From rsalz at openssl.org  Sat Aug  1 18:32:40 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 01 Aug 2015 18:32:40 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438453960.270715.11084.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e36ce2d986a5edbd33d6d176fb95c8046fae9725 (commit)
      from  34750dc25d74e3db4c1ba43cd219d3f4825e4c65 (commit)


- Log -----------------------------------------------------------------
commit e36ce2d986a5edbd33d6d176fb95c8046fae9725
Author: Dirk Wetter <dirk at testssl.sh>
Date:   Fri Jul 31 13:02:51 2015 -0400

    GH336: Return an exit code if report fails
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 util/selftest.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/selftest.pl b/util/selftest.pl
index 7b32e9f..59842ef 100644
--- a/util/selftest.pl
+++ b/util/selftest.pl
@@ -199,3 +199,4 @@ while (<IN>) {
 }
 print "\nTest report in file $report\n";
 
+die if $ok != 2;

From rsalz at openssl.org  Sat Aug  1 18:33:15 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 01 Aug 2015 18:33:15 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1438453995.849591.12027.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  49cc3f4038d81ffdad95c9e49e72bc497f4d3954 (commit)
      from  a5e26349f73de74019892eb9e592965e633fe7d5 (commit)


- Log -----------------------------------------------------------------
commit 49cc3f4038d81ffdad95c9e49e72bc497f4d3954
Author: Dirk Wetter <dirk at testssl.sh>
Date:   Fri Jul 31 13:02:51 2015 -0400

    GH336: Return an exit code if report fails
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit e36ce2d986a5edbd33d6d176fb95c8046fae9725)

-----------------------------------------------------------------------

Summary of changes:
 util/selftest.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/selftest.pl b/util/selftest.pl
index 7b32e9f..59842ef 100644
--- a/util/selftest.pl
+++ b/util/selftest.pl
@@ -199,3 +199,4 @@ while (<IN>) {
 }
 print "\nTest report in file $report\n";
 
+die if $ok != 2;

From rsalz at openssl.org  Sat Aug  1 18:33:26 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 01 Aug 2015 18:33:26 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1438454006.017590.12303.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  556803fc3d0c3a957056665d0eef1c6c80cf556e (commit)
      from  1a9a506cfbb3a57215dae72aadab8943b977bcf7 (commit)


- Log -----------------------------------------------------------------
commit 556803fc3d0c3a957056665d0eef1c6c80cf556e
Author: Dirk Wetter <dirk at testssl.sh>
Date:   Fri Jul 31 13:02:51 2015 -0400

    GH336: Return an exit code if report fails
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit e36ce2d986a5edbd33d6d176fb95c8046fae9725)

-----------------------------------------------------------------------

Summary of changes:
 util/selftest.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/selftest.pl b/util/selftest.pl
index 7b32e9f..59842ef 100644
--- a/util/selftest.pl
+++ b/util/selftest.pl
@@ -199,3 +199,4 @@ while (<IN>) {
 }
 print "\nTest report in file $report\n";
 
+die if $ok != 2;

From rsalz at openssl.org  Sat Aug  1 18:33:39 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 01 Aug 2015 18:33:39 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_0-stable update
Message-ID: <1438454019.811748.12581.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_0-stable has been updated
       via  519bd5013446d511d8d55e6770d1cc2641238da3 (commit)
      from  895c1b79dd7a76caea46d3185c8c2d3a27506b9d (commit)


- Log -----------------------------------------------------------------
commit 519bd5013446d511d8d55e6770d1cc2641238da3
Author: Dirk Wetter <dirk at testssl.sh>
Date:   Fri Jul 31 13:02:51 2015 -0400

    GH336: Return an exit code if report fails
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit e36ce2d986a5edbd33d6d176fb95c8046fae9725)

-----------------------------------------------------------------------

Summary of changes:
 util/selftest.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/util/selftest.pl b/util/selftest.pl
index 7b32e9f..59842ef 100644
--- a/util/selftest.pl
+++ b/util/selftest.pl
@@ -199,3 +199,4 @@ while (<IN>) {
 }
 print "\nTest report in file $report\n";
 
+die if $ok != 2;

From ben at openssl.org  Sat Aug  1 21:10:16 2015
From: ben at openssl.org (Ben Laurie)
Date: Sat, 01 Aug 2015 21:10:16 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438463416.426965.329.nullmailer@dev.openssl.org>

The branch master has been updated
       via  9e83e6cda97ae9cb3167e5d8548a7ca0b54cc4e6 (commit)
      from  e36ce2d986a5edbd33d6d176fb95c8046fae9725 (commit)


- Log -----------------------------------------------------------------
commit 9e83e6cda97ae9cb3167e5d8548a7ca0b54cc4e6
Author: Ben Laurie <ben at links.org>
Date:   Sat Aug 1 15:55:19 2015 +0100

    Make BSD make happy with subdirectories.
    
    Reviewed-by: Richard Levitte

-----------------------------------------------------------------------

Summary of changes:
 ssl/Makefile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssl/Makefile b/ssl/Makefile
index d1fc049..973276a 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -45,6 +45,10 @@ HEADER=	ssl_locl.h record/record_locl.h record/record.h
 
 ALL=	$(GENERAL) $(SRC) $(HEADER)
 
+# BSD make and GNU make disagree on where output goes
+.c.o:
+	$(CC) $(CFLAGS) -c $< -o $@
+
 top:
 	(cd ..; $(MAKE) DIRS=$(DIR) all)
 

From ben at openssl.org  Sun Aug  2 06:08:11 2015
From: ben at openssl.org (Ben Laurie)
Date: Sun, 02 Aug 2015 06:08:11 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438495691.622632.13532.nullmailer@dev.openssl.org>

The branch master has been updated
       via  480405e4a9a8f791324850c4f6b3d36d4e4de4f9 (commit)
       via  d237a2739c91eb97a7be57989de0a18051f98963 (commit)
      from  9e83e6cda97ae9cb3167e5d8548a7ca0b54cc4e6 (commit)


- Log -----------------------------------------------------------------
commit 480405e4a9a8f791324850c4f6b3d36d4e4de4f9
Author: Ben Laurie <ben at links.org>
Date:   Sun Aug 2 02:45:44 2015 +0100

    Add -Wconditional-uninitialized to clang strict warnings.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit d237a2739c91eb97a7be57989de0a18051f98963
Author: Ben Laurie <ben at links.org>
Date:   Sun Aug 2 02:21:46 2015 +0100

    Build with --strict-warnings on FreeBSD.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 Configurations/10-main.conf |  2 +-
 Configure                   |  4 ++--
 apps/s_client.c             |  2 +-
 apps/verify.c               | 46 ++++++++++++++++++++++-----------------------
 4 files changed, 26 insertions(+), 28 deletions(-)

diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index b5d32b6..15af87e 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -830,7 +830,7 @@
         # expands it as -lc_r, which has to be accompanied by explicit
         # -D_THREAD_SAFE and sometimes -D_REENTRANT. FreeBSD 5.x
         # expands it as -lc_r, which seems to be sufficient?
-        cc               => "gcc",
+        cc               => "cc",
         cflags           => "-Wall",
         debug_cflags     => "-O0 -g",
         release_cflags   => "-O3",
diff --git a/Configure b/Configure
index 6cc05bd..fb20e85 100755
--- a/Configure
+++ b/Configure
@@ -101,13 +101,13 @@ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare
 
 # These are used in addition to $gcc_devteam_warn when the compiler is clang.
 # TODO(openssl-team): fix problems and investigate if (at least) the
-# following warnings can also be enabled: -Wconditional-uninitialized,
+# following warnings can also be enabled:
 # -Wswitch-enum, -Wunused-macros, -Wmissing-field-initializers,
 # -Wmissing-variable-declarations,
 # -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align,
 # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token
 # -Wextended-offsetof
-my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof";
+my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Qunused-arguments";
 
 my $strict_warnings = 0;
 
diff --git a/apps/s_client.c b/apps/s_client.c
index f4132c8..5971f8a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -656,7 +656,7 @@ int s_client_main(int argc, char **argv)
     int prexit = 0;
     int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer;
     int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
-    int ret = 1, in_init = 1, i, nbio_test = 0, s, k, width, state = 0;
+    int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
     int sbuf_len, sbuf_off, socket_type = SOCK_STREAM, cmdletters = 1;
     int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
     int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
diff --git a/apps/verify.c b/apps/verify.c
index 7fcd32a..8abc708 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -272,37 +272,35 @@ static int check(X509_STORE *ctx, char *file,
     if (crls)
         X509_STORE_CTX_set0_crls(csc, crls);
     i = X509_verify_cert(csc);
-    if (i > 0 && show_chain) {
-        chain = X509_STORE_CTX_get1_chain(csc);
-        num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
+    if (i > 0) {
+        printf("OK\n");
+        ret = 1;
+	if (show_chain) {
+	    chain = X509_STORE_CTX_get1_chain(csc);
+	    num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
+	    printf("Chain:\n");
+	    for (i = 0; i < sk_X509_num(chain); i++) {
+		X509 *cert = sk_X509_value(chain, i);
+		printf("depth=%d: ", i);
+		X509_NAME_print_ex_fp(stdout,
+				      X509_get_subject_name(cert),
+				      0, XN_FLAG_ONELINE);
+		if (i < num_untrusted)
+		    printf(" (untrusted)");
+		printf("\n");
+	    }
+	    sk_X509_pop_free(chain, X509_free);
+	}
     }
     X509_STORE_CTX_free(csc);
 
     ret = 0;
  end:
-    if (i > 0) {
-        printf("OK\n");
-        ret = 1;
-    } else
-        ERR_print_errors(bio_err);
-    if (chain) {
-        printf("Chain:\n");
-        for (i = 0; i < sk_X509_num(chain); i++) {
-            X509 *cert = sk_X509_value(chain, i);
-            printf("depth=%d: ", i);
-            X509_NAME_print_ex_fp(stdout,
-                                  X509_get_subject_name(cert),
-                                  0, XN_FLAG_ONELINE);
-            if (i < num_untrusted) {
-                printf(" (untrusted)");
-            }
-            printf("\n");
-        }
-        sk_X509_pop_free(chain, X509_free);
-    }
+    if (i <= 0)
+	ERR_print_errors(bio_err);
     X509_free(x);
 
-    return (ret);
+    return ret;
 }
 
 static int cb(int ok, X509_STORE_CTX *ctx)

From steve at openssl.org  Sun Aug  2 13:49:20 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Sun, 02 Aug 2015 13:49:20 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438523360.630756.8048.nullmailer@dev.openssl.org>

The branch master has been updated
       via  5a168057bc1cdf4151226545c4f2ed4d4ad9622b (commit)
      from  480405e4a9a8f791324850c4f6b3d36d4e4de4f9 (commit)


- Log -----------------------------------------------------------------
commit 5a168057bc1cdf4151226545c4f2ed4d4ad9622b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sun Aug 2 14:28:50 2015 +0100

    don't reset return value to 0
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/verify.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/verify.c b/apps/verify.c
index 8abc708..740dae2 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -294,7 +294,6 @@ static int check(X509_STORE *ctx, char *file,
     }
     X509_STORE_CTX_free(csc);
 
-    ret = 0;
  end:
     if (i <= 0)
 	ERR_print_errors(bio_err);

From ben at openssl.org  Sun Aug  2 17:58:49 2015
From: ben at openssl.org (Ben Laurie)
Date: Sun, 02 Aug 2015 17:58:49 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438538329.111187.14130.nullmailer@dev.openssl.org>

The branch master has been updated
       via  bb484020c3f22bcb76cc3d18b5965c8b132770dc (commit)
      from  5a168057bc1cdf4151226545c4f2ed4d4ad9622b (commit)


- Log -----------------------------------------------------------------
commit bb484020c3f22bcb76cc3d18b5965c8b132770dc
Author: Ben Laurie <ben at links.org>
Date:   Sun Aug 2 16:04:27 2015 +0100

    Fix refactoring breakage.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/verify.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/verify.c b/apps/verify.c
index 740dae2..ce0ad24 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -276,16 +276,18 @@ static int check(X509_STORE *ctx, char *file,
         printf("OK\n");
         ret = 1;
 	if (show_chain) {
+	    int j;
+
 	    chain = X509_STORE_CTX_get1_chain(csc);
 	    num_untrusted = X509_STORE_CTX_get_num_untrusted(csc);
 	    printf("Chain:\n");
-	    for (i = 0; i < sk_X509_num(chain); i++) {
-		X509 *cert = sk_X509_value(chain, i);
-		printf("depth=%d: ", i);
+	    for (j = 0; j < sk_X509_num(chain); j++) {
+		X509 *cert = sk_X509_value(chain, j);
+		printf("depth=%d: ", j);
 		X509_NAME_print_ex_fp(stdout,
 				      X509_get_subject_name(cert),
 				      0, XN_FLAG_ONELINE);
-		if (i < num_untrusted)
+		if (j < num_untrusted)
 		    printf(" (untrusted)");
 		printf("\n");
 	    }

From matt at openssl.org  Mon Aug  3 10:02:57 2015
From: matt at openssl.org (Matt Caswell)
Date: Mon, 03 Aug 2015 10:02:57 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438596177.695684.24637.nullmailer@dev.openssl.org>

