docs
+HERE=`/bin/pwd`
+
+for SUB in apps crypto ssl; do
+    DIR=$DEST/$SUB
+    rm -rf $DIR
+    mkdir -p $DIR
+    for IN in $SRC/$SUB/*.pod; do
+	FN=`basename $IN .pod`
+	cat $IN \
+	| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
+	| pod2html --podroot=$SRC --htmlroot=/docs --podpath=$SUB:apps:crypto:ssl \
+	| sed -r 's/ $DIR/$FN.html
+	for L in `perl $HERE/getnames.pl $IN` ; do
+	    ln $DIR/$FN.html $DIR/$L.html || echo FAIL $DIR/$FN.html $DIR/$L.html
+	done
     done
 done
-rm -rf pod2htm*


hooks/post-receive
-- 
OpenSSL Web Pages 

From root at openssl.org  Fri Dec 12 04:53:46 2014
From: root at openssl.org (root)
Date: Thu, 11 Dec 2014 23:53:46 -0500 (EST)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	5d5b987a68d97f30f947df7dc268e59ca1ebbaf8
Message-ID: <20141212045346.A53801E013E@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  5d5b987a68d97f30f947df7dc268e59ca1ebbaf8 (commit)
      from  33268635160bba24f6bc98448a8162661d1ddb30 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5d5b987a68d97f30f947df7dc268e59ca1ebbaf8
Author: Rich Salz 
Date:   Thu Dec 11 23:53:20 2014 -0500

    Add a basic CSS file

-----------------------------------------------------------------------

Summary of changes:
 manpage.css     |   96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 run-pod2html.sh |    2 +-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 manpage.css

diff --git a/manpage.css b/manpage.css
new file mode 100644
index 0000000..1fc97bc
--- /dev/null
+++ b/manpage.css
@@ -0,0 +1,96 @@
+BODY {
+	background: white;
+	color: black;
+	font-family: arial,sans-serif;
+	margin: 0;
+	padding: 1ex;
+}
+TABLE {
+	border-collapse: collapse;
+	border-spacing: 0;
+	border-width: 0;
+	color: inherit;
+}
+IMG { border: 0; }
+FORM { margin: 0; }
+input { margin: 2px; }
+A.fred {
+	text-decoration: none;
+}
+A:link, A:visited {
+	background: transparent;
+	color: #006699;
+}
+TD {
+	margin: 0;
+	padding: 0;
+}
+DIV {
+	border-width: 0;
+}
+DT {
+	margin-top: 1em;
+}
+TH {
+	background: #bbbbbb;
+	color: inherit;
+	padding: 0.4ex 1ex;
+	text-align: left;
+}
+TH A:link, TH A:visited {
+	background: transparent;
+	color: black;
+}
+A.m:link, A.m:visited {
+	background: #006699;
+	color: white;
+	font: bold 10pt Arial,Helvetica,sans-serif;
+	text-decoration: none;
+}
+A.o:link, A.o:visited {
+	background: #006699;
+	color: #ccffcc;
+	font: bold 10pt Arial,Helvetica,sans-serif;
+	text-decoration: none;
+}
+A.o:hover {
+	background: transparent;
+	color: #ff6600;
+	text-decoration: underline;
+}
+A.m:hover {
+	background: transparent;
+	color: #ff6600;
+	text-decoration: underline;
+}
+table.dlsip     {
+	background: #dddddd;
+	border: 0.4ex solid #dddddd;
+}
+.pod PRE     {
+	background: #eeeeee;
+	border: 1px solid #888888;
+	color: black;
+	padding-top: 1em;
+	white-space: pre;
+}
+.pod H1      {
+	background: transparent;
+	color: #006699;
+	font-size: large;
+}
+.pod H2      {
+	background: transparent;
+	color: #006699;
+	font-size: medium;
+}
+.pod IMG     {
+	vertical-align: top;
+}
+.pod .toc A  {
+	text-decoration: none;
+}
+.pod .toc LI {
+	line-height: 1.2em;
+	list-style-type: none;
+}
diff --git a/run-pod2html.sh b/run-pod2html.sh
index 0afd144..8a1218d 100755
--- a/run-pod2html.sh
+++ b/run-pod2html.sh
@@ -11,7 +11,7 @@ for SUB in apps crypto ssl; do
 	FN=`basename $IN .pod`
 	cat $IN \
 	| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
-	| pod2html --podroot=$SRC --htmlroot=/docs --podpath=$SUB:apps:crypto:ssl \
+	| pod2html --podroot=$SRC -css=/manpage.css --htmlroot=/docs --podpath=$SUB:apps:crypto:ssl \
 	| sed -r 's/ $DIR/$FN.html
 	for L in `perl $HERE/getnames.pl $IN` ; do
 	    ln $DIR/$FN.html $DIR/$L.html || echo FAIL $DIR/$FN.html $DIR/$L.html


hooks/post-receive
-- 
OpenSSL Web Pages 

From rsalz at openssl.org  Fri Dec 12 18:18:29 2014
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 12 Dec 2014 13:18:29 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. c3f22253b139793ff3b91ff7e6969e180cf06815
Message-ID: <20141212181829.AB5871E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  c3f22253b139793ff3b91ff7e6969e180cf06815 (commit)
      from  fd0ba77717c4fda075c9c9a6ff1e5975fdf76905 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c3f22253b139793ff3b91ff7e6969e180cf06815
Author: Rich Salz 
Date:   Fri Dec 12 13:17:51 2014 -0500

    RT1688: Add dependencies for parallel make
    
    Reviewed-by: Dr. Stephen Henson 

-----------------------------------------------------------------------

Summary of changes:
 Makefile.org |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/Makefile.org b/Makefile.org
index 0844925..8e15bb2 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -348,21 +348,23 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
 	../crypto/uid.o
 
 sub_all: build_all
+
 build_all: build_libs build_apps build_tests build_tools
 
 build_libs: build_crypto build_ssl build_engines
 
 build_crypto:
 	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
 	@dir=engines; target=all; AS='$(CC) -c'; export AS; $(BUILD_ONE_CMD)
-build_apps:
+
+build_apps: build_libs
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 
 all_testapps: build_libs build_testapps


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Fri Dec 12 23:56:22 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 12 Dec 2014 18:56:22 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-61-gc6a84ff
Message-ID: <20141212235622.D9E2B1E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  c6a84ff3516d8ecd92d866b6f0ae0d63df6d9c53 (commit)
      from  b8b9bcb4587f6df315223ae18ec10ecdb5a9dab8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c6a84ff3516d8ecd92d866b6f0ae0d63df6d9c53
Author: Matt Caswell 
Date:   Thu Dec 4 10:18:40 2014 +0000

    Fix use of NULL memory pointer in X509_VERIFY_PARAM_new in the event of a
    malloc failure.
    
    Reviewed-by: Kurt Roeckx 

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vpm.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index dfd89d8..ba546bd 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -89,6 +89,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 	{
 	X509_VERIFY_PARAM *param;
 	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
+	if (!param)
+		return NULL;
 	memset(param, 0, sizeof(X509_VERIFY_PARAM));
 	x509_verify_param_zero(param);
 	return param;


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Fri Dec 12 23:56:32 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 12 Dec 2014 18:56:32 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-41-gaf8a66d
Message-ID: <20141212235632.31AE31E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  af8a66d10d320b614a60493c94cf5995a3639f87 (commit)
      from  ec5c25b3b46078de5af092b67916140fa9ca147b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit af8a66d10d320b614a60493c94cf5995a3639f87
Author: Matt Caswell 
Date:   Thu Dec 4 10:18:40 2014 +0000

    Fix use of NULL memory pointer in X509_VERIFY_PARAM_new in the event of a
    malloc failure.
    
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit c6a84ff3516d8ecd92d866b6f0ae0d63df6d9c53)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vpm.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index dfd89d8..ba546bd 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -89,6 +89,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 	{
 	X509_VERIFY_PARAM *param;
 	param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
+	if (!param)
+		return NULL;
 	memset(param, 0, sizeof(X509_VERIFY_PARAM));
 	x509_verify_param_zero(param);
 	return param;


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Sat Dec 13 00:15:15 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 12 Dec 2014 19:15:15 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 24097938ad19acaaac00f4e8549bfe1a976d662d
Message-ID: <20141213001515.BDADA1E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  24097938ad19acaaac00f4e8549bfe1a976d662d (commit)
      from  c3f22253b139793ff3b91ff7e6969e180cf06815 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 24097938ad19acaaac00f4e8549bfe1a976d662d
Author: Matt Caswell 
Date:   Fri Dec 12 11:03:00 2014 +0000

    Fixed memory leak if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_srvr.c  |    1 +
 ssl/s23_srvr.c |    1 +
 2 files changed, 2 insertions(+)

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index aef38bb..0cdc51b 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -251,6 +251,7 @@ int dtls1_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 08aa5b6..6e44e0c 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -185,6 +185,7 @@ int ssl23_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Sat Dec 13 00:15:29 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 12 Dec 2014 19:15:29 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-100-gd04a1e0
Message-ID: <20141213001529.EEE101E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  d04a1e0b5beb3329cdf8c4ec35b9113cbc41d2f2 (commit)
       via  bb1ddd3d9a0d01656b90693a214b911995a5fe8c (commit)
      from  6806b69084fc0a800cf33787568c517a21ebc2c3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d04a1e0b5beb3329cdf8c4ec35b9113cbc41d2f2
Author: Matt Caswell 
Date:   Fri Dec 12 11:05:21 2014 +0000

    Fix memory leak in s2_srvr.c if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 

commit bb1ddd3d9a0d01656b90693a214b911995a5fe8c
Author: Matt Caswell 
Date:   Fri Dec 12 11:03:00 2014 +0000

    Fixed memory leak if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_srvr.c  |    1 +
 ssl/s23_srvr.c |    1 +
 ssl/s2_srvr.c  |   22 +++++++++++++++-------
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 0841183..5f15467 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -251,6 +251,7 @@ int dtls1_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index e656ac2..9840d47 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -192,6 +192,7 @@ int ssl23_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 2cba426..59ced3f 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -188,13 +188,21 @@ int ssl2_accept(SSL *s)
 			s->version=SSL2_VERSION;
 			s->type=SSL_ST_ACCEPT;
 
-			buf=s->init_buf;
-			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
-				{ ret= -1; goto end; }
-			if (!BUF_MEM_grow(buf,(int)
-				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-				{ ret= -1; goto end; }
-			s->init_buf=buf;
+			if(s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,(int) SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+					{
+					BUF_MEM_free(buf);
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
 			s->init_num=0;
 			s->ctx->stats.sess_accept++;
 			s->handshake_func=ssl2_accept;


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Sat Dec 13 00:15:41 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 12 Dec 2014 19:15:41 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-63-gc983a77
Message-ID: <20141213001541.289781E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  c983a77887519f4f82f4b0745a6d91f36344eedf (commit)
       via  7516eaf49216c3525506c9dedc008737c4a06501 (commit)
      from  c6a84ff3516d8ecd92d866b6f0ae0d63df6d9c53 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c983a77887519f4f82f4b0745a6d91f36344eedf
Author: Matt Caswell 
Date:   Fri Dec 12 11:05:21 2014 +0000

    Fix memory leak in s2_srvr.c if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit d04a1e0b5beb3329cdf8c4ec35b9113cbc41d2f2)

commit 7516eaf49216c3525506c9dedc008737c4a06501
Author: Matt Caswell 
Date:   Fri Dec 12 11:03:00 2014 +0000

    Fixed memory leak if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit bb1ddd3d9a0d01656b90693a214b911995a5fe8c)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_srvr.c  |    1 +
 ssl/s23_srvr.c |    1 +
 ssl/s2_srvr.c  |   22 +++++++++++++++-------
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 6a075b3..a5660bc 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -233,6 +233,7 @@ int dtls1_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index de909b1..3178815 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -192,6 +192,7 @@ int ssl23_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 2cba426..59ced3f 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -188,13 +188,21 @@ int ssl2_accept(SSL *s)
 			s->version=SSL2_VERSION;
 			s->type=SSL_ST_ACCEPT;
 
-			buf=s->init_buf;
-			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
-				{ ret= -1; goto end; }
-			if (!BUF_MEM_grow(buf,(int)
-				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-				{ ret= -1; goto end; }
-			s->init_buf=buf;
+			if(s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,(int) SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+					{
+					BUF_MEM_free(buf);
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
 			s->init_num=0;
 			s->ctx->stats.sess_accept++;
 			s->handshake_func=ssl2_accept;


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Sat Dec 13 00:15:59 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 12 Dec 2014 19:15:59 -0500 (EST)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-43-geae2bb2
Message-ID: <20141213001559.BBFA71E1C27@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  eae2bb2f1f5347c0bd305026fd3c222e0ccd69e2 (commit)
       via  c3132708368e4d13ddfc74be225a979d16a6a37e (commit)
      from  af8a66d10d320b614a60493c94cf5995a3639f87 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit eae2bb2f1f5347c0bd305026fd3c222e0ccd69e2
Author: Matt Caswell 
Date:   Fri Dec 12 11:05:21 2014 +0000

    Fix memory leak in s2_srvr.c if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit d04a1e0b5beb3329cdf8c4ec35b9113cbc41d2f2)

commit c3132708368e4d13ddfc74be225a979d16a6a37e
Author: Matt Caswell 
Date:   Fri Dec 12 11:03:00 2014 +0000

    Fixed memory leak if BUF_MEM_grow fails
    
    Reviewed-by: Tim Hudson 
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit bb1ddd3d9a0d01656b90693a214b911995a5fe8c)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_srvr.c  |    1 +
 ssl/s23_srvr.c |    1 +
 ssl/s2_srvr.c  |   22 +++++++++++++++-------
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 139f5f3..a14fb43 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -209,6 +209,7 @@ int dtls1_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index f1974e0..d2b3317 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -185,6 +185,7 @@ int ssl23_accept(SSL *s)
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
+					BUF_MEM_free(buf);
 					ret= -1;
 					goto end;
 					}
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index bc885e8..73a54dc 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -188,13 +188,21 @@ int ssl2_accept(SSL *s)
 			s->version=SSL2_VERSION;
 			s->type=SSL_ST_ACCEPT;
 
-			buf=s->init_buf;
-			if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
-				{ ret= -1; goto end; }
-			if (!BUF_MEM_grow(buf,(int)
-				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
-				{ ret= -1; goto end; }
-			s->init_buf=buf;
+			if(s->init_buf == NULL)
+				{
+				if ((buf=BUF_MEM_new()) == NULL)
+					{
+					ret= -1;
+					goto end;
+					}
+				if (!BUF_MEM_grow(buf,(int) SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
+					{
+					BUF_MEM_free(buf);
+					ret= -1;
+					goto end;
+					}
+				s->init_buf=buf;
+				}
 			s->init_num=0;
 			s->ctx->stats.sess_accept++;
 			s->handshake_func=ssl2_accept;


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Mon Dec 15 12:20:44 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 15 Dec 2014 13:20:44 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-64-g458f23f
Message-ID: <20141215122044.198D31DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  458f23f61021da8badf2457db0608232b3c8bec4 (commit)
      from  c983a77887519f4f82f4b0745a6d91f36344eedf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 458f23f61021da8badf2457db0608232b3c8bec4
Author: Emilia Kasper 
Date:   Mon Dec 15 13:11:52 2014 +0100

    Fix unused variable warning
    
    The temporary variable causes unused variable warnings in opt mode with clang,
    because the subsequent assert is compiled out.
    
    Reviewed-by: Rich Salz 
    (cherry picked from commit 6af16ec5eed85390bcbd004806a842d6153d6a31)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 21a1a3f..c4d6185 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -780,7 +780,9 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
 #define bn_wcheck_size(bn, words) \
 	do { \
 		const BIGNUM *_bnum2 = (bn); \
-		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
+		assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+		/* avoid unused variable warning with NDEBUG */ \
+		(void)(_bnum2); \
 	} while(0)
 
 #else /* !BN_DEBUG */


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Mon Dec 15 12:20:44 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 15 Dec 2014 13:20:44 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-101-g6af16ec
Message-ID: <20141215122044.2B8E51DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  6af16ec5eed85390bcbd004806a842d6153d6a31 (commit)
      from  d04a1e0b5beb3329cdf8c4ec35b9113cbc41d2f2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6af16ec5eed85390bcbd004806a842d6153d6a31
Author: Emilia Kasper 
Date:   Mon Dec 15 13:11:52 2014 +0100

    Fix unused variable warning
    
    The temporary variable causes unused variable warnings in opt mode with clang,
    because the subsequent assert is compiled out.
    
    Reviewed-by: Rich Salz 

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 2e3fab9..84cad17 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -762,7 +762,9 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
 #define bn_wcheck_size(bn, words) \
 	do { \
 		const BIGNUM *_bnum2 = (bn); \
-		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
+		assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+		/* avoid unused variable warning with NDEBUG */ \
+		(void)(_bnum2); \
 	} while(0)
 
 #else /* !BN_DEBUG */


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Mon Dec 15 12:20:44 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 15 Dec 2014 13:20:44 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 9669d2e1ad7aaa539c3931955ec9dd56faa2dc3c
Message-ID: <20141215122044.4FAA11DF122@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  9669d2e1ad7aaa539c3931955ec9dd56faa2dc3c (commit)
      from  24097938ad19acaaac00f4e8549bfe1a976d662d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9669d2e1ad7aaa539c3931955ec9dd56faa2dc3c
Author: Emilia Kasper 
Date:   Fri Dec 12 17:45:46 2014 +0100

    Fix unused variable warning
    
    The temporary variable causes unused variable warnings in opt mode with clang,
    because the subsequent assert is compiled out.
    
    Reviewed-by: Rich Salz 

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_lcl.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index c072ee7..260f67b 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -194,7 +194,9 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
 #define bn_wcheck_size(bn, words) \
 	do { \
 		const BIGNUM *_bnum2 = (bn); \
-		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
+		assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \
+		/* avoid unused variable warning with NDEBUG */ \
+		(void)(_bnum2); \
 	} while(0)
 
 #else /* !BN_DEBUG */


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Mon Dec 15 14:19:35 2014
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 15 Dec 2014 15:19:35 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 56999ba5891e917763fba4e203f430037ee8ee0d
Message-ID: <20141215141935.4B1921DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  56999ba5891e917763fba4e203f430037ee8ee0d (commit)
      from  9669d2e1ad7aaa539c3931955ec9dd56faa2dc3c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 56999ba5891e917763fba4e203f430037ee8ee0d
Author: Rich Salz 
Date:   Mon Dec 15 09:18:11 2014 -0500

    RT3497: Fix; don't remove header files
    
    Doing 'config ; make clean' broke because clean removed
    header files that normal build didn't create.  So don't
    remove those files.  Hopefully will be better addressed by
    Geoff's no-symlinks patch.
    
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 Makefile.org    |    2 +-
 crypto/Makefile |    1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/Makefile.org b/Makefile.org
index 8e15bb2..f2460dc 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -478,7 +478,7 @@ libclean:
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
-	rm -rf *.bak include/openssl certs/.0
+	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS) tags TAGS
 	rm -f openssl.pc libssl.pc libcrypto.pc
diff --git a/crypto/Makefile b/crypto/Makefile
index fafa418..0029b1b 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -141,7 +141,6 @@ depend:
 
 clean:
 	rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-	rm -f opensslconf.h
 	@target=clean; $(RECURSIVE_MAKE)
 
 dclean:


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Mon Dec 15 17:12:14 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Mon, 15 Dec 2014 18:12:14 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 995207bedcc58f2fa1bd7c460ee530b92c7dfbfe
Message-ID: <20141215171214.5E37C1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  995207bedcc58f2fa1bd7c460ee530b92c7dfbfe (commit)
      from  56999ba5891e917763fba4e203f430037ee8ee0d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 995207bedcc58f2fa1bd7c460ee530b92c7dfbfe
Author: Kurt Roeckx 
Date:   Wed Dec 10 13:38:57 2014 +0100

    Allow using -SSLv2 again when setting Protocol in the config.
    
    RT#3625
    
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_conf.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 3785b4f..95ca88a 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -333,6 +333,7 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value)
 	static const ssl_flag_tbl ssl_protocol_list[] =
 		{
 		SSL_FLAG_TBL_INV("ALL", SSL_OP_NO_SSL_MASK),
+		SSL_FLAG_TBL_INV("SSLv2", SSL_OP_NO_SSLv2),
 		SSL_FLAG_TBL_INV("SSLv3", SSL_OP_NO_SSLv3),
 		SSL_FLAG_TBL_INV("TLSv1", SSL_OP_NO_TLSv1),
 		SSL_FLAG_TBL_INV("TLSv1.1", SSL_OP_NO_TLSv1_1),


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Mon Dec 15 17:26:31 2014
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 15 Dec 2014 18:26:31 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 129c81b951ef436995d5718a55ecd68cb5914972
Message-ID: <20141215172631.5357D1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  129c81b951ef436995d5718a55ecd68cb5914972 (commit)
      from  995207bedcc58f2fa1bd7c460ee530b92c7dfbfe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 129c81b951ef436995d5718a55ecd68cb5914972
Author: Rich Salz 
Date:   Mon Dec 15 12:24:25 2014 -0500

    RT3497: The ticket that keeps on giving.
    
    Don't remove c_rehash that wasn't created by make; this script
    is created by configure.
    
    This fix brought to you by the letter "f" and
    Reviewed-by: Emilia Kasper 

-----------------------------------------------------------------------

Summary of changes:
 tools/Makefile |    1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/Makefile b/tools/Makefile
index b50218d..4ca835c 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -52,7 +52,6 @@ dclean:
 
 clean:
 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-	rm -f c_rehash
 
 errors:
 


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Mon Dec 15 21:31:39 2014
From: matt at openssl.org (Matt Caswell)
Date: Mon, 15 Dec 2014 22:31:39 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-45-g9d41057
Message-ID: <20141215213139.4061A1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  9d410579a782262c1a372bea80475ddee523985d (commit)
       via  4f90ef0c5bf46d927b1bd1ce54223d36852a4f3a (commit)
      from  eae2bb2f1f5347c0bd305026fd3c222e0ccd69e2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9d410579a782262c1a372bea80475ddee523985d
Author: Matt Caswell 
Date:   Wed Dec 3 11:15:40 2014 +0000

    Checkout return value of dtls1_output_cert_chain
    
    Reviewed-by: Tim Hudson 
    (cherry picked from commit 9beb948c0dae6056caddf46a9aa099e18905d184)

commit 4f90ef0c5bf46d927b1bd1ce54223d36852a4f3a
Author: Matt Caswell 
Date:   Tue Mar 18 14:19:22 2014 +0000

    Check return value of ssl3_output_cert_chain
    
    Based on commit 66f96fe2d519147097c118d4bf60704c69ed0635 by Steve Henson
    
    Reviewed-by: Tim Hudson 
    (cherry picked from commit ce5ddefc4394a0ae6c79efaffe08cf47ac659ea0)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_clnt.c |    6 ++++++
 ssl/d1_srvr.c |    5 +++++
 ssl/s3_clnt.c |    6 ++++++
 ssl/s3_srvr.c |    5 +++++
 4 files changed, 22 insertions(+)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index d8cf926..0fea865 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -1548,6 +1548,12 @@ int dtls1_send_client_certificate(SSL *s)
 		s->state=SSL3_ST_CW_CERT_D;
 		l=dtls1_output_cert_chain(s,
 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		if (!l)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		s->init_num=(int)l;
 		s->init_off=0;
 
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index a14fb43..f52c735 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1446,6 +1446,11 @@ int dtls1_send_server_certificate(SSL *s)
 			}
 
 		l=dtls1_output_cert_chain(s,x);
+		if (!l)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 89dc06e..e614f96 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2962,6 +2962,12 @@ int ssl3_send_client_certificate(SSL *s)
 		s->state=SSL3_ST_CW_CERT_D;
 		l=ssl3_output_cert_chain(s,
 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		if (!l)
+			{
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		s->init_num=(int)l;
 		s->init_off=0;
 		}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 546d633..4573ec8 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3084,6 +3084,11 @@ int ssl3_send_server_certificate(SSL *s)
 			}
 
 		l=ssl3_output_cert_chain(s,x);
+		if (!l)
+			{
+			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Mon Dec 15 21:31:50 2014
From: matt at openssl.org (Matt Caswell)
Date: Mon, 15 Dec 2014 22:31:50 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-66-g9beb948
Message-ID: <20141215213150.8A0481DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  9beb948c0dae6056caddf46a9aa099e18905d184 (commit)
       via  ce5ddefc4394a0ae6c79efaffe08cf47ac659ea0 (commit)
      from  458f23f61021da8badf2457db0608232b3c8bec4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9beb948c0dae6056caddf46a9aa099e18905d184
Author: Matt Caswell 
Date:   Wed Dec 3 11:15:40 2014 +0000

    Checkout return value of dtls1_output_cert_chain
    
    Reviewed-by: Tim Hudson 

commit ce5ddefc4394a0ae6c79efaffe08cf47ac659ea0
Author: Matt Caswell 
Date:   Tue Mar 18 14:19:22 2014 +0000

    Check return value of ssl3_output_cert_chain
    
    Based on commit 66f96fe2d519147097c118d4bf60704c69ed0635 by Steve Henson
    
    Reviewed-by: Tim Hudson 

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_clnt.c |    6 ++++++
 ssl/d1_srvr.c |    5 +++++
 ssl/s3_clnt.c |    6 ++++++
 ssl/s3_srvr.c |    5 +++++
 4 files changed, 22 insertions(+)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 9947be2..9045fb9 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -1717,6 +1717,12 @@ int dtls1_send_client_certificate(SSL *s)
 		s->state=SSL3_ST_CW_CERT_D;
 		l=dtls1_output_cert_chain(s,
 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		if (!l)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		s->init_num=(int)l;
 		s->init_off=0;
 
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index a5660bc..e40701e 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1625,6 +1625,11 @@ int dtls1_send_server_certificate(SSL *s)
 			}
 
 		l=dtls1_output_cert_chain(s,x);
+		if (!l)
+			{
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7ad1357..f10e1aa 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3280,6 +3280,12 @@ int ssl3_send_client_certificate(SSL *s)
 		s->state=SSL3_ST_CW_CERT_D;
 		l=ssl3_output_cert_chain(s,
 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+		if (!l)
+			{
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		s->init_num=(int)l;
 		s->init_off=0;
 		}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c67f11a..719e6d3 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3406,6 +3406,11 @@ int ssl3_send_server_certificate(SSL *s)
 			}
 
 		l=ssl3_output_cert_chain(s,x);
+		if (!l)
+			{
+			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 00:12:44 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 01:12:44 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-47-g2ececf5
Message-ID: <20141216001244.CC9821DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  2ececf59deb88819a5caf8de61d357ff87bf8190 (commit)
       via  a60536348b62f844f9d8e3a88c063f4b89d1f606 (commit)
      from  9d410579a782262c1a372bea80475ddee523985d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2ececf59deb88819a5caf8de61d357ff87bf8190
Author: Matt Caswell 
Date:   Mon Dec 15 20:48:33 2014 +0000

    Remove extraneous white space, and add some braces
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 55e530265a7ea8f264717a4e37338cc04eca2007)

commit a60536348b62f844f9d8e3a88c063f4b89d1f606
Author: Matt Caswell 
Date:   Fri Dec 12 15:32:24 2014 +0000

    DTLS fixes for signed/unsigned issues
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 1904d21123849a65dafde1705e6dd5b7c2f420eb)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |   40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 7c8bed3..f3492c0 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -259,9 +259,9 @@ static int dtls1_query_mtu(SSL *s)
 int dtls1_do_write(SSL *s, int type)
 	{
 	int ret;
-	int curr_mtu;
+	unsigned int curr_mtu;
 	int retry = 1;
-	unsigned int len, frag_off, mac_size, blocksize;
+	unsigned int len, frag_off, mac_size, blocksize, used_len;
 
 	if(!dtls1_query_mtu(s))
 		return -1;
@@ -284,10 +284,15 @@ int dtls1_do_write(SSL *s, int type)
 		blocksize = 0;
 
 	frag_off = 0;
-	while( s->init_num)
+	/* s->init_num shouldn't ever be < 0...but just in case */
+	while(s->init_num > 0)
 		{
-		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
-			DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+		used_len = BIO_wpending(SSL_get_wbio(s)) +  DTLS1_RT_HEADER_LENGTH
+			+ mac_size + blocksize;
+		if(s->d1->mtu > used_len)
+			curr_mtu = s->d1->mtu - used_len;
+		else
+			curr_mtu = 0;
 
 		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
 			{
@@ -295,15 +300,27 @@ int dtls1_do_write(SSL *s, int type)
 			ret = BIO_flush(SSL_get_wbio(s));
 			if ( ret <= 0)
 				return ret;
-			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
-				mac_size - blocksize;
+			used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
+			if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH)
+				{
+				curr_mtu = s->d1->mtu - used_len;
+				}
+			else
+				{
+				/* Shouldn't happen */
+				return -1;
+				}
 			}
 
-		if ( s->init_num > curr_mtu)
+		/* We just checked that s->init_num > 0 so this cast should be safe */
+		if (((unsigned int)s->init_num) > curr_mtu)
 			len = curr_mtu;
 		else
 			len = s->init_num;
 
+		/* Shouldn't ever happen */
+		if(len > INT_MAX)
+			len = INT_MAX;
 
 		/* XDTLS: this function is too long.  split out the CCS part */
 		if ( type == SSL3_RT_HANDSHAKE)
@@ -314,12 +331,17 @@ int dtls1_do_write(SSL *s, int type)
 				s->init_off -= DTLS1_HM_HEADER_LENGTH;
 				s->init_num += DTLS1_HM_HEADER_LENGTH;
 
-				if ( s->init_num > curr_mtu)
+				/* We just checked that s->init_num > 0 so this cast should be safe */
+				if (((unsigned int)s->init_num) > curr_mtu)
 					len = curr_mtu;
 				else
 					len = s->init_num;
 				}
 
+			/* Shouldn't ever happen */
+			if(len > INT_MAX)
+				len = INT_MAX;
+
 			if ( len < DTLS1_HM_HEADER_LENGTH )
 				{
 				/*


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 00:12:55 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 01:12:55 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-68-g9673056
Message-ID: <20141216001255.711611DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  9673056c259dae5a0b44a4714c8856871e281e9f (commit)
       via  f50730d3615026d3d898e8c6821b23bdcf69cf96 (commit)
      from  9beb948c0dae6056caddf46a9aa099e18905d184 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9673056c259dae5a0b44a4714c8856871e281e9f
Author: Matt Caswell 
Date:   Mon Dec 15 20:48:33 2014 +0000

    Remove extraneous white space, and add some braces
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 55e530265a7ea8f264717a4e37338cc04eca2007)

commit f50730d3615026d3d898e8c6821b23bdcf69cf96
Author: Matt Caswell 
Date:   Fri Dec 12 15:32:24 2014 +0000

    DTLS fixes for signed/unsigned issues
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 1904d21123849a65dafde1705e6dd5b7c2f420eb)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |   40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 20f5628..1b9d64b 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -259,9 +259,9 @@ static int dtls1_query_mtu(SSL *s)
 int dtls1_do_write(SSL *s, int type)
 	{
 	int ret;
-	int curr_mtu;
+	unsigned int curr_mtu;
 	int retry = 1;
-	unsigned int len, frag_off, mac_size, blocksize;
+	unsigned int len, frag_off, mac_size, blocksize, used_len;
 
 	if(!dtls1_query_mtu(s))
 		return -1;
@@ -284,10 +284,15 @@ int dtls1_do_write(SSL *s, int type)
 		blocksize = 0;
 
 	frag_off = 0;
-	while( s->init_num)
+	/* s->init_num shouldn't ever be < 0...but just in case */
+	while(s->init_num > 0)
 		{
-		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
-			DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+		used_len = BIO_wpending(SSL_get_wbio(s)) +  DTLS1_RT_HEADER_LENGTH
+			+ mac_size + blocksize;
+		if(s->d1->mtu > used_len)
+			curr_mtu = s->d1->mtu - used_len;
+		else
+			curr_mtu = 0;
 
 		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
 			{
@@ -295,15 +300,27 @@ int dtls1_do_write(SSL *s, int type)
 			ret = BIO_flush(SSL_get_wbio(s));
 			if ( ret <= 0)
 				return ret;
-			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
-				mac_size - blocksize;
+			used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
+			if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH)
+				{
+				curr_mtu = s->d1->mtu - used_len;
+				}
+			else
+				{
+				/* Shouldn't happen */
+				return -1;
+				}
 			}
 
-		if ( s->init_num > curr_mtu)
+		/* We just checked that s->init_num > 0 so this cast should be safe */
+		if (((unsigned int)s->init_num) > curr_mtu)
 			len = curr_mtu;
 		else
 			len = s->init_num;
 
+		/* Shouldn't ever happen */
+		if(len > INT_MAX)
+			len = INT_MAX;
 
 		/* XDTLS: this function is too long.  split out the CCS part */
 		if ( type == SSL3_RT_HANDSHAKE)
@@ -314,12 +331,17 @@ int dtls1_do_write(SSL *s, int type)
 				s->init_off -= DTLS1_HM_HEADER_LENGTH;
 				s->init_num += DTLS1_HM_HEADER_LENGTH;
 
-				if ( s->init_num > curr_mtu)
+				/* We just checked that s->init_num > 0 so this cast should be safe */
+				if (((unsigned int)s->init_num) > curr_mtu)
 					len = curr_mtu;
 				else
 					len = s->init_num;
 				}
 
+			/* Shouldn't ever happen */
+			if(len > INT_MAX)
+				len = INT_MAX;
+
 			if ( len < DTLS1_HM_HEADER_LENGTH )
 				{
 				/*


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 00:15:59 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 01:15:59 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-103-g4ca0e95
Message-ID: <20141216001559.53DC11DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  4ca0e95b92811f7dac9fff213350c248619a135c (commit)
       via  f9398b92de8c124c8c8e2a687e705b62758bef6f (commit)
      from  6af16ec5eed85390bcbd004806a842d6153d6a31 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4ca0e95b92811f7dac9fff213350c248619a135c
Author: Matt Caswell 
Date:   Mon Dec 15 20:48:33 2014 +0000

    Remove extraneous white space, and add some braces
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 55e530265a7ea8f264717a4e37338cc04eca2007)

commit f9398b92de8c124c8c8e2a687e705b62758bef6f
Author: Matt Caswell 
Date:   Fri Dec 12 15:32:24 2014 +0000

    DTLS fixes for signed/unsigned issues
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 1904d21123849a65dafde1705e6dd5b7c2f420eb)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |   40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 82e814a..a2a39ba 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -259,9 +259,9 @@ static int dtls1_query_mtu(SSL *s)
 int dtls1_do_write(SSL *s, int type)
 	{
 	int ret;
-	int curr_mtu;
+	unsigned int curr_mtu;
 	int retry = 1;
-	unsigned int len, frag_off, mac_size, blocksize;
+	unsigned int len, frag_off, mac_size, blocksize, used_len;
 
 	if(!dtls1_query_mtu(s))
 		return -1;
@@ -289,10 +289,15 @@ int dtls1_do_write(SSL *s, int type)
 		blocksize = 0;
 
 	frag_off = 0;
-	while( s->init_num)
+	/* s->init_num shouldn't ever be < 0...but just in case */
+	while(s->init_num > 0)
 		{
-		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
-			DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+		used_len = BIO_wpending(SSL_get_wbio(s)) +  DTLS1_RT_HEADER_LENGTH
+			+ mac_size + blocksize;
+		if(s->d1->mtu > used_len)
+			curr_mtu = s->d1->mtu - used_len;
+		else
+			curr_mtu = 0;
 
 		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
 			{
@@ -300,15 +305,27 @@ int dtls1_do_write(SSL *s, int type)
 			ret = BIO_flush(SSL_get_wbio(s));
 			if ( ret <= 0)
 				return ret;
-			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
-				mac_size - blocksize;
+			used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
+			if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH)
+				{
+				curr_mtu = s->d1->mtu - used_len;
+				}
+			else
+				{
+				/* Shouldn't happen */
+				return -1;
+				}
 			}
 
-		if ( s->init_num > curr_mtu)
+		/* We just checked that s->init_num > 0 so this cast should be safe */
+		if (((unsigned int)s->init_num) > curr_mtu)
 			len = curr_mtu;
 		else
 			len = s->init_num;
 
+		/* Shouldn't ever happen */
+		if(len > INT_MAX)
+			len = INT_MAX;
 
 		/* XDTLS: this function is too long.  split out the CCS part */
 		if ( type == SSL3_RT_HANDSHAKE)
@@ -319,12 +336,17 @@ int dtls1_do_write(SSL *s, int type)
 				s->init_off -= DTLS1_HM_HEADER_LENGTH;
 				s->init_num += DTLS1_HM_HEADER_LENGTH;
 
-				if ( s->init_num > curr_mtu)
+				/* We just checked that s->init_num > 0 so this cast should be safe */
+				if (((unsigned int)s->init_num) > curr_mtu)
 					len = curr_mtu;
 				else
 					len = s->init_num;
 				}
 
+			/* Shouldn't ever happen */
+			if(len > INT_MAX)
+				len = INT_MAX;
+
 			if ( len < DTLS1_HM_HEADER_LENGTH )
 				{
 				/*


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 00:16:08 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 01:16:08 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 55e530265a7ea8f264717a4e37338cc04eca2007
Message-ID: <20141216001608.E23B61DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  55e530265a7ea8f264717a4e37338cc04eca2007 (commit)
       via  1904d21123849a65dafde1705e6dd5b7c2f420eb (commit)
      from  129c81b951ef436995d5718a55ecd68cb5914972 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 55e530265a7ea8f264717a4e37338cc04eca2007
Author: Matt Caswell 
Date:   Mon Dec 15 20:48:33 2014 +0000

    Remove extraneous white space, and add some braces
    
    Reviewed-by: Emilia K?sper 

commit 1904d21123849a65dafde1705e6dd5b7c2f420eb
Author: Matt Caswell 
Date:   Fri Dec 12 15:32:24 2014 +0000

    DTLS fixes for signed/unsigned issues
    
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |   40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 877a2bf..14d45b5 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -259,9 +259,9 @@ static int dtls1_query_mtu(SSL *s)
 int dtls1_do_write(SSL *s, int type)
 	{
 	int ret;
-	int curr_mtu;
+	unsigned int curr_mtu;
 	int retry = 1;
-	unsigned int len, frag_off, mac_size, blocksize;
+	unsigned int len, frag_off, mac_size, blocksize, used_len;
 
 	if(!dtls1_query_mtu(s))
 		return -1;
@@ -289,10 +289,15 @@ int dtls1_do_write(SSL *s, int type)
 		blocksize = 0;
 
 	frag_off = 0;
-	while( s->init_num)
+	/* s->init_num shouldn't ever be < 0...but just in case */
+	while(s->init_num > 0)
 		{
-		curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
-			DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+		used_len = BIO_wpending(SSL_get_wbio(s)) +  DTLS1_RT_HEADER_LENGTH
+			+ mac_size + blocksize;
+		if(s->d1->mtu > used_len)
+			curr_mtu = s->d1->mtu - used_len;
+		else
+			curr_mtu = 0;
 
 		if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
 			{
@@ -300,15 +305,27 @@ int dtls1_do_write(SSL *s, int type)
 			ret = BIO_flush(SSL_get_wbio(s));
 			if ( ret <= 0)
 				return ret;
-			curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
-				mac_size - blocksize;
+			used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
+			if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH)
+				{
+				curr_mtu = s->d1->mtu - used_len;
+				}
+			else
+				{
+				/* Shouldn't happen */
+				return -1;
+				}
 			}
 
-		if ( s->init_num > curr_mtu)
+		/* We just checked that s->init_num > 0 so this cast should be safe */
+		if (((unsigned int)s->init_num) > curr_mtu)
 			len = curr_mtu;
 		else
 			len = s->init_num;
 
+		/* Shouldn't ever happen */
+		if(len > INT_MAX)
+			len = INT_MAX;
 
 		/* XDTLS: this function is too long.  split out the CCS part */
 		if ( type == SSL3_RT_HANDSHAKE)
@@ -319,12 +336,17 @@ int dtls1_do_write(SSL *s, int type)
 				s->init_off -= DTLS1_HM_HEADER_LENGTH;
 				s->init_num += DTLS1_HM_HEADER_LENGTH;
 
-				if ( s->init_num > curr_mtu)
+				/* We just checked that s->init_num > 0 so this cast should be safe */
+				if (((unsigned int)s->init_num) > curr_mtu)
 					len = curr_mtu;
 				else
 					len = s->init_num;
 				}
 
+			/* Shouldn't ever happen */
+			if(len > INT_MAX)
+				len = INT_MAX;
+
 			if ( len < DTLS1_HM_HEADER_LENGTH )
 				{
 				/*


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 10:25:54 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 11:25:54 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-48-g2e3e3d2
Message-ID: <20141216102554.A67D51DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  2e3e3d278ec4984d352c65e2df8270ecf658d5b4 (commit)
      from  2ececf59deb88819a5caf8de61d357ff87bf8190 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2e3e3d278ec4984d352c65e2df8270ecf658d5b4
Author: Matt Caswell 
Date:   Tue Nov 18 15:56:50 2014 +0000

    Add OPENSSL_NO_ECDH guards
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit 7f9edfd23a9b9cd0827cc381e8fbd8cd0c9e5035)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_pmeth.c |    6 ++++++
 ssl/s3_lib.c         |    2 ++
 2 files changed, 8 insertions(+)

diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index ba4b519..03ac81e 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -167,6 +167,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_ECDH
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	{
 	int ret;
@@ -200,6 +201,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	*keylen = ret;
 	return 1;
 	}
+#endif
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
@@ -332,7 +334,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
+#ifndef OPENSSL_NO_ECDH
 	pkey_ec_derive,
+#else
+	0,
+#endif
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index b874dd4..c561e7b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3058,6 +3058,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 				}
 			ok = ok && ec_ok;
 			}
+#ifndef OPENSSL_NO_ECDH
 		if (
 			/* if we are considering an ECC cipher suite that uses an ephemeral EC key */
 			(alg_k & SSL_kEECDH)
@@ -3105,6 +3106,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 				}
 			ok = ok && ec_ok;
 			}
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 10:26:08 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 11:26:08 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-69-g7f9edfd
Message-ID: <20141216102609.011E71DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  7f9edfd23a9b9cd0827cc381e8fbd8cd0c9e5035 (commit)
      from  9673056c259dae5a0b44a4714c8856871e281e9f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7f9edfd23a9b9cd0827cc381e8fbd8cd0c9e5035
Author: Matt Caswell 
Date:   Tue Nov 18 15:56:50 2014 +0000

    Add OPENSSL_NO_ECDH guards
    
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_pmeth.c |    6 ++++++
 ssl/s3_lib.c         |    2 ++
 2 files changed, 8 insertions(+)

diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 66ee397..b62b532 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -167,6 +167,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_ECDH
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	{
 	int ret;
@@ -200,6 +201,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	*keylen = ret;
 	return 1;
 	}
+#endif
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
@@ -333,7 +335,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
+#ifndef OPENSSL_NO_ECDH
 	pkey_ec_derive,
+#else
+	0,
+#endif
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 3f17453..73852fb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4000,6 +4000,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 				}
 			ok = ok && ec_ok;
 			}
+#ifndef OPENSSL_NO_ECDH
 		if (
 			/* if we are considering an ECC cipher suite that uses an ephemeral EC key */
 			(alg_k & SSL_kEECDH)
@@ -4047,6 +4048,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 				}
 			ok = ok && ec_ok;
 			}
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 14:22:48 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 15:22:48 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-105-gf74f5c8
Message-ID: <20141216142249.060301DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  f74f5c8586b2bd30738f0bd45aec1f9e95d5945f (commit)
       via  a38ae11c48761ab468296e8960210f041b93dfde (commit)
      from  4ca0e95b92811f7dac9fff213350c248619a135c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f74f5c8586b2bd30738f0bd45aec1f9e95d5945f
Author: Matt Caswell 
Date:   Tue Dec 16 10:53:36 2014 +0000

    Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit db812f2d70f0695fd53b386fe5e870bef8ca3c22)

commit a38ae11c48761ab468296e8960210f041b93dfde
Author: Matt Caswell 
Date:   Tue Nov 18 16:54:07 2014 +0000

    Add OPENSSL_NO_ECDH guards
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit af6e2d51bfeabbae827030d4c9d58a8f7477c4a0)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_pmeth.c |    8 ++++++++
 ssl/s3_lib.c         |    8 +++++++-
 ssl/ssl.h            |    1 +
 ssl/ssl_ciph.c       |    5 +++++
 ssl/ssl_err.c        |    1 +
 ssl/ssl_lib.c        |    2 ++
 ssl/ssl_locl.h       |    2 ++
 ssl/t1_lib.c         |    2 ++
 test/cms-test.pl     |   20 ++++++++++++++++++++
 9 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index e66e690..aea1d5b 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -213,6 +213,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_ECDH
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	{
 	int ret;
@@ -288,6 +289,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
 		}
 	return rv;
 	}
+#endif
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
@@ -316,6 +318,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 		EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
 		return 1;
 
+#ifndef OPENSSL_NO_ECDH
 		case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
 		if (p1 == -2)
 			{
@@ -357,6 +360,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 			dctx->co_key = NULL;
 			}
 		return 1;
+#endif
 
 		case EVP_PKEY_CTRL_EC_KDF_TYPE:
 		if (p1 == -2)
@@ -556,7 +560,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
+#ifndef OPENSSL_NO_ECDH
 	pkey_ec_kdf_derive,
+#else
+	0,
+#endif
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 361f295..713de72 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3484,10 +3484,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	case SSL_CTRL_GET_SHARED_CURVE:
 		return tls1_shared_curve(s, larg);
 
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		s->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(s->cert, parg, larg, 0);
 
@@ -3558,7 +3560,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			EVP_PKEY *ptmp;
 			int rv = 0;
 			sc = s->session->sess_cert;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
 			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
 							&& !sc->peer_ecdh_tmp)
 				return 0;
@@ -3899,10 +3901,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
 					&ctx->tlsext_ellipticcurvelist_length,
 								parg);
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		ctx->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -4200,10 +4204,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 		/* if we are considering an ECC cipher suite that uses
 		 * an ephemeral EC key check it */
 		if (alg_k & SSL_kEECDH)
 			ok = ok && tls1_check_ec_tmp_key(s, c->id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 
diff --git a/ssl/ssl.h b/ssl/ssl.h
index a5af6fc..d51ae38 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2778,6 +2778,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING			 318
 #define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE	 322
 #define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE	 323
+#define SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE		 374
 #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER		 310
 #define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST	 354
 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d961903..0ad11dd 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1420,6 +1420,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 		return 0;
 		}
 
+#ifndef OPENSSL_NO_ECDH
 	switch(suiteb_flags)
 		{
 	case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -1438,6 +1439,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 	/* Set auto ECDH parameter determination */
 	c->ecdh_tmp_auto = 1;
 	return 1;
+#else
+	SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
+	return 0;
+#endif
 	}
 #endif
 
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index fd63d37..8fca51b 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
+{ERR_REASON(SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE),"ecdh required for suiteb mode"},
 {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
 {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
 {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8f49a6f..8c269c4 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2355,8 +2355,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 		x = cpk->x509;
 		/* This call populates extension flags (ex_flags) */
 		X509_check_purpose(x, -1, 0);
+#ifndef OPENSSL_NO_ECDH
 		ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+#endif
 		ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
 		if (!(cpk->valid_flags & CERT_PKEY_SIGN))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ebcb5a2..7bc839c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1301,7 +1301,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
 			int *curves, size_t ncurves);
 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
 				const char *str);
+#ifndef OPENSSL_NO_ECDH
 int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2dea518..962861d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -887,6 +887,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 		}
 	return rv;
 	}
+#ifndef OPENSSL_NO_ECDH
 /* Check EC temporary key is compatible with client extensions */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	{
@@ -953,6 +954,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	return tls1_check_ec_key(s, curve_id, NULL);
 #endif
 	}
+#endif /* OPENSSL_NO_ECDH */
 
 #else
 
diff --git a/test/cms-test.pl b/test/cms-test.pl
index b5145ad..acd9315 100644
--- a/test/cms-test.pl
+++ b/test/cms-test.pl
@@ -89,6 +89,7 @@ my $halt_err = 1;
 my $badcmd = 0;
 my $no_ec;
 my $no_ec2m;
+my $no_ecdh;
 my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/;
 
 system ("$ossl_path no-ec > $null_path");
@@ -118,6 +119,20 @@ else
 	{
 	die "Error checking for EC2M support\n";
 	}
+
+system ("$ossl_path no-ecdh >/dev/null");
+if ($? == 0)
+	{
+	$no_ecdh = 1;
+	}
+elsif ($? == 256)
+	{
+	$no_ecdh = 0;
+	}
+else
+	{
+	die "Error checking for ECDH support\n";
+	}
     
 my @smime_pkcs7_tests = (
 
@@ -512,6 +527,11 @@ sub run_smime_tests {
 		print "$tnam: skipped, EC disabled\n";
 		next;
 		}
+	if ($no_ecdh && $tnam =~ /ECDH/)
+		{
+		print "$tnam: skipped, ECDH disabled\n";
+		next;
+		}
 	if ($no_ec2m && $tnam =~ /K-283/)
 		{
 		print "$tnam: skipped, EC2M disabled\n";


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 14:22:56 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 15:22:56 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. db812f2d70f0695fd53b386fe5e870bef8ca3c22
Message-ID: <20141216142257.0DC501DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  db812f2d70f0695fd53b386fe5e870bef8ca3c22 (commit)
       via  ad500fdc494cc8b988b567371eef60824a78b070 (commit)
       via  fd86c2b153de991362a98771bc6d3deb2ee579bd (commit)
       via  af6e2d51bfeabbae827030d4c9d58a8f7477c4a0 (commit)
      from  55e530265a7ea8f264717a4e37338cc04eca2007 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit db812f2d70f0695fd53b386fe5e870bef8ca3c22
Author: Matt Caswell 
Date:   Tue Dec 16 10:53:36 2014 +0000

    Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
    
    Reviewed-by: Emilia K?sper 

commit ad500fdc494cc8b988b567371eef60824a78b070
Author: Matt Caswell 
Date:   Wed Nov 19 14:07:36 2014 +0000

    Rename gost2814789t.c to gost2814789test.c. The old name caused problems
    for dummytest if gost is compiled out, since the name of the test is not
    standard (dummytest segfaults). Also the old name caused problems for git
    because the executable was not in the .gitignore file
    
    Reviewed-by: Emilia K?sper 

commit fd86c2b153de991362a98771bc6d3deb2ee579bd
Author: Matt Caswell 
Date:   Tue Nov 18 17:16:57 2014 +0000

    Add missing OPENSSL_NO_EC guards
    
    Reviewed-by: Emilia K?sper 

commit af6e2d51bfeabbae827030d4c9d58a8f7477c4a0
Author: Matt Caswell 
Date:   Tue Nov 18 16:54:07 2014 +0000

    Add OPENSSL_NO_ECDH guards
    
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 apps/s_cb.c                                        |    2 ++
 crypto/ec/ec_pmeth.c                               |    8 +++++
 engines/ccgost/Makefile                            |    2 +-
 .../ccgost/{gost2814789t.c => gost2814789test.c}   |    0
 ssl/s3_lib.c                                       |    8 ++++-
 ssl/ssl.h                                          |    1 +
 ssl/ssl_ciph.c                                     |    5 ++++
 ssl/ssl_err.c                                      |    1 +
 ssl/ssl_lib.c                                      |    2 ++
 ssl/ssl_locl.h                                     |    2 ++
 ssl/t1_lib.c                                       |    2 ++
 test/Makefile                                      |   31 ++++++++++----------
 test/cms-test.pl                                   |   20 +++++++++++++
 13 files changed, 67 insertions(+), 17 deletions(-)
 rename engines/ccgost/{gost2814789t.c => gost2814789test.c} (100%)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index f3892f9..0a6d0ce 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1816,6 +1816,7 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
 		BIO_puts(sdb->out, SSL_CIPHER_get_name(other));
 		break;
 
+#ifndef OPENSSL_NO_EC
 	case SSL_SECOP_OTHER_CURVE:
 			{
 			const char *cname;
@@ -1825,6 +1826,7 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx,
 			BIO_puts(sdb->out, cname);
 			}
 			break;
+#endif
 
 	case SSL_SECOP_OTHER_DH:
 			{
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index 2975299..ad68139 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -213,6 +213,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_ECDH
 static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 	{
 	int ret;
@@ -288,6 +289,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
 		}
 	return rv;
 	}
+#endif
 
 static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 	{
@@ -316,6 +318,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 		EC_GROUP_set_asn1_flag(dctx->gen_group, p1);
 		return 1;
 
+#ifndef OPENSSL_NO_ECDH
 		case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
 		if (p1 == -2)
 			{
@@ -357,6 +360,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 			dctx->co_key = NULL;
 			}
 		return 1;
+#endif
 
 		case EVP_PKEY_CTRL_EC_KDF_TYPE:
 		if (p1 == -2)
@@ -556,7 +560,11 @@ const EVP_PKEY_METHOD ec_pkey_meth =
 	0,0,
 
 	0,
+#ifndef OPENSSL_NO_ECDH
 	pkey_ec_kdf_derive,
+#else
+	0,
+#endif
 
 	pkey_ec_ctrl,
 	pkey_ec_ctrl_str
diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
index bcb82e3..be9a134 100644
--- a/engines/ccgost/Makefile
+++ b/engines/ccgost/Makefile
@@ -8,7 +8,7 @@ AR= ar r
 CFLAGS= $(INCLUDES) $(CFLAG)
 LIB=$(TOP)/libcrypto.a
 
-TEST=gost2814789t.c
+TEST=gost2814789test.c
 
 LIBSRC= gost2001.c gost2001_keyx.c gost89.c gost94_keyx.c gost_ameth.c gost_asn1.c gost_crypt.c gost_ctl.c gost_eng.c gosthash.c gost_keywrap.c gost_md.c gost_params.c gost_pmeth.c gost_sign.c
 
diff --git a/engines/ccgost/gost2814789t.c b/engines/ccgost/gost2814789test.c
similarity index 100%
rename from engines/ccgost/gost2814789t.c
rename to engines/ccgost/gost2814789test.c
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 51a4ec3..0cd08bd 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3810,10 +3810,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 	case SSL_CTRL_GET_SHARED_CURVE:
 		return tls1_shared_curve(s, larg);
 
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		s->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(s->cert, parg, larg, 0);
 
@@ -3884,7 +3886,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
 			EVP_PKEY *ptmp;
 			int rv = 0;
 			sc = s->session->sess_cert;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH)
 			if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
 							&& !sc->peer_ecdh_tmp)
 				return 0;
@@ -4237,10 +4239,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
 		return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
 					&ctx->tlsext_ellipticcurvelist_length,
 								parg);
+#ifndef OPENSSL_NO_ECDH
 	case SSL_CTRL_SET_ECDH_AUTO:
 		ctx->cert->ecdh_tmp_auto = larg;
 		return 1;
 #endif
+#endif
 	case SSL_CTRL_SET_SIGALGS:
 		return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -4543,10 +4547,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 
 #ifndef OPENSSL_NO_TLSEXT
 #ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_ECDH
 		/* if we are considering an ECC cipher suite that uses
 		 * an ephemeral EC key check it */
 		if (alg_k & SSL_kECDHE)
 			ok = ok && tls1_check_ec_tmp_key(s, c->id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
 
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 51b8df0..02c53c7 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2811,6 +2811,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_ECC_CERT_NOT_FOR_SIGNING			 318
 #define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE	 322
 #define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE	 323
+#define SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE		 374
 #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER		 310
 #define SSL_R_EE_KEY_TOO_SMALL				 399
 #define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST	 354
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 133d9d9..4a673ec 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1436,6 +1436,7 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 		return 0;
 		}
 
+#ifndef OPENSSL_NO_ECDH
 	switch(suiteb_flags)
 		{
 	case SSL_CERT_FLAG_SUITEB_128_LOS:
@@ -1454,6 +1455,10 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 	/* Set auto ECDH parameter determination */
 	c->ecdh_tmp_auto = 1;
 	return 1;
+#else
+	SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
+	return 0;
+#endif
 	}
 #endif
 
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 5f8c075..4ec771c 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -355,6 +355,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING),"ecc cert not for signing"},
 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
 {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
+{ERR_REASON(SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE),"ecdh required for suiteb mode"},
 {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
 {ERR_REASON(SSL_R_EE_KEY_TOO_SMALL)      ,"ee key too small"},
 {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a4d565f..ea271fb 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2361,8 +2361,10 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 		x = cpk->x509;
 		/* This call populates extension flags (ex_flags) */
 		X509_check_purpose(x, -1, 0);
+#ifndef OPENSSL_NO_ECDH
 		ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
+#endif
 		ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
 		    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
 		if (!(cpk->valid_flags & CERT_PKEY_SIGN))
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4e307e4..2e598e3 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1250,7 +1250,9 @@ int tls1_set_curves(unsigned char **pext, size_t *pextlen,
 			int *curves, size_t ncurves);
 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen, 
 				const char *str);
+#ifndef OPENSSL_NO_ECDH
 int tls1_check_ec_tmp_key(SSL *s, unsigned long id);
+#endif /* OPENSSL_NO_ECDH */
 #endif /* OPENSSL_NO_EC */
 
 #ifndef OPENSSL_NO_TLSEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8d5fd12..f0291b1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -828,6 +828,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 		}
 	return rv;
 	}
+#ifndef OPENSSL_NO_ECDH
 /* Check EC temporary key is compatible with client extensions */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	{
@@ -894,6 +895,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 	return tls1_check_ec_key(s, curve_id, NULL);
 #endif
 	}
+#endif /* OPENSSL_NO_ECDH */
 
 #else
 
diff --git a/test/Makefile b/test/Makefile
index 2f5d205..3eb551c 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -53,7 +53,7 @@ RC5TEST=	rc5test
 BFTEST=		bftest
 CASTTEST=	casttest
 DESTEST=	destest
-GOST2814789TEST=gost2814789t
+GOST2814789TEST=gost2814789test
 RANDTEST=	randtest
 DHTEST=		dhtest
 DSATEST=	dsatest
@@ -664,20 +664,21 @@ exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
 exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 exptest.o: ../include/openssl/symhacks.h exptest.c
-gost2814789t.o: ../engines/ccgost/gost89.h ../include/openssl/asn1.h
-gost2814789t.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-gost2814789t.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gost2814789t.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-gost2814789t.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-gost2814789t.o: ../include/openssl/engine.h ../include/openssl/err.h
-gost2814789t.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-gost2814789t.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-gost2814789t.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gost2814789t.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-gost2814789t.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-gost2814789t.o: ../include/openssl/sha.h ../include/openssl/stack.h
-gost2814789t.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-gost2814789t.o: ../include/openssl/x509_vfy.h gost2814789t.c
+gost2814789test.o: ../engines/ccgost/gost89.h ../include/openssl/asn1.h
+gost2814789test.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+gost2814789test.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+gost2814789test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+gost2814789test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+gost2814789test.o: ../include/openssl/engine.h ../include/openssl/err.h
+gost2814789test.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+gost2814789test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+gost2814789test.o: ../include/openssl/objects.h
+gost2814789test.o: ../include/openssl/opensslconf.h
+gost2814789test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+gost2814789test.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+gost2814789test.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gost2814789test.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+gost2814789test.o: ../include/openssl/x509_vfy.h gost2814789test.c
 heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
diff --git a/test/cms-test.pl b/test/cms-test.pl
index 595ab48..7d4ca29 100644
--- a/test/cms-test.pl
+++ b/test/cms-test.pl
@@ -84,6 +84,7 @@ my $halt_err = 1;
 my $badcmd = 0;
 my $no_ec;
 my $no_ec2m;
+my $no_ecdh;
 my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/;
 
 system ("$ossl_path no-ec >/dev/null");
@@ -113,6 +114,20 @@ else
 	{
 	die "Error checking for EC2M support\n";
 	}
+
+system ("$ossl_path no-ecdh >/dev/null");
+if ($? == 0)
+	{
+	$no_ecdh = 1;
+	}
+elsif ($? == 256)
+	{
+	$no_ecdh = 0;
+	}
+else
+	{
+	die "Error checking for ECDH support\n";
+	}
     
 my @smime_pkcs7_tests = (
 
@@ -507,6 +522,11 @@ sub run_smime_tests {
 		print "$tnam: skipped, EC disabled\n";
 		next;
 		}
+	if ($no_ecdh && $tnam =~ /ECDH/)
+		{
+		print "$tnam: skipped, ECDH disabled\n";
+		next;
+		}
 	if ($no_ec2m && $tnam =~ /K-283/)
 		{
 		print "$tnam: skipped, EC2M disabled\n";


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 14:49:08 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 15:49:08 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-106-g63ef0db
Message-ID: <20141216144908.255771DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  63ef0db60f7b9fc0c2bcabdc7e2bd133784ddd60 (commit)
      from  f74f5c8586b2bd30738f0bd45aec1f9e95d5945f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 63ef0db60f7b9fc0c2bcabdc7e2bd133784ddd60
Author: Adam Langley 
Date:   Sat Dec 13 20:13:10 2014 +0000

    Don't set client_version to the ServerHello version.
    
    The client_version needs to be preserved for the RSA key exchange.
    
    This change also means that renegotiation will, like TLS, repeat the old
    client_version rather than advertise only the final version. (Either way,
    version change on renego is not allowed.) This is necessary in TLS to work
    around an SChannel bug, but it's not strictly necessary in DTLS.
    
    (From BoringSSL)
    
    Reviewed-by: Emilia K?sper 
    (cherry picked from commit ec1af3c4195c1dfecdd9dc7458850ab1b8b951e0)

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c9b5ee1..b16b3c4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -941,7 +941,7 @@ int ssl3_get_server_hello(SSL *s)
 			al = SSL_AD_PROTOCOL_VERSION;
 			goto f_err;
 			}
-		s->version = s->client_version = s->method->version;
+		s->version = s->method->version;
 		}
 
 	if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 14:49:15 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 15:49:15 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. ec1af3c4195c1dfecdd9dc7458850ab1b8b951e0
Message-ID: <20141216144915.9C3611DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  ec1af3c4195c1dfecdd9dc7458850ab1b8b951e0 (commit)
      from  db812f2d70f0695fd53b386fe5e870bef8ca3c22 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ec1af3c4195c1dfecdd9dc7458850ab1b8b951e0
Author: Adam Langley 
Date:   Sat Dec 13 20:13:10 2014 +0000

    Don't set client_version to the ServerHello version.
    
    The client_version needs to be preserved for the RSA key exchange.
    
    This change also means that renegotiation will, like TLS, repeat the old
    client_version rather than advertise only the final version. (Either way,
    version change on renego is not allowed.) This is necessary in TLS to work
    around an SChannel bug, but it's not strictly necessary in DTLS.
    
    (From BoringSSL)
    
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e178fe1..1aff833 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -944,7 +944,7 @@ int ssl3_get_server_hello(SSL *s)
 			al = SSL_AD_PROTOCOL_VERSION;
 			goto f_err;
 			}
-		s->version = s->client_version = s->method->version;
+		s->version = s->method->version;
 		}
 
 	if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 15:04:34 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 16:04:34 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 789da2c73d875af59b14156b6295aa4bdfc4f424
Message-ID: <20141216150435.147C61DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  789da2c73d875af59b14156b6295aa4bdfc4f424 (commit)
      from  ec1af3c4195c1dfecdd9dc7458850ab1b8b951e0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 789da2c73d875af59b14156b6295aa4bdfc4f424
Author: Matt Caswell 
Date:   Wed Dec 3 10:33:08 2014 +0000

    The dtls1_output_cert_chain function no longer exists so remove it from
    ssl_locl.h
    
    Reviewed-by: Tim Hudson 

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_locl.h |    1 -
 1 file changed, 1 deletion(-)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2e598e3..5212bc9 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1129,7 +1129,6 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq, 


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 16 15:04:44 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 16 Dec 2014 16:04:44 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-108-gc8667a2
Message-ID: <20141216150444.673911DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  c8667a2e462c3e9e2c4fe1dc170b9b157d9ba938 (commit)
       via  5ee441162e3a5a236429f43d5c352beb5eb29cc3 (commit)
      from  63ef0db60f7b9fc0c2bcabdc7e2bd133784ddd60 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c8667a2e462c3e9e2c4fe1dc170b9b157d9ba938
Author: Dr. Stephen Henson 
Date:   Tue Mar 18 14:19:22 2014 +0000

    Check return value of ssl3_output_cert_chain
    
    (cherry picked from commit 66f96fe2d519147097c118d4bf60704c69ed0635)
    
    Reviewed-by: Tim Hudson 

commit 5ee441162e3a5a236429f43d5c352beb5eb29cc3
Author: Matt Caswell 
Date:   Wed Dec 3 10:33:08 2014 +0000

    The dtls1_output_cert_chain function no longer exists so remove it from
    ssl_locl.h
    
    Reviewed-by: Tim Hudson 

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c  |    9 +++++++--
 ssl/s3_srvr.c  |    6 +++++-
 ssl/ssl_locl.h |    1 -
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b16b3c4..2b9fdb0 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3470,8 +3470,13 @@ int ssl3_send_client_certificate(SSL *s)
 	if (s->state == SSL3_ST_CW_CERT_C)
 		{
 		s->state=SSL3_ST_CW_CERT_D;
-		ssl3_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
+		if (!ssl3_output_cert_chain(s,
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key))
+			{
+			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		}
 	/* SSL3_ST_CW_CERT_D */
 	return ssl_do_write(s);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a4342ba..83d110f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3450,7 +3450,11 @@ int ssl3_send_server_certificate(SSL *s)
 				}
 			}
 
-		ssl3_output_cert_chain(s,cpk);
+		if (!ssl3_output_cert_chain(s,cpk))
+			{
+			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			return(0);
+			}
 		s->state=SSL3_ST_SW_CERT_B;
 		}
 
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 7bc839c..6b53f24 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1180,7 +1180,6 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq, 


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Tue Dec 16 17:22:54 2014
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 16 Dec 2014 18:22:54 +0100 (CET)
Subject: [openssl-commits] [config] UNNAMED PROJECT branch master created.
	d913b3d3e69fbb93450dd7887e537f43fb2b7a20
Message-ID: <20141216172254.206F11DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "UNNAMED PROJECT".