The branch master has been updated
       via  9ceb2426b0a7972434a49a34e78bdcc6437e04ad (commit)
       via  6fc2ef20a92a318aa5aacf9c907fa70df98f6a41 (commit)
       via  7e729bb5a3ff1b940061045d1f83b7fc01d32b4b (commit)
      from  bb484020c3f22bcb76cc3d18b5965c8b132770dc (commit)


- Log -----------------------------------------------------------------
commit 9ceb2426b0a7972434a49a34e78bdcc6437e04ad
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Apr 16 10:06:25 2015 +0100

    PACKETise ClientHello processing
    
    Uses the new PACKET code to process the incoming ClientHello including all
    extensions etc.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 6fc2ef20a92a318aa5aacf9c907fa70df98f6a41
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Apr 17 16:10:23 2015 +0100

    PACKET unit tests
    
    Add some unit tests for the new PACKET API
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 7e729bb5a3ff1b940061045d1f83b7fc01d32b4b
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Apr 14 17:01:29 2015 +0100

    Add initial packet parsing code
    
    Provide more robust (inline) functions to replace n2s, n2l, etc. These
    functions do the same thing as the previous macros, but also keep track
    of the amount of data remaining and return an error if we try to read more
    data than we've got.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/Makefile      | 1246 +++++++++++++++++++++++++++--------------------------
 ssl/d1_srtp.c     |   57 +--
 ssl/packet_locl.h |  394 +++++++++++++++++
 ssl/s3_srvr.c     |  169 ++++----
 ssl/ssl_locl.h    |   18 +-
 ssl/ssl_sess.c    |   11 +-
 ssl/t1_lib.c      |  407 +++++++++--------
 ssl/t1_reneg.c    |   19 +-
 test/Makefile     |   49 ++-
 test/packettest.c |  317 ++++++++++++++
 10 files changed, 1730 insertions(+), 957 deletions(-)
 create mode 100644 ssl/packet_locl.h
 create mode 100644 test/packettest.c

diff --git a/ssl/Makefile b/ssl/Makefile
index 973276a..b8ae9c3 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -95,43 +95,45 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 bio_ssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-bio_ssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-bio_ssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-bio_ssl.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-bio_ssl.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-bio_ssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-bio_ssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-bio_ssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-bio_ssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-bio_ssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bio_ssl.c
+bio_ssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+bio_ssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+bio_ssl.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+bio_ssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+bio_ssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+bio_ssl.o: ../include/openssl/err.h ../include/openssl/evp.h
+bio_ssl.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+bio_ssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+bio_ssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+bio_ssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+bio_ssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+bio_ssl.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+bio_ssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+bio_ssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c packet_locl.h
 bio_ssl.o: record/record.h ssl_locl.h
 d1_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-d1_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-d1_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-d1_both.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-d1_both.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-d1_both.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_both.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-d1_both.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-d1_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-d1_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-d1_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-d1_both.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-d1_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-d1_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-d1_both.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-d1_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-d1_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-d1_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-d1_both.o: ../include/openssl/x509_vfy.h d1_both.c record/record.h ssl_locl.h
+d1_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_both.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_both.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_both.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_both.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_both.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+d1_both.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_both.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_both.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_both.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+d1_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+d1_both.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+d1_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+d1_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+d1_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+d1_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_both.c
+d1_both.o: packet_locl.h record/record.h ssl_locl.h
 d1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 d1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -152,82 +154,86 @@ d1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 d1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 d1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 d1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_clnt.c
-d1_clnt.o: record/record.h ssl_locl.h
+d1_clnt.o: packet_locl.h record/record.h ssl_locl.h
 d1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-d1_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-d1_lib.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-d1_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-d1_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-d1_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-d1_lib.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-d1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-d1_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-d1_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-d1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-d1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-d1_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-d1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_lib.c
-d1_lib.o: record/record.h ssl_locl.h
+d1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_lib.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+d1_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+d1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+d1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+d1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_lib.o: ../include/openssl/x509_vfy.h d1_lib.c packet_locl.h record/record.h
+d1_lib.o: ssl_locl.h
 d1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-d1_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-d1_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-d1_meth.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-d1_meth.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-d1_meth.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_meth.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-d1_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-d1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-d1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-d1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-d1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-d1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-d1_meth.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-d1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_meth.c
+d1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_meth.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+d1_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+d1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_meth.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+d1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+d1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_meth.o: ../include/openssl/x509_vfy.h d1_meth.c packet_locl.h
 d1_meth.o: record/record.h ssl_locl.h
 d1_msg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-d1_msg.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-d1_msg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-d1_msg.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-d1_msg.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-d1_msg.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_msg.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-d1_msg.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-d1_msg.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-d1_msg.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-d1_msg.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-d1_msg.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-d1_msg.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-d1_msg.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-d1_msg.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_msg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_msg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_msg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_msg.c
-d1_msg.o: record/record.h ssl_locl.h
+d1_msg.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_msg.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_msg.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_msg.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_msg.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_msg.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_msg.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+d1_msg.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_msg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_msg.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_msg.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_msg.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+d1_msg.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_msg.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+d1_msg.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+d1_msg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_msg.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_msg.o: ../include/openssl/x509_vfy.h d1_msg.c packet_locl.h record/record.h
+d1_msg.o: ssl_locl.h
 d1_srtp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-d1_srtp.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-d1_srtp.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-d1_srtp.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-d1_srtp.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-d1_srtp.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-d1_srtp.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-d1_srtp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-d1_srtp.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-d1_srtp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-d1_srtp.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-d1_srtp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-d1_srtp.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-d1_srtp.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-d1_srtp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-d1_srtp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-d1_srtp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-d1_srtp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srtp.c
+d1_srtp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+d1_srtp.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+d1_srtp.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+d1_srtp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+d1_srtp.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+d1_srtp.o: ../include/openssl/err.h ../include/openssl/evp.h
+d1_srtp.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+d1_srtp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+d1_srtp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+d1_srtp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+d1_srtp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+d1_srtp.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+d1_srtp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+d1_srtp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+d1_srtp.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+d1_srtp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+d1_srtp.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+d1_srtp.o: ../include/openssl/x509_vfy.h d1_srtp.c packet_locl.h
 d1_srtp.o: record/record.h ssl_locl.h
 d1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 d1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -249,108 +255,113 @@ d1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c
-d1_srvr.o: record/record.h ssl_locl.h
+d1_srvr.o: packet_locl.h record/record.h ssl_locl.h
 dtls1_bitmap.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-dtls1_bitmap.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-dtls1_bitmap.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-dtls1_bitmap.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-dtls1_bitmap.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-dtls1_bitmap.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-dtls1_bitmap.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-dtls1_bitmap.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dtls1_bitmap.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dtls1_bitmap.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dtls1_bitmap.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dtls1_bitmap.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-dtls1_bitmap.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dtls1_bitmap.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-dtls1_bitmap.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-dtls1_bitmap.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-dtls1_bitmap.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-dtls1_bitmap.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-dtls1_bitmap.o: dtls1_bitmap.c record/../record/record.h record/../ssl_locl.h
-dtls1_bitmap.o: record/dtls1_bitmap.c record/record_locl.h
+dtls1_bitmap.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dtls1_bitmap.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+dtls1_bitmap.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+dtls1_bitmap.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+dtls1_bitmap.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+dtls1_bitmap.o: ../include/openssl/err.h ../include/openssl/evp.h
+dtls1_bitmap.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+dtls1_bitmap.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dtls1_bitmap.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dtls1_bitmap.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+dtls1_bitmap.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dtls1_bitmap.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+dtls1_bitmap.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+dtls1_bitmap.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+dtls1_bitmap.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+dtls1_bitmap.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+dtls1_bitmap.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+dtls1_bitmap.o: ../include/openssl/x509_vfy.h dtls1_bitmap.c
+dtls1_bitmap.o: record/../packet_locl.h record/../record/record.h
+dtls1_bitmap.o: record/../ssl_locl.h record/dtls1_bitmap.c record/record_locl.h
 rec_layer_d1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-rec_layer_d1.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-rec_layer_d1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-rec_layer_d1.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-rec_layer_d1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-rec_layer_d1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-rec_layer_d1.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-rec_layer_d1.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rec_layer_d1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rec_layer_d1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-rec_layer_d1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-rec_layer_d1.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-rec_layer_d1.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-rec_layer_d1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-rec_layer_d1.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-rec_layer_d1.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-rec_layer_d1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rec_layer_d1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-rec_layer_d1.o: ../include/openssl/x509_vfy.h rec_layer_d1.c
+rec_layer_d1.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+rec_layer_d1.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+rec_layer_d1.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+rec_layer_d1.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+rec_layer_d1.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+rec_layer_d1.o: ../include/openssl/err.h ../include/openssl/evp.h
+rec_layer_d1.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+rec_layer_d1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rec_layer_d1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rec_layer_d1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+rec_layer_d1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rec_layer_d1.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+rec_layer_d1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rec_layer_d1.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+rec_layer_d1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+rec_layer_d1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+rec_layer_d1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+rec_layer_d1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+rec_layer_d1.o: rec_layer_d1.c record/../packet_locl.h
 rec_layer_d1.o: record/../record/record.h record/../ssl_locl.h
 rec_layer_d1.o: record/rec_layer_d1.c record/record_locl.h
 rec_layer_s3.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-rec_layer_s3.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-rec_layer_s3.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-rec_layer_s3.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-rec_layer_s3.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-rec_layer_s3.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-rec_layer_s3.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-rec_layer_s3.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rec_layer_s3.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rec_layer_s3.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-rec_layer_s3.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-rec_layer_s3.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-rec_layer_s3.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-rec_layer_s3.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-rec_layer_s3.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-rec_layer_s3.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-rec_layer_s3.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rec_layer_s3.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-rec_layer_s3.o: ../include/openssl/x509_vfy.h rec_layer_s3.c
+rec_layer_s3.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+rec_layer_s3.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+rec_layer_s3.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+rec_layer_s3.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+rec_layer_s3.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+rec_layer_s3.o: ../include/openssl/err.h ../include/openssl/evp.h
+rec_layer_s3.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+rec_layer_s3.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+rec_layer_s3.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+rec_layer_s3.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+rec_layer_s3.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rec_layer_s3.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+rec_layer_s3.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rec_layer_s3.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+rec_layer_s3.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+rec_layer_s3.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+rec_layer_s3.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+rec_layer_s3.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+rec_layer_s3.o: rec_layer_s3.c record/../packet_locl.h
 rec_layer_s3.o: record/../record/record.h record/../ssl_locl.h
 rec_layer_s3.o: record/rec_layer_s3.c record/record_locl.h
 s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s3_both.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_both.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_both.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_both.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_both.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s3_both.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_both.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_both.o: ../include/openssl/x509_vfy.h record/record.h s3_both.c ssl_locl.h
+s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_both.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_both.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s3_both.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_both.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+s3_both.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_both.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_both.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_both.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s3_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_both.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s3_both.o: packet_locl.h record/record.h s3_both.c ssl_locl.h
 s3_cbc.o: ../e_os.h ../include/internal/constant_time_locl.h
 s3_cbc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_cbc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_cbc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s3_cbc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_cbc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_cbc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_cbc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_cbc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-s3_cbc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_cbc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_cbc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_cbc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_cbc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s3_cbc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_cbc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_cbc.o: ../include/openssl/x509_vfy.h record/record.h s3_cbc.c ssl_locl.h
+s3_cbc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_cbc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_cbc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_cbc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_cbc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s3_cbc.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_cbc.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+s3_cbc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+s3_cbc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_cbc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_cbc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_cbc.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s3_cbc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_cbc.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s3_cbc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_cbc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_cbc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h packet_locl.h
+s3_cbc.o: record/record.h s3_cbc.c ssl_locl.h
 s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -371,65 +382,69 @@ s3_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
 s3_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
 s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_clnt.o: ../include/openssl/x509_vfy.h record/record.h s3_clnt.c ssl_locl.h
+s3_clnt.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+s3_clnt.o: s3_clnt.c ssl_locl.h
 s3_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s3_enc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_enc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-s3_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s3_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s3_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_enc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_enc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_enc.o: ../include/openssl/x509_vfy.h record/record.h s3_enc.c ssl_locl.h
+s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s3_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_enc.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+s3_enc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_enc.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h packet_locl.h
+s3_enc.o: record/record.h s3_enc.c ssl_locl.h
 s3_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-s3_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
-s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-s3_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-s3_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-s3_lib.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-s3_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s3_lib.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_lib.o: ../include/openssl/x509_vfy.h record/record.h s3_lib.c ssl_locl.h
+s3_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+s3_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+s3_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+s3_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+s3_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_lib.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h packet_locl.h
+s3_lib.o: record/record.h s3_lib.c ssl_locl.h
 s3_msg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_msg.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s3_msg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-s3_msg.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s3_msg.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s3_msg.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-s3_msg.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s3_msg.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s3_msg.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_msg.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s3_msg.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s3_msg.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s3_msg.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_msg.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s3_msg.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_msg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_msg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_msg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s3_msg.o: record/record.h s3_msg.c ssl_locl.h
+s3_msg.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_msg.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_msg.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+s3_msg.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s3_msg.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s3_msg.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_msg.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+s3_msg.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_msg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_msg.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s3_msg.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_msg.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+s3_msg.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_msg.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s3_msg.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+s3_msg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_msg.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_msg.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h s3_msg.c
+s3_msg.o: ssl_locl.h
 s3_srvr.o: ../e_os.h ../include/internal/constant_time_locl.h
 s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -451,87 +466,91 @@ s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s3_srvr.o: record/record.h s3_srvr.c ssl_locl.h
+s3_srvr.o: packet_locl.h record/record.h s3_srvr.c ssl_locl.h
 ssl3_buffer.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl3_buffer.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl3_buffer.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl3_buffer.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl3_buffer.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl3_buffer.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl3_buffer.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl3_buffer.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl3_buffer.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl3_buffer.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl3_buffer.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl3_buffer.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl3_buffer.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl3_buffer.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl3_buffer.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl3_buffer.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl3_buffer.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl3_buffer.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl3_buffer.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl3_buffer.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl3_buffer.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl3_buffer.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl3_buffer.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl3_buffer.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl3_buffer.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl3_buffer.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl3_buffer.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl3_buffer.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl3_buffer.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl3_buffer.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl3_buffer.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl3_buffer.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl3_buffer.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl3_buffer.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl3_buffer.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl3_buffer.o: ../include/openssl/x509_vfy.h record/../packet_locl.h
 ssl3_buffer.o: record/../record/record.h record/../ssl_locl.h
 ssl3_buffer.o: record/record_locl.h record/ssl3_buffer.c ssl3_buffer.c
 ssl3_record.o: ../e_os.h ../include/internal/constant_time_locl.h
 ssl3_record.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl3_record.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl3_record.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl3_record.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl3_record.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl3_record.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl3_record.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl3_record.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl3_record.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl3_record.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl3_record.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl3_record.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl3_record.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-ssl3_record.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl3_record.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl3_record.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-ssl3_record.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl3_record.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl3_record.o: ../include/openssl/x509_vfy.h record/../record/record.h
+ssl3_record.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl3_record.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl3_record.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl3_record.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl3_record.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl3_record.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl3_record.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl3_record.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl3_record.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl3_record.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl3_record.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl3_record.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+ssl3_record.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl3_record.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+ssl3_record.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl3_record.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl3_record.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl3_record.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl3_record.o: record/../packet_locl.h record/../record/record.h
 ssl3_record.o: record/../ssl_locl.h record/record_locl.h record/ssl3_record.c
 ssl3_record.o: ssl3_record.c
 ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_algs.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_algs.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_algs.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_algs.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_algs.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_algs.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_algs.o: record/record.h ssl_algs.c ssl_locl.h
+ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_algs.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_algs.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_algs.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_algs.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_algs.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_algs.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_algs.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_algs.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_algs.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_algs.o: ssl_algs.c ssl_locl.h
 ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1t.h
-ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
-ssl_asn1.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ssl_asn1.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_asn1.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_asn1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_asn1.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_asn1.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_asn1.o: ../include/openssl/x509_vfy.h record/record.h ssl_asn1.c ssl_locl.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/bn.h
+ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
+ssl_asn1.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+ssl_asn1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+ssl_asn1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+ssl_asn1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_asn1.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_asn1.o: packet_locl.h record/record.h ssl_asn1.c ssl_locl.h
 ssl_cert.o: ../e_os.h ../include/internal/o_dir.h ../include/openssl/asn1.h
 ssl_cert.o: ../include/openssl/bio.h ../include/openssl/bn.h
 ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/comp.h
@@ -552,46 +571,49 @@ ssl_cert.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_cert.o: ../include/openssl/x509v3.h record/record.h ssl_cert.c ssl_locl.h
+ssl_cert.o: ../include/openssl/x509v3.h packet_locl.h record/record.h
+ssl_cert.o: ssl_cert.c ssl_locl.h
 ssl_ciph.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_ciph.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_ciph.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_ciph.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-ssl_ciph.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_ciph.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-ssl_ciph.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_ciph.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_ciph.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_ciph.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
-ssl_ciph.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_ciph.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_ciph.o: ../include/openssl/x509_vfy.h record/record.h ssl_ciph.c ssl_locl.h
+ssl_ciph.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_ciph.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_ciph.o: ../include/openssl/engine.h ../include/openssl/err.h
+ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_ciph.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_ciph.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+ssl_ciph.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_ciph.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_ciph.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_ciph.o: packet_locl.h record/record.h ssl_ciph.c ssl_locl.h
 ssl_conf.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_conf.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_conf.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ssl_conf.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_conf.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_conf.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_conf.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_conf.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl_conf.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_conf.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_conf.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_conf.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_conf.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_conf.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_conf.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_conf.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_conf.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_conf.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_conf.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_conf.o: record/record.h ssl_conf.c ssl_locl.h
+ssl_conf.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_conf.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_conf.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+ssl_conf.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_conf.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_conf.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_conf.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_conf.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_conf.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_conf.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_conf.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_conf.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_conf.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_conf.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_conf.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_conf.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_conf.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_conf.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_conf.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_conf.o: ssl_conf.c ssl_locl.h
 ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 ssl_err.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 ssl_err.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
@@ -627,181 +649,190 @@ ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c
 ssl_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_lib.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_lib.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_lib.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_lib.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_lib.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ssl_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
-ssl_lib.o: record/record.h ssl_lib.c ssl_locl.h
+ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h
+ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_lib.o: ../include/openssl/engine.h ../include/openssl/err.h
+ssl_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_lib.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_lib.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/x509v3.h packet_locl.h record/record.h ssl_lib.c
+ssl_lib.o: ssl_locl.h
 ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_rsa.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_rsa.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_rsa.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_rsa.o: record/record.h ssl_locl.h ssl_rsa.c
+ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_rsa.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_rsa.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_rsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_rsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_rsa.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_rsa.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_rsa.o: ssl_locl.h ssl_rsa.c
 ssl_sess.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_sess.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_sess.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_sess.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-ssl_sess.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_sess.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_sess.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-ssl_sess.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_sess.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_sess.o: record/record.h ssl_locl.h ssl_sess.c
+ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_sess.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_sess.o: ../include/openssl/engine.h ../include/openssl/err.h
+ssl_sess.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_sess.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_sess.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_sess.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_sess.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_sess.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_sess.o: ssl_locl.h ssl_sess.c
 ssl_stat.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_stat.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_stat.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_stat.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_stat.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_stat.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_stat.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_stat.o: record/record.h ssl_locl.h ssl_stat.c
+ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_stat.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_stat.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_stat.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_stat.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_stat.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_stat.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_stat.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_stat.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_stat.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_stat.o: ssl_locl.h ssl_stat.c
 ssl_txt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_txt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_txt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_txt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_txt.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_txt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_txt.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_txt.o: record/record.h ssl_locl.h ssl_txt.c
+ssl_txt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_txt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_txt.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_txt.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_txt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_txt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_txt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_txt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_txt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_txt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_txt.o: ssl_locl.h ssl_txt.c
 ssl_utst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_utst.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ssl_utst.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-ssl_utst.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ssl_utst.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ssl_utst.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-ssl_utst.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ssl_utst.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ssl_utst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_utst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ssl_utst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ssl_utst.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-ssl_utst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_utst.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ssl_utst.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ssl_utst.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_utst.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_utst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_utst.o: record/record.h ssl_locl.h ssl_utst.c
+ssl_utst.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_utst.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_utst.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+ssl_utst.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ssl_utst.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ssl_utst.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_utst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+ssl_utst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_utst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_utst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ssl_utst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_utst.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+ssl_utst.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_utst.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ssl_utst.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+ssl_utst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_utst.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_utst.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+ssl_utst.o: ssl_locl.h ssl_utst.c
 t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_clnt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_clnt.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_clnt.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_clnt.c
+t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_clnt.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+t1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_clnt.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_clnt.o: packet_locl.h record/record.h ssl_locl.h t1_clnt.c
 t1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_enc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_enc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_enc.o: ../include/openssl/lhash.h ../include/openssl/md5.h
-t1_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-t1_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-t1_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_enc.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-t1_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_enc.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_enc.o: record/record.h ssl_locl.h t1_enc.c
+t1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_enc.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_enc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
+t1_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+t1_enc.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_enc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+t1_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_enc.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+t1_enc.o: ssl_locl.h t1_enc.c
 t1_ext.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_ext.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_ext.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_ext.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_ext.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_ext.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_ext.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_ext.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-t1_ext.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_ext.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_ext.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_ext.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-t1_ext.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_ext.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-t1_ext.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_ext.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_ext.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_ext.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_ext.o: record/record.h ssl_locl.h t1_ext.c
+t1_ext.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_ext.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_ext.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_ext.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_ext.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_ext.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_ext.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_ext.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_ext.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_ext.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_ext.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_ext.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+t1_ext.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_ext.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+t1_ext.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_ext.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_ext.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_ext.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+t1_ext.o: ssl_locl.h t1_ext.c
 t1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 t1_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -823,83 +854,87 @@ t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
 t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
 t1_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
-t1_lib.o: record/record.h ssl_locl.h t1_lib.c
+t1_lib.o: packet_locl.h record/record.h ssl_locl.h t1_lib.c
 t1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_meth.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_meth.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_meth.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_meth.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_meth.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_meth.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_meth.o: record/record.h ssl_locl.h t1_meth.c
+t1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_meth.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_meth.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_meth.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_meth.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_meth.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_meth.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+t1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_meth.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+t1_meth.o: ssl_locl.h t1_meth.c
 t1_reneg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_reneg.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_reneg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_reneg.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_reneg.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_reneg.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_reneg.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_reneg.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-t1_reneg.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_reneg.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_reneg.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_reneg.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-t1_reneg.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_reneg.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-t1_reneg.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_reneg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_reneg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_reneg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_reneg.o: record/record.h ssl_locl.h t1_reneg.c
+t1_reneg.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_reneg.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_reneg.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_reneg.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_reneg.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_reneg.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_reneg.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_reneg.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_reneg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_reneg.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_reneg.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_reneg.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+t1_reneg.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_reneg.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+t1_reneg.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_reneg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_reneg.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_reneg.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+t1_reneg.o: ssl_locl.h t1_reneg.c
 t1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_srvr.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_srvr.c
+t1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_srvr.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+t1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+t1_srvr.o: packet_locl.h record/record.h ssl_locl.h t1_srvr.c
 t1_trce.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_trce.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-t1_trce.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-t1_trce.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-t1_trce.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-t1_trce.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-t1_trce.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_trce.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-t1_trce.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_trce.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-t1_trce.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_trce.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-t1_trce.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_trce.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-t1_trce.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_trce.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_trce.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_trce.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-t1_trce.o: record/record.h ssl_locl.h t1_trce.c
+t1_trce.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_trce.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_trce.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+t1_trce.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+t1_trce.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+t1_trce.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_trce.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+t1_trce.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_trce.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_trce.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_trce.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_trce.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+t1_trce.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_trce.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+t1_trce.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
+t1_trce.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_trce.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_trce.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+t1_trce.o: ssl_locl.h t1_trce.c
 tls_srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 tls_srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 tls_srp.o: ../include/openssl/comp.h ../include/openssl/crypto.h
@@ -919,4 +954,5 @@ tls_srp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
 tls_srp.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
 tls_srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 tls_srp.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-tls_srp.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h tls_srp.c
+tls_srp.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h
+tls_srp.o: ssl_locl.h tls_srp.c
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index 19cf6ff..4384eda 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -266,38 +266,18 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
     return 0;
 }
 
-int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,
-                                       int *al)
+int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
 {
     SRTP_PROTECTION_PROFILE *sprof;
     STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
-    int ct;
-    int mki_len;
+    unsigned int ct, mki_len, id;
     int i, srtp_pref;
-    unsigned int id;
-
-    /* Length value + the MKI length */
-    if (len < 3) {
-        SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
-               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-        *al = SSL_AD_DECODE_ERROR;
-        return 1;
-    }
-
-    /* Pull off the length of the cipher suite list */
-    n2s(d, ct);
-    len -= 2;
+    PACKET subpkt;
 
-    /* Check that it is even */
-    if (ct % 2) {
-        SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
-               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-        *al = SSL_AD_DECODE_ERROR;
-        return 1;
-    }
-
-    /* Check that lengths are consistent */
-    if (len < (ct + 1)) {
+    /* Pull off the length of the cipher suite list  and check it is even */
+    if (!PACKET_get_net_2(pkt, &ct)
+            || (ct & 1) != 0
+            || !PACKET_get_sub_packet(pkt, &subpkt, ct)) {
         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
                SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
         *al = SSL_AD_DECODE_ERROR;
@@ -309,10 +289,13 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,
     /* Search all profiles for a match initially */
     srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
 
-    while (ct) {
-        n2s(d, id);
-        ct -= 2;
-        len -= 2;
+    while (PACKET_remaining(&subpkt)) {
+        if (!PACKET_get_net_2(&subpkt, &id)) {
+            SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+                   SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+            *al = SSL_AD_DECODE_ERROR;
+            return 1;
+        }
 
         /*
          * Only look for match in profiles of higher preference than
@@ -333,11 +316,15 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,
     /*
      * Now extract the MKI value as a sanity check, but discard it for now
      */
-    mki_len = *d;
-    d++;
-    len--;
+    if (!PACKET_get_1(pkt, &mki_len)) {
+        SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
+               SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
+        *al = SSL_AD_DECODE_ERROR;
+        return 1;
+    }
 