The branch, master has been created
        at  d913b3d3e69fbb93450dd7887e537f43fb2b7a20 (commit)

- Log -----------------------------------------------------------------
commit d913b3d3e69fbb93450dd7887e537f43fb2b7a20
Author: Rich Salz 
Date:   Tue Dec 16 12:22:21 2014 -0500

    Initial set of files

-----------------------------------------------------------------------


hooks/post-receive
-- 
UNNAMED PROJECT

From emilia at openssl.org  Wed Dec 17 09:02:34 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 10:02:34 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-70-gbfd19df
Message-ID: <20141217090234.CC08E1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  bfd19df6d06918c98a52a90e53712a8883d18db0 (commit)
      from  7f9edfd23a9b9cd0827cc381e8fbd8cd0c9e5035 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit bfd19df6d06918c98a52a90e53712a8883d18db0
Author: Emilia Kasper 
Date:   Mon Dec 15 14:52:22 2014 +0100

    Check for invalid divisors in BN_div.
    
    Invalid zero-padding in the divisor could cause a division by 0.
    
    Reviewed-by: Richard Levitte 
    (cherry picked from commit a43bcd9e96c5180e5c6c82164ece643c0097485e)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_div.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 7b24031..0ec90e8 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -189,15 +189,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	int no_branch=0;
 
 	/* Invalid zero-padding would have particularly bad consequences
-	 * in the case of 'num', so don't just rely on bn_check_top() for this one
+	 * so don't just rely on bn_check_top() here
 	 * (bn_check_top() works only for BN_DEBUG builds) */
-	if (num->top > 0 && num->d[num->top - 1] == 0)
+	if ((num->top > 0 && num->d[num->top - 1] == 0) ||
+		(divisor->top > 0 && divisor->d[divisor->top - 1] == 0))
 		{
 		BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
 		return 0;
 		}
 
 	bn_check_top(num);
+	bn_check_top(divisor);
 
 	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
 		{
@@ -207,7 +209,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	bn_check_top(dv);
 	bn_check_top(rm);
 	/* bn_check_top(num); */ /* 'num' has been checked already */
-	bn_check_top(divisor);
+	/* bn_check_top(divisor); */ /* 'divisor' has been checked already */
 
 	if (BN_is_zero(divisor))
 		{


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 09:02:34 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 10:02:34 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. a015758d11f8fd2171a3b73be60e90bed1bd857e
Message-ID: <20141217090234.EFCF11DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  a015758d11f8fd2171a3b73be60e90bed1bd857e (commit)
      from  789da2c73d875af59b14156b6295aa4bdfc4f424 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a015758d11f8fd2171a3b73be60e90bed1bd857e
Author: Emilia Kasper 
Date:   Mon Dec 15 14:52:22 2014 +0100

    Check for invalid divisors in BN_div.
    
    Invalid zero-padding in the divisor could cause a division by 0.
    
    Reviewed-by: Richard Levitte 
    (cherry picked from commit a43bcd9e96c5180e5c6c82164ece643c0097485e)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_div.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 06d87d0..1b5c29c 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -190,15 +190,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	int no_branch=0;
 
 	/* Invalid zero-padding would have particularly bad consequences
-	 * in the case of 'num', so don't just rely on bn_check_top() for this one
+	 * so don't just rely on bn_check_top() here
 	 * (bn_check_top() works only for BN_DEBUG builds) */
-	if (num->top > 0 && num->d[num->top - 1] == 0)
+	if ((num->top > 0 && num->d[num->top - 1] == 0) ||
+		(divisor->top > 0 && divisor->d[divisor->top - 1] == 0))
 		{
 		BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
 		return 0;
 		}
 
 	bn_check_top(num);
+	bn_check_top(divisor);
 
 	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
 		{
@@ -208,7 +210,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	bn_check_top(dv);
 	bn_check_top(rm);
 	/* bn_check_top(num); */ /* 'num' has been checked already */
-	bn_check_top(divisor);
+	/* bn_check_top(divisor); */ /* 'divisor' has been checked already */
 
 	if (BN_is_zero(divisor))
 		{


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 09:03:17 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 10:03:17 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-109-ga43bcd9
Message-ID: <20141217090318.096651DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  a43bcd9e96c5180e5c6c82164ece643c0097485e (commit)
      from  c8667a2e462c3e9e2c4fe1dc170b9b157d9ba938 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a43bcd9e96c5180e5c6c82164ece643c0097485e
Author: Emilia Kasper 
Date:   Mon Dec 15 14:52:22 2014 +0100

    Check for invalid divisors in BN_div.
    
    Invalid zero-padding in the divisor could cause a division by 0.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_div.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 7b24031..0ec90e8 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -189,15 +189,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	int no_branch=0;
 
 	/* Invalid zero-padding would have particularly bad consequences
-	 * in the case of 'num', so don't just rely on bn_check_top() for this one
+	 * so don't just rely on bn_check_top() here
 	 * (bn_check_top() works only for BN_DEBUG builds) */
-	if (num->top > 0 && num->d[num->top - 1] == 0)
+	if ((num->top > 0 && num->d[num->top - 1] == 0) ||
+		(divisor->top > 0 && divisor->d[divisor->top - 1] == 0))
 		{
 		BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
 		return 0;
 		}
 
 	bn_check_top(num);
+	bn_check_top(divisor);
 
 	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
 		{
@@ -207,7 +209,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	bn_check_top(dv);
 	bn_check_top(rm);
 	/* bn_check_top(num); */ /* 'num' has been checked already */
-	bn_check_top(divisor);
+	/* bn_check_top(divisor); */ /* 'divisor' has been checked already */
 
 	if (BN_is_zero(divisor))
 		{


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Wed Dec 17 09:16:15 2014
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 17 Dec 2014 10:16:15 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 57dc72e018ddecf222b6c5e598793b75069d42a2
Message-ID: <20141217091615.510681DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  57dc72e018ddecf222b6c5e598793b75069d42a2 (commit)
       via  6dec5e1ca91171aa8b5e528c8d8f5f88a7841ec6 (commit)
       via  3ddb2914b5ef3c22960b9c90c8d9ef49ae957e02 (commit)
       via  a501f647aa080c69611f486ef581ab05065982ea (commit)
       via  72b5d03b5b097cfa7a0785b819e96b2af35c1209 (commit)
       via  a93891632d5074bcb59690989a2f017bf19a91a1 (commit)
      from  a015758d11f8fd2171a3b73be60e90bed1bd857e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 57dc72e018ddecf222b6c5e598793b75069d42a2
Author: Richard Levitte 
Date:   Tue Dec 16 11:04:53 2014 +0100

    Clear warnings/errors within RL_DEBUG code sections (RL_DEBUG should be renamed)
    
    Reviewed-by: Tim Hudson 

commit 6dec5e1ca91171aa8b5e528c8d8f5f88a7841ec6
Author: Richard Levitte 
Date:   Tue Dec 16 11:04:19 2014 +0100

    Clear warnings/errors within TLS_DEBUG code sections
    
    Reviewed-by: Tim Hudson 

commit 3ddb2914b5ef3c22960b9c90c8d9ef49ae957e02
Author: Richard Levitte 
Date:   Tue Dec 16 04:13:41 2014 +0100

    Clear warnings/errors within KSSL_DEBUG code sections
    
    Reviewed-by: Tim Hudson 

commit a501f647aa080c69611f486ef581ab05065982ea
Author: Richard Levitte 
Date:   Tue Dec 16 02:54:50 2014 +0100

    Clear warnings/errors within CIPHER_DEBUG code sections
    
    Reviewed-by: Tim Hudson 

commit 72b5d03b5b097cfa7a0785b819e96b2af35c1209
Author: Richard Levitte 
Date:   Tue Dec 16 02:54:03 2014 +0100

    Clear warnings/errors within CIPHER_DEBUG code sections
    
    Reviewed-by: Tim Hudson 

commit a93891632d5074bcb59690989a2f017bf19a91a1
Author: Richard Levitte 
Date:   Tue Dec 16 01:38:39 2014 +0100

    Clear warnings/errors within BN_CTX_DEBUG code sections
    
    Reviewed-by: Tim Hudson 

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c           |    2 +-
 crypto/bn/bn_ctx.c  |    2 +-
 crypto/evp/e_des3.c |   22 +++++++++-------
 ssl/kssl.c          |   72 +++++++++++++++++++++++++--------------------------
 ssl/s3_clnt.c       |   12 ++++-----
 ssl/s3_lib.c        |   14 +++++-----
 ssl/s3_srvr.c       |   15 ++++++-----
 ssl/ssl_ciph.c      |   12 ++++-----
 ssl/ssl_lib.c       |    2 +-
 ssl/t1_enc.c        |   70 ++++++++++++++++++++++++-------------------------
 10 files changed, 113 insertions(+), 110 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 89f0de3..baa6a90 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -709,7 +709,7 @@ bad:
 		ERR_clear_error();
 #ifdef RL_DEBUG
 	if (!p)
-		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
 #endif
 #ifdef RL_DEBUG
 	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 9fe8751..d5eb022 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -159,7 +159,7 @@ static void ctxdbg(BN_CTX *ctx)
 	unsigned int bnidx = 0, fpidx = 0;
 	BN_POOL_ITEM *item = ctx->pool.head;
 	BN_STACK *stack = &ctx->stack;
-	fprintf(stderr,"(%08x): ", (unsigned int)ctx);
+	fprintf(stderr,"(%16p): ", ctx);
 	while(bnidx < ctx->used)
 		{
 		fprintf(stderr,"%03x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index c43091d..11d290e 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -146,12 +146,11 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        char *cp;
-	printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
-	printf("\t iv= ");
+	fprintf(stderr,"des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx, ctx->buf_len);
+	fprintf(stderr,"\t iv= ");
         for(i=0;i<8;i++)
-                printf("%02X",ctx->iv[i]);
-	printf("\n");
+                fprintf(stderr,"%02X",ctx->iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif    /* KSSL_DEBUG */
 	if (dat->stream.cbc)
@@ -305,11 +304,14 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        printf("des_ede3_init_key(ctx=%lx)\n", ctx);
-	printf("\tKEY= ");
-        for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
-	printf("\t IV= ");
-        for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
+        fprintf(stderr,"des_ede3_init_key(ctx=%p)\n", ctx);
+	fprintf(stderr,"\tKEY= ");
+        for(i=0;i<24;i++) fprintf(stderr,"%02X",key[i]); fprintf(stderr,"\n");
+	if (iv) 
+		{
+		fprintf(stderr,"\t IV= ");
+		for(i=0;i<8;i++) fprintf(stderr,"%02X",iv[i]); fprintf(stderr,"\n");
+		}
 	}
 #endif	/* KSSL_DEBUG */
 
diff --git a/ssl/kssl.c b/ssl/kssl.c
index 4eaf294..10687f0 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -954,15 +954,15 @@ print_krb5_data(char *label, krb5_data *kdata)
         {
 	int i;
 
-	printf("%s[%d] ", label, kdata->length);
+	fprintf(stderr,"%s[%d] ", label, kdata->length);
 	for (i=0; i < (int)kdata->length; i++)
                 {
 		if (0 &&  isprint((int) kdata->data[i]))
-                        printf(	"%c ",  kdata->data[i]);
+                        fprintf(stderr,	"%c ",  kdata->data[i]);
 		else
-                        printf(	"%02x ", (unsigned char) kdata->data[i]);
+                        fprintf(stderr,	"%02x ", (unsigned char) kdata->data[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
         }
 
 
@@ -973,20 +973,20 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
         {
 	if (adata == NULL)
                 {
-		printf("%s, authdata==0\n", label);
+		fprintf(stderr,"%s, authdata==0\n", label);
 		return;
 		}
-	printf("%s [%p]\n", label, (void *)adata);
+	fprintf(stderr,"%s [%p]\n", label, (void *)adata);
 #if 0
 	{
         int 	i;
-	printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+	fprintf(stderr,"%s[at%d:%d] ", label, adata->ad_type, adata->length);
 	for (i=0; i < adata->length; i++)
                 {
-                printf((isprint(adata->contents[i]))? "%c ": "%02x",
+                fprintf(stderr,(isprint(adata->contents[i]))? "%c ": "%02x",
                         adata->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 	}
 #endif
 	}
@@ -1001,24 +1001,24 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 	if (keyblk == NULL)
                 {
-		printf("%s, keyblk==0\n", label);
+		fprintf(stderr,"%s, keyblk==0\n", label);
 		return;
 		}
 #ifdef KRB5_HEIMDAL
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->keytype,
 					   keyblk->keyvalue->length);
 	for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
-		printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
+		fprintf(stderr,"%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #else
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
 	for (i=0; i < (int)keyblk->length; i++)
                 {
-		printf("%02x",keyblk->contents[i]);
+		fprintf(stderr,"%02x",keyblk->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #endif
         }
 
@@ -1031,17 +1031,17 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         {
 	int i, ui, uj;
 
-	printf("%s principal Realm: ", label);
+	fprintf(stderr,"%s principal Realm: ", label);
 	if (princ == NULL)  return;
 	for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
-	printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
+	fprintf(stderr," (nametype %d) has %d strings:\n", princ->type,princ->length);
 	for (i=0; i < (int)princ->length; i++)
                 {
-		printf("\t%d [%d]: ", i, princ->data[i].length);
+		fprintf(stderr,"\t%d [%d]: ", i, princ->data[i].length);
 		for (uj=0; uj < (int)princ->data[i].length; uj++)  {
 			putchar(princ->data[i].data[uj]);
 			}
-		printf("\n");
+		fprintf(stderr,"\n");
 		}
 	return;
         }
@@ -1332,7 +1332,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		}
 
 #ifdef KSSL_DEBUG
-	printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
+	fprintf(stderr,"in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
 #endif	/* KSSL_DEBUG */
 
 	if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
@@ -1481,18 +1481,18 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 #ifdef KSSL_DEBUG
 		{
 		int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
-		printf("Decrypted ticket fields:\n");
-		printf("\tflags: %X, transit-type: %X",
+		fprintf(stderr,"Decrypted ticket fields:\n");
+		fprintf(stderr,"\tflags: %X, transit-type: %X",
 			krb5ticket->enc_part2->flags,
 			krb5ticket->enc_part2->transited.tr_type);
 		print_krb5_data("\ttransit-data: ",
 			&(krb5ticket->enc_part2->transited.tr_contents));
-		printf("\tcaddrs: %p, authdata: %p\n",
+		fprintf(stderr,"\tcaddrs: %p, authdata: %p\n",
 			krb5ticket->enc_part2->caddrs,
 			krb5ticket->enc_part2->authorization_data);
 		if (paddr)
 			{
-			printf("\tcaddrs:\n");
+			fprintf(stderr,"\tcaddrs:\n");
 			for (i=0; paddr[i] != NULL; i++)
 				{
 				krb5_data d;
@@ -1501,7 +1501,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 				print_krb5_data("\t\tIP: ", &d);
 				}
 			}
-		printf("\tstart/auth/end times: %d / %d / %d\n",
+		fprintf(stderr,"\tstart/auth/end times: %d / %d / %d\n",
 			krb5ticket->enc_part2->times.starttime,
 			krb5ticket->enc_part2->times.authtime,
 			krb5ticket->enc_part2->times.endtime);
@@ -1976,7 +1976,7 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 	if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
 
 #ifdef KSSL_DEBUG
-	printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
+	fprintf(stderr,"kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
 		start, atime, now, skew, ttimes->endtime);
 #endif	/* KSSL_DEBUG */
 
@@ -2027,10 +2027,10 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
         {
         unsigned int ui;
-	printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
+	fprintf(stderr,"kssl_check_authent: authenticator[%d]:\n",authentp->length);
 	p = authentp->data; 
-	for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
-	printf("\n");
+	for (ui=0; ui < authentp->length; ui++)  fprintf(stderr,"%02x ",p[ui]);
+	fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -2095,9 +2095,9 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
 	{
 	int padl;
-	printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
-	for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
-	printf("\n");
+	fprintf(stderr,"kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+	for (padl=0; padl < outl; padl++) fprintf(stderr,"%02x ",unenc_authent[padl]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -2132,10 +2132,10 @@ krb5_error_code  kssl_check_authent(
  		}
 
 #ifdef KSSL_DEBUG
-	printf("kssl_check_authent: returns %d for client time ", *atimep);
+	fprintf(stderr,"kssl_check_authent: returns %d for client time ", *atimep);
 	if (auth->ctime && auth->ctime->length && auth->ctime->data)
-		printf("%.*s\n", auth->ctime->length, auth->ctime->data);
-	else	printf("NULL\n");
+		fprintf(stderr,"%.*s\n", auth->ctime->length, auth->ctime->data);
+	else	fprintf(stderr,"NULL\n");
 #endif	/* KSSL_DEBUG */
 
  err:
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 1aff833..321afc1 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1275,9 +1275,9 @@ int ssl3_get_server_certificate(SSL *s)
 	            ? 0 : 1;
 
 #ifdef KSSL_DEBUG
-	printf("pkey,x = %p, %p\n", pkey,x);
-	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
-	printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
+	fprintf(stderr,"pkey,x = %p, %p\n", pkey,x);
+	fprintf(stderr,"ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
+	fprintf(stderr,"cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
 		s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
 #endif    /* KSSL_DEBUG */
 
@@ -2562,7 +2562,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 			EVP_CIPHER_CTX_init(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
-			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+			fprintf(stderr,"ssl3_send_client_key_exchange(%lx & %lx)\n",
 				alg_k, SSL_kKRB5);
 #endif	/* KSSL_DEBUG */
 
@@ -2578,9 +2578,9 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    goto err;
 #ifdef KSSL_DEBUG
 			{
-			printf("kssl_cget_tkt rtn %d\n", krb5rc);
+			fprintf(stderr,"kssl_cget_tkt rtn %d\n", krb5rc);
 			if (krb5rc && kssl_err.text)
-			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+			  fprintf(stderr,"kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
 			}
 #endif	/* KSSL_DEBUG */
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0cd08bd..14a4a6e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4457,17 +4457,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 
 #ifdef CIPHER_DEBUG
-	printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
+	fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
 	for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
 		{
 		c=sk_SSL_CIPHER_value(srvr,i);
-		printf("%p:%s\n",(void *)c,c->name);
+		fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 		}
-	printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
+	fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
 	for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
 	    {
 	    c=sk_SSL_CIPHER_value(clnt,i);
-	    printf("%p:%s\n",(void *)c,c->name);
+	    fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 	    }
 #endif
 
@@ -4509,7 +4509,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 			
 #ifdef KSSL_DEBUG
-/*		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
+/*		fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
 #endif    /* KSSL_DEBUG */
 
 		alg_k=c->algorithm_mkey;
@@ -4532,7 +4532,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & emask_k) && (alg_a & emask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
 			       (void *)c,c->name);
 #endif
 			}
@@ -4540,7 +4540,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & mask_k) && (alg_a & mask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
 			       c->name);
 #endif
 			}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a2eebbb..7a61864 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1190,14 +1190,15 @@ int ssl3_get_client_hello(SSL *s)
 		id=s->session->cipher->id;
 
 #ifdef CIPHER_DEBUG
-		printf("client sent %d ciphers\n",sk_num(ciphers));
+		fprintf(stderr,"client sent %d ciphers\n",sk_SSL_CIPHER_num(ciphers));
 #endif
 		for (i=0; iid == id)
 				{
@@ -2559,10 +2560,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_sget_tkt rtn %d [%d]\n",
+			fprintf(stderr,"kssl_sget_tkt rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
@@ -2576,10 +2577,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&authtime, &kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_check_authent rtn %d [%d]\n",
+			fprintf(stderr,"kssl_check_authent rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4a673ec..4d65a2b 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -837,7 +837,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 			co_list[co_list_num].active = 0;
 			co_list_num++;
 #ifdef KSSL_DEBUG
-			printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
+			fprintf(stderr,"\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
 #endif	/* KSSL_DEBUG */
 			/*
 			if (!sk_push(ca_list,(char *)c)) goto err;
@@ -954,7 +954,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 	int reverse = 0;
 
 #ifdef CIPHER_DEBUG
-	printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
+	fprintf(stderr, "Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
 		rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
 #endif
 
@@ -1000,7 +1000,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 		else
 			{
 #ifdef CIPHER_DEBUG
-			printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
+			fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 			if (cipher_id && cipher_id != cp->id)
@@ -1023,7 +1023,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			}
 
 #ifdef CIPHER_DEBUG
-		printf("Action = %d\n", rule);
+		fprintf(stderr, "Action = %d\n", rule);
 #endif
 
 		/* add the cipher if it has not been added yet. */
@@ -1497,7 +1497,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	num_of_ciphers = ssl_method->num_ciphers();
 #ifdef KSSL_DEBUG
-	printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
+	fprintf(stderr,"ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
 #endif    /* KSSL_DEBUG */
 	co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
 	if (co_list == NULL)
@@ -1625,7 +1625,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 				return NULL;
 				}
 #ifdef CIPHER_DEBUG
-			printf("<%s>\n",curr->cipher->name);
+			fprintf(stderr, "<%s>\n",curr->cipher->name);
 #endif
 			}
 		}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ea271fb..d09bb7d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2283,7 +2283,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	
 
 #ifdef CIPHER_DEBUG
-	printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+	fprintf(stderr,"rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
 	        rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
 		rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 59b3fdb..dd29306 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -302,15 +302,15 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
 		 s->session->master_key,s->session->master_key_length,
 		 km,tmp,num);
 #ifdef KSSL_DEBUG
-	printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
+	fprintf(stderr,"tls1_generate_key_block() ==> %d byte master_key =\n\t",
                 s->session->master_key_length);
 	{
         int i;
         for (i=0; i < s->session->master_key_length; i++)
                 {
-                printf("%02X", s->session->master_key[i]);
+                fprintf(stderr,"%02X", s->session->master_key[i]);
                 }
-        printf("\n");  }
+        fprintf(stderr,"\n");  }
 #endif    /* KSSL_DEBUG */
 	return ret;
 	}
@@ -348,19 +348,19 @@ int tls1_change_cipher_state(SSL *s, int which)
 #endif
 
 #ifdef KSSL_DEBUG
-	printf("tls1_change_cipher_state(which= %d) w/\n", which);
-	printf("\talg= %ld/%ld, comp= %p\n",
+	fprintf(stderr,"tls1_change_cipher_state(which= %d) w/\n", which);
+	fprintf(stderr,"\talg= %ld/%ld, comp= %p\n",
 	       s->s3->tmp.new_cipher->algorithm_mkey,
 	       s->s3->tmp.new_cipher->algorithm_auth,
 	       comp);
-	printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
-	printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
+	fprintf(stderr,"\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
+	fprintf(stderr,"\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
                 c->nid,c->block_size,c->key_len,c->iv_len);
-	printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
+	fprintf(stderr,"\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
 	{
         int i;
         for (i=0; is3->tmp.key_block_length; i++)
-		printf("%02x", s->s3->tmp.key_block[i]);  printf("\n");
+		fprintf(stderr,"%02x", s->s3->tmp.key_block[i]);  fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -538,11 +538,11 @@ printf("which = %04X\nmac key=",which);
 #ifdef KSSL_DEBUG
 	{
         int i;
-	printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
-	printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]);
-	printf("\n");
-	printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]);
-	printf("\n");
+	fprintf(stderr,"EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
+	fprintf(stderr,"\tkey= "); for (i=0; ikey_len; i++) fprintf(stderr,"%02x", key[i]);
+	fprintf(stderr,"\n");
+	fprintf(stderr,"\t iv= "); for (i=0; iiv_len; i++) fprintf(stderr,"%02x", iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -613,7 +613,7 @@ int tls1_setup_key_block(SSL *s)
 	int ret=0;
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_setup_key_block()\n");
+	fprintf(stderr,"tls1_setup_key_block()\n");
 #endif	/* KSSL_DEBUG */
 
 	if (s->s3->tmp.key_block_length != 0)
@@ -762,7 +762,7 @@ int tls1_enc(SSL *s, int send)
 		}
 
 #ifdef KSSL_DEBUG
-	printf("tls1_enc(%d)\n", send);
+	fprintf(stderr,"tls1_enc(%d)\n", send);
 #endif    /* KSSL_DEBUG */
 
 	if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
@@ -834,18 +834,18 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long ui;
-		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
+		fprintf(stderr,"EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
 			ds,rec->data,rec->input,l);
-		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+		fprintf(stderr,"\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
 			ds->buf_len, ds->cipher->key_len,
 			DES_KEY_SZ, DES_SCHEDULE_SZ,
 			ds->cipher->iv_len);
-		printf("\t\tIV: ");
-		for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]);
-		printf("\n");
-		printf("\trec->input=");
-		for (ui=0; uiinput[ui]);
-		printf("\n");
+		fprintf(stderr,"\t\tIV: ");
+		for (i=0; icipher->iv_len; i++) fprintf(stderr,"%02X", ds->iv[i]);
+		fprintf(stderr,"\n");
+		fprintf(stderr,"\trec->input=");
+		for (ui=0; uiinput[ui]);
+		fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -870,9 +870,9 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long i;
-		printf("\trec->data=");
+		fprintf(stderr,"\trec->data=");
 		for (i=0; idata[i]);  printf("\n");
+			fprintf(stderr," %02x", rec->data[i]);  fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -1064,10 +1064,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	if (!stream_mac)
 		EVP_MD_CTX_cleanup(&hmac);
 #ifdef TLS_DEBUG
-printf("seq=");
-{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
-printf("rec=");
-{unsigned int z; for (z=0; zlength; z++) printf("%02X ",rec->data[z]); printf("\n"); }
+fprintf(stderr,"seq=");
+{int z; for (z=0; z<8; z++) fprintf(stderr,"%02X ",seq[z]); fprintf(stderr,"\n"); }
+fprintf(stderr,"rec=");
+{unsigned int z; for (z=0; zlength; z++) fprintf(stderr,"%02X ",rec->data[z]); fprintf(stderr,"\n"); }
 #endif
 
 	if (!SSL_IS_DTLS(ssl))
@@ -1080,7 +1080,7 @@ printf("rec=");
 		}
 
 #ifdef TLS_DEBUG
-{unsigned int z; for (z=0; z

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  1fe8304db04e581037778c4389fd1c731538f368 (commit)
      from  bfd19df6d06918c98a52a90e53712a8883d18db0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1fe8304db04e581037778c4389fd1c731538f368
Author: Bodo M?ller 
Date:   Thu Oct 13 12:35:10 2011 +0000

    Backport regression test
    
    master branch has a specific regression test for a bug in x86_64-mont5 code,
    see commit cdfe0fdde6a966bdb0447de66aa04a85d99a0551.
    
    This code is now in 1.0.2/1.0.1, so also backport the test.
    
    Reviewed-by: Richard Levitte 
    (cherry picked from commit bb565cd29e34caeeaf12ecfdbe6273c2c794f5a2)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bntest.c |   76 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 06f5954..7771e92 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -107,6 +107,7 @@ int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
 int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
 int test_gf2m_add(BIO *bp);
 int test_gf2m_mod(BIO *bp);
@@ -249,6 +250,7 @@ int main(int argc, char *argv[])
 
 	message(out,"BN_mod_exp_mont_consttime");
 	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	if (!test_mod_exp_mont5(out,ctx)) goto err;
 	(void)BIO_flush(out);
 
 	message(out,"BN_exp");
@@ -1012,6 +1014,80 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+/* Test constant-time modular exponentiation with 1024-bit inputs,
+ * which on x86_64 cause a different code branch to be taken.
+ */
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*p,*m,*d,*e;
+
+	BN_MONT_CTX *mont;
+
+	a=BN_new();
+	p=BN_new();
+	m=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	mont = BN_MONT_CTX_new();
+
+	BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */
+	/* Zero exponent */
+	BN_bntest_rand(a,1024,0,0);
+	BN_zero(p);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_one(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Zero input */
+	BN_bntest_rand(p,1024,0,0);
+	BN_zero(a);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_zero(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Craft an input whose Montgomery representation is 1,
+	 * i.e., shorter than the modulus m, in order to test
+	 * the const time precomputation scattering/gathering.
+	 */
+	BN_one(a);
+	BN_MONT_CTX_set(mont,m,ctx);
+	if(!BN_from_montgomery(e,a,mont,ctx))
+		return 0;
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Finally, some regular test vectors. */
+	BN_bntest_rand(e,1024,0,0);
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	BN_free(a);
+	BN_free(p);
+	BN_free(m);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 11:05:09 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 12:05:09 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-110-gbb565cd
Message-ID: <20141217110509.8501B1DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  bb565cd29e34caeeaf12ecfdbe6273c2c794f5a2 (commit)
      from  a43bcd9e96c5180e5c6c82164ece643c0097485e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit bb565cd29e34caeeaf12ecfdbe6273c2c794f5a2
Author: Bodo M?ller 
Date:   Thu Oct 13 12:35:10 2011 +0000

    Backport regression test
    
    master branch has a specific regression test for a bug in x86_64-mont5 code,
    see commit cdfe0fdde6a966bdb0447de66aa04a85d99a0551.
    
    This code is now in 1.0.2/1.0.1, so also backport the test.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bntest.c |   76 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 06f5954..7771e92 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -107,6 +107,7 @@ int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
 int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
 int test_gf2m_add(BIO *bp);
 int test_gf2m_mod(BIO *bp);
@@ -249,6 +250,7 @@ int main(int argc, char *argv[])
 
 	message(out,"BN_mod_exp_mont_consttime");
 	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	if (!test_mod_exp_mont5(out,ctx)) goto err;
 	(void)BIO_flush(out);
 
 	message(out,"BN_exp");
@@ -1012,6 +1014,80 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+/* Test constant-time modular exponentiation with 1024-bit inputs,
+ * which on x86_64 cause a different code branch to be taken.
+ */
+int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*p,*m,*d,*e;
+
+	BN_MONT_CTX *mont;
+
+	a=BN_new();
+	p=BN_new();
+	m=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	mont = BN_MONT_CTX_new();
+
+	BN_bntest_rand(m,1024,0,1); /* must be odd for montgomery */
+	/* Zero exponent */
+	BN_bntest_rand(a,1024,0,0);
+	BN_zero(p);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_one(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Zero input */
+	BN_bntest_rand(p,1024,0,0);
+	BN_zero(a);
+	if(!BN_mod_exp_mont_consttime(d,a,p,m,ctx,NULL))
+		return 0;
+	if(!BN_is_zero(d))
+		{
+		fprintf(stderr, "Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Craft an input whose Montgomery representation is 1,
+	 * i.e., shorter than the modulus m, in order to test
+	 * the const time precomputation scattering/gathering.
+	 */
+	BN_one(a);
+	BN_MONT_CTX_set(mont,m,ctx);
+	if(!BN_from_montgomery(e,a,mont,ctx))
+		return 0;
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	/* Finally, some regular test vectors. */
+	BN_bntest_rand(e,1024,0,0);
+	if(!BN_mod_exp_mont_consttime(d,e,p,m,ctx,NULL))
+		return 0;
+	if(!BN_mod_exp_simple(a,e,p,m,ctx))
+		return 0;
+	if(BN_cmp(a,d) != 0)
+		{
+		fprintf(stderr,"Modular exponentiation test failed!\n");
+		return 0;
+		}
+	BN_free(a);
+	BN_free(p);
+	BN_free(m);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:07:38 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:07:38 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-49-g40c2812
Message-ID: <20141217130738.497151DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  40c2812f5656b1c78fa18b14c264fd48421c2d24 (commit)
      from  2e3e3d278ec4984d352c65e2df8270ecf658d5b4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 40c2812f5656b1c78fa18b14c264fd48421c2d24
Author: Adam Langley 
Date:   Tue Dec 16 14:03:47 2014 +0100

    Premaster secret handling fixes
    
    From BoringSSL
    - Send an alert when the client key exchange isn't correctly formatted.
    - Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.
    
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit 4aecfd4d9f366c849c9627ab666d1b1addc024e6)

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c |   36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4573ec8..20c6fa0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2015,6 +2015,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
 		int decrypt_len;
 		unsigned char decrypt_good, version_good;
+		size_t j;
 
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
@@ -2053,8 +2054,9 @@ int ssl3_get_client_key_exchange(SSL *s)
 				{
 				if (!(s->options & SSL_OP_TLS_D5_BUG))
 					{
+					al = SSL_AD_DECODE_ERROR;
 					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-					goto err;
+					goto f_err;
 					}
 				else
 					p-=2;
@@ -2063,6 +2065,20 @@ int ssl3_get_client_key_exchange(SSL *s)
 				n=i;
 			}
 
+		/*
+		 * Reject overly short RSA ciphertext because we want to be sure
+		 * that the buffer size makes it safe to iterate over the entire
+		 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
+		 * actual expected size is larger due to RSA padding, but the
+		 * bound is sufficient to be safe.
+		 */
+		if (n < SSL_MAX_MASTER_KEY_LENGTH)
+			{
+			al = SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+			goto f_err;
+			}
+
 		/* We must not leak whether a decryption failure occurs because
 		 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
 		 * RFC 2246, section 7.4.7.1). The code follows that advice of
@@ -2110,19 +2126,23 @@ int ssl3_get_client_key_exchange(SSL *s)
 		 * to remain non-zero (0xff). */
 		decrypt_good &= version_good;
 
-		/* Now copy rand_premaster_secret over p using
-		 * decrypt_good_mask. */
-		for (i = 0; i < (int) sizeof(rand_premaster_secret); i++)
+		/*
+		 * Now copy rand_premaster_secret over from p using
+		 * decrypt_good_mask. If decryption failed, then p does not
+		 * contain valid plaintext, however, a check above guarantees
+		 * it is still sufficiently large to read from.
+		 */
+		for (j = 0; j < sizeof(rand_premaster_secret); j++)
 			{
-			p[i] = constant_time_select_8(decrypt_good, p[i],
-						      rand_premaster_secret[i]);
+			p[j] = constant_time_select_8(decrypt_good, p[j],
+						      rand_premaster_secret[j]);
 			}
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,
-				p,i);
-		OPENSSL_cleanse(p,i);
+				p,sizeof(rand_premaster_secret));
+		OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
 		}
 	else
 #endif


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:07:38 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:07:38 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 4aecfd4d9f366c849c9627ab666d1b1addc024e6
Message-ID: <20141217130738.D37D41DFC74@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  4aecfd4d9f366c849c9627ab666d1b1addc024e6 (commit)
      from  57dc72e018ddecf222b6c5e598793b75069d42a2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4aecfd4d9f366c849c9627ab666d1b1addc024e6
Author: Adam Langley 
Date:   Tue Dec 16 14:03:47 2014 +0100

    Premaster secret handling fixes
    
    From BoringSSL
    - Send an alert when the client key exchange isn't correctly formatted.
    - Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.
    
    Reviewed-by: Kurt Roeckx 

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c |   36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 7a61864..02c8c10 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2276,6 +2276,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
 		int decrypt_len;
 		unsigned char decrypt_good, version_good;
+		size_t j;
 
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
@@ -2314,8 +2315,9 @@ int ssl3_get_client_key_exchange(SSL *s)
 				{
 				if (!(s->options & SSL_OP_TLS_D5_BUG))
 					{
+					al = SSL_AD_DECODE_ERROR;
 					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-					goto err;
+					goto f_err;
 					}
 				else
 					p-=2;
@@ -2324,6 +2326,20 @@ int ssl3_get_client_key_exchange(SSL *s)
 				n=i;
 			}
 
+		/*
+		 * Reject overly short RSA ciphertext because we want to be sure
+		 * that the buffer size makes it safe to iterate over the entire
+		 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
+		 * actual expected size is larger due to RSA padding, but the
+		 * bound is sufficient to be safe.
+		 */
+		if (n < SSL_MAX_MASTER_KEY_LENGTH)
+			{
+			al = SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+			goto f_err;
+			}
+
 		/* We must not leak whether a decryption failure occurs because
 		 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
 		 * RFC 2246, section 7.4.7.1). The code follows that advice of
@@ -2371,19 +2387,23 @@ int ssl3_get_client_key_exchange(SSL *s)
 		 * to remain non-zero (0xff). */
 		decrypt_good &= version_good;
 
-		/* Now copy rand_premaster_secret over p using
-		 * decrypt_good_mask. */
-		for (i = 0; i < (int) sizeof(rand_premaster_secret); i++)
+		/*
+		 * Now copy rand_premaster_secret over from p using
+		 * decrypt_good_mask. If decryption failed, then p does not
+		 * contain valid plaintext, however, a check above guarantees
+		 * it is still sufficiently large to read from.
+		 */
+		for (j = 0; j < sizeof(rand_premaster_secret); j++)
 			{
-			p[i] = constant_time_select_8(decrypt_good, p[i],
-						      rand_premaster_secret[i]);
+			p[j] = constant_time_select_8(decrypt_good, p[j],
+						      rand_premaster_secret[j]);
 			}
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,
-				p,i);
-		OPENSSL_cleanse(p,i);
+				p,sizeof(rand_premaster_secret));
+		OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
 		}
 	else
 #endif


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:07:38 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:07:38 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-72-gdc1e493
Message-ID: <20141217130738.89F711DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  dc1e4938083e7c50b27a96412db9dd834737cb8b (commit)
      from  1fe8304db04e581037778c4389fd1c731538f368 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dc1e4938083e7c50b27a96412db9dd834737cb8b
Author: Adam Langley 
Date:   Tue Dec 16 14:03:47 2014 +0100

    Premaster secret handling fixes
    
    From BoringSSL
    - Send an alert when the client key exchange isn't correctly formatted.
    - Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.
    
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit 4aecfd4d9f366c849c9627ab666d1b1addc024e6)

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c |   36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 719e6d3..b5b3ecb 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2215,6 +2215,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
 		int decrypt_len;
 		unsigned char decrypt_good, version_good;
+		size_t j;
 
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
@@ -2253,8 +2254,9 @@ int ssl3_get_client_key_exchange(SSL *s)
 				{
 				if (!(s->options & SSL_OP_TLS_D5_BUG))
 					{
+					al = SSL_AD_DECODE_ERROR;
 					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-					goto err;
+					goto f_err;
 					}
 				else
 					p-=2;
@@ -2263,6 +2265,20 @@ int ssl3_get_client_key_exchange(SSL *s)
 				n=i;
 			}
 
+		/*
+		 * Reject overly short RSA ciphertext because we want to be sure
+		 * that the buffer size makes it safe to iterate over the entire
+		 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
+		 * actual expected size is larger due to RSA padding, but the
+		 * bound is sufficient to be safe.
+		 */
+		if (n < SSL_MAX_MASTER_KEY_LENGTH)
+			{
+			al = SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+			goto f_err;
+			}
+
 		/* We must not leak whether a decryption failure occurs because
 		 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
 		 * RFC 2246, section 7.4.7.1). The code follows that advice of
@@ -2310,19 +2326,23 @@ int ssl3_get_client_key_exchange(SSL *s)
 		 * to remain non-zero (0xff). */
 		decrypt_good &= version_good;
 
-		/* Now copy rand_premaster_secret over p using
-		 * decrypt_good_mask. */
-		for (i = 0; i < (int) sizeof(rand_premaster_secret); i++)
+		/*
+		 * Now copy rand_premaster_secret over from p using
+		 * decrypt_good_mask. If decryption failed, then p does not
+		 * contain valid plaintext, however, a check above guarantees
+		 * it is still sufficiently large to read from.
+		 */
+		for (j = 0; j < sizeof(rand_premaster_secret); j++)
 			{
-			p[i] = constant_time_select_8(decrypt_good, p[i],
-						      rand_premaster_secret[i]);
+			p[j] = constant_time_select_8(decrypt_good, p[j],
+						      rand_premaster_secret[j]);
 			}
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,
-				p,i);
-		OPENSSL_cleanse(p,i);
+				p,sizeof(rand_premaster_secret));
+		OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
 		}
 	else
 #endif


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:07:38 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:07:38 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-111-g1ecfb67
Message-ID: <20141217130738.B4F841DF122@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  1ecfb673358ccc1129899e5854e6275520b2be65 (commit)
      from  bb565cd29e34caeeaf12ecfdbe6273c2c794f5a2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1ecfb673358ccc1129899e5854e6275520b2be65
Author: Adam Langley 
Date:   Tue Dec 16 14:03:47 2014 +0100

    Premaster secret handling fixes
    
    From BoringSSL
    - Send an alert when the client key exchange isn't correctly formatted.
    - Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.
    
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit 4aecfd4d9f366c849c9627ab666d1b1addc024e6)

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c |   36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 83d110f..2290ed6 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2237,6 +2237,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 		unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
 		int decrypt_len;
 		unsigned char decrypt_good, version_good;
+		size_t j;
 
 		/* FIX THIS UP EAY EAY EAY EAY */
 		if (s->s3->tmp.use_rsa_tmp)
@@ -2275,8 +2276,9 @@ int ssl3_get_client_key_exchange(SSL *s)
 				{
 				if (!(s->options & SSL_OP_TLS_D5_BUG))
 					{
+					al = SSL_AD_DECODE_ERROR;
 					SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
-					goto err;
+					goto f_err;
 					}
 				else
 					p-=2;
@@ -2285,6 +2287,20 @@ int ssl3_get_client_key_exchange(SSL *s)
 				n=i;
 			}
 
+		/*
+		 * Reject overly short RSA ciphertext because we want to be sure
+		 * that the buffer size makes it safe to iterate over the entire
+		 * size of a premaster secret (SSL_MAX_MASTER_KEY_LENGTH). The
+		 * actual expected size is larger due to RSA padding, but the
+		 * bound is sufficient to be safe.
+		 */
+		if (n < SSL_MAX_MASTER_KEY_LENGTH)
+			{
+			al = SSL_AD_DECRYPT_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
+			goto f_err;
+			}
+
 		/* We must not leak whether a decryption failure occurs because
 		 * of Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see
 		 * RFC 2246, section 7.4.7.1). The code follows that advice of
@@ -2332,19 +2348,23 @@ int ssl3_get_client_key_exchange(SSL *s)
 		 * to remain non-zero (0xff). */
 		decrypt_good &= version_good;
 
-		/* Now copy rand_premaster_secret over p using
-		 * decrypt_good_mask. */
-		for (i = 0; i < (int) sizeof(rand_premaster_secret); i++)
+		/*
+		 * Now copy rand_premaster_secret over from p using
+		 * decrypt_good_mask. If decryption failed, then p does not
+		 * contain valid plaintext, however, a check above guarantees
+		 * it is still sufficiently large to read from.
+		 */
+		for (j = 0; j < sizeof(rand_premaster_secret); j++)
 			{
-			p[i] = constant_time_select_8(decrypt_good, p[i],
-						      rand_premaster_secret[i]);
+			p[j] = constant_time_select_8(decrypt_good, p[j],
+						      rand_premaster_secret[j]);
 			}
 
 		s->session->master_key_length=
 			s->method->ssl3_enc->generate_master_secret(s,
 				s->session->master_key,
-				p,i);
-		OPENSSL_cleanse(p,i);
+				p,sizeof(rand_premaster_secret));
+		OPENSSL_cleanse(p,sizeof(rand_premaster_secret));
 		}
 	else
 #endif


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Wed Dec 17 13:20:29 2014
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 17 Dec 2014 14:20:29 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-117-g8bc8450
Message-ID: <20141217132029.7A2C01DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  8bc8450a26329e3c890df60026f969e7caabff3d (commit)
       via  bf68456f538cacc9dcfd00986962aef0e8538289 (commit)
       via  53332a75d16a5bb3b9d90c15fcf38d2e87160a52 (commit)
       via  cd387d21daa939862e081f00be0a98dbc5a85351 (commit)
       via  0c403e80a9952c83a38eab3c8a4ce42e17a2cee0 (commit)
       via  553affbef7bb5dd313514e06dab5cd9b1de1835f (commit)
      from  1ecfb673358ccc1129899e5854e6275520b2be65 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8bc8450a26329e3c890df60026f969e7caabff3d
Author: Richard Levitte 
Date:   Tue Dec 16 11:04:53 2014 +0100

    Clear warnings/errors within RL_DEBUG code sections (RL_DEBUG should be renamed)
    
    Reviewed-by: Andy Polyakov 

commit bf68456f538cacc9dcfd00986962aef0e8538289
Author: Richard Levitte 
Date:   Tue Dec 16 11:04:19 2014 +0100

    Clear warnings/errors within TLS_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 

commit 53332a75d16a5bb3b9d90c15fcf38d2e87160a52
Author: Richard Levitte 
Date:   Tue Dec 16 04:13:41 2014 +0100

    Clear warnings/errors within KSSL_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 

commit cd387d21daa939862e081f00be0a98dbc5a85351
Author: Richard Levitte 
Date:   Tue Dec 16 02:54:50 2014 +0100

    Clear warnings/errors within CIPHER_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 

commit 0c403e80a9952c83a38eab3c8a4ce42e17a2cee0
Author: Richard Levitte 
Date:   Tue Dec 16 02:54:03 2014 +0100

    Clear warnings/errors within CIPHER_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 

commit 553affbef7bb5dd313514e06dab5cd9b1de1835f
Author: Richard Levitte 
Date:   Tue Dec 16 01:38:39 2014 +0100

    Clear warnings/errors within BN_CTX_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c           |    2 +-
 crypto/bn/bn_ctx.c  |    2 +-
 crypto/evp/e_des3.c |   22 ++++++++-------
 ssl/kssl.c          |   72 ++++++++++++++++++++++++-------------------------
 ssl/s3_clnt.c       |   12 ++++-----
 ssl/s3_lib.c        |   14 +++++-----
 ssl/s3_srvr.c       |   15 ++++++-----
 ssl/ssl_ciph.c      |   12 ++++-----
 ssl/ssl_lib.c       |    2 +-
 ssl/t1_enc.c        |   74 ++++++++++++++++++++++++---------------------------
 10 files changed, 113 insertions(+), 114 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 5c98543..f667223 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -709,7 +709,7 @@ bad:
 		ERR_clear_error();
 #ifdef RL_DEBUG
 	if (!p)
-		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
 #endif
 #ifdef RL_DEBUG
 	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 3f2256f..90aa3ae 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -158,7 +158,7 @@ static void ctxdbg(BN_CTX *ctx)
 	unsigned int bnidx = 0, fpidx = 0;
 	BN_POOL_ITEM *item = ctx->pool.head;
 	BN_STACK *stack = &ctx->stack;
-	fprintf(stderr,"(%08x): ", (unsigned int)ctx);
+	fprintf(stderr,"(%16p): ", ctx);
 	while(bnidx < ctx->used)
 		{
 		fprintf(stderr,"%03x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index 24e9fec..ad7be6b 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -148,12 +148,11 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        char *cp;
-	printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
-	printf("\t iv= ");
+	fprintf(stderr,"des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx, ctx->buf_len);
+	fprintf(stderr,"\t iv= ");
         for(i=0;i<8;i++)
-                printf("%02X",ctx->iv[i]);
-	printf("\n");
+                fprintf(stderr,"%02X",ctx->iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif    /* KSSL_DEBUG */
 	if (dat->stream.cbc)
@@ -307,11 +306,14 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        printf("des_ede3_init_key(ctx=%lx)\n", ctx);
-	printf("\tKEY= ");
-        for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
-	printf("\t IV= ");
-        for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
+        fprintf(stderr,"des_ede3_init_key(ctx=%p)\n", ctx);
+	fprintf(stderr,"\tKEY= ");
+        for(i=0;i<24;i++) fprintf(stderr,"%02X",key[i]); fprintf(stderr,"\n");
+	if (iv) 
+		{
+		fprintf(stderr,"\t IV= ");
+		for(i=0;i<8;i++) fprintf(stderr,"%02X",iv[i]); fprintf(stderr,"\n");
+		}
 	}
 #endif	/* KSSL_DEBUG */
 
diff --git a/ssl/kssl.c b/ssl/kssl.c
index fd7c67b..950a0c5 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -954,15 +954,15 @@ print_krb5_data(char *label, krb5_data *kdata)
         {
 	int i;
 
-	printf("%s[%d] ", label, kdata->length);
+	fprintf(stderr,"%s[%d] ", label, kdata->length);
 	for (i=0; i < (int)kdata->length; i++)
                 {
 		if (0 &&  isprint((int) kdata->data[i]))
-                        printf(	"%c ",  kdata->data[i]);
+                        fprintf(stderr,	"%c ",  kdata->data[i]);
 		else
-                        printf(	"%02x ", (unsigned char) kdata->data[i]);
+                        fprintf(stderr,	"%02x ", (unsigned char) kdata->data[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
         }
 
 
@@ -973,20 +973,20 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
         {
 	if (adata == NULL)
                 {
-		printf("%s, authdata==0\n", label);
+		fprintf(stderr,"%s, authdata==0\n", label);
 		return;
 		}
-	printf("%s [%p]\n", label, (void *)adata);
+	fprintf(stderr,"%s [%p]\n", label, (void *)adata);
 #if 0
 	{
         int 	i;
-	printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+	fprintf(stderr,"%s[at%d:%d] ", label, adata->ad_type, adata->length);
 	for (i=0; i < adata->length; i++)
                 {
-                printf((isprint(adata->contents[i]))? "%c ": "%02x",
+                fprintf(stderr,(isprint(adata->contents[i]))? "%c ": "%02x",
                         adata->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 	}
 #endif
 	}
@@ -1001,24 +1001,24 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 	if (keyblk == NULL)
                 {
-		printf("%s, keyblk==0\n", label);
+		fprintf(stderr,"%s, keyblk==0\n", label);
 		return;
 		}
 #ifdef KRB5_HEIMDAL
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->keytype,
 					   keyblk->keyvalue->length);
 	for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
-		printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
+		fprintf(stderr,"%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #else
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
 	for (i=0; i < (int)keyblk->length; i++)
                 {
-		printf("%02x",keyblk->contents[i]);
+		fprintf(stderr,"%02x",keyblk->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #endif
         }
 
@@ -1031,17 +1031,17 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         {
 	int i, ui, uj;
 
-	printf("%s principal Realm: ", label);
+	fprintf(stderr,"%s principal Realm: ", label);
 	if (princ == NULL)  return;
 	for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
-	printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
+	fprintf(stderr," (nametype %d) has %d strings:\n", princ->type,princ->length);
 	for (i=0; i < (int)princ->length; i++)
                 {
-		printf("\t%d [%d]: ", i, princ->data[i].length);
+		fprintf(stderr,"\t%d [%d]: ", i, princ->data[i].length);
 		for (uj=0; uj < (int)princ->data[i].length; uj++)  {
 			putchar(princ->data[i].data[uj]);
 			}
-		printf("\n");
+		fprintf(stderr,"\n");
 		}
 	return;
         }
@@ -1332,7 +1332,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		}
 
 #ifdef KSSL_DEBUG
-	printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
+	fprintf(stderr,"in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
 #endif	/* KSSL_DEBUG */
 
 	if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
@@ -1481,18 +1481,18 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 #ifdef KSSL_DEBUG
 		{
 		int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
-		printf("Decrypted ticket fields:\n");
-		printf("\tflags: %X, transit-type: %X",
+		fprintf(stderr,"Decrypted ticket fields:\n");
+		fprintf(stderr,"\tflags: %X, transit-type: %X",
 			krb5ticket->enc_part2->flags,
 			krb5ticket->enc_part2->transited.tr_type);
 		print_krb5_data("\ttransit-data: ",
 			&(krb5ticket->enc_part2->transited.tr_contents));
-		printf("\tcaddrs: %p, authdata: %p\n",
+		fprintf(stderr,"\tcaddrs: %p, authdata: %p\n",
 			krb5ticket->enc_part2->caddrs,
 			krb5ticket->enc_part2->authorization_data);
 		if (paddr)
 			{
-			printf("\tcaddrs:\n");
+			fprintf(stderr,"\tcaddrs:\n");
 			for (i=0; paddr[i] != NULL; i++)
 				{
 				krb5_data d;
@@ -1501,7 +1501,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 				print_krb5_data("\t\tIP: ", &d);
 				}
 			}
-		printf("\tstart/auth/end times: %d / %d / %d\n",
+		fprintf(stderr,"\tstart/auth/end times: %d / %d / %d\n",
 			krb5ticket->enc_part2->times.starttime,
 			krb5ticket->enc_part2->times.authtime,
 			krb5ticket->enc_part2->times.endtime);
@@ -1976,7 +1976,7 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 	if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
 
 #ifdef KSSL_DEBUG
-	printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
+	fprintf(stderr,"kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
 		start, atime, now, skew, ttimes->endtime);
 #endif	/* KSSL_DEBUG */
 
@@ -2027,10 +2027,10 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
         {
         unsigned int ui;
-	printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
+	fprintf(stderr,"kssl_check_authent: authenticator[%d]:\n",authentp->length);
 	p = authentp->data; 
-	for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
-	printf("\n");
+	for (ui=0; ui < authentp->length; ui++)  fprintf(stderr,"%02x ",p[ui]);
+	fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -2095,9 +2095,9 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
 	{
 	int padl;
-	printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
-	for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
-	printf("\n");
+	fprintf(stderr,"kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+	for (padl=0; padl < outl; padl++) fprintf(stderr,"%02x ",unenc_authent[padl]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -2132,10 +2132,10 @@ krb5_error_code  kssl_check_authent(
  		}
 
 #ifdef KSSL_DEBUG
-	printf("kssl_check_authent: returns %d for client time ", *atimep);
+	fprintf(stderr,"kssl_check_authent: returns %d for client time ", *atimep);
 	if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
-		printf("%.*s\n", auth->ctime->length, auth->ctime->data);
-	else	printf("NULL\n");
+		fprintf(stderr,"%.*s\n", auth->ctime->length, auth->ctime->data);
+	else	fprintf(stderr,"NULL\n");
 #endif	/* KSSL_DEBUG */
 
  err:
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 2b9fdb0..47cb93d 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1263,9 +1263,9 @@ int ssl3_get_server_certificate(SSL *s)
 	            ? 0 : 1;
 
 #ifdef KSSL_DEBUG
-	printf("pkey,x = %p, %p\n", pkey,x);
-	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
-	printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
+	fprintf(stderr,"pkey,x = %p, %p\n", pkey,x);
+	fprintf(stderr,"ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
+	fprintf(stderr,"cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
 		s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
 #endif    /* KSSL_DEBUG */
 
@@ -2537,7 +2537,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 			EVP_CIPHER_CTX_init(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
-			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+			fprintf(stderr,"ssl3_send_client_key_exchange(%lx & %lx)\n",
 				alg_k, SSL_kKRB5);
 #endif	/* KSSL_DEBUG */
 
@@ -2553,9 +2553,9 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    goto err;
 #ifdef KSSL_DEBUG
 			{
-			printf("kssl_cget_tkt rtn %d\n", krb5rc);
+			fprintf(stderr,"kssl_cget_tkt rtn %d\n", krb5rc);
 			if (krb5rc && kssl_err.text)
-			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+			  fprintf(stderr,"kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
 			}
 #endif	/* KSSL_DEBUG */
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 713de72..82fc5a8 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4114,17 +4114,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 
 #ifdef CIPHER_DEBUG
-	printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
+	fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
 	for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
 		{
 		c=sk_SSL_CIPHER_value(srvr,i);
-		printf("%p:%s\n",(void *)c,c->name);
+		fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 		}
-	printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
+	fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
 	for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
 	    {
 	    c=sk_SSL_CIPHER_value(clnt,i);
-	    printf("%p:%s\n",(void *)c,c->name);
+	    fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 	    }
 #endif
 
@@ -4166,7 +4166,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 			
 #ifdef KSSL_DEBUG
-/*		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
+/*		fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
 #endif    /* KSSL_DEBUG */
 
 		alg_k=c->algorithm_mkey;
@@ -4189,7 +4189,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & emask_k) && (alg_a & emask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
 			       (void *)c,c->name);
 #endif
 			}
@@ -4197,7 +4197,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & mask_k) && (alg_a & mask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
 			       c->name);
 #endif
 			}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 2290ed6..453d58b 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1183,14 +1183,15 @@ int ssl3_get_client_hello(SSL *s)
 		id=s->session->cipher->id;
 
 #ifdef CIPHER_DEBUG
-		printf("client sent %d ciphers\n",sk_num(ciphers));
+		fprintf(stderr,"client sent %d ciphers\n",sk_SSL_CIPHER_num(ciphers));
 #endif
 		for (i=0; iid == id)
 				{
@@ -2541,10 +2542,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_sget_tkt rtn %d [%d]\n",
+			fprintf(stderr,"kssl_sget_tkt rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
@@ -2558,10 +2559,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&authtime, &kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_check_authent rtn %d [%d]\n",
+			fprintf(stderr,"kssl_check_authent rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 0ad11dd..a6182dd 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -837,7 +837,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 			co_list[co_list_num].active = 0;
 			co_list_num++;
 #ifdef KSSL_DEBUG
-			printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
+			fprintf(stderr,"\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
 #endif	/* KSSL_DEBUG */
 			/*
 			if (!sk_push(ca_list,(char *)c)) goto err;
@@ -954,7 +954,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 	int reverse = 0;
 
 #ifdef CIPHER_DEBUG
-	printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
+	fprintf(stderr, "Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
 		rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
 #endif
 
@@ -1000,7 +1000,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 		else
 			{
 #ifdef CIPHER_DEBUG
-			printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
+			fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 			if (cipher_id && cipher_id != cp->id)
@@ -1023,7 +1023,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			}
 
 #ifdef CIPHER_DEBUG
-		printf("Action = %d\n", rule);
+		fprintf(stderr, "Action = %d\n", rule);
 #endif
 
 		/* add the cipher if it has not been added yet. */
@@ -1482,7 +1482,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	num_of_ciphers = ssl_method->num_ciphers();
 #ifdef KSSL_DEBUG
-	printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
+	fprintf(stderr,"ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
 #endif    /* KSSL_DEBUG */
 	co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
 	if (co_list == NULL)
@@ -1609,7 +1609,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 			{
 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
-			printf("<%s>\n",curr->cipher->name);
+			fprintf(stderr, "<%s>\n",curr->cipher->name);
 #endif
 			}
 		}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8c269c4..d56459f 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2277,7 +2277,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	
 
 #ifdef CIPHER_DEBUG
-	printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+	fprintf(stderr,"rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
 	        rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
 		rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 7974762..8332467 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -302,15 +302,15 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
 		 s->session->master_key,s->session->master_key_length,
 		 km,tmp,num);
 #ifdef KSSL_DEBUG
-	printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
+	fprintf(stderr,"tls1_generate_key_block() ==> %d byte master_key =\n\t",
                 s->session->master_key_length);
 	{
         int i;
         for (i=0; i < s->session->master_key_length; i++)
                 {
-                printf("%02X", s->session->master_key[i]);
+                fprintf(stderr,"%02X", s->session->master_key[i]);
                 }
-        printf("\n");  }
+        fprintf(stderr,"\n");  }
 #endif    /* KSSL_DEBUG */
 	return ret;
 	}
@@ -348,19 +348,19 @@ int tls1_change_cipher_state(SSL *s, int which)
 #endif
 
 #ifdef KSSL_DEBUG
-	printf("tls1_change_cipher_state(which= %d) w/\n", which);
-	printf("\talg= %ld/%ld, comp= %p\n",
+	fprintf(stderr,"tls1_change_cipher_state(which= %d) w/\n", which);
+	fprintf(stderr,"\talg= %ld/%ld, comp= %p\n",
 	       s->s3->tmp.new_cipher->algorithm_mkey,
 	       s->s3->tmp.new_cipher->algorithm_auth,
 	       comp);
-	printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
-	printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
+	fprintf(stderr,"\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
+	fprintf(stderr,"\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
                 c->nid,c->block_size,c->key_len,c->iv_len);
-	printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
+	fprintf(stderr,"\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
 	{
         int i;
         for (i=0; is3->tmp.key_block_length; i++)
-		printf("%02x", s->s3->tmp.key_block[i]);  printf("\n");
+		fprintf(stderr,"%02x", s->s3->tmp.key_block[i]);  fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -539,11 +539,11 @@ printf("which = %04X\nmac key=",which);
 #ifdef KSSL_DEBUG
 	{
         int i;
-	printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
-	printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]);
-	printf("\n");
-	printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]);
-	printf("\n");
+	fprintf(stderr,"EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
+	fprintf(stderr,"\tkey= "); for (i=0; ikey_len; i++) fprintf(stderr,"%02x", key[i]);
+	fprintf(stderr,"\n");
+	fprintf(stderr,"\t iv= "); for (i=0; iiv_len; i++) fprintf(stderr,"%02x", iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -614,7 +614,7 @@ int tls1_setup_key_block(SSL *s)
 	int ret=0;
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_setup_key_block()\n");
+	fprintf(stderr,"tls1_setup_key_block()\n");
 #endif	/* KSSL_DEBUG */
 
 	if (s->s3->tmp.key_block_length != 0)
@@ -763,7 +763,7 @@ int tls1_enc(SSL *s, int send)
 		}
 
 #ifdef KSSL_DEBUG
-	printf("tls1_enc(%d)\n", send);
+	fprintf(stderr,"tls1_enc(%d)\n", send);
 #endif    /* KSSL_DEBUG */
 
 	if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
@@ -835,18 +835,18 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long ui;
-		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
+		fprintf(stderr,"EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
 			ds,rec->data,rec->input,l);
-		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+		fprintf(stderr,"\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
 			ds->buf_len, ds->cipher->key_len,
 			DES_KEY_SZ, DES_SCHEDULE_SZ,
 			ds->cipher->iv_len);
-		printf("\t\tIV: ");
-		for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]);
-		printf("\n");
-		printf("\trec->input=");
-		for (ui=0; uiinput[ui]);
-		printf("\n");
+		fprintf(stderr,"\t\tIV: ");
+		for (i=0; icipher->iv_len; i++) fprintf(stderr,"%02X", ds->iv[i]);
+		fprintf(stderr,"\n");
+		fprintf(stderr,"\trec->input=");
+		for (ui=0; uiinput[ui]);
+		fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -871,9 +871,9 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long i;
-		printf("\trec->data=");
+		fprintf(stderr,"\trec->data=");
 		for (i=0; idata[i]);  printf("\n");
+			fprintf(stderr," %02x", rec->data[i]);  fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -1071,14 +1071,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	if (!stream_mac)
 		EVP_MD_CTX_cleanup(&hmac);
 #ifdef TLS_DEBUG
-printf("sec=");
-{unsigned int z; for (z=0; zdata[z]); fprintf(stderr,"\n"); }
 #endif
 
 	if (!SSL_IS_DTLS(ssl))
@@ -1091,7 +1087,7 @@ printf("rec=");
 		}
 
 #ifdef TLS_DEBUG
-{unsigned int z; for (z=0; z

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  b3147fcbe6c4bb750c51edd28c18bd2187d5e939 (commit)
       via  feefb73ad9e5dc3f98ecdf2f1b4eee035567a185 (commit)
       via  8932b82f7d20159ca6264e811e0b67dadb26c969 (commit)
       via  a4a759acecac67d7c41fa47e724f634c709ea65c (commit)
       via  6e5a5545337c339242253b59bf079cd2d61270fd (commit)
       via  2164a17a7d85ab7953a18b1e50bc7d1e3c814b4e (commit)
      from  dc1e4938083e7c50b27a96412db9dd834737cb8b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b3147fcbe6c4bb750c51edd28c18bd2187d5e939
Author: Richard Levitte 
Date:   Tue Dec 16 11:04:53 2014 +0100

    Clear warnings/errors within RL_DEBUG code sections (RL_DEBUG should be renamed)
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit 8bc8450a26329e3c890df60026f969e7caabff3d)

commit feefb73ad9e5dc3f98ecdf2f1b4eee035567a185
Author: Richard Levitte 
Date:   Tue Dec 16 11:04:19 2014 +0100

    Clear warnings/errors within TLS_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit bf68456f538cacc9dcfd00986962aef0e8538289)

commit 8932b82f7d20159ca6264e811e0b67dadb26c969
Author: Richard Levitte 
Date:   Tue Dec 16 04:13:41 2014 +0100

    Clear warnings/errors within KSSL_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit 53332a75d16a5bb3b9d90c15fcf38d2e87160a52)

commit a4a759acecac67d7c41fa47e724f634c709ea65c
Author: Richard Levitte 
Date:   Tue Dec 16 02:54:50 2014 +0100

    Clear warnings/errors within CIPHER_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit cd387d21daa939862e081f00be0a98dbc5a85351)

commit 6e5a5545337c339242253b59bf079cd2d61270fd
Author: Richard Levitte 
Date:   Tue Dec 16 02:54:03 2014 +0100

    Clear warnings/errors within CIPHER_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit 0c403e80a9952c83a38eab3c8a4ce42e17a2cee0)

commit 2164a17a7d85ab7953a18b1e50bc7d1e3c814b4e
Author: Richard Levitte 
Date:   Tue Dec 16 01:38:39 2014 +0100

    Clear warnings/errors within BN_CTX_DEBUG code sections
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit 553affbef7bb5dd313514e06dab5cd9b1de1835f)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c           |    2 +-
 crypto/bn/bn_ctx.c  |    2 +-
 crypto/evp/e_des3.c |   22 +++++++++-------
 ssl/kssl.c          |   72 +++++++++++++++++++++++++--------------------------
 ssl/s3_clnt.c       |   12 ++++-----
 ssl/s3_lib.c        |   14 +++++-----
 ssl/s3_srvr.c       |   15 ++++++-----
 ssl/ssl_ciph.c      |   12 ++++-----
 ssl/ssl_lib.c       |    2 +-
 ssl/t1_enc.c        |   70 ++++++++++++++++++++++++-------------------------
 10 files changed, 113 insertions(+), 110 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 9c25026..613f5be 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -703,7 +703,7 @@ bad:
 		ERR_clear_error();
 #ifdef RL_DEBUG
 	if (!p)
-		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
 #endif
 #ifdef RL_DEBUG
 	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 3f2256f..90aa3ae 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -158,7 +158,7 @@ static void ctxdbg(BN_CTX *ctx)
 	unsigned int bnidx = 0, fpidx = 0;
 	BN_POOL_ITEM *item = ctx->pool.head;
 	BN_STACK *stack = &ctx->stack;
-	fprintf(stderr,"(%08x): ", (unsigned int)ctx);
+	fprintf(stderr,"(%16p): ", ctx);
 	while(bnidx < ctx->used)
 		{
 		fprintf(stderr,"%03x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax);
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index 8d7b7de..7e1e8b3 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -124,12 +124,11 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        char *cp;
-	printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
-	printf("\t iv= ");
+	fprintf(stderr,"des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx, ctx->buf_len);
+	fprintf(stderr,"\t iv= ");
         for(i=0;i<8;i++)
-                printf("%02X",ctx->iv[i]);
-	printf("\n");
+                fprintf(stderr,"%02X",ctx->iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif    /* KSSL_DEBUG */
 	while (inl>=EVP_MAXCHUNK)
@@ -260,11 +259,14 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 #ifdef KSSL_DEBUG
 	{
         int i;
-        printf("des_ede3_init_key(ctx=%lx)\n", ctx);
-	printf("\tKEY= ");
-        for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
-	printf("\t IV= ");
-        for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
+        fprintf(stderr,"des_ede3_init_key(ctx=%p)\n", ctx);
+	fprintf(stderr,"\tKEY= ");
+        for(i=0;i<24;i++) fprintf(stderr,"%02X",key[i]); fprintf(stderr,"\n");
+	if (iv) 
+		{
+		fprintf(stderr,"\t IV= ");
+		for(i=0;i<8;i++) fprintf(stderr,"%02X",iv[i]); fprintf(stderr,"\n");
+		}
 	}
 #endif	/* KSSL_DEBUG */
 
diff --git a/ssl/kssl.c b/ssl/kssl.c
index fd7c67b..950a0c5 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -954,15 +954,15 @@ print_krb5_data(char *label, krb5_data *kdata)
         {
 	int i;
 
-	printf("%s[%d] ", label, kdata->length);
+	fprintf(stderr,"%s[%d] ", label, kdata->length);
 	for (i=0; i < (int)kdata->length; i++)
                 {
 		if (0 &&  isprint((int) kdata->data[i]))
-                        printf(	"%c ",  kdata->data[i]);
+                        fprintf(stderr,	"%c ",  kdata->data[i]);
 		else
-                        printf(	"%02x ", (unsigned char) kdata->data[i]);
+                        fprintf(stderr,	"%02x ", (unsigned char) kdata->data[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
         }
 
 
@@ -973,20 +973,20 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
         {
 	if (adata == NULL)
                 {
-		printf("%s, authdata==0\n", label);
+		fprintf(stderr,"%s, authdata==0\n", label);
 		return;
 		}
-	printf("%s [%p]\n", label, (void *)adata);
+	fprintf(stderr,"%s [%p]\n", label, (void *)adata);
 #if 0
 	{
         int 	i;
-	printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+	fprintf(stderr,"%s[at%d:%d] ", label, adata->ad_type, adata->length);
 	for (i=0; i < adata->length; i++)
                 {
-                printf((isprint(adata->contents[i]))? "%c ": "%02x",
+                fprintf(stderr,(isprint(adata->contents[i]))? "%c ": "%02x",
                         adata->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 	}
 #endif
 	}
@@ -1001,24 +1001,24 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 	if (keyblk == NULL)
                 {
-		printf("%s, keyblk==0\n", label);
+		fprintf(stderr,"%s, keyblk==0\n", label);
 		return;
 		}
 #ifdef KRB5_HEIMDAL
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->keytype,
 					   keyblk->keyvalue->length);
 	for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
-		printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
+		fprintf(stderr,"%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #else
-	printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
+	fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
 	for (i=0; i < (int)keyblk->length; i++)
                 {
-		printf("%02x",keyblk->contents[i]);
+		fprintf(stderr,"%02x",keyblk->contents[i]);
 		}
-	printf("\n");
+	fprintf(stderr,"\n");
 #endif
         }
 
@@ -1031,17 +1031,17 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         {
 	int i, ui, uj;
 
-	printf("%s principal Realm: ", label);
+	fprintf(stderr,"%s principal Realm: ", label);
 	if (princ == NULL)  return;
 	for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
-	printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
+	fprintf(stderr," (nametype %d) has %d strings:\n", princ->type,princ->length);
 	for (i=0; i < (int)princ->length; i++)
                 {
-		printf("\t%d [%d]: ", i, princ->data[i].length);
+		fprintf(stderr,"\t%d [%d]: ", i, princ->data[i].length);
 		for (uj=0; uj < (int)princ->data[i].length; uj++)  {
 			putchar(princ->data[i].data[uj]);
 			}
-		printf("\n");
+		fprintf(stderr,"\n");
 		}
 	return;
         }
@@ -1332,7 +1332,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		}
 
 #ifdef KSSL_DEBUG
-	printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
+	fprintf(stderr,"in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
 #endif	/* KSSL_DEBUG */
 
 	if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
@@ -1481,18 +1481,18 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 #ifdef KSSL_DEBUG
 		{
 		int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
-		printf("Decrypted ticket fields:\n");
-		printf("\tflags: %X, transit-type: %X",
+		fprintf(stderr,"Decrypted ticket fields:\n");
+		fprintf(stderr,"\tflags: %X, transit-type: %X",
 			krb5ticket->enc_part2->flags,
 			krb5ticket->enc_part2->transited.tr_type);
 		print_krb5_data("\ttransit-data: ",
 			&(krb5ticket->enc_part2->transited.tr_contents));
-		printf("\tcaddrs: %p, authdata: %p\n",
+		fprintf(stderr,"\tcaddrs: %p, authdata: %p\n",
 			krb5ticket->enc_part2->caddrs,
 			krb5ticket->enc_part2->authorization_data);
 		if (paddr)
 			{
-			printf("\tcaddrs:\n");
+			fprintf(stderr,"\tcaddrs:\n");
 			for (i=0; paddr[i] != NULL; i++)
 				{
 				krb5_data d;
@@ -1501,7 +1501,7 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 				print_krb5_data("\t\tIP: ", &d);
 				}
 			}
-		printf("\tstart/auth/end times: %d / %d / %d\n",
+		fprintf(stderr,"\tstart/auth/end times: %d / %d / %d\n",
 			krb5ticket->enc_part2->times.starttime,
 			krb5ticket->enc_part2->times.authtime,
 			krb5ticket->enc_part2->times.endtime);
@@ -1976,7 +1976,7 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 	if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
 
 #ifdef KSSL_DEBUG
-	printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
+	fprintf(stderr,"kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
 		start, atime, now, skew, ttimes->endtime);
 #endif	/* KSSL_DEBUG */
 
@@ -2027,10 +2027,10 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
         {
         unsigned int ui;
-	printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
+	fprintf(stderr,"kssl_check_authent: authenticator[%d]:\n",authentp->length);
 	p = authentp->data; 
-	for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
-	printf("\n");
+	for (ui=0; ui < authentp->length; ui++)  fprintf(stderr,"%02x ",p[ui]);
+	fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -2095,9 +2095,9 @@ krb5_error_code  kssl_check_authent(
 #ifdef KSSL_DEBUG
 	{
 	int padl;
-	printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
-	for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
-	printf("\n");
+	fprintf(stderr,"kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+	for (padl=0; padl < outl; padl++) fprintf(stderr,"%02x ",unenc_authent[padl]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -2132,10 +2132,10 @@ krb5_error_code  kssl_check_authent(
  		}
 
 #ifdef KSSL_DEBUG
-	printf("kssl_check_authent: returns %d for client time ", *atimep);
+	fprintf(stderr,"kssl_check_authent: returns %d for client time ", *atimep);
 	if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
-		printf("%.*s\n", auth->ctime->length, auth->ctime->data);
-	else	printf("NULL\n");
+		fprintf(stderr,"%.*s\n", auth->ctime->length, auth->ctime->data);
+	else	fprintf(stderr,"NULL\n");
 #endif	/* KSSL_DEBUG */
 
  err:
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f10e1aa..7a95d5a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1185,9 +1185,9 @@ int ssl3_get_server_certificate(SSL *s)
 	            ? 0 : 1;
 
 #ifdef KSSL_DEBUG
-	printf("pkey,x = %p, %p\n", pkey,x);
-	printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
-	printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
+	fprintf(stderr,"pkey,x = %p, %p\n", pkey,x);
+	fprintf(stderr,"ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
+	fprintf(stderr,"cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
 		s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
 #endif    /* KSSL_DEBUG */
 
@@ -2433,7 +2433,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 			EVP_CIPHER_CTX_init(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
-			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+			fprintf(stderr,"ssl3_send_client_key_exchange(%lx & %lx)\n",
 				alg_k, SSL_kKRB5);
 #endif	/* KSSL_DEBUG */
 
@@ -2449,9 +2449,9 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    goto err;
 #ifdef KSSL_DEBUG
 			{
-			printf("kssl_cget_tkt rtn %d\n", krb5rc);
+			fprintf(stderr,"kssl_cget_tkt rtn %d\n", krb5rc);
 			if (krb5rc && kssl_err.text)
-			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+			  fprintf(stderr,"kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
 			}
 #endif	/* KSSL_DEBUG */
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 73852fb..e7cbef4 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3810,17 +3810,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 
 #ifdef CIPHER_DEBUG
-	printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
+	fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr);
 	for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
 		{
 		c=sk_SSL_CIPHER_value(srvr,i);
-		printf("%p:%s\n",(void *)c,c->name);
+		fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 		}
-	printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
+	fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt);
 	for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
 	    {
 	    c=sk_SSL_CIPHER_value(clnt,i);
-	    printf("%p:%s\n",(void *)c,c->name);
+	    fprintf(stderr, "%p:%s\n",(void *)c,c->name);
 	    }
 #endif
 
@@ -3860,7 +3860,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif
 
 #ifdef KSSL_DEBUG
-/*		printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
+/*		fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
 #endif    /* KSSL_DEBUG */
 
 		alg_k=c->algorithm_mkey;
@@ -3883,7 +3883,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & emask_k) && (alg_a & emask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
 			       (void *)c,c->name);
 #endif
 			}
@@ -3891,7 +3891,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 			{
 			ok = (alg_k & mask_k) && (alg_a & mask_a);
 #ifdef CIPHER_DEBUG
-			printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
+			fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c,
 			       c->name);
 #endif
 			}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b5b3ecb..ac2cc3d 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1156,14 +1156,15 @@ int ssl3_get_client_hello(SSL *s)
 		id=s->session->cipher->id;
 
 #ifdef CIPHER_DEBUG
-		printf("client sent %d ciphers\n",sk_num(ciphers));
+		fprintf(stderr,"client sent %d ciphers\n",sk_SSL_CIPHER_num(ciphers));
 #endif
 		for (i=0; iid == id)
 				{
@@ -2484,10 +2485,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_sget_tkt rtn %d [%d]\n",
+			fprintf(stderr,"kssl_sget_tkt rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
@@ -2501,10 +2502,10 @@ int ssl3_get_client_key_exchange(SSL *s)
 					&authtime, &kssl_err)) != 0)
 			{
 #ifdef KSSL_DEBUG
-			printf("kssl_check_authent rtn %d [%d]\n",
+			fprintf(stderr,"kssl_check_authent rtn %d [%d]\n",
 				krb5rc, kssl_err.reason);
 			if (kssl_err.text)
-				printf("kssl_err text= %s\n", kssl_err.text);
+				fprintf(stderr,"kssl_err text= %s\n", kssl_err.text);
 #endif	/* KSSL_DEBUG */
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				kssl_err.reason);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 8188ff5..b767361 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -814,7 +814,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 			co_list[co_list_num].active = 0;
 			co_list_num++;
 #ifdef KSSL_DEBUG
-			printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
+			fprintf(stderr,"\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
 #endif	/* KSSL_DEBUG */
 			/*
 			if (!sk_push(ca_list,(char *)c)) goto err;
@@ -931,7 +931,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 	int reverse = 0;
 
 #ifdef CIPHER_DEBUG
-	printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
+	fprintf(stderr, "Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
 		rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
 #endif
 
@@ -977,7 +977,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 		else
 			{
 #ifdef CIPHER_DEBUG
-			printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
+			fprintf(stderr, "\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
 
 			if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
@@ -997,7 +997,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			}
 
 #ifdef CIPHER_DEBUG
-		printf("Action = %d\n", rule);
+		fprintf(stderr, "Action = %d\n", rule);
 #endif
 
 		/* add the cipher if it has not been added yet. */
@@ -1386,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	num_of_ciphers = ssl_method->num_ciphers();
 #ifdef KSSL_DEBUG
-	printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
+	fprintf(stderr,"ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
 #endif    /* KSSL_DEBUG */
 	co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
 	if (co_list == NULL)
@@ -1513,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 			{
 			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
-			printf("<%s>\n",curr->cipher->name);
+			fprintf(stderr, "<%s>\n",curr->cipher->name);
 #endif
 			}
 		}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 81f976a..2fab2f1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2094,7 +2094,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	
 
 #ifdef CIPHER_DEBUG
-	printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+	fprintf(stderr,"rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
 	        rsa_tmp,rsa_tmp_export,dh_tmp,have_ecdh_tmp,
 		rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 1923cf3..1308c03 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -303,15 +303,15 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
 		 s->session->master_key,s->session->master_key_length,
 		 km,tmp,num);
 #ifdef KSSL_DEBUG
-	printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
+	fprintf(stderr,"tls1_generate_key_block() ==> %d byte master_key =\n\t",
                 s->session->master_key_length);
 	{
         int i;
         for (i=0; i < s->session->master_key_length; i++)
                 {
-                printf("%02X", s->session->master_key[i]);
+                fprintf(stderr,"%02X", s->session->master_key[i]);
                 }
-        printf("\n");  }
+        fprintf(stderr,"\n");  }
 #endif    /* KSSL_DEBUG */
 	return ret;
 	}
@@ -349,19 +349,19 @@ int tls1_change_cipher_state(SSL *s, int which)
 #endif
 
 #ifdef KSSL_DEBUG
-	printf("tls1_change_cipher_state(which= %d) w/\n", which);
-	printf("\talg= %ld/%ld, comp= %p\n",
+	fprintf(stderr,"tls1_change_cipher_state(which= %d) w/\n", which);
+	fprintf(stderr,"\talg= %ld/%ld, comp= %p\n",
 	       s->s3->tmp.new_cipher->algorithm_mkey,
 	       s->s3->tmp.new_cipher->algorithm_auth,
 	       comp);
-	printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
-	printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
+	fprintf(stderr,"\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
+	fprintf(stderr,"\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
                 c->nid,c->block_size,c->key_len,c->iv_len);
-	printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
+	fprintf(stderr,"\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
 	{
         int i;
         for (i=0; is3->tmp.key_block_length; i++)
-		printf("%02x", s->s3->tmp.key_block[i]);  printf("\n");
+		fprintf(stderr,"%02x", s->s3->tmp.key_block[i]);  fprintf(stderr,"\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -540,11 +540,11 @@ printf("which = %04X\nmac key=",which);
 #ifdef KSSL_DEBUG
 	{
         int i;
-	printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
-	printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]);
-	printf("\n");
-	printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]);
-	printf("\n");
+	fprintf(stderr,"EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
+	fprintf(stderr,"\tkey= "); for (i=0; ikey_len; i++) fprintf(stderr,"%02x", key[i]);
+	fprintf(stderr,"\n");
+	fprintf(stderr,"\t iv= "); for (i=0; iiv_len; i++) fprintf(stderr,"%02x", iv[i]);
+	fprintf(stderr,"\n");
 	}
 #endif	/* KSSL_DEBUG */
 
@@ -591,7 +591,7 @@ int tls1_setup_key_block(SSL *s)
 	int ret=0;
 
 #ifdef KSSL_DEBUG
-	printf ("tls1_setup_key_block()\n");
+	fprintf(stderr,"tls1_setup_key_block()\n");
 #endif	/* KSSL_DEBUG */
 
 	if (s->s3->tmp.key_block_length != 0)
@@ -740,7 +740,7 @@ int tls1_enc(SSL *s, int send)
 		}
 
 #ifdef KSSL_DEBUG
-	printf("tls1_enc(%d)\n", send);
+	fprintf(stderr,"tls1_enc(%d)\n", send);
 #endif    /* KSSL_DEBUG */
 
 	if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
@@ -812,18 +812,18 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long ui;
-		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
+		fprintf(stderr,"EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
 			ds,rec->data,rec->input,l);
-		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+		fprintf(stderr,"\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n",
 			ds->buf_len, ds->cipher->key_len,
 			DES_KEY_SZ, DES_SCHEDULE_SZ,
 			ds->cipher->iv_len);
-		printf("\t\tIV: ");
-		for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]);
-		printf("\n");
-		printf("\trec->input=");
-		for (ui=0; uiinput[ui]);
-		printf("\n");
+		fprintf(stderr,"\t\tIV: ");
+		for (i=0; icipher->iv_len; i++) fprintf(stderr,"%02X", ds->iv[i]);
+		fprintf(stderr,"\n");
+		fprintf(stderr,"\trec->input=");
+		for (ui=0; uiinput[ui]);
+		fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -848,9 +848,9 @@ int tls1_enc(SSL *s, int send)
 #ifdef KSSL_DEBUG
 		{
 		unsigned long i;
-		printf("\trec->data=");
+		fprintf(stderr,"\trec->data=");
 		for (i=0; idata[i]);  printf("\n");
+			fprintf(stderr," %02x", rec->data[i]);  fprintf(stderr,"\n");
 		}
 #endif	/* KSSL_DEBUG */
 
@@ -1048,10 +1048,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	if (!stream_mac)
 		EVP_MD_CTX_cleanup(&hmac);
 #ifdef TLS_DEBUG
-printf("seq=");
-{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
-printf("rec=");
-{unsigned int z; for (z=0; zlength; z++) printf("%02X ",rec->data[z]); printf("\n"); }
+fprintf(stderr,"seq=");
+{int z; for (z=0; z<8; z++) fprintf(stderr,"%02X ",seq[z]); fprintf(stderr,"\n"); }
+fprintf(stderr,"rec=");
+{unsigned int z; for (z=0; zlength; z++) fprintf(stderr,"%02X ",rec->data[z]); fprintf(stderr,"\n"); }
 #endif
 
 	if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER)
@@ -1064,7 +1064,7 @@ printf("rec=");
 		}
 
 #ifdef TLS_DEBUG
-{unsigned int z; for (z=0; z

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  7e9d42ce9783a0070cabda81744ebe87a63c1c65 (commit)
      from  b3147fcbe6c4bb750c51edd28c18bd2187d5e939 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7e9d42ce9783a0070cabda81744ebe87a63c1c65
Author: Emilia Kasper 
Date:   Mon Dec 15 16:37:13 2014 +0100

    Build fixes
    
    Various build fixes, mostly uncovered by clang's unused-const-variable
    and unused-function errors.
    
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit 0e1c318ece3c82e96ae95a34a1badf58198d6b28)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_lib.c       |    2 +-
 crypto/ec/ecp_nistp256.c |    1 -
 crypto/ec/ectest.c       |    4 ++--
 crypto/engine/eng_dyn.c  |    3 ---
 engines/e_padlock.c      |    2 ++
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index e2c4741..0992c39 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -68,7 +68,7 @@
 
 #include "ec_lcl.h"
 
-static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
 
 
 /* functions for EC_GROUP objects */
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 4bc0f5d..b884f73 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -113,7 +113,6 @@ typedef u64 smallfelem[NLIMBS];
 
 /* This is the value of the prime as four 64-bit words, little-endian. */
 static const u64 kPrime[4] = { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul };
-static const limb bottom32bits = 0xffffffff;
 static const u64 bottom63bits = 0x7ffffffffffffffful;
 
 /* bin32_to_felem takes a little-endian byte array and converts it into felem
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index d1bf980..8e4154d 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -1366,7 +1366,7 @@ static const struct nistp_test_params nistp_tests_params[] =
 		},
 	};
 
-void nistp_single_test(const struct nistp_test_params *test)
+static void nistp_single_test(const struct nistp_test_params *test)
 	{
 	BN_CTX *ctx;
 	BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
@@ -1469,7 +1469,7 @@ void nistp_single_test(const struct nistp_test_params *test)
 	BN_CTX_free(ctx);
 	}
 
-void nistp_tests()
+static void nistp_tests()
 	{
 	unsigned i;
 
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 807da7a..01db455 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -114,9 +114,6 @@ static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
 		ENGINE_CMD_FLAG_NO_INPUT},
 	{0, NULL, NULL, 0}
 	};
-static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
-	{0, NULL, NULL, 0}
-	};
 
 /* Loading code stores state inside the ENGINE structure via the "ex_data"
  * element. We load all our state into a single structure and use that as a
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 9f7a85a..5d252f6 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -384,6 +384,7 @@ padlock_available(void)
 }
 
 #ifndef OPENSSL_NO_AES
+#ifndef AES_ASM
 /* Our own htonl()/ntohl() */
 static inline void
 padlock_bswapl(AES_KEY *ks)
@@ -397,6 +398,7 @@ padlock_bswapl(AES_KEY *ks)
 	}
 }
 #endif
+#endif
 
 /* Force key reload from memory to the CPU microcode.
    Loading EFLAGS from the stack clears EFLAGS[30] 


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:34:10 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:34:10 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-118-g0e1c318
Message-ID: <20141217133411.090AC1DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  0e1c318ece3c82e96ae95a34a1badf58198d6b28 (commit)
      from  8bc8450a26329e3c890df60026f969e7caabff3d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0e1c318ece3c82e96ae95a34a1badf58198d6b28
Author: Emilia Kasper 
Date:   Mon Dec 15 16:37:13 2014 +0100

    Build fixes
    
    Various build fixes, mostly uncovered by clang's unused-const-variable
    and unused-function errors.
    
    Reviewed-by: Kurt Roeckx 

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_lib.c       |    2 +-
 crypto/ec/ecp_nistp256.c |    1 -
 crypto/ec/ectest.c       |    4 ++--
 crypto/engine/eng_dyn.c  |    3 ---
 engines/e_padlock.c      |    2 ++
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 3799030..298a105 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -68,7 +68,7 @@
 
 #include "ec_lcl.h"
 
-static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
 
 
 /* functions for EC_GROUP objects */
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 4bc0f5d..b884f73 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -113,7 +113,6 @@ typedef u64 smallfelem[NLIMBS];
 
 /* This is the value of the prime as four 64-bit words, little-endian. */
 static const u64 kPrime[4] = { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul };
-static const limb bottom32bits = 0xffffffff;
 static const u64 bottom63bits = 0x7ffffffffffffffful;
 
 /* bin32_to_felem takes a little-endian byte array and converts it into felem
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index d1bf980..8e4154d 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -1366,7 +1366,7 @@ static const struct nistp_test_params nistp_tests_params[] =
 		},
 	};
 
-void nistp_single_test(const struct nistp_test_params *test)
+static void nistp_single_test(const struct nistp_test_params *test)
 	{
 	BN_CTX *ctx;
 	BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
@@ -1469,7 +1469,7 @@ void nistp_single_test(const struct nistp_test_params *test)
 	BN_CTX_free(ctx);
 	}
 
-void nistp_tests()
+static void nistp_tests()
 	{
 	unsigned i;
 
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 807da7a..01db455 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -114,9 +114,6 @@ static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
 		ENGINE_CMD_FLAG_NO_INPUT},
 	{0, NULL, NULL, 0}
 	};
-static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
-	{0, NULL, NULL, 0}
-	};
 
 /* Loading code stores state inside the ENGINE structure via the "ex_data"
  * element. We load all our state into a single structure and use that as a
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 9f7a85a..5d252f6 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -384,6 +384,7 @@ padlock_available(void)
 }
 
 #ifndef OPENSSL_NO_AES
+#ifndef AES_ASM
 /* Our own htonl()/ntohl() */
 static inline void
 padlock_bswapl(AES_KEY *ks)
@@ -397,6 +398,7 @@ padlock_bswapl(AES_KEY *ks)
 	}
 }
 #endif
+#endif
 
 /* Force key reload from memory to the CPU microcode.
    Loading EFLAGS from the stack clears EFLAGS[30] 


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:34:11 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:34:11 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. b597aab84e4258ffee2430113f0cac8900e0a499
Message-ID: <20141217133411.56D711DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  b597aab84e4258ffee2430113f0cac8900e0a499 (commit)
      from  4aecfd4d9f366c849c9627ab666d1b1addc024e6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b597aab84e4258ffee2430113f0cac8900e0a499
Author: Emilia Kasper 
Date:   Mon Dec 15 16:37:13 2014 +0100

    Build fixes
    
    Various build fixes, mostly uncovered by clang's unused-const-variable
    and unused-function errors.
    
    Reviewed-by: Kurt Roeckx 
    (cherry picked from commit 0e1c318ece3c82e96ae95a34a1badf58198d6b28)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_lib.c       |    2 +-
 crypto/ec/ecp_nistp256.c |    1 -
 crypto/ec/ectest.c       |    4 ++--
 crypto/engine/eng_dyn.c  |    3 ---
 4 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 8fb8b08..a553740 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -70,7 +70,7 @@
 
 #include "ec_lcl.h"
 
-static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
 
 
 /* functions for EC_GROUP objects */
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index aa125d3..2f9bb57 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -108,7 +108,6 @@ typedef u64 smallfelem[NLIMBS];
 
 /* This is the value of the prime as four 64-bit words, little-endian. */
 static const u64 kPrime[4] = { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul };
-static const limb bottom32bits = 0xffffffff;
 static const u64 bottom63bits = 0x7ffffffffffffffful;
 
 /* bin32_to_felem takes a little-endian byte array and converts it into felem
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index 22f7ea0..6da9279 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -1367,7 +1367,7 @@ static const struct nistp_test_params nistp_tests_params[] =
 		},
 	};
 
-void nistp_single_test(const struct nistp_test_params *test)
+static void nistp_single_test(const struct nistp_test_params *test)
 	{
 	BN_CTX *ctx;
 	BIGNUM *p, *a, *b, *x, *y, *n, *m, *order;
@@ -1470,7 +1470,7 @@ void nistp_single_test(const struct nistp_test_params *test)
 	BN_CTX_free(ctx);
 	}
 
-void nistp_tests()
+static void nistp_tests()
 	{
 	unsigned i;
 
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index 807da7a..01db455 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -114,9 +114,6 @@ static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
 		ENGINE_CMD_FLAG_NO_INPUT},
 	{0, NULL, NULL, 0}
 	};
-static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
-	{0, NULL, NULL, 0}
-	};
 
 /* Loading code stores state inside the ENGINE structure via the "ex_data"
  * element. We load all our state into a single structure and use that as a


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:58:55 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:58:55 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-50-gd8c8a71
Message-ID: <20141217135855.8A7501DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  d8c8a718a296d653b7f01a449e3adbcd8fb5a34b (commit)
      from  40c2812f5656b1c78fa18b14c264fd48421c2d24 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d8c8a718a296d653b7f01a449e3adbcd8fb5a34b
Author: Emilia Kasper 
Date:   Wed Dec 17 14:51:07 2014 +0100

    Revert "RT3425: constant-time evp_enc"
    
    Causes more problems than it fixes: even though error codes
    are not part of the stable API, several users rely on the
    specific error code, and the change breaks them. Conversely,
    we don't have any concrete use-cases for constant-time behaviour here.
    
    This reverts commit b55ff319f880adc874b8c95957adf2003117d42b.
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile  |    2 +-
 crypto/evp/evp_enc.c |   49 +++++++++++++++++++++----------------------------
 2 files changed, 22 insertions(+), 29 deletions(-)

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index 9613353..82825e5 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -340,7 +340,7 @@ evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_enc.o: ../constant_time_locl.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 426ac10..e95cbe1 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -64,7 +64,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include 
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
@@ -439,11 +438,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-	unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 
 	*outl=0;
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -462,34 +461,28 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
 			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
 			}
-
-		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
-		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		for (i=0; ifinal[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; ifinal[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:58:55 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:58:55 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_0_9_8-stable updated. OpenSSL_0_9_8zc-16-g1cb10d9
Message-ID: <20141217135855.511B01DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_0_9_8-stable has been updated
       via  1cb10d9c7d95e36fcc8ed0ade3eafda90e5e3172 (commit)
      from  62abc80540c4adf5b0d50ad604001a39024f5c21 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1cb10d9c7d95e36fcc8ed0ade3eafda90e5e3172
Author: Emilia Kasper 
Date:   Wed Dec 17 14:52:13 2014 +0100

    Revert "RT3425: constant-time evp_enc"
    
    Causes more problems than it fixes: even though error codes
    are not part of the stable API, several users rely on the
    specific error code, and the change breaks them. Conversely,
    we don't have any concrete use-cases for constant-time behaviour here.
    
    This reverts commit 1bb01b1b5f27a7de33e7a67946b8c001b54e09e9.
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile  |    3 +--
 crypto/evp/evp_enc.c |   49 +++++++++++++++++++++----------------------------
 2 files changed, 22 insertions(+), 30 deletions(-)

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index e5082b7..c204f84 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -385,8 +385,7 @@ evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-evp_enc.o: ../../include/openssl/x509_vfy.h ../constant_time_locl.h
-evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 2cbf992..30e0ca4 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -64,7 +64,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include 
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -302,11 +301,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-	unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 
 	*outl=0;
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -325,34 +324,28 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
 			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
 			}
-
-		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
-		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		for (i=0; ifinal[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; ifinal[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:58:55 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:58:55 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-81-g036df29
Message-ID: <20141217135855.CFA5E1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  036df29387e994d665259065e5c11c0e5b41f826 (commit)
       via  60b7d3bbb509e2be874824c8fa1a0fa2379ed5ff (commit)
      from  7e9d42ce9783a0070cabda81744ebe87a63c1c65 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 036df29387e994d665259065e5c11c0e5b41f826
Author: Emilia Kasper 
Date:   Wed Dec 17 12:25:28 2014 +0100

    Add a comment noting the padding oracle.
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit 03af843039af758fc9bbb4ae6c09ec2bc715f2c5)

commit 60b7d3bbb509e2be874824c8fa1a0fa2379ed5ff
Author: Emilia Kasper 
Date:   Wed Dec 17 14:49:28 2014 +0100

    Revert "RT3425: constant-time evp_enc"
    
    Causes more problems than it fixes: even though error codes
    are not part of the stable API, several users rely on the
    specific error code, and the change breaks them. Conversely,
    we don't have any concrete use-cases for constant-time behaviour here.
    
    This reverts commit f2df488a1c7402e48c21c83e937955dfe9f40bee.
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile  |    2 +-
 crypto/evp/evp_enc.c |   58 ++++++++++++++++++++++++--------------------------
 2 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index fa25bff..5d0c6b7 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -383,7 +383,7 @@ evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_enc.o: ../constant_time_locl.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 7b1842a..2e863ac 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -67,7 +67,6 @@
 #ifdef OPENSSL_FIPS
 #include 
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -501,21 +500,21 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-        unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 	*outl=0;
 
 	if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
 		{
-		int ret = M_do_cipher(ctx, out, NULL, 0);
-		if (ret < 0)
+		i = M_do_cipher(ctx, out, NULL, 0);
+		if (i < 0)
 			return 0;
 		else
-			*outl = ret;
+			*outl = i;
 		return 1;
 		}
 
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -534,34 +533,33 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
-			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
-			}
 
 		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
+		 * The following assumes that the ciphertext has been authenticated.
+		 * Otherwise it provides a padding oracle.
 		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
+			{
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
+			}
+		for (i=0; ifinal[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; ifinal[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:58:55 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:58:55 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-120-g9ca2cc7
Message-ID: <20141217135856.7CAD31DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  9ca2cc78a98297091f4e264e2378312ab906a93c (commit)
       via  0cf552230ee1508b903e8b76462ce4c648e68bc5 (commit)
      from  0e1c318ece3c82e96ae95a34a1badf58198d6b28 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9ca2cc78a98297091f4e264e2378312ab906a93c
Author: Emilia Kasper 
Date:   Wed Dec 17 12:25:28 2014 +0100

    Add a comment noting the padding oracle.
    
    Reviewed-by: Andy Polyakov 
    (cherry picked from commit 03af843039af758fc9bbb4ae6c09ec2bc715f2c5)

commit 0cf552230ee1508b903e8b76462ce4c648e68bc5
Author: Emilia Kasper 
Date:   Wed Dec 17 14:47:33 2014 +0100

    Revert "RT3425: constant-time evp_enc"
    
    Causes more problems than it fixes: even though error codes
    are not part of the stable API, several users rely on the
    specific error code, and the change breaks them. Conversely,
    we don't have any concrete use-cases for constant-time behaviour here.
    
    This reverts commit 738911cde68b2b3706e502cf8daf5b14738f2f42.
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile  |    2 +-
 crypto/evp/evp_enc.c |   58 ++++++++++++++++++++++++--------------------------
 2 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index cacfea9..30590d5 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -406,7 +406,7 @@ evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_enc.o: ../constant_time_locl.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index a5fada5..757c5ae 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -67,7 +67,6 @@
 #ifdef OPENSSL_FIPS
 #include 
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -517,21 +516,21 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-        unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 	*outl=0;
 
 	if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
 		{
-		int ret = M_do_cipher(ctx, out, NULL, 0);
-		if (ret < 0)
+		i = M_do_cipher(ctx, out, NULL, 0);
+		if (i < 0)
 			return 0;
 		else
-			*outl = ret;
+			*outl = i;
 		return 1;
 		}
 
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -550,34 +549,33 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
-			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
-			}
 
 		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
+		 * The following assumes that the ciphertext has been authenticated.
+		 * Otherwise it provides a padding oracle.
 		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
+			{
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
+			}
+		for (i=0; ifinal[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; ifinal[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)


hooks/post-receive
-- 
OpenSSL source code

From emilia at openssl.org  Wed Dec 17 13:58:56 2014
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 17 Dec 2014 14:58:56 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 03af843039af758fc9bbb4ae6c09ec2bc715f2c5
Message-ID: <20141217135856.B245F1DF120@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  03af843039af758fc9bbb4ae6c09ec2bc715f2c5 (commit)
       via  4ad2d3ac0ef338a064c6df3b5437d974def538ba (commit)
      from  b597aab84e4258ffee2430113f0cac8900e0a499 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 03af843039af758fc9bbb4ae6c09ec2bc715f2c5
Author: Emilia Kasper 
Date:   Wed Dec 17 12:25:28 2014 +0100

    Add a comment noting the padding oracle.
    
    Reviewed-by: Andy Polyakov 

commit 4ad2d3ac0ef338a064c6df3b5437d974def538ba
Author: Emilia Kasper 
Date:   Wed Dec 17 12:08:27 2014 +0100

    Revert "RT3425: constant-time evp_enc"
    
    Causes more problems than it fixes: even though error codes
    are not part of the stable API, several users rely on the
    specific error code, and the change breaks them. Conversely,
    we don't have any concrete use-cases for constant-time behaviour here.
    
    This reverts commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e.
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/Makefile  |    2 +-
 crypto/evp/evp_enc.c |   58 ++++++++++++++++++++++++--------------------------
 2 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
index 1062afc..fd5727d 100644
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -406,7 +406,7 @@ evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_enc.o: ../constant_time_locl.h ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 2f121ff..2b62bf6 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -64,7 +64,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include 
 #endif
-#include "constant_time_locl.h"
 #include "evp_locl.h"
 
 const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
@@ -492,21 +491,21 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-        unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 	*outl=0;
 
 	if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)
 		{
-		int ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
-		if (ret < 0)
+		i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
+		if (i < 0)
 			return 0;
 		else
-			*outl = ret;
+			*outl = i;
 		return 1;
 		}
 
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -525,34 +524,33 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
-			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
-			}
 
 		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
+		 * The following assumes that the ciphertext has been authenticated.
+		 * Otherwise it provides a padding oracle.
 		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
+			{
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
+			}
+		for (i=0; ifinal[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; ifinal[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)


hooks/post-receive
-- 
OpenSSL source code

From steve at openssl.org  Wed Dec 17 14:26:40 2014
From: steve at openssl.org (Dr. Stephen Henson)
Date: Wed, 17 Dec 2014 15:26:40 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 89f40f369f414b52e00f7230b0e3ce99e430a508
Message-ID: <20141217142641.0E56E1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  89f40f369f414b52e00f7230b0e3ce99e430a508 (commit)
      from  03af843039af758fc9bbb4ae6c09ec2bc715f2c5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 89f40f369f414b52e00f7230b0e3ce99e430a508
Author: Dr. Stephen Henson 
Date:   Tue Dec 16 23:13:19 2014 +0000

    Reject invalid constructed encodings.
    
    According to X6.90 null, object identifier, boolean, integer and enumerated
    types can only have primitive encodings: return an error if any of
    these are received with a constructed encoding.
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    4 ++--
 crypto/asn1/tasn_dec.c |    8 ++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 925fdba..ed1a28a 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1401,6 +1401,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE			 195
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index f09f49b..0217049 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2012 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -300,6 +300,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
@@ -310,7 +311,6 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
 {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_TAG)          ,"unknown tag"},
-{ERR_REASON(ASN1_R_UNKNOWN_FORMAT)       ,"unknown format"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 87d7dfd..2cbfa81 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		}
 	else if (cst)
 		{
+		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+			|| utype == V_ASN1_ENUMERATED)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_PRIMITIVE);
+			return 0;
+			}
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;


hooks/post-receive
-- 
OpenSSL source code

From steve at openssl.org  Wed Dec 17 14:39:16 2014
From: steve at openssl.org (Dr. Stephen Henson)
Date: Wed, 17 Dec 2014 15:39:16 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-121-gf5e4b6b
Message-ID: <20141217143916.DC1021DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  f5e4b6b5b566320a8d774f9475540f7d0e6a704d (commit)
      from  9ca2cc78a98297091f4e264e2378312ab906a93c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f5e4b6b5b566320a8d774f9475540f7d0e6a704d
Author: Dr. Stephen Henson 
Date:   Wed Dec 17 14:34:36 2014 +0000

    Reject invalid constructed encodings.
    
    According to X6.90 null, object identifier, boolean, integer and enumerated
    types can only have primitive encodings: return an error if any of
    these are received with a constructed encoding.
    Reviewed-by: Emilia K?sper 

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    3 ++-
 crypto/asn1/tasn_dec.c |    8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 1e59ee0..b57e2cd 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1380,6 +1380,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE			 218
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index aa60203..73686de 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -295,6 +295,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 87d7dfd..2cbfa81 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		}
 	else if (cst)
 		{
+		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+			|| utype == V_ASN1_ENUMERATED)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_PRIMITIVE);
+			return 0;
+			}
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;


hooks/post-receive
-- 
OpenSSL source code

From steve at openssl.org  Wed Dec 17 14:40:36 2014
From: steve at openssl.org (Dr. Stephen Henson)
Date: Wed, 17 Dec 2014 15:40:36 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-82-gfcd9b10
Message-ID: <20141217144036.5FD5A1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  fcd9b1073addc83890e60dd81d63e749ced01428 (commit)
      from  036df29387e994d665259065e5c11c0e5b41f826 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fcd9b1073addc83890e60dd81d63e749ced01428
Author: Dr. Stephen Henson 
Date:   Wed Dec 17 14:34:36 2014 +0000

    Reject invalid constructed encodings.
    
    According to X6.90 null, object identifier, boolean, integer and enumerated
    types can only have primitive encodings: return an error if any of
    these are received with a constructed encoding.
    Reviewed-by: Emilia K?sper 
    
    (cherry picked from commit f5e4b6b5b566320a8d774f9475540f7d0e6a704d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    3 ++-
 crypto/asn1/tasn_dec.c |    8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 220a0c8..89a2ad4 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1378,6 +1378,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE			 218
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index aa60203..73686de 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -295,6 +295,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 87d7dfd..2cbfa81 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		}
 	else if (cst)
 		{
+		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+			|| utype == V_ASN1_ENUMERATED)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_PRIMITIVE);
+			return 0;
+			}
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;


hooks/post-receive
-- 
OpenSSL source code

From Rajshree.LeSieur at Teradata.com  Wed Dec 17 16:04:32 2014
From: Rajshree.LeSieur at Teradata.com (LeSieur, Rajshree)
Date: Wed, 17 Dec 2014 16:04:32 +0000
Subject: [openssl-commits] unsubscribe from openssl-commits
Message-ID: <00DF22AB538DF54CB1728645B602500C1687310C@SUSHDC8002.TD.TERADATA.COM>

Hello,

I would like to unsubscribe from this mailing list.  My inbox is getting full fairly quickly and I am not able to get to the overwhelming amount of emails.

Thank,
Ra LeSieur



-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From crystal.b.moore.civ at mail.mil  Wed Dec 17 16:30:01 2014
From: crystal.b.moore.civ at mail.mil (Moore, Crystal B CIV DISA PEO-C2C (US))
Date: Wed, 17 Dec 2014 16:30:01 +0000
Subject: [openssl-commits] unsubscribe from openssl-commits
In-Reply-To: <00DF22AB538DF54CB1728645B602500C1687310C@SUSHDC8002.TD.TERADATA.COM>
References: <00DF22AB538DF54CB1728645B602500C1687310C@SUSHDC8002.TD.TERADATA.COM>
Message-ID: 

I would like to unsubscribe as well.

-----Original Message-----
From: openssl-commits [mailto:openssl-commits-bounces at openssl.org] On Behalf Of LeSieur, Rajshree
Sent: Wednesday, December 17, 2014 11:05 AM
To: openssl-commits at mta.opensslfoundation.net
Subject: [openssl-commits] unsubscribe from openssl-commits

Hello,

 

I would like to unsubscribe from this mailing list.  My inbox is getting full fairly quickly and I am not able to get to the overwhelming amount of emails.

 

Thank,

Ra LeSieur

 

 

 


From rsalz at openssl.org  Wed Dec 17 22:21:25 2014
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 17 Dec 2014 23:21:25 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 179f6b2f552adb2740f30634d75edc4448f516b5
Message-ID: <20141217222128.055D21DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  179f6b2f552adb2740f30634d75edc4448f516b5 (commit)
      from  89f40f369f414b52e00f7230b0e3ce99e430a508 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 179f6b2f552adb2740f30634d75edc4448f516b5
Author: Rich Salz 
Date:   Wed Dec 17 17:20:42 2014 -0500

    RT3544: Restore MWERKS for NetWare
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 crypto/rand/rand_nw.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/crypto/rand/rand_nw.c b/crypto/rand/rand_nw.c
index 9239a72..91158b8 100644
--- a/crypto/rand/rand_nw.c
+++ b/crypto/rand/rand_nw.c
@@ -154,7 +154,13 @@ int RAND_poll(void)
 
    for( i=2; i=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+#ifdef __MWERKS__
+      asm
+      {
+         rdtsc
+         mov tsc, eax
+      }
+#elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
       asm volatile("rdtsc":"=a"(tsc)::"edx");
 #endif
 


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Thu Dec 18 05:14:59 2014
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 18 Dec 2014 06:14:59 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 040b60f6fa50de325ecace8a6a06e02485942d94
Message-ID: <20141218051459.9CA101DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  040b60f6fa50de325ecace8a6a06e02485942d94 (commit)
       via  b317819b2e74f1f84925695596aa3c7487a2264d (commit)
      from  179f6b2f552adb2740f30634d75edc4448f516b5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 040b60f6fa50de325ecace8a6a06e02485942d94
Author: Rich Salz 
Date:   Thu Dec 18 00:13:46 2014 -0500

    Fix yet anoither 'make clean' breakage.
    
    Reviewed-by: Tim Hudson 

commit b317819b2e74f1f84925695596aa3c7487a2264d
Author: Rich Salz 
Date:   Wed Dec 17 17:24:51 2014 -0500

    RT3548: Remove some obsolete platforms
    
    This commit removes BEOS.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                  |    3 +
 apps/Makefile            |    2 +-
 apps/s_client.c          |   34 +-----
 apps/s_server.c          |   19 +---
 crypto/bio/b_sock.c      |    4 -
 crypto/dso/Makefile      |   12 +--
 crypto/dso/dso_beos.c    |  270 ----------------------------------------------
 crypto/dso/dso_openssl.c |    2 -
 crypto/rand/rand_egd.c   |    2 +-
 crypto/rand/rand_unix.c  |   19 +---
 crypto/thr_id.c          |    4 -
 crypto/threads/mttest.c  |   97 -----------------
 crypto/ui/ui_openssl.c   |    2 +-
 e_os.h                   |   19 +---
 e_os2.h                  |   11 --
 15 files changed, 15 insertions(+), 485 deletions(-)
 delete mode 100644 crypto/dso/dso_beos.c

diff --git a/CHANGES b/CHANGES
index a8b55bf..770ece4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,6 +17,9 @@
      done while fixing the error code for the key-too-small case.
      [Annie Yousar ]
 
+  *) Remove BEOS and BEOS_R5 code.
+     [Rich Salz]
+
   *) Experimental support for a new, fast, unbiased prime candidate generator,
      bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
      [Felix Laurie von Massenbach ]
diff --git a/apps/Makefile b/apps/Makefile
index a952a85..76fa21b 100644
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -140,7 +140,7 @@ dclean:
 
 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
-	rm -f req CA.pl
+	rm -f req
 
 $(DLIBSSL):
 	(cd ..; $(MAKE) DIRS=ssl all)
diff --git a/apps/s_client.c b/apps/s_client.c
index 1a30ef2..30ea743 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -174,10 +174,6 @@ typedef unsigned int u_int;
 #undef FIONBIO
 #endif
 
-#if defined(OPENSSL_SYS_BEOS_R5)
-#include 
-#endif
-
 #undef PROG
 #define PROG	s_client_main
 
@@ -629,11 +625,8 @@ int MAIN(int argc, char **argv)
 	ENGINE *ssl_client_engine=NULL;
 #endif
 	ENGINE *e=NULL;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
 	struct timeval tv;
-#if defined(OPENSSL_SYS_BEOS_R5)
-	int stdin_set = 0;
-#endif
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 	char *servername = NULL; 
@@ -1806,7 +1799,7 @@ SSL_set_tlsext_status_ids(con, ids);
 
 		if (!ssl_pending)
 			{
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
 			if (tty_on)
 				{
 				if (read_tty)  openssl_fdset(fileno(stdin),&readfds);
@@ -1866,25 +1859,6 @@ SSL_set_tlsext_status_ids(con, ids);
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					NULL,timeoutp);
 			}
-#elif defined(OPENSSL_SYS_BEOS_R5)
-			/* Under BeOS-R5 the situation is similar to DOS */
-			i=0;
-			stdin_set = 0;
-			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
-			if(!write_tty) {
-				if(read_tty) {
-					tv.tv_sec = 1;
-					tv.tv_usec = 0;
-					i=select(width,(void *)&readfds,(void *)&writefds,
-						 NULL,&tv);
-					if (read(fileno(stdin), sbuf, 0) >= 0)
-						stdin_set = 1;
-					if (!i && (stdin_set != 1 || !read_tty))
-						continue;
-				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
-					 NULL,timeoutp);
-			}
-			(void)fcntl(fileno(stdin), F_SETFL, 0);
 #else
 			i=select(width,(void *)&readfds,(void *)&writefds,
 				 NULL,timeoutp);
@@ -1971,7 +1945,7 @@ SSL_set_tlsext_status_ids(con, ids);
 				goto shut;
 				}
 			}
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
 		/* Assume Windows/DOS/BeOS can always write */
 		else if (!ssl_pending && write_tty)
 #else
@@ -2066,8 +2040,6 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 #endif
 #elif defined (OPENSSL_SYS_NETWARE)
 		else if (_kbhit())
-#elif defined(OPENSSL_SYS_BEOS_R5)
-		else if (stdin_set)
 #else
 		else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
diff --git a/apps/s_server.c b/apps/s_server.c
index 504d3d9..21f7e04 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -197,10 +197,6 @@ typedef unsigned int u_int;
 #undef FIONBIO
 #endif
 
-#if defined(OPENSSL_SYS_BEOS_R5)
-#include 
-#endif
-
 #ifndef OPENSSL_NO_RSA
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
@@ -2214,7 +2210,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
 	KSSL_CTX *kctx;
 #endif
 	struct timeval timeout;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
 	struct timeval tv;
 #else
 	struct timeval *timeoutp;
@@ -2368,7 +2364,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
 		if (!read_from_sslcon)
 			{
 			FD_ZERO(&readfds);
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
 			openssl_fdset(fileno(stdin),&readfds);
 #endif
 			openssl_fdset(s,&readfds);
@@ -2390,17 +2386,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
 			if((i < 0) || (!i && !_kbhit() ) )continue;
 			if(_kbhit())
 				read_from_terminal = 1;
-#elif defined(OPENSSL_SYS_BEOS_R5)
-			/* Under BeOS-R5 the situation is similar to DOS */
-			tv.tv_sec = 1;
-			tv.tv_usec = 0;
-			(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
-			i=select(width,(void *)&readfds,NULL,NULL,&tv);
-			if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0))
-				continue;
-			if (read(fileno(stdin), buf, 0) >= 0)
-				read_from_terminal = 1;
-			(void)fcntl(fileno(stdin), F_SETFL, 0);
 #else
 			if ((SSL_version(con) == DTLS1_VERSION) &&
 				DTLSv1_get_timeout(con, &timeout))
diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c
index a026b3e..e96667d 100644
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -235,10 +235,6 @@ int BIO_sock_error(int sock)
 	int j,i;
 	union { size_t s; int i; } size;
 		 
-#if defined(OPENSSL_SYS_BEOS_R5)
-	return 0;
-#endif
- 
 	/* heuristic way to adapt for platforms that expect 64-bit optlen */
 	size.s=0, size.i=sizeof(j);
 	/* Note: under Windows the third parameter is of type (char *)
diff --git a/crypto/dso/Makefile b/crypto/dso/Makefile
index fb2709e..07f5d8d 100644
--- a/crypto/dso/Makefile
+++ b/crypto/dso/Makefile
@@ -18,9 +18,9 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= dso_dl.c dso_dlfcn.c dso_err.c dso_lib.c dso_null.c \
-	dso_openssl.c dso_win32.c dso_vms.c dso_beos.c
+	dso_openssl.c dso_win32.c dso_vms.c
 LIBOBJ= dso_dl.o dso_dlfcn.o dso_err.o dso_lib.o dso_null.o \
-	dso_openssl.o dso_win32.o dso_vms.o dso_beos.o
+	dso_openssl.o dso_win32.o dso_vms.o
 
 SRC= $(LIBSRC)
 
@@ -76,14 +76,6 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-dso_beos.o: ../../e_os.h ../../include/openssl/bio.h
-dso_beos.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dso_beos.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-dso_beos.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dso_beos.o: ../../include/openssl/opensslconf.h
-dso_beos.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dso_beos.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_beos.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_beos.c
 dso_dl.o: ../../e_os.h ../../include/openssl/bio.h
 dso_dl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dso_dl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
diff --git a/crypto/dso/dso_beos.c b/crypto/dso/dso_beos.c
deleted file mode 100644
index 553966e..0000000
--- a/crypto/dso/dso_beos.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/* dso_beos.c */
-/* Written by Marcin Konicki (ahwayakchih at neoni.net) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing at OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay at cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh at cryptsoft.com).
- *
- */
-
-#include 
-#include 
-#include "cryptlib.h"
-#include 
-
-#if !defined(OPENSSL_SYS_BEOS)
-DSO_METHOD *DSO_METHOD_beos(void)
-	{
-	return NULL;
-	}
-#else
-
-#include 
-
-static int beos_load(DSO *dso);
-static int beos_unload(DSO *dso);
-static void *beos_bind_var(DSO *dso, const char *symname);
-static DSO_FUNC_TYPE beos_bind_func(DSO *dso, const char *symname);
-#if 0
-static int beos_unbind_var(DSO *dso, char *symname, void *symptr);
-static int beos_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
-static int beos_init(DSO *dso);
-static int beos_finish(DSO *dso);
-static long beos_ctrl(DSO *dso, int cmd, long larg, void *parg);
-#endif
-static char *beos_name_converter(DSO *dso, const char *filename);
-
-static DSO_METHOD dso_meth_beos = {
-	"OpenSSL 'beos' shared library method",
-	beos_load,
-	beos_unload,
-	beos_bind_var,
-	beos_bind_func,
-/* For now, "unbind" doesn't exist */
-#if 0
-	NULL, /* unbind_var */
-	NULL, /* unbind_func */
-#endif
-	NULL, /* ctrl */
-	beos_name_converter,
-	NULL, /* init */
-	NULL  /* finish */
-	};
-
-DSO_METHOD *DSO_METHOD_beos(void)
-	{
-	return(&dso_meth_beos);
-	}
-
-/* For this DSO_METHOD, our meth_data STACK will contain;
- * (i) a pointer to the handle (image_id) returned from
- *     load_add_on().
- */
-
-static int beos_load(DSO *dso)
-	{
-	image_id id;
-	/* See applicable comments from dso_dl.c */
-	char *filename = DSO_convert_filename(dso, NULL);
-
-	if(filename == NULL)
-		{
-		DSOerr(DSO_F_BEOS_LOAD,DSO_R_NO_FILENAME);
-		goto err;
-		}
-	id = load_add_on(filename);
-	if(id < 1)
-		{
-		DSOerr(DSO_F_BEOS_LOAD,DSO_R_LOAD_FAILED);
-		ERR_add_error_data(3, "filename(", filename, ")");
-		goto err;
-		}
-	if(!sk_push(dso->meth_data, (char *)id))
-		{
-		DSOerr(DSO_F_BEOS_LOAD,DSO_R_STACK_ERROR);
-		goto err;
-		}
-	/* Success */
-	dso->loaded_filename = filename;
-	return(1);
-err:
-	/* Cleanup !*/
-	if(filename != NULL)
-		OPENSSL_free(filename);
-	if(id > 0)
-		unload_add_on(id);
-	return(0);
-	}
-
-static int beos_unload(DSO *dso)
-	{
-	image_id id;
-	if(dso == NULL)
-		{
-		DSOerr(DSO_F_BEOS_UNLOAD,ERR_R_PASSED_NULL_PARAMETER);
-		return(0);
-		}
-	if(sk_num(dso->meth_data) < 1)
-		return(1);
-	id = (image_id)sk_pop(dso->meth_data);
-	if(id < 1)
-		{
-		DSOerr(DSO_F_BEOS_UNLOAD,DSO_R_NULL_HANDLE);
-		return(0);
-		}
-	if(unload_add_on(id) != B_OK)
-		{
-		DSOerr(DSO_F_BEOS_UNLOAD,DSO_R_UNLOAD_FAILED);
-		/* We should push the value back onto the stack in
-		 * case of a retry. */
-		sk_push(dso->meth_data, (char *)id);
-		return(0);
-		}
-	return(1);
-	}
-
-static void *beos_bind_var(DSO *dso, const char *symname)
-	{
-	image_id id;
-	void *sym;
-
-	if((dso == NULL) || (symname == NULL))
-		{
-		DSOerr(DSO_F_BEOS_BIND_VAR,ERR_R_PASSED_NULL_PARAMETER);
-		return(NULL);
-		}
-	if(sk_num(dso->meth_data) < 1)
-		{
-		DSOerr(DSO_F_BEOS_BIND_VAR,DSO_R_STACK_ERROR);
-		return(NULL);
-		}
-	id = (image_id)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
-	if(id < 1)
-		{
-		DSOerr(DSO_F_BEOS_BIND_VAR,DSO_R_NULL_HANDLE);
-		return(NULL);
-		}
-	if(get_image_symbol(id, symname, B_SYMBOL_TYPE_DATA, &sym) != B_OK)
-		{
-		DSOerr(DSO_F_BEOS_BIND_VAR,DSO_R_SYM_FAILURE);
-		ERR_add_error_data(3, "symname(", symname, ")");
-		return(NULL);
-		}
-	return(sym);
-	}
-
-static DSO_FUNC_TYPE beos_bind_func(DSO *dso, const char *symname)
-	{
-	image_id id;
-	void *sym;
-
-	if((dso == NULL) || (symname == NULL))
-		{
-		DSOerr(DSO_F_BEOS_BIND_FUNC,ERR_R_PASSED_NULL_PARAMETER);
-		return(NULL);
-		}
-	if(sk_num(dso->meth_data) < 1)
-		{
-		DSOerr(DSO_F_BEOS_BIND_FUNC,DSO_R_STACK_ERROR);
-		return(NULL);
-		}
-	id = (image_id)sk_value(dso->meth_data, sk_num(dso->meth_data) - 1);
-	if(id < 1)
-		{
-		DSOerr(DSO_F_BEOS_BIND_FUNC,DSO_R_NULL_HANDLE);
-		return(NULL);
-		}
-	if(get_image_symbol(id, symname, B_SYMBOL_TYPE_TEXT, &sym) != B_OK)
-		{
-		DSOerr(DSO_F_BEOS_BIND_FUNC,DSO_R_SYM_FAILURE);
-		ERR_add_error_data(3, "symname(", symname, ")");
-		return(NULL);
-		}
-	return((DSO_FUNC_TYPE)sym);
-	}
-
-/* This one is the same as the one in dlfcn */
-static char *beos_name_converter(DSO *dso, const char *filename)
-	{
-	char *translated;
-	int len, rsize, transform;
-
-	len = strlen(filename);
-	rsize = len + 1;
-	transform = (strstr(filename, "/") == NULL);
-	if(transform)
-		{
-		/* We will convert this to "%s.so" or "lib%s.so" */
-		rsize += 3;	/* The length of ".so" */
-		if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
-			rsize += 3; /* The length of "lib" */
-		}
-	translated = OPENSSL_malloc(rsize);
-	if(translated == NULL)
-		{
-		DSOerr(DSO_F_BEOS_NAME_CONVERTER,
-				DSO_R_NAME_TRANSLATION_FAILED);
-		return(NULL);
-		}
-	if(transform)
-		{
-		if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
-			sprintf(translated, "lib%s.so", filename);
-		else
-			sprintf(translated, "%s.so", filename);
-		}
-	else
-		sprintf(translated, "%s", filename);
-	return(translated);
-	}
-
-#endif
diff --git a/crypto/dso/dso_openssl.c b/crypto/dso/dso_openssl.c
index b17e8e8..a4395eb 100644
--- a/crypto/dso/dso_openssl.c
+++ b/crypto/dso/dso_openssl.c
@@ -74,8 +74,6 @@ DSO_METHOD *DSO_METHOD_openssl(void)
 	return(DSO_METHOD_win32());
 #elif defined(DSO_VMS)
 	return(DSO_METHOD_vms());
-#elif defined(DSO_BEOS)
-	return(DSO_METHOD_beos());
 #else
 	return(DSO_METHOD_null());
 #endif
diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c
index 7351f4e..0a74e40 100644
--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_BEOS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 	{
 	return(-1);
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index e3a6557..04fbc90 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -295,12 +295,7 @@ int RAND_poll(void)
 				{
 				int try_read = 0;
 
-#if defined(OPENSSL_SYS_BEOS_R5)
-				/* select() is broken in BeOS R5, so we simply
-				 *  try to read something and snooze if we couldn't */
-				try_read = 1;
-
-#elif defined(OPENSSL_SYS_LINUX)
+#if defined(OPENSSL_SYS_LINUX)
 				/* use poll() */
 				struct pollfd pset;
 				
@@ -347,10 +342,6 @@ int RAND_poll(void)
 					r = read(fd,(unsigned char *)tmpbuf+n, ENTROPY_NEEDED-n);
 					if (r > 0)
 						n += r;
-#if defined(OPENSSL_SYS_BEOS_R5)
-					if (r == 0)
-						snooze(t.tv_usec);
-#endif
 					}
 				else
 					r = -1;
@@ -404,14 +395,6 @@ int RAND_poll(void)
 	l=time(NULL);
 	RAND_add(&l,sizeof(l),0.0);
 
-#if defined(OPENSSL_SYS_BEOS)
-	{
-	system_info sysInfo;
-	get_system_info(&sysInfo);
-	RAND_add(&sysInfo,sizeof(sysInfo),0);
-	}
-#endif
-
 #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
 	return 1;
 #else
diff --git a/crypto/thr_id.c b/crypto/thr_id.c
index adad72e..8de9033 100644
--- a/crypto/thr_id.c
+++ b/crypto/thr_id.c
@@ -199,8 +199,6 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id)
 	CRYPTO_THREADID_set_numeric(id, (unsigned long)GetCurrentTask());
 #elif defined(OPENSSL_SYS_WIN32)
 	CRYPTO_THREADID_set_numeric(id, (unsigned long)GetCurrentThreadId());
-#elif defined(OPENSSL_SYS_BEOS)
-	CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL));
 #else
 	/* For everything else, default to using the address of 'errno' */
 	CRYPTO_THREADID_set_pointer(id, (void*)&errno);
@@ -245,8 +243,6 @@ unsigned long CRYPTO_thread_id(void)
 		ret=(unsigned long)GetCurrentThreadId();
 #elif defined(GETPID_IS_MEANINGLESS)
 		ret=1L;
-#elif defined(OPENSSL_SYS_BEOS)
-		ret=(unsigned long)find_thread(NULL);
 #else
 		ret=(unsigned long)getpid();
 #endif
diff --git a/crypto/threads/mttest.c b/crypto/threads/mttest.c
index da2707e..fc686dd 100644
--- a/crypto/threads/mttest.c
+++ b/crypto/threads/mttest.c
@@ -1209,100 +1209,3 @@ unsigned long netware_thread_id(void)
    return(ret);
 }
 #endif /* NETWARE */
-
-#ifdef BEOS_THREADS
-
-#include 
-
-static BLocker** lock_cs;
-static long* lock_count;
-
-void thread_setup(void)
-	{
-	int i;
-
-	lock_cs=(BLocker**)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(BLocker*));
-	lock_count=(long*)OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
-	for (i=0; iLock();
-		lock_count[type]++;
-		}
-	else
-		{
-		lock_cs[type]->Unlock();
-		}
-	}
-
-void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
-	{
-	SSL_CTX *ssl_ctx[2];
-	thread_id thread_ctx[MAX_THREAD_NUMBER];
-	int i;
-
-	ssl_ctx[0]=s_ctx;
-	ssl_ctx[1]=c_ctx;
-
-	for (i=0; ireferences,c_ctx->references);
-	}
-
-unsigned long beos_thread_id(void)
-	{
-	unsigned long ret;
-
-	ret=(unsigned long)find_thread(NULL);
-	return(ret);
-	}
-
-#endif /* BEOS_THREADS */
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 6d4c4e1..46128fe 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -484,7 +484,7 @@ static int open_console(UI *ui)
 	CRYPTO_w_lock(CRYPTO_LOCK_UI);
 	is_a_tty = 1;
 
-#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS)
+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)
 	tty_in=stdin;
 	tty_out=stderr;
 #else
diff --git a/e_os.h b/e_os.h
index d0217f1..6f5edfb 100644
--- a/e_os.h
+++ b/e_os.h
@@ -157,13 +157,6 @@ extern "C" {
 #define closesocket(s)		    close(s)
 #define readsocket(s,b,n)	    read((s),(b),(n))
 #define writesocket(s,b,n)	    write((s),(char *)(b),(n))
-#elif defined(OPENSSL_SYS_BEOS_R5)
-#define get_last_socket_error() errno
-#define clear_socket_error()    errno=0
-#define FIONBIO SO_NONBLOCK
-#define ioctlsocket(a,b,c)		  setsockopt((a),SOL_SOCKET,(b),(c),sizeof(*(c)))
-#define readsocket(s,b,n)       recv((s),(b),(n),0)
-#define writesocket(s,b,n)      send((s),(b),(n),0)
 #elif defined(OPENSSL_SYS_NETWARE)
 #if defined(NETWARE_BSDSOCK)
 #define get_last_socket_error() errno
@@ -568,10 +561,8 @@ static __inline unsigned int _strlen31(const char *str)
 #        include  /* Added for FIONBIO under unixware */
 #      endif
 #      include 
-#      if !defined(OPENSSL_SYS_BEOS_R5)
 #      include 
 #    endif
-#    endif
 
 #    if defined(NeXT) || defined(_NEXT_SOURCE)
 #      include 
@@ -619,7 +610,7 @@ static __inline unsigned int _strlen31(const char *str)
  * versions.
  */
 #  if !defined(OPENSSL_USE_IPV6)
-#    if defined(AF_INET6) && !defined(OPENSSL_SYS_BEOS_BONE) && !defined(NETWARE_CLIB)
+#    if defined(AF_INET6) && !defined(NETWARE_CLIB)
 #      define OPENSSL_USE_IPV6 1
 #    else
 #      define OPENSSL_USE_IPV6 0
@@ -714,14 +705,6 @@ struct servent *getservbyname(const char *name, const char *proto);
 #endif
 /* end vxworks */
 
-/* beos */
-#if defined(OPENSSL_SYS_BEOS_R5)
-#define SO_ERROR 0
-#define NO_SYS_UN
-#define IPPROTO_IP 0
-#include 
-#endif
-
 #if !defined(inline) && !defined(__cplusplus)
 # if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901L
    /* do nothing, inline works */
diff --git a/e_os2.h b/e_os2.h
index bbb2ab6..bfc9606 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -198,17 +198,6 @@ extern "C" {
 # define OPENSSL_SYS_VXWORKS
 #endif
 
-/* --------------------------------- BeOS ---------------------------------- */
-#if defined(__BEOS__)
-# define OPENSSL_SYS_BEOS
-# include 
-# if defined(BONE_VERSION)
-#  define OPENSSL_SYS_BEOS_BONE
-# else
-#  define OPENSSL_SYS_BEOS_R5
-# endif
-#endif
-
 /**
  * That's it for OS-specific stuff
  *****************************************************************************/


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Thu Dec 18 14:04:38 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Thu, 18 Dec 2014 15:04:38 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 5a1e8c67a90aead86ccc2dda324e8f897d1a044d
Message-ID: <20141218140438.D24F51DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  5a1e8c67a90aead86ccc2dda324e8f897d1a044d (commit)
      from  040b60f6fa50de325ecace8a6a06e02485942d94 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5a1e8c67a90aead86ccc2dda324e8f897d1a044d
Author: Kurt Roeckx 
Date:   Mon Dec 15 17:15:16 2014 +0100