-    if (mki_len != len) {
+    if (!PACKET_forward(pkt, mki_len)
+            || PACKET_remaining(pkt)) {
         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,
                SSL_R_BAD_SRTP_MKI_VALUE);
         *al = SSL_AD_DECODE_ERROR;
diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
new file mode 100644
index 0000000..4aab5cb
--- /dev/null
+++ b/ssl/packet_locl.h
@@ -0,0 +1,394 @@
+/* ssl/packet_locl.h */
+/*
+ * Written by Matt Caswell for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_PACKET_LOCL_H
+# define HEADER_PACKET_LOCL_H
+
+# include <string.h>
+# include <openssl/bn.h>
+# include <openssl/buffer.h>
+# include "e_os.h"
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+typedef struct {
+    /* Pointer to the start of the buffer data */
+    unsigned char *start;
+
+    /* Pointer to the first byte after the end of the buffer data */
+    unsigned char *end;
+
+    /* Pointer to where we are currently reading from */
+    unsigned char *curr;
+} PACKET;
+
+/*
+ * Returns 1 if there are exactly |len| bytes left to be read from |pkt|
+ * and 0 otherwise
+ */
+__owur static inline size_t PACKET_remaining(PACKET *pkt)
+{
+    return (size_t)(pkt->end - pkt->curr);
+}
+
+/*
+ * Initialise a PACKET with |len| bytes held in |buf|. This does not make a
+ * copy of the data so |buf| must be present for the whole time that the PACKET
+ * is being used.
+ */
+static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf, size_t len)
+{
+    pkt->start = pkt->curr = buf;
+    pkt->end = pkt->start + len;
+
+    /* Sanity checks */
+    if (pkt->start > pkt->end
+            || pkt->curr < pkt->start
+            || pkt->curr > pkt->end
+            || len != (size_t)(pkt->end - pkt->start)) {
+        return 0;
+    }
+
+    return 1;
+}
+
+/*
+ * Peek ahead and initialize |subpkt| with the next |len| bytes read from |pkt|.
+ * Data is not copied: the |subpkt| packet will share its underlying buffer with
+ * the original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
+ */
+__owur static inline int PACKET_peek_sub_packet(PACKET *pkt, PACKET *subpkt,
+                                               size_t len)
+{
+    if (PACKET_remaining(pkt) < len)
+        return 0;
+
+    PACKET_buf_init(subpkt, pkt->curr, len);
+
+    return 1;
+}
+
+/*
+ * Initialize |subpkt| with the next |len| bytes read from |pkt|. Data is not
+ * copied: the |subpkt| packet will share its underlying buffer with the
+ * original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
+ */
+__owur static inline int PACKET_get_sub_packet(PACKET *pkt, PACKET *subpkt,
+                                               size_t len)
+{
+    if (!PACKET_peek_sub_packet(pkt, subpkt, len))
+        return 0;
+
+    pkt->curr += len;
+
+    return 1;
+}
+
+/* Peek ahead at 2 bytes in network order from |pkt| and store the value in
+ * |*data|
+ */
+__owur static inline int PACKET_peek_net_2(PACKET *pkt, unsigned int *data)
+{
+    if (PACKET_remaining(pkt) < 2)
+        return 0;
+
+    *data  = ((unsigned int)(*pkt->curr)) <<  8;
+    *data |= *(pkt->curr + 1);
+
+    return 1;
+}
+
+/* Equivalent of n2s */
+/* Get 2 bytes in network order from |pkt| and store the value in |*data| */
+__owur static inline int PACKET_get_net_2(PACKET *pkt, unsigned int *data)
+{
+    if (!PACKET_peek_net_2(pkt, data))
+        return 0;
+
+    pkt->curr += 2;
+
+    return 1;
+}
+
+/* Peek ahead at 3 bytes in network order from |pkt| and store the value in
+ * |*data|
+ */
+__owur static inline int PACKET_peek_net_3(PACKET *pkt, unsigned long *data)
+{
+    if (PACKET_remaining(pkt) < 3)
+        return 0;
+
+    *data  = ((unsigned long)(*pkt->curr)) << 16;
+    *data |= ((unsigned long)(*pkt->curr + 1)) <<  8;
+    *data |= *pkt->curr + 2;
+
+    return 1;
+}
+
+/* Equivalent of n2l3 */
+/* Get 3 bytes in network order from |pkt| and store the value in |*data| */
+__owur static inline int PACKET_get_net_3(PACKET *pkt, unsigned long *data)
+{
+    if (!PACKET_peek_net_3(pkt, data))
+        return 0;
+
+    pkt->curr += 3;
+
+    return 1;
+}
+
+/* Peek ahead at 4 bytes in network order from |pkt| and store the value in
+ * |*data|
+ */
+__owur static inline int PACKET_peek_net_4(PACKET *pkt, unsigned long *data)
+{
+    if (PACKET_remaining(pkt) < 4)
+        return 0;
+
+    *data  = ((unsigned long)(*pkt->curr)) << 24;
+    *data |= ((unsigned long)(*pkt->curr + 1)) << 16;
+    *data |= ((unsigned long)(*pkt->curr + 2)) <<  8;
+    *data |= *pkt->curr+3;
+
+    return 1;
+}
+
+/* Equivalent of n2l */
+/* Get 4 bytes in network order from |pkt| and store the value in |*data| */
+__owur static inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data)
+{
+    if (!PACKET_peek_net_4(pkt, data))
+        return 0;
+
+    pkt->curr += 4;
+
+    return 1;
+}
+
+/* Peek ahead at 1 byte from |pkt| and store the value in |*data| */
+__owur static inline int PACKET_peek_1(PACKET *pkt, unsigned int *data)
+{
+    if (!PACKET_remaining(pkt))
+        return 0;
+
+    *data = *pkt->curr;
+
+    return 1;
+}
+
+/* Get 1 byte from |pkt| and store the value in |*data| */
+__owur static inline int PACKET_get_1(PACKET *pkt, unsigned int *data)
+{
+    if (!PACKET_peek_1(pkt, data))
+        return 0;
+
+    pkt->curr++;
+
+    return 1;
+}
+
+/*
+ * Peek ahead at 4 bytes in reverse network order from |pkt| and store the value
+ * in |*data|
+ */
+__owur static inline int PACKET_peek_4(PACKET *pkt, unsigned long *data)
+{
+    if (PACKET_remaining(pkt) < 4)
+        return 0;
+
+    *data  = *pkt->curr;
+    *data |= ((unsigned long)(*pkt->curr + 1)) <<  8;
+    *data |= ((unsigned long)(*pkt->curr + 2)) << 16;
+    *data |= ((unsigned long)(*pkt->curr + 3)) << 24;
+
+    return 1;
+}
+
+/* Equivalent of c2l */
+/*
+ * Get 4 bytes in reverse network order from |pkt| and store the value in
+ * |*data|
+ */
+__owur static inline int PACKET_get_4(PACKET *pkt, unsigned long *data)
+{
+    if (!PACKET_peek_4(pkt, data))
+        return 0;
+
+    pkt->curr += 4;
+
+    return 1;
+}
+
+/*
+ * Peek ahead at |len| bytes from the |pkt| and store a pointer to them in
+ * |*data|. This just points at the underlying buffer that |pkt| is using. The
+ * caller should not free this data directly (it will be freed when the
+ * underlying buffer gets freed
+ */
+__owur static inline int PACKET_peek_bytes(PACKET *pkt, unsigned char **data,
+                                          size_t len)
+{
+    if (PACKET_remaining(pkt) < len)
+        return 0;
+
+    *data = pkt->curr;
+
+    return 1;
+}
+
+/*
+ * Read |len| bytes from the |pkt| and store a pointer to them in |*data|. This
+ * just points at the underlying buffer that |pkt| is using. The caller should
+ * not free this data directly (it will be freed when the underlying buffer gets
+ * freed
+ */
+__owur static inline int PACKET_get_bytes(PACKET *pkt, unsigned char **data,
+                                          size_t len)
+{
+    if (!PACKET_peek_bytes(pkt, data, len))
+        return 0;
+
+    pkt->curr += len;
+
+    return 1;
+}
+
+/* Peek ahead at |len| bytes from |pkt| and copy them to |data| */
+__owur static inline int PACKET_peek_copy_bytes(PACKET *pkt,
+                                                unsigned char *data, size_t len)
+{
+    if (PACKET_remaining(pkt) < len)
+        return 0;
+
+    memcpy(data, pkt->curr, len);
+
+    return 1;
+}
+
+/* Read |len| bytes from |pkt| and copy them to |data| */
+__owur static inline int PACKET_copy_bytes(PACKET *pkt, unsigned char *data,
+                                          size_t len)
+{
+    if (!PACKET_peek_copy_bytes(pkt, data, len))
+        return 0;
+
+    pkt->curr += len;
+
+    return 1;
+}
+
+/* Move the current reading position back |len| bytes */
+__owur static inline int PACKET_back(PACKET *pkt, size_t len)
+{
+    if (len > (size_t)(pkt->curr - pkt->start))
+        return 0;
+
+    pkt->curr -= len;
+
+    return 1;
+}
+
+/* Move the current reading position forward |len| bytes */
+__owur static inline int PACKET_forward(PACKET *pkt, size_t len)
+{
+    if (PACKET_remaining(pkt) < len)
+        return 0;
+
+    pkt->curr += len;
+
+    return 1;
+}
+
+/* Store a bookmark for the current reading position in |*bm| */
+__owur static inline int PACKET_get_bookmark(PACKET *pkt, size_t *bm)
+{
+    *bm = pkt->curr - pkt->start;
+
+    return 1;
+}
+
+/* Set the current reading position to the bookmark |bm| */
+__owur static inline int PACKET_goto_bookmark(PACKET *pkt, size_t bm)
+{
+    if (bm > (size_t)(pkt->end - pkt->start))
+        return 0;
+
+    pkt->curr = pkt->start + bm;
+
+    return 1;
+}
+
+/*
+ * Stores the total length of the packet we have in the underlying buffer in
+ * |*len|
+ */
+__owur static inline int PACKET_length(PACKET *pkt, size_t *len)
+{
+    *len = pkt->end - pkt->start;
+
+    return 1;
+}
+
+# ifdef __cplusplus
+}
+# endif
+
+#endif /* HEADER_PACKET_LOCL_H */
+
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 718ca2c..bc7f84f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -862,11 +862,11 @@ int ssl3_send_hello_request(SSL *s)
 
 int ssl3_get_client_hello(SSL *s)
 {
-    int i, complen, j, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
-    unsigned int cookie_len;
+    int i, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
+    unsigned int j, cipherlen, complen;
+    unsigned int cookie_len = 0;
     long n;
     unsigned long id;
-    unsigned char *p, *d;
     SSL_CIPHER *c;
 #ifndef OPENSSL_NO_COMP
     unsigned char *q = NULL;
@@ -874,6 +874,8 @@ int ssl3_get_client_hello(SSL *s)
 #endif
     STACK_OF(SSL_CIPHER) *ciphers = NULL;
     int protverr = 1;
+    PACKET pkt;
+    unsigned char *sess, *cdata;
 
     if (s->state == SSL3_ST_SR_CLNT_HELLO_C && !s->first_packet)
         goto retry_cert;
@@ -897,10 +899,12 @@ int ssl3_get_client_hello(SSL *s)
     if (!ok)
         return ((int)n);
     s->first_packet = 0;
-    d = p = (unsigned char *)s->init_msg;
+    PACKET_buf_init(&pkt, s->init_msg, n);
 
     /* First lets get s->client_version set correctly */
     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
+        unsigned int version;
+        unsigned int mt;
         /*-
          * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
          * header is sent directly on the wire, not wrapped as a TLS
@@ -916,7 +920,8 @@ int ssl3_get_client_hello(SSL *s)
          * ...   ...
          */
 
-        if (p[0] != SSL2_MT_CLIENT_HELLO) {
+        if (!PACKET_get_1(&pkt, &mt)
+                || mt != SSL2_MT_CLIENT_HELLO) {
             /*
              * Should never happen. We should have tested this in the record
              * layer in order to have determined that this is a SSLv2 record
@@ -926,13 +931,18 @@ int ssl3_get_client_hello(SSL *s)
             goto err;
         }
 
-        if ((p[1] == 0x00) && (p[2] == 0x02)) {
+        if (!PACKET_get_net_2(&pkt, &version)) {
+            /* No protocol version supplied! */
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+            goto err;
+        }
+        if (version == 0x0002) {
             /* This is real SSLv2. We don't support it. */
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
             goto err;
-        } else if (p[1] == SSL3_VERSION_MAJOR) {
+        } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
             /* SSLv3/TLS */
-            s->client_version = (((int)p[1]) << 8) | (int)p[2];
+            s->client_version = version;
         } else {
             /* No idea what protocol this is */
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
@@ -940,20 +950,14 @@ int ssl3_get_client_hello(SSL *s)
         }
     } else {
         /*
-         * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte
-         * for session id length
+         * use version from inside client hello, not from record header (may
+         * differ: see RFC 2246, Appendix E, second paragraph)
          */
-        if (n < 2 + SSL3_RANDOM_SIZE + 1) {
+        if(!PACKET_get_net_2(&pkt, (unsigned int *)&s->client_version)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
         }
-
-        /*
-         * use version from inside client hello, not from record header (may
-         * differ: see RFC 2246, Appendix E, second paragraph)
-         */
-        s->client_version = (((int)p[0]) << 8) | (int)p[1];
     }
 