    Return error when a bit string indicates an invalid amount of bits left
    
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_bitstr.c |    7 ++++++-
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    1 +
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 0cb899f..4ca4a56 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
 	p= *pp;
 	i= *(p++);
+	if (i > 7)
+		{
+		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+		goto err;
+		}
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
 	 * on output */
 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index ed1a28a..37adcb3 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1350,6 +1350,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE			 184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
 #define ASN1_R_INVALID_MIME_TYPE			 205
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 0217049..6eb47f7 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -249,6 +249,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Thu Dec 18 14:11:39 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Thu, 18 Dec 2014 15:11:39 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-122-ga760dde
Message-ID: <20141218141139.926B71DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  a760dde68185d0f2e7415268defcb9e618875992 (commit)
      from  f5e4b6b5b566320a8d774f9475540f7d0e6a704d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a760dde68185d0f2e7415268defcb9e618875992
Author: Kurt Roeckx 
Date:   Mon Dec 15 17:15:16 2014 +0100

    Return error when a bit string indicates an invalid amount of bits left
    
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_bitstr.c |    7 ++++++-
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    1 +
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 3417996..4117a67 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
 	p= *pp;
 	i= *(p++);
+	if (i > 7)
+		{
+		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+		goto err;
+		}
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
 	 * on output */
 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index b57e2cd..9bd30ac 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1331,6 +1331,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE			 184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
 #define ASN1_R_INVALID_MIME_TYPE			 205
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 73686de..568a841 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Thu Dec 18 14:12:05 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Thu, 18 Dec 2014 15:12:05 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-83-g86edf13
Message-ID: <20141218141205.C7FC71DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  86edf13b1c97526c0cf63c37342aaa01f5442688 (commit)
      from  fcd9b1073addc83890e60dd81d63e749ced01428 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 86edf13b1c97526c0cf63c37342aaa01f5442688
Author: Kurt Roeckx 
Date:   Mon Dec 15 17:15:16 2014 +0100

    Return error when a bit string indicates an invalid amount of bits left
    
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_bitstr.c |    7 ++++++-
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    1 +
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 3417996..4117a67 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
 	p= *pp;
 	i= *(p++);
+	if (i > 7)
+		{
+		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+		goto err;
+		}
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
 	 * on output */
 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 89a2ad4..672c97f 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE			 184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
 #define ASN1_R_INVALID_MIME_TYPE			 205
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 73686de..568a841 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Thu Dec 18 14:12:38 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Thu, 18 Dec 2014 15:12:38 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-51-gbfb2e4b
Message-ID: <20141218141238.A31261DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  bfb2e4b280b613350717c9b69a33d497e01c3a42 (commit)
      from  d8c8a718a296d653b7f01a449e3adbcd8fb5a34b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit bfb2e4b280b613350717c9b69a33d497e01c3a42
Author: Kurt Roeckx 
Date:   Mon Dec 15 17:15:16 2014 +0100

    Return error when a bit string indicates an invalid amount of bits left
    
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_bitstr.c |    7 ++++++-
 crypto/asn1/asn1.h     |    1 +
 crypto/asn1/asn1_err.c |    1 +
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 3417996..4117a67 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
 	p= *pp;
 	i= *(p++);
+	if (i > 7)
+		{
+		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+		goto err;
+		}
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
 	 * on output */
 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 59540e4..f6f491f 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -1327,6 +1327,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE			 184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
 #define ASN1_R_INVALID_MIME_TYPE			 205
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 2975e02..35293f2 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -243,6 +243,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Thu Dec 18 19:18:18 2014
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 18 Dec 2014 20:18:18 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 59ff1ce06108508eba0f289b295dd89582c9fbfc
Message-ID: <20141218191818.3A2771DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  59ff1ce06108508eba0f289b295dd89582c9fbfc (commit)
      from  5a1e8c67a90aead86ccc2dda324e8f897d1a044d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 59ff1ce06108508eba0f289b295dd89582c9fbfc
Author: Rich Salz 
Date:   Thu Dec 18 14:17:33 2014 -0500

    RT3548: Remove some obsolete platforms
    
    This commit removes Sony NEWS4
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES   |    4 +++-
 Configure |    3 ---
 e_os.h    |    6 +-----
 e_os2.h   |    5 +----
 4 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index 770ece4..4510706 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,7 +17,9 @@
      done while fixing the error code for the key-too-small case.
      [Annie Yousar ]
 
-  *) Remove BEOS and BEOS_R5 code.
+  *) Remove various unsupported platforms:
+	Sony NEWS4
+	Remove BEOS and BEOS_R5
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
diff --git a/Configure b/Configure
index b59f807..43f1b30 100755
--- a/Configure
+++ b/Configure
@@ -626,9 +626,6 @@ my %table=(
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 
-##### Sony NEWS-OS 4.x
-"newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
-
 ##### GNU Hurd
 "hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",
 
diff --git a/e_os.h b/e_os.h
index 6f5edfb..d0c8ed5 100644
--- a/e_os.h
+++ b/e_os.h
@@ -432,15 +432,11 @@ static __inline unsigned int _strlen31(const char *str)
 #    ifndef NO_SYS_TYPES_H
 #      include 
 #    endif
-#    if defined(NeXT) || defined(OPENSSL_SYS_NEWS4)
+#    if defined(NeXT)
 #      define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP
                          * (unless when compiling with -D_POSIX_SOURCE,
                          * which doesn't work for us) */
 #    endif
-#    ifdef OPENSSL_SYS_NEWS4 /* setvbuf is missing on mips-sony-bsd */
-#      define setvbuf(a, b, c, d) setbuffer((a), (b), (d))
-       typedef unsigned long clock_t;
-#    endif
 #    ifdef OPENSSL_SYS_WIN32_CYGWIN
 #      include 
 #      include 
diff --git a/e_os2.h b/e_os2.h
index bfc9606..68801f4 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -165,9 +165,6 @@ extern "C" {
 # ifdef OPENSSL_SYSNAME_ULTRASPARC
 #  define OPENSSL_SYS_ULTRASPARC
 # endif
-# ifdef OPENSSL_SYSNAME_NEWS4
-#  define OPENSSL_SYS_NEWS4
-# endif
 # ifdef OPENSSL_SYSNAME_MACOSX
 #  define OPENSSL_SYS_MACOSX
 # endif
@@ -272,7 +269,7 @@ extern "C" {
 #  define ossl_ssize_t long
 #endif
 
-#if defined(NeXT) || defined(OPENSSL_SYS_NEWS4) || defined(OPENSSL_SYS_SUNOS)
+#if defined(NeXT) || defined(OPENSSL_SYS_SUNOS)
 #  define ssize_t int
 #endif
 


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Thu Dec 18 19:58:33 2014
From: matt at openssl.org (Matt Caswell)
Date: Thu, 18 Dec 2014 20:58:33 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. c0fc27f88ea0933a3e201325fc683b52fe55d848
Message-ID: <20141218195833.B0B1A1DF107@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  c0fc27f88ea0933a3e201325fc683b52fe55d848 (commit)
       via  bd2bd374b37a3718be4a6c0c198be8ff3123c81a (commit)
       via  6385043fa165491e67fc1eff3c14143465dd2f81 (commit)
       via  53e95716f5c11a8a9cbdcbbb3be0e8e538b5a2ea (commit)
       via  5bafb04d2e8a792afbc97395410ef3291f3fbc8b (commit)
       via  07c4c14c4739da0c44562328afb6e7273e51298c (commit)
      from  59ff1ce06108508eba0f289b295dd89582c9fbfc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c0fc27f88ea0933a3e201325fc683b52fe55d848
Author: Matt Caswell 
Date:   Thu Dec 18 15:03:09 2014 +0000

    Made it an error to define OPENSSL_USE_DEPRECATED if OpenSSL has been built
    with OPENSSL_NO_DEPRECATED defined
    
    Reviewed-by: Rich Salz 

commit bd2bd374b37a3718be4a6c0c198be8ff3123c81a
Author: Matt Caswell 
Date:   Wed Dec 17 14:27:22 2014 +0000

    Update CHANGES for deprecated updates
    
    Reviewed-by: Rich Salz 

commit 6385043fa165491e67fc1eff3c14143465dd2f81
Author: Matt Caswell 
Date:   Wed Dec 17 14:24:21 2014 +0000

    make update following changes to default config settings
    
    Reviewed-by: Rich Salz 

commit 53e95716f5c11a8a9cbdcbbb3be0e8e538b5a2ea
Author: Matt Caswell 
Date:   Wed Dec 17 13:30:41 2014 +0000

    Change all instances of OPENSSL_NO_DEPRECATED to OPENSSL_USE_DEPRECATED
    Introduce use of DECLARE_DEPRECATED
    
    Reviewed-by: Rich Salz 

commit 5bafb04d2e8a792afbc97395410ef3291f3fbc8b
Author: Matt Caswell 
Date:   Wed Dec 17 13:21:54 2014 +0000

    Remove redundant OPENSSL_NO_DEPRECATED suppression
    
    Reviewed-by: Rich Salz 

commit 07c4c14c4739da0c44562328afb6e7273e51298c
Author: Matt Caswell 
Date:   Wed Dec 17 13:17:26 2014 +0000

    Turn on OPENSSL_NO_DEPRECATED by default.
    Also introduce OPENSSL_USE_DEPRECATED. If OPENSSL_NO_DEPRECATED is
    defined at config stage then OPENSSL_USE_DEPRECATED has no effect -
    deprecated functions are not available.
    If OPENSSL_NO_DEPRECATED is not defined at config stage then
    applications must define OPENSSL_USE_DEPRECATED in order to access
    deprecated functions.
    Also introduce compiler warnings for gcc for applications using
    deprecated functions
    
    Reviewed-by: Rich Salz 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                 |    9 ++++
 Configure               |    9 +++-
 apps/Makefile           |  118 ++++++++++++++++++++++-------------------------
 apps/dsaparam.c         |    5 --
 apps/gendh.c            |    5 --
 apps/genrsa.c           |    5 --
 apps/req.c              |    6 ---
 apps/s_server.c         |    5 --
 crypto/asn1/asn1.h      |    2 +-
 crypto/bn/bn.h          |   34 +++++++-------
 crypto/bn/bntest.c      |    6 ---
 crypto/crypto.h         |   10 ++--
 crypto/dh/dh.h          |   10 ++--
 crypto/dh/dhtest.c      |    6 ---
 crypto/dsa/dsa.h        |   10 ++--
 crypto/dsa/dsatest.c    |    6 ---
 crypto/ec/ec.h          |    2 +-
 crypto/ecdh/ecdh.h      |    2 +-
 crypto/ecdsa/ecdsa.h    |    2 +-
 crypto/engine/engine.h  |    2 +-
 crypto/err/err.h        |    4 +-
 crypto/opensslconf.h.in |   17 +++++++
 crypto/rsa/rsa.h        |   12 ++---
 crypto/store/store.h    |    2 +-
 crypto/ui/ui.h          |    2 +-
 crypto/x509/x509.h      |    2 +-
 ssl/ssl.h               |    2 +-
 test/Makefile           |   24 +++++-----
 util/mkdef.pl           |   28 +++++++++++
 29 files changed, 179 insertions(+), 168 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4510706..34a85b2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,10 +4,19 @@
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
 
+  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
+     Access to deprecated functions can be re-enabled by running config with
+     "enable-deprecated". In addition applications wishing to use deprecated
+     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
+     will, by default, disable some transitive includes that previously existed
+     in the header files (e.g. ec.h will no longer, by default, include bn.h)
+     [Matt Caswell]
+
   *) Added support for OCB mode. OpenSSL has been granted a patent license
      compatible with the OpenSSL license for use of OCB. Details are available
      at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
      for OCB can be removed by calling config with no-ocb.
+     [Matt Caswell]
 
   *) SSLv2 support has been removed.  It still supports receiving a SSLv2
      compatible client hello.
diff --git a/Configure b/Configure
index 43f1b30..b97f961 100755
--- a/Configure
+++ b/Configure
@@ -740,6 +740,7 @@ my $fips=0;
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
 my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
+		 "deprecated" => "default",
 		 "ec_nistp_64_gcc_128" => "default",
 		 "gmp"		  => "default",
 		 "jpake"          => "experimental",
@@ -758,7 +759,7 @@ my @experimental = ();
 
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
+my $default_depflags = " -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
@@ -1418,6 +1419,12 @@ if ($zlib)
 		}
 	}
 
+#Build the library with OPENSSL_USE_DEPRECATED if deprecation is not disabled
+if(!defined($disabled{"deprecated"}))
+	{
+	$cflags = "-DOPENSSL_USE_DEPRECATED $cflags";
+	}
+
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
 if ($shared_target eq "")
diff --git a/apps/Makefile b/apps/Makefile
index 76fa21b..6ced2bd 100644
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -349,20 +349,18 @@ dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c
 dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dsaparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-dsaparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h
-dsaparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-dsaparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-dsaparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dsaparam.o: ../include/openssl/ui.h ../include/openssl/x509.h
+dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dsaparam.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+dsaparam.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+dsaparam.o: ../include/openssl/err.h ../include/openssl/evp.h
+dsaparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+dsaparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+dsaparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+dsaparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
 dsaparam.o: dsaparam.c
 ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
@@ -457,22 +455,20 @@ errstr.o: ../include/openssl/x509v3.h apps.h errstr.c
 gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gendh.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-gendh.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-gendh.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-gendh.o: ../include/openssl/engine.h ../include/openssl/err.h
-gendh.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-gendh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-gendh.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h
+gendh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+gendh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+gendh.o: ../include/openssl/err.h ../include/openssl/evp.h
+gendh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+gendh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendh.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h
 gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-gendh.o: ../include/openssl/ui.h ../include/openssl/x509.h
-gendh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-gendh.o: gendh.c
+gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+gendh.o: ../include/openssl/x509v3.h apps.h gendh.c
 gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -509,7 +505,6 @@ genpkey.o: genpkey.c
 genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-genrsa.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 genrsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
 genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
@@ -522,9 +517,8 @@ genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
 genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-genrsa.o: ../include/openssl/ui.h ../include/openssl/x509.h
-genrsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-genrsa.o: genrsa.c
+genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+genrsa.o: ../include/openssl/x509v3.h apps.h genrsa.c
 nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
@@ -729,21 +723,20 @@ rand.o: ../include/openssl/x509v3.h apps.h rand.c
 req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-req.o: ../include/openssl/engine.h ../include/openssl/err.h
-req.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-req.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-req.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+req.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+req.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+req.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+req.o: ../include/openssl/err.h ../include/openssl/evp.h
+req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+req.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 req.o: ../include/openssl/sha.h ../include/openssl/stack.h
 req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-req.o: ../include/openssl/ui.h ../include/openssl/x509.h
-req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
+req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+req.o: ../include/openssl/x509v3.h apps.h req.c
 rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -826,25 +819,24 @@ s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
 s_server.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-s_server.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
-s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-s_server.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s_server.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_server.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h
-s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s_server.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s_server.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_server.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_server.o: ../include/openssl/sha.h ../include/openssl/srp.h
+s_server.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_server.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
 s_server.o: s_apps.h s_server.c timeouts.h
 s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 8ee5d42..fcbd794 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -57,11 +57,6 @@
  */
 
 #include 	/* for OPENSSL_NO_DSA */
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
 
 #ifndef OPENSSL_NO_DSA
 #include 
diff --git a/apps/gendh.c b/apps/gendh.c
index c8645a4..4581bfa 100644
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -58,11 +58,6 @@
  */
 
 #include 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
 
 #ifndef OPENSSL_NO_DH
 #include 
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 54e30d3..fe00af9 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -57,11 +57,6 @@
  */
 
 #include 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
 
 #ifndef OPENSSL_NO_RSA
 #include 
diff --git a/apps/req.c b/apps/req.c
index 87ab412..a69915f 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -56,12 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
-
 #include 
 #include 
 #include 
diff --git a/apps/s_server.c b/apps/s_server.c
index 21f7e04..1e40769 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -140,11 +140,6 @@
  * OTHERWISE.
  */
 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
 
 #include 
 #include 
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 37adcb3..68be533 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -70,7 +70,7 @@
 #include 
 
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 6bccbfe..5daee38 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -263,13 +263,13 @@ extern "C" {
                                       * BN_mod_inverse() will call BN_mod_inverse_no_branch.
                                       */
 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */
                                       /* avoid leaking exponent information through timings
                                       * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
 #endif
 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #define BN_FLG_FREE		0x8000	/* used for debuging */
 #endif
 
@@ -342,7 +342,7 @@ int BN_is_odd(const BIGNUM *a);
 
 void BN_zero_ex(BIGNUM *a);
 
-#ifdef OPENSSL_NO_DEPRECATED
+#ifndef OPENSSL_USE_DEPRECATED
 #define BN_zero(a)	BN_zero_ex(a)
 #else
 #define BN_zero(a)	(BN_set_word((a),0))
@@ -464,17 +464,17 @@ BIGNUM *BN_mod_sqrt(BIGNUM *ret,
 void	BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
 
 /* Deprecated versions */
-#ifndef OPENSSL_NO_DEPRECATED
-BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
 	const BIGNUM *add, const BIGNUM *rem,
-	void (*callback)(int,int,void *),void *cb_arg);
-int	BN_is_prime(const BIGNUM *p,int nchecks,
+	void (*callback)(int,int,void *),void *cb_arg));
+DECLARE_DEPRECATED(int	BN_is_prime(const BIGNUM *p,int nchecks,
 	void (*callback)(int,int,void *),
-	BN_CTX *ctx,void *cb_arg);
-int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
+	BN_CTX *ctx,void *cb_arg));
+DECLARE_DEPRECATED(int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
 	void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
-	int do_trial_division);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+	int do_trial_division));
+#endif /* defined(OPENSSL_USE_DEPRECATED) */
 
 /* Newer versions */
 int	BN_generate_prime_ex(BIGNUM *ret,int bits,int safe, const BIGNUM *add,
@@ -517,9 +517,9 @@ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-#ifndef OPENSSL_NO_DEPRECATED
-unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
-void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *));
+DECLARE_DEPRECATED(void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long));
 #endif
 CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
@@ -530,9 +530,9 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
 			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
 	BN_MONT_CTX *m_ctx);
 
-#ifndef OPENSSL_NO_DEPRECATED
-void BN_set_params(int mul,int high,int low,int mont);
-int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(void BN_set_params(int mul,int high,int low,int mont));
+DECLARE_DEPRECATED(int BN_get_params(int which)); /* 0, mul, 1 high, 2 low, 3 mont */
 #endif
 
 BN_RECP_CTX *BN_RECP_CTX_new(void);
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 6e18a69..0fa2504 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -69,12 +69,6 @@
  *
  */
 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
-
 #include 
 #include 
 #include 
diff --git a/crypto/crypto.h b/crypto/crypto.h
index c4c173f..d4be37b 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -442,10 +442,14 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
 int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
 void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
 unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
-#ifndef OPENSSL_NO_DEPRECATED
-void CRYPTO_set_id_callback(unsigned long (*func)(void));
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(void CRYPTO_set_id_callback(unsigned long (*func)(void)));
+/*
+ * mkdef.pl cannot handle this next one so not inside DECLARE_DEPRECATED,
+ * but still inside OPENSSL_USE_DEPRECATED
+ */
 unsigned long (*CRYPTO_get_id_callback(void))(void);
-unsigned long CRYPTO_thread_id(void);
+DECLARE_DEPRECATED(unsigned long CRYPTO_thread_id(void));
 #endif
 
 const char *CRYPTO_get_lock_name(int type);
diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
index beaeac9..3f7dca1 100644
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -69,7 +69,7 @@
 #include 
 #endif
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 	
@@ -204,10 +204,10 @@ int DH_set_ex_data(DH *d, int idx, void *arg);
 void *DH_get_ex_data(DH *d, int idx);
 
 /* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
-DH *	DH_generate_parameters(int prime_len,int generator,
-		void (*callback)(int,int,void *),void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(DH *	DH_generate_parameters(int prime_len,int generator,
+		void (*callback)(int,int,void *),void *cb_arg));
+#endif /* defined(OPENSSL_USE_DEPRECATED) */
 
 /* New version */
 int	DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb);
diff --git a/crypto/dh/dhtest.c b/crypto/dh/dhtest.c
index c98c804..f4c2fd9 100644
--- a/crypto/dh/dhtest.c
+++ b/crypto/dh/dhtest.c
@@ -56,12 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
-
 #include 
 #include 
 #include 
diff --git a/crypto/dsa/dsa.h b/crypto/dsa/dsa.h
index 34d0704..8feb2a1 100644
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -77,7 +77,7 @@
 #include 
 #include 
 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #ifndef OPENSSL_NO_DH
 # include 
@@ -236,12 +236,12 @@ DSA *	d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length);
 DSA * 	d2i_DSAparams(DSA **a, const unsigned char **pp, long length);
 
 /* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
-DSA *	DSA_generate_parameters(int bits,
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(DSA *	DSA_generate_parameters(int bits,
 		unsigned char *seed,int seed_len,
 		int *counter_ret, unsigned long *h_ret,void
-		(*callback)(int, int, void *),void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+		(*callback)(int, int, void *),void *cb_arg));
+#endif /* defined(OPENSSL_USE_DEPRECATED) */
 
 /* New version */
 int	DSA_generate_parameters_ex(DSA *dsa, int bits,
diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index 271a8e0..152205f 100644
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -56,12 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-/* Until the key-gen callbacks are modified to use newer prototypes, we allow
- * deprecated functions for openssl-internal code */
-#ifdef OPENSSL_NO_DEPRECATED
-#undef OPENSSL_NO_DEPRECATED
-#endif
-
 #include 
 #include 
 #include 
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index f8c927a..f448aac 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -84,7 +84,7 @@
 
 #include 
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 
diff --git a/crypto/ecdh/ecdh.h b/crypto/ecdh/ecdh.h
index 539e212..c030728 100644
--- a/crypto/ecdh/ecdh.h
+++ b/crypto/ecdh/ecdh.h
@@ -77,7 +77,7 @@
 
 #include 
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 
diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index 28a4d1c..657f0b9 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -67,7 +67,7 @@
 
 #include 
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 
diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h
index 830d391..5d382fa 100644
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -70,7 +70,7 @@
 #error ENGINE is disabled.
 #endif
 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #ifndef OPENSSL_NO_RSA
 #include 
diff --git a/crypto/err/err.h b/crypto/err/err.h
index 974cc9c..2a00e28 100644
--- a/crypto/err/err.h
+++ b/crypto/err/err.h
@@ -354,8 +354,8 @@ void ERR_load_crypto_strings(void);
 void ERR_free_strings(void);
 
 void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
-#ifndef OPENSSL_NO_DEPRECATED
-void ERR_remove_state(unsigned long pid); /* if zero we look it up */
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(void ERR_remove_state(unsigned long pid)); /* if zero we look it up */
 #endif
 ERR_STATE *ERR_get_state(void);
 
diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in
index 97e3745..faa33a4 100644
--- a/crypto/opensslconf.h.in
+++ b/crypto/opensslconf.h.in
@@ -1,5 +1,22 @@
 /* crypto/opensslconf.h.in */
 
+/*
+ * Applications should use -DOPENSSL_USE_DEPRECATED to enable access to
+ * deprecated functions. But if the library has been built to disable
+ * deprecated functions then this will not work
+ */
+#if defined(OPENSSL_NO_DEPRECATED) && defined(OPENSSL_USE_DEPRECATED)
+#error "OPENSSL_USE_DEPRECATED has been defined, but OpenSSL has been built without support for deprecated functions"
+#endif
+
+/* Test for support for deprecated attribute */
+#if __GNUC__ > 3 || \
+  (__GNUC__ == 3 && __GNUC_MINOR__ > 0)
+#define DECLARE_DEPRECATED(f)    f __attribute__ ((deprecated))
+#else
+#define DECLARE_DEPRECATED(f)    f
+#endif
+
 /* Generate 80386 code? */
 #undef I386_ONLY
 
diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index f164d74..10e187e 100644
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -66,7 +66,7 @@
 #endif
 #include 
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 
@@ -208,7 +208,7 @@ struct rsa_st
                                                 * operations and results in faster RSA 
                                                 * private key operations.
                                                 */ 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
                                                 /* new with 0.9.7h; the built-in RSA
                                                 * implementation now uses constant time
@@ -310,10 +310,10 @@ int	RSA_size(const RSA *rsa);
 int	RSA_security_bits(const RSA *rsa);
 
 /* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
-RSA *	RSA_generate_key(int bits, unsigned long e,void
-		(*callback)(int,int,void *),void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
+#ifdef OPENSSL_USE_DEPRECATED
+DECLARE_DEPRECATED(RSA *	RSA_generate_key(int bits, unsigned long e,void
+		(*callback)(int,int,void *),void *cb_arg));
+#endif /* defined(OPENSSL_USE_DEPRECATED) */
 
 /* New version */
 int	RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
diff --git a/crypto/store/store.h b/crypto/store/store.h
index 0a28c7d..8b472a7 100644
--- a/crypto/store/store.h
+++ b/crypto/store/store.h
@@ -66,7 +66,7 @@
 #endif
 
 #include 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #include 
 #include 
diff --git a/crypto/ui/ui.h b/crypto/ui/ui.h
index bd78aa4..5c4ff49 100644
--- a/crypto/ui/ui.h
+++ b/crypto/ui/ui.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_UI_H
 #define HEADER_UI_H
 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #include 
 #endif
 #include 
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 2fcc107..ad804f2 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -91,7 +91,7 @@
 #include 
 #endif
 
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #ifndef OPENSSL_NO_RSA
 #include 
 #endif
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 02c53c7..0318d04 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -151,7 +151,7 @@
 #ifndef OPENSSL_NO_BIO
 #include 
 #endif
-#ifndef OPENSSL_NO_DEPRECATED
+#ifdef OPENSSL_USE_DEPRECATED
 #ifndef OPENSSL_NO_X509
 #include 
 #endif
diff --git a/test/Makefile b/test/Makefile
index 3eb551c..8d95239 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -557,18 +557,17 @@ bftest.o: ../include/openssl/opensslconf.h bftest.c
 bntest.o: ../crypto/bn/bn_lcl.h ../crypto/include/internal/bn_int.h ../e_os.h
 bntest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 bntest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-bntest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-bntest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+bntest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 bntest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
 bntest.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
 bntest.o: ../include/openssl/evp.h ../include/openssl/lhash.h
 bntest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 bntest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 bntest.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
-bntest.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-bntest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-bntest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-bntest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bntest.c
+bntest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h
+bntest.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
+bntest.o: ../include/openssl/x509_vfy.h bntest.c
 casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h
 casttest.o: ../include/openssl/opensslconf.h casttest.c
 constant_time_test.o: ../crypto/constant_time_locl.h ../e_os.h
@@ -587,13 +586,12 @@ dhtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dhtest.c
 dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h
-dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h
-dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dsatest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-dsatest.o: ../include/openssl/symhacks.h dsatest.c
+dsatest.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
+dsatest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+dsatest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+dsatest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h
+dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dsatest.c
 ecdhtest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 ecdhtest.o: ../include/openssl/bn.h ../include/openssl/crypto.h
 ecdhtest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 03a9b40..fa3f3db 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -433,6 +433,7 @@ sub do_defs
 				# is the same name as the original.
 	my $cpp;
 	my %unknown_algorithms = ();
+	my $parens = 0;
 
 	foreach $file (split(/\s+/,$symhacksfile." ".$files))
 		{
@@ -443,6 +444,7 @@ sub do_defs
 			(map { $_ => 0 } @known_platforms),
 			(map { "OPENSSL_SYS_".$_ => 0 } @known_ossl_platforms),
 			(map { "OPENSSL_NO_".$_ => 0 } @known_algorithms),
+			(map { "OPENSSL_USE_".$_ => 0 } @known_algorithms),
 			NOPROTO		=> 0,
 			PERL5		=> 0,
 			_WINDLL		=> 0,
@@ -505,6 +507,11 @@ sub do_defs
 
 		print STDERR "DEBUG: parsing ----------\n" if $debug;
 		while() {
+			if($parens > 0) {
+				#Inside a DECLARE_DEPRECATED
+				$parens += count_parens($_);
+				next;
+			}
 			if (/\/\* Error codes for the \w+ functions\. \*\//)
 				{
 				undef @tag;
@@ -608,6 +615,8 @@ sub do_defs
 					pop(@tag);
 					if ($t =~ /^OPENSSL_NO_([A-Z0-9_]+)$/) {
 						$t=$1;
+					} elsif($t =~ /^OPENSSL_USE_([A-Z0-9_]+)$/) {
+						$t=$1;
 					} else {
 						$t="";
 					}
@@ -657,10 +666,15 @@ sub do_defs
 					   map { $tag{"OPENSSL_SYS_".$_} == 1 ? $_ :
 						     $tag{"OPENSSL_SYS_".$_} == -1 ? "!".$_  : "" }
 					   @known_ossl_platforms);
+				@current_algorithms = ();
 				@current_algorithms =
 				    grep(!/^$/,
 					 map { $tag{"OPENSSL_NO_".$_} == -1 ? $_ : "" }
 					 @known_algorithms);
+				push @current_algorithms
+				    , grep(!/^$/,
+					 map { $tag{"OPENSSL_USE_".$_} == 1 ? $_ : "" }
+					 @known_algorithms);
 				$def .=
 				    "#INFO:"
 					.join(',', at current_platforms).":"
@@ -891,6 +905,10 @@ sub do_defs
 					&$make_variant("_shadow_$2","_shadow_$2",
 						      "EXPORT_VAR_AS_FUNCTION",
 						      "FUNCTION");
+				} elsif (/^\s*DECLARE_DEPRECATED\s*\(\s*(\w*(\s|\*|\w)*)/) {
+					$def .= "$1(void);";
+					$parens = count_parens($_);
+					next;
 				} elsif ($tag{'CONST_STRICT'} != 1) {
 					if (/\{|\/\*|\([^\)]*$/) {
 						$line = $_;
@@ -1549,3 +1567,13 @@ sub check_existing
 	}
 }
 
+sub count_parens
+{
+	my $line = shift(@_);
+
+	my $open = $line =~ tr/\(//;
+	my $close = $line =~ tr/\)//;
+
+	return $open - $close;
+}
+


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Fri Dec 19 14:12:48 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 19 Dec 2014 15:12:48 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_0-stable updated. OpenSSL_1_0_0o-52-gc4b9696
Message-ID: <20141219141252.B07B71DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_0-stable has been updated
       via  c4b969639a4ace587f67b7cda86f8fbdcb0e79ce (commit)
      from  bfb2e4b280b613350717c9b69a33d497e01c3a42 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c4b969639a4ace587f67b7cda86f8fbdcb0e79ce
Author: Matt Caswell 
Date:   Fri Dec 19 10:55:54 2014 +0000

    Fix a problem if CFLAGS is too long cversion.c fails to compile when config
    is run with --strict-warnings.
    
    Reviewed-by: Richard Levitte 
    (cherry picked from commit 488f16e31b8f5ec2513410929325d0830d76762d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/Makefile    |    7 +------
 crypto/cversion.c  |   15 +++------------
 util/mkbuildinf.pl |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 18 deletions(-)
 create mode 100755 util/mkbuildinf.pl

diff --git a/crypto/Makefile b/crypto/Makefile
index b2e85df..70e3b84 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -53,12 +53,7 @@ top:
 all: shared
 
 buildinf.h: ../Makefile
-	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
-	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo '#endif' ) >buildinf.h
+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
diff --git a/crypto/cversion.c b/crypto/cversion.c
index ea9f25f..0336ada 100644
--- a/crypto/cversion.c
+++ b/crypto/cversion.c
@@ -69,10 +69,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_BUILT_ON)
 		{
 #ifdef DATE
-		static char buf[sizeof(DATE)+11];
-
-		BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
-		return(buf);
+		return(DATE);
 #else
 		return("built on: date not available");
 #endif
@@ -80,10 +77,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_CFLAGS)
 		{
 #ifdef CFLAGS
-		static char buf[sizeof(CFLAGS)+11];
-
-		BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
-		return(buf);
+		return(cflags);
 #else
 		return("compiler: information not available");
 #endif
@@ -91,10 +85,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_PLATFORM)
 		{
 #ifdef PLATFORM
-		static char buf[sizeof(PLATFORM)+11];
-
-		BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
-		return(buf);
+		return(PLATFORM);
 #else
 		return("platform: information not available");
 #endif
diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl
new file mode 100755
index 0000000..ca02d7b
--- /dev/null
+++ b/util/mkbuildinf.pl
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+
+my ($cflags, $platform) = @ARGV;
+
+$cflags = "compiler: $cflags";
+$date = localtime();
+print <<"END_OUTPUT";
+#ifndef MK1MF_BUILD
+    /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */
+    #define CFLAGS
+    /*
+     * Generate CFLAGS as an array of individual characters. This is a
+     * workaround for the situation where CFLAGS gets too long for a C90 string
+     * literal
+     */
+    static const char cflags[] = {
+END_OUTPUT
+my $ctr = 0;
+foreach my $c (split //, $cflags) {
+    # Max 18 characters per line
+    if  (($ctr++ % 18) == 0) {
+        if ($ctr != 0) {
+            print "\n";
+        }
+        print "        ";
+    }
+    print "'$c',";
+}
+print <<"END_OUTPUT";
+'\\0'
+    };
+    #define PLATFORM "platform: $platform"
+    #define DATE "built on: $date"
+#endif
+END_OUTPUT


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Fri Dec 19 14:13:05 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 19 Dec 2014 15:13:05 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-84-g8c46748
Message-ID: <20141219141306.26C8D1DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  8c46748bcb601972faf2426fc42d80099af84df9 (commit)
      from  86edf13b1c97526c0cf63c37342aaa01f5442688 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8c46748bcb601972faf2426fc42d80099af84df9
Author: Matt Caswell 
Date:   Fri Dec 19 10:55:54 2014 +0000

    Fix a problem if CFLAGS is too long cversion.c fails to compile when config
    is run with --strict-warnings.
    
    Reviewed-by: Richard Levitte 
    (cherry picked from commit 488f16e31b8f5ec2513410929325d0830d76762d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/Makefile    |    7 +------
 crypto/cversion.c  |   15 +++------------
 util/mkbuildinf.pl |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 18 deletions(-)
 create mode 100755 util/mkbuildinf.pl

diff --git a/crypto/Makefile b/crypto/Makefile
index ee5bfbd..2b6397a 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -55,12 +55,7 @@ top:
 all: shared
 
 buildinf.h: ../Makefile
-	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
-	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo '#endif' ) >buildinf.h
+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
diff --git a/crypto/cversion.c b/crypto/cversion.c
index ea9f25f..0336ada 100644
--- a/crypto/cversion.c
+++ b/crypto/cversion.c
@@ -69,10 +69,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_BUILT_ON)
 		{
 #ifdef DATE
-		static char buf[sizeof(DATE)+11];
-
-		BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
-		return(buf);
+		return(DATE);
 #else
 		return("built on: date not available");
 #endif
@@ -80,10 +77,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_CFLAGS)
 		{
 #ifdef CFLAGS
-		static char buf[sizeof(CFLAGS)+11];
-
-		BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
-		return(buf);
+		return(cflags);
 #else
 		return("compiler: information not available");
 #endif
@@ -91,10 +85,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_PLATFORM)
 		{
 #ifdef PLATFORM
-		static char buf[sizeof(PLATFORM)+11];
-
-		BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
-		return(buf);
+		return(PLATFORM);
 #else
 		return("platform: information not available");
 #endif
diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl
new file mode 100755
index 0000000..ca02d7b
--- /dev/null
+++ b/util/mkbuildinf.pl
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+
+my ($cflags, $platform) = @ARGV;
+
+$cflags = "compiler: $cflags";
+$date = localtime();
+print <<"END_OUTPUT";
+#ifndef MK1MF_BUILD
+    /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */
+    #define CFLAGS
+    /*
+     * Generate CFLAGS as an array of individual characters. This is a
+     * workaround for the situation where CFLAGS gets too long for a C90 string
+     * literal
+     */
+    static const char cflags[] = {
+END_OUTPUT
+my $ctr = 0;
+foreach my $c (split //, $cflags) {
+    # Max 18 characters per line
+    if  (($ctr++ % 18) == 0) {
+        if ($ctr != 0) {
+            print "\n";
+        }
+        print "        ";
+    }
+    print "'$c',";
+}
+print <<"END_OUTPUT";
+'\\0'
+    };
+    #define PLATFORM "platform: $platform"
+    #define DATE "built on: $date"
+#endif
+END_OUTPUT


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Fri Dec 19 14:13:20 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 19 Dec 2014 15:13:20 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-123-gb651407
Message-ID: <20141219141321.69B131DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  b651407268ade15b290648d5b02628a2d27eaf63 (commit)
      from  a760dde68185d0f2e7415268defcb9e618875992 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b651407268ade15b290648d5b02628a2d27eaf63
Author: Matt Caswell 
Date:   Fri Dec 19 10:55:54 2014 +0000

    Fix a problem if CFLAGS is too long cversion.c fails to compile when config
    is run with --strict-warnings.
    
    Reviewed-by: Richard Levitte 
    (cherry picked from commit 488f16e31b8f5ec2513410929325d0830d76762d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/Makefile    |    7 +------
 crypto/cversion.c  |   15 +++------------
 util/mkbuildinf.pl |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 18 deletions(-)
 create mode 100755 util/mkbuildinf.pl

diff --git a/crypto/Makefile b/crypto/Makefile
index e340afb..1969fc3 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -55,12 +55,7 @@ top:
 all: shared
 
 buildinf.h: ../Makefile
-	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
-	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo '#endif' ) >buildinf.h
+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
diff --git a/crypto/cversion.c b/crypto/cversion.c
index ea9f25f..0336ada 100644
--- a/crypto/cversion.c
+++ b/crypto/cversion.c
@@ -69,10 +69,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_BUILT_ON)
 		{
 #ifdef DATE
-		static char buf[sizeof(DATE)+11];
-
-		BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
-		return(buf);
+		return(DATE);
 #else
 		return("built on: date not available");
 #endif
@@ -80,10 +77,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_CFLAGS)
 		{
 #ifdef CFLAGS
-		static char buf[sizeof(CFLAGS)+11];
-
-		BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
-		return(buf);
+		return(cflags);
 #else
 		return("compiler: information not available");
 #endif
@@ -91,10 +85,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_PLATFORM)
 		{
 #ifdef PLATFORM
-		static char buf[sizeof(PLATFORM)+11];
-
-		BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
-		return(buf);
+		return(PLATFORM);
 #else
 		return("platform: information not available");
 #endif
diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl
new file mode 100755
index 0000000..ca02d7b
--- /dev/null
+++ b/util/mkbuildinf.pl
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+
+my ($cflags, $platform) = @ARGV;
+
+$cflags = "compiler: $cflags";
+$date = localtime();
+print <<"END_OUTPUT";
+#ifndef MK1MF_BUILD
+    /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */
+    #define CFLAGS
+    /*
+     * Generate CFLAGS as an array of individual characters. This is a
+     * workaround for the situation where CFLAGS gets too long for a C90 string
+     * literal
+     */
+    static const char cflags[] = {
+END_OUTPUT
+my $ctr = 0;
+foreach my $c (split //, $cflags) {
+    # Max 18 characters per line
+    if  (($ctr++ % 18) == 0) {
+        if ($ctr != 0) {
+            print "\n";
+        }
+        print "        ";
+    }
+    print "'$c',";
+}
+print <<"END_OUTPUT";
+'\\0'
+    };
+    #define PLATFORM "platform: $platform"
+    #define DATE "built on: $date"
+#endif
+END_OUTPUT


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Fri Dec 19 14:14:00 2014
From: matt at openssl.org (Matt Caswell)
Date: Fri, 19 Dec 2014 15:14:00 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 488f16e31b8f5ec2513410929325d0830d76762d
Message-ID: <20141219141401.831611DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  488f16e31b8f5ec2513410929325d0830d76762d (commit)
      from  c0fc27f88ea0933a3e201325fc683b52fe55d848 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 488f16e31b8f5ec2513410929325d0830d76762d
Author: Matt Caswell 
Date:   Fri Dec 19 10:55:54 2014 +0000

    Fix a problem if CFLAGS is too long cversion.c fails to compile when config
    is run with --strict-warnings.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 crypto/Makefile    |    7 +------
 crypto/cversion.c  |   15 +++------------
 util/mkbuildinf.pl |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 18 deletions(-)
 create mode 100755 util/mkbuildinf.pl

diff --git a/crypto/Makefile b/crypto/Makefile
index 0029b1b..d4c7712 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -64,12 +64,7 @@ fips: cryptlib.o thr_id.o uid.o $(CPUID_OBJ)
 		done;
 
 buildinf.h: ../Makefile
-	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
-	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo '#endif' ) >buildinf.h
+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
diff --git a/crypto/cversion.c b/crypto/cversion.c
index ea9f25f..0336ada 100644
--- a/crypto/cversion.c
+++ b/crypto/cversion.c
@@ -69,10 +69,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_BUILT_ON)
 		{
 #ifdef DATE
-		static char buf[sizeof(DATE)+11];
-
-		BIO_snprintf(buf,sizeof buf,"built on: %s",DATE);
-		return(buf);
+		return(DATE);
 #else
 		return("built on: date not available");
 #endif
@@ -80,10 +77,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_CFLAGS)
 		{
 #ifdef CFLAGS
-		static char buf[sizeof(CFLAGS)+11];
-
-		BIO_snprintf(buf,sizeof buf,"compiler: %s",CFLAGS);
-		return(buf);
+		return(cflags);
 #else
 		return("compiler: information not available");
 #endif
@@ -91,10 +85,7 @@ const char *SSLeay_version(int t)
 	if (t == SSLEAY_PLATFORM)
 		{
 #ifdef PLATFORM
-		static char buf[sizeof(PLATFORM)+11];
-
-		BIO_snprintf(buf,sizeof buf,"platform: %s", PLATFORM);
-		return(buf);
+		return(PLATFORM);
 #else
 		return("platform: information not available");
 #endif
diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl
new file mode 100755
index 0000000..ca02d7b
--- /dev/null
+++ b/util/mkbuildinf.pl
@@ -0,0 +1,35 @@
+#!/usr/local/bin/perl
+
+my ($cflags, $platform) = @ARGV;
+
+$cflags = "compiler: $cflags";
+$date = localtime();
+print <<"END_OUTPUT";
+#ifndef MK1MF_BUILD
+    /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */
+    #define CFLAGS
+    /*
+     * Generate CFLAGS as an array of individual characters. This is a
+     * workaround for the situation where CFLAGS gets too long for a C90 string
+     * literal
+     */
+    static const char cflags[] = {
+END_OUTPUT
+my $ctr = 0;
+foreach my $c (split //, $cflags) {
+    # Max 18 characters per line
+    if  (($ctr++ % 18) == 0) {
+        if ($ctr != 0) {
+            print "\n";
+        }
+        print "        ";
+    }
+    print "'$c',";
+}
+print <<"END_OUTPUT";
+'\\0'
+    };
+    #define PLATFORM "platform: $platform"
+    #define DATE "built on: $date"
+#endif
+END_OUTPUT


hooks/post-receive
-- 
OpenSSL source code

From root at openssl.org  Fri Dec 19 22:18:18 2014
From: root at openssl.org (root)
Date: Fri, 19 Dec 2014 23:18:18 +0100 (CET)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	9c7240f8f615cd0962891c294a51debf09864c74
Message-ID: <20141219221819.968911DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  9c7240f8f615cd0962891c294a51debf09864c74 (commit)
      from  5d5b987a68d97f30f947df7dc268e59ca1ebbaf8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 9c7240f8f615cd0962891c294a51debf09864c74
Author: root 
Date:   Fri Dec 19 17:17:45 2014 -0500

    Add WML files to make the old archive listings look pretty.
    
    Author: Rich Salz 

-----------------------------------------------------------------------

Summary of changes:
 source/old/0.9.x/index.wml |   18 ++++++++++++++++++
 source/old/1.0.0/index.wml |   19 +++++++++++++++++++
 source/old/1.0.1/index.wml |   18 ++++++++++++++++++
 source/old/1.0.2/index.wml |   20 ++++++++++++++++++++
 source/old/fips/index.wml  |   17 +++++++++++++++++
 source/old/index.wml       |   18 ++++++++++++++++++
 6 files changed, 110 insertions(+)
 create mode 100644 source/old/0.9.x/index.wml
 create mode 100644 source/old/1.0.0/index.wml
 create mode 100644 source/old/1.0.1/index.wml
 create mode 100644 source/old/1.0.2/index.wml
 create mode 100644 source/old/fips/index.wml
 create mode 100644 source/old/index.wml

diff --git a/source/old/0.9.x/index.wml b/source/old/0.9.x/index.wml
new file mode 100644
index 0000000..1ecb0be
--- /dev/null
+++ b/source/old/0.9.x/index.wml
@@ -0,0 +1,18 @@
+#use wml::openssl area=source page=old/0.9.x
+
+Old 0.9.x Releases
+
+Old 0.9.x Releases
+
+
+The table below lists the outdated FIPS releases.
+Note that The 0.9.8 stream has been announced as end-of-life.
+
+
+
+
+
+
Legalities
+
+
+
diff --git a/source/old/1.0.0/index.wml b/source/old/1.0.0/index.wml
new file mode 100644
index 0000000..ac386b1
--- /dev/null
+++ b/source/old/1.0.0/index.wml
@@ -0,0 +1,19 @@
+#use wml::openssl area=source page=old/1.0.0
+
+Old 1.0.0 Releases
+
+Old 1.0.0 Releases
+
+
+The table below lists the outdated 1.0.0 releases.
+
+
+
+
+
+
Legalities
+
+
+
+
+
diff --git a/source/old/1.0.1/index.wml b/source/old/1.0.1/index.wml
new file mode 100644
index 0000000..c9acfc4
--- /dev/null
+++ b/source/old/1.0.1/index.wml
@@ -0,0 +1,18 @@
+#use wml::openssl area=source page=old/1.0.1
+
+Old 1.0.1 Releases
+
+Old 1.0.1 Releases
+
+
+The table below lists the outdated 1.0.1 releases.
+
+
+
+
+
+
Legalities
+
+
+
+
diff --git a/source/old/1.0.2/index.wml b/source/old/1.0.2/index.wml
new file mode 100644
index 0000000..f6f1b84
--- /dev/null
+++ b/source/old/1.0.2/index.wml
@@ -0,0 +1,20 @@
+#use wml::openssl area=source page=old/1.0.2
+
+Old 1.0.2 Releases
+
+Old 1.0.2 Releases
+
+
+The table below lists the outdated 1.0.2 releases.
+
+
+
+
+
+
Legalities
+
+
+
+
+
+
diff --git a/source/old/fips/index.wml b/source/old/fips/index.wml
new file mode 100644
index 0000000..2c95798
--- /dev/null
+++ b/source/old/fips/index.wml
@@ -0,0 +1,17 @@
+#use wml::openssl area=source page=old/fips
+
+Old FIPS Releases
+
+Old FIPS Releases
+
+
+The table below lists the outdated FIPS releases.
+
+
+
+
+
+
Legalities
+
+
+
diff --git a/source/old/index.wml b/source/old/index.wml
new file mode 100644
index 0000000..a82799c
--- /dev/null
+++ b/source/old/index.wml
@@ -0,0 +1,18 @@
+
+#use wml::openssl area=source page=old
+
+Old Releases
+
+Old Releases
+
+
+The table below lists the latest releases for every branch.
+
+
+
+
+
+
Legalities
+
+
+


hooks/post-receive
-- 
OpenSSL Web Pages 

From rsalz at openssl.org  Sat Dec 20 02:11:50 2014
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 20 Dec 2014 03:11:50 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. e03b29871b2b87af9a4ec21c49eb3e1826eb772a
Message-ID: <20141220021155.263C51DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  e03b29871b2b87af9a4ec21c49eb3e1826eb772a (commit)
      from  488f16e31b8f5ec2513410929325d0830d76762d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit e03b29871b2b87af9a4ec21c49eb3e1826eb772a
Author: Rich Salz 
Date:   Fri Dec 19 21:11:09 2014 -0500

    RT3548: Remove outdated platforms
    
    This commit removes all mention of NeXT and NextStep.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              |    3 ++-
 crypto/des/des_old.h |    4 ++--
 crypto/ec/ectest.c   |    2 --
 e_os.h               |   10 ----------
 e_os2.h              |    2 +-
 ssl/ssltest.c        |    2 --
 util/mkdef.pl        |    2 +-
 7 files changed, 6 insertions(+), 19 deletions(-)

diff --git a/CHANGES b/CHANGES
index 34a85b2..5a32715 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,7 +28,8 @@
 
   *) Remove various unsupported platforms:
 	Sony NEWS4
-	Remove BEOS and BEOS_R5
+	BEOS and BEOS_R5
+	NeXT
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
diff --git a/crypto/des/des_old.h b/crypto/des/des_old.h
index 2b2c372..fab1c06 100644
--- a/crypto/des/des_old.h
+++ b/crypto/des/des_old.h
@@ -178,7 +178,7 @@ typedef struct _ossl_old_des_ks_struct
 #if 0
 #define des_crypt(b,s)\
 	DES_crypt((b),(s))
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(__OpenBSD__)
 #define crypt(b,s)\
 	DES_crypt((b),(s))
 #endif
@@ -375,7 +375,7 @@ int _ossl_old_des_enc_write(int fd,char *buf,int len,_ossl_old_des_key_schedule
 	_ossl_old_des_cblock *iv);
 char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret);
 char *_ossl_old_des_crypt(const char *buf,const char *salt);
-#if !defined(PERL5) && !defined(NeXT)
+#if !defined(PERL5)
 char *_ossl_old_crypt(const char *buf,const char *salt);
 #endif
 void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index 6da9279..16cf43f 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -164,8 +164,6 @@ static void timings(EC_GROUP *group, int type, BN_CTX *ctx)
 	 *                                       -- ISO/IEC 9899 */
 #	define UNIT "s"
 #else
-	/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
-	 *                            -- cc on NeXTstep/OpenStep */
 #	define UNIT "units"
 #	define CLOCKS_PER_SEC 1
 #endif
diff --git a/e_os.h b/e_os.h
index d0c8ed5..23daaf1 100644
--- a/e_os.h
+++ b/e_os.h
@@ -432,11 +432,6 @@ static __inline unsigned int _strlen31(const char *str)
 #    ifndef NO_SYS_TYPES_H
 #      include 
 #    endif
-#    if defined(NeXT)
-#      define pid_t int /* pid_t is missing on NEXTSTEP/OPENSTEP
-                         * (unless when compiling with -D_POSIX_SOURCE,
-                         * which doesn't work for us) */
-#    endif
 #    ifdef OPENSSL_SYS_WIN32_CYGWIN
 #      include 
 #      include 
@@ -560,11 +555,6 @@ static __inline unsigned int _strlen31(const char *str)
 #      include 
 #    endif
 
-#    if defined(NeXT) || defined(_NEXT_SOURCE)
-#      include 
-#      include 
-#    endif
-
 #    ifdef OPENSSL_SYS_AIX
 #      include 
 #    endif
diff --git a/e_os2.h b/e_os2.h
index 68801f4..aa4c10c 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -269,7 +269,7 @@ extern "C" {
 #  define ossl_ssize_t long
 #endif
 
-#if defined(NeXT) || defined(OPENSSL_SYS_SUNOS)
+#if defined(OPENSSL_SYS_SUNOS)
 #  define ssize_t int
 #endif
 
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 05f75aa..e5be634 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -1852,8 +1852,6 @@ bad:
 			(double)s_time/CLOCKS_PER_SEC,
 			(double)c_time/CLOCKS_PER_SEC);
 #else
-		/* "`CLOCKS_PER_SEC' undeclared (first use this function)"
-		 *                            -- cc on NeXTstep/OpenStep */
 		BIO_printf(bio_stdout,
 			"Approximate total server time: %6.2f units\n"
 			"Approximate total client time: %6.2f units\n",
diff --git a/util/mkdef.pl b/util/mkdef.pl
index fa3f3db..ccd72f5 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -78,7 +78,7 @@ my $OS2=0;
 # Set this to make typesafe STACK definitions appear in DEF
 my $safe_stack_def = 0;
 
-my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
+my @known_platforms = ( "__FreeBSD__", "PERL5",
 			"EXPORT_VAR_AS_FUNCTION", "ZLIB",
 			"OPENSSL_FIPS", "OPENSSL_FIPSCAPABLE" );
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );


hooks/post-receive
-- 
OpenSSL source code

From steve at openssl.org  Sat Dec 20 14:46:09 2014
From: steve at openssl.org (Dr. Stephen Henson)
Date: Sat, 20 Dec 2014 15:46:09 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 2521fcd8527008ceb3e4748f95b0ed4e2d70cfef
Message-ID: <20141220144610.4F7D71DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  2521fcd8527008ceb3e4748f95b0ed4e2d70cfef (commit)
      from  e03b29871b2b87af9a4ec21c49eb3e1826eb772a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2521fcd8527008ceb3e4748f95b0ed4e2d70cfef
Author: Michael Tuexen 
Date:   Sun Nov 16 17:29:08 2014 +0000

    Fix incorrect OPENSSL_assert() usage.
    
    Return an error code for I/O errors instead of an assertion failure.
    
    PR#3470
    Reviewed-by: Stephen Henson 
    Reviewed-by: Tim Hudson 

-----------------------------------------------------------------------

Summary of changes:
 crypto/bio/bss_dgram.c |   86 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index bf1e39b..88ee559 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -975,10 +975,18 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	/* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
 	auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 	auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	/* Test if activation was successful. When using accept(),
 	 * SCTP-AUTH has to be activated for the listening socket
@@ -987,7 +995,13 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	authchunks = OPENSSL_malloc(sockopt_len);
 	memset(authchunks, 0, sockopt_len);
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+
+	if (ret < 0)
+		{
+		OPENSSL_free(authchunks);
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	for (p = (unsigned char*) authchunks->gauth_chunks;
 	     p < (unsigned char*) authchunks + sockopt_len;
@@ -1009,16 +1023,28 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	event.se_type = SCTP_AUTHENTICATION_EVENT;
 	event.se_on = 1;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #else
 	sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	event.sctp_authentication_event = 1;
 
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #endif
 #endif
 
@@ -1026,7 +1052,11 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	 * larger than the max record size of 2^14 + 2048 + 13
 	 */
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	return(bio);
 	}
@@ -1191,16 +1221,28 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 					event.se_type = SCTP_SENDER_DRY_EVENT;
 					event.se_on = 0;
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #else
 					eventsize = sizeof(struct sctp_event_subscribe);
 					i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 
 					event.sctp_sender_dry_event = 0;
 
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #endif
 					}
 
@@ -1233,8 +1275,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			 */
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Test if SCTP doesn't partially deliver below
 			 * max record size (2^14 + 2048 + 13)
@@ -1242,8 +1284,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
 			                 &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Partially delivered notification??? Probably a bug.... */
 			OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
@@ -1277,15 +1319,15 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			authchunks = OPENSSL_malloc(optlen);
 			memset(authchunks, 0, optlen);
 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
-			OPENSSL_assert(ii >= 0);
 
-			for (p = (unsigned char*) authchunks->gauth_chunks;
-				 p < (unsigned char*) authchunks + optlen;
-				 p += sizeof(uint8_t))
-				{
-				if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
-				if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
-				}
+			if (ii >= 0)
+				for (p = (unsigned char*) authchunks->gauth_chunks;
+				     p < (unsigned char*) authchunks + optlen;
+				     p += sizeof(uint8_t))
+					{
+					if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
+					if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
+					}
 
 			OPENSSL_free(authchunks);
 


hooks/post-receive
-- 
OpenSSL source code

From steve at openssl.org  Sat Dec 20 14:47:30 2014
From: steve at openssl.org (Dr. Stephen Henson)
Date: Sat, 20 Dec 2014 15:47:30 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-85-gd6c2e3e
Message-ID: <20141220144731.0A9F61DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  d6c2e3e621bbf592f6ba0b53853face625b9f740 (commit)
      from  8c46748bcb601972faf2426fc42d80099af84df9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d6c2e3e621bbf592f6ba0b53853face625b9f740
Author: Michael Tuexen 
Date:   Sun Nov 16 17:29:08 2014 +0000

    Fix incorrect OPENSSL_assert() usage.
    
    Return an error code for I/O errors instead of an assertion failure.
    
    PR#3470
    Reviewed-by: Stephen Henson 
    Reviewed-by: Tim Hudson 
    
    (cherry picked from commit 2521fcd8527008ceb3e4748f95b0ed4e2d70cfef)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bio/bss_dgram.c |   86 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 7bed08e..53588e1 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -927,10 +927,18 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	/* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
 	auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 	auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	/* Test if activation was successful. When using accept(),
 	 * SCTP-AUTH has to be activated for the listening socket
@@ -939,7 +947,13 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	authchunks = OPENSSL_malloc(sockopt_len);
 	memset(authchunks, 0, sizeof(sockopt_len));
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+
+	if (ret < 0)
+		{
+		OPENSSL_free(authchunks);
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	for (p = (unsigned char*) authchunks->gauth_chunks;
 	     p < (unsigned char*) authchunks + sockopt_len;
@@ -961,16 +975,28 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	event.se_type = SCTP_AUTHENTICATION_EVENT;
 	event.se_on = 1;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #else
 	sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	event.sctp_authentication_event = 1;
 
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #endif
 #endif
 
@@ -978,7 +1004,11 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	 * larger than the max record size of 2^14 + 2048 + 13
 	 */
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	return(bio);
 	}
@@ -1143,16 +1173,28 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 					event.se_type = SCTP_SENDER_DRY_EVENT;
 					event.se_on = 0;
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #else
 					eventsize = sizeof(struct sctp_event_subscribe);
 					i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 
 					event.sctp_sender_dry_event = 0;
 
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #endif
 					}
 
@@ -1185,8 +1227,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			 */
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Test if SCTP doesn't partially deliver below
 			 * max record size (2^14 + 2048 + 13)
@@ -1194,8 +1236,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
 			                 &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Partially delivered notification??? Probably a bug.... */
 			OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
@@ -1229,15 +1271,15 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			authchunks = OPENSSL_malloc(optlen);
 			memset(authchunks, 0, sizeof(optlen));
 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
-			OPENSSL_assert(ii >= 0);
 
-			for (p = (unsigned char*) authchunks->gauth_chunks;
-				 p < (unsigned char*) authchunks + optlen;
-				 p += sizeof(uint8_t))
-				{
-				if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
-				if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
-				}
+			if (ii >= 0)
+				for (p = (unsigned char*) authchunks->gauth_chunks;
+				     p < (unsigned char*) authchunks + optlen;
+				     p += sizeof(uint8_t))
+					{
+					if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
+					if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
+					}
 
 			OPENSSL_free(authchunks);
 


hooks/post-receive
-- 
OpenSSL source code

From steve at openssl.org  Sat Dec 20 14:47:31 2014
From: steve at openssl.org (Dr. Stephen Henson)
Date: Sat, 20 Dec 2014 15:47:31 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-124-g5760c8b
Message-ID: <20141220144731.8C4651DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  5760c8b82fde3e3cc495dc0c05806ba1b55ecf5f (commit)
      from  b651407268ade15b290648d5b02628a2d27eaf63 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5760c8b82fde3e3cc495dc0c05806ba1b55ecf5f
Author: Michael Tuexen 
Date:   Sun Nov 16 17:29:08 2014 +0000

    Fix incorrect OPENSSL_assert() usage.
    
    Return an error code for I/O errors instead of an assertion failure.
    
    PR#3470
    Reviewed-by: Stephen Henson 
    Reviewed-by: Tim Hudson 
    
    (cherry picked from commit 2521fcd8527008ceb3e4748f95b0ed4e2d70cfef)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bio/bss_dgram.c |   86 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 6389dd1..a8b9c09 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -975,10 +975,18 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	/* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
 	auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 	auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	/* Test if activation was successful. When using accept(),
 	 * SCTP-AUTH has to be activated for the listening socket
@@ -987,7 +995,13 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	authchunks = OPENSSL_malloc(sockopt_len);
 	memset(authchunks, 0, sizeof(sockopt_len));
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+
+	if (ret < 0)
+		{
+		OPENSSL_free(authchunks);
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	for (p = (unsigned char*) authchunks->gauth_chunks;
 	     p < (unsigned char*) authchunks + sockopt_len;
@@ -1009,16 +1023,28 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	event.se_type = SCTP_AUTHENTICATION_EVENT;
 	event.se_on = 1;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #else
 	sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	event.sctp_authentication_event = 1;
 
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #endif
 #endif
 
@@ -1026,7 +1052,11 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	 * larger than the max record size of 2^14 + 2048 + 13
 	 */
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	return(bio);
 	}
@@ -1191,16 +1221,28 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 					event.se_type = SCTP_SENDER_DRY_EVENT;
 					event.se_on = 0;
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #else
 					eventsize = sizeof(struct sctp_event_subscribe);
 					i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 
 					event.sctp_sender_dry_event = 0;
 
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #endif
 					}
 
@@ -1233,8 +1275,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			 */
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Test if SCTP doesn't partially deliver below
 			 * max record size (2^14 + 2048 + 13)
@@ -1242,8 +1284,8 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
 			                 &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Partially delivered notification??? Probably a bug.... */
 			OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
@@ -1277,15 +1319,15 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			authchunks = OPENSSL_malloc(optlen);
 			memset(authchunks, 0, sizeof(optlen));
 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
-			OPENSSL_assert(ii >= 0);
 
-			for (p = (unsigned char*) authchunks->gauth_chunks;
-				 p < (unsigned char*) authchunks + optlen;
-				 p += sizeof(uint8_t))
-				{
-				if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
-				if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
-				}
+			if (ii >= 0)
+				for (p = (unsigned char*) authchunks->gauth_chunks;
+				     p < (unsigned char*) authchunks + optlen;
+				     p += sizeof(uint8_t))
+					{
+					if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
+					if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
+					}
 
 			OPENSSL_free(authchunks);
 


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Mon Dec 22 04:19:12 2014
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 22 Dec 2014 05:19:12 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. f2319414445ef5991d77c015af86276d84b9fec1
Message-ID: <20141222041912.DF2541DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  f2319414445ef5991d77c015af86276d84b9fec1 (commit)
      from  2521fcd8527008ceb3e4748f95b0ed4e2d70cfef (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f2319414445ef5991d77c015af86276d84b9fec1
Author: Rich Salz 
Date:   Sun Dec 21 23:18:02 2014 -0500

    RT3548: Remvoe unsupported platforms
    
    This commit removes SunOS (a sentimental favorite of mine).
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                |    1 +
 Configure              |    4 ----
 crypto/dso/dso_dlfcn.c |    6 +-----
 crypto/o_time.c        |    2 +-
 crypto/ocsp/ocsp_ht.c  |    3 ---
 crypto/ui/ui_openssl.c |    6 +-----
 e_os2.h                |    7 -------
 7 files changed, 4 insertions(+), 25 deletions(-)

diff --git a/CHANGES b/CHANGES
index 5a32715..a8f37be 100644
--- a/CHANGES
+++ b/CHANGES
@@ -30,6 +30,7 @@
 	Sony NEWS4
 	BEOS and BEOS_R5
 	NeXT
+	SUNOS
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
diff --git a/Configure b/Configure
index b97f961..a94b0dc 100755
--- a/Configure
+++ b/Configure
@@ -257,10 +257,6 @@ my %table=(
 "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-#### SunOS configs, assuming sparc for the gcc one.
-#"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
-"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::",
-
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
 "irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${mips32_asm}:o32:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
index 4a56aac..0135cc1 100644
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -153,11 +153,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 #		endif
 #	endif
 #else
-#	ifdef OPENSSL_SYS_SUNOS
-#		define DLOPEN_FLAG 1
-#	else
-#		define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
-#	endif
+#	define DLOPEN_FLAG RTLD_NOW /* Hope this works everywhere else */
 #endif
 
 /* For this DSO_METHOD, our meth_data STACK will contain;
diff --git a/crypto/o_time.c b/crypto/o_time.c
index 84aa5c3..362e9e7 100644
--- a/crypto/o_time.c
+++ b/crypto/o_time.c
@@ -82,7 +82,7 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 	{
 	struct tm *ts = NULL;
 
-#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_SUNOS)
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
 	/* should return &data, but doesn't on some systems,
 	   so we don't even look at the return value */
 	gmtime_r(timer,result);
diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c
index bac35f8..268f575 100644
--- a/crypto/ocsp/ocsp_ht.c
+++ b/crypto/ocsp/ocsp_ht.c
@@ -65,9 +65,6 @@
 #include 
 #include 
 #include 
-#ifdef OPENSSL_SYS_SUNOS
-#define strtoul (unsigned long)strtol
-#endif /* OPENSSL_SYS_SUNOS */
 
 /* Stateful OCSP request code, supporting non-blocking I/O */
 
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 46128fe..9ec8883 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -244,7 +244,7 @@
 # define TTY_set(tty,data)	ioctl(tty,TIOCSETP,data)
 #endif
 
-#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_SUNOS)
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
 # include 
 #endif
 
@@ -264,10 +264,6 @@ struct IOSB {
 	};
 #endif
 
-#ifdef OPENSSL_SYS_SUNOS
-	typedef int sig_atomic_t;
-#endif
-
 #if defined(MAC_OS_GUSI_SOURCE) || defined(OPENSSL_SYS_NETWARE)
 /*
  * This one needs work. As a matter of fact the code is unoperational
diff --git a/e_os2.h b/e_os2.h
index aa4c10c..7850169 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -168,9 +168,6 @@ extern "C" {
 # ifdef OPENSSL_SYSNAME_MACOSX
 #  define OPENSSL_SYS_MACOSX
 # endif
-# ifdef OPENSSL_SYSNAME_SUNOS
-#  define OPENSSL_SYS_SUNOS
-#endif
 # if defined(_CRAY) || defined(OPENSSL_SYSNAME_CRAY)
 #  define OPENSSL_SYS_CRAY
 # endif
@@ -269,10 +266,6 @@ extern "C" {
 #  define ossl_ssize_t long
 #endif
 
-#if defined(OPENSSL_SYS_SUNOS)
-#  define ssize_t int
-#endif
-
 #if defined(__ultrix) && !defined(ssize_t)
 #  define ossl_ssize_t int 
 #endif


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Mon Dec 22 14:35:29 2014
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 22 Dec 2014 15:35:29 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 7cfab40f43afac2f46652886e260d1c4de058806
Message-ID: <20141222143529.4C89F1DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  7cfab40f43afac2f46652886e260d1c4de058806 (commit)
      from  f2319414445ef5991d77c015af86276d84b9fec1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7cfab40f43afac2f46652886e260d1c4de058806
Author: Richard Levitte 
Date:   Mon Dec 22 14:30:23 2014 +0100

    Small typo
    
    Reviewed-by: Stephen Henson 

-----------------------------------------------------------------------

Summary of changes:
 doc/HOWTO/proxy_certificates.txt |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/HOWTO/proxy_certificates.txt b/doc/HOWTO/proxy_certificates.txt
index 7d51f60..d78be2f1 100644
--- a/doc/HOWTO/proxy_certificates.txt
+++ b/doc/HOWTO/proxy_certificates.txt
@@ -114,7 +114,7 @@ recognised:
 The 'policy' setting can be split up in multiple lines like this:
 
   0.policy=This is
-  1.polisy= a multi-
+  1.policy= a multi-
   2.policy=line policy.
 