     /* Do SSL/TLS version negotiation if applicable */
@@ -1032,15 +1036,9 @@ int ssl3_get_client_hello(SSL *s)
          */
         unsigned int csl, sil, cl;
 
-        p += 3;
-        n2s(p, csl);
-        n2s(p, sil);
-        n2s(p, cl);
-
-        if (csl + sil + cl + MIN_SSL2_RECORD_LEN != (unsigned int) n) {
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
-            al = SSL_AD_DECODE_ERROR;
-            goto f_err;
+        if (!PACKET_get_net_2(&pkt, &csl)
+                || !PACKET_get_net_2(&pkt, &sil)
+                || !PACKET_get_net_2(&pkt, &cl)) {
         }
 
         if (csl == 0) {
@@ -1050,7 +1048,13 @@ int ssl3_get_client_hello(SSL *s)
             goto f_err;
         }
 
-        if (ssl_bytes_to_cipher_list(s, p, csl, &(ciphers), 1) == NULL) {
+        if (!PACKET_get_bytes(&pkt, &cdata, csl)) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
+            al = SSL_AD_DECODE_ERROR;
+            goto f_err;
+        }
+
+        if (ssl_bytes_to_cipher_list(s, cdata, csl, &(ciphers), 1) == NULL) {
             goto err;
         }
 
@@ -1058,6 +1062,11 @@ int ssl3_get_client_hello(SSL *s)
          * Ignore any session id. We don't allow resumption in a backwards
          * compatible ClientHello
          */
+        if (!PACKET_forward(&pkt, sil)) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
+            al = SSL_AD_DECODE_ERROR;
+            goto f_err;
+        }
         s->hit = 0;
 
         if (!ssl_get_new_session(s, 1))
@@ -1066,17 +1075,27 @@ int ssl3_get_client_hello(SSL *s)
         /* Load the client random */
         i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl;
         memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
-        memcpy(s->s3->client_random, &(p[csl + sil]), i);
-
-        /* Set p to end of packet to ensure we don't look for extensions */
-        p = d + n;
+        if (!PACKET_peek_copy_bytes(&pkt, s->s3->client_random, i)
+                || !PACKET_forward(&pkt, cl)
+                || !PACKET_remaining(&pkt) == 0) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
+            al = SSL_AD_DECODE_ERROR;
+            goto f_err;
+        }
 
         /* No compression, so set complen to 0 */
         complen = 0;
     } else {
         /* If we get here we've got SSLv3+ in an SSLv3+ record */
 
-        p += 2;
+        /* load the client random and get the session-id */
+        if (!PACKET_copy_bytes(&pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
+                || !PACKET_get_1(&pkt, &j)
+                || !PACKET_get_bytes(&pkt, &sess, j)) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+            goto f_err;
+        }
 
         /*
          * If we require cookies and this ClientHello doesn't contain one, just
@@ -1084,34 +1103,17 @@ int ssl3_get_client_hello(SSL *s)
          * cookie length...
          */
         if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
-            unsigned int session_length, cookie_length;
 
-            session_length = *(p + SSL3_RANDOM_SIZE);
-
-            if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
+            if (!PACKET_peek_1(&pkt, &cookie_len)) {
                 al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
                 goto f_err;
             }
-            cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
 
-            if (cookie_length == 0)
+            if (cookie_len == 0)
                 return 1;
         }
 
-        /* load the client random */
-        memcpy(s->s3->client_random, p, SSL3_RANDOM_SIZE);
-        p += SSL3_RANDOM_SIZE;
-
-        /* get the session-id */
-        j = *(p++);
-
-        if (p + j > d + n) {
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-            goto f_err;
-        }
-
         s->hit = 0;
         /*
          * Versions before 0.9.7 always allow clients to resume sessions in
@@ -1131,7 +1133,7 @@ int ssl3_get_client_hello(SSL *s)
             if (!ssl_get_new_session(s, 1))
                 goto err;
         } else {
-            i = ssl_get_prev_session(s, p, j, d + n);
+            i = ssl_get_prev_session(s, &pkt, sess, j);
             /*
              * Only resume if the session's version matches the negotiated
              * version.
@@ -1153,23 +1155,12 @@ int ssl3_get_client_hello(SSL *s)
             }
         }
 
-        p += j;
-
         if (SSL_IS_DTLS(s)) {
-            /* cookie stuff */
-            if (p + 1 > d + n) {
+            if (!PACKET_get_1(&pkt, &cookie_len)) {
                 al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
                 goto f_err;
             }
-            cookie_len = *(p++);
-
-            if (p + cookie_len > d + n) {
-                al = SSL_AD_DECODE_ERROR;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-                goto f_err;
-            }
-
             /*
              * The ClientHello may contain a cookie even if the
              * HelloVerify message has not been sent--make sure that it
@@ -1185,7 +1176,13 @@ int ssl3_get_client_hello(SSL *s)
             /* verify the cookie if appropriate option is set. */
             if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
                     && cookie_len > 0) {
-                memcpy(s->d1->rcvd_cookie, p, cookie_len);
+                /* Get cookie */
+                if (!PACKET_copy_bytes(&pkt, s->d1->rcvd_cookie,
+                                              cookie_len)) {
+                    al = SSL_AD_DECODE_ERROR;
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+                    goto f_err;
+                }
 
                 if (s->ctx->app_verify_cookie_cb != NULL) {
                     if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
@@ -1206,9 +1203,15 @@ int ssl3_get_client_hello(SSL *s)
                 }
                 /* Set to -2 so if successful we return 2 */
                 ret = -2;
+            } else {
+                /* Skip over cookie */
+                if (!PACKET_forward(&pkt, cookie_len)) {
+                    al = SSL_AD_DECODE_ERROR;
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+                    goto f_err;
+                }
             }
 
-            p += cookie_len;
             if (s->method->version == DTLS_ANY_VERSION) {
                 /* Select version to use */
                 if (s->client_version <= DTLS1_2_VERSION &&
@@ -1236,30 +1239,28 @@ int ssl3_get_client_hello(SSL *s)
             }
         }
 
-        if (p + 2 > d + n) {
+        if (!PACKET_get_net_2(&pkt, &cipherlen)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
         }
-        n2s(p, i);
 
-        if (i == 0) {
+        if (cipherlen == 0) {
             al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
             goto f_err;
         }
 
-        /* i bytes of cipher data + 1 byte for compression length later */
-        if ((p + i + 1) > (d + n)) {
+        if (!PACKET_get_bytes(&pkt, &cdata, cipherlen)) {
             /* not enough data */
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
             goto f_err;
         }
-        if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers), 0) == NULL) {
+
+        if (ssl_bytes_to_cipher_list(s, cdata, cipherlen, &(ciphers), 0) == NULL) {
             goto err;
         }
-        p += i;
 
         /* If it is a hit, check that the cipher is in the list */
         if (s->hit) {
@@ -1316,22 +1317,22 @@ int ssl3_get_client_hello(SSL *s)
         }
 
         /* compression */
-        complen = *(p++);
-        if ((p + complen) > (d + n)) {
+        if (!PACKET_get_1(&pkt, &complen)
+            || !PACKET_get_bytes(&pkt, &cdata, complen)) {
             /* not enough data */
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
             goto f_err;
         }
+
 #ifndef OPENSSL_NO_COMP
-        q = p;
+        q = cdata;
 #endif
         for (j = 0; j < complen; j++) {
-            if (p[j] == 0)
+            if (cdata[j] == 0)
                 break;
         }
 
-        p += complen;
         if (j >= complen) {
             /* no compress */
             al = SSL_AD_DECODE_ERROR;
@@ -1342,7 +1343,7 @@ int ssl3_get_client_hello(SSL *s)
 
     /* TLS extensions */
     if (s->version >= SSL3_VERSION) {
-        if (!ssl_parse_clienthello_tlsext(s, &p, d, n)) {
+        if (!ssl_parse_clienthello_tlsext(s, &pkt)) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
             goto err;
         }
@@ -1407,6 +1408,7 @@ int ssl3_get_client_hello(SSL *s)
     /* This only happens if we have a cache hit */
     if (s->session->compress_meth != 0) {
         int m, comp_id = s->session->compress_meth;
+        unsigned int k;
         /* Perform sanity checks on resumed compression algorithm */
         /* Can't disable compression */
         if (!ssl_allow_compression(s)) {
@@ -1428,11 +1430,11 @@ int ssl3_get_client_hello(SSL *s)
             goto f_err;
         }
         /* Look for resumed method in compression list */
-        for (m = 0; m < complen; m++) {
-            if (q[m] == comp_id)
+        for (k = 0; k < complen; k++) {
+            if (q[k] == comp_id)
                 break;
         }
-        if (m >= complen) {
+        if (k >= complen) {
             al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
                    SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
@@ -1442,7 +1444,8 @@ int ssl3_get_client_hello(SSL *s)
         comp = NULL;
     else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
         /* See if we have a match */
-        int m, nn, o, v, done = 0;
+        int m, nn, v, done = 0;
+        unsigned int o;
 
         nn = sk_SSL_COMP_num(s->ctx->comp_methods);
         for (m = 0; m < nn; m++) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c75219b..0997566 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -166,6 +166,7 @@
 # include <openssl/symhacks.h>
 
 #include "record/record.h"
+#include "packet_locl.h"
 
 # ifdef OPENSSL_BUILD_SHLIBSSL
 #  undef OPENSSL_EXTERN
@@ -1853,8 +1854,8 @@ __owur CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 __owur int ssl_get_new_session(SSL *s, int session);
-__owur int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
-                         const unsigned char *limit);
+__owur int ssl_get_prev_session(SSL *s, PACKET *pkt, unsigned char *session,
+                                int len);
 __owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
 __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
 DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
@@ -2087,8 +2088,7 @@ __owur unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
                                           unsigned char *limit, int *al);
 __owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
                                           unsigned char *limit, int *al);
-__owur int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data,
-                                 unsigned char *d, int n);
+__owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt);
 __owur int tls1_set_server_sigalgs(SSL *s);
 __owur int ssl_check_clienthello_tlsext_late(SSL *s);
 __owur int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data,
@@ -2103,8 +2103,8 @@ __owur int tls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length)
 __owur int dtls1_process_heartbeat(SSL *s, unsigned char *p, unsigned int length);
 #  endif
 
-__owur int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-                        const unsigned char *limit, SSL_SESSION **ret);
+__owur int tls1_process_ticket(SSL *s, PACKET *pkt,  unsigned char *session_id,
+                        int len, SSL_SESSION **ret);
 
 __owur int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
                          const EVP_MD *md);
@@ -2133,8 +2133,7 @@ __owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int l
                                           int *al);
 __owur int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
                                         int maxlen);
-__owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
-                                          int *al);
+__owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
 __owur long ssl_get_algorithm2(SSL *s);
 __owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
                           const unsigned char *psig, size_t psiglen);
@@ -2148,8 +2147,7 @@ __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
 
 __owur int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
                                      int maxlen);
-__owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,
-                                       int *al);
+__owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);
 __owur int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
                                      int maxlen);
 __owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 9063bca..26a3c43 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -547,8 +547,8 @@ int ssl_get_new_session(SSL *s, int session)
  *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
  *     if the server should issue a new session ticket (to 0 otherwise).
  */
-int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-                         const unsigned char *limit)
+int ssl_get_prev_session(SSL *s, PACKET *pkt, unsigned char *session_id,
+                         int len)
 {
     /* This is used only by servers. */
 
@@ -560,16 +560,11 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
     if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
         goto err;
 
-    if (session_id + len > limit) {
-        fatal = 1;
-        goto err;
-    }
-
     if (len == 0)
         try_session_cache = 0;
 
     /* sets s->tlsext_ticket_expected */
-    r = tls1_process_ticket(s, session_id, len, limit, &ret);
+    r = tls1_process_ticket(s, pkt, session_id, len, &ret);
     switch (r) {
     case -1:                   /* Error during processing */
         fatal = 1;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 47abf2b..c0dd35f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1756,46 +1756,33 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
  * alert value to send in the event of a non-zero return.  returns: 0 on
  * success.
  */
-static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
-                                         unsigned data_len, int *al)
+static int tls1_alpn_handle_client_hello(SSL *s, PACKET *pkt, int *al)
 {
-    unsigned i;
-    unsigned proto_len;
+    unsigned int data_len;
+    unsigned int proto_len;
     const unsigned char *selected;
+    unsigned char *data;
     unsigned char selected_len;
     int r;
 
     if (s->ctx->alpn_select_cb == NULL)
         return 0;
 
-    if (data_len < 2)
-        goto parse_error;
-
     /*
      * data should contain a uint16 length followed by a series of 8-bit,
      * length-prefixed strings.
      */
-    i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
-    data_len -= 2;
-    data += 2;
-    if (data_len != i)
-        goto parse_error;
-
-    if (data_len < 2)
+    if (!PACKET_get_net_2(pkt, &data_len)
+            || PACKET_remaining(pkt) != data_len
+            || !PACKET_peek_bytes(pkt, &data, data_len))
         goto parse_error;
 
-    for (i = 0; i < data_len;) {
-        proto_len = data[i];
-        i++;
-
-        if (proto_len == 0)
-            goto parse_error;
-
-        if (i + proto_len < i || i + proto_len > data_len)
+    do {
+        if (!PACKET_get_1(pkt, &proto_len)
+                || proto_len == 0
+                || !PACKET_forward(pkt, proto_len))
             goto parse_error;
-
-        i += proto_len;
-    }
+    } while (PACKET_remaining(pkt));
 
     r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len,
                                s->ctx->alpn_select_cb_arg);
@@ -1830,10 +1817,11 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
  * 10.8..10.8.3 (which don't work).
  */
-static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-                                 const unsigned char *d, int n)
+static void ssl_check_for_safari(SSL *s, PACKET *pkt)
 {
-    unsigned short type, size;
+    unsigned int type, size;
+    unsigned char *eblock1, *eblock2;
+
     static const unsigned char kSafariExtensionsBlock[] = {
         0x00, 0x0a,             /* elliptic_curves extension */
         0x00, 0x08,             /* 8 bytes */
@@ -1860,38 +1848,34 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
         0x02, 0x03,             /* SHA-1/ECDSA */
     };
 
-    if (data >= (d + n - 2))
+    if (!PACKET_forward(pkt, 2)
+            || !PACKET_get_net_2(pkt, &type)
+            || !PACKET_get_net_2(pkt, &size)
+            || !PACKET_forward(pkt, size))
         return;
-    data += 2;
-
-    if (data > (d + n - 4))
-        return;
-    n2s(data, type);
-    n2s(data, size);
 
     if (type != TLSEXT_TYPE_server_name)
         return;
 
-    if (data + size > d + n)
-        return;
-    data += size;
-
     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
         const size_t len1 = sizeof(kSafariExtensionsBlock);
         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
 
-        if (data + len1 + len2 != d + n)
+        if (!PACKET_get_bytes(pkt, &eblock1, len1)
+                || !PACKET_get_bytes(pkt, &eblock2, len2)
+                || PACKET_remaining(pkt))
             return;
-        if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+        if (memcmp(eblock1, kSafariExtensionsBlock, len1) != 0)
             return;
-        if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+        if (memcmp(eblock2, kSafariTLS12ExtensionsBlock, len2) != 0)
             return;
     } else {
         const size_t len = sizeof(kSafariExtensionsBlock);
 
-        if (data + len != d + n)
+        if (!PACKET_get_bytes(pkt, &eblock1, len)
+                || PACKET_remaining(pkt))
             return;
-        if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+        if (memcmp(eblock1, kSafariExtensionsBlock, len) != 0)
             return;
     }
 
@@ -1899,13 +1883,12 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
 }
 #endif                         /* !OPENSSL_NO_EC */
 
-static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-                                       unsigned char *d, int n, int *al)
+static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
 {
-    unsigned short type;
-    unsigned short size;
-    unsigned short len;
-    unsigned char *data = *p;
+    unsigned int type;
+    unsigned int size;
+    unsigned int len;
+    unsigned char *data;
     int renegotiate_seen = 0;
 
     s->servername_done = 0;
@@ -1923,8 +1906,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 
 #ifndef OPENSSL_NO_EC
     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-        ssl_check_for_safari(s, data, d, n);
-#endif                         /* !OPENSSL_NO_EC */
+        ssl_check_for_safari(s, pkt);
+# endif /* !OPENSSL_NO_EC */
 
     /* Clear any signature algorithms extension received */
     OPENSSL_free(s->s3->tmp.peer_sigalgs);
@@ -1940,27 +1923,26 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 
     s->srtp_profile = NULL;
 
-    if (data == d + n)
+    if (PACKET_remaining(pkt) == 0)
         goto ri_check;
 
-    if (data > (d + n - 2))
-        goto err;
-
-    n2s(data, len);
-
-    if (data > (d + n - len))
+    if (!PACKET_get_net_2(pkt, &len))
         goto err;
 
-    while (data <= (d + n - 4)) {
-        n2s(data, type);
-        n2s(data, size);
+    while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
+        PACKET subpkt;
 
-        if (data + size > (d + n))
+        if (!PACKET_peek_bytes(pkt, &data, size))
             goto err;
+
         if (s->tlsext_debug_cb)
             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
+
+        if (!PACKET_get_sub_packet(pkt, &subpkt, size))
+            goto err;
+
         if (type == TLSEXT_TYPE_renegotiate) {
-            if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
+            if (!ssl_parse_clienthello_renegotiate_ext(s, &subpkt, al))
                 return 0;
             renegotiate_seen = 1;
         } else if (s->version == SSL3_VERSION) {
@@ -1992,23 +1974,18 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 
         else if (type == TLSEXT_TYPE_server_name) {
             unsigned char *sdata;
-            int servname_type;
-            int dsize;
+            unsigned int servname_type;
+            unsigned int dsize;
+            PACKET ssubpkt;
 
-            if (size < 2)
+            if (!PACKET_get_net_2(&subpkt, &dsize)
+                    || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
                 goto err;
-            n2s(data, dsize);
-            size -= 2;
-            if (dsize > size)
-                goto err;
-
-            sdata = data;
-            while (dsize > 3) {
-                servname_type = *(sdata++);
-                n2s(sdata, len);
-                dsize -= 3;
 
-                if (len > dsize)
+            while (PACKET_remaining(&ssubpkt) > 3) {
+                if (!PACKET_get_1(&ssubpkt, &servname_type)
+                        || !PACKET_get_net_2(&ssubpkt, &len)
+                        || PACKET_remaining(&ssubpkt) < len)
                     goto err;
 
                 if (s->servername_done == 0)
@@ -2027,7 +2004,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                                 *al = TLS1_AD_INTERNAL_ERROR;
                                 return 0;
                             }
-                            memcpy(s->session->tlsext_hostname, sdata, len);
+                            if (!PACKET_copy_bytes(&ssubpkt,
+                                    (unsigned char *)s->session
+                                        ->tlsext_hostname,
+                                    len)) {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                            }
                             s->session->tlsext_hostname[len] = '\0';
                             if (strlen(s->session->tlsext_hostname) != len) {
                                 OPENSSL_free(s->session->tlsext_hostname);
@@ -2037,48 +2020,55 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                             }
                             s->servername_done = 1;
 
-                        } else
+                        } else {
+                            if (!PACKET_get_bytes(&ssubpkt, &sdata, len)) {
+                                *al = SSL_AD_DECODE_ERROR;
+                                return 0;
+                            }
                             s->servername_done = s->session->tlsext_hostname
                                 && strlen(s->session->tlsext_hostname) == len
                                 && strncmp(s->session->tlsext_hostname,
                                            (char *)sdata, len) == 0;
+                        }
 
                         break;
 
                     default:
                         break;
                     }
-
-                dsize -= len;
             }
-            if (dsize != 0)
+            /* We shouldn't have any bytes left */
+            if (PACKET_remaining(&ssubpkt))
                 goto err;
 
         }
 #ifndef OPENSSL_NO_SRP
         else if (type == TLSEXT_TYPE_srp) {
-            if (size == 0 || ((len = data[0])) != (size - 1))
-                goto err;
-            if (s->srp_ctx.login != NULL)
+            if (!PACKET_get_1(&subpkt, &len)
+                    || s->srp_ctx.login != NULL)
                 goto err;
+
             if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
                 return -1;
-            memcpy(s->srp_ctx.login, &data[1], len);
+            if (!PACKET_copy_bytes(&subpkt, (unsigned char *)s->srp_ctx.login,
+                                   len))
+                goto err;
             s->srp_ctx.login[len] = '\0';
 
-            if (strlen(s->srp_ctx.login) != len)
+            if (strlen(s->srp_ctx.login) != len
+                    || PACKET_remaining(&subpkt))
                 goto err;
         }
 #endif
 
 #ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
-            unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
+            unsigned int ecpointformatlist_length;
 
-            if (ecpointformatlist_length != size - 1 ||
-                ecpointformatlist_length < 1)
+            if (!PACKET_get_1(&subpkt, &ecpointformatlist_length)
+                    || ecpointformatlist_length == 0)
                 goto err;
+
             if (!s->hit) {
                 OPENSSL_free(s->session->tlsext_ecpointformatlist);
                 s->session->tlsext_ecpointformatlist = NULL;
@@ -2090,19 +2080,26 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 }
                 s->session->tlsext_ecpointformatlist_length =
                     ecpointformatlist_length;
-                memcpy(s->session->tlsext_ecpointformatlist, sdata,
-                       ecpointformatlist_length);
+                if (!PACKET_copy_bytes(&subpkt,
+                        s->session->tlsext_ecpointformatlist,
+                        ecpointformatlist_length))
+                    goto err;
+            } else if (!PACKET_forward(&subpkt, ecpointformatlist_length)) {
+                goto err;
+            }
+            /* We should have consumed all the bytes by now */
+            if (PACKET_remaining(&subpkt)) {
+                *al = TLS1_AD_DECODE_ERROR;
+                return 0;
             }
         } else if (type == TLSEXT_TYPE_elliptic_curves) {
-            unsigned char *sdata = data;
-            int ellipticcurvelist_length = (*(sdata++) << 8);
-            ellipticcurvelist_length += (*(sdata++));
+            unsigned int ellipticcurvelist_length;
 
-            if (ellipticcurvelist_length != size - 2 ||
-                ellipticcurvelist_length < 1 ||
-                /* Each NamedCurve is 2 bytes. */
-                ellipticcurvelist_length & 1)
-                    goto err;
+            /* Each NamedCurve is 2 bytes and we must have at least 1 */
+            if (!PACKET_get_net_2(&subpkt, &ellipticcurvelist_length)
+                    || ellipticcurvelist_length == 0
+                    || (ellipticcurvelist_length & 1) != 0)
+                goto err;
 
             if (!s->hit) {
                 if (s->session->tlsext_ellipticcurvelist)
@@ -2116,54 +2113,63 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 }
                 s->session->tlsext_ellipticcurvelist_length =
                     ellipticcurvelist_length;
-                memcpy(s->session->tlsext_ellipticcurvelist, sdata,
-                       ellipticcurvelist_length);
+                if (!PACKET_copy_bytes(&subpkt,
+                        s->session->tlsext_ellipticcurvelist,
+                        ellipticcurvelist_length))
+                    goto err;
+            } else if (!PACKET_forward(&subpkt, ellipticcurvelist_length)) {
+                goto err;
+            }
+            /* We should have consumed all the bytes by now */
+            if (PACKET_remaining(&subpkt)) {
+                goto err;
             }
         }
 #endif                         /* OPENSSL_NO_EC */
         else if (type == TLSEXT_TYPE_session_ticket) {
-            if (s->tls_session_ticket_ext_cb &&
-                !s->tls_session_ticket_ext_cb(s, data, size,
-                                              s->tls_session_ticket_ext_cb_arg))
-            {
+            if (!PACKET_forward(&subpkt, size)
+                || (s->tls_session_ticket_ext_cb &&
+                    !s->tls_session_ticket_ext_cb(s, data, size,
+                                        s->tls_session_ticket_ext_cb_arg))) {
                 *al = TLS1_AD_INTERNAL_ERROR;
                 return 0;
             }
         } else if (type == TLSEXT_TYPE_signature_algorithms) {
-            int dsize;
-            if (s->s3->tmp.peer_sigalgs || size < 2)
-                goto err;
-            n2s(data, dsize);
-            size -= 2;
-            if (dsize != size || dsize & 1 || !dsize)
-                goto err;
-            if (!tls1_save_sigalgs(s, data, dsize))
+            unsigned int dsize;
+
+            if (s->s3->tmp.peer_sigalgs
+                    || !PACKET_get_net_2(&subpkt, &dsize)
+                    || (dsize & 1) != 0
+                    || (dsize == 0)
+                    || !PACKET_get_bytes(&subpkt, &data, dsize)
+                    || PACKET_remaining(&subpkt)
+                    || !tls1_save_sigalgs(s, data, dsize)) {
                 goto err;
+            }
         } else if (type == TLSEXT_TYPE_status_request) {
+            PACKET ssubpkt;
 
-            if (size < 5)
+            if (!PACKET_get_1(&subpkt,
+                              (unsigned int *)&s->tlsext_status_type))
                 goto err;
 
-            s->tlsext_status_type = *data++;
-            size--;
             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
                 const unsigned char *sdata;
-                int dsize;
+                unsigned int dsize;
                 /* Read in responder_id_list */
-                n2s(data, dsize);
-                size -= 2;
-                if (dsize > size)
+                if (!PACKET_get_net_2(&subpkt, &dsize)
+                        || !PACKET_get_sub_packet(&subpkt, &ssubpkt, dsize))
                     goto err;
-                while (dsize > 0) {
+
+                while (PACKET_remaining(&ssubpkt)) {
                     OCSP_RESPID *id;
-                    int idsize;
-                    if (dsize < 4)
-                        goto err;
-                    n2s(data, idsize);
-                    dsize -= 2 + idsize;
-                    size -= 2 + idsize;
-                    if (dsize < 0)
+                    unsigned int idsize;
+
+                    if (PACKET_remaining(&ssubpkt) < 4
+                            || !PACKET_get_net_2(&ssubpkt, &idsize)
+                            || !PACKET_get_bytes(&ssubpkt, &data, idsize)) {
                         goto err;
+                    }
                     sdata = data;
                     data += idsize;
                     id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
@@ -2188,12 +2194,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 }
 