 NOTE: the proxy policy value is the part which determines the rights granted to


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Mon Dec 22 14:37:49 2014
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 22 Dec 2014 15:37:49 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-86-ga5fad4d
Message-ID: <20141222143750.3E7DA1DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  a5fad4d6bca9dd177bda99e3eab779ad0cb31166 (commit)
      from  d6c2e3e621bbf592f6ba0b53853face625b9f740 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a5fad4d6bca9dd177bda99e3eab779ad0cb31166
Author: Richard Levitte 
Date:   Mon Dec 22 14:30:23 2014 +0100

    Small typo
    
    Reviewed-by: Stephen Henson 
    (cherry picked from commit 7cfab40f43afac2f46652886e260d1c4de058806)

-----------------------------------------------------------------------

Summary of changes:
 doc/HOWTO/proxy_certificates.txt |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/HOWTO/proxy_certificates.txt b/doc/HOWTO/proxy_certificates.txt
index 7d51f60..d78be2f1 100644
--- a/doc/HOWTO/proxy_certificates.txt
+++ b/doc/HOWTO/proxy_certificates.txt
@@ -114,7 +114,7 @@ recognised:
 The 'policy' setting can be split up in multiple lines like this:
 
   0.policy=This is
-  1.polisy= a multi-
+  1.policy= a multi-
   2.policy=line policy.
 
 NOTE: the proxy policy value is the part which determines the rights granted to


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Mon Dec 22 14:37:53 2014
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 22 Dec 2014 15:37:53 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-125-g5819146
Message-ID: <20141222143753.D55B01DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  58191465ef9138e36c7e1d644df109b9cd83ff93 (commit)
      from  5760c8b82fde3e3cc495dc0c05806ba1b55ecf5f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 58191465ef9138e36c7e1d644df109b9cd83ff93
Author: Richard Levitte 
Date:   Mon Dec 22 14:30:23 2014 +0100

    Small typo
    
    Reviewed-by: Stephen Henson 
    (cherry picked from commit 7cfab40f43afac2f46652886e260d1c4de058806)

-----------------------------------------------------------------------

Summary of changes:
 doc/HOWTO/proxy_certificates.txt |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/HOWTO/proxy_certificates.txt b/doc/HOWTO/proxy_certificates.txt
index 7d51f60..d78be2f1 100644
--- a/doc/HOWTO/proxy_certificates.txt
+++ b/doc/HOWTO/proxy_certificates.txt
@@ -114,7 +114,7 @@ recognised:
 The 'policy' setting can be split up in multiple lines like this:
 
   0.policy=This is
-  1.polisy= a multi-
+  1.policy= a multi-
   2.policy=line policy.
 
 NOTE: the proxy policy value is the part which determines the rights granted to


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Mon Dec 22 15:24:36 2014
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 22 Dec 2014 16:24:36 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 67472bd82bed9d5e481b0d75926aab93618902be
Message-ID: <20141222152436.2987A1DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  67472bd82bed9d5e481b0d75926aab93618902be (commit)
      from  7cfab40f43afac2f46652886e260d1c4de058806 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 67472bd82bed9d5e481b0d75926aab93618902be
Author: Alok Menghrajani 
Date:   Sun Nov 30 19:21:31 2014 -0800

    Improves certificates HOWTO
    
    * adds links to various related documents.
    * fixes a few typos.
    * rewords a few sentences.
    
    Reviewed-by: Richard Levitte 
    Reviewed-by: Rich Salz 

-----------------------------------------------------------------------

Summary of changes:
 doc/HOWTO/certificates.txt |   75 +++++++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 35 deletions(-)

diff --git a/doc/HOWTO/certificates.txt b/doc/HOWTO/certificates.txt
index a8a34c7..65f8fc8 100644
--- a/doc/HOWTO/certificates.txt
+++ b/doc/HOWTO/certificates.txt
@@ -3,22 +3,22 @@
 
 1. Introduction
 
-How you handle certificates depend a great deal on what your role is.
+How you handle certificates depends a great deal on what your role is.
 Your role can be one or several of:
 
-  - User of some client software
-  - User of some server software
+  - User of some client application
+  - User of some server application
   - Certificate authority
 
 This file is for users who wish to get a certificate of their own.
-Certificate authorities should read ca.txt.
+Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.
 
 In all the cases shown below, the standard configuration file, as
 compiled into openssl, will be used.  You may find it in /etc/,
-/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
-is better described in another HOWTO .  If you want to
-use a different configuration file, use the argument '-config {file}'
-with the command shown below.
+/usr/local/ssl/ or somewhere else.  By default the file is named
+openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+You can specify a different configuration file using the
+'-config {file}' argument with the commands shown below.
 
 
 2. Relationship with keys
@@ -29,24 +29,26 @@ somewhere.  With OpenSSL, public keys are easily derived from private
 keys, so before you create a certificate or a certificate request, you
 need to create a private key.
 
-Private keys are generated with 'openssl genrsa' if you want a RSA
-private key, or 'openssl gendsa' if you want a DSA private key.
-Further information on how to create private keys can be found in
-another HOWTO .  The rest of this text assumes you have
-a private key in the file privkey.pem.
+Private keys are generated with 'openssl genrsa -out privkey.pem' if
+you want a RSA private key, or if you want a DSA private key:
+'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.
+
+The private keys created by these commands are not passphrase protected;
+it might or might not be the desirable thing.  Further information on how to
+create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
+The rest of this text assumes you have a private key in the file privkey.pem.
 
 
 3. Creating a certificate request
 
-To create a certificate, you need to start with a certificate
-request (or, as some certificate authorities like to put
-it, "certificate signing request", since that's exactly what they do,
-they sign it and give you the result back, thus making it authentic
-according to their policies).  A certificate request can then be sent
-to a certificate authority to get it signed into a certificate, or if
-you have your own certificate authority, you may sign it yourself, or
-if you need a self-signed certificate (because you just want a test
-certificate or because you are setting up your own CA).
+To create a certificate, you need to start with a certificate request
+(or, as some certificate authorities like to put it, "certificate
+signing request", since that's exactly what they do, they sign it and
+give you the result back, thus making it authentic according to their
+policies).  A certificate request is sent to a certificate authority
+to get it signed into a certificate. You can also sign the certificate
+yourself if you have your own certificate authority or create a
+self-signed certificate (typically for testing purpose).
 
 The certificate request is created like this:
 
@@ -55,12 +57,14 @@ The certificate request is created like this:
 Now, cert.csr can be sent to the certificate authority, if they can
 handle files in PEM format.  If not, use the extra argument '-outform'
 followed by the keyword for the format to use (see another HOWTO
-).  In some cases, that isn't sufficient and you will
-have to be more creative.
+).  In some cases, -outform does not let you output the
+certificate request in the right format and you will have to use one
+of the various other commands that are exposed by openssl (or get
+creative and use a combination of tools).
 
-When the certificate authority has then done the checks the need to
-do (and probably gotten payment from you), they will hand over your
-new certificate to you.
+The certificate authority performs various checks (according to their
+policies) and usually waits for payment from you. Once that is
+complete, they send you your new certificate.
 
 Section 5 will tell you more on how to handle the certificate you
 received.
@@ -68,11 +72,12 @@ received.
 
 4. Creating a self-signed test certificate
 
-If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself.  This is similar to
-creating a certificate request, but creates a certificate instead of
-a certificate request.  This is NOT the recommended way to create a
-CA certificate, see ca.txt.
+You can create a self-signed certificate if you don't want to deal
+with a certificate authority, or if you just want to create a test
+certificate for yourself.  This is similar to creating a certificate
+request, but creates a certificate instead of a certificate request.
+This is NOT the recommended way to create a CA certificate, see
+https://www.openssl.org/docs/apps/ca.html.
 
   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
@@ -93,13 +98,13 @@ certificate and your key to various formats, most often also putting
 them together into one file.  The ways to do this is described in
 another HOWTO , I will just mention the simplest case.
 In the case of a raw DER thing in PEM format, and assuming that's all
-right for yor applications, simply concatenating the certificate and
+right for your applications, simply concatenating the certificate and
 the key into a new file and using that one should be enough.  With
 some applications, you don't even have to do that.
 
 
-By now, you have your cetificate and your private key and can start
-using the software that depend on it.
+By now, you have your certificate and your private key and can start
+using applications that depend on it.
 
 -- 
 Richard Levitte


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Mon Dec 22 15:26:25 2014
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 22 Dec 2014 16:26:25 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-87-g5dad575
Message-ID: <20141222152625.897ED1DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  5dad57536f943964e082f243430e0a945bcabbad (commit)
      from  a5fad4d6bca9dd177bda99e3eab779ad0cb31166 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5dad57536f943964e082f243430e0a945bcabbad
Author: Alok Menghrajani 
Date:   Sun Nov 30 19:21:31 2014 -0800

    Improves certificates HOWTO
    
    * adds links to various related documents.
    * fixes a few typos.
    * rewords a few sentences.
    
    Reviewed-by: Richard Levitte 
    Reviewed-by: Rich Salz 
    (cherry picked from commit 67472bd82bed9d5e481b0d75926aab93618902be)

-----------------------------------------------------------------------

Summary of changes:
 doc/HOWTO/certificates.txt |   75 +++++++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 35 deletions(-)

diff --git a/doc/HOWTO/certificates.txt b/doc/HOWTO/certificates.txt
index a8a34c7..65f8fc8 100644
--- a/doc/HOWTO/certificates.txt
+++ b/doc/HOWTO/certificates.txt
@@ -3,22 +3,22 @@
 
 1. Introduction
 
-How you handle certificates depend a great deal on what your role is.
+How you handle certificates depends a great deal on what your role is.
 Your role can be one or several of:
 
-  - User of some client software
-  - User of some server software
+  - User of some client application
+  - User of some server application
   - Certificate authority
 
 This file is for users who wish to get a certificate of their own.
-Certificate authorities should read ca.txt.
+Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.
 
 In all the cases shown below, the standard configuration file, as
 compiled into openssl, will be used.  You may find it in /etc/,
-/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
-is better described in another HOWTO .  If you want to
-use a different configuration file, use the argument '-config {file}'
-with the command shown below.
+/usr/local/ssl/ or somewhere else.  By default the file is named
+openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+You can specify a different configuration file using the
+'-config {file}' argument with the commands shown below.
 
 
 2. Relationship with keys
@@ -29,24 +29,26 @@ somewhere.  With OpenSSL, public keys are easily derived from private
 keys, so before you create a certificate or a certificate request, you
 need to create a private key.
 
-Private keys are generated with 'openssl genrsa' if you want a RSA
-private key, or 'openssl gendsa' if you want a DSA private key.
-Further information on how to create private keys can be found in
-another HOWTO .  The rest of this text assumes you have
-a private key in the file privkey.pem.
+Private keys are generated with 'openssl genrsa -out privkey.pem' if
+you want a RSA private key, or if you want a DSA private key:
+'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.
+
+The private keys created by these commands are not passphrase protected;
+it might or might not be the desirable thing.  Further information on how to
+create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
+The rest of this text assumes you have a private key in the file privkey.pem.
 
 
 3. Creating a certificate request
 
-To create a certificate, you need to start with a certificate
-request (or, as some certificate authorities like to put
-it, "certificate signing request", since that's exactly what they do,
-they sign it and give you the result back, thus making it authentic
-according to their policies).  A certificate request can then be sent
-to a certificate authority to get it signed into a certificate, or if
-you have your own certificate authority, you may sign it yourself, or
-if you need a self-signed certificate (because you just want a test
-certificate or because you are setting up your own CA).
+To create a certificate, you need to start with a certificate request
+(or, as some certificate authorities like to put it, "certificate
+signing request", since that's exactly what they do, they sign it and
+give you the result back, thus making it authentic according to their
+policies).  A certificate request is sent to a certificate authority
+to get it signed into a certificate. You can also sign the certificate
+yourself if you have your own certificate authority or create a
+self-signed certificate (typically for testing purpose).
 
 The certificate request is created like this:
 
@@ -55,12 +57,14 @@ The certificate request is created like this:
 Now, cert.csr can be sent to the certificate authority, if they can
 handle files in PEM format.  If not, use the extra argument '-outform'
 followed by the keyword for the format to use (see another HOWTO
-).  In some cases, that isn't sufficient and you will
-have to be more creative.
+).  In some cases, -outform does not let you output the
+certificate request in the right format and you will have to use one
+of the various other commands that are exposed by openssl (or get
+creative and use a combination of tools).
 
-When the certificate authority has then done the checks the need to
-do (and probably gotten payment from you), they will hand over your
-new certificate to you.
+The certificate authority performs various checks (according to their
+policies) and usually waits for payment from you. Once that is
+complete, they send you your new certificate.
 
 Section 5 will tell you more on how to handle the certificate you
 received.
@@ -68,11 +72,12 @@ received.
 
 4. Creating a self-signed test certificate
 
-If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself.  This is similar to
-creating a certificate request, but creates a certificate instead of
-a certificate request.  This is NOT the recommended way to create a
-CA certificate, see ca.txt.
+You can create a self-signed certificate if you don't want to deal
+with a certificate authority, or if you just want to create a test
+certificate for yourself.  This is similar to creating a certificate
+request, but creates a certificate instead of a certificate request.
+This is NOT the recommended way to create a CA certificate, see
+https://www.openssl.org/docs/apps/ca.html.
 
   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
@@ -93,13 +98,13 @@ certificate and your key to various formats, most often also putting
 them together into one file.  The ways to do this is described in
 another HOWTO , I will just mention the simplest case.
 In the case of a raw DER thing in PEM format, and assuming that's all
-right for yor applications, simply concatenating the certificate and
+right for your applications, simply concatenating the certificate and
 the key into a new file and using that one should be enough.  With
 some applications, you don't even have to do that.
 
 
-By now, you have your cetificate and your private key and can start
-using the software that depend on it.
+By now, you have your certificate and your private key and can start
+using applications that depend on it.
 
 -- 
 Richard Levitte


hooks/post-receive
-- 
OpenSSL source code

From levitte at openssl.org  Mon Dec 22 15:26:30 2014
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 22 Dec 2014 16:26:30 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-126-gbeef278
Message-ID: <20141222152630.489E41DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  beef278bd7a4c3658d2bee5d4f2b5301e42e7a4e (commit)
      from  58191465ef9138e36c7e1d644df109b9cd83ff93 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit beef278bd7a4c3658d2bee5d4f2b5301e42e7a4e
Author: Alok Menghrajani 
Date:   Sun Nov 30 19:21:31 2014 -0800

    Improves certificates HOWTO
    
    * adds links to various related documents.
    * fixes a few typos.
    * rewords a few sentences.
    
    Reviewed-by: Richard Levitte 
    Reviewed-by: Rich Salz 
    (cherry picked from commit 67472bd82bed9d5e481b0d75926aab93618902be)

-----------------------------------------------------------------------

Summary of changes:
 doc/HOWTO/certificates.txt |   75 +++++++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 35 deletions(-)

diff --git a/doc/HOWTO/certificates.txt b/doc/HOWTO/certificates.txt
index a8a34c7..65f8fc8 100644
--- a/doc/HOWTO/certificates.txt
+++ b/doc/HOWTO/certificates.txt
@@ -3,22 +3,22 @@
 
 1. Introduction
 
-How you handle certificates depend a great deal on what your role is.
+How you handle certificates depends a great deal on what your role is.
 Your role can be one or several of:
 
-  - User of some client software
-  - User of some server software
+  - User of some client application
+  - User of some server application
   - Certificate authority
 
 This file is for users who wish to get a certificate of their own.
-Certificate authorities should read ca.txt.
+Certificate authorities should read https://www.openssl.org/docs/apps/ca.html.
 
 In all the cases shown below, the standard configuration file, as
 compiled into openssl, will be used.  You may find it in /etc/,
-/usr/local/ssl/ or somewhere else.  The name is openssl.cnf, and
-is better described in another HOWTO .  If you want to
-use a different configuration file, use the argument '-config {file}'
-with the command shown below.
+/usr/local/ssl/ or somewhere else.  By default the file is named
+openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+You can specify a different configuration file using the
+'-config {file}' argument with the commands shown below.
 
 
 2. Relationship with keys
@@ -29,24 +29,26 @@ somewhere.  With OpenSSL, public keys are easily derived from private
 keys, so before you create a certificate or a certificate request, you
 need to create a private key.
 
-Private keys are generated with 'openssl genrsa' if you want a RSA
-private key, or 'openssl gendsa' if you want a DSA private key.
-Further information on how to create private keys can be found in
-another HOWTO .  The rest of this text assumes you have
-a private key in the file privkey.pem.
+Private keys are generated with 'openssl genrsa -out privkey.pem' if
+you want a RSA private key, or if you want a DSA private key:
+'openssl dsaparam -out dsaparam.pem 2048; openssl gendsa -out privkey.pem dsaparam.pem'.
+
+The private keys created by these commands are not passphrase protected;
+it might or might not be the desirable thing.  Further information on how to
+create private keys can be found at https://www.openssl.org/docs/HOWTO/keys.txt.
+The rest of this text assumes you have a private key in the file privkey.pem.
 
 
 3. Creating a certificate request
 
-To create a certificate, you need to start with a certificate
-request (or, as some certificate authorities like to put
-it, "certificate signing request", since that's exactly what they do,
-they sign it and give you the result back, thus making it authentic
-according to their policies).  A certificate request can then be sent
-to a certificate authority to get it signed into a certificate, or if
-you have your own certificate authority, you may sign it yourself, or
-if you need a self-signed certificate (because you just want a test
-certificate or because you are setting up your own CA).
+To create a certificate, you need to start with a certificate request
+(or, as some certificate authorities like to put it, "certificate
+signing request", since that's exactly what they do, they sign it and
+give you the result back, thus making it authentic according to their
+policies).  A certificate request is sent to a certificate authority
+to get it signed into a certificate. You can also sign the certificate
+yourself if you have your own certificate authority or create a
+self-signed certificate (typically for testing purpose).
 
 The certificate request is created like this:
 
@@ -55,12 +57,14 @@ The certificate request is created like this:
 Now, cert.csr can be sent to the certificate authority, if they can
 handle files in PEM format.  If not, use the extra argument '-outform'
 followed by the keyword for the format to use (see another HOWTO
-).  In some cases, that isn't sufficient and you will
-have to be more creative.
+).  In some cases, -outform does not let you output the
+certificate request in the right format and you will have to use one
+of the various other commands that are exposed by openssl (or get
+creative and use a combination of tools).
 
-When the certificate authority has then done the checks the need to
-do (and probably gotten payment from you), they will hand over your
-new certificate to you.
+The certificate authority performs various checks (according to their
+policies) and usually waits for payment from you. Once that is
+complete, they send you your new certificate.
 
 Section 5 will tell you more on how to handle the certificate you
 received.
@@ -68,11 +72,12 @@ received.
 
 4. Creating a self-signed test certificate
 
-If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself.  This is similar to
-creating a certificate request, but creates a certificate instead of
-a certificate request.  This is NOT the recommended way to create a
-CA certificate, see ca.txt.
+You can create a self-signed certificate if you don't want to deal
+with a certificate authority, or if you just want to create a test
+certificate for yourself.  This is similar to creating a certificate
+request, but creates a certificate instead of a certificate request.
+This is NOT the recommended way to create a CA certificate, see
+https://www.openssl.org/docs/apps/ca.html.
 
   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
@@ -93,13 +98,13 @@ certificate and your key to various formats, most often also putting
 them together into one file.  The ways to do this is described in
 another HOWTO , I will just mention the simplest case.
 In the case of a raw DER thing in PEM format, and assuming that's all
-right for yor applications, simply concatenating the certificate and
+right for your applications, simply concatenating the certificate and
 the key into a new file and using that one should be enough.  With
 some applications, you don't even have to do that.
 
 
-By now, you have your cetificate and your private key and can start
-using the software that depend on it.
+By now, you have your certificate and your private key and can start
+using applications that depend on it.
 
 -- 
 Richard Levitte


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Mon Dec 22 22:48:05 2014
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 22 Dec 2014 23:48:05 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 5ad4fdce41bb1ce7762b70fb50f732f70e3772cf
Message-ID: <20141222224805.C20E81DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  5ad4fdce41bb1ce7762b70fb50f732f70e3772cf (commit)
      from  67472bd82bed9d5e481b0d75926aab93618902be (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5ad4fdce41bb1ce7762b70fb50f732f70e3772cf
Author: Rich Salz 
Date:   Mon Dec 22 17:47:28 2014 -0500

    RT3548: Remove unsupported platforms.
    
    This commit removes MPE/iX
    
    Reviewed-by: Andy Polyakov 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES               |    1 +
 apps/s_socket.c       |    2 +-
 crypto/bio/bss_conn.c |    2 +-
 crypto/des/read_pwd.c |    6 ------
 e_os.h                |    5 -----
 e_os2.h               |    3 ---
 6 files changed, 3 insertions(+), 16 deletions(-)

diff --git a/CHANGES b/CHANGES
index a8f37be..4d27975 100644
--- a/CHANGES
+++ b/CHANGES
@@ -31,6 +31,7 @@
 	BEOS and BEOS_R5
 	NeXT
 	SUNOS
+	MPE/iX
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
diff --git a/apps/s_socket.c b/apps/s_socket.c
index e83baf4..7edef15 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -269,7 +269,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
 			
 	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 
-#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+#if defined(SO_KEEPALIVE)
 	if (type == SOCK_STREAM)
 		{
 		i=0;
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 91e47e9..d2c9695 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -236,7 +236,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
 				}
 			c->state=BIO_CONN_S_CONNECT;
 
-#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+#if defined(SO_KEEPALIVE)
 			i=1;
 			i=setsockopt(b->num,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
 			if (i < 0)
diff --git a/crypto/des/read_pwd.c b/crypto/des/read_pwd.c
index ffc458a..9ad8f51 100644
--- a/crypto/des/read_pwd.c
+++ b/crypto/des/read_pwd.c
@@ -289,9 +289,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 #elif defined(OPENSSL_SYS_VXWORKS)
 	tty=stdin;
 #else
-#ifndef OPENSSL_SYS_MPE
 	if ((tty=fopen("/dev/tty","r")) == NULL)
-#endif
 		tty=stdin;
 #endif
 
@@ -332,12 +330,8 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 
 #if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
 	if (is_a_tty && (TTY_set(fileno(tty),&tty_new) == -1))
-#ifdef OPENSSL_SYS_MPE 
-		; /* MPE lies -- echo really has been disabled */
-#else
 		return(-1);
 #endif
-#endif
 #ifdef OPENSSL_SYS_VMS
 	tty_new[0] = tty_orig[0];
 	tty_new[1] = tty_orig[1] | TT$M_NOECHO;
diff --git a/e_os.h b/e_os.h
index 23daaf1..ec011c8 100644
--- a/e_os.h
+++ b/e_os.h
@@ -421,9 +421,6 @@ static __inline unsigned int _strlen31(const char *str)
 
 #  else
      /* !defined VMS */
-#    ifdef OPENSSL_SYS_MPE
-#      define NO_SYS_PARAM_H
-#    endif
 #    ifdef OPENSSL_UNISTD
 #      include OPENSSL_UNISTD
 #    else
@@ -527,8 +524,6 @@ static __inline unsigned int _strlen31(const char *str)
 #    endif
 #    ifdef OPENSSL_SYS_VXWORKS
 #      include  
-#    elif !defined(OPENSSL_SYS_MPE)
-#      include  /* Needed under linux for FD_XXX */
 #    endif
 
 #    include 
diff --git a/e_os2.h b/e_os2.h
index 7850169..dc6ee2d 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -156,9 +156,6 @@ extern "C" {
 # if defined(linux) || defined(__linux__) || defined(OPENSSL_SYSNAME_LINUX)
 #  define OPENSSL_SYS_LINUX
 # endif
-# ifdef OPENSSL_SYSNAME_MPE
-#  define OPENSSL_SYS_MPE
-# endif
 # ifdef OPENSSL_SYSNAME_SNI
 #  define OPENSSL_SYS_SNI
 # endif


hooks/post-receive
-- 
OpenSSL source code

From root at openssl.org  Tue Dec 23 20:49:10 2014
From: root at openssl.org (root)
Date: Tue, 23 Dec 2014 21:49:10 +0100 (CET)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	b0c384abfd6e76e71be3b352226561205207768f
Message-ID: <20141223204910.7731B1DF10F@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  b0c384abfd6e76e71be3b352226561205207768f (commit)
      from  ee52bcedc58368a5ceb827dbd1fd83aee1c6c4bb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b0c384abfd6e76e71be3b352226561205207768f
Author: Rich Salz 
Date:   Tue Dec 23 15:48:12 2014 -0500

    Remove openssl-macros.wml
    
    fix typo and add 
 in community.wml
    Ignore .ssh and .cache directories for git

-----------------------------------------------------------------------

Summary of changes:
 .gitignore            |    2 +
 .wmkrc                |    1 -
 openssl-macros.wml    |  493 -------------------------------------------------
 support/community.wml |   22 +--
 4 files changed, 9 insertions(+), 509 deletions(-)
 delete mode 100644 openssl-macros.wml

diff --git a/.gitignore b/.gitignore
index d6c50ad..953a4cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,5 @@ news/changelog.inc
 news/vulnerabilities.wml
 support/faq.inc
 support/funding/support-faq.inc
+.ssh
+.cache
diff --git a/.wmkrc b/.wmkrc
index 8b76972..b320886 100644
--- a/.wmkrc
+++ b/.wmkrc
@@ -1,2 +1 @@
 -F openssl.wml
--F openssl-macros.wml
diff --git a/openssl-macros.wml b/openssl-macros.wml
deleted file mode 100644
index 3d18122..0000000
--- a/openssl-macros.wml
+++ /dev/null
@@ -1,493 +0,0 @@
-##
-##  openssl.wml -- WML Template for the www.openssl.org website
-##  Written by Ralf S. Engelschall 
-##
-##  Usage: #use wml::openssl area= [page=]
-##
-
-#use wml::std::tags
-#use wml::std::info
-#use wml::des::navbar
-#use wml::des::space
-
-##
-##  The Global Page Layout
-##
-
-#   start of page header
-[PAGE_HEAD:\
-
-
-
-#   insert information about the webpage
-
-
-
-#   insert overideable title container
-OpenSSL: {#PAGE_TITLE#}
-#   predefine it to show errors
-..PAGE_TITLE!>>Error: Undefined Title !!<<..
-#   define override tag
-
-..PAGE_TITLE>>%body<<..
-
-
-#   define a style-sheet for adjusting some HTML layouting things
-#   to conform to some typographically stronger conventions.
-
-
-#   end of header and start of physical body
-#   (use additionally use colors here for older browsers)
-
-
-
-#   now define the page layout by a nested table
-#   structure consisting of a 5x5 cell grid.
-
-  #   visually: the top line of the page
-  \
-    \
-    \
-    \
-    \
-  
-  #   visually: the top of the white body with the subnavbar
-  \
-    \
-    \
-    \
-    \
-    \
-  
-  #   visually: the left main navigation bar and the white body
-  \
-    \
-    \
-    \
-    \
-    \
-  
-  #   visually: the bottom of the white body
-  \
-    \
-    \
-    \
-    \
-    \
-  
-  #   visually: the bottom of the page (only for esthetical
-  #   reasons, i.e. the page doesn't end with the white body)
-  \
-    \
-  
-      
\
-        {#PAGE_SUBNAVBAR#}\
-     
{#PAGE_NAVBAR#}   \
-        

-        :PAGE_HEAD][PAGE_BODY:
-        {#PAGE_BODY#}
-        :PAGE_BODY][PAGE_FOOT:\
-         
     
 
-
-#   the physical end of the body
-
-
-:PAGE_FOOT]
-
-##
-##  The main Navigation Bar [left, vertically]
-##
-
-#   define the navigation bar through a grammar
-
-  #   bar header
-  
-  
-  #   button prolog
-  
-    
-  
-  #   the buttons itself
-  
-  
-  
-  
-  
-  
-  
-  #   button epilog
-  
-    
-  
-  #   bar footer
-  
-  
-
-
-#   and then immediately render it into its layout location
-#   (Hint: The top and buttom images have to be part of the table
-#   structure because only this way we can put them 0pt to the
-#   buttons without a gap)
-..PAGE_NAVBAR>>\
-  \
-    
-    #   render it!
-    
-    
-  


-<<..
-
-##
-##  The Sub Navigation Bar (SNB) [top, horizontally]
-##
-
-#   define the ... container tag
-
-  #   1. define the navigation bar through a grammar
-  
-    #   bar header
-    \
-      
-        
-    
-    #   button prolog (normal)
-    \
-          
-    
-    #   button epilog (selected)
-    \
-           
-    
-    #   last button epilog (normal)
-    \
-           
-    
-    #   last button epilog (selected)
-    \
-           
-    
-    #   bar footer
-    \
-        
-       
-    
-    #   button prolog (selected)
-    \
-           
-    
-    #   ...here the  tags will occur...
-    %body
-    #   button epilog (normal)
-    \
-            | | 
-    
-  
-  #   2. render the navigation bar and divert
-  #      divert it into it's final location
-  ..PAGE_SUBNAVBAR>>\
-  \
-  <<..
-
-
-#   define the  tag for the  container
-#   (this is for consistency with the tag names)
-
-  
-
-
-#   predefine the contents of the SNB location
-#   by diverting a whitespace character to it.
-#   This prevents the table to be folded.
-..PAGE_SUBNAVBAR!>>
- 
-<<..
-
-#   and now the final WML trick: When the page=
-#   attribute is specified for this template, we read in the SNB
-#   spec-file which now can use the .. and
-#    tags to actually define and render a SNB. This
-#   is accomplished by doing some sort of a conditional #include. ;-)
-$(page:*# )$(page:+#include ")$(SNB_RC:-.wmlsnb)$(page:+")
-
-##
-##  Useful tags (for convenience purposes only)
-##
-
-#   define a  tag for / item similar to  but
-#   which is nice for URL lists like the Related area where
-#   we want a special layout.
-
-
-
-
-
-
-
-
\
-    
-    " "" >
-    

-    

-    " "" "" "">
-
-
-
-
-
-
-#   define a  tag which can be used to create a file listing which
-#   is optically more compact than the stuff Apache's mod_autoindex creates.
-#   Especially the current version is marked red, too.
-
--   Bytes      Timestamp       Filename
-________ ____________________ ____________________________
-<:
- at HI = ();
-open(FP, ") {
-   s|\s*\n$||;
-   push(@HI, $_);
-}
-close(FP);
-sub ls {
-    my ($pat) = @_;
-    my (@F, @R, $f, @S, @T);
-    @F = sort { (stat($a))[9] <=> (stat($b))[9]; } (glob($pat));
-    @R = ();
-    foreach $f (@F) {
-        next if ($f =~ m|^index.*|);
-        if ('%1' ne '') {
-            if (! %1 $f) {
-                next;
-            }
-        }
-        @S = stat($f);
-        $f = "$f/" if (-d $f);
-        @T = localtime($S[9]);
-        my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
-                   'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
-             $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
-    }
-    return @R;
-}
- at L = &ls("%0");
-foreach $l (@L) {
-    next if ($l =~ m|^\s*$|);
-    $l =~ s|(\s+)(\S+[^/])(\s*\n)$|$1."$2".$3|e;
-    $l =~ s|(\s+)(\S+/)(\s*\n)$|$1."$2".$3|e;
-    foreach $hi (@HI) {
-        $l =~ s|^(.*$hi.*)$|$1  [LATEST]|;
-        $l =~ s|>($hi)<|>$1<|;
-    }
-    print $l;
-}
-:>
-
-
-
-
--   Bytes      Timestamp       Filename
-________ ____________________ ____________________________
-<:
- at HI = ();
-open(FP, ") {
-   s|\s*\n$||;
-   push(@HI, $_);
-}
-close(FP);
-sub ls {
-    my ($pat) = @_;
-    my (@F, @R, $f, @S, @T);
-    @F = sort { (stat($b))[9] <=> (stat($a))[9]; } (glob($pat));
-    @R = ();
-    foreach $f (@F) {
-        next if ($f =~ m|^index.*|);
-        if ('%1' ne '') {
-            if (! %1 $f) {
-                next;
-            }
-        }
-        @S = stat($f);
-        $f = "$f/" if (-d $f);
-        @T = localtime($S[9]);
-        my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
-                   'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
-             $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
-    }
-    return @R;
-}
- at L = &ls("%0");
-foreach $l (@L) {
-    next if ($l =~ m|^\s*$|);
-    if ($l =~ m|(\s+)(\S+[^/])(\s*\n)$|) {
-	my $h = $`.$1;
-	my $f = $2;
-	my $t = $3;
-	my $r = "$f";
-	if (-f "$f.md5") { $r .= " (MD5)"; }
-	if (-f "$f.sha1") { $r .= " (SHA1)"; }
-	if (-f "$f.asc") { $r .= " (PGP sign)"; }
-	$l = $h.$r.$t;
-    }
-    $l =~ s|(\s+)(\S+/)(\s*\n)$|$1."$2".$3|e;
-    foreach $hi (@HI) {
-        $l =~ s|^(.*$hi.*)$|$1  [LATEST]|;
-        $l =~ s|>($hi)<|>$1<|;
-    }
-    print $l;
-}
-:>
-
-
-
-#
-
-
-
-
-
-
-
-
-<:
-    open(FP, "< ") || die;
-    my $max = ("" eq '' ? 9999 : "");
-    @COL = (
-        '#ffffff',
-        '#f0f0f0',
-    );
-    $ncol = 1;
-    $n = 0;
-    while () {
-        $ncol = ($ncol + 1) % 2;
-        $col  = $COL[$ncol];
-        s|="ROOT|="$(ROOT)|g;
-        if (m|^(.+?):(.+)|) {
-            print "\n";
-            print "  \n";
-            print "\n";
-        }
-        $n++;
-        last if ($n >= $max);
-    }
-    close(FP);
-:>
-" "" "" 
-  
-
->>
-Date     Newsflash
 
$1:    $2
   more...
-
-
-
-
-
-#   define a  tag which displays the usual disclaimer stuff
-
-
-This software package uses strong cryptography, so even if it is created,
-maintained and distributed from liberal countries in Europe (where it is legal
-to do this), it falls under certain export/import and/or use restrictions in
-some other parts of the world.
-
-PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
-SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL
-DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD.
-SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM
-THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE
-AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO
-ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS OF OPENSSL
-ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT
-IS YOUR RESPONSIBILITY.
-
-

-
-CREDIT INFORMATION:
-This product includes cryptographic software written by Eric Young.
-This product includes software written by Tim Hudson (tjh at cryptsoft.com).
-
-
-
-#  a tag displaying the used tools
-
-
-Website designed by
-Ralf S. Engelschall
-and generated with
-
-Website META Language (WML).

-All markup code and graphics on this website
-are Copyright © 1999-2014 The OpenSSL Project,
-All rights reserved.

-This website is served by an
-Apache
-webserver environment.

-
-
-
-#  construct an absolute URL out of a relative URL
-#  (essential for the mirroring of the website!)
-
-<:{
-    my ($cwd, $baseurl, $basedir, $subdir, $page, $url);
-
-    #   determine current working directory
-    $cwd = '';
-
-    #   determine base URL
-    $baseurl = '' || 'file://';
-
-    #   determine base directory
-    $basedir = '' || '';
-    $basedir = &canonpath("$cwd/$basedir") if ($basedir !~ m|^/|);
-
-    #   determine subdir from base dir to current working dir
-    $subdir = &relpath($basedir, $cwd);
-
-    #   determine document
-    $page = '%0';
-
-    #   construct final URL
-    $url = "$baseurl/$subdir/$page";
-    $url = &canonurl($url);
-
-    #   replace this tag with the constructed URL
-    print $url;
-}:>
-
-
-##
-##  Finally, the layout is now rendered, so divert all
-##  following stuff (the code in the local file after the #use
-##  for this template!) into the white body area.
-##
-
-..PAGE_BODY>>
-
diff --git a/support/community.wml b/support/community.wml
index fdd06cf..0ed2d92 100644
--- a/support/community.wml
+++ b/support/community.wml
@@ -9,15 +9,7 @@ We have moved all mailing lists over from to a new server and
 using MailMan.
 If you find any issues please contact postmaster at openssl.org.
 
-We will be installing better certificates and DNS names as soon as possible.
-
-
OpenSSL Mailing Lists
-
-The OpenSSL project uses various mailing lists to coordinate the development
-and to provide support to the user community. They all have an Email address
-of openssl-name@openssl.org and are remote
-controlled by the Majordomo robot under majordomo@openssl.org. 
+We will be installing better DNS names soon.
 
 Overview
 
@@ -38,7 +30,7 @@ Anyone can join.
    openssl-announce
    Official Project Announcements; low-volume read-only.
 
-   openssl-commit
+   openssl-commits
    Commits to the source repository; read-only
 
 
@@ -48,13 +40,13 @@ Anyone can join.
 
 
    openssl-users
-   Application Development, installing and configure OpenSSL,
+   Application Development, installing and configuring OpenSSL,
    etc.
 
 
 
 
-In addition, there is a list "dedicated to the discussion of the effort to
+In addition, there is a list dedicated to the "discussion of the effort to
 improve unit/automated testing for OpenSSL." It is a Google group,
 available at
 
@@ -80,17 +72,17 @@ The mailing lists are automatically archived at the following locations:
     - 
       http://marc.info/?l=openssl-users

     - 
-      http://www.mail-archive.com/openssl-users at openssl.org/
+      http://www.mail-archive.com/openssl-users at openssl.org/

     - 
       http://groups.google.com/groups?group=mailing.openssl.users

 
openssl-dev:

     - 
       http://marc.info/?l=openssl-dev

     - 
-      http://www.mail-archive.com/openssl-dev at openssl.org/
+      http://www.mail-archive.com/openssl-dev at openssl.org/

     - 
       http://groups.google.com/groups?group=mailing.openssl.dev

-
openssl-cvs:

+
openssl-commits:

     - 
       http://marc.info/?l=openssl-cvs

     - 


hooks/post-receive
-- 
OpenSSL Web Pages 

From matt at openssl.org  Tue Dec 23 22:50:35 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 23 Dec 2014 23:50:35 +0100 (CET)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	fd9452da42ac755ce5a9d6df1aed344cc61d5c0f
Message-ID: <20141223225036.2B2031DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  fd9452da42ac755ce5a9d6df1aed344cc61d5c0f (commit)
      from  b0c384abfd6e76e71be3b352226561205207768f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fd9452da42ac755ce5a9d6df1aed344cc61d5c0f
Author: Matt Caswell 
Date:   Tue Dec 23 22:49:56 2014 +0000

    Add release strategy

-----------------------------------------------------------------------

Summary of changes:
 about/.wmlsnb          |    1 +
 about/releasestrat.wml |   67 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 about/releasestrat.wml

diff --git a/about/.wmlsnb b/about/.wmlsnb
index 743b321..630a28c 100644
--- a/about/.wmlsnb
+++ b/about/.wmlsnb
@@ -8,6 +8,7 @@
   
   
   
+  
   
   
 
diff --git a/about/releasestrat.wml b/about/releasestrat.wml
new file mode 100644
index 0000000..a25b04b
--- /dev/null
+++ b/about/releasestrat.wml
@@ -0,0 +1,67 @@
+
+#use wml::openssl area=about page=releasestrat
+
+About, Release Strategy
+OpenSSL Release Strategy
+First issued 23rd December 2014
+Last modified 23rd December 2014
+
+

+
+As of release 1.0.0 the OpenSSL versioning scheme was improved to
+better meet developers' and vendors' expectations. Letter releases, such as
+1.0.1a, exclusively contain bug and security fixes and no new features.
+Minor releases that change the last digit, e.g. 1.0.1 vs. 1.0.2, can and
+are likely to contain new features, but in a way that does not break
+binary compatibility. This means that an application compiled and
+dynamically linked with 1.0.0 does not need to be recompiled when the shared
+library is updated to 1.0.2. It should be noted that some features are
+transparent to the application such as the maximum negotiated TLS version and
+cipher suites, performance improvements and so on. There is no need to recompile
+applications to benefit from these features.
+
+Binary compatibility also allows other possibilities. For example, consider an
+application that wishes to utilize a new cipher provided in a specific 1.0.x
+release, but it is also desirable to maintain the application in a 1.0.0 context.
+Customarily this would be resolved at compile time resulting in two binary
+packages targeting different OpenSSL versions. However, depending on the feature,
+it might be possible to check for its availability at run-time, thus cutting
+down on the maintenance of multiple binary packages. Admittedly it takes a certain
+discipline and some extra coding, but we would like to encourage such
+practice. This is because we want to see later releases being adopted
+faster, because new features can improve security.
+
+With regards to current and future releases the OpenSSL project has adopted the
+following policy:
+
+
+Support for version 0.9.8 will cease on 2015-12-31. No further releases of 0.9.8
+will be made after that date. Security fixes only will be applied to 0.9.8 until
+then.
+
+Support for version 1.0.0 will cease on 2015-12-31. No further releases of 1.0.0
+will be made after that date. Security fixes only will be applied to 1.0.0 until
+then.
+
+
+We may designate a release as a Long Term Support (LTS) release. LTS releases
+will be supported for at least five years and we will specify one at least every
+four years. Non-LTS releases will be supported for at least two years.
+
+As implied by the above paragraphs, during the final year of support, we do not
+commit to anything other than security fixes. Before that, bug and security
+fixes will be applied as appropriate.
+
+
+Version 1.0.1 will be supported until 2016-12-31.
+
+Version 1.0.2 will be supported until at least 2016-12-31.
+
+
+At this time, we are not planning a 1.0.3 release.
+
+Version 1.1.0 will (moderately) break source compatibility (for example we will
+make most structures opaque etc). We expect a preview version to be available
+mid 2015, with an expected release by the end of 2015. Preview means that we are
+not planning or expecting major API changes between the preview release and the
+final release (but are not categorically precluding that possibility).


hooks/post-receive
-- 
OpenSSL Web Pages 

From rsalz at openssl.org  Tue Dec 23 20:29:52 2014
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 23 Dec 2014 21:29:52 +0100 (CET)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	ee52bcedc58368a5ceb827dbd1fd83aee1c6c4bb
Message-ID: <20141223202952.895641E1C70@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  ee52bcedc58368a5ceb827dbd1fd83aee1c6c4bb (commit)
      from  9c7240f8f615cd0962891c294a51debf09864c74 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit ee52bcedc58368a5ceb827dbd1fd83aee1c6c4bb
Author: Rich Salz 
Date:   Tue Dec 23 15:29:09 2014 -0500

    Misc cleanups
    
    Remove trailing whitespace.
    Start merging openssl.wml and openssl-macros.wml
    Fix wording on all old index files to be consistent.

-----------------------------------------------------------------------

Summary of changes:
 openssl-macros.wml         |   18 +++++++++---------
 openssl.wml                |   18 +++++++++---------
 source/index.wml           |    4 ++--
 source/old/0.9.x/index.wml |    4 +---
 source/old/1.0.0/index.wml |    3 ---
 source/old/1.0.1/index.wml |    2 --
 source/old/1.0.2/index.wml |    4 ----
 source/old/fips/index.wml  |    1 -
 source/old/index.wml       |    3 +--
 9 files changed, 22 insertions(+), 35 deletions(-)

diff --git a/openssl-macros.wml b/openssl-macros.wml
index 29e94c7..3d18122 100644
--- a/openssl-macros.wml
+++ b/openssl-macros.wml
@@ -60,7 +60,7 @@ H3    { font-weight: bold; font-size: 12pt; line-height: 12pt; \
 
 
-#   now define the page layout by a nested table 
+#   now define the page layout by a nested table
 #   structure consisting of a 5x5 cell grid.
 
   #   visually: the top line of the page
@@ -164,7 +164,7 @@ H3    { font-weight: bold; font-size: 12pt; line-height: 12pt; \
 #   define the ... container tag
 
   #   1. define the navigation bar through a grammar
-  
     #   bar header
     \
@@ -288,7 +288,7 @@ sub ls {
         @T = localtime($S[9]);
         my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                    'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n", 
+        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
              $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
     }
     return @R;
@@ -337,7 +337,7 @@ sub ls {
         @T = localtime($S[9]);
         my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                    'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n", 
+        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
              $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
     }
     return @R;
@@ -435,18 +435,18 @@ This product includes software written by Tim Hudson (tjh at cryptsoft.com).
 
 
 
-#  a tag displaying the used tools   
+#  a tag displaying the used tools
 
- 
+
 Website designed by
 Ralf S. Engelschall
 and generated with
 
 Website META Language (WML).

 All markup code and graphics on this website
-are Copyright © 1999-2014 The OpenSSL Project, 
+are Copyright © 1999-2014 The OpenSSL Project,
 All rights reserved.

-This website is served by an 
+This website is served by an
 Apache
 webserver environment.

 
@@ -485,7 +485,7 @@ webserver environment.

 
 ##
 ##  Finally, the layout is now rendered, so divert all
-##  following stuff (the code in the local file after the #use 
+##  following stuff (the code in the local file after the #use
 ##  for this template!) into the white body area.
 ##
 
diff --git a/openssl.wml b/openssl.wml
index a10b197..b223977 100644
--- a/openssl.wml
+++ b/openssl.wml
@@ -164,7 +164,7 @@ H3    { font-weight: bold; font-size: 12pt; line-height: 12pt; \
 #   define the ... container tag
 
   #   1. define the navigation bar through a grammar
-  
     #   bar header
     \
@@ -288,7 +288,7 @@ sub ls {
         @T = localtime($S[9]);
         my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                    'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n", 
+        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
              $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
     }
     return @R;
@@ -351,7 +351,7 @@ sub ls {
         @T = localtime($S[9]);
         my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                    'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n", 
+        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
              $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
     }
     return @R;
@@ -535,23 +535,23 @@ IS YOUR RESPONSIBILITY.
 
 
 CREDIT INFORMATION:
-This product includes cryptographic software written by Eric Young.  
+This product includes cryptographic software written by Eric Young.
 This product includes software written by Tim Hudson (tjh at cryptsoft.com).
 
 
 
-#  a tag displaying the used tools   
+#  a tag displaying the used tools
 
- 
+
 Website designed by
 Ralf S. Engelschall
 and generated with
 
 Website META Language (WML).

 All markup code and graphics on this website
-are Copyright © 1999-2014 The OpenSSL Project, 
+are Copyright © 1999-2014 The OpenSSL Project,
 All rights reserved.

-This website is served by an 
+This website is served by an
 Apache/
 mod_ssl
 webserver environment.

@@ -591,7 +591,7 @@ webserver environment.

 
 ##
 ##  Finally, the layout is now rendered, so divert all
-##  following stuff (the code in the local file after the #use 
+##  following stuff (the code in the local file after the #use
 ##  for this template!) into the white body area.
 ##
 
diff --git a/source/index.wml b/source/index.wml
index 501c7d9..59c571a 100644
--- a/source/index.wml
+++ b/source/index.wml
@@ -7,7 +7,8 @@
 
 

 The table below lists the latest releases for every branch.
-Old releases can be found here.
+Old releases can be found at
+https://www.openssl.org/source/old.
 

 
 
@@ -31,4 +32,3 @@ We also maintain a clone at GitHub,
 
Legalities
 
 
-
diff --git a/source/old/0.9.x/index.wml b/source/old/0.9.x/index.wml
index 1ecb0be..ebd4c81 100644
--- a/source/old/0.9.x/index.wml
+++ b/source/old/0.9.x/index.wml
@@ -5,8 +5,7 @@
 Old 0.9.x Releases
 
 
-The table below lists the outdated FIPS releases.
-Note that The 0.9.8 stream has been announced as end-of-life.
+The table below lists the outdated 0.9.x releases.
 
 
 
@@ -15,4 +14,3 @@ Note that The 0.9.8 stream has been announced as end-of-life.
 
Legalities
 
 
-
diff --git a/source/old/1.0.0/index.wml b/source/old/1.0.0/index.wml
index ac386b1..d3cb9b5 100644
--- a/source/old/1.0.0/index.wml
+++ b/source/old/1.0.0/index.wml
@@ -14,6 +14,3 @@ The table below lists the outdated 1.0.0 releases.
 Legalities
 
 
-
-
-
diff --git a/source/old/1.0.1/index.wml b/source/old/1.0.1/index.wml
index c9acfc4..ba8b064 100644
--- a/source/old/1.0.1/index.wml
+++ b/source/old/1.0.1/index.wml
@@ -14,5 +14,3 @@ The table below lists the outdated 1.0.1 releases.
 Legalities
 
 
-
-
diff --git a/source/old/1.0.2/index.wml b/source/old/1.0.2/index.wml
index f6f1b84..1876079 100644
--- a/source/old/1.0.2/index.wml
+++ b/source/old/1.0.2/index.wml
@@ -14,7 +14,3 @@ The table below lists the outdated 1.0.2 releases.
 Legalities
 
 
-
-
-
-
diff --git a/source/old/fips/index.wml b/source/old/fips/index.wml
index 2c95798..6df3f3e 100644
--- a/source/old/fips/index.wml
+++ b/source/old/fips/index.wml
@@ -14,4 +14,3 @@ The table below lists the outdated FIPS releases.
 Legalities
 
 
-
diff --git a/source/old/index.wml b/source/old/index.wml
index a82799c..a8213de 100644
--- a/source/old/index.wml
+++ b/source/old/index.wml
@@ -6,7 +6,7 @@
 Old Releases
 
 
-The table below lists the latest releases for every branch.
+The table below lists the different release branches.
 
 
 
@@ -15,4 +15,3 @@ The table below lists the latest releases for every branch.
 
Legalities
 
 
-


hooks/post-receive
-- 
OpenSSL Web Pages 

From root at openssl.org  Wed Dec 24 03:03:08 2014
From: root at openssl.org (root)
Date: Wed, 24 Dec 2014 04:03:08 +0100 (CET)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	74ee476d64b0502e250791924dfc0750593f9e69
Message-ID: <20141224030308.8FB1F1DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  74ee476d64b0502e250791924dfc0750593f9e69 (commit)
      from  fd9452da42ac755ce5a9d6df1aed344cc61d5c0f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 74ee476d64b0502e250791924dfc0750593f9e69
Author: Rich Salz 
Date:   Tue Dec 23 22:02:43 2014 -0500

    Add links to blog

-----------------------------------------------------------------------

Summary of changes:
 .wmlsnb      |    1 +
 docs/.wmlsnb |    1 +
 2 files changed, 2 insertions(+)

diff --git a/.wmlsnb b/.wmlsnb
index be2a47d..b9a20bb 100644
--- a/.wmlsnb
+++ b/.wmlsnb
@@ -5,6 +5,7 @@
 
 ##  
   
+  
   
   
   
diff --git a/docs/.wmlsnb b/docs/.wmlsnb
index fb1cbb4..e53d69d 100644
--- a/docs/.wmlsnb
+++ b/docs/.wmlsnb
@@ -4,6 +4,7 @@
 
 
   
+  
   
   
   


hooks/post-receive
-- 
OpenSSL Web Pages 

From rsalz at openssl.org  Thu Dec 25 03:11:41 2014
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 25 Dec 2014 04:11:41 +0100 (CET)
Subject: [openssl-commits] [web] OpenSSL Web Pages branch master updated.
	b6a3f656d6e8a670e5e07c801b32684e01f94ba9
Message-ID: <20141225031141.AA4981DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL Web Pages ".

The branch, master has been updated
       via  b6a3f656d6e8a670e5e07c801b32684e01f94ba9 (commit)
      from  74ee476d64b0502e250791924dfc0750593f9e69 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b6a3f656d6e8a670e5e07c801b32684e01f94ba9
Author: Rich Salz 
Date:   Wed Dec 24 22:11:35 2014 -0500

    Update README for external consumption

-----------------------------------------------------------------------

Summary of changes:
 README |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/README b/README
index 28eadfa..61f945f 100644
--- a/README
+++ b/README
@@ -1,8 +1,12 @@
 
-  This is the source tree for the www.openssl.org website.  It's entirely
-  generated with Photoshop (for images) and Website META Language (WML) (for
-  markup).  Never edit any .html files manually. Instead edit the
-  corresponding .wml file. To translate the .wml files to the .html files just
-  run `wmk'. For more information about WML have a look at
-  http://www.engelschall.com/sw/wml/.
+This is the source for www.openssl.org
 
+The images were generated with Photoshop.  The text is written using
+Website META Language (WML) for markup.  WML can (hopefully) be
+found at http://thewml.org; the last release was in 2006.
+
+The Makefile rebuilds the website.  It needs a copy of a checked-out
+tree, pointed to by the SNAP variable.
+
+Not included in the repository are the .tar.gz files for download.
+They are kept in the FTP area and within the URI tree.


hooks/post-receive
-- 
OpenSSL Web Pages 

From rsalz at openssl.org  Thu Dec 25 21:17:08 2014
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 25 Dec 2014 22:17:08 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 6c23ca0cbb0181f803f38694e3f25e53e409a238
Message-ID: <20141225211709.290411DF10D@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  6c23ca0cbb0181f803f38694e3f25e53e409a238 (commit)
      from  5ad4fdce41bb1ce7762b70fb50f732f70e3772cf (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6c23ca0cbb0181f803f38694e3f25e53e409a238
Author: Rich Salz 
Date:   Thu Dec 25 16:16:29 2014 -0500

    RT3548: unsupported platforms
    
    This commit removes Sinix/ReliantUNIX RM400
    (And a missed piece of BEOS fluff)
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES         |    1 +
 Configure       |    6 ------
 Makefile.shared |   28 +---------------------------
 config          |    6 ------
 4 files changed, 2 insertions(+), 39 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4d27975..055d991 100644
--- a/CHANGES
+++ b/CHANGES
@@ -32,6 +32,7 @@
 	NeXT
 	SUNOS
 	MPE/iX
+	Sinix/ReliantUNIX RM400
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
diff --git a/Configure b/Configure
index a94b0dc..f7d1b20 100755
--- a/Configure
+++ b/Configure
@@ -517,12 +517,6 @@ my %table=(
 "dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
 "dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 
-# Sinix/ReliantUNIX RM400
-# NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
-"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:${no_asm}:dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
-"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",
-
 # SIEMENS BS2000/OSD: an EBCDIC-based mainframe
 "BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown)::-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 
diff --git a/Makefile.shared b/Makefile.shared
index e753f44..29a1345 100644
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -555,28 +555,10 @@ link_app.aix:
 	LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)
 
-link_o.reliantunix:
-	@ $(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
-	SHLIB_SUFFIX=; \
-	ALLSYMSFLAGS=; \
-	NOALLSYMSFLAGS=''; \
-	SHAREDFLAGS='$(CFLAGS) -G'; \
-	$(LINK_SO_O)
-link_a.reliantunix:
-	@ $(CALC_VERSIONS); \
-	SHLIB=lib$(LIBNAME).so; \
-	SHLIB_SUFFIX=; \
-	ALLSYMSFLAGS=; \
-	NOALLSYMSFLAGS=''; \
-	SHAREDFLAGS='$(CFLAGS) -G'; \
-	$(LINK_SO_A_UNPACKED)
-link_app.reliantunix:
-	$(LINK_APP)
 
 # Targets to build symbolic links when needed
 symlink.gnu symlink.solaris symlink.svr3 symlink.svr5 symlink.irix \
-symlink.aix symlink.reliantunix:
+symlink.aix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
@@ -645,11 +627,3 @@ link_o.aix-shared: link_o.aix
 link_a.aix-shared: link_a.aix
 link_app.aix-shared: link_app.aix
 symlink.aix-shared: symlink.aix
-link_o.reliantunix-shared: link_o.reliantunix
-link_a.reliantunix-shared: link_a.reliantunix
-link_app.reliantunix-shared: link_app.reliantunix
-symlink.reliantunix-shared: symlink.reliantunix
-link_o.beos-shared: link_o.beos
-link_a.beos-shared: link_a.beos
-link_app.beos-shared: link_app.gnu
-symlink.beos-shared: symlink.beos
diff --git a/config b/config
index 634cdab..26a79c9 100755
--- a/config
+++ b/config
@@ -320,10 +320,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-unknown-ultrix"; exit 0
 	;;
 
-    SINIX*|ReliantUNIX*)
-	echo "${MACHINE}-siemens-sysv4"; exit 0
-	;;
-
     POSIX-BC*)
 	echo "${MACHINE}-siemens-sysv4"; exit 0   # Here, $MACHINE == "BS2000"
 	;;
@@ -784,8 +780,6 @@ case "$GUESSOS" in
 	EXE=".pm"
 	OUT="vos-$CC" ;;
   BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
-  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
-  *-siemens-sysv4) OUT="SINIX" ;;
   *-hpux1*)
 	if [ $CC = "gcc" -a $GCC_BITS = "64" ]; then
 	    OUT="hpux64-parisc2-gcc"


hooks/post-receive
-- 
OpenSSL source code

From rsalz at openssl.org  Sun Dec 28 06:18:32 2014
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 28 Dec 2014 07:18:32 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 32dfde107636ac9bc62a5b3233fe2a54dbc27008
Message-ID: <20141228061832.EC8F11DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  32dfde107636ac9bc62a5b3233fe2a54dbc27008 (commit)
      from  6c23ca0cbb0181f803f38694e3f25e53e409a238 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 32dfde107636ac9bc62a5b3233fe2a54dbc27008
Author: Rich Salz 
Date:   Sun Dec 28 01:17:52 2014 -0500

    RT3548: Remove unsupported platforms
    
    This commit removes DG-UX.
    It also flushes out some left-behinds in config.
    And regenerates TABLE from Configure (hadn't been done in awhile).
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                 |    1 +
 Configure               |    5 -
 TABLE                   |  340 ++++++++++-------------------------------------
 bugs/dggccbug.c         |   45 -------
 config                  |   23 ----
 crypto/opensslconf.h.in |    2 -
 e_os.h                  |    2 -
 7 files changed, 69 insertions(+), 349 deletions(-)
 delete mode 100644 bugs/dggccbug.c

diff --git a/CHANGES b/CHANGES
index 055d991..0f37df7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -33,6 +33,7 @@
 	SUNOS
 	MPE/iX
 	Sinix/ReliantUNIX RM400
+	DGUX
      [Rich Salz]
 
   *) Experimental support for a new, fast, unbiased prime candidate generator,
diff --git a/Configure b/Configure
index f7d1b20..5c4a460 100755
--- a/Configure
+++ b/Configure
@@ -512,11 +512,6 @@ my %table=(
 # did not like it.
 "cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::",
 
-# DGUX, 88100.
-"dgux-R3-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):::RC4_INDEX DES_UNROLL:::",
-"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
-"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-
 # SIEMENS BS2000/OSD: an EBCDIC-based mainframe
 "BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown)::-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 
diff --git a/TABLE b/TABLE
index d778dac..3cd660c 100644
--- a/TABLE
+++ b/TABLE
@@ -646,108 +646,6 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
-*** ReliantUNIX
-$cc           = cc
-$cflags       = -KPIC -g -DTERMIOS -DB_ENDIAN
-$unistd       = 
-$thread_cflag = -Kthread
-$sys_id       = SNI
-$lflags       = -lsocket -lnsl -lc -L/usr/ucblib -lucb
-$bn_ops       = BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = void
-$dso_scheme   = dlfcn
-$shared_target= reliantunix-shared
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
-*** SINIX
-$cc           = cc
-$cflags       = -O
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = SNI
-$lflags       = -lsocket -lnsl -lc -L/usr/ucblib -lucb
-$bn_ops       = RC4_INDEX RC4_CHAR
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
-*** SINIX-N
-$cc           = /usr/ucb/cc
-$cflags       = -O2 -misaligned
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = -lucb
-$bn_ops       = RC4_INDEX RC4_CHAR
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
 *** UWIN
 $cc           = cc
 $cflags       = -DTERMIOS -DL_ENDIAN -O -Wall
@@ -1530,6 +1428,40 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
+*** darwin64-debug-test-64-clang
+$cc           = clang
+$cflags       = -arch x86_64 -DL_ENDIAN -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe
+$unistd       = 
+$thread_cflag = -pthread -D_THREAD_SAFE -D_REENTRANT
+$sys_id       = MACOSX
+$lflags       = 
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
+$ec_obj       = ecp_nistz256.o ecp_nistz256-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
+$cast_obj     = 
+$rc4_obj      = rc4-x86_64.o rc4-md5-x86_64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
+$modes_obj    = ghash-x86_64.o aesni-gcm-x86_64.o
+$engines_obj  = e_padlock-x86_64.o
+$perlasm_scheme = macosx
+$dso_scheme   = dlfcn
+$shared_target= darwin-shared
+$shared_cflag = -fPIC -fno-common
+$shared_ldflag = -arch x86_64 -dynamiclib
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
 *** darwin64-ppc-cc
 $cc           = cc
 $cflags       = -arch ppc64 -O3 -DB_ENDIAN
@@ -3094,6 +3026,40 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
+*** debug-test-64-clang
+$cc           = clang
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe
+$unistd       = 
+$thread_cflag = -pthread -D_THREAD_SAFE -D_REENTRANT
+$sys_id       = 
+$lflags       = 
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
+$ec_obj       = ecp_nistz256.o ecp_nistz256-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
+$cast_obj     = 
+$rc4_obj      = rc4-x86_64.o rc4-md5-x86_64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
+$modes_obj    = ghash-x86_64.o aesni-gcm-x86_64.o
+$engines_obj  = e_padlock-x86_64.o
+$perlasm_scheme = elf
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
 *** debug-ulf
 $cc           = gcc
 $cflags       = -DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations
@@ -3162,108 +3128,6 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
-*** dgux-R3-gcc
-$cc           = gcc
-$cflags       = -O3 -fomit-frame-pointer
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = 
-$bn_ops       = RC4_INDEX DES_UNROLL
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
-*** dgux-R4-gcc
-$cc           = gcc
-$cflags       = -O3 -fomit-frame-pointer
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = -lnsl -lsocket
-$bn_ops       = RC4_INDEX DES_UNROLL
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
-*** dgux-R4-x86-gcc
-$cc           = gcc
-$cflags       = -O3 -fomit-frame-pointer -DL_ENDIAN
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = -lnsl -lsocket
-$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$cpuid_obj    = x86cpuid.o
-$bn_obj       = bn-586.o co-586.o x86-mont.o x86-gf2m.o
-$ec_obj       = 
-$des_obj      = des-586.o crypt586.o
-$aes_obj      = aes-586.o vpaes-x86.o aesni-x86.o
-$bf_obj       = bf-586.o
-$md5_obj      = md5-586.o
-$sha1_obj     = sha1-586.o sha256-586.o sha512-586.o
-$cast_obj     = cast-586.o
-$rc4_obj      = rc4-586.o
-$rmd160_obj   = rmd-586.o
-$rc5_obj      = rc5-586.o
-$wp_obj       = wp_block.o wp-mmx.o
-$cmll_obj     = cmll-x86.o
-$modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
-$perlasm_scheme = elf
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
 *** dist
 $cc           = cc
 $cflags       = -O
@@ -5474,40 +5338,6 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
-*** newsos4-gcc
-$cc           = gcc
-$cflags       = -O -DB_ENDIAN
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = NEWS4
-$lflags       = -lmld -liberty
-$bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
 *** nextstep
 $cc           = cc
 $cflags       = -O -Wall
@@ -6188,40 +6018,6 @@ $ranlib       =
 $arflags      = 
 $multilib     = /64
 
-*** sunos-gcc
-$cc           = gcc
-$cflags       = -O3 -mv8 -Dssize_t=int
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = SUNOS
-$lflags       = 
-$bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1
-$cpuid_obj    = 
-$bn_obj       = 
-$ec_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$wp_obj       = 
-$cmll_obj     = 
-$modes_obj    = 
-$engines_obj  = 
-$perlasm_scheme = void
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-$multilib     = 
-
 *** tandem-c89
 $cc           = c89
 $cflags       = -Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN
diff --git a/bugs/dggccbug.c b/bugs/dggccbug.c
deleted file mode 100644
index 30e07a6..0000000
--- a/bugs/dggccbug.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/* NOCW */
-/* dggccbug.c */
-/* bug found by Eric Young (eay at cryptsoft.com) - May 1995 */
-
-#include 
-
-/* There is a bug in
- * gcc version 2.5.8 (88open OCS/BCS, DG-2.5.8.3, Oct 14 1994)
- * as shipped with DGUX 5.4R3.10 that can be bypassed by defining
- * DG_GCC_BUG in my code.
- * The bug manifests itself by the vaule of a pointer that is
- * used only by reference, not having it's value change when it is used
- * to check for exiting the loop.  Probably caused by there being 2
- * copies of the valiable, one in a register and one being an address
- * that is passed. */
-
-/* compare the out put from
- * gcc dggccbug.c; ./a.out
- * and
- * gcc -O dggccbug.c; ./a.out
- * compile with -DFIXBUG to remove the bug when optimising.
- */
-
-void inc(a)
-int *a;
-	{
-	(*a)++;
-	}
-
-main()
-	{
-	int p=0;
-#ifdef FIXBUG
-	int dummy;
-#endif
-
-	while (p<3)
-		{
-		fprintf(stderr,"%08X\n",p);
-		inc(&p);
-#ifdef FIXBUG
-		dummy+=p;
-#endif
-		}
-	}
diff --git a/config b/config
index 26a79c9..d0c8993 100755
--- a/config
+++ b/config
@@ -102,10 +102,6 @@ fi
 # Now we simply scan though... In most cases, the SYSTEM info is enough
 #
 case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
-    MPE/iX:*)
-	MACHINE=`echo "$MACHINE" | sed -e 's/-/_/g'`
-	echo "parisc-hp-MPE/iX"; exit 0
-	;;
     A/UX:*)
 	echo "m68k-apple-aux3"; exit 0
 	;;
@@ -122,18 +118,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-ibm-aix3"; exit 0
 	;;
 
-    BeOS:*:BePC)
-    if [ -e /boot/develop/headers/be/bone ]; then
-		echo "beos-x86-bone"; exit 0
-	else
-		echo "beos-x86-r5"; exit 0
-	fi
-	;;
-
-    dgux:*)
-	echo "${MACHINE}-dg-dgux"; exit 0
-	;;
-
     HI-UX:*)
 	echo "${MACHINE}-hi-hiux"; exit 0
 	;;
@@ -336,10 +320,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-v11-${SYSTEM}"; exit 0;
 	;;
 
-    NEWS-OS:4.*)
-	echo "mips-sony-newsos4"; exit 0;
-	;;
-
     MINGW*)
 	echo "${MACHINE}-whatever-mingw"; exit 0;
 	;;
@@ -845,14 +825,11 @@ case "$GUESSOS" in
 	fi
 	;;
   # these are all covered by the catchall below
-  # *-dgux) OUT="dgux" ;;
-  mips-sony-newsos4) OUT="newsos4-gcc" ;;
   *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
   *-*-cygwin) OUT="Cygwin" ;;
   t3e-cray-unicosmk) OUT="cray-t3e" ;;
   j90-cray-unicos) OUT="cray-j90" ;;
   nsr-tandem-nsk) OUT="tandem-c89" ;;
-  beos-*) OUT="$GUESSOS" ;;
   x86pc-*-qnx6) OUT="QNX6-i386" ;;
   *-*-qnx6) OUT="QNX6" ;;
   x86-*-android|i?86-*-android) OUT="android-x86" ;;
diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in
index faa33a4..504d93d 100644
--- a/crypto/opensslconf.h.in
+++ b/crypto/opensslconf.h.in
@@ -154,8 +154,6 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
   /* Unknown */
 #elif defined( __aux )		/* 68K */
   /* Unknown */
-#elif defined( __dgux )		/* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
 #elif defined( __sgi )		/* Newer MIPS */
 #  define DES_PTR
 #  define DES_RISC2
diff --git a/e_os.h b/e_os.h
index ec011c8..8b7bcf2 100644
--- a/e_os.h
+++ b/e_os.h
@@ -625,8 +625,6 @@ extern char *sys_errlist[]; extern int sys_nerr;
 
 /***********************************************/
 
-#define DG_GCC_BUG	/* gcc < 2.6.3 on DGUX */
-
 #ifdef sgi
 #define IRIX_CC_BUG	/* all version of IRIX I've tested (4.* 5.*) */
 #endif


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Tue Dec 30 15:53:27 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Tue, 30 Dec 2014 16:53:27 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. aa8a9266f91ce05068c5bf7eab44263c99d366f3
Message-ID: <20141230155328.01AB11DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  aa8a9266f91ce05068c5bf7eab44263c99d366f3 (commit)
       via  5075e52e6f055f0dfce5be153e6a4def9e5d8057 (commit)
       via  c18440956dd4a756e778b05d6ceadc27bd034edb (commit)
       via  8c00f4cfd2e4265f39e8fa0e3d10406a542647f0 (commit)
      from  32dfde107636ac9bc62a5b3233fe2a54dbc27008 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit aa8a9266f91ce05068c5bf7eab44263c99d366f3
Author: Kurt Roeckx 
Date:   Tue Dec 16 12:35:21 2014 +0100

    Make "run" volatile
    
    RT#3629
    
    Reviewed-by: Richard Levitte 

commit 5075e52e6f055f0dfce5be153e6a4def9e5d8057
Author: Thorsten Glaser 
Date:   Fri May 22 16:28:05 2009 +0000

    Document openssl dgst -hmac option
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Richard Levitte 

commit c18440956dd4a756e778b05d6ceadc27bd034edb
Author: Kurt Roeckx 
Date:   Mon Dec 23 19:06:34 2013 +0100

    dlfcn: always define _GNU_SOURCE
    
    We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
    ports.  There shouldn't be a problem defining this on systems not using glibc.
    