                 /* Read in request_extensions */
-                if (size < 2)
-                    goto err;
-                n2s(data, dsize);
-                size -= 2;
-                if (dsize != size)
+                if (!PACKET_get_net_2(&subpkt, &dsize)
+                        || !PACKET_get_bytes(&subpkt, &data, dsize)
+                        || PACKET_remaining(&subpkt)) {
                     goto err;
+                }
                 sdata = data;
                 if (dsize > 0) {
                     sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
@@ -2212,7 +2217,14 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
         }
 #ifndef OPENSSL_NO_HEARTBEATS
         else if (type == TLSEXT_TYPE_heartbeat) {
-            switch (data[0]) {
+            unsigned int hbtype;
+
+            if (!PACKET_get_1(&subpkt, &hbtype)
+                    || PACKET_remaining(&subpkt)) {
+                *al = SSL_AD_DECODE_ERROR;
+                return 0;
+            }
+            switch (hbtype) {
             case 0x01:         /* Client allows us to send HB requests */
                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
                 break;
@@ -2253,7 +2265,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 
         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
                  s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) {
-            if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
+            if (tls1_alpn_handle_client_hello(s, &subpkt, al) != 0)
                 return 0;
 #ifndef OPENSSL_NO_NEXTPROTONEG
             /* ALPN takes precedence over NPN. */
@@ -2265,7 +2277,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 #ifndef OPENSSL_NO_SRTP
         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
                  && type == TLSEXT_TYPE_use_srtp) {
-            if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
+            if (ssl_parse_clienthello_use_srtp_ext(s, &subpkt, al))
                 return 0;
         }
 #endif
@@ -2288,16 +2300,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
             if (custom_ext_parse(s, 1, type, data, size, al) <= 0)
                 return 0;
         }
-
-        data += size;
     }
 
     /* Spurious data on the end */
-    if (data != d + n)
+    if (PACKET_remaining(pkt) != 0)
         goto err;
 
-    *p = data;
-
  ri_check:
 
     /* Need RI if renegotiating */
@@ -2316,12 +2324,11 @@ err:
     return 0;
 }
 
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
-                                 int n)
+int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
 {
     int al = -1;
     custom_ext_init(&s->cert->srv_ext);
-    if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) {
+    if (ssl_scan_clienthello_tlsext(s, pkt, &al) <= 0) {
         ssl3_send_alert(s, SSL3_AL_FATAL, al);
         return 0;
     }
@@ -2934,12 +2941,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
  *   Otherwise, s->tlsext_ticket_expected is set to 0.
  */
-int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-                        const unsigned char *limit, SSL_SESSION **ret)
+int tls1_process_ticket(SSL *s, PACKET *pkt,  unsigned char *session_id,
+                        int len, SSL_SESSION **ret)
 {
-    /* Point after session ID in client hello */
-    const unsigned char *p = session_id + len;
-    unsigned short i;
+    unsigned int i;
+    size_t bookmark = 0;
+    int retv = -1;
 
     *ret = NULL;
     s->tlsext_ticket_expected = 0;
@@ -2950,46 +2957,60 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
      */
     if (!tls_use_ticket(s))
         return 0;
-    if ((s->version <= SSL3_VERSION) || !limit)
+    if ((s->version <= SSL3_VERSION))
         return 0;
-    if (p >= limit)
+
+    if (!PACKET_get_bookmark(pkt, &bookmark)) {
         return -1;
+    }
+
     /* Skip past DTLS cookie */
     if (SSL_IS_DTLS(s)) {
-        i = *(p++);
-        p += i;
-        if (p >= limit)
-            return -1;
+        if (!PACKET_get_1(pkt, &i)
+                || !PACKET_forward(pkt, i)) {
+            retv = -1;
+            goto end;
+        }
     }
-    /* Skip past cipher list */
-    n2s(p, i);
-    p += i;
-    if (p >= limit)
-        return -1;
-    /* Skip past compression algorithm list */
-    i = *(p++);
-    p += i;
-    if (p > limit)
-        return -1;
+    /* Skip past cipher list and compression algorithm list */
+    if (!PACKET_get_net_2(pkt, &i)
+            || !PACKET_forward(pkt, i)
+            || !PACKET_get_1(pkt, &i)
+            || !PACKET_forward(pkt, i)) {
+        retv = -1;
+        goto end;
+    }
+
     /* Now at start of extensions */
-    if ((p + 2) >= limit)
-        return 0;
-    n2s(p, i);
-    while ((p + 4) <= limit) {
-        unsigned short type, size;
-        n2s(p, type);
-        n2s(p, size);
-        if (p + size > limit)
-            return 0;
+    if (!PACKET_get_net_2(pkt, &i)) {
+        retv = 0;
+        goto end;
+    }
+    while (PACKET_remaining (pkt) >= 4) {
+        unsigned int type, size;
+
+        if (!PACKET_get_net_2(pkt, &type)
+                || !PACKET_get_net_2(pkt, &size)) {
+            /* Shouldn't ever happen */
+            retv = -1;
+            goto end;
+        }
+        if (PACKET_remaining(pkt) < size) {
+            retv = 0;
+            goto end;
+        }
         if (type == TLSEXT_TYPE_session_ticket) {
             int r;
+            unsigned char *etick;
+
             if (size == 0) {
                 /*
                  * The client will accept a ticket but doesn't currently have
                  * one.
                  */
                 s->tlsext_ticket_expected = 1;
-                return 1;
+                retv = 1;
+                goto end;
             }
             if (s->tls_session_secret_cb) {
                 /*
@@ -2998,25 +3019,39 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                  * abbreviated handshake based on external mechanism to
                  * calculate the master secret later.
                  */
-                return 2;
+                retv = 2;
+                goto end;
             }
-            r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
+            if (!PACKET_get_bytes(pkt, &etick, size)) {
+                /* Shouldn't ever happen */
+                retv = -1;
+                goto end;
+            }
+            r = tls_decrypt_ticket(s, etick, size, session_id, len, ret);
             switch (r) {
             case 2:            /* ticket couldn't be decrypted */
                 s->tlsext_ticket_expected = 1;
-                return 2;
+                retv = 2;
+                break;
             case 3:            /* ticket was decrypted */
-                return r;
+                retv = r;
+                break;
             case 4:            /* ticket decrypted but need to renew */
                 s->tlsext_ticket_expected = 1;
-                return 3;
+                retv = 3;
+                break;
             default:           /* fatal error */
-                return -1;
+                retv = -1;
+                break;
             }
+            goto end;
         }
-        p += size;
     }
-    return 0;
+    retv = 0;
+end:
+    if (!PACKET_goto_bookmark(pkt, bookmark))
+        return -1;
+    return retv;
 }
 
 /*-
diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c
index b9a35c7..22a71fe 100644
--- a/ssl/t1_reneg.c
+++ b/ssl/t1_reneg.c
@@ -143,23 +143,14 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
 /*
  * Parse the client's renegotiation binding and abort if it's not right
  */
-int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
-                                          int *al)
+int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
 {
-    int ilen;
+    unsigned int ilen;
+    unsigned char *d;
 
     /* Parse the length byte */
-    if (len < 1) {
-        SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
-               SSL_R_RENEGOTIATION_ENCODING_ERR);
-        *al = SSL_AD_ILLEGAL_PARAMETER;
-        return 0;
-    }
-    ilen = *d;
-    d++;
-
-    /* Consistency check */
-    if ((ilen + 1) != len) {
+    if (!PACKET_get_1(pkt, &ilen)
+            || !PACKET_get_bytes(pkt, &d, ilen)) {
         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,
                SSL_R_RENEGOTIATION_ENCODING_ERR);
         *al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/test/Makefile b/test/Makefile
index 2e699dc..f49dc76 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -70,6 +70,7 @@ HEARTBEATTEST=  heartbeat_test
 CONSTTIMETEST=  constant_time_test
 VERIFYEXTRATEST=	verify_extra_test
 CLIENTHELLOTEST=	clienthellotest
+PACKETTEST=	packettest
 
 TESTS=		alltests
 
@@ -87,7 +88,7 @@ EXE=	$(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT)  $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)
 	$(SRPTEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) \
 	$(HEARTBEATTEST)$(EXE_EXT) $(P5_CRPT2_TEST)$(EXE_EXT) \
 	$(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \
-	$(CLIENTHELLOTEST)$(EXE_EXT)
+	$(CLIENTHELLOTEST)$(EXE_EXT) $(PACKETTEST)$(EXE_EXT)
 
 # $(METHTEST)$(EXE_EXT)
 
@@ -101,7 +102,8 @@ OBJ=	$(BNTEST).o $(ECTEST).o  $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \
 	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o \
 	$(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(V3NAMETEST).o \
 	$(GOST2814789TEST).o $(HEARTBEATTEST).o $(P5_CRPT2_TEST).o \
-	$(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o testutil.o
+	$(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \
+	$(PACKETTEST).o testutil.o
 
 SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
 	$(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \
@@ -112,7 +114,8 @@ SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
 	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c \
 	$(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(V3NAMETEST).c \
 	$(GOST2814789TEST).c $(HEARTBEATTEST).c $(P5_CRPT2_TEST).c \
-	$(CONSTTIMETEST).c $(VERIFYEXTRATEST).c $(CLIENTHELLOTEST).c testutil.c
+	$(CONSTTIMETEST).c $(VERIFYEXTRATEST).c $(CLIENTHELLOTEST).c \
+	$(PACKETTEST).c testutil.c
 
 HEADER=	testutil.h
 
@@ -153,7 +156,7 @@ alltests: \
 	test_ige test_jpake test_secmem \
 	test_srp test_cms test_v3name test_ocsp \
 	test_gost2814789 test_heartbeat test_p5_crpt2 \
-	test_constant_time test_verify_extra test_clienthello
+	test_constant_time test_verify_extra test_clienthello test_packet
 
 test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
 	@echo $(START) $@
@@ -410,6 +413,10 @@ test_clienthello: $(CLIENTHELLOTEST)$(EXE_EXT)
 	@echo $(START) $@
 	../util/shlib_wrap.sh ./$(CLIENTHELLOTEST)
 
+test_packet: $(PACKETTEST)$(EXE_EXT)
+	@echo $(START) $@
+	../util/shlib_wrap.sh ./$(PACKETTEST)
+
 update: local_depend
 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
@@ -603,6 +610,9 @@ $(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
 $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
 	@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
 
+$(PACKETTEST)$(EXE_EXT): $(PACKETTEST).o
+	@target=$(PACKETTEST) $(BUILD_CMD)
+
 #$(AESTEST).o: $(AESTEST).c
 #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
 