    Reviewed-by: Richard Levitte 

commit 8c00f4cfd2e4265f39e8fa0e3d10406a542647f0
Author: Kurt Roeckx 
Date:   Sun Dec 7 22:25:39 2014 +0100

    Fix memory leak in the apps
    
    The BIO_free() allocated ex_data again that we already freed.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 apps/dgst.c            |    2 ++
 apps/openssl.c         |    5 +++--
 apps/speed.c           |    2 +-
 crypto/dso/dso_dlfcn.c |    6 ++----
 doc/apps/dgst.pod      |   11 +++++++++++
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/apps/dgst.c b/apps/dgst.c
index 19c9424..9f6954f 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -276,6 +276,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-hmac arg       set the HMAC key to arg\n");
+		BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
diff --git a/apps/openssl.c b/apps/openssl.c
index 71e1e48..5372459 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -435,9 +435,7 @@ end:
 	if (prog != NULL) lh_FUNCTION_free(prog);
 	if (arg.data != NULL) OPENSSL_free(arg.data);
 
-	apps_shutdown();
 
-	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
 		{
 		BIO_free(bio_err);
@@ -450,6 +448,9 @@ end:
 		OPENSSL_free(Argv);
 		}
 #endif
+	apps_shutdown();
+	CRYPTO_mem_leaks(bio_err);
+
 	OPENSSL_EXIT(ret);
 	}
 
diff --git a/apps/speed.c b/apps/speed.c
index e5742e6..3dcfb8d 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -209,7 +209,7 @@
 #define BUFSIZE	(1024*8+1)
 #define MAX_MISALIGNMENT 63
 
-int run=0;
+static volatile int run=0;
 
 static int mr=0;
 static int usertime=1;
diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
index 0135cc1..32386c6 100644
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -60,10 +60,8 @@
    that handle _GNU_SOURCE and other similar macros.  Defining it later
    is simply too late, because those headers are protected from re-
    inclusion.  */
-#ifdef __linux
-# ifndef _GNU_SOURCE
-#  define _GNU_SOURCE	/* make sure dladdr is declared */
-# endif
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE	/* make sure dladdr is declared */
 #endif
 
 #include 
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index d8530ab..8f974ed 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -13,6 +13,8 @@ B B
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
+[B<-hmac arg>]
+[B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
 [B<-keyform arg>]
@@ -62,6 +64,15 @@ output the digest or signature in binary form.
 
 output the digest in the "coreutils" format used by programs like B.
 
+=item B<-hmac arg>
+
+set the HMAC key to "arg".
+
+=item B<-non-fips-allow>
+
+Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in
+FIPS mode.
+
 =item B<-out filename>
 
 filename to output to, or standard output by default.


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Tue Dec 30 16:00:06 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Tue, 30 Dec 2014 17:00:06 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-130-g73bda31
Message-ID: <20141230160006.D68C61DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  73bda31b4c6e9c692c88f09cd8ec2fd722aa34d7 (commit)
       via  dc00fb9d51595278d033c1e9811b9444cc362d6e (commit)
       via  06c3e65deb062f1ee29c4567eedc50f482a36e70 (commit)
       via  5984c7e3d5672198e08d40db978d7eb4868a16eb (commit)
      from  beef278bd7a4c3658d2bee5d4f2b5301e42e7a4e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 73bda31b4c6e9c692c88f09cd8ec2fd722aa34d7
Author: Kurt Roeckx 
Date:   Tue Dec 16 12:35:21 2014 +0100

    Make "run" volatile
    
    RT#3629
    
    Reviewed-by: Richard Levitte 

commit dc00fb9d51595278d033c1e9811b9444cc362d6e
Author: Thorsten Glaser 
Date:   Fri May 22 16:28:05 2009 +0000

    Document openssl dgst -hmac option
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Richard Levitte 

commit 06c3e65deb062f1ee29c4567eedc50f482a36e70
Author: Kurt Roeckx 
Date:   Mon Dec 23 19:06:34 2013 +0100

    dlfcn: always define _GNU_SOURCE
    
    We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
    ports.  There shouldn't be a problem defining this on systems not using glibc.
    
    Reviewed-by: Richard Levitte 

commit 5984c7e3d5672198e08d40db978d7eb4868a16eb
Author: Kurt Roeckx 
Date:   Sun Dec 7 22:25:39 2014 +0100

    Fix memory leak in the apps
    
    The BIO_free() allocated ex_data again that we already freed.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 apps/dgst.c            |    2 ++
 apps/openssl.c         |    5 +++--
 apps/speed.c           |    2 +-
 crypto/dso/dso_dlfcn.c |    6 ++----
 doc/apps/dgst.pod      |   11 +++++++++++
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/apps/dgst.c b/apps/dgst.c
index 19c9424..9f6954f 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -276,6 +276,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-hmac arg       set the HMAC key to arg\n");
+		BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
diff --git a/apps/openssl.c b/apps/openssl.c
index 71e1e48..5372459 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -435,9 +435,7 @@ end:
 	if (prog != NULL) lh_FUNCTION_free(prog);
 	if (arg.data != NULL) OPENSSL_free(arg.data);
 
-	apps_shutdown();
 
-	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
 		{
 		BIO_free(bio_err);
@@ -450,6 +448,9 @@ end:
 		OPENSSL_free(Argv);
 		}
 #endif
+	apps_shutdown();
+	CRYPTO_mem_leaks(bio_err);
+
 	OPENSSL_EXIT(ret);
 	}
 
diff --git a/apps/speed.c b/apps/speed.c
index d722231..6ee5d40 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -225,7 +225,7 @@
 
 #undef BUFSIZE
 #define BUFSIZE	((long)1024*8+1)
-int run=0;
+static volatile int run=0;
 
 static int mr=0;
 static int usertime=1;
diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
index 4a56aac..faa9d76 100644
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -60,10 +60,8 @@
    that handle _GNU_SOURCE and other similar macros.  Defining it later
    is simply too late, because those headers are protected from re-
    inclusion.  */
-#ifdef __linux
-# ifndef _GNU_SOURCE
-#  define _GNU_SOURCE	/* make sure dladdr is declared */
-# endif
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE	/* make sure dladdr is declared */
 #endif
 
 #include 
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 2414c53..9e15798 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -13,6 +13,8 @@ B B
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
+[B<-hmac arg>]
+[B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
 [B<-keyform arg>]
@@ -62,6 +64,15 @@ output the digest or signature in binary form.
 
 output the digest in the "coreutils" format used by programs like B.
 
+=item B<-hmac arg>
+
+set the HMAC key to "arg".
+
+=item B<-non-fips-allow>
+
+Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in
+FIPS mode.
+
 =item B<-out filename>
 
 filename to output to, or standard output by default.


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Tue Dec 30 16:04:13 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Tue, 30 Dec 2014 17:04:13 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-91-gc14a808
Message-ID: <20141230160415.057731DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  c14a808c516eea83cf949c5da7fd9e7c77f379c4 (commit)
       via  cdf42d7b4354c198d263ba6476daad3c110d2693 (commit)
       via  7858d304bcfaf4e3af8fd0aec8fc3fe2a8227171 (commit)
       via  f14a6bf5151602d93866059af0f972710446a55c (commit)
      from  5dad57536f943964e082f243430e0a945bcabbad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c14a808c516eea83cf949c5da7fd9e7c77f379c4
Author: Kurt Roeckx 
Date:   Tue Dec 16 12:35:21 2014 +0100

    Make "run" volatile
    
    RT#3629
    
    Reviewed-by: Richard Levitte 

commit cdf42d7b4354c198d263ba6476daad3c110d2693
Author: Thorsten Glaser 
Date:   Fri May 22 16:28:05 2009 +0000

    Document openssl dgst -hmac option
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Richard Levitte 

commit 7858d304bcfaf4e3af8fd0aec8fc3fe2a8227171
Author: Kurt Roeckx 
Date:   Mon Dec 23 19:06:34 2013 +0100

    dlfcn: always define _GNU_SOURCE
    
    We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
    ports.  There shouldn't be a problem defining this on systems not using glibc.
    
    Reviewed-by: Richard Levitte 

commit f14a6bf5151602d93866059af0f972710446a55c
Author: Kurt Roeckx 
Date:   Sun Dec 7 22:25:39 2014 +0100

    Fix memory leak in the apps
    
    The BIO_free() allocated ex_data again that we already freed.
    
    Reviewed-by: Richard Levitte 

-----------------------------------------------------------------------

Summary of changes:
 apps/dgst.c            |    2 ++
 apps/openssl.c         |    5 +++--
 apps/speed.c           |    2 +-
 crypto/dso/dso_dlfcn.c |    6 ++----
 doc/apps/dgst.pod      |   11 +++++++++++
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/apps/dgst.c b/apps/dgst.c
index f4aec77..e31a6b1 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -273,6 +273,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-hmac arg       set the HMAC key to arg\n");
+		BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
diff --git a/apps/openssl.c b/apps/openssl.c
index 71e1e48..5372459 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -435,9 +435,7 @@ end:
 	if (prog != NULL) lh_FUNCTION_free(prog);
 	if (arg.data != NULL) OPENSSL_free(arg.data);
 
-	apps_shutdown();
 
-	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
 		{
 		BIO_free(bio_err);
@@ -450,6 +448,9 @@ end:
 		OPENSSL_free(Argv);
 		}
 #endif
+	apps_shutdown();
+	CRYPTO_mem_leaks(bio_err);
+
 	OPENSSL_EXIT(ret);
 	}
 
diff --git a/apps/speed.c b/apps/speed.c
index 691b4b6..24d4122 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -225,7 +225,7 @@
 
 #undef BUFSIZE
 #define BUFSIZE	((long)1024*8+1)
-int run=0;
+static volatile int run=0;
 
 static int mr=0;
 static int usertime=1;
diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c
index 4a56aac..faa9d76 100644
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -60,10 +60,8 @@
    that handle _GNU_SOURCE and other similar macros.  Defining it later
    is simply too late, because those headers are protected from re-
    inclusion.  */
-#ifdef __linux
-# ifndef _GNU_SOURCE
-#  define _GNU_SOURCE	/* make sure dladdr is declared */
-# endif
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE	/* make sure dladdr is declared */
 #endif
 
 #include 
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 2414c53..9e15798 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -13,6 +13,8 @@ B B
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
+[B<-hmac arg>]
+[B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
 [B<-keyform arg>]
@@ -62,6 +64,15 @@ output the digest or signature in binary form.
 
 output the digest in the "coreutils" format used by programs like B.
 
+=item B<-hmac arg>
+
+set the HMAC key to "arg".
+
+=item B<-non-fips-allow>
+
+Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in
+FIPS mode.
+
 =item B<-out filename>
 
 filename to output to, or standard output by default.


hooks/post-receive
-- 
OpenSSL source code

From matt at openssl.org  Tue Dec 30 22:34:43 2014
From: matt at openssl.org (Matt Caswell)
Date: Tue, 30 Dec 2014 23:34:43 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 1d97c8435171a7af575f73c526d79e1ef0ee5960
Message-ID: <20141230223444.1B9C61DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  1d97c8435171a7af575f73c526d79e1ef0ee5960 (commit)
      from  aa8a9266f91ce05068c5bf7eab44263c99d366f3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 1d97c8435171a7af575f73c526d79e1ef0ee5960
Author: Tim Hudson 
Date:   Sun Dec 28 12:48:40 2014 +1000

    mark all block comments that need format preserving so that
    indent will not alter them when reformatting comments
    
    Reviewed-by: Rich Salz 
    Reviewed-by: Matt Caswell 

-----------------------------------------------------------------------

Summary of changes:
 apps/asn1pars.c                     |    3 +-
 apps/ca.c                           |    3 +-
 apps/crl2p7.c                       |    3 +-
 apps/dh.c                           |    3 +-
 apps/dhparam.c                      |    3 +-
 apps/dsa.c                          |    3 +-
 apps/dsaparam.c                     |    3 +-
 apps/ec.c                           |    3 +-
 apps/ecparam.c                      |    3 +-
 apps/openssl.c                      |    3 +-
 apps/passwd.c                       |    3 +-
 apps/rand.c                         |    3 +-
 apps/req.c                          |    3 +-
 apps/rsa.c                          |    3 +-
 apps/s_socket.c                     |    2 +-
 apps/spkac.c                        |    3 +-
 apps/ts.c                           |    2 +-
 apps/vms_decc_init.c                |    2 +-
 crypto/aes/aes_core.c               |    2 +-
 crypto/aes/aes_x86core.c            |    4 +-
 crypto/asn1/a_sign.c                |    3 +-
 crypto/asn1/a_time.c                |    3 +-
 crypto/asn1/a_utf8.c                |    3 +-
 crypto/asn1/asn1.h                  |    3 +-
 crypto/asn1/asn1t.h                 |    6 +-
 crypto/asn1/x_attrib.c              |    3 +-
 crypto/asn1/x_req.c                 |    3 +-
 crypto/bf/blowfish.h                |    2 +-
 crypto/bio/b_print.c                |    2 +-
 crypto/bio/bio.h                    |    9 +-
 crypto/bio/bss_acpt.c               |    2 +-
 crypto/bio/bss_bio.c                |    6 +-
 crypto/bn/asm/x86_64-gcc.c          |    4 +-
 crypto/bn/bn_add.c                  |    6 +-
 crypto/bn/bn_div.c                  |    3 +-
 crypto/bn/bn_exp.c                  |    3 +-
 crypto/bn/bn_gcd.c                  |   31 +++--
 crypto/bn/bn_lcl.h                  |    5 +-
 crypto/bn/bn_lib.c                  |    3 +-
 crypto/bn/bn_mul.c                  |   33 +++--
 crypto/bn/bn_prime.c                |    6 +-
 crypto/bn/bn_recp.c                 |    3 +-
 crypto/bn/bn_sqr.c                  |    9 +-
 crypto/bn/bn_sqrt.c                 |   12 +-
 crypto/conf/conf_def.c              |    3 +-
 crypto/constant_time_locl.h         |    6 +-
 crypto/constant_time_test.c         |    2 +-
 crypto/crypto.h                     |    3 +-
 crypto/des/des_locl.h               |    3 +-
 crypto/des/des_old.h                |    3 +-
 crypto/des/destest.c                |    2 +-
 crypto/des/enc_read.c               |    2 +-
 crypto/des/enc_writ.c               |    2 +-
 crypto/des/ncbc_enc.c               |    2 +-
 crypto/des/rpc_des.h                |    2 +-
 crypto/des/set_key.c                |    5 +-
 crypto/dh/dh_check.c                |    3 +-
 crypto/dh/dh_gen.c                  |    3 +-
 crypto/dsa/dsa_ameth.c              |    3 +-
 crypto/dsa/dsa_asn1.c               |    3 +-
 crypto/dsa/dsa_ossl.c               |    3 +-
 crypto/dso/dso_vms.c                |    3 +-
 crypto/ec/ec.h                      |    2 +-
 crypto/ec/ec2_mult.c                |    9 +-
 crypto/ec/ec2_smpl.c                |    6 +-
 crypto/ec/ec_lcl.h                  |    3 +-
 crypto/ec/ec_mult.c                 |    6 +-
 crypto/ec/ecp_nistp224.c            |   33 +++--
 crypto/ec/ecp_nistp256.c            |   75 +++++++----
 crypto/ec/ecp_nistp521.c            |   78 +++++++----
 crypto/ec/ecp_nistputil.c           |    2 +-
 crypto/ec/ecp_smpl.c                |   12 +-
 crypto/ecdsa/ecs_vrf.c              |    6 +-
 crypto/engine/eng_all.c             |    2 +-
 crypto/engine/engine.h              |    8 +-
 crypto/evp/bio_enc.c                |    2 +-
 crypto/evp/bio_md.c                 |    2 +-
 crypto/evp/bio_ok.c                 |    2 +-
 crypto/evp/encode.c                 |    9 +-
 crypto/evp/evp.h                    |    2 +-
 crypto/evp/evp_locl.h               |    2 +-
 crypto/evp/p_seal.c                 |    2 +-
 crypto/idea/ideatest.c              |    2 +-
 crypto/jpake/jpake.c                |    8 +-
 crypto/jpake/jpaketest.c            |    4 +-
 crypto/krb5/krb5_asn.h              |  134 +++++++++----------
 crypto/lhash/lhash.c                |    3 +-
 crypto/md32_common.h                |    2 +-
 crypto/md4/md4.h                    |    2 +-
 crypto/modes/gcm128.c               |    2 +-
 crypto/o_time.c                     |    3 +-
 crypto/objects/objects.h            |    5 +-
 crypto/ocsp/ocsp.h                  |   38 +++---
 crypto/opensslv.h                   |    6 +-
 crypto/pkcs7/pkcs7.h                |    2 +-
 crypto/rand/rand_egd.c              |    2 +-
 crypto/rc2/rc2test.c                |    2 +-
 crypto/rc4/rc4_enc.c                |    4 +-
 crypto/rsa/rsa_pss.c                |    4 +-
 crypto/sha/sha.h                    |    2 +-
 crypto/sha/sha512.c                 |    2 +-
 crypto/stack/safestack.h            |    5 +-
 crypto/ts/ts.h                      |   20 +--
 crypto/ts/ts_rsp_verify.c           |    2 +-
 crypto/ui/ui.h                      |    6 +-
 crypto/whrlpool/wp_dgst.c           |    2 +-
 crypto/x509/x509.h                  |    2 +-
 crypto/x509/x509_lu.c               |    3 +-
 crypto/x509/x509_vfy.h              |    2 +-
 crypto/x509/x509_vpm.c              |    3 +-
 crypto/x509/x509name.c              |    6 +-
 crypto/x509v3/pcy_tree.c            |    3 +-
 crypto/x509v3/v3_ncons.c            |    4 +-
 crypto/x509v3/v3_purp.c             |    6 +-
 crypto/x509v3/v3_scts.c             |    6 +-
 crypto/x509v3/v3nametest.c          |    2 +-
 demos/asn1/ocsp.c                   |    3 +-
 demos/easy_tls/easy-tls.c           |    7 +-
 e_os.h                              |    3 +-
 e_os2.h                             |   58 +++++----
 engines/ccgost/gost89.c             |    3 +-
 engines/ccgost/gost_ctl.c           |    2 +-
 engines/ccgost/gost_keywrap.c       |    7 +-
 engines/ccgost/gost_keywrap.h       |    7 +-
 engines/ccgost/gost_sign.c          |    4 +-
 engines/e_chil.c                    |    3 +-
 engines/e_gmp.c                     |    3 +-
 engines/e_padlock.c                 |    2 +-
 engines/vendor_defns/hwcryptohook.h |   62 ++++++---
 engines/vendor_defns/sureware.h     |   67 +++++-----
 ms/tlhelp32.h                       |    2 +-
 ssl/d1_both.c                       |   11 +-
 ssl/d1_pkt.c                        |   15 ++-
 ssl/heartbeat_test.c                |    2 +-
 ssl/kssl.c                          |  245 ++++++++++++++++++-----------------
 ssl/kssl.h                          |   22 ++--
 ssl/s23_srvr.c                      |    3 +-
 ssl/s3_both.c                       |    3 +-
 ssl/s3_cbc.c                        |   21 ++-
 ssl/s3_clnt.c                       |   56 ++++----
 ssl/s3_pkt.c                        |   27 ++--
 ssl/s3_srvr.c                       |   25 ++--
 ssl/ssl.h                           |   11 +-
 ssl/ssl_ciph.c                      |   14 +-
 ssl/ssl_locl.h                      |   11 +-
 ssl/ssl_sess.c                      |    2 +-
 ssl/ssl_task.c                      |    4 +-
 ssl/ssltest.c                       |   20 +--
 ssl/t1_lib.c                        |  106 ++++++++-------
 test/methtest.c                     |    2 +-
 test/testutil.c                     |    2 +-
 test/testutil.h                     |    5 +-
 152 files changed, 971 insertions(+), 704 deletions(-)

diff --git a/apps/asn1pars.c b/apps/asn1pars.c
index 42f37d7..f07d8b6 100644
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -69,7 +69,8 @@
 #include 
 #include 
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -in arg	- input file - default stdin
  * -i		- indent the details by depth
  * -offset	- where in the file to start
diff --git a/apps/ca.c b/apps/ca.c
index baa6a90..6e8fa27 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2829,7 +2829,8 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 	return str;
 	}
 
-/* Convert revocation field to X509_REVOKED entry 
+/*-
+ * Convert revocation field to X509_REVOKED entry 
  * return code:
  * 0 error
  * 1 OK
diff --git a/apps/crl2p7.c b/apps/crl2p7.c
index 42c6886..ce78e76 100644
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -75,7 +75,8 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
 #undef PROG
 #define PROG	crl2pkcs7_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dh.c b/apps/dh.c
index dee9c01..26107b8 100644
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -74,7 +74,8 @@
 #undef PROG
 #define PROG	dh_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 1127d10..7982222 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -132,7 +132,8 @@
 
 #define DEFBITS	2048
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dsa.c b/apps/dsa.c
index 5222487..03599be 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -74,7 +74,8 @@
 #undef PROG
 #define PROG	dsa_main
 
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+/*-
+ * -inform arg	- input format - default PEM (one of DER, NET or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index fcbd794..a922335 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -75,7 +75,8 @@
 #undef PROG
 #define PROG	dsaparam_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/ec.c b/apps/ec.c
index 896eabc..ec560aa 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -70,7 +70,8 @@
 #undef PROG
 #define PROG	ec_main
 
-/* -inform arg    - input format - default PEM (one of DER, NET or PEM)
+/*-
+ * -inform arg    - input format - default PEM (one of DER, NET or PEM)
  * -outform arg   - output format - default PEM
  * -in arg        - input file - default stdin
  * -out arg       - output file - default stdout
diff --git a/apps/ecparam.c b/apps/ecparam.c
index de4e46f..4f6a654 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -87,7 +87,8 @@
 #undef PROG
 #define PROG	ecparam_main
 
-/* -inform arg      - input format - default PEM (DER or PEM)
+/*-
+ * -inform arg      - input format - default PEM (DER or PEM)
  * -outform arg     - output format - default PEM
  * -in  arg         - input file  - default stdin
  * -out arg         - output file - default stdout
diff --git a/apps/openssl.c b/apps/openssl.c
index 5372459..7453e65 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -238,7 +238,8 @@ int main(int Argc, char *ARGV[])
 	long errline;
 
 #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
-	/* 2011-03-22 SMS.
+	/*- 
+	 * 2011-03-22 SMS.
 	 * If we have 32-bit pointers everywhere, then we're safe, and
 	 * we bypass this mess, as on non-VMS systems.  (See ARGV,
 	 * above.)
diff --git a/apps/passwd.c b/apps/passwd.c
index 9ca25dd..8e65ed7 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -43,7 +43,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out, int quiet, int table, int reverse,
 	size_t pw_maxlen, int usecrypt, int use1, int useapr1);
 
-/* -crypt        - standard Unix password algorithm (default)
+/*-
+ * -crypt        - standard Unix password algorithm (default)
  * -1            - MD5-based password algorithm
  * -apr1         - MD5-based password algorithm, Apache variant
  * -salt string  - salt
diff --git a/apps/rand.c b/apps/rand.c
index 790e795..dc93159 100644
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -66,7 +66,8 @@
 #undef PROG
 #define PROG rand_main
 
-/* -out file         - write to file
+/*-
+ * -out file         - write to file
  * -rand file:file   - PRNG seed files
  * -base64           - base64 encode output
  * -hex              - hex encode output
diff --git a/apps/req.c b/apps/req.c
index a69915f..cc1b631 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -99,7 +99,8 @@
 #undef PROG
 #define PROG	req_main
 
-/* -inform arg	- input format - default PEM (DER or PEM)
+/*-
+ * -inform arg	- input format - default PEM (DER or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/rsa.c b/apps/rsa.c
index a17708f..4443d74 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -74,7 +74,8 @@
 #undef PROG
 #define PROG	rsa_main
 
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+/*-
+ * -inform arg	- input format - default PEM (one of DER, NET or PEM)
  * -outform arg - output format - default PEM
  * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
diff --git a/apps/s_socket.c b/apps/s_socket.c
index 7edef15..f44050d 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -532,7 +532,7 @@ redoit:
 		return(0);
 		}
 
-/*
+/*-
 	ling.l_onoff=1;
 	ling.l_linger=0;
 	i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
diff --git a/apps/spkac.c b/apps/spkac.c
index 0e01ea9..149db17 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -73,7 +73,8 @@
 #undef PROG
 #define PROG	spkac_main
 
-/* -in arg	- input file - default stdin
+/*-
+ * -in arg	- input file - default stdin
  * -out arg	- output file - default stdout
  */
 
diff --git a/apps/ts.c b/apps/ts.c
index ae7604c..ace13bd 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -1130,7 +1130,7 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
 
 static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx)
 	{
-	/*
+	/*-
 	char buf[256];
 
 	if (!ok)
diff --git a/apps/vms_decc_init.c b/apps/vms_decc_init.c
index f512c8f..1130ae4 100755
--- a/apps/vms_decc_init.c
+++ b/apps/vms_decc_init.c
@@ -5,7 +5,7 @@
 
 #ifdef USE_DECC_INIT
 
-/*
+/*-
  * 2010-04-26 SMS.
  *
  *----------------------------------------------------------------------
diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
index ba90952..de44a58 100644
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -41,7 +41,7 @@
 #include "aes_locl.h"
 
 #ifndef AES_ASM
-/*
+/*-
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
 Te2[x] = S [x].[01, 03, 02, 01];
diff --git a/crypto/aes/aes_x86core.c b/crypto/aes/aes_x86core.c
index e438580..41d3251 100644
--- a/crypto/aes/aes_x86core.c
+++ b/crypto/aes/aes_x86core.c
@@ -105,7 +105,7 @@ typedef unsigned long long u64;
 			})
 # endif
 #endif
-/*
+/*-
 Te [x] = S [x].[02, 01, 01, 03, 02, 01, 01, 03];
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -116,7 +116,7 @@ Te3[x] = S [x].[01, 01, 03, 02];
 #define Te1 (u32)((u64*)((u8*)Te+3))
 #define Te2 (u32)((u64*)((u8*)Te+2))
 #define Te3 (u32)((u64*)((u8*)Te+1))
-/*
+/*-
 Td [x] = Si[x].[0e, 09, 0d, 0b, 0e, 09, 0d, 0b];
 Td0[x] = Si[x].[0e, 09, 0d, 0b];
 Td1[x] = Si[x].[0b, 0e, 09, 0d];
diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c
index 7b4a193..2f7c790 100644
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -254,7 +254,8 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
 						signature);
 		if (rv == 1)
 			outl = signature->length;
-		/* Return value meanings:
+		/*-
+		 * Return value meanings:
 		 * <=0: error.
 		 *   1: method does everything.
 		 *   2: carry on as normal.
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 7036868..311e066 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -54,7 +54,8 @@
  */
 
 
-/* This is an implementation of the ASN1 Time structure which is:
+/*-
+ * This is an implementation of the ASN1 Time structure which is:
  *    Time ::= CHOICE {
  *      utcTime        UTCTime,
  *      generalTime    GeneralizedTime }
diff --git a/crypto/asn1/a_utf8.c b/crypto/asn1/a_utf8.c
index 508e11e..2105306 100644
--- a/crypto/asn1/a_utf8.c
+++ b/crypto/asn1/a_utf8.c
@@ -63,7 +63,8 @@
 
 /* UTF8 utilities */
 
-/* This parses a UTF8 string one character at a time. It is passed a pointer
+/*-
+ * This parses a UTF8 string one character at a time. It is passed a pointer
  * to the string and the length of the string. It sets 'value' to the value of
  * the current character. It returns the number of characters read or a
  * negative error code:
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 68be533..fc87e0c 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -367,7 +367,8 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
 
 TYPEDEF_D2I2D_OF(void);
 
-/* The following macros and typedefs allow an ASN1_ITEM
+/*-
+ * The following macros and typedefs allow an ASN1_ITEM
  * to be embedded in a structure and referenced. Since
  * the ASN1_ITEM pointers need to be globally accessible
  * (possibly from shared libraries) they may exist in
diff --git a/crypto/asn1/asn1t.h b/crypto/asn1/asn1t.h
index d230e4b..47502a6 100644
--- a/crypto/asn1/asn1t.h
+++ b/crypto/asn1/asn1t.h
@@ -129,7 +129,8 @@ extern "C" {
 
 /* This is a ASN1 type which just embeds a template */
  
-/* This pair helps declare a SEQUENCE. We can do:
+/*- 
+ * This pair helps declare a SEQUENCE. We can do:
  *
  * 	ASN1_SEQUENCE(stname) = {
  * 		... SEQUENCE components ...
@@ -231,7 +232,8 @@ extern "C" {
 	ASN1_ITEM_end(tname)
 
 
-/* This pair helps declare a CHOICE type. We can do:
+/*-
+ * This pair helps declare a CHOICE type. We can do:
  *
  * 	ASN1_CHOICE(chname) = {
  * 		... CHOICE options ...
diff --git a/crypto/asn1/x_attrib.c b/crypto/asn1/x_attrib.c
index 1e3713f..04ae991 100644
--- a/crypto/asn1/x_attrib.c
+++ b/crypto/asn1/x_attrib.c
@@ -62,7 +62,8 @@
 #include 
 #include 
 
-/* X509_ATTRIBUTE: this has the following form:
+/*-
+ * X509_ATTRIBUTE: this has the following form:
  *
  * typedef struct x509_attributes_st
  *	{
diff --git a/crypto/asn1/x_req.c b/crypto/asn1/x_req.c
index d575558..529899a 100644
--- a/crypto/asn1/x_req.c
+++ b/crypto/asn1/x_req.c
@@ -61,7 +61,8 @@
 #include 
 #include 
 
-/* X509_REQ_INFO is handled in an unusual way to get round
+/*-
+ * X509_REQ_INFO is handled in an unusual way to get round
  * invalid encodings. Some broken certificate requests don't
  * encode the attributes field if it is empty. This is in
  * violation of PKCS#10 but we need to tolerate it. We do
diff --git a/crypto/bf/blowfish.h b/crypto/bf/blowfish.h
index b97e76f..50787ed 100644
--- a/crypto/bf/blowfish.h
+++ b/crypto/bf/blowfish.h
@@ -72,7 +72,7 @@ extern "C" {
 #define BF_ENCRYPT	1
 #define BF_DECRYPT	0
 
-/*
+/*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! BF_LONG has to be at least 32 bits wide. If it's wider, then !
  * ! BF_LONG_LOG2 has to be defined along.                        !
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 143a7cf..bde51d8 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -94,7 +94,7 @@
  * on all source code distributions.
  */
 
-/*
+/*-
  * This code contains numerious changes and enhancements which were
  * made by lots of contributors over the last years to Patrick Powell's
  * original code:
diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
index 122ec04..3ea44ab 100644
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -218,7 +218,8 @@ extern "C" {
 #define BIO_GHBN_CTRL_FLUSH		5
 
 /* Mostly used in the SSL BIO */
-/* Not used anymore
+/*-
+ * Not used anymore
  * #define BIO_FLAGS_PROTOCOL_DELAYED_READ 0x10
  * #define BIO_FLAGS_PROTOCOL_DELAYED_WRITE 0x20
  * #define BIO_FLAGS_PROTOCOL_STARTUP	0x40
@@ -336,7 +337,8 @@ DECLARE_STACK_OF(BIO)
 
 typedef struct bio_f_buffer_ctx_struct
 	{
-	/* Buffers are setup like this:
+	/*-
+	 * Buffers are setup like this:
 	 *
 	 * <---------------------- size ----------------------->
 	 * +---------------------------------------------------+
@@ -715,7 +717,8 @@ int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
 		   int datalen);
 
 struct hostent *BIO_gethostbyname(const char *name);
-/* We might want a thread-safe interface too:
+/*-
+ * We might want a thread-safe interface too:
  * struct hostent *BIO_gethostbyname_r(const char *name,
  *     struct hostent *result, void *buffer, size_t buflen);
  * or something similar (caller allocates a struct hostent,
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index 4110ff1..0237c0f 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -436,7 +436,7 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
 		ret=(long)data->bind_mode;
 		break;
 	case BIO_CTRL_DUP:
-/*		dbio=(BIO *)ptr;
+/*-		dbio=(BIO *)ptr;
 		if (data->param_port) EAY EAY
 			BIO_set_port(dbio,data->param_port);
 		if (data->param_hostname)
diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c
index 52ef0eb..6d86587 100644
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -269,7 +269,8 @@ static int bio_read(BIO *bio, char *buf, int size_)
 	return size;
 	}
 
-/* non-copying interface: provide pointer to available data in buffer
+/*-
+ * non-copying interface: provide pointer to available data in buffer
  *    bio_nread0:  return number of available bytes
  *    bio_nread:   also advance index
  * (example usage:  bio_nread0(), read from buffer, bio_nread()
@@ -422,7 +423,8 @@ static int bio_write(BIO *bio, const char *buf, int num_)
 	return num;
 	}
 
-/* non-copying interface: provide pointer to region to write to
+/*-
+ * non-copying interface: provide pointer to region to write to
  *   bio_nwrite0:  check how much space is available
  *   bio_nwrite:   also increase length
  * (example usage:  bio_nwrite0(), write to buffer, bio_nwrite()
diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
index 7d97c0b..c6d12f4 100644
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -2,7 +2,7 @@
 #if !(defined(__GNUC__) && __GNUC__>=2)
 # include "../bn_asm.c"	/* kind of dirty hack for Sun Studio */
 #else
-/*
+/*-
  * x86_64 BIGNUM accelerator version 0.1, December 2002.
  *
  * Implemented by Andy Polyakov  for the OpenSSL
@@ -64,7 +64,7 @@
 #undef mul
 #undef mul_add
 
-/*
+/*-
  * "m"(a), "+m"(r)	is the way to favor DirectPath ?-code;
  * "g"(0)		let the compiler to decide where does it
  *			want to keep the value of zero;
diff --git a/crypto/bn/bn_add.c b/crypto/bn/bn_add.c
index 659e1d2..2584234 100644
--- a/crypto/bn/bn_add.c
+++ b/crypto/bn/bn_add.c
@@ -70,7 +70,8 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	bn_check_top(a);
 	bn_check_top(b);
 
-	/*  a +  b	a+b
+	/*-
+	 *  a +  b	a+b
 	 *  a + -b	a-b
 	 * -a +  b	b-a
 	 * -a + -b	-(a+b)
@@ -266,7 +267,8 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	bn_check_top(a);
 	bn_check_top(b);
 
-	/*  a -  b	a-b
+	/*-
+	 *  a -  b	a-b
 	 *  a - -b	a+b
 	 * -a -  b	-(a+b)
 	 * -a - -b	b-a
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 1b5c29c..da6b4cf 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -172,7 +172,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 #endif /* OPENSSL_NO_ASM */
 
 
-/* BN_div computes  dv := num / divisor,  rounding towards
+/*-
+ * BN_div computes  dv := num / divisor,  rounding towards
  * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
  * Thus:
  *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 3a1941a..45760a8 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -200,7 +200,8 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	bn_check_top(p);
 	bn_check_top(m);
 
-	/* For even modulus  m = 2^k*m_odd,  it might make sense to compute
+	/*-
+	 * For even modulus  m = 2^k*m_odd,  it might make sense to compute
 	 * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
 	 * exponentiation for the odd part), using appropriate exponent
 	 * reductions, and combine the results using the CRT.
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 63a77d2..233e3f5 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -263,7 +263,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 		if (!BN_nnmod(B, B, A, ctx)) goto err;
 		}
 	sign = -1;
-	/* From  B = a mod |n|,  A = |n|  it follows that
+	/*-
+	 * From  B = a mod |n|,  A = |n|  it follows that
 	 *
 	 *      0 <= B < A,
 	 *     -sign*X*a  ==  B   (mod |n|),
@@ -280,7 +281,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 		
 		while (!BN_is_zero(B))
 			{
-			/*
+			/*-
 			 *      0 < B < |n|,
 			 *      0 < A <= |n|,
 			 * (1) -sign*X*a  ==  B   (mod |n|),
@@ -327,7 +328,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 				}
 
 			
-			/* We still have (1) and (2).
+			/*-
+			 * We still have (1) and (2).
 			 * Both  A  and  B  are odd.
 			 * The following computations ensure that
 			 *
@@ -363,7 +365,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 			{
 			BIGNUM *tmp;
 			
-			/*
+			/*-
 			 *      0 < B < A,
 			 * (*) -sign*X*a  ==  B   (mod |n|),
 			 *      sign*Y*a  ==  A   (mod |n|)
@@ -410,7 +412,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 				if (!BN_div(D,M,A,B,ctx)) goto err;
 				}
 			
-			/* Now
+			/*-
+			 * Now
 			 *      A = D*B + M;
 			 * thus we have
 			 * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
@@ -423,7 +426,8 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 			B=M;
 			/* ... so we have  0 <= B < A  again */
 			
-			/* Since the former  M  is now  B  and the former  B  is now  A,
+			/*-
+			 * Since the former  M  is now  B  and the former  B  is now  A,
 			 * (**) translates into
 			 *       sign*Y*a  ==  D*A + B    (mod |n|),
 			 * i.e.
@@ -476,7 +480,7 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
 			}
 		}
 		
-	/*
+	/*-
 	 * The while loop (Euclid's algorithm) ends when
 	 *      A == gcd(a,n);
 	 * we have
@@ -565,7 +569,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		if (!BN_nnmod(B, pB, A, ctx)) goto err;
 		}
 	sign = -1;
-	/* From  B = a mod |n|,  A = |n|  it follows that
+	/*-
+	 * From  B = a mod |n|,  A = |n|  it follows that
 	 *
 	 *      0 <= B < A,
 	 *     -sign*X*a  ==  B   (mod |n|),
@@ -576,7 +581,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		{
 		BIGNUM *tmp;
 		
-		/*
+		/*-
 		 *      0 < B < A,
 		 * (*) -sign*X*a  ==  B   (mod |n|),
 		 *      sign*Y*a  ==  A   (mod |n|)
@@ -591,7 +596,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		/* (D, M) := (A/B, A%B) ... */		
 		if (!BN_div(D,M,pA,B,ctx)) goto err;
 		
-		/* Now
+		/*-
+		 * Now
 		 *      A = D*B + M;
 		 * thus we have
 		 * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
@@ -604,7 +610,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		B=M;
 		/* ... so we have  0 <= B < A  again */
 		
-		/* Since the former  M  is now  B  and the former  B  is now  A,
+		/*-
+		 * Since the former  M  is now  B  and the former  B  is now  A,
 		 * (**) translates into
 		 *       sign*Y*a  ==  D*A + B    (mod |n|),
 		 * i.e.
@@ -632,7 +639,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
 		sign = -sign;
 		}
 		
-	/*
+	/*-
 	 * The while loop (Euclid's algorithm) ends when
 	 *      A == gcd(a,n);
 	 * we have
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 260f67b..993579e 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -118,7 +118,8 @@
 extern "C" {
 #endif
 
-/* Bignum consistency macros
+/*-
+ * Bignum consistency macros
  * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from
  * bignum data after direct manipulations on the data. There is also an
  * "internal" macro, bn_check_top(), for verifying that there are no leading
@@ -268,7 +269,7 @@ struct bn_gencb_st
 	};
 
 
-/*
+/*-
  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
  *
  *
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index f0b449d..886de0d 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -72,7 +72,8 @@ const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT;
 
 /* This stuff appears to be completely unused, so is deprecated */
 #ifndef OPENSSL_NO_DEPRECATED
-/* For a 32 bit machine
+/*-
+ * For a 32 bit machine
  * 2 -   4 ==  128
  * 3 -   8 ==  256
  * 4 -  16 ==  512
diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c
index dde0919..a98e607 100644
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -348,7 +348,8 @@ BN_ULONG bn_add_part_words(BN_ULONG *r,
 /* Karatsuba recursive multiplication algorithm
  * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
 
-/* r is 2*n2 words in size,
+/*-
+ * r is 2*n2 words in size,
  * a and b are both n2 words in size.
  * n2 must be a power of 2.
  * We multiply and return the result.
@@ -466,7 +467,8 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p);
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 */
@@ -483,7 +485,8 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 * c1 holds the carry bits
@@ -638,7 +641,8 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 			}
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 */
@@ -655,7 +659,8 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 		c1+=(int)(bn_add_words(&(t[n2]),&(t[n2]),t,n2));
 		}
 
-	/* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+	/*-
+	 * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 * c1 holds the carry bits
@@ -682,7 +687,8 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
 		}
 	}
 
-/* a and b must be the same size, which is n2.
+/*-
+ * a and b must be the same size, which is n2.
  * r needs to be n2 words and t needs to be n2*2
  */
 void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
@@ -707,7 +713,8 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		}
 	}
 
-/* a and b must be the same size, which is n2.
+/*-
+ * a and b must be the same size, which is n2.
  * r needs to be n2 words and t needs to be n2*2
  * l is the low words of the output.
  * t needs to be n2*3
@@ -775,7 +782,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 		bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2]));
 		}
 
-	/* s0 == low(al*bl)
+	/*-
+	 * s0 == low(al*bl)
 	 * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
 	 * We know s0 and s1 so the only unknown is high(al*bl)
 	 * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
@@ -812,16 +820,19 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
 			lp[i]=((~mp[i])+1)&BN_MASK2;
 		}
 
-	/* s[0] = low(al*bl)
+	/*-
+	 * s[0] = low(al*bl)
 	 * t[3] = high(al*bl)
 	 * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
 	 * r[10] = (a[1]*b[1])
 	 */
-	/* R[10] = al*bl
+	/*-
+	 * R[10] = al*bl
 	 * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
 	 * R[32] = ah*bh
 	 */
-	/* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
+	/*-
+	 * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
 	 * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
 	 * R[3]=r[1]+(carry/borrow)
 	 */
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 2d66b61..9f39005 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -524,7 +524,8 @@ loop:
 		{
 		BN_ULONG rnd_word = BN_get_word(rnd);
 
-		/* In the case that the candidate prime is a single word then
+		/*-
+		 * In the case that the candidate prime is a single word then
 		 * we check that:
 		 *   1) It's greater than primes[i] because we shouldn't reject
 		 *      3 as being a prime number because it's a multiple of
@@ -532,7 +533,8 @@ loop:
 		 *   2) That it's not a multiple of a known prime. We don't
 		 *      check that rnd-1 is also coprime to all the known
 		 *      primes because there aren't many small primes where
-		 *      that's true. */
+		 *      that's true. 
+		 */
 		for (i=1; ishift == -1) goto err;
 
-	/* d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
+	/*-
+	 * d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
 	 *    = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i - BN_num_bits(N)))|
 	 *   <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
 	 *    = |m/N|
diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c
index 74d7df6..57da1e4 100644
--- a/crypto/bn/bn_sqr.c
+++ b/crypto/bn/bn_sqr.c
@@ -190,7 +190,8 @@ void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp)
 	}
 
 #ifdef BN_RECURSION
-/* r is 2*n words in size,
+/*-
+ * r is 2*n words in size,
  * a and b are both n words in size.    (There's not actually a 'b' here ...)
  * n must be a power of 2.
  * We multiply and return the result.
@@ -249,7 +250,8 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
 	bn_sqr_recursive(r,a,n,p);
 	bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
 
-	/* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+	/*-
+	 * t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
 	 * r[10] holds (a[0]*b[0])
 	 * r[32] holds (b[1]*b[1])
 	 */
@@ -259,7 +261,8 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
 	/* t[32] is negative */
 	c1-=(int)(bn_sub_words(&(t[n2]),t,&(t[n2]),n2));
 
-	/* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+	/*-
+	 * t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
 	 * r[10] holds (a[0]*a[0])
 	 * r[32] holds (a[1]*a[1])
 	 * c1 holds the carry bits
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
index 6beaf9e..04cf4a0 100644
--- a/crypto/bn/bn_sqrt.c
+++ b/crypto/bn/bn_sqrt.c
@@ -135,7 +135,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
 	if (e == 1)
 		{
-		/* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
+		/*-
+		 * The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
 		 * modulo  (|p|-1)/2,  and square roots can be computed
 		 * directly by modular exponentiation.
 		 * We have
@@ -152,7 +153,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	
 	if (e == 2)
 		{
-		/* |p| == 5  (mod 8)
+		/*-
+		 * |p| == 5  (mod 8)
 		 *
 		 * In this case  2  is always a non-square since
 		 * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
@@ -262,7 +264,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 		goto end;
 		}
 
-	/* Now we know that (if  p  is indeed prime) there is an integer
+	/*-
+	 * Now we know that (if  p  is indeed prime) there is an integer
 	 * k,  0 <= k < 2^e,  such that
 	 *
 	 *      a^q * y^k == 1   (mod p).
@@ -318,7 +321,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
 	while (1)
 		{
-		/* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
+		/*- 
+		 * Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
 		 * where  E  refers to the original value of  e,  which we
 		 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
 		 *
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index ff55876..7204c09 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -601,7 +601,8 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 					}
 				e++;
 				}
-			/* So at this point we have
+			/*-
+			 * So at this point we have
 			 * np which is the start of the name string which is
 			 *   '\0' terminated. 
 			 * cp which is the start of the section string which is
diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h
index 8af98c1..6410ca7 100644
--- a/crypto/constant_time_locl.h
+++ b/crypto/constant_time_locl.h
@@ -1,5 +1,5 @@
 /* crypto/constant_time_locl.h */
-/*
+/*-
  * Utilities for constant-time cryptography.
  *
  * Author: Emilia Kasper (emilia at openssl.org)
@@ -53,7 +53,7 @@
 extern "C" {
 #endif
 
-/*
+/*-
  * The boolean methods return a bitmask of all ones (0xff...f) for true
  * and 0 for false. This is useful for choosing a value based on the result
  * of a conditional in constant time. For example,
@@ -112,7 +112,7 @@ static inline unsigned int constant_time_eq_int(int a, int b);
 static inline unsigned char constant_time_eq_int_8(int a, int b);
 
 
-/*
+/*-
  * Returns (mask & a) | (~mask & b).
  *
  * When |mask| is all 1s or all 0s (as returned by the methods above),
diff --git a/crypto/constant_time_test.c b/crypto/constant_time_test.c
index d9c6a44..82c2d96 100644
--- a/crypto/constant_time_test.c
+++ b/crypto/constant_time_test.c
@@ -1,5 +1,5 @@
 /* crypto/constant_time_test.c */
-/*
+/*-
  * Utilities for constant-time cryptography.
  *
  * Author: Emilia Kasper (emilia at openssl.org)
diff --git a/crypto/crypto.h b/crypto/crypto.h
index d4be37b..f5cb4c7 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -525,7 +525,8 @@ int CRYPTO_remove_all_info(void);
 void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_free(void *addr,int before_p);
-/* Tell the debugging code about options.  By default, the following values
+/*-
+ * Tell the debugging code about options.  By default, the following values
  * apply:
  *
  * 0:                           Clear all options.
diff --git a/crypto/des/des_locl.h b/crypto/des/des_locl.h
index 5b53da9..3075c72 100644
--- a/crypto/des/des_locl.h
+++ b/crypto/des/des_locl.h
@@ -362,7 +362,8 @@
 #endif
 #endif
 
-	/* IP and FP
+	/*-
+	 * IP and FP
 	 * The problem is more of a geometric problem that random bit fiddling.
 	 0  1  2  3  4  5  6  7      62 54 46 38 30 22 14  6
 	 8  9 10 11 12 13 14 15      60 52 44 36 28 20 12  4
diff --git a/crypto/des/des_old.h b/crypto/des/des_old.h
index fab1c06..33169ad 100644
--- a/crypto/des/des_old.h
+++ b/crypto/des/des_old.h
@@ -1,6 +1,7 @@
 /* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
 
-/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+/*- 
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
  *
  * The function names in here are deprecated and are only present to
  * provide an interface compatible with openssl 0.9.6 and older as
diff --git a/crypto/des/destest.c b/crypto/des/destest.c
index 64b92a3..b5bcf8f 100644
--- a/crypto/des/destest.c
+++ b/crypto/des/destest.c
@@ -380,7 +380,7 @@ int main(int argc, char *argv[])
 			      DES_ENCRYPT);
 	DES_ede3_cbcm_encrypt(&cbc_data[16],&cbc_out[16],i-16,&ks,&ks2,&ks3,
 			      &iv3,&iv2,DES_ENCRYPT);
-	/*	if (memcmp(cbc_out,cbc3_ok,
+	/*-	if (memcmp(cbc_out,cbc3_ok,
 		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
 		{
 		printf("des_ede3_cbc_encrypt encrypt error\n");
diff --git a/crypto/des/enc_read.c b/crypto/des/enc_read.c
index edb6620..e6c4769 100644
--- a/crypto/des/enc_read.c
+++ b/crypto/des/enc_read.c
@@ -66,7 +66,7 @@
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_rw_mode,DES_PCBC_MODE)
 
 
-/*
+/*-
  * WARNINGS:
  *
  *  -  The data format used by DES_enc_write() and DES_enc_read()
diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c
index 2353ac1..cd5d676 100644
--- a/crypto/des/enc_writ.c
+++ b/crypto/des/enc_writ.c
@@ -63,7 +63,7 @@
 #include "des_locl.h"
 #include 
 
-/*
+/*-
  * WARNINGS:
  *
  *  -  The data format used by DES_enc_write() and DES_enc_read()
diff --git a/crypto/des/ncbc_enc.c b/crypto/des/ncbc_enc.c
index fda23d5..fdd8655 100644
--- a/crypto/des/ncbc_enc.c
+++ b/crypto/des/ncbc_enc.c
@@ -1,5 +1,5 @@
 /* crypto/des/ncbc_enc.c */
-/*
+/*-
  * #included by:
  *    cbc_enc.c  (DES_cbc_encrypt)
  *    des_enc.c  (DES_ncbc_encrypt)
diff --git a/crypto/des/rpc_des.h b/crypto/des/rpc_des.h
index 41328d7..94a1d11 100644
--- a/crypto/des/rpc_des.h
+++ b/crypto/des/rpc_des.h
@@ -57,7 +57,7 @@
  */
 
 /*  @(#)des.h	2.2 88/08/10 4.0 RPCSRC; from 2.7 88/02/08 SMI  */
-/*
+/*-
  * Sun RPC is a product of Sun Microsystems, Inc. and is provided for
  * unrestricted use provided that this legend is included on all tape
  * media and as a part of the software program in whole or part.  Users
diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c
index ce4faf2..37dec3c 100644
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -106,7 +106,8 @@ int DES_check_key_parity(const_DES_cblock *key)
 	return(1);
 	}
 
-/* Weak and semi week keys as take from
+/*-
+ * Weak and semi week keys as take from
  * %A D.W. Davies
  * %A W.L. Price
  * %T Security for Computer Networks
@@ -399,7 +400,7 @@ int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule)
 	{
 	return(DES_set_key(key,schedule));
 	}
-/*
+/*-
 #undef des_fixup_key_parity
 void des_fixup_key_parity(des_cblock *key)
 	{
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 9c4f613..0acd775 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -61,7 +61,8 @@
 #include 
 #include 
 
-/* Check that p is a safe prime and
+/*-
+ * Check that p is a safe prime and
  * if g is 2, 3 or 5, check that it is a suitable generator
  * where
  * for 2, p mod 24 == 11
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 3da2792..1d3cbe8 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -77,7 +77,8 @@ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *c
 	return dh_builtin_genparams(ret, prime_len, generator, cb);
 	}
 
-/* We generate DH parameters as follows
+/*-
+ * We generate DH parameters as follows
  * find a prime q which is prime_len/2 bits long.
  * p=(2*q)+1 or (p-1)/2 = q
  * For this case, g is a generator if
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 61a1b01..b8394fd 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -213,7 +213,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
 			goto decerr;
 		if (sk_ASN1_TYPE_num(ndsa) != 2)
 			goto decerr;
-		/* Handle Two broken types:
+		/*-
+		 * Handle Two broken types:
 	    	 * SEQUENCE {parameters, priv_key}
 		 * SEQUENCE {pub_key, priv_key}
 		 */
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index 9e441fa..55c75b5 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -167,7 +167,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 	}
 
 /* data has already been hashed (probably with SHA or SHA-1). */
-/* returns
+/*-
+ * returns
  *      1: correct signature
  *      0: incorrect signature
  *     -1: error
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index ff29e55..dc8afa5 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -93,7 +93,8 @@ NULL,
 NULL
 };
 
-/* These macro wrappers replace attempts to use the dsa_mod_exp() and
+/*-
+ * These macro wrappers replace attempts to use the dsa_mod_exp() and
  * bn_mod_exp() handlers in the DSA_METHOD structure. We avoid the problem of
  * having a the macro work as an expression by bundling an "err_instr". So;
  * 
diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c
index 868513c..d08de5e 100644
--- a/crypto/dso/dso_vms.c
+++ b/crypto/dso/dso_vms.c
@@ -174,7 +174,8 @@ static int vms_load(DSO *dso)
 		goto err;
 		}
 
-	/* A file specification may look like this:
+	/*-
+	 * A file specification may look like this:
 	 *
 	 *	node::dev:[dir-spec]name.type;ver
 	 *
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index f448aac..477e476 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -118,7 +118,7 @@ typedef enum {
 typedef struct ec_method_st EC_METHOD;
 
 typedef struct ec_group_st
-	/*
+	/*-
 	 EC_METHOD *meth;
 	 -- field definition
 	 -- curve coefficients
diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
index cc3ec83..c261b81 100644
--- a/crypto/ec/ec2_mult.c
+++ b/crypto/ec/ec2_mult.c
@@ -143,7 +143,8 @@ static int gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM
 	return ret;
 	}
 
-/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 
+/*-
+ * Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) 
  * using Montgomery point multiplication algorithm Mxy() in appendix of 
  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
@@ -212,7 +213,8 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
 	}
 
 
-/* Computes scalar*point and stores the result in r.
+/*-
+ * Computes scalar*point and stores the result in r.
  * point can not equal r.
  * Uses a modified algorithm 2P of
  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
@@ -318,7 +320,8 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 	}
 
 
-/* Computes the sum
+/*-
+ * Computes the sum
  *     scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1]
  * gracefully ignoring NULL scalar values.
  */
diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c
index 0bf87e6..7160360 100644
--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@@ -586,7 +586,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
 	lh = BN_CTX_get(ctx);
 	if (lh == NULL) goto err;
 
-	/* We have a curve defined by a Weierstrass equation
+	/*-
+	 * We have a curve defined by a Weierstrass equation
 	 *      y^2 + x*y = x^3 + a*x^2 + b.
 	 *  <=> x^3 + a*x^2 + x*y + b + y^2 = 0
 	 *  <=> ((x + a) * x + y ) * x + b + y^2 = 0
@@ -606,7 +607,8 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
 	}
 
 
-/* Indicates whether two points are equal.
+/*-
+ * Indicates whether two points are equal.
  * Return values:
  *  -1   error
  *   0   equal (in affine coordinates)
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index abd73ee..b7982d9 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -117,7 +117,8 @@ struct ec_method_st {
 	void (*point_clear_finish)(EC_POINT *);
 	int (*point_copy)(EC_POINT *, const EC_POINT *);
 
-	/* used by EC_POINT_set_to_infinity,
+	/*-
+	 * used by EC_POINT_set_to_infinity,
 	 * EC_POINT_set_Jprojective_coordinates_GFp,
 	 * EC_POINT_get_Jprojective_coordinates_GFp,
 	 * EC_POINT_set_affine_coordinates_GFp,     ..._GF2m,
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 3b5be30..eb83c62 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -482,7 +482,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	if (!(tmp = EC_POINT_new(group)))
 		goto err;
 
-	/* prepare precomputed values:
+	/*-
+	 * prepare precomputed values:
 	 *    val_sub[i][0] :=     points[i]
 	 *    val_sub[i][1] := 3 * points[i]
 	 *    val_sub[i][2] := 5 * points[i]
@@ -607,7 +608,8 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	}
 
 
-/* ec_wNAF_precompute_mult()
+/*-
+ * ec_wNAF_precompute_mult()
  * creates an EC_PRE_COMP object with preprecomputed multiples of the generator
  * for use with wNAF splitting as implemented in ec_wNAF_mul().
  * 
diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
index bf8021c..4c76827 100644
--- a/crypto/ec/ecp_nistp224.c
+++ b/crypto/ec/ecp_nistp224.c
@@ -46,7 +46,8 @@ typedef int64_t s64;
 
 
 /******************************************************************************/
-/*		    INTERNAL REPRESENTATION OF FIELD ELEMENTS
+/*-
+ * INTERNAL REPRESENTATION OF FIELD ELEMENTS
  *
  * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
  * using 64-bit coefficients called 'limbs',
@@ -94,7 +95,8 @@ static const felem_bytearray nistp224_curve_params[5] = {
 	 0x44,0xd5,0x81,0x99,0x85,0x00,0x7e,0x34}
 };
 
-/* Precomputed multiples of the standard generator
+/*-
+ * Precomputed multiples of the standard generator
  * Points are given in coordinates (X, Y, Z) where Z normally is 1
  * (0 for the point at infinity).
  * For each field element, slice a_0 is word 0, etc.
@@ -573,9 +575,11 @@ static void felem_reduce(felem out, const widefelem in)
 	/* output[3] <= 2^56 + 2^16 */
 	out[2] = output[2] & 0x00ffffffffffffff;
 
-	/* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
+	/*-
+	 * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
 	 * out[3] <= 2^56 + 2^16 (due to final carry),
-	 * so out < 2*p */
+	 * so out < 2*p 
+	 */
 	out[3] = output[3];
 	}
 
@@ -752,13 +756,15 @@ copy_conditional(felem out, const felem in, limb icopy)
  *
  */
 
-/* Double an elliptic curve point:
+/*-
+ * Double an elliptic curve point:
  * (X', Y', Z') = 2 * (X, Y, Z), where
  * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
  * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2
  * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
  * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
- * while x_out == y_in is not (maybe this works, but it's not tested). */
+ * while x_out == y_in is not (maybe this works, but it's not tested). 
+ */
 static void
 point_double(felem x_out, felem y_out, felem z_out,
              const felem x_in, const felem y_in, const felem z_in)
@@ -830,7 +836,8 @@ point_double(felem x_out, felem y_out, felem z_out,
 	felem_reduce(y_out, tmp);
 	}
 
-/* Add two elliptic curve points:
+/*-
+ * Add two elliptic curve points:
  * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
  * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
  * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
@@ -968,8 +975,10 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_scalar(ftmp5, 2);
 	/* ftmp5[i] < 2 * 2^57 = 2^58 */
 
-	/* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
-	   2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
+	/*-
+	 * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
+	 *  2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 
+	 */
 	felem_diff_128_64(tmp2, ftmp5);
 	/* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
 	felem_reduce(x_out, tmp2);
@@ -982,8 +991,10 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_mul(tmp2, ftmp3, ftmp2);
 	/* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
 
-	/* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
-	   z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
+	/*-
+	 * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
+	 *  z2^3*y1*(z1^2*x2 - z2^2*x1)^3 
+	 */
 	widefelem_diff(tmp2, tmp);
 	/* tmp2[i] < 2^118 + 2^120 < 2^121 */
 	felem_reduce(y_out, tmp2);
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 2f9bb57..cd87161 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -79,7 +79,8 @@ static const felem_bytearray nistp256_curve_params[5] = {
 	 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}
 };
 
-/* The representation of field elements.
+/*-
+ * The representation of field elements.
  * ------------------------------------
  *
  * We represent field elements with either four 128-bit values, eight 128-bit
@@ -248,7 +249,8 @@ static void longfelem_scalar(longfelem out, const u64 scalar)
 /* zero105 is 0 mod p */
 static const felem zero105 = { two105m41m9, two105, two105m41p9, two105m41p9 };
 
-/* smallfelem_neg sets |out| to |-small|
+/*-
+ * smallfelem_neg sets |out| to |-small|
  * On exit:
  *   out[i] < out[i] + 2^105
  */
@@ -261,7 +263,8 @@ static void smallfelem_neg(felem out, const smallfelem small)
 	out[3] = zero105[3] - small[3];
 	}
 
-/* felem_diff subtracts |in| from |out|
+/*-
+ * felem_diff subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^104
  * On exit:
@@ -288,7 +291,8 @@ static void felem_diff(felem out, const felem in)
 /* zero107 is 0 mod p */
 static const felem zero107 = { two107m43m11, two107, two107m43p11, two107m43p11 };
 
-/* An alternative felem_diff for larger inputs |in|
+/*-
+ * An alternative felem_diff for larger inputs |in|
  * felem_diff_zero107 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^106
@@ -309,7 +313,8 @@ static void felem_diff_zero107(felem out, const felem in)
 	out[3] -= in[3];
 	}
 
-/* longfelem_diff subtracts |in| from |out|
+/*-
+ * longfelem_diff subtracts |in| from |out|
  * On entry:
  *   in[i] < 7*2^67
  * On exit:
@@ -352,7 +357,8 @@ static void longfelem_diff(longfelem out, const longfelem in)
 /* zero110 is 0 mod p */
 static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 };
 
-/* felem_shrink converts an felem into a smallfelem. The result isn't quite
+/*-
+ * felem_shrink converts an felem into a smallfelem. The result isn't quite
  * minimal as the value may be greater than p.
  *
  * On entry:
@@ -404,12 +410,14 @@ static void felem_shrink(smallfelem out, const felem in)
 	/* As tmp[3] < 2^65, high is either 1 or 0 */
 	high <<= 63;
 	high >>= 63;
-	/* high is:
+	/*-
+	 * high is:
 	 *   all ones   if the high word of tmp[3] is 1
 	 *   all zeros  if the high word of tmp[3] if 0 */
 	low = tmp[3];
 	mask = low >> 63;
-	/* mask is:
+	/*-
+	 * mask is:
 	 *   all ones   if the MSB of low is 1
 	 *   all zeros  if the MSB of low if 0 */
 	low &= bottom63bits;
@@ -417,7 +425,8 @@ static void felem_shrink(smallfelem out, const felem in)
 	/* if low was greater than kPrime3Test then the MSB is zero */
 	low = ~low;
 	low >>= 63;
-	/* low is:
+	/*-
+	 * low is:
 	 *   all ones   if low was > kPrime3Test
 	 *   all zeros  if low was <= kPrime3Test */
 	mask = (mask & low) | high;
@@ -447,7 +456,8 @@ static void smallfelem_expand(felem out, const smallfelem in)
 	out[3] = in[3];
 	}
 
-/* smallfelem_square sets |out| = |small|^2
+/*- 
+ * smallfelem_square sets |out| = |small|^2
  * On entry:
  *   small[i] < 2^64
  * On exit:
@@ -525,7 +535,8 @@ static void smallfelem_square(longfelem out, const smallfelem small)
 	out[7] = high;
 	}
 
-/* felem_square sets |out| = |in|^2
+/*-
+ * felem_square sets |out| = |in|^2
  * On entry:
  *   in[i] < 2^109
  * On exit:
@@ -538,7 +549,8 @@ static void felem_square(longfelem out, const felem in)
 	smallfelem_square(out, small);
 	}
 
-/* smallfelem_mul sets |out| = |small1| * |small2|
+/*-
+ * smallfelem_mul sets |out| = |small1| * |small2|
  * On entry:
  *   small1[i] < 2^64
  *   small2[i] < 2^64
@@ -653,7 +665,8 @@ static void smallfelem_mul(longfelem out, const smallfelem small1, const smallfe
 	out[7] = high;
 	}
 
-/* felem_mul sets |out| = |in1| * |in2|
+/*-
+ * felem_mul sets |out| = |in1| * |in2|
  * On entry:
  *   in1[i] < 2^109
  *   in2[i] < 2^109
@@ -668,7 +681,8 @@ static void felem_mul(longfelem out, const felem in1, const felem in2)
 	smallfelem_mul(out, small1, small2);
 	}
 
-/* felem_small_mul sets |out| = |small1| * |in2|
+/*-
+ * felem_small_mul sets |out| = |small1| * |in2|
  * On entry:
  *   small1[i] < 2^64
  *   in2[i] < 2^109
@@ -688,7 +702,8 @@ static void felem_small_mul(longfelem out, const smallfelem small1, const felem
 /* zero100 is 0 mod p */
 static const felem zero100 = { two100m36m4, two100, two100m36p4, two100m36p4 };
 
-/* Internal function for the different flavours of felem_reduce.
+/*-
+ * Internal function for the different flavours of felem_reduce.
  * felem_reduce_ reduces the higher coefficients in[4]-in[7].
  * On entry:
  *   out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7] 
@@ -735,7 +750,8 @@ static void felem_reduce_(felem out, const longfelem in)
 	out[3] += (in[7] * 3);
 	}
 
-/* felem_reduce converts a longfelem into an felem.
+/*-
+ * felem_reduce converts a longfelem into an felem.
  * To be called directly after felem_square or felem_mul.
  * On entry:
  *   in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
@@ -752,7 +768,8 @@ static void felem_reduce(felem out, const longfelem in)
 
 	felem_reduce_(out, in);
 
-	/* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
+	/*-
+	 * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
 	 * out[1] > 2^100 - 2^64 - 7*2^96 > 0
 	 * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
 	 * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
@@ -764,7 +781,8 @@ static void felem_reduce(felem out, const longfelem in)
 	 */
 	}
 
-/* felem_reduce_zero105 converts a larger longfelem into an felem.
+/*-
+ * felem_reduce_zero105 converts a larger longfelem into an felem.
  * On entry:
  *   in[0] < 2^71
  * On exit:
@@ -779,7 +797,8 @@ static void felem_reduce_zero105(felem out, const longfelem in)
 
 	felem_reduce_(out, in);
 
-	/* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
+	/*-
+	 * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
 	 * out[1] > 2^105 - 2^71 - 2^103 > 0
 	 * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
 	 * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
@@ -881,7 +900,8 @@ static void smallfelem_mul_contract(smallfelem out, const smallfelem in1, const
 	felem_contract(out, tmp);
 	}
 
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+/*-
+ * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
  * otherwise.
  * On entry:
  *   small[i] < 2^64
@@ -926,7 +946,8 @@ static int smallfelem_is_zero_int(const smallfelem small)
 	return (int) (smallfelem_is_zero(small) & ((limb)1));
 	}
 
-/* felem_inv calculates |out| = |in|^{-1}
+/*-
+ * felem_inv calculates |out| = |in|^{-1}
  *
  * Based on Fermat's Little Theorem:
  *   a^p = a (mod p)
@@ -1005,14 +1026,16 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
 	felem_contract(out, tmp);
 	}
 
-/* Group operations
+/*-
+ * Group operations
  * ----------------
  *
  * Building on top of the field operations we have the operations on the
  * elliptic curve group itself. Points on the curve are represented in Jacobian
  * coordinates */
 
-/* point_double calculates 2*(x_in, y_in, z_in)
+/*-
+ * point_double calculates 2*(x_in, y_in, z_in)
  *
  * The method is taken from:
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -1140,7 +1163,8 @@ copy_small_conditional(felem out, const smallfelem in, limb mask)
 		}
 	}
 
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+/*-
+ * point_add calcuates (x1, y1, z1) + (x2, y2, z2)
  *
  * The method is taken from:
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1329,7 +1353,8 @@ static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
 	felem_shrink(z3, felem_z3);
 	}
 
-/* Base point pre computation
+/*-
+ * Base point pre computation
  * --------------------------
  *
  * Two different sorts of precomputed tables are used in the following code.
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 178b655..7ff3a0b 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -109,7 +109,8 @@ static const felem_bytearray nistp521_curve_params[5] =
 	 0x66, 0x50}
 	};
 
-/* The representation of field elements.
+/*-
+ * The representation of field elements.
  * ------------------------------------
  *
  * We represent field elements with nine values. These values are either 64 or
@@ -291,7 +292,8 @@ static void felem_scalar128(largefelem out, limb scalar)
 	out[8] *= scalar;
 	}
 
-/* felem_neg sets |out| to |-in|
+/*-
+ * felem_neg sets |out| to |-in|
  * On entry:
  *   in[i] < 2^59 + 2^14
  * On exit:
@@ -314,7 +316,8 @@ static void felem_neg(felem out, const felem in)
 	out[8] = two62m2 - in[8];
 	}
 
-/* felem_diff64 subtracts |in| from |out|
+/*-
+ * felem_diff64 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^59 + 2^14
  * On exit:
@@ -337,7 +340,8 @@ static void felem_diff64(felem out, const felem in)
 	out[8] += two62m2 - in[8];
 	}
 
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^62 + 2^17
  * On exit:
@@ -360,7 +364,8 @@ static void felem_diff_128_64(largefelem out, const felem in)
 	out[8] += two63m5 - in[8];
 	}
 
-/* felem_diff_128_64 subtracts |in| from |out|
+/*-
+ * felem_diff_128_64 subtracts |in| from |out|
  * On entry:
  *   in[i] < 2^126
  * On exit:
@@ -383,7 +388,8 @@ static void felem_diff128(largefelem out, const largefelem in)
 	out[8] += (two127m69 - in[8]);
 	}
 
-/* felem_square sets |out| = |in|^2
+/*-
+ * felem_square sets |out| = |in|^2
  * On entry:
  *   in[i] < 2^62
  * On exit:
@@ -395,7 +401,8 @@ static void felem_square(largefelem out, const felem in)
 	felem_scalar(inx2, in, 2);
 	felem_scalar(inx4, in, 4);
 
-	/* We have many cases were we want to do
+	/*-
+	 * We have many cases were we want to do
 	 *   in[x] * in[y] +
 	 *   in[y] * in[x]
 	 * This is obviously just
@@ -474,7 +481,8 @@ static void felem_square(largefelem out, const felem in)
 	out[7] += ((uint128_t) in[8]) * inx2[8];
 	}
 
-/* felem_mul sets |out| = |in1| * |in2|
+/*-
+ * felem_mul sets |out| = |in1| * |in2|
  * On entry:
  *   in1[i] < 2^64
  *   in2[i] < 2^63
@@ -589,7 +597,8 @@ static void felem_mul(largefelem out, const felem in1, const felem in2)
 
 static const limb bottom52bits = 0xfffffffffffff;
 
-/* felem_reduce converts a largefelem to an felem.
+/*-
+ * felem_reduce converts a largefelem to an felem.
  * On entry:
  *   in[i] < 2^128
  * On exit:
@@ -677,7 +686,8 @@ static void felem_mul_reduce(felem out, const felem in1, const felem in2)
 	felem_reduce(out, tmp);
 	}
 
-/* felem_inv calculates |out| = |in|^{-1}
+/*-
+ * felem_inv calculates |out| = |in|^{-1}
  *
  * Based on Fermat's Little Theorem:
  *   a^p = a (mod p)
@@ -769,7 +779,8 @@ static const felem kPrime =
 	0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
 	};
 
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+/*-
+ * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
  * otherwise.
  * On entry:
  *   in[i] < 2^59 + 2^14
@@ -834,7 +845,8 @@ static int felem_is_zero_int(const felem in)
 	return (int) (felem_is_zero(in) & ((limb)1));
 	}
 
-/* felem_contract converts |in| to its unique, minimal representation.
+/*-
+ * felem_contract converts |in| to its unique, minimal representation.
  * On entry:
  *   in[i] < 2^59 + 2^14
  */
@@ -930,14 +942,16 @@ static void felem_contract(felem out, const felem in)
 	sign = -(out[7] >> 63); out[7] += (two58 & sign); out[8] -= (1 & sign);
 	}
 
-/* Group operations
+/*-
+ * Group operations
  * ----------------
  *
  * Building on top of the field operations we have the operations on the
  * elliptic curve group itself. Points on the curve are represented in Jacobian
  * coordinates */
 
-/* point_double calcuates 2*(x_in, y_in, z_in)
+/*-
+ * point_double calcuates 2*(x_in, y_in, z_in)
  *
  * The method is taken from:
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
@@ -974,11 +988,13 @@ point_double(felem x_out, felem y_out, felem z_out,
 	felem_scalar64(ftmp2, 3);
 	/* ftmp2[i] < 3*2^60 + 3*2^15 */
 	felem_mul(tmp, ftmp, ftmp2);
-	/* tmp[i] < 17(3*2^121 + 3*2^76)
+	/*-
+	 * tmp[i] < 17(3*2^121 + 3*2^76)
 	 *        = 61*2^121 + 61*2^76
 	 *        < 64*2^121 + 64*2^76
 	 *        = 2^127 + 2^82
-	 *        < 2^128 */
+	 *        < 2^128 
+	 */
 	felem_reduce(alpha, tmp);
 
 	/* x' = alpha^2 - 8*beta */
@@ -1011,22 +1027,30 @@ point_double(felem x_out, felem y_out, felem z_out,
 	felem_diff64(beta, x_out);
 	/* beta[i] < 2^61 + 2^60 + 2^16 */
 	felem_mul(tmp, alpha, beta);
-	/* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
+	/*-
+	 * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
 	 *        = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) 
 	 *        = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
-	 *        < 2^128 */
+	 *        < 2^128 
+	 */
 	felem_square(tmp2, gamma);
-	/* tmp2[i] < 17*(2^59 + 2^14)^2
-	 *         = 17*(2^118 + 2^74 + 2^28) */
+	/*-
+	 * tmp2[i] < 17*(2^59 + 2^14)^2
+	 *         = 17*(2^118 + 2^74 + 2^28) 
+	 */
 	felem_scalar128(tmp2, 8);
-	/* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
+	/*- 
+	 * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
 	 *         = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
-	 *         < 2^126 */
+	 *         < 2^126 
+	 */
 	felem_diff128(tmp, tmp2);
-	/* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
+	/*-
+	 * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
 	 *        = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
 	 *          2^74 + 2^69 + 2^34 + 2^30
-	 *        < 2^128 */
+	 *        < 2^128 
+	 */
 	felem_reduce(y_out, tmp);
 	}
 
@@ -1042,7 +1066,8 @@ copy_conditional(felem out, const felem in, limb mask)
 		}
 	}
 
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+/*-
+ * point_add calcuates (x1, y1, z1) + (x2, y2, z2)
  *
  * The method is taken from
  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
@@ -1205,7 +1230,8 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_assign(z3, z_out);
 	}
 
-/* Base point pre computation
+/*-
+ * Base point pre computation
  * --------------------------
  *
  * Two different sorts of precomputed tables are used in the following code.
diff --git a/crypto/ec/ecp_nistputil.c b/crypto/ec/ecp_nistputil.c
index c8140c8..4ab42d8 100644
--- a/crypto/ec/ecp_nistputil.c
+++ b/crypto/ec/ecp_nistputil.c
@@ -107,7 +107,7 @@ void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array,
 		}
 	}
 
-/*
+/*-
  * This function looks at 5+1 scalar bits (5 current, 1 adjacent less
  * significant bit), and recodes them into a signed digit for use in fast point
  * multiplication: the use of signed rather than unsigned digits means that
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index c2192b3..bd9f7df 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -320,9 +320,11 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
 		if (!BN_copy(b, group->b)) goto err;
 		}
 	
-	/* check the discriminant:
+	/*-
+	 * check the discriminant:
 	 * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p) 
-         * 0 =< a, b < p */
+         * 0 =< a, b < p 
+	 */
 	if (BN_is_zero(a))
 		{
 		if (BN_is_zero(b)) goto err;
@@ -975,7 +977,8 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_C
 	Z6 = BN_CTX_get(ctx);
 	if (Z6 == NULL) goto err;
 
-	/* We have a curve defined by a Weierstrass equation
+	/*-
+	 * We have a curve defined by a Weierstrass equation
 	 *      y^2 = x^3 + a*x + b.
 	 * The point to consider is given in Jacobian projective coordinates
 	 * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
@@ -1081,7 +1084,8 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *
 	Zb23 = BN_CTX_get(ctx);
 	if (Zb23 == NULL) goto end;
 
-	/* We have to decide whether
+	/*-
+	 * We have to decide whether
 	 *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
 	 * or equivalently, whether
 	 *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c
index ef9acf7..ae14625 100644
--- a/crypto/ecdsa/ecs_vrf.c
+++ b/crypto/ecdsa/ecs_vrf.c
@@ -61,7 +61,8 @@
 #include 
 #endif
 
-/* returns
+/*-
+ * returns
  *      1: correct signature
  *      0: incorrect signature
  *     -1: error
@@ -75,7 +76,8 @@ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
 	return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, eckey);
 	}
 
-/* returns
+/*-
+ * returns
  *      1: correct signature
  *      0: incorrect signature
  *     -1: error
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 63bd1f5..fa6febf 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -82,7 +82,7 @@ void ENGINE_load_builtin_engines(void)
 #ifndef OPENSSL_NO_HW_4758_CCA
 	ENGINE_load_4758cca();
 #endif
-/*
+/*-
  * These engines have been disabled as they do not currently build
 #ifndef OPENSSL_NO_HW_AEP
 	ENGINE_load_aep();
diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h
index 5d382fa..a6f5dbc 100644
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -291,7 +291,8 @@ typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
 typedef int (*ENGINE_SSL_CLIENT_CERT_PTR)(ENGINE *, SSL *ssl,
 	STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
 	STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
-/* These callback types are for an ENGINE's handler for cipher and digest logic.
+/*-
+ * These callback types are for an ENGINE's handler for cipher and digest logic.
  * These handlers have these prototypes;
  *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
  *   int foo(ENGINE *e, const EVP_MD **digest, const int **nids, int nid);
@@ -359,13 +360,14 @@ void ENGINE_load_builtin_engines(void);
 unsigned int ENGINE_get_table_flags(void);
 void ENGINE_set_table_flags(unsigned int flags);
 
-/* Manage registration of ENGINEs per "table". For each type, there are 3
+/*- Manage registration of ENGINEs per "table". For each type, there are 3
  * functions;
  *   ENGINE_register_***(e) - registers the implementation from 'e' (if it has one)
  *   ENGINE_unregister_***(e) - unregister the implementation from 'e'
  *   ENGINE_register_all_***() - call ENGINE_register_***() for each 'e' in the list
  * Cleanup is automatically registered from each table when required, so
- * ENGINE_cleanup() will reverse any "register" operations. */
+ * ENGINE_cleanup() will reverse any "register" operations. 
+ */
 
 int ENGINE_register_RSA(ENGINE *e);
 void ENGINE_unregister_RSA(ENGINE *e);
diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c
index 3cf75f0..2ceb802 100644
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -396,7 +396,7 @@ static long enc_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 	return(ret);
 	}
 
-/*
+/*-
 void BIO_set_cipher_ctx(b,c)
 BIO *b;
 EVP_CIPHER_ctx *c;
diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c
index 144fdfd..6190156 100644
--- a/crypto/evp/bio_md.c
+++ b/crypto/evp/bio_md.c
@@ -264,7 +264,7 @@ static int md_gets(BIO *bp, char *buf, int size)
 	return((int)ret);
 	}
 
-/*
+/*-
 static int md_puts(bp,str)
 BIO *bp;
 char *str;
diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c
index ad8cad8..973439a 100644
--- a/crypto/evp/bio_ok.c
+++ b/crypto/evp/bio_ok.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-/*
+/*-
 	From: Arne Ansper 
 
 	Why BIO_f_reliable?
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index a4f7674..e612fd1 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -74,7 +74,8 @@
 #define conv_ascii2bin(a)	(data_ascii2bin[os_toascii[a]&0x7f])
 #endif
 
-/* 64 char lines
+/*-
+ * 64 char lines
  * pad input with 0
  * left over chars are set to =
  * 1 byte  => xx==
@@ -88,7 +89,8 @@
 static const unsigned char data_bin2ascii[65]="ABCDEFGHIJKLMNOPQRSTUVWXYZ\
 abcdefghijklmnopqrstuvwxyz0123456789+/";
 
-/* 0xF0 is a EOLN
+/*-
+ * 0xF0 is a EOLN
  * 0xF1 is ignore but next needs to be 0xF0 (for \r\n processing).
  * 0xF2 is EOF
  * 0xE0 is ignore at start of line.
@@ -228,7 +230,8 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
 	ctx->expect_nl=0;
 	}
 
-/* -1 for error
+/*-
+ * -1 for error
  *  0 for last line
  *  1 for full line
  */
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 757b796..7290c10 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -75,7 +75,7 @@
 #include 
 #endif
 
-/*
+/*-
 #define EVP_RC2_KEY_SIZE		16
 #define EVP_RC4_KEY_SIZE		16
 #define EVP_BLOWFISH_KEY_SIZE		16
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 94162d6..cff2942 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -185,7 +185,7 @@ BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
 		     init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 
-/*
+/*-
 #define BLOCK_CIPHER_defs(cname, kstruct, \
 				nid, block_size, key_len, iv_len, flags,\
 				 init_key, cleanup, set_asn1, get_asn1, ctrl)\
diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c
index e5919b0..6658302 100644
--- a/crypto/evp/p_seal.c
+++ b/crypto/evp/p_seal.c
@@ -94,7 +94,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek
 	return(npubk);
 	}
 
-/* MACRO
+/*- MACRO
 void EVP_SealUpdate(ctx,out,outl,in,inl)
 EVP_CIPHER_CTX *ctx;
 unsigned char *out;
diff --git a/crypto/idea/ideatest.c b/crypto/idea/ideatest.c
index d509f81..9764c0c 100644
--- a/crypto/idea/ideatest.c
+++ b/crypto/idea/ideatest.c
@@ -100,7 +100,7 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
 	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
 	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
 
-/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+/*-	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
 	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
 	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
 	}; 
diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c
index 9167a8d..e3003ad 100644
--- a/crypto/jpake/jpake.c
+++ b/crypto/jpake/jpake.c
@@ -370,7 +370,7 @@ int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
     BIGNUM *t1 = BN_new();
     BIGNUM *t2 = BN_new();
 
-   /*
+   /*-
     * X = g^{(xa + xc + xd) * xb * s}
     * t1 = g^xa
     */
@@ -382,7 +382,7 @@ int JPAKE_STEP2_generate(JPAKE_STEP2 *send, JPAKE_CTX *ctx)
    /* t2 = xb * s */
     BN_mod_mul(t2, ctx->xb, ctx->secret, ctx->p.q, ctx->ctx);
 
-   /*
+   /*-
     * ZKP(xb * s)
     * XXX: this is kinda funky, because we're using
     *
@@ -407,7 +407,7 @@ static int compute_key(JPAKE_CTX *ctx, const BIGNUM *gx)
     BIGNUM *t2 = BN_new();
     BIGNUM *t3 = BN_new();
 
-   /*
+   /*-
     * K = (gx/g^{xb * xd * s})^{xb}
     *   = (g^{(xc + xa + xb) * xd * s - xb * xd *s})^{xb}
     *   = (g^{(xa + xc) * xd * s})^{xb}
@@ -440,7 +440,7 @@ int JPAKE_STEP2_process(JPAKE_CTX *ctx, const JPAKE_STEP2 *received)
     BIGNUM *t2 = BN_new();
     int ret = 0;
 
-   /*
+   /*-
     * g' = g^{xc + xa + xb} [from our POV]
     * t1 = xa + xb
     */
diff --git a/crypto/jpake/jpaketest.c b/crypto/jpake/jpaketest.c
index eaba75e..a183262 100644
--- a/crypto/jpake/jpaketest.c
+++ b/crypto/jpake/jpaketest.c
@@ -128,12 +128,12 @@ int main(int argc, char **argv)
 
     ERR_load_crypto_strings();
 
-    /*
+    /*-
     BN_hex2bn(&p, "fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7");
     BN_hex2bn(&g, "f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a");
     BN_hex2bn(&q, "9760508f15230bccb292b982a2eb840bf0581cf5");
     */
-    /*
+    /*-
     p = BN_new();
     BN_generate_prime(p, 1024, 1, NULL, NULL, NULL, NULL);
     */
diff --git a/crypto/krb5/krb5_asn.h b/crypto/krb5/krb5_asn.h
index 41725d0..7d7868d 100644
--- a/crypto/krb5/krb5_asn.h
+++ b/crypto/krb5/krb5_asn.h
@@ -71,14 +71,14 @@ extern "C" {
 
 
 /*	ASN.1 from Kerberos RFC 1510
-*/
+ */
 
-/*	EncryptedData ::=   SEQUENCE {
-**		etype[0]                      INTEGER, -- EncryptionType
-**		kvno[1]                       INTEGER OPTIONAL,
-**		cipher[2]                     OCTET STRING -- ciphertext
-**	}
-*/
+/*-	EncryptedData ::=   SEQUENCE {
+ *		etype[0]                      INTEGER, -- EncryptionType
+ *		kvno[1]                       INTEGER OPTIONAL,
+ *		cipher[2]                     OCTET STRING -- ciphertext
+ *	}
+ */
 typedef	struct	krb5_encdata_st
 	{
 	ASN1_INTEGER			*etype;
@@ -88,11 +88,11 @@ typedef	struct	krb5_encdata_st
 
 DECLARE_STACK_OF(KRB5_ENCDATA)
 
-/*	PrincipalName ::=   SEQUENCE {
-**		name-type[0]                  INTEGER,
-**		name-string[1]                SEQUENCE OF GeneralString
-**	}
-*/
+/*-	PrincipalName ::=   SEQUENCE {
+ *		name-type[0]                  INTEGER,
+ *		name-string[1]                SEQUENCE OF GeneralString
+ *	}
+ */
 typedef	struct	krb5_princname_st
 	{
 	ASN1_INTEGER			*nametype;
@@ -102,13 +102,13 @@ typedef	struct	krb5_princname_st
 DECLARE_STACK_OF(KRB5_PRINCNAME)
 
 
-/*	Ticket ::=	[APPLICATION 1] SEQUENCE {
-**		tkt-vno[0]                    INTEGER,
-**		realm[1]                      Realm,
-**		sname[2]                      PrincipalName,
-**		enc-part[3]                   EncryptedData
-**	}
-*/
+/*-	Ticket ::=	[APPLICATION 1] SEQUENCE {
+ *		tkt-vno[0]                    INTEGER,
+ *		realm[1]                      Realm,
+ *		sname[2]                      PrincipalName,
+ *		enc-part[3]                   EncryptedData
+ *	}
+ */
 typedef	struct	krb5_tktbody_st
 	{
 	ASN1_INTEGER			*tktvno;
@@ -121,17 +121,17 @@ typedef STACK_OF(KRB5_TKTBODY) KRB5_TICKET;
 DECLARE_STACK_OF(KRB5_TKTBODY)
 
 
-/*	AP-REQ ::=      [APPLICATION 14] SEQUENCE {
-**		pvno[0]                       INTEGER,
-**		msg-type[1]                   INTEGER,
-**		ap-options[2]                 APOptions,
-**		ticket[3]                     Ticket,
-**		authenticator[4]              EncryptedData
-**	}
-**
-**	APOptions ::=   BIT STRING {
-**		reserved(0), use-session-key(1), mutual-required(2) }
-*/
+/*-	AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+ *		pvno[0]                       INTEGER,
+ *		msg-type[1]                   INTEGER,
+ *		ap-options[2]                 APOptions,
+ *		ticket[3]                     Ticket,
+ *		authenticator[4]              EncryptedData
+ *	}
+ *
+ *	APOptions ::=   BIT STRING {
+ *		reserved(0), use-session-key(1), mutual-required(2) }
+ */
 typedef	struct	krb5_ap_req_st
 	{
 	ASN1_INTEGER			*pvno;
@@ -148,11 +148,11 @@ DECLARE_STACK_OF(KRB5_APREQBODY)
 /*	Authenticator Stuff	*/
 
 
-/*	Checksum ::=   SEQUENCE {
-**		cksumtype[0]                  INTEGER,
-**		checksum[1]                   OCTET STRING
-**	}
-*/
+/*-	Checksum ::=   SEQUENCE {
+ *		cksumtype[0]                  INTEGER,
+ *		checksum[1]                   OCTET STRING
+ *	}
+ */
 typedef	struct	krb5_checksum_st
 	{
 	ASN1_INTEGER			*ctype;
@@ -162,11 +162,11 @@ typedef	struct	krb5_checksum_st
 DECLARE_STACK_OF(KRB5_CHECKSUM)
 
 
-/*	EncryptionKey ::=   SEQUENCE {
-**		keytype[0]                    INTEGER,
-**		keyvalue[1]                   OCTET STRING
-**	}
-*/
+/*-	EncryptionKey ::=   SEQUENCE {
+ *		keytype[0]                    INTEGER,
+ *		keyvalue[1]                   OCTET STRING
+ *	}
+ */
 typedef struct  krb5_encryptionkey_st
 	{
 	ASN1_INTEGER			*ktype;
@@ -176,11 +176,11 @@ typedef struct  krb5_encryptionkey_st
 DECLARE_STACK_OF(KRB5_ENCKEY)
 
 
-/*	AuthorizationData ::=   SEQUENCE OF SEQUENCE {
-**		ad-type[0]                    INTEGER,
-**              ad-data[1]                    OCTET STRING
-**	}
-*/
+/*-	AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+ *		ad-type[0]                    INTEGER,
+ *              ad-data[1]                    OCTET STRING
+ *	}
+ */
 typedef struct	krb5_authorization_st
 	{
 	ASN1_INTEGER			*adtype;
@@ -190,19 +190,19 @@ typedef struct	krb5_authorization_st
 DECLARE_STACK_OF(KRB5_AUTHDATA)
 
 			
-/*	-- Unencrypted authenticator
-**	Authenticator ::=    [APPLICATION 2] SEQUENCE    {
-**		authenticator-vno[0]          INTEGER,
-**		crealm[1]                     Realm,
-**		cname[2]                      PrincipalName,
-**		cksum[3]                      Checksum OPTIONAL,
-**		cusec[4]                      INTEGER,
-**		ctime[5]                      KerberosTime,
-**		subkey[6]                     EncryptionKey OPTIONAL,
-**		seq-number[7]                 INTEGER OPTIONAL,
-**		authorization-data[8]         AuthorizationData OPTIONAL
-**	}
-*/
+/*-	-- Unencrypted authenticator
+ *	Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+ *		authenticator-vno[0]          INTEGER,
+ *		crealm[1]                     Realm,
+ *		cname[2]                      PrincipalName,
+ *		cksum[3]                      Checksum OPTIONAL,
+ *		cusec[4]                      INTEGER,
+ *		ctime[5]                      KerberosTime,
+ *		subkey[6]                     EncryptionKey OPTIONAL,
+ *		seq-number[7]                 INTEGER OPTIONAL,
+ *		authorization-data[8]         AuthorizationData OPTIONAL
+ *	}
+ */
 typedef struct	krb5_authenticator_st
 	{
 	ASN1_INTEGER			*avno;
@@ -220,15 +220,15 @@ typedef STACK_OF(KRB5_AUTHENTBODY) KRB5_AUTHENT;
 DECLARE_STACK_OF(KRB5_AUTHENTBODY)
 
 
-/*  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
-**	type *name##_new(void);
-**	void name##_free(type *a);
-**	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
-**	 DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
-**	  type *d2i_##name(type **a, const unsigned char **in, long len);
-**	  int i2d_##name(type *a, unsigned char **out);
-**	  DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
-*/
+/*-  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
+ *	type *name##_new(void);
+ *	void name##_free(type *a);
+ *	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
+ *	 DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
+ *	  type *d2i_##name(type **a, const unsigned char **in, long len);
+ *	  int i2d_##name(type *a, unsigned char **out);
+ *	  DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
+ */
 
 DECLARE_ASN1_FUNCTIONS(KRB5_ENCDATA)
 DECLARE_ASN1_FUNCTIONS(KRB5_PRINCNAME)
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index 47f7480..a60914a 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -56,7 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-/* Code for dynamic hash table routines
+/*-
+ * Code for dynamic hash table routines
  * Author - Eric Young v 2.0
  *
  * 2.2 eay - added #include "crypto.h" so the memory leak checking code is
diff --git a/crypto/md32_common.h b/crypto/md32_common.h
index 2146154..9388dad 100644
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -49,7 +49,7 @@
  *
  */
 
-/*
+/*-
  * This is a generic 32 bit "collector" for message digest algorithms.
  * Whenever needed it collects input character stream into chunks of
  * 32 bit values and invokes a block function that performs actual hash
diff --git a/crypto/md4/md4.h b/crypto/md4/md4.h
index c3ed9b3..631c1b2 100644
--- a/crypto/md4/md4.h
+++ b/crypto/md4/md4.h
@@ -70,7 +70,7 @@ extern "C" {
 #error MD4 is disabled.
 #endif
 
-/*
+/*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! MD4_LONG has to be at least 32 bits wide. If it's wider, then !
  * ! MD4_LONG_LOG2 has to be defined along.			   !
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 662b6ff..261dc59 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -82,7 +82,7 @@
 	} \
 } while(0)
 
-/*
+/*-
  * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
  * never be set to 8. 8 is effectively reserved for testing purposes.
  * TABLE_BITS>1 are lookup-table-driven implementations referred to as
diff --git a/crypto/o_time.c b/crypto/o_time.c
index 362e9e7..e02b651 100644
--- a/crypto/o_time.c
+++ b/crypto/o_time.c
@@ -148,7 +148,8 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 		/* Since there was no gmtime_r() to do this stuff for us,
 		   we have to do it the hard way. */
 		{
-		/* The VMS epoch is the astronomical Smithsonian date,
+		/*-
+		 * The VMS epoch is the astronomical Smithsonian date,
 		   if I remember correctly, which is November 17, 1858.
 		   Furthermore, time is measure in thenths of microseconds
 		   and stored in quadwords (64 bit integers).  unix_epoch
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index bd0ee52..42d2457 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -639,7 +639,8 @@
 #define NID_ripemd160WithRSA		119
 #define OBJ_ripemd160WithRSA		1L,3L,36L,3L,3L,1L,2L
 
-/* Taken from rfc2040
+/*-
+ * Taken from rfc2040
  *  RC5_CBC_Parameters ::= SEQUENCE {
  *	version           INTEGER (v1_0(16)),
  *	rounds            INTEGER (8..127),
@@ -1028,7 +1029,7 @@ const void *	OBJ_bsearch_ex_(const void *key,const void *base,int num,
 #define DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, nm)	\
   type2 * OBJ_bsearch_##nm(type1 *key, type2 const *base, int num)
 
-/*
+/*-
  * Unsolved problem: if a type is actually a pointer type, like
  * nid_triple is, then its impossible to get a const where you need
  * it. Consider:
diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index b2acebe..e033191 100644
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -90,7 +90,7 @@ extern "C" {
 #define OCSP_RESPID_KEY			0x400
 #define OCSP_NOTIME			0x800
 
-/*   CertID ::= SEQUENCE {
+/*-  CertID ::= SEQUENCE {
  *       hashAlgorithm            AlgorithmIdentifier,
  *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
  *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
@@ -106,7 +106,7 @@ typedef struct ocsp_cert_id_st
 
 DECLARE_STACK_OF(OCSP_CERTID)
 
-/*   Request ::=     SEQUENCE {
+/*-  Request ::=     SEQUENCE {
  *       reqCert                    CertID,
  *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
  */
@@ -120,7 +120,7 @@ DECLARE_STACK_OF(OCSP_ONEREQ)
 DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
 
 
-/*   TBSRequest      ::=     SEQUENCE {
+/*-  TBSRequest      ::=     SEQUENCE {
  *       version             [0] EXPLICIT Version DEFAULT v1,
  *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
  *       requestList             SEQUENCE OF Request,
@@ -134,7 +134,7 @@ typedef struct ocsp_req_info_st
 	STACK_OF(X509_EXTENSION) *requestExtensions;
 	} OCSP_REQINFO;
 
-/*   Signature       ::=     SEQUENCE {
+/*-  Signature       ::=     SEQUENCE {
  *       signatureAlgorithm   AlgorithmIdentifier,
  *       signature            BIT STRING,
  *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
@@ -146,7 +146,7 @@ typedef struct ocsp_signature_st
 	STACK_OF(X509) *certs;
 	} OCSP_SIGNATURE;
 
-/*   OCSPRequest     ::=     SEQUENCE {
+/*-  OCSPRequest     ::=     SEQUENCE {
  *       tbsRequest                  TBSRequest,
  *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
  */
@@ -156,7 +156,7 @@ typedef struct ocsp_request_st
 	OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
 	} OCSP_REQUEST;
 
-/*   OCSPResponseStatus ::= ENUMERATED {
+/*-  OCSPResponseStatus ::= ENUMERATED {
  *       successful            (0),      --Response has valid confirmations
  *       malformedRequest      (1),      --Illegal confirmation request
  *       internalError         (2),      --Internal error in issuer
@@ -173,7 +173,7 @@ typedef struct ocsp_request_st
 #define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
 #define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
 
-/*   ResponseBytes ::=       SEQUENCE {
+/*-  ResponseBytes ::=       SEQUENCE {
  *       responseType   OBJECT IDENTIFIER,
  *       response       OCTET STRING }
  */
@@ -183,7 +183,7 @@ typedef struct ocsp_resp_bytes_st
 	ASN1_OCTET_STRING *response;
 	} OCSP_RESPBYTES;
 
-/*   OCSPResponse ::= SEQUENCE {
+/*-  OCSPResponse ::= SEQUENCE {
  *      responseStatus         OCSPResponseStatus,
  *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
  */
@@ -193,7 +193,7 @@ struct ocsp_response_st
 	OCSP_RESPBYTES  *responseBytes;
 	};
 
-/*   ResponderID ::= CHOICE {
+/*-  ResponderID ::= CHOICE {
  *      byName   [1] Name,
  *      byKey    [2] KeyHash }
  */
@@ -211,11 +211,11 @@ struct ocsp_responder_id_st
 DECLARE_STACK_OF(OCSP_RESPID)
 DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
 
-/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+/*-  KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
  *                            --(excluding the tag and length fields)
  */
 
-/*   RevokedInfo ::= SEQUENCE {
+/*-  RevokedInfo ::= SEQUENCE {
  *       revocationTime              GeneralizedTime,
  *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
  */
@@ -225,7 +225,7 @@ typedef struct ocsp_revoked_info_st
 	ASN1_ENUMERATED *revocationReason;
 	} OCSP_REVOKEDINFO;
 
-/*   CertStatus ::= CHOICE {
+/*-  CertStatus ::= CHOICE {
  *       good                [0]     IMPLICIT NULL,
  *       revoked             [1]     IMPLICIT RevokedInfo,
  *       unknown             [2]     IMPLICIT UnknownInfo }
@@ -243,7 +243,7 @@ typedef struct ocsp_cert_status_st
 		} value;
 	} OCSP_CERTSTATUS;
 
-/*   SingleResponse ::= SEQUENCE {
+/*-  SingleResponse ::= SEQUENCE {
  *      certID                       CertID,
  *      certStatus                   CertStatus,
  *      thisUpdate                   GeneralizedTime,
@@ -262,7 +262,7 @@ typedef struct ocsp_single_response_st
 DECLARE_STACK_OF(OCSP_SINGLERESP)
 DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
 
-/*   ResponseData ::= SEQUENCE {
+/*-  ResponseData ::= SEQUENCE {
  *      version              [0] EXPLICIT Version DEFAULT v1,
  *      responderID              ResponderID,
  *      producedAt               GeneralizedTime,
@@ -278,7 +278,7 @@ typedef struct ocsp_response_data_st
 	STACK_OF(X509_EXTENSION) *responseExtensions;
 	} OCSP_RESPDATA;
 
-/*   BasicOCSPResponse       ::= SEQUENCE {
+/*-  BasicOCSPResponse       ::= SEQUENCE {
  *      tbsResponseData      ResponseData,
  *      signatureAlgorithm   AlgorithmIdentifier,
  *      signature            BIT STRING,
@@ -308,7 +308,7 @@ typedef struct ocsp_basic_response_st
 	STACK_OF(X509) *certs;
 	} OCSP_BASICRESP;
 
-/*
+/*-
  *   CRLReason ::= ENUMERATED {
  *        unspecified             (0),
  *        keyCompromise           (1),
@@ -329,7 +329,8 @@ typedef struct ocsp_basic_response_st
 #define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
 #define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
 
-/* CrlID ::= SEQUENCE {
+/*-
+ * CrlID ::= SEQUENCE {
  *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
  *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
  *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
@@ -341,7 +342,8 @@ typedef struct ocsp_crl_id_st
 	ASN1_GENERALIZEDTIME *crlTime;
         } OCSP_CRLID;
 
-/* ServiceLocator ::= SEQUENCE {
+/*-
+ * ServiceLocator ::= SEQUENCE {
  *      issuer    Name,
  *      locator   AuthorityInfoAccessSyntax OPTIONAL }
  */
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 22b87f9..f40abf4 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -5,7 +5,8 @@
 extern "C" {
 #endif
 
-/* Numeric release version identifier:
+/*-
+ * Numeric release version identifier:
  * MNNFFPPS: major minor fix patch status
  * The status nibble has one of the values 0 for development, 1 to e for betas
  * 1 to 14, and f for release.  The patch level is exactly that.
@@ -38,7 +39,8 @@ extern "C" {
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
 
-/* The macros below are to be used for shared library (.so, .dll, ...)
+/*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
  * versioning.  That kind of versioning works a bit differently between
  * operating systems.  The most usual scheme is to set a major and a minor
  * number, and have the runtime loader check that the major number is equal
diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h
index b7f1efa..7078637 100644
--- a/crypto/pkcs7/pkcs7.h
+++ b/crypto/pkcs7/pkcs7.h
@@ -76,7 +76,7 @@ extern "C" {
 #undef PKCS7_SIGNER_INFO
 #endif
 
-/*
+/*-
 Encryption_ID		DES-CBC
 Digest_ID		MD5
 Digest_Encryption_ID	rsaEncryption
diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c
index 0a74e40..0f32094 100644
--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@@ -58,7 +58,7 @@
 #include 
 #include 
 
-/*
+/*-
  * Query the EGD .
  *
  * This module supplies three routines:
diff --git a/crypto/rc2/rc2test.c b/crypto/rc2/rc2test.c
index 0e11743..945b179 100644
--- a/crypto/rc2/rc2test.c
+++ b/crypto/rc2/rc2test.c
@@ -129,7 +129,7 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE]={
 	0x2C,0x17,0x25,0xD0,0x1A,0x38,0xB7,0x2A,
 	0x39,0x61,0x37,0xDC,0x79,0xFB,0x9F,0x45
 
-/*	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
+/*-	0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
 	0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
 	0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
 	}; 
diff --git a/crypto/rc4/rc4_enc.c b/crypto/rc4/rc4_enc.c
index 0cc5ac4..ee0fe8d 100644
--- a/crypto/rc4/rc4_enc.c
+++ b/crypto/rc4/rc4_enc.c
@@ -79,7 +79,7 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
         d=key->data; 
 
 #if defined(RC4_CHUNK) && !defined(PEDANTIC)
-	/*
+	/*-
 	 * The original reason for implementing this(*) was the fact that
 	 * pre-21164a Alpha CPUs don't have byte load/store instructions
 	 * and e.g. a byte store has to be done with 64-bit load, shift,
@@ -126,7 +126,7 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
 		RC4_CHUNK ichunk,otp;
 		const union { long one; char little; } is_endian = {1};
 
-		/*
+		/*-
 		 * I reckon we can afford to implement both endian
 		 * cases and to decide which way to take at run-time
 		 * because the machine code appears to be very compact
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index f890f89..4b79332 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -98,7 +98,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
 	hLen = M_EVP_MD_size(Hash);
 	if (hLen < 0)
 		goto err;
-	/*
+	/*-
 	 * Negative sLen has special meanings:
 	 *	-1	sLen == hLen
 	 *	-2	salt length is autorecovered from signature
@@ -210,7 +210,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
 	hLen = M_EVP_MD_size(Hash);
 	if (hLen < 0)
 		goto err;
-	/*
+	/*-
 	 * Negative sLen has special meanings:
 	 *	-1	sLen == hLen
 	 *	-2	salt length is maximized
diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h
index 7cbca26..c5dd660 100644
--- a/crypto/sha/sha.h
+++ b/crypto/sha/sha.h
@@ -70,7 +70,7 @@ extern "C" {
 #error SHA is disabled.
 #endif
 
-/*
+/*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
  * ! SHA_LONG_LOG2 has to be defined along.                        !
diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c
index 080b33e..5be98d3 100644
--- a/crypto/sha/sha512.c
+++ b/crypto/sha/sha512.c
@@ -6,7 +6,7 @@
  */
 #include 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
-/*
+/*-
  * IMPLEMENTATION NOTES.
  *
  * As you might have noticed 32-bit hash algorithms:
diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h
index 5327cb8..99393cb 100644
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
@@ -101,7 +101,8 @@ STACK_OF(type) \
 #define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/
 
 
-/* Strings are special: normally an lhash entry will point to a single
+/*-
+ * Strings are special: normally an lhash entry will point to a single
  * (somewhat) mutable object. In the case of strings:
  *
  * a) Instead of a single char, there is an array of chars, NUL-terminated.
@@ -110,7 +111,7 @@ STACK_OF(type) \
  * So, they need their own declarations. Especially important for
  * type-checking tools, such as Deputy.
  *
-o * In practice, however, it appears to be hard to have a const
+ * In practice, however, it appears to be hard to have a const
  * string. For now, I'm settling for dealing with the fact it is a
  * string at all.
  */
diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h
index c2448e3..b5fe7ae 100644
--- a/crypto/ts/ts.h
+++ b/crypto/ts/ts.h
@@ -98,7 +98,7 @@ extern "C" {
 #include 
 #include 
 
-/*
+/*-
 MessageImprint ::= SEQUENCE  {
      hashAlgorithm                AlgorithmIdentifier,
      hashedMessage                OCTET STRING  }
@@ -110,7 +110,7 @@ typedef struct TS_msg_imprint_st
 	ASN1_OCTET_STRING *hashed_msg;
 	} TS_MSG_IMPRINT;
 
-/*
+/*-
 TimeStampReq ::= SEQUENCE  {
    version                  INTEGER  { v1(1) },
    messageImprint           MessageImprint,
@@ -132,7 +132,7 @@ typedef struct TS_req_st
 	STACK_OF(X509_EXTENSION) *extensions;	/* [0] OPTIONAL */
 	} TS_REQ;
 
-/*
+/*-
 Accuracy ::= SEQUENCE {
                 seconds        INTEGER           OPTIONAL,
                 millis     [0] INTEGER  (1..999) OPTIONAL,
@@ -146,7 +146,7 @@ typedef struct TS_accuracy_st
 	ASN1_INTEGER *micros;
 	} TS_ACCURACY;
 
-/*
+/*-
 TSTInfo ::= SEQUENCE  {
     version                      INTEGER  { v1(1) },
     policy                       TSAPolicyId,
@@ -180,7 +180,7 @@ typedef struct TS_tst_info_st
 	STACK_OF(X509_EXTENSION) *extensions;
 	} TS_TST_INFO;	
 
-/*
+/*-
 PKIStatusInfo ::= SEQUENCE {
     status        PKIStatus,
     statusString  PKIFreeText     OPTIONAL,
@@ -223,7 +223,7 @@ typedef struct TS_status_info_st
 DECLARE_STACK_OF(ASN1_UTF8STRING)
 DECLARE_ASN1_SET_OF(ASN1_UTF8STRING)
 
-/*
+/*-
 TimeStampResp ::= SEQUENCE  {
      status                  PKIStatusInfo,
      timeStampToken          TimeStampToken     OPTIONAL }
@@ -238,7 +238,7 @@ typedef struct TS_resp_st
 
 /* The structure below would belong to the ESS component. */
 
-/*
+/*-
 IssuerSerial ::= SEQUENCE {
 	issuer                   GeneralNames,
 	serialNumber             CertificateSerialNumber
@@ -251,7 +251,7 @@ typedef struct ESS_issuer_serial
 	ASN1_INTEGER		*serial;
 	} ESS_ISSUER_SERIAL;
 
-/*
+/*-
 ESSCertID ::=  SEQUENCE {
         certHash                 Hash,
         issuerSerial             IssuerSerial OPTIONAL
@@ -267,7 +267,7 @@ typedef struct ESS_cert_id
 DECLARE_STACK_OF(ESS_CERT_ID)
 DECLARE_ASN1_SET_OF(ESS_CERT_ID)
 
-/*
+/*-
 SigningCertificate ::=  SEQUENCE {
        certs        SEQUENCE OF ESSCertID,
        policies     SEQUENCE OF PolicyInformation OPTIONAL
@@ -691,7 +691,7 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
 
-/* 
+/*-
  * If ctx is NULL, it allocates and returns a new object, otherwise
  * it returns ctx. It initialises all the members as follows:
  * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 3c7f816..cee1398 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -393,7 +393,7 @@ int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
 	return ret;
 	}
 
-/*
+/*-
  * Verifies whether the 'token' contains a valid time stamp token 
  * with regards to the settings of the context. Only those checks are
  * carried out that are specified in the context:
diff --git a/crypto/ui/ui.h b/crypto/ui/ui.h
index 5c4ff49..f23ae16 100644
--- a/crypto/ui/ui.h
+++ b/crypto/ui/ui.h
@@ -84,7 +84,8 @@ UI *UI_new(void);
 UI *UI_new_method(const UI_METHOD *method);
 void UI_free(UI *ui);
 
-/* The following functions are used to add strings to be printed and prompt
+/*-
+   The following functions are used to add strings to be printed and prompt
    strings to prompt for data.  The names are UI_{add,dup}__string
    and UI_{add,dup}_input_boolean.
 
@@ -243,7 +244,8 @@ UI_METHOD *UI_OpenSSL(void);
 
 
 /* ---------- For method writers ---------- */
-/* A method contains a number of functions that implement the low level
+/*-
+   A method contains a number of functions that implement the low level
    of the User Interface.  The functions are:
 
 	an opener	This function starts a session, maybe by opening
diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c
index ee5c5c1..1b782e2 100644
--- a/crypto/whrlpool/wp_dgst.c
+++ b/crypto/whrlpool/wp_dgst.c
@@ -140,7 +140,7 @@ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *_inp,size_t bits)
 	else				/* bit-oriented loop */
 #endif
 		{
-		/*
+		/*-
 			   inp
 			   |
 			   +-------+-------+-------
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index ad804f2..46c1d44 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -549,7 +549,7 @@ typedef struct Netscape_certificate_sequence
 	STACK_OF(X509) *certs;
 	} NETSCAPE_CERT_SEQUENCE;
 
-/* Unused (and iv length is wrong)
+/*- Unused (and iv length is wrong)
 typedef struct CBCParameter_st
 	{
 	unsigned char iv[8];
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 79281c6..47426c7 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -624,7 +624,8 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
 	}
 
 
-/* Try to get issuer certificate from store. Due to limitations
+/*-
+ * Try to get issuer certificate from store. Due to limitations
  * of the API this can only retrieve a single certificate matching
  * a given subject name. However it will fill the cache with all
  * matching certificates, so we can examine the cache for all
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 8a6f10d..aff2b0c 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -97,7 +97,7 @@ typedef struct x509_file_st
 	} X509_CERT_FILE_CTX;
 
 /*******************************/
-/*
+/*-
 SSL_CTX -> X509_STORE    
 		-> X509_LOOKUP
 			->X509_LOOKUP_METHOD
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index a809219..92ac038 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -193,7 +193,8 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
 	OPENSSL_free(param);
 	}
 
-/* This function determines how parameters are "inherited" from one structure
+/*-
+ * This function determines how parameters are "inherited" from one structure
  * to another. There are several different ways this can happen.
  *
  * 1. If a child structure needs to have its values initialized from a parent
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
index 27bc4dc..81f40f5 100644
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@@ -157,14 +157,16 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
 		set_prev=ret->set-1;
 	set_next=sk_X509_NAME_ENTRY_value(sk,loc)->set;
 
-	/* set_prev is the previous set
+	/*-
+	 * set_prev is the previous set
 	 * set is the current set
 	 * set_next is the following
 	 * prev  1 1	1 1	1 1	1 1
 	 * set   1	1	2	2
 	 * next  1 1	2 2	2 2	3 2
 	 * so basically only if prev and next differ by 2, then
-	 * re-number down by 1 */
+	 * re-number down by 1 
+	 */
 	if (set_prev+1 < set_next)
 		for (i=loc; iset--;
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index 93470c3..361bc32 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -758,7 +758,8 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree)
 
 	}
 
-/* Application policy checking function.
+/*-
+ * Application policy checking function.
  * Return codes:
  *  0 	Internal Error.
  *  1   Successful.
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 26a6f67..06520fe 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -225,7 +225,8 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
 	return 1;
 	}
 
-/* Check a certificate conforms to a specified set of constraints.
+/*-
+ * Check a certificate conforms to a specified set of constraints.
  * Return values:
  *  X509_V_OK: All constraints obeyed.
  *  X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
@@ -234,7 +235,6 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
  *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:  Unsupported constraint type.
  *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
  *  X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
-
  */
 
 int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 5f931db..8e0a685 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -497,7 +497,8 @@ static void x509v3_cache_extensions(X509 *x)
 	x->ex_flags |= EXFLAG_SET;
 }
 
-/* CA checks common to all purposes
+/*-
+ * CA checks common to all purposes
  * return codes:
  * 0 not a CA
  * 1 is a CA
@@ -700,7 +701,8 @@ static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 	return 1;
 }
 
-/* Various checks to see if one certificate issued the second.
+/*-
+ * Various checks to see if one certificate issued the second.
  * This can be used to prune a set of possible issuer certificates
  * which have been looked up using some simple method such as by
  * subject name.
diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
index 3bf1579..5367271 100644
--- a/crypto/x509v3/v3_scts.c
+++ b/crypto/x509v3/v3_scts.c
@@ -226,7 +226,8 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
 		sct->version = *p2++;
 		if (sct->version == 0)		/* SCT v1 */
 			{
-			/* Fixed-length header:
+			/*- 
+			 * Fixed-length header:
 			 *		struct {
 			 * (1 byte)	  Version sct_version;
 			 * (32 bytes)	  LogID id;
@@ -251,7 +252,8 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
 			p2 += fieldlen;
 			sctlen -= fieldlen;
 
-			/* digitally-signed struct header:
+			/*-
+			 * digitally-signed struct header:
 			 * (1 byte)       Hash algorithm
 			 * (1 byte)       Signature algorithm
 			 * (2 bytes + ?)  Signature
diff --git a/crypto/x509v3/v3nametest.c b/crypto/x509v3/v3nametest.c
index dd5f9f8..fbf82d0 100644
--- a/crypto/x509v3/v3nametest.c
+++ b/crypto/x509v3/v3nametest.c
@@ -91,7 +91,7 @@ static int set_cn(X509 *crt, ...)
 	return ret;
 	}
 
-/*
+/*-
 int		X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
 			int nid, int crit, ASN1_OCTET_STRING *data);
diff --git a/demos/asn1/ocsp.c b/demos/asn1/ocsp.c
index e89f1f7..e2535f3 100644
--- a/demos/asn1/ocsp.c
+++ b/demos/asn1/ocsp.c
@@ -62,7 +62,8 @@
 
 
 
-/* Example of new ASN1 code, OCSP request
+/*- 
+   Example of new ASN1 code, OCSP request
 
 	OCSPRequest     ::=     SEQUENCE {
 	    tbsRequest                  TBSRequest,
diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c
index 864017d..22ea442 100644
--- a/demos/easy_tls/easy-tls.c
+++ b/demos/easy_tls/easy-tls.c
@@ -3,7 +3,7 @@
  * easy-tls.c -- generic TLS proxy.
  * $Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $
  */
-/*
+/*-
  (c) Copyright 1999 Bodo Moeller.  All rights reserved.
 
  This is free software; you can redistributed and/or modify it
@@ -14,7 +14,7 @@
  or
    -  the following license:
 */
-/*
+/*-
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that each of the following
  * conditions is met:
@@ -185,7 +185,8 @@ tls_start_proxy_defaultargs(void)
     return ret;
 }
 
-/* Slice in TLS proxy process at fd.
+/*- 
+ * Slice in TLS proxy process at fd.
  * Return value:
  *   0    ok  (*pid is set to child's PID if pid != NULL),
  *   < 0  look at errno
diff --git a/e_os.h b/e_os.h
index 8b7bcf2..1d27b63 100644
--- a/e_os.h
+++ b/e_os.h
@@ -371,7 +371,8 @@ static __inline unsigned int _strlen31(const char *str)
 #    define NUL_DEV		"NLA0:"
   /* We don't have any well-defined random devices on VMS, yet... */
 #    undef DEVRANDOM
-  /* We need to do this since VMS has the following coding on status codes:
+  /*-
+     We need to do this since VMS has the following coding on status codes:
 
      Bits 0-2: status type: 0 = warning, 1 = success, 2 = error, 3 = info ...
                The important thing to know is that odd numbers are considered
diff --git a/e_os2.h b/e_os2.h
index dc6ee2d..3789bd4 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -203,24 +203,25 @@ extern "C" {
 # define OPENSSL_DECLARE_EXIT /* declared in unistd.h */
 #endif
 
-/* Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN, to define and declare
-   certain global symbols that, with some compilers under VMS, have to be
-   defined and declared explicitely with globaldef and globalref.
-   Definitions of OPENSSL_EXPORT and OPENSSL_IMPORT, to define and declare
-   DLL exports and imports for compilers under Win32.  These are a little
-   more complicated to use.  Basically, for any library that exports some
-   global variables, the following code must be present in the header file
-   that declares them, before OPENSSL_EXTERN is used:
-
-   #ifdef SOME_BUILD_FLAG_MACRO
-   # undef OPENSSL_EXTERN
-   # define OPENSSL_EXTERN OPENSSL_EXPORT
-   #endif
-
-   The default is to have OPENSSL_EXPORT, OPENSSL_IMPORT and OPENSSL_GLOBAL
-   have some generally sensible values, and for OPENSSL_EXTERN to have the
-   value OPENSSL_IMPORT.
-*/
+/*-
+ * Definitions of OPENSSL_GLOBAL and OPENSSL_EXTERN, to define and declare
+ * certain global symbols that, with some compilers under VMS, have to be
+ * defined and declared explicitely with globaldef and globalref.
+ * Definitions of OPENSSL_EXPORT and OPENSSL_IMPORT, to define and declare
+ * DLL exports and imports for compilers under Win32.  These are a little
+ * more complicated to use.  Basically, for any library that exports some
+ * global variables, the following code must be present in the header file
+ * that declares them, before OPENSSL_EXTERN is used:
+ *
+ * #ifdef SOME_BUILD_FLAG_MACRO
+ * # undef OPENSSL_EXTERN
+ * # define OPENSSL_EXTERN OPENSSL_EXPORT
+ * #endif
+ *
+ * The default is to have OPENSSL_EXPORT, OPENSSL_IMPORT and OPENSSL_GLOBAL
+ * have some generally sensible values, and for OPENSSL_EXTERN to have the
+ * value OPENSSL_IMPORT.
+ */
 
 #if defined(OPENSSL_SYS_VMS_NODECC)
 # define OPENSSL_EXPORT globalref
@@ -237,16 +238,17 @@ extern "C" {
 #endif
 #define OPENSSL_EXTERN OPENSSL_IMPORT
 
-/* Macros to allow global variables to be reached through function calls when
-   required (if a shared library version requires it, for example.
-   The way it's done allows definitions like this:
-
-	// in foobar.c
-	OPENSSL_IMPLEMENT_GLOBAL(int,foobar,0)
-	// in foobar.h
-	OPENSSL_DECLARE_GLOBAL(int,foobar);
-	#define foobar OPENSSL_GLOBAL_REF(foobar)
-*/
+/*-
+ * Macros to allow global variables to be reached through function calls when
+ * required (if a shared library version requires it, for example.
+ * The way it's done allows definitions like this:
+ *
+ *	// in foobar.c
+ *	OPENSSL_IMPLEMENT_GLOBAL(int,foobar,0)
+ *	// in foobar.h
+ *	OPENSSL_DECLARE_GLOBAL(int,foobar);
+ *	#define foobar OPENSSL_GLOBAL_REF(foobar)
+ */
 #ifdef OPENSSL_EXPORT_VAR_AS_FUNCTION
 # define OPENSSL_IMPLEMENT_GLOBAL(type,name,value)			\
 	type *_shadow_##name(void)					\
diff --git a/engines/ccgost/gost89.c b/engines/ccgost/gost89.c
index c1474cb..2b6201b 100644
--- a/engines/ccgost/gost89.c
+++ b/engines/ccgost/gost89.c
@@ -9,7 +9,8 @@
  **********************************************************************/ 
 #include 
 #include "gost89.h"
-/* Substitution blocks from RFC 4357 
+/*-
+   Substitution blocks from RFC 4357 
    
    Note: our implementation of gost 28147-89 algorithm 
    uses S-box matrix rotated 90 degrees counterclockwise, relative to 
diff --git a/engines/ccgost/gost_ctl.c b/engines/ccgost/gost_ctl.c
index d3cd171..4b0fa19 100644
--- a/engines/ccgost/gost_ctl.c
+++ b/engines/ccgost/gost_ctl.c
@@ -18,7 +18,7 @@ static char *gost_params[GOST_PARAM_MAX+1]={NULL};
 static const char *gost_envnames[]={"CRYPT_PARAMS"};
 const ENGINE_CMD_DEFN gost_cmds[]=
 	{
-/*	{ GOST_CTRL_RNG,
+/*-	{ GOST_CTRL_RNG,
 	"RNG",
 	"Type of random number generator to use",
 	ENGINE_CMD_FLAG_STRING
diff --git a/engines/ccgost/gost_keywrap.c b/engines/ccgost/gost_keywrap.c
index c618f6d..c8a4508 100644
--- a/engines/ccgost/gost_keywrap.c
+++ b/engines/ccgost/gost_keywrap.c
@@ -11,7 +11,8 @@
 #include "gost89.h"
 #include "gost_keywrap.h"
 
-/* Diversifies key using random UserKey Material
+/*-
+ * Diversifies key using random UserKey Material
  * Implements RFC 4357 p 6.5 key diversification algorithm 
  * 
  * inputKey - 32byte key to be diversified
@@ -58,7 +59,7 @@ void keyDiversifyCryptoPro(gost_ctx *ctx,const unsigned char *inputKey, const un
 	}	
 	
 
-/*
+/*-
  * Wraps key using RFC 4357 6.3
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey (KEK) 32-byte (256-bit) shared key
@@ -78,7 +79,7 @@ int keyWrapCryptoPro(gost_ctx *ctx,const unsigned char *keyExchangeKey, const un
 	gost_mac_iv(ctx,32,ukm,sessionKey,32,wrappedKey+40);
 	return 1;
 	}
-/*
+/*-
  * Unwraps key using RFC 4357 6.4
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey 32-byte shared key
diff --git a/engines/ccgost/gost_keywrap.h b/engines/ccgost/gost_keywrap.h
index 37c2a0f..80c7927 100644
--- a/engines/ccgost/gost_keywrap.h
+++ b/engines/ccgost/gost_keywrap.h
@@ -11,7 +11,8 @@
 #define GOST_KEYWRAP_H
 #include 
 #include "gost89.h"
-/* Diversifies key using random UserKey Material
+/*-
+ * Diversifies key using random UserKey Material
  * Implements RFC 4357 p 6.5 key diversification algorithm 
  * 
  * inputKey - 32byte key to be diversified
@@ -23,7 +24,7 @@ void keyDiversifyCryptoPro(gost_ctx *ctx,
 	const unsigned char *inputKey, 
 	const unsigned char *ukm, 
 	unsigned char *outputKey);
-/*
+/*-
  * Wraps key using RFC 4357 6.3
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey (KEK) 32-byte (256-bit) shared key
@@ -37,7 +38,7 @@ int keyWrapCryptoPro(gost_ctx *ctx,
 	const unsigned char *ukm,
 	const	unsigned char *sessionKey, 
 	unsigned char *wrappedKey) ;
-/*
+/*-
  * Unwraps key using RFC 4357 6.4
  * ctx - gost encryption context, initialized with some S-boxes 
  * keyExchangeKey 32-byte shared key
diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c
index 93a1f27..17e9f13 100644
--- a/engines/ccgost/gost_sign.c
+++ b/engines/ccgost/gost_sign.c
@@ -101,7 +101,7 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst,int dlen, DSA *dsa)
  * Packs signature according to Cryptocom rules
  * and frees up DSA_SIG structure
  */
-/*
+/*-
 int pack_sign_cc(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen)
 	{
 	*siglen = 2*order;
@@ -248,7 +248,7 @@ int gost_sign_keygen(DSA *dsa)
 	}
 
 /* Unpack signature according to cryptocom rules  */
-/*
+/*-
 DSA_SIG *unpack_cc_signature(const unsigned char *sig,size_t siglen)
 	{
 	DSA_SIG *s;
diff --git a/engines/e_chil.c b/engines/e_chil.c
index fdc2100..9999fcc 100644
--- a/engines/e_chil.c
+++ b/engines/e_chil.c
@@ -76,7 +76,8 @@
 #ifndef OPENSSL_NO_HW
 #ifndef OPENSSL_NO_HW_CHIL
 
-/* Attribution notice: nCipher have said several times that it's OK for
+/*-
+ * Attribution notice: nCipher have said several times that it's OK for
  * us to implement a general interface to their boxes, and recently declared
  * their HWCryptoHook to be public, and therefore available for us to use.
  * Thanks, nCipher.
diff --git a/engines/e_gmp.c b/engines/e_gmp.c
index a3d4715..6166e9b 100644
--- a/engines/e_gmp.c
+++ b/engines/e_gmp.c
@@ -62,7 +62,8 @@
  * otherwise paths must be specified - eg. try configuring with
  * "enable-gmp -I -L -lgmp". YMMV. */
 
-/* As for what this does - it's a largely unoptimised implementation of an
+/*-
+ * As for what this does - it's a largely unoptimised implementation of an
  * ENGINE that uses the GMP library to perform RSA private key operations. To
  * obtain more information about what "unoptimised" means, see my original mail
  * on the subject (though ignore the build instructions which have since
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 26e2edf..42a11b5 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -1,4 +1,4 @@
-/* 
+/*-
  * Support for VIA PadLock Advanced Cryptography Engine (ACE)
  * Written by Michal Ludvig 
  *            http://www.logix.cz/michal
diff --git a/engines/vendor_defns/hwcryptohook.h b/engines/vendor_defns/hwcryptohook.h
index 482f1f2..f84f9d0 100644
--- a/engines/vendor_defns/hwcryptohook.h
+++ b/engines/vendor_defns/hwcryptohook.h
@@ -1,4 +1,4 @@
-/*
+/*-
  * ModExp / RSA (with/without KM) plugin API
  *
  * The application will load a dynamic library which
@@ -84,7 +84,8 @@
 
 #if HWCRYPTOHOOK_DECLARE_APPTYPES
 
-/* These structs are defined by the application and opaque to the
+/*-
+ * These structs are defined by the application and opaque to the
  * crypto plugin.  The application may define these as it sees fit.
  * Default declarations are provided here, but the application may
  *  #define HWCRYPTOHOOK_DECLARE_APPTYPES 0
@@ -100,7 +101,8 @@ typedef struct HWCryptoHook_CallerContextValue HWCryptoHook_CallerContext;
 
 #endif /* HWCRYPTOHOOK_DECLARE_APPTYPES */
 
-/* These next two structs are opaque to the application.  The crypto
+/*- 
+ * These next two structs are opaque to the application.  The crypto
  * plugin will return pointers to them; the caller simply manipulates
  * the pointers.
  */
@@ -111,7 +113,8 @@ typedef struct {
   char *buf;
   size_t size;
 } HWCryptoHook_ErrMsgBuf;
-/* Used for error reporting.  When a HWCryptoHook function fails it
+/*-
+ * Used for error reporting.  When a HWCryptoHook function fails it
  * will return a sentinel value (0 for pointer-valued functions, or a
  * negative number, usually HWCRYPTOHOOK_ERROR_FAILED, for
  * integer-valued ones).  It will, if an ErrMsgBuf is passed, also put
@@ -130,7 +133,8 @@ typedef struct HWCryptoHook_MPIStruct {
   unsigned char *buf;
   size_t size;
 } HWCryptoHook_MPI;
-/* When one of these is returned, a pointer is passed to the function.
+/*-
+ * When one of these is returned, a pointer is passed to the function.
  * At call, size is the space available.  Afterwards it is updated to
  * be set to the actual length (which may be more than the space available,
  * if there was not enough room and the result was truncated).
@@ -143,7 +147,8 @@ typedef struct HWCryptoHook_MPIStruct {
 
 #define HWCryptoHook_InitFlags_FallbackModExp    0x0002UL
 #define HWCryptoHook_InitFlags_FallbackRSAImmed  0x0004UL
-/* Enable requesting fallback to software in case of problems with the
+/*- 
+ * Enable requesting fallback to software in case of problems with the
  * hardware support.  This indicates to the crypto provider that the
  * application is prepared to fall back to software operation if the
  * ModExp* or RSAImmed* functions return HWCRYPTOHOOK_ERROR_FALLBACK.
@@ -154,7 +159,8 @@ typedef struct HWCryptoHook_MPIStruct {
  */
 
 #define HWCryptoHook_InitFlags_SimpleForkCheck   0x0010UL
-/* Without _SimpleForkCheck the library is allowed to assume that the
+/*-
+ * Without _SimpleForkCheck the library is allowed to assume that the
  * application will not fork and call the library in the child(ren).
  *
  * When it is specified, this is allowed.  However, after a fork
@@ -174,7 +180,8 @@ typedef struct {
   int mslimbfirst; /* 0 or 1 */
   int msbytefirst; /* 0 or 1; -1 = native */
 
-  /* All the callback functions should return 0 on success, or a
+  /*-
+   * All the callback functions should return 0 on success, or a
    * nonzero integer (whose value will be visible in the error message
    * put in the buffer passed to the call).
    *
@@ -183,7 +190,8 @@ typedef struct {
    * The callbacks may not call down again into the crypto plugin.
    */
   
-  /* For thread-safety.  Set everything to 0 if you promise only to be
+  /*-
+   * For thread-safety.  Set everything to 0 if you promise only to be
    * singlethreaded.  maxsimultaneous is the number of calls to
    * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA.  If you don't know what to
    * put there then say 0 and the hook library will use a default.
@@ -207,7 +215,8 @@ typedef struct {
   void (*mutex_release)(HWCryptoHook_Mutex*);
   void (*mutex_destroy)(HWCryptoHook_Mutex*);
 
-  /* For greater efficiency, can use condition vars internally for
+  /*-
+   * For greater efficiency, can use condition vars internally for
    * synchronisation.  In this case maxsimultaneous is ignored, but
    * the other mutex stuff must be available.  In singlethreaded
    * programs, set everything to 0.
@@ -219,7 +228,8 @@ typedef struct {
   void (*condvar_broadcast)(HWCryptoHook_CondVar*);
   void (*condvar_destroy)(HWCryptoHook_CondVar*);
   
-  /* The semantics of acquiring and releasing mutexes and broadcasting
+  /*-
+   * The semantics of acquiring and releasing mutexes and broadcasting
    * and waiting on condition variables are expected to be those from
    * POSIX threads (pthreads).  The mutexes may be (in pthread-speak)
    * fast mutexes, recursive mutexes, or nonrecursive ones.
@@ -234,7 +244,8 @@ typedef struct {
                        int *len_io, char *buf,
                        HWCryptoHook_PassphraseContext *ppctx,
                        HWCryptoHook_CallerContext *cactx);
-  /* Passphrases and the prompt_info, if they contain high-bit-set
+  /*-
+   * Passphrases and the prompt_info, if they contain high-bit-set
    * characters, are UTF-8.  The prompt_info may be a null pointer if
    * no prompt information is available (it should not be an empty
    * string).  It will not contain text like `enter passphrase';
@@ -251,7 +262,8 @@ typedef struct {
                       const char *wrong_info,
                       HWCryptoHook_PassphraseContext *ppctx,
                       HWCryptoHook_CallerContext *cactx);
-  /* Requests that the human user physically insert a different
+  /*-
+   * Requests that the human user physically insert a different
    * smartcard, DataKey, etc.  The plugin should check whether the
    * currently inserted token(s) are appropriate, and if they are it
    * should not make this call.
@@ -263,7 +275,8 @@ typedef struct {
    * syntactically similar to that of prompt_info. 
    */
   
-  /* Note that a single LoadKey operation might cause several calls to
+  /*-
+   * Note that a single LoadKey operation might cause several calls to
    * getpassphrase and/or requestphystoken.  If requestphystoken is
    * not provided (ie, a null pointer is passed) then the plugin may
    * not support loading keys for which authorisation by several cards
@@ -285,7 +298,8 @@ typedef struct {
    */
 
   void (*logmessage)(void *logstream, const char *message);
-  /* A log message will be generated at least every time something goes
+  /*-
+   * A log message will be generated at least every time something goes
    * wrong and an ErrMsgBuf is filled in (or would be if one was
    * provided).  Other diagnostic information may be written there too,
    * including more detailed reasons for errors which are reported in an
@@ -325,7 +339,8 @@ HWCryptoHook_ContextHandle HWCryptoHook_Init_t(const HWCryptoHook_InitInfo *init
                                                HWCryptoHook_CallerContext *cactx);
 extern HWCryptoHook_Init_t HWCryptoHook_Init;
 
-/* Caller should set initinfosize to the size of the HWCryptoHook struct,
+/*-
+ * Caller should set initinfosize to the size of the HWCryptoHook struct,
  * so it can be extended later.
  *
  * On success, a message for display or logging by the server,
@@ -334,7 +349,8 @@ extern HWCryptoHook_Init_t HWCryptoHook_Init;
  * usual.
  */
 
-/* All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
+/*-
+ * All these functions return 0 on success, HWCRYPTOHOOK_ERROR_FAILED
  * on most failures.  HWCRYPTOHOOK_ERROR_MPISIZE means at least one of
  * the output MPI buffer(s) was too small; the sizes of all have been
  * set to the desired size (and for those where the buffer was large
@@ -345,7 +361,8 @@ extern HWCryptoHook_Init_t HWCryptoHook_Init;
  * _NoStderr at init time then messages may be reported to stderr.
  */
 
-/* The RSAImmed* functions (and key managed RSA) only work with
+/*-
+ * The RSAImmed* functions (and key managed RSA) only work with
  * modules which have an RSA patent licence - currently that means KM
  * units; the ModExp* ones work with all modules, so you need a patent
  * licence in the software in the US.  They are otherwise identical.
@@ -404,7 +421,8 @@ int HWCryptoHook_RSAImmedPriv_t(HWCryptoHook_ContextHandle hwctx,
                                 const HWCryptoHook_ErrMsgBuf *errors);
 extern HWCryptoHook_RSAImmedPriv_t HWCryptoHook_RSAImmedPriv;
 
-/* The RSAImmed* and ModExp* functions may return E_FAILED or
+/*-
+ * The RSAImmed* and ModExp* functions may return E_FAILED or
  * E_FALLBACK for failure.
  *
  * E_FAILED means the failure is permanent and definite and there
@@ -426,7 +444,8 @@ int HWCryptoHook_RSALoadKey_t(HWCryptoHook_ContextHandle hwctx,
                               const HWCryptoHook_ErrMsgBuf *errors,
                               HWCryptoHook_PassphraseContext *ppctx);
 extern HWCryptoHook_RSALoadKey_t HWCryptoHook_RSALoadKey;
-/* The key_ident is a null-terminated string configured by the
+/*-
+ * The key_ident is a null-terminated string configured by the
  * user via the application's usual configuration mechanisms.
  * It is provided to the user by the crypto provider's key management
  * system.  The user must be able to enter at least any string of between
@@ -449,7 +468,8 @@ int HWCryptoHook_RSAGetPublicKey_t(HWCryptoHook_RSAKeyHandle k,
                                    HWCryptoHook_MPI *e,
                                    const HWCryptoHook_ErrMsgBuf *errors);
 extern HWCryptoHook_RSAGetPublicKey_t HWCryptoHook_RSAGetPublicKey;
-/* The crypto plugin will not store certificates.
+/*-
+ * The crypto plugin will not store certificates.
  *
  * Although this function for acquiring the public key value is
  * provided, it is not the purpose of this API to deal fully with the
diff --git a/engines/vendor_defns/sureware.h b/engines/vendor_defns/sureware.h
index e46b000..f878674 100644
--- a/engines/vendor_defns/sureware.h
+++ b/engines/vendor_defns/sureware.h
@@ -1,22 +1,21 @@
-/*
-* Written by Corinne Dive-Reclus(cdive at baltimore.com)
-*
-* Copyright at 2001 Baltimore Technologies Ltd.
-*																								*	
-*		THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND																			*
-*		ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE					* 
-*		IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE				*
-*		ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE						*
-*		FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL				*
-*		DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS					*
-*		OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)					*
-*		HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT				*
-*		LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY				*
-*		OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF					*
-*		SUCH DAMAGE.																			*
-*
-* 
-*/
+/*-
+ * Written by Corinne Dive-Reclus(cdive at baltimore.com)
+ *
+ * Copyright at 2001 Baltimore Technologies Ltd.
+ *
+ * THIS FILE IS PROVIDED BY BALTIMORE TECHNOLOGIES ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL BALTIMORE TECHNOLOGIES BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
 #ifdef WIN32
 #define SW_EXPORT	__declspec ( dllexport )
 #else
@@ -31,29 +30,29 @@
 #define SUREWAREHOOK_ERROR_UNIT_FAILURE -3
 #define SUREWAREHOOK_ERROR_DATA_SIZE -4
 #define SUREWAREHOOK_ERROR_INVALID_PAD -5
-/*
+/*-
 * -----------------WARNING-----------------------------------
 * In all the following functions:
 * msg is a string with at least 24 bytes free.
 * A 24 bytes string will be concatenated to the existing content of msg. 
 */
-/*
+/*-
 *	SureWare Initialisation function
 *	in param threadsafe, if !=0, thread safe enabled
 *	return SureWareHOOK_ERROR_UNIT_FAILURE if failure, 1 if success
 */
 typedef int SureWareHook_Init_t(char*const msg,int threadsafe);
 extern SW_EXPORT SureWareHook_Init_t SureWareHook_Init;
-/*
+/*-
 *	SureWare Finish function
 */
 typedef void SureWareHook_Finish_t(void);
 extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish;
-/*
+/*-
 *	 PRE_CONDITION:
 *		DO NOT CALL ANY OF THE FOLLOWING FUNCTIONS IN CASE OF INIT FAILURE
 */
-/*
+/*-
 *	SureWare RAND Bytes function
 *	In case of failure, the content of buf is unpredictable.
 *	return 1 if success
@@ -68,7 +67,7 @@ extern SW_EXPORT SureWareHook_Finish_t SureWareHook_Finish;
 typedef int SureWareHook_Rand_Bytes_t(char*const msg,unsigned char *buf, int num);
 extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes;
 
-/*
+/*-
 *	SureWare RAND Seed function
 *	Adds some seed to the Hardware Random Number Generator
 *	return 1 if success
@@ -83,7 +82,7 @@ extern SW_EXPORT SureWareHook_Rand_Bytes_t SureWareHook_Rand_Bytes;
 typedef int SureWareHook_Rand_Seed_t(char*const msg,const void *buf, int num);
 extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed;
 
-/*
+/*-
 *	SureWare Load Private Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -98,7 +97,7 @@ extern SW_EXPORT SureWareHook_Rand_Seed_t SureWareHook_Rand_Seed;
 typedef int SureWareHook_Load_Privkey_t(char*const msg,const char *key_id,char **hptr,unsigned long *num,char *keytype);
 extern SW_EXPORT SureWareHook_Load_Privkey_t SureWareHook_Load_Privkey;
 
-/*
+/*-
 *	SureWare Info Public Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -114,7 +113,7 @@ typedef int SureWareHook_Info_Pubkey_t(char*const msg,const char *key_id,unsigne
 										char *keytype);
 extern SW_EXPORT SureWareHook_Info_Pubkey_t SureWareHook_Info_Pubkey;
 
-/*
+/*-
 *	SureWare Load Public Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -130,7 +129,7 @@ typedef int SureWareHook_Load_Rsa_Pubkey_t(char*const msg,const char *key_id,uns
 										unsigned long *n, unsigned long *e);
 extern SW_EXPORT SureWareHook_Load_Rsa_Pubkey_t SureWareHook_Load_Rsa_Pubkey;
 
-/*
+/*-
 *	SureWare Load DSA Public Key function
 *	return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -149,7 +148,7 @@ typedef int SureWareHook_Load_Dsa_Pubkey_t(char*const msg,const char *key_id,uns
 										unsigned long *g);
 extern SW_EXPORT SureWareHook_Load_Dsa_Pubkey_t SureWareHook_Load_Dsa_Pubkey;
 
-/*
+/*-
 *	SureWare Free function
 *	Destroy the key into the hardware if destroy==1
 */
@@ -159,7 +158,7 @@ extern SW_EXPORT SureWareHook_Free_t SureWareHook_Free;
 #define SUREWARE_PKCS1_PAD 1
 #define SUREWARE_ISO9796_PAD 2
 #define SUREWARE_NO_PAD 0
-/*
+/*-
 * SureWare RSA Private Decryption
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -180,7 +179,7 @@ typedef int SureWareHook_Rsa_Priv_Dec_t(char*const msg,int flen,unsigned char *f
 										int *tlen,unsigned char *to,
 										char *prsa,int padding);
 extern SW_EXPORT SureWareHook_Rsa_Priv_Dec_t SureWareHook_Rsa_Priv_Dec;
-/*
+/*-
 * SureWare RSA Signature
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -201,7 +200,7 @@ typedef int SureWareHook_Rsa_Sign_t(char*const msg,int flen,unsigned char *from,
 										int *tlen,unsigned char *to,
 										char *prsa,int padding);
 extern SW_EXPORT SureWareHook_Rsa_Sign_t SureWareHook_Rsa_Sign;
-/*
+/*-
 * SureWare DSA Signature
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
@@ -219,7 +218,7 @@ typedef int SureWareHook_Dsa_Sign_t(char*const msg,int flen,const unsigned char
 extern SW_EXPORT SureWareHook_Dsa_Sign_t SureWareHook_Dsa_Sign;
 
 
-/*
+/*-
 * SureWare Mod Exp
 * return 1 if success
 *			SureWareHOOK_ERROR_FAILED if error while processing
diff --git a/ms/tlhelp32.h b/ms/tlhelp32.h
index 8f4222e..e15b7e2 100644
--- a/ms/tlhelp32.h
+++ b/ms/tlhelp32.h
@@ -1,4 +1,4 @@
-/*
+/*-
 	tlhelp32.h - Include file for Tool help functions.
 
 	Written by Mumit Khan 
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 14d45b5..26e1da2 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -574,7 +574,8 @@ static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max
 static int
 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 	{
-	/* (0) check whether the desired fragment is available
+	/*-
+	 * (0) check whether the desired fragment is available
 	 * if so:
 	 * (1) copy over the fragment to s->init_buf->data[]
 	 * (2) update s->init_num
@@ -964,7 +965,8 @@ f_err:
 	return(-1);
 	}
 
-/* for these 2 messages, we need to
+/*-
+ * for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
  * ssl->s3->read_sequence		zero
  * ssl->s3->read_mac_secret		re-init
@@ -1165,7 +1167,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 	struct dtls1_retransmit_state saved_state;
 	unsigned char save_write_sequence[8];
 
-	/*
+	/*-
 	  OPENSSL_assert(s->init_num == 0);
 	  OPENSSL_assert(s->init_off == 0);
 	 */
@@ -1493,7 +1495,8 @@ dtls1_heartbeat(SSL *s)
 	 */
 	OPENSSL_assert(payload + padding <= 16381);
 
-	/* Create HeartBeat message, we just use a sequence number
+	/*-
+	 * Create HeartBeat message, we just use a sequence number
 	 * as payload to distuingish different messages and add
 	 * some random stuff.
 	 *  - Message Type, 1 byte
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 2952bcc..208d244 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -518,7 +518,8 @@ printf("\n");
 		}
 
 	rr->off=0;
-	/* So at this point the following is true
+	/*-
+	 * So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
 	 * ssl->s3->rrec.off	== offset to first valid byte
@@ -538,7 +539,8 @@ err:
 }
 
 
-/* Call this to get a new input record.
+/*-
+ * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
@@ -720,7 +722,8 @@ again:
 
 	}
 
-/* Return up to 'len' payload bytes received in 'type' records.
+/*-
+ * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
  *
  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
@@ -797,10 +800,12 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	    - is the type of record
+	/*-
+	 * s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
 	 * s->s3->rrec.off,     - offset into 'data' for next read
-	 * s->s3->rrec.length,  - number of bytes. */
+	 * s->s3->rrec.length,  - number of bytes. 
+	 */
 	rr = &(s->s3->rrec);
 
 	/* We are not handshaking and have no data yet,
diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
index fc19259..c77e7f7 100644
--- a/ssl/heartbeat_test.c
+++ b/ssl/heartbeat_test.c
@@ -1,5 +1,5 @@
 /* test/heartbeat_test.c */
-/*
+/*-
  * Unit test for TLS heartbeats.
  *
  * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
diff --git a/ssl/kssl.c b/ssl/kssl.c
index 10687f0..7009a58 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -56,15 +56,16 @@
  */
 
 
-/*  ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
-**
-**  19990701	VRS 	Started.
-**  200011??	Jeffrey Altman, Richard Levitte
-**          		Generalized for Heimdal, Newer MIT, & Win32.
-**          		Integrated into main OpenSSL 0.9.7 snapshots.
-**  20010413	Simon Wilkinson, VRS
-**          		Real RFC2712 KerberosWrapper replaces AP_REQ.
-*/
+/*-
+ * ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
+ *
+ *  19990701	VRS 	Started.
+ *  200011??	Jeffrey Altman, Richard Levitte
+ *          		Generalized for Heimdal, Newer MIT, & Win32.
+ *          		Integrated into main OpenSSL 0.9.7 snapshots.
+ *  20010413	Simon Wilkinson, VRS
+ *          		Real RFC2712 KerberosWrapper replaces AP_REQ.
+ */
 
 #include 
 
@@ -808,10 +809,10 @@ char
         }
 
 /*	Given KRB5 enctype (basically DES or 3DES),
-**	return closest match openssl EVP_ encryption algorithm.
-**	Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
-**	Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
-*/
+ *	return closest match openssl EVP_ encryption algorithm.
+ *	Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
+ *	Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
+ */
 const EVP_CIPHER *
 kssl_map_enc(krb5_enctype enctype)
         {
@@ -836,10 +837,10 @@ kssl_map_enc(krb5_enctype enctype)
 
 
 /*	Return true:1 if p "looks like" the start of the real authenticator
-**	described in kssl_skip_confound() below.  The ASN.1 pattern is
-**	"62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
-**	xx and yy are possibly multi-byte length fields.
-*/
+ *	described in kssl_skip_confound() below.  The ASN.1 pattern is
+ *	"62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
+ *	xx and yy are possibly multi-byte length fields.
+ */
 static int 	kssl_test_confound(unsigned char *p)
 	{
 	int 	len = 2;
@@ -866,15 +867,15 @@ static int 	kssl_test_confound(unsigned char *p)
 	}
 
 /*	Allocate, fill, and return cksumlens array of checksum lengths.
-**	This array holds just the unique elements from the krb5_cksumarray[].
-**	array[n] == 0 signals end of data.
-**
-**      The krb5_cksumarray[] was an internal variable that has since been
-**      replaced by a more general method for storing the data.  It should
-**      not be used.  Instead we use real API calls and make a guess for 
-**      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
-**      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
-*/
+ *	This array holds just the unique elements from the krb5_cksumarray[].
+ *	array[n] == 0 signals end of data.
+ *
+ *      The krb5_cksumarray[] was an internal variable that has since been
+ *      replaced by a more general method for storing the data.  It should
+ *      not be used.  Instead we use real API calls and make a guess for 
+ *      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
+ *      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
+ */
 static size_t  *populate_cksumlens(void)
 	{
 	int 		i, j, n;
@@ -907,12 +908,12 @@ static size_t  *populate_cksumlens(void)
 	}
 
 /*	Return pointer to start of real authenticator within authenticator, or
-**	return NULL on error.
-**	Decrypted authenticator looks like this:
-**		[0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
-**	This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
-**	krb5_auth_con_getcksumtype() function advertised in its krb5.h.
-*/
+ *	return NULL on error.
+ *	Decrypted authenticator looks like this:
+ *		[0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
+ *	This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
+ *	krb5_auth_con_getcksumtype() function advertised in its krb5.h.
+ */
 unsigned char	*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
 	{
 	int 		i, conlen;
@@ -934,8 +935,8 @@ unsigned char	*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
 
 
 /*	Set kssl_err error info when reason text is a simple string
-**		kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
-*/
+ *		kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
+ */
 void
 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
         {
@@ -1024,8 +1025,8 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 
 /*	Display contents of krb5_principal_data struct, for debugging
-**	(krb5_principal is typedef'd == krb5_principal_data *)
-*/
+ *	(krb5_principal is typedef'd == krb5_principal_data *)
+ */
 static void
 print_krb5_princ(char *label, krb5_principal_data *princ)
         {
@@ -1047,16 +1048,16 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         }
 
 
-/*	Given krb5 service (typically "kssl") and hostname in kssl_ctx,
-**	Return encrypted Kerberos ticket for service @ hostname.
-**	If authenp is non-NULL, also return encrypted authenticator,
-**	whose data should be freed by caller.
-**	(Originally was: Create Kerberos AP_REQ message for SSL Client.)
-**
-**	19990628	VRS 	Started; Returns Kerberos AP_REQ message.
-**	20010409	VRS 	Modified for RFC2712; Returns enc tkt.
-**	20010606	VRS 	May also return optional authenticator.
-*/
+/*-	Given krb5 service (typically "kssl") and hostname in kssl_ctx,
+ *	Return encrypted Kerberos ticket for service @ hostname.
+ *	If authenp is non-NULL, also return encrypted authenticator,
+ *	whose data should be freed by caller.
+ *	(Originally was: Create Kerberos AP_REQ message for SSL Client.)
+ *
+ *	19990628	VRS 	Started; Returns Kerberos AP_REQ message.
+ *	20010409	VRS 	Modified for RFC2712; Returns enc tkt.
+ *	20010606	VRS 	May also return optional authenticator.
+ */
 krb5_error_code
 kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
                 /* OUT    */	krb5_data **enc_ticketp,
@@ -1141,8 +1142,8 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	krb5rc = KRB5KRB_ERR_GENERIC;
 	/*	caller should free data of krb5_app_req  */
 	/*  20010406 VRS deleted for real KerberosWrapper
-	**  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
-	*/
+	 *  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
+	 */
 	krb5_app_req.length = 0;
 	if (authenp)
                 {
@@ -1214,17 +1215,18 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	}
 
 
-/*  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
-**  Return Kerberos error code and kssl_err struct on error.
-**  Allocates krb5_ticket and krb5_principal; caller should free these.
-**
-**	20010410	VRS	Implemented krb5_decode_ticket() as
-**				old_krb5_decode_ticket(). Missing from MIT1.0.6.
-**	20010615	VRS 	Re-cast as openssl/asn1 d2i_*() functions.
-**				Re-used some of the old krb5_decode_ticket()
-**				code here.  This tkt should alloc/free just
-**				like the real thing.
-*/
+/*-
+ *  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
+ *  Return Kerberos error code and kssl_err struct on error.
+ *  Allocates krb5_ticket and krb5_principal; caller should free these.
+ *
+ *	20010410	VRS	Implemented krb5_decode_ticket() as
+ *				old_krb5_decode_ticket(). Missing from MIT1.0.6.
+ *	20010615	VRS 	Re-cast as openssl/asn1 d2i_*() functions.
+ *				Re-used some of the old krb5_decode_ticket()
+ *				code here.  This tkt should alloc/free just
+ *				like the real thing.
+ */
 static krb5_error_code
 kssl_TKT2tkt(	/* IN     */	krb5_context	krb5context,
 		/* IN     */	KRB5_TKTBODY	*asn1ticket,
@@ -1299,12 +1301,12 @@ kssl_TKT2tkt(	/* IN     */	krb5_context	krb5context,
 
 
 /*	Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
-**		and krb5 AP_REQ message & message length,
-**	Return Kerberos session key and client principle
-**		to SSL Server in KSSL_CTX *kssl_ctx.
-**
-**	19990702	VRS 	Started.
-*/
+ *		and krb5 AP_REQ message & message length,
+ *	Return Kerberos session key and client principle
+ *		to SSL Server in KSSL_CTX *kssl_ctx.
+ *
+ *	19990702	VRS 	Started.
+ */
 krb5_error_code
 kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		/* IN     */	krb5_data		*indata,
@@ -1419,19 +1421,20 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 			}
 		}
 
-	/*	Actual Kerberos5 krb5_recvauth() has initial conversation here
-	**	o	check KRB5_SENDAUTH_BADAUTHVERS
-	**		unless KRB5_RECVAUTH_SKIP_VERSION
-	**	o	check KRB5_SENDAUTH_BADAPPLVERS
-	**	o	send "0" msg if all OK
-	*/
+	/*-	Actual Kerberos5 krb5_recvauth() has initial conversation here
+	 *	o	check KRB5_SENDAUTH_BADAUTHVERS
+	 *		unless KRB5_RECVAUTH_SKIP_VERSION
+	 *	o	check KRB5_SENDAUTH_BADAPPLVERS
+	 *	o	send "0" msg if all OK
+	 */
 
-	/*  20010411 was using AP_REQ instead of true KerberosWrapper
-	**
-	**  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
-	**			&krb5in_data, krb5server, krb5keytab,
-	**			&ap_option, &krb5ticket)) != 0)  { Error }
-	*/
+	/*- 
+	 * 20010411 was using AP_REQ instead of true KerberosWrapper
+	 *
+	 *  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
+	 *			&krb5in_data, krb5server, krb5keytab,
+	 *			&ap_option, &krb5ticket)) != 0)  { Error }
+	 */
 
 	p = (unsigned char *)indata->data;
 	if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
@@ -1568,8 +1571,8 @@ kssl_ctx_new(void)
 
 
 /*	Frees a kssl_ctx struct and any allocated memory it holds.
-**	Returns NULL.
-*/
+ *	Returns NULL.
+ */
 KSSL_CTX	*
 kssl_ctx_free(KSSL_CTX *kssl_ctx)
         {
@@ -1589,9 +1592,9 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
 
 
 /*	Given an array of (krb5_data *) entity (and optional realm),
-**	set the plain (char *) client_princ or service_host member
-**	of the kssl_ctx struct.
-*/
+ *	set the plain (char *) client_princ or service_host member
+ *	of the kssl_ctx struct.
+ */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
         krb5_data *realm, krb5_data *entity, int nentities)
@@ -1644,11 +1647,11 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
         }
 
 
-/*	Set one of the plain (char *) string members of the kssl_ctx struct.
-**	Default values should be:
-**		which == KSSL_SERVICE	=>	"khost" (KRB5SVC)
-**		which == KSSL_KEYTAB	=>	"/etc/krb5.keytab" (KRB5KEYTAB)
-*/
+/*-	Set one of the plain (char *) string members of the kssl_ctx struct.
+ *	Default values should be:
+ *		which == KSSL_SERVICE	=>	"khost" (KRB5SVC)
+ *		which == KSSL_KEYTAB	=>	"/etc/krb5.keytab" (KRB5KEYTAB)
+ */
 krb5_error_code
 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
         {
@@ -1682,8 +1685,8 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
 
 
 /*	Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
-**	struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
-*/
+ *	struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
+ */
 krb5_error_code
 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
         {
@@ -1897,12 +1900,12 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
 
 
 /*  Given pointers to KerberosTime and struct tm structs, convert the
-**  KerberosTime string to struct tm.  Note that KerberosTime is a
-**  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
-**  seconds as defined in RFC 1510.
-**  Return pointer to the (partially) filled in struct tm on success,
-**  return NULL on failure.
-*/
+ *  KerberosTime string to struct tm.  Note that KerberosTime is a
+ *  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
+ *  seconds as defined in RFC 1510.
+ *  Return pointer to the (partially) filled in struct tm on success,
+ *  return NULL on failure.
+ */
 static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
 	{
 	char 		c, *p;
@@ -1925,10 +1928,10 @@ static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
 
 
 /*  Helper function for kssl_validate_times().
-**  We need context->clockskew, but krb5_context is an opaque struct.
-**  So we try to sneek the clockskew out through the replay cache.
-**	If that fails just return a likely default (300 seconds).
-*/
+ *  We need context->clockskew, but krb5_context is an opaque struct.
+ *  So we try to sneek the clockskew out through the replay cache.
+ *	If that fails just return a likely default (300 seconds).
+ */
 static krb5_deltat get_rc_clockskew(krb5_context context)
 	{
 	krb5_rcache 	rc;
@@ -1945,15 +1948,15 @@ static krb5_deltat get_rc_clockskew(krb5_context context)
 
 
 /*  kssl_validate_times() combines (and more importantly exposes)
-**  the MIT KRB5 internal function krb5_validate_times() and the
-**  in_clock_skew() macro.  The authenticator client time is checked
-**  to be within clockskew secs of the current time and the current
-**  time is checked to be within the ticket start and expire times.
-**  Either check may be omitted by supplying a NULL value.
-**  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
-**  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
-**  20010420 VRS
-*/
+ *  the MIT KRB5 internal function krb5_validate_times() and the
+ *  in_clock_skew() macro.  The authenticator client time is checked
+ *  to be within clockskew secs of the current time and the current
+ *  time is checked to be within the ticket start and expire times.
+ *  Either check may be omitted by supplying a NULL value.
+ *  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
+ *  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
+ *  20010420 VRS
+ */
 krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 					krb5_ticket_times *ttimes)
 	{
@@ -1985,12 +1988,12 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 
 
 /*  Decode and decrypt given DER-encoded authenticator, then pass
-**  authenticator ctime back in *atimep (or 0 if time unavailable).
-**  Returns krb5_error_code and kssl_err on error.  A NULL 
-**  authenticator (authentp->length == 0) is not considered an error.
-**  Note that kssl_check_authent() makes use of the KRB5 session key;
-**  you must call kssl_sget_tkt() to get the key before calling this routine.
-*/
+ *  authenticator ctime back in *atimep (or 0 if time unavailable).
+ *  Returns krb5_error_code and kssl_err on error.  A NULL 
+ *  authenticator (authentp->length == 0) is not considered an error.
+ *  Note that kssl_check_authent() makes use of the KRB5 session key;
+ *  you must call kssl_sget_tkt() to get the key before calling this routine.
+ */
 krb5_error_code  kssl_check_authent(
 			/* IN     */	KSSL_CTX	*kssl_ctx,
                         /* IN     */   	krb5_data	*authentp,
@@ -2069,9 +2072,9 @@ krb5_error_code  kssl_check_authent(
 	if (enc == NULL)
 		{
 		/*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
-		**  This enctype indicates the authenticator was encrypted
-		**  using key-usage derived keys which openssl cannot decrypt.
-		*/
+		 *  This enctype indicates the authenticator was encrypted
+		 *  using key-usage derived keys which openssl cannot decrypt.
+		 */
 		goto err;
 		}
 
@@ -2148,10 +2151,10 @@ krb5_error_code  kssl_check_authent(
 
 
 /*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
-**  because I don't know how to stub varargs.
-**  Returns krb5_error_code == ENOMEM on alloc error, otherwise
-**  passes back newly constructed principal, which should be freed by caller.
-*/
+ *  because I don't know how to stub varargs.
+ *  Returns krb5_error_code == ENOMEM on alloc error, otherwise
+ *  passes back newly constructed principal, which should be freed by caller.
+ */
 krb5_error_code  kssl_build_principal_2(
 			/* UPDATE */	krb5_context	context,
 			/* OUT    */	krb5_principal	*princ,
diff --git a/ssl/kssl.h b/ssl/kssl.h
index e4df843..c3d5492 100644
--- a/ssl/kssl.h
+++ b/ssl/kssl.h
@@ -85,9 +85,9 @@ extern "C" {
 #endif
 
 /*
-**	Depending on which KRB5 implementation used, some types from
-**	the other may be missing.  Resolve that here and now
-*/
+ *	Depending on which KRB5 implementation used, some types from
+ *	the other may be missing.  Resolve that here and now
+ */
 #ifdef KRB5_HEIMDAL
 typedef unsigned char krb5_octet;
 #define FAR
@@ -100,10 +100,10 @@ typedef unsigned char krb5_octet;
 #endif
 
 /*	Uncomment this to debug kssl problems or
-**	to trace usage of the Kerberos session key
-**
-**	#define		KSSL_DEBUG
-*/
+ *	to trace usage of the Kerberos session key
+ *
+ *	#define		KSSL_DEBUG
+ */
 
 #ifndef	KRB5SVC
 #define KRB5SVC	"host"
@@ -132,10 +132,10 @@ typedef struct kssl_err_st  {
 	} KSSL_ERR;
 
 
-/*	Context for passing
-**		(1) Kerberos session key to SSL, and
-**		(2)	Config data between application and SSL lib
-*/
+/*-	Context for passing
+ *		(1) Kerberos session key to SSL, and
+ *		(2)	Config data between application and SSL lib
+ */
 typedef struct kssl_ctx_st
         {
                                 /*	used by:    disposition:            */
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 6e44e0c..9193d7b 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -440,7 +440,8 @@ int ssl23_get_client_hello(SSL *s)
 		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
 		v[1] = p[4];
 
-		/* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
+		/*-
+		 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
 		 * header is sent directly on the wire, not wrapped as a TLS
 		 * record. It's format is:
 		 * Byte  Content
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index b110e3c..6c0fb37 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -294,7 +294,8 @@ f_err:
 	return(0);
 	}
 
-/* for these 2 messages, we need to
+/*-
+ * for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
  * ssl->s3->read_sequence		zero
  * ssl->s3->read_mac_secret		re-init
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 6087ee3..9910306 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -68,14 +68,16 @@
  * supported by TLS.) */
 #define MAX_HASH_BLOCK_SIZE 128
 
-/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
+/*-
+ * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  * record in |rec| by updating |rec->length| in constant time.
  *
  * block_size: the block size of the cipher used to encrypt the record.
  * returns:
  *   0: (in non-constant time) if the record is publicly invalid.
  *   1: if the padding was valid
- *  -1: otherwise. */
+ *  -1: otherwise. 
+ */
 int ssl3_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -97,7 +99,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
 	return constant_time_select_int(good, 1, -1);
 	}
 
-/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
+/*- 
+ * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
  * record in |rec| in constant time and returns 1 if the padding is valid and
  * -1 otherwise. It also removes any explicit IV from the start of the record
  * without leaking any timing about whether there was enough space after the
@@ -107,7 +110,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
  * returns:
  *   0: (in non-constant time) if the record is publicly invalid.
  *   1: if the padding was valid
- *  -1: otherwise. */
+ *  -1: otherwise. 
+ */
 int tls1_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -193,7 +197,8 @@ int tls1_cbc_remove_padding(const SSL* s,
 	return constant_time_select_int(good, 1, -1);
 	}
 
-/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
+/*-
+ * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
  * constant time (independent of the concrete value of rec->length, which may
  * vary within a 256-byte window).
  *
@@ -373,7 +378,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 		}
 	}
 
-/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
+/*-
+ * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
  * record.
  *
  *   ctx: the EVP_MD_CTX from which we take the hash function.
@@ -391,7 +397,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
  * On entry: by virtue of having been through one of the remove_padding
  * functions, above, we know that data_plus_mac_size is large enough to contain
  * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
+ * padding too. ) 
+ */
 void ssl3_cbc_digest_record(
 	const EVP_MD_CTX *ctx,
 	unsigned char* md_out,
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 321afc1..4ca2774 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -730,7 +730,8 @@ int ssl3_client_hello(SSL *s)
 		/* Do the message type and length last */
 		d=p= ssl_handshake_start(s);
 
-		/* version indicates the negotiated version: for example from
+		/*-
+		 * version indicates the negotiated version: for example from
 		 * an SSLv2/v3 compatible client hello). The client_version
 		 * field is the maximum version we permit and it is also
 		 * used in RSA encrypted premaster secrets. Some servers can
@@ -2593,24 +2594,25 @@ int ssl3_send_client_key_exchange(SSL *s)
 				goto err;
 				}
 
-			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-			**  in place of RFC 2712 KerberosWrapper, as in:
-			**
-			**  Send ticket (copy to *p, set n = length)
-			**  n = krb5_ap_req.length;
-			**  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-			**  if (krb5_ap_req.data)  
-			**    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-			**
-			**  Now using real RFC 2712 KerberosWrapper
-			**  (Thanks to Simon Wilkinson )
-			**  Note: 2712 "opaque" types are here replaced
-			**  with a 2-byte length followed by the value.
-			**  Example:
-			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-			**  Where "xx xx" = length bytes.  Shown here with
-			**  optional authenticator omitted.
-			*/
+			/*-
+			 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
+			 * in place of RFC 2712 KerberosWrapper, as in:
+			 *
+			 * Send ticket (copy to *p, set n = length)
+			 * n = krb5_ap_req.length;
+			 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+			 * if (krb5_ap_req.data)  
+			 *   kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+			 *
+			 * Now using real RFC 2712 KerberosWrapper
+			 * (Thanks to Simon Wilkinson )
+			 * Note: 2712 "opaque" types are here replaced
+			 * with a 2-byte length followed by the value.
+			 * Example:
+			 * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
+			 * Where "xx xx" = length bytes.  Shown here with
+			 * optional authenticator omitted.
+			 */
 
 			/*  KerberosWrapper.Ticket		*/
 			s2n(enc_ticket->length,p);
@@ -2641,12 +2643,13 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
 				goto err;
 
-			/*  20010420 VRS.  Tried it this way; failed.
-			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-			**				kssl_ctx->length);
-			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-			*/
+			/*-
+			 * 20010420 VRS.  Tried it this way; failed.
+			 *	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
+			 *	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
+			 *				kssl_ctx->length);
+			 *	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
+			 */
 
 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
@@ -2803,7 +2806,8 @@ int ssl3_send_client_key_exchange(SSL *s)
 			 */
 			if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 
 				{
-				/* XXX: For now, we do not support client
+				/*-
+				 * XXX: For now, we do not support client
 				 * authentication using ECDH certificates.
 				 * To add such support, one needs to add
 				 * code that checks for appropriate 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 8fedf5a..2de10d6 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -293,7 +293,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
  * ssl3_get_record to loop forever. */
 #define MAX_EMPTY_RECORDS 32
 
-/* Call this to get a new input record.
+/*-
+ * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
@@ -449,10 +450,12 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 		}
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
-	/* enc_err is:
+	/*-
+	 * enc_err is:
 	 *    0: (in non-constant time) if the record is publically invalid.
 	 *    1: if the padding is valid
-	 *    -1: if the padding is invalid */
+	 *    -1: if the padding is invalid 
+	 */
 	if (enc_err == 0)
 		{
 		al=SSL_AD_DECRYPTION_FAILED;
@@ -556,7 +559,8 @@ printf("\n");
 		}
 
 	rr->off=0;
-	/* So at this point the following is true
+	/*-
+	 * So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
 	 * ssl->s3->rrec.off	== offset to first valid byte
@@ -1215,7 +1219,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 		}
 	}
 
-/* Return up to 'len' payload bytes received in 'type' records.
+/*-
+ * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
  *
  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
@@ -1297,10 +1302,12 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	    - is the type of record
+	/*-
+	 * s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
 	 * s->s3->rrec.off,     - offset into 'data' for next read
-	 * s->s3->rrec.length,  - number of bytes. */
+	 * s->s3->rrec.length,  - number of bytes. 
+	 */
 	rr = &(s->s3->rrec);
 
 	/* get new packet if necessary */
@@ -1422,9 +1429,11 @@ start:
 			}
 		}
 
-	/* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
+	/*-
+	 * s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
 	 * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
-	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) 
+	 */
 
 	/* If we are a client, check for an incoming 'Hello Request': */
 	if ((!s->server) &&
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 02c8c10..a308577 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1501,7 +1501,8 @@ int ssl3_get_client_hello(SSL *s)
 			goto f_err;
 		}
 	
-	/* we now have the following setup. 
+	/*-
+	 * we now have the following setup. 
 	 * client_random
 	 * cipher_list 		- our prefered list of ciphers
 	 * ciphers 		- the clients prefered list of ciphers
@@ -1559,7 +1560,8 @@ int ssl3_send_server_hello(SSL *s)
 		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
 		p+=SSL3_RANDOM_SIZE;
 
-		/* There are several cases for the session ID to send
+		/*-
+		 * There are several cases for the session ID to send
 		 * back in the server hello:
 		 * - For session reuse from the session cache,
 		 *   we send back the old session ID.
@@ -2690,11 +2692,11 @@ int ssl3_get_client_key_exchange(SSL *s)
 			}
 
 
-		/*  Was doing kssl_ctx_free() here,
-		**  but it caused problems for apache.
-		**  kssl_ctx = kssl_ctx_free(kssl_ctx);
-		**  if (s->kssl_ctx)  s->kssl_ctx = NULL;
-		*/
+		/*- Was doing kssl_ctx_free() here,
+		 *  but it caused problems for apache.
+		 *  kssl_ctx = kssl_ctx_free(kssl_ctx);
+		 *  if (s->kssl_ctx)  s->kssl_ctx = NULL;
+		 */
 		}
 	else
 #endif	/* OPENSSL_NO_KRB5 */
@@ -3587,7 +3589,8 @@ int ssl3_send_newsession_ticket(SSL *s)
 		i2d_SSL_SESSION(sess, &p);
 		SSL_SESSION_free(sess);
 
-		/* Grow buffer if need be: the length calculation is as
+		/*-
+		 * Grow buffer if need be: the length calculation is as
  		 * follows handshake_header_length +
  		 * 4 (ticket lifetime hint) + 2 (ticket length) +
  		 * 16 (key name) + max_iv_len (iv length) +
@@ -3671,7 +3674,8 @@ int ssl3_send_cert_status(SSL *s)
 	if (s->state == SSL3_ST_SW_CERT_STATUS_A)
 		{
 		unsigned char *p;
-		/* Grow buffer if need be: the length calculation is as
+		/*-
+		 * Grow buffer if need be: the length calculation is as
  		 * follows 1 (message type) + 3 (message length) +
  		 * 1 (ocsp response type) + 3 (ocsp response length)
  		 * + (ocsp response)
@@ -3743,7 +3747,8 @@ int ssl3_get_next_proto(SSL *s)
 
 	p=(unsigned char *)s->init_msg;
 
-	/* The payload looks like:
+	/*-
+	 * The payload looks like:
 	 *   uint8 proto_len;
 	 *   uint8 proto[proto_len];
 	 *   uint8 padding_len;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 0318d04..31d01b6 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -305,7 +305,7 @@ extern "C" {
 
 #define SSL_TXT_ALL		"ALL"
 
-/*
+/*-
  * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
  * ciphers normally not being used.
  * Example: "RC4" will activate all ciphers using RC4 including ciphers
@@ -453,7 +453,8 @@ struct ssl_method_st
 	long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
 	};
 
-/* Lets make this into an ASN.1 type structure as follows
+/*-
+ * Lets make this into an ASN.1 type structure as follows
  * SSL_SESSION_ID ::= SEQUENCE {
  *	version 		INTEGER,	-- structure version number
  *	SSLversion 		INTEGER,	-- SSL version number
@@ -1086,14 +1087,16 @@ struct ssl_ctx_st
 	/* ALPN information
 	 * (we are in the process of transitioning from NPN to ALPN.) */
 
-	/* For a server, this contains a callback function that allows the
+	/*-
+	 * For a server, this contains a callback function that allows the
 	 * server to select the protocol for the connection.
 	 *   out: on successful return, this must point to the raw protocol
 	 *        name (without the length prefix).
 	 *   outlen: on successful return, this contains the length of |*out|.
 	 *   in: points to the client's list of supported protocols in
 	 *       wire-format.
-	 *   inlen: the length of |in|. */
+	 *   inlen: the length of |in|. 
+	 */
 	int (*alpn_select_cb)(SSL *s,
 			      const unsigned char **out,
 			      unsigned char *outlen,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 4d65a2b..a046c71 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1953,12 +1953,14 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
         if (cm == NULL || cm->type == NID_undef)
                 return 1;
 
-	/* According to draft-ietf-tls-compression-04.txt, the
-	   compression number ranges should be the following:
-
-	   0 to 63:    methods defined by the IETF
-	   64 to 192:  external party methods assigned by IANA
-	   193 to 255: reserved for private use */
+	/*-
+	 * According to draft-ietf-tls-compression-04.txt, the
+	 * compression number ranges should be the following:
+         *
+         *   0 to  63:  methods defined by the IETF
+	 *  64 to 192:  external party methods assigned by IANA
+	 * 193 to 255:  reserved for private use 
+	 */
 	if (id < 193 || id > 255)
 		{
 		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 5212bc9..facfec5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -413,7 +413,7 @@
 
 /* we have used 000001ff - 23 bits left to go */
 
-/*
+/*-
  * Macros to check the export status and cipher strength for export ciphers.
  * Even though the macros for EXPORT and EXPORT40/56 have similar names,
  * their meaning is different:
@@ -479,7 +479,8 @@
 #define SSL_PKEY_GOST01		7
 #define SSL_PKEY_NUM		8
 
-/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
+/*-
+ * SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
  * 	    <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
  * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
  * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
@@ -511,11 +512,13 @@ typedef struct cert_pkey_st
 	/* Chain for this certificate */
 	STACK_OF(X509) *chain;
 #ifndef OPENSSL_NO_TLSEXT
-	/* serverinfo data for this certificate.  The data is in TLS Extension
+	/*-
+	 * serverinfo data for this certificate.  The data is in TLS Extension
 	 * wire format, specifically it's a series of records like:
 	 *   uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
 	 *   uint16_t length;
-	 *   uint8_t data[length]; */
+	 *   uint8_t data[length]; 
+	 */
 	unsigned char *serverinfo;
 	size_t serverinfo_length;
 #endif
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index a85f279..493b0fd 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -335,7 +335,7 @@ int ssl_get_new_session(SSL *s, int session)
 			return(0);
 			}
 #ifndef OPENSSL_NO_TLSEXT
-		/*
+		/*-
 		 * If RFC5077 ticket, use empty session ID (as server).
 		 * Note that:
 		 * (a) ssl_get_prev_session() does lookahead into the
diff --git a/ssl/ssl_task.c b/ssl/ssl_task.c
index 9c4982c..592e858 100644
--- a/ssl/ssl_task.c
+++ b/ssl/ssl_task.c
@@ -57,7 +57,7 @@
  */
 
 /* VMS */
-/*
+/*-
  * DECnet object for servicing SSL.  We accept the inbound and speak a
  * simple protocol for multiplexing the 2 data streams (application and
  * ssl data) over this logical link.
@@ -270,7 +270,7 @@ int doit(io_channel chan, SSL_CTX *s_ctx )
 	c_to_s=BIO_new(BIO_s_rtcp());
 	s_to_c=BIO_new(BIO_s_rtcp());
 	if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
-/* original, DRM 24-SEP-1997
+/*- original, DRM 24-SEP-1997
 	BIO_set_fd ( c_to_s, "", chan );
 	BIO_set_fd ( s_to_c, "", chan );
 */
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index e5be634..c699b61 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -545,7 +545,8 @@ static int verify_serverinfo()
 	return 0;
 	}
 
-/* Four test cases for custom extensions:
+/*-
+ * Four test cases for custom extensions:
  * 0 - no ClientHello extension or ServerHello response
  * 1 - ClientHello with "abc", no response
  * 2 - ClientHello with "abc", empty response
@@ -1924,7 +1925,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
 
 	do
 		{
-		/* c_ssl_bio:          SSL filter BIO
+		/*-
+		 * c_ssl_bio:          SSL filter BIO
 		 *
 		 * client:             pseudo-I/O for SSL library
 		 *
@@ -2796,11 +2798,12 @@ static void process_proxy_debug(int indent, const char *format, ...)
 	vfprintf(stderr, my_format, args);
 	va_end(args);
 	}
-/* Priority levels:
-   0	[!]var, ()
-   1	& ^
-   2	|
-*/
+/*-
+ * Priority levels:
+ *  0	[!]var, ()
+ *  1	& ^
+ *  2	|
+ */
 static int process_proxy_cond_adders(unsigned int letters[26],
 	const char *cond, const char **cond_end, int *pos, int indent);
 static int process_proxy_cond_val(unsigned int letters[26],
@@ -3152,7 +3155,8 @@ static void free_tmp_rsa(void)
 #endif
 
 #ifndef OPENSSL_NO_DH
-/* These DH parameters have been generated as follows:
+/*-
+ * These DH parameters have been generated as follows:
  *    $ openssl dhparam -C -noout 512
  *    $ openssl dhparam -C -noout 1024
  *    $ openssl dhparam -C -noout -dsaparam 1024
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f0291b1..31b1c36 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -504,7 +504,7 @@ int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
 	return 0;
 	}
 
-/*
+/*-
  * Return |nmatch|th shared curve or NID_undef if there is no match.
  * For nmatch == -1, return number of  matches
  * For nmatch == -2, return the NID of the curve to use for
@@ -1222,13 +1222,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 		unsigned long size_str;
 		long lenmax; 
 
-		/* check for enough space.
-		   4 for the servername type and entension length
-		   2 for servernamelist length
-		   1 for the hostname type
-		   2 for hostname length
-		   + hostname length 
-		*/
+		/*-
+		 * check for enough space.
+		 * 4 for the servername type and entension length
+		 * 2 for servernamelist length
+		 * 1 for the hostname type
+		 * 2 for hostname length
+		 * + hostname length 
+		 */
 		   
 		if ((lenmax = limit - ret - 9) < 0 
 		    || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
@@ -1260,11 +1261,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 			return NULL;
 			} 
 
-		/* check for enough space.
-		   4 for the srp type type and entension length
-		   1 for the srp user identity
-		   + srp user identity length 
-		*/
+		/*-
+		 * check for enough space.
+		 * 4 for the srp type type and entension length
+		 * 1 for the srp user identity
+		 * + srp user identity length 
+		 */
 		if ((limit - ret - 5 - login_len) < 0) return NULL; 
 
 		/* fill in the extension */
@@ -1464,7 +1466,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 		return NULL;
 	s2n(TLSEXT_TYPE_heartbeat,ret);
 	s2n(1,ret);
-	/* Set mode:
+	/*-
+	 * Set mode:
 	 * 1: peer may send requests
 	 * 2: peer not allowed to send requests
 	 */
@@ -1720,7 +1723,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
 			return NULL;
 		s2n(TLSEXT_TYPE_heartbeat,ret);
 		s2n(1,ret);
-		/* Set mode:
+		/*-
+		 * Set mode:
 		 * 1: peer may send requests
 		 * 2: peer not allowed to send requests
 		 */
@@ -1867,7 +1871,8 @@ parse_error:
 	}
 
 #ifndef OPENSSL_NO_EC
-/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+/*-
+ * ssl_check_for_safari attempts to fingerprint Safari using OS X
  * SecureTransport using the TLS extension block in |d|, of length |n|.
  * Safari, since 10.6, sends exactly these extensions, in this order:
  *   SNI,
@@ -2019,28 +2024,30 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			}
 		else if (s->version == SSL3_VERSION)
 			{}
-/* The servername extension is treated as follows:
-
-   - Only the hostname type is supported with a maximum length of 255.
-   - The servername is rejected if too long or if it contains zeros,
-     in which case an fatal alert is generated.
-   - The servername field is maintained together with the session cache.
-   - When a session is resumed, the servername call back invoked in order
-     to allow the application to position itself to the right context. 
-   - The servername is acknowledged if it is new for a session or when 
-     it is identical to a previously used for the same session. 
-     Applications can control the behaviour.  They can at any time
-     set a 'desirable' servername for a new SSL object. This can be the
-     case for example with HTTPS when a Host: header field is received and
-     a renegotiation is requested. In this case, a possible servername
-     presented in the new client hello is only acknowledged if it matches
-     the value of the Host: field. 
-   - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-     if they provide for changing an explicit servername context for the session,
-     i.e. when the session has been established with a servername extension. 
-   - On session reconnect, the servername extension may be absent. 
-
-*/      
+/*-
+ * The servername extension is treated as follows:
+ *
+ * - Only the hostname type is supported with a maximum length of 255.
+ * - The servername is rejected if too long or if it contains zeros,
+ *   in which case an fatal alert is generated.
+ * - The servername field is maintained together with the session cache.
+ * - When a session is resumed, the servername call back invoked in order
+ *   to allow the application to position itself to the right context. 
+ * - The servername is acknowledged if it is new for a session or when 
+ *   it is identical to a previously used for the same session. 
+ *   Applications can control the behaviour.  They can at any time
+ *   set a 'desirable' servername for a new SSL object. This can be the
+ *   case for example with HTTPS when a Host: header field is received and
+ *   a renegotiation is requested. In this case, a possible servername
+ *   presented in the new client hello is only acknowledged if it matches
+ *   the value of the Host: field. 
+ * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ *   if they provide for changing an explicit servername context for the 
+ *   session, i.e. when the session has been established with a servername 
+ *   extension. 
+ * - On session reconnect, the servername extension may be absent. 
+ *
+ */      
 
 		else if (type == TLSEXT_TYPE_server_name)
 			{
@@ -2419,7 +2426,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			 s->s3->tmp.finish_md_len == 0 &&
 			 s->s3->alpn_selected == NULL)
 			{
-			/* We shouldn't accept this extension on a
+			/*-
+			 * We shouldn't accept this extension on a
 			 * renegotiation.
 			 *
 			 * s->new_session will be set on renegotiation, but we
@@ -2428,12 +2436,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			 * there's some other reason to disallow resuming an
 			 * earlier session -- the current code won't be doing
 			 * anything like that, but this might change).
-
+			 *
 			 * A valid sign that there's been a previous handshake
 			 * in this connection is if s->s3->tmp.finish_md_len >
 			 * 0.  (We are talking about a check that will happen
 			 * in the Hello protocol round, well before a new
-			 * Finished message could have been computed.) */
+			 * Finished message could have been computed.) 
+			 */
 			s->s3->next_proto_neg_seen = 1;
 			}
 #endif
@@ -2746,10 +2755,12 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			/* The extension data consists of:
+			/*- 
+			 * The extension data consists of:
 			 *   uint16 list_length
 			 *   uint8 proto_length;
-			 *   uint8 proto[proto_length]; */
+			 *   uint8 proto[proto_length]; 
+			 */
 			len = data[0];
 			len <<= 8;
 			len |= data[1];
@@ -3248,7 +3259,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	return 1;
 }
 
-/* Since the server cache lookup is done early on in the processing of the
+/*-
+ * Since the server cache lookup is done early on in the processing of the
  * ClientHello, and other operations depend on the result, we need to handle
  * any TLS session ticket extension at the same time.
  *
@@ -3368,7 +3380,8 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
 	return 0;
 	}
 
-/* tls_decrypt_ticket attempts to decrypt a session ticket.
+/*-
+ * tls_decrypt_ticket attempts to decrypt a session ticket.
  *
  *   etick: points to the body of the session ticket extension.
  *   eticklen: the length of the session tickets extenion.
@@ -4086,7 +4099,8 @@ tls1_heartbeat(SSL *s)
 	 */
 	OPENSSL_assert(payload + padding <= 16381);
 
-	/* Create HeartBeat message, we just use a sequence number
+	/*-
+	 * Create HeartBeat message, we just use a sequence number
 	 * as payload to distuingish different messages and add
 	 * some random stuff.
 	 *  - Message Type, 1 byte
diff --git a/test/methtest.c b/test/methtest.c
index 005c2f4..b734217 100644
--- a/test/methtest.c
+++ b/test/methtest.c
@@ -84,7 +84,7 @@ char *argv[];
 	METH_arg(tmp2,METH_TYPE_DIR,"/usr/local/ssl/certs");
 	METH_push(top,METH_X509_CA_BY_SUBJECT,tmp2);
 
-/*	tmp=METH_new(x509_by_issuer_dir);
+/*-	tmp=METH_new(x509_by_issuer_dir);
 	METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
 	METH_push(top,METH_X509_BY_ISSUER,tmp);
 
diff --git a/test/testutil.c b/test/testutil.c
index 89e8141..908eb5b 100644
--- a/test/testutil.c
+++ b/test/testutil.c
@@ -1,5 +1,5 @@
 /* test/testutil.c */
-/*
+/*-
  * Utilities for writing OpenSSL unit tests.
  *
  * More information:
diff --git a/test/testutil.h b/test/testutil.h
index adb092a..502be2e 100644
--- a/test/testutil.h
+++ b/test/testutil.h
@@ -1,5 +1,5 @@
 /* test/testutil.h */
-/*
+/*-
  * Utilities for writing OpenSSL unit tests.
  *
  * More information:
@@ -59,7 +59,8 @@
 #ifndef HEADER_TESTUTIL_H
 #define HEADER_TESTUTIL_H
 
-/* SETUP_TEST_FIXTURE and EXECUTE_TEST macros for test case functions.
+/*-
+ * SETUP_TEST_FIXTURE and EXECUTE_TEST macros for test case functions.
  *
  * SETUP_TEST_FIXTURE will call set_up() to create a new TEST_FIXTURE_TYPE
  * object called "fixture". It will also allocate the "result" variable used


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Wed Dec 31 10:16:49 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Wed, 31 Dec 2014 11:16:49 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch master
	updated. 2a9338ee31b8448186b79c4a8115dc76f6a431d7
Message-ID: <20141231101649.9893E1DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, master has been updated
       via  2a9338ee31b8448186b79c4a8115dc76f6a431d7 (commit)
       via  b17dcb0d63cc41aa58bf356fda203670085fc83d (commit)
       via  d97ed219860b3188b833a130a61d2438f3f249cf (commit)
       via  97d5809c2b70fdd240990b940c564bcbd77a19c6 (commit)
      from  1d97c8435171a7af575f73c526d79e1ef0ee5960 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2a9338ee31b8448186b79c4a8115dc76f6a431d7
Author: Dominik Neubauer 
Date:   Tue Mar 4 22:22:29 2014 +0100

    typo in s_client
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Geoff Thorpe 

commit b17dcb0d63cc41aa58bf356fda203670085fc83d
Author: Martin Nowak 
Date:   Mon Apr 21 20:03:07 2014 +0200

    remove duplicate defines
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Geoff Thorpe 

commit d97ed219860b3188b833a130a61d2438f3f249cf
Author: Cristian Rodr?guez 
Date:   Sun Apr 20 18:41:15 2014 -0300

    constify tls 1.2 lookup tables.
    
    None of this should live in writable memory
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Geoff Thorpe 

commit 97d5809c2b70fdd240990b940c564bcbd77a19c6
Author: Kurt Roeckx 
Date:   Tue Dec 30 17:14:49 2014 +0100

    Add missing include of sys/time.h
    
    gettimeofday was undefined
    
    Reviewed-by: Geoff Thorpe 

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c        |    2 +-
 crypto/bio/bss_dgram.c |    3 +++
 ssl/t1_lib.c           |   12 ++++++------
 ssl/tls1.h             |    2 --
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 30ea743..fe14b36 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -329,7 +329,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
-	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+	BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
 #ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 88ee559..d45dd95 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -66,6 +66,9 @@
 #include 
 #ifndef OPENSSL_NO_DGRAM
 
+#if !(defined(_WIN32) || defined(OPENSSL_SYS_VMS))
+# include 
+#endif
 #if defined(OPENSSL_SYS_VMS)
 #include 
 #endif
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 31b1c36..fec7ace 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -935,7 +935,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
 		tlsext_sigalg_dsa(md) \
 		tlsext_sigalg_ecdsa(md)
 
-static unsigned char tls12_sigalgs[] = {
+static const unsigned char tls12_sigalgs[] = {
 #ifndef OPENSSL_NO_SHA512
 	tlsext_sigalg(TLSEXT_hash_sha512)
 	tlsext_sigalg(TLSEXT_hash_sha384)
@@ -949,7 +949,7 @@ static unsigned char tls12_sigalgs[] = {
 #endif
 };
 #ifndef OPENSSL_NO_ECDSA
-static unsigned char suiteb_sigalgs[] = {
+static const unsigned char suiteb_sigalgs[] = {
 	tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
 	tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
 };
@@ -3508,7 +3508,7 @@ typedef struct
 	int id;
 	} tls12_lookup;
 
-static tls12_lookup tls12_md[] = {
+static const tls12_lookup tls12_md[] = {
 	{NID_md5, TLSEXT_hash_md5},
 	{NID_sha1, TLSEXT_hash_sha1},
 	{NID_sha224, TLSEXT_hash_sha224},
@@ -3517,13 +3517,13 @@ static tls12_lookup tls12_md[] = {
 	{NID_sha512, TLSEXT_hash_sha512}
 };
 
-static tls12_lookup tls12_sig[] = {
+static const tls12_lookup tls12_sig[] = {
 	{EVP_PKEY_RSA, TLSEXT_signature_rsa},
 	{EVP_PKEY_DSA, TLSEXT_signature_dsa},
 	{EVP_PKEY_EC, TLSEXT_signature_ecdsa}
 };
 
-static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
+static int tls12_find_id(int nid, const tls12_lookup *table, size_t tlen)
 	{
 	size_t i;
 	for (i = 0; i < tlen; i++)
@@ -3534,7 +3534,7 @@ static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
 	return -1;
 	}
 
-static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
+static int tls12_find_nid(int id, const tls12_lookup *table, size_t tlen)
 	{
 	size_t i;
 	for (i = 0; i < tlen; i++)
diff --git a/ssl/tls1.h b/ssl/tls1.h
index e8188ec..7596429 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -784,8 +784,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS_MD_CLIENT_FINISH_CONST_SIZE		15
 #define TLS_MD_SERVER_FINISH_CONST		"server finished"
 #define TLS_MD_SERVER_FINISH_CONST_SIZE		15
-#define TLS_MD_SERVER_WRITE_KEY_CONST		"server write key"
-#define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE	16
 #define TLS_MD_KEY_EXPANSION_CONST		"key expansion"
 #define TLS_MD_KEY_EXPANSION_CONST_SIZE		13
 #define TLS_MD_CLIENT_WRITE_KEY_CONST		"client write key"


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Wed Dec 31 10:19:35 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Wed, 31 Dec 2014 11:19:35 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_2-stable updated. OpenSSL_1_0_2-beta3-131-gc30c876
Message-ID: <20141231101935.6809C1DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_2-stable has been updated
       via  c30c8761766d98c7fcd257b7332df5cd56c40a6f (commit)
      from  73bda31b4c6e9c692c88f09cd8ec2fd722aa34d7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c30c8761766d98c7fcd257b7332df5cd56c40a6f
Author: Dominik Neubauer 
Date:   Tue Mar 4 22:22:29 2014 +0100

    typo in s_client
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Geoff Thorpe 

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 45ca637..e6e8a07 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -335,7 +335,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
-	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+	BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD


hooks/post-receive
-- 
OpenSSL source code

From kurt at openssl.org  Wed Dec 31 10:20:02 2014
From: kurt at openssl.org (Kurt Roeckx)
Date: Wed, 31 Dec 2014 11:20:02 +0100 (CET)
Subject: [openssl-commits] [openssl] OpenSSL source code branch
	OpenSSL_1_0_1-stable updated. OpenSSL_1_0_1j-92-g40fb858
Message-ID: <20141231102002.2357C1DF10B@openssl.net>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSSL source code".

The branch, OpenSSL_1_0_1-stable has been updated
       via  40fb8587ed854eaa6bbe703a4480b5b20ff7b71c (commit)
      from  c14a808c516eea83cf949c5da7fd9e7c77f379c4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 40fb8587ed854eaa6bbe703a4480b5b20ff7b71c
Author: Dominik Neubauer 
Date:   Tue Mar 4 22:22:29 2014 +0100

    typo in s_client
    
    Signed-off-by: Kurt Roeckx 
    Reviewed-by: Geoff Thorpe 

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 8b96b40..19545e2 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -329,7 +329,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
-	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+	BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
 #ifndef OPENSSL_NO_SSL3_METHOD


hooks/post-receive
-- 
OpenSSL source code



List Address	Subscription	Posting	List	Usage

openssl-announce	open	core team	Official Project Announcements	openssl-announce	Official Project Announcements; low-volume read-only.
openssl-core	closed	subscribers	Internal Core Team Discussions
openssl-cvs	open	subscribers	Git (formerly CVS) Repository Messages	openssl-commit	Commits to the source repository; read-only
openssl-dev	open	subscribers	Discussions on development of the OpenSSL library. Not for application - development questions!	openssl-dev	Discussions on development of the OpenSSL library. + This is not the place for application development questions!
openssl-users	open	subscribers	Application Development, OpenSSL Usage, Installation Problems, +	openssl-users	Application Development, installing and configure OpenSSL, etc.


		\ - {#PAGE_SUBNAVBAR#}\ -
{#PAGE_NAVBAR#}		\ - - :PAGE_HEAD][PAGE_BODY: - {#PAGE_BODY#} - :PAGE_BODY][PAGE_FOOT:\ -

Date	Newsflash

$1:	$2
	more...

Temporary Mailing List Freeze

Mailing List Update

OpenSSL Mailing Lists

Overview

Subscription

Archive

Reporting a security vulnerability

Notification of security vulnerabilities

OpenSSL vulnerabilities

Reporting a security vulnerability

Notification of security vulnerabilities

Security vulnerabilities and advisories

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

Notification of security vulnerabilities

Old 0.9.x Releases

Legalities

Old 1.0.0 Releases

Legalities

Old 1.0.1 Releases

Legalities

Old 1.0.2 Releases

Legalities

Old FIPS Releases

Legalities

Old Releases

Legalities

OpenSSL Mailing Lists

Overview

OpenSSL Release Strategy

First issued 23rd December 2014

Last modified 23rd December 2014

Legalities

Old 0.9.x Releases

Legalities

Legalities

Legalities

Legalities

Legalities

Old Releases

Legalities