@@ -774,14 +784,15 @@ gost2814789test.o: ../include/openssl/sha.h ../include/openssl/stack.h
 gost2814789test.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
 gost2814789test.o: ../include/openssl/x509_vfy.h gost2814789test.c
 heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
-heartbeat_test.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-heartbeat_test.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-heartbeat_test.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
-heartbeat_test.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-heartbeat_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-heartbeat_test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+heartbeat_test.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+heartbeat_test.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+heartbeat_test.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
+heartbeat_test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+heartbeat_test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+heartbeat_test.o: ../include/openssl/err.h ../include/openssl/evp.h
+heartbeat_test.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
+heartbeat_test.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+heartbeat_test.o: ../include/openssl/opensslconf.h
 heartbeat_test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 heartbeat_test.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 heartbeat_test.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
@@ -791,8 +802,8 @@ heartbeat_test.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 heartbeat_test.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 heartbeat_test.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 heartbeat_test.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-heartbeat_test.o: ../ssl/record/record.h ../ssl/ssl_locl.h heartbeat_test.c
-heartbeat_test.o: testutil.h
+heartbeat_test.o: ../ssl/packet_locl.h ../ssl/record/record.h ../ssl/ssl_locl.h
+heartbeat_test.o: heartbeat_test.c testutil.h
 hmactest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 hmactest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
@@ -846,6 +857,12 @@ p5_crpt2_test.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
 p5_crpt2_test.o: ../include/openssl/sha.h ../include/openssl/stack.h
 p5_crpt2_test.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
 p5_crpt2_test.o: ../include/openssl/x509_vfy.h p5_crpt2_test.c
+packettest.o: ../e_os.h ../include/openssl/bn.h ../include/openssl/buffer.h
+packettest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+packettest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+packettest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
+packettest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+packettest.o: ../ssl/packet_locl.h packettest.c
 randtest.o: ../e_os.h ../include/openssl/e_os2.h
 randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h
 randtest.o: ../include/openssl/rand.h randtest.c
@@ -899,8 +916,8 @@ ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssltest.o: ../include/openssl/x509v3.h ../ssl/record/record.h ../ssl/ssl_locl.h
-ssltest.o: ssltest.c
+ssltest.o: ../include/openssl/x509v3.h ../ssl/packet_locl.h
+ssltest.o: ../ssl/record/record.h ../ssl/ssl_locl.h ssltest.c
 testutil.o: ../e_os.h ../include/openssl/e_os2.h
 testutil.o: ../include/openssl/opensslconf.h testutil.c testutil.h
 v3nametest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
diff --git a/test/packettest.c b/test/packettest.c
new file mode 100644
index 0000000..92181e6
--- /dev/null
+++ b/test/packettest.c
@@ -0,0 +1,317 @@
+/* test/packettest.c */
+/*
+ * Written by Matt Caswell for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+
+#include "../ssl/packet_locl.h"
+
+#define BUF_LEN 255
+
+static int test_PACKET_remaining(PACKET *pkt)
+{
+    if (        PACKET_remaining(pkt) != BUF_LEN
+            || !PACKET_forward(pkt, BUF_LEN - 1)
+            ||  PACKET_remaining(pkt) != 1
+            || !PACKET_forward(pkt, 1)
+            ||  PACKET_remaining(pkt)) {
+        fprintf(stderr, "test_PACKET_remaining() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_1(PACKET *pkt, size_t start)
+{
+    unsigned int i;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_1(pkt, &i)
+            ||  i != 0x01
+            || !PACKET_forward(pkt, BUF_LEN - 2)
+            || !PACKET_get_1(pkt, &i)
+            ||  i != 0xff
+            ||  PACKET_get_1(pkt, &i)) {
+        fprintf(stderr, "test_PACKET_get_1() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_4(PACKET *pkt, size_t start)
+{
+    unsigned long i;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_4(pkt, &i)
+            ||  i != 0x04030201UL
+            || !PACKET_forward(pkt, BUF_LEN - 8)
+            || !PACKET_get_4(pkt, &i)
+            ||  i != 0xfffefdfcUL
+            ||  PACKET_get_4(pkt, &i)) {
+        fprintf(stderr, "test_PACKET_get_4() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_net_2(PACKET *pkt, size_t start)
+{
+    unsigned int i;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_net_2(pkt, &i)
+            ||  i != 0x0102
+            || !PACKET_forward(pkt, BUF_LEN - 4)
+            || !PACKET_get_net_2(pkt, &i)
+            ||  i != 0xfeff
+            ||  PACKET_get_net_2(pkt, &i)) {
+        fprintf(stderr, "test_PACKET_get_net_2() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_net_3(PACKET *pkt, size_t start)
+{
+    unsigned long i;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_net_3(pkt, &i)
+            ||  i != 0x010203UL
+            || !PACKET_forward(pkt, BUF_LEN - 6)
+            || !PACKET_get_net_3(pkt, &i)
+            ||  i != 0xfdfeffUL
+            ||  PACKET_get_net_3(pkt, &i)) {
+        fprintf(stderr, "test_PACKET_get_net_3() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_net_4(PACKET *pkt, size_t start)
+{
+    unsigned long i;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_net_4(pkt, &i)
+            ||  i != 0x01020304UL
+            || !PACKET_forward(pkt, BUF_LEN - 8)
+            || !PACKET_get_net_4(pkt, &i)
+            ||  i != 0xfcfdfeffUL
+            ||  PACKET_get_net_4(pkt, &i)) {
+        fprintf(stderr, "test_PACKET_get_net_4() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_sub_packet(PACKET *pkt, size_t start)
+{
+    PACKET subpkt;
+    unsigned long i;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_sub_packet(pkt, &subpkt, 4)
+            || !PACKET_get_net_4(&subpkt, &i)
+            ||  i != 0x01020304UL
+            ||  PACKET_remaining(&subpkt)
+            || !PACKET_forward(pkt, BUF_LEN - 8)
+            || !PACKET_get_sub_packet(pkt, &subpkt, 4)
+            || !PACKET_get_net_4(&subpkt, &i)
+            ||  i != 0xfcfdfeffUL
+            ||  PACKET_remaining(&subpkt)
+            ||  PACKET_get_sub_packet(pkt, &subpkt, 4)) {
+        fprintf(stderr, "test_PACKET_get_sub_packet() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_bytes(PACKET *pkt, size_t start)
+{
+    unsigned char *bytes;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_get_bytes(pkt, &bytes, 4)
+            ||  bytes[0] != 1 || bytes[1] != 2
+            ||  bytes[2] != 3 || bytes[3] != 4
+            ||  PACKET_remaining(pkt) != BUF_LEN -4
+            || !PACKET_forward(pkt, BUF_LEN - 8)
+            || !PACKET_get_bytes(pkt, &bytes, 4)
+            ||  bytes[0] != 0xfc || bytes[1] != 0xfd
+            ||  bytes[2] != 0xfe || bytes[3] != 0xff
+            ||  PACKET_remaining(pkt)) {
+        fprintf(stderr, "test_PACKET_get_bytes() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_copy_bytes(PACKET *pkt, size_t start)
+{
+    unsigned char bytes[4];
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            || !PACKET_copy_bytes(pkt, bytes, 4)
+            ||  bytes[0] != 1 || bytes[1] != 2
+            ||  bytes[2] != 3 || bytes[3] != 4
+            ||  PACKET_remaining(pkt) != BUF_LEN - 4
+            || !PACKET_forward(pkt, BUF_LEN - 8)
+            || !PACKET_copy_bytes(pkt, bytes, 4)
+            ||  bytes[0] != 0xfc || bytes[1] != 0xfd
+            ||  bytes[2] != 0xfe || bytes[3] != 0xff
+            ||  PACKET_remaining(pkt)) {
+        fprintf(stderr, "test_PACKET_copy_bytes() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_move_funcs(PACKET *pkt, size_t start)
+{
+    unsigned char *byte;
+    size_t bm;
+
+    if (       !PACKET_goto_bookmark(pkt, start)
+            ||  PACKET_back(pkt, 1)
+            || !PACKET_forward(pkt, 1)
+            || !PACKET_get_bytes(pkt, &byte, 1)
+            ||  byte[0] != 2
+            || !PACKET_get_bookmark(pkt, &bm)
+            || !PACKET_forward(pkt, BUF_LEN - 2)
+            ||  PACKET_forward(pkt, 1)
+            || !PACKET_back(pkt, 1)
+            || !PACKET_get_bytes(pkt, &byte, 1)
+            ||  byte[0] != 0xff
+            || !PACKET_goto_bookmark(pkt, bm)
+            || !PACKET_get_bytes(pkt, &byte, 1)
+            ||  byte[0] != 3) {
+        fprintf(stderr, "test_PACKET_move_funcs() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_buf_init()
+{
+    unsigned char buf[BUF_LEN];
+    size_t len;
+    PACKET pkt;
+
+    /* Also tests PACKET_get_len() */
+    if (       !PACKET_buf_init(&pkt, buf, 4)
+            || !PACKET_length(&pkt, &len)
+            ||  len != 4
+            || !PACKET_buf_init(&pkt, buf, BUF_LEN)
+            || !PACKET_length(&pkt, &len)
+            ||  len != BUF_LEN
+            ||  pkt.end - pkt.start != BUF_LEN
+            ||  pkt.end < pkt.start
+            ||  pkt.curr < pkt.start
+            ||  pkt.curr > pkt.end
+            ||  PACKET_buf_init(&pkt, buf, -1)) {
+        fprintf(stderr, "test_PACKET_buf_init() failed\n");
+        return 0;
+        }
+
+    return 1;
+}
+
+int main(int argc, char **argv)
+{
+    unsigned char buf[BUF_LEN];
+    unsigned int i;
+    size_t start = 0;
+    PACKET pkt;
+
+    for (i=1; i<=BUF_LEN; i++) {
+        buf[i-1] = i;
+    }
+    i = 0;
+
+    if (       !PACKET_buf_init(&pkt, buf, BUF_LEN)
+            || !PACKET_get_bookmark(&pkt, &start)) {
+        fprintf(stderr, "setup failed\n");
+        return 0;
+    }
+
+    if (       !test_PACKET_buf_init()
+            || !test_PACKET_remaining(&pkt)
+            || !test_PACKET_get_1(&pkt, start)
+            || !test_PACKET_get_4(&pkt, start)
+            || !test_PACKET_get_net_2(&pkt, start)
+            || !test_PACKET_get_net_3(&pkt, start)
+            || !test_PACKET_get_net_4(&pkt, start)
+            || !test_PACKET_get_sub_packet(&pkt, start)
+            || !test_PACKET_get_bytes(&pkt, start)
+            || !test_PACKET_copy_bytes(&pkt, start)
+            || !test_PACKET_move_funcs(&pkt, start)) {
+        return 1;
+    }
+    printf("PASS\n");
+    return 0;
+}

From matt at openssl.org  Mon Aug  3 12:02:37 2015
From: matt at openssl.org (Matt Caswell)
Date: Mon, 03 Aug 2015 12:02:37 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438603357.145033.24816.nullmailer@dev.openssl.org>

The branch master has been updated
       via  496dbe1855b486c39f42d673d56924d5f9ae3c78 (commit)
       via  e9f6b9a1a5ba9feaeeef88d9f45508996ce43468 (commit)
       via  c69f2adf71d888ba1a2090ec0be3319eb024efe3 (commit)
       via  657da85eea3a5825b2dd25ff25b99ec206c48136 (commit)
      from  9ceb2426b0a7972434a49a34e78bdcc6437e04ad (commit)


- Log -----------------------------------------------------------------
commit 496dbe1855b486c39f42d673d56924d5f9ae3c78
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jul 30 11:14:44 2015 +0100

    Fix make errors for the CCS changes
    
    The move of CCS into the state machine was causing make errors to fail. This
    fixes it.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit e9f6b9a1a5ba9feaeeef88d9f45508996ce43468
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 30 11:30:44 2015 +0100

    Fix ssl3_read_bytes handshake fragment bug
    
    The move of CCS into the state machine introduced a bug in ssl3_read_bytes.
    The value of |recvd_type| was not being set if we are satisfying the request
    from handshake fragment storage. This can occur, for example, with
    renegotiation and causes the handshake to fail.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit c69f2adf71d888ba1a2090ec0be3319eb024efe3
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 2 11:33:07 2015 +0100

    Move DTLS CCS processing into the state machine
    
    Continuing on from the previous commit this moves the processing of DTLS
    CCS messages out of the record layer and into the state machine.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 657da85eea3a5825b2dd25ff25b99ec206c48136
Author: Matt Caswell <matt at openssl.org>
Date:   Mon May 11 09:35:41 2015 +0100

    Move TLS CCS processing into the state machine
    
    The handling of incoming CCS records is a little strange. Since CCS is not
    a handshake message it is handled differently to normal handshake messages.
    Unfortunately whilst technically it is not a handhshake message the reality
    is that it must be processed in accordance with the state of the handshake.
    Currently CCS records are processed entirely within the record layer. In
    order to ensure that it is handled in accordance with the handshake state
    a flag is used to indicate that it is an acceptable time to receive a CCS.
    
    Previously this flag did not exist (see CVE-2014-0224), but the flag should
    only really be considered a workaround for the problem that CCS is not
    visible to the state machine.
    
    Outgoing CCS messages are already handled within the state machine.
    
    This patch makes CCS visible to the TLS state machine. A separate commit
    will handle DTLS.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 include/openssl/ssl.h     |   1 +
 include/openssl/ssl3.h    |   8 ++--
 ssl/d1_both.c             |  69 ++++++++++++++++++++++++++-----
 ssl/d1_clnt.c             |  19 ++++++---
 ssl/d1_srvr.c             |  31 +++++++-------
 ssl/record/rec_layer_d1.c |  73 ++++++++-------------------------
 ssl/record/rec_layer_s3.c |  86 ++++++++++++++++++---------------------
 ssl/record/record.h       |   6 ++-
 ssl/s3_both.c             | 101 ++++++++++++++++++++++++++++++++++++++++++++--
 ssl/s3_clnt.c             |  46 ++++++++++-----------
 ssl/s3_lib.c              |   8 ++--
 ssl/s3_srvr.c             |  69 ++++++++++---------------------
 ssl/ssl_err.c             |   2 +
 ssl/ssl_locl.h            |  10 ++---
 14 files changed, 301 insertions(+), 228 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 6b6560d..06ac5c1 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1943,6 +1943,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
 # define SSL_F_SSL3_GET_CERT_STATUS                       289
 # define SSL_F_SSL3_GET_CERT_VERIFY                       136
+# define SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC                349
 # define SSL_F_SSL3_GET_CLIENT_CERTIFICATE                137
 # define SSL_F_SSL3_GET_CLIENT_HELLO                      138
 # define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE               139
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 43df925..ec339de 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -365,11 +365,6 @@ extern "C" {
 # define TLS1_FLAGS_TLS_PADDING_BUG              0x0
 
 # define TLS1_FLAGS_SKIP_CERT_VERIFY             0x0010
-/*
- * Set when the handshake is ready to process peer's ChangeCipherSpec message.
- * Cleared after the message has been processed.
- */
-# define SSL3_FLAGS_CCS_OK                       0x0080
 
 /* Set if we encrypt then mac instead of usual mac then encrypt */
 # define TLS1_FLAGS_ENCRYPT_THEN_MAC             0x0100
@@ -499,6 +494,9 @@ extern "C" {
 # endif
 # define DTLS1_MT_HELLO_VERIFY_REQUEST    3
 
+/* Dummy message type for handling CCS like a normal handshake message */
+# define SSL3_MT_CHANGE_CIPHER_SPEC              0x0101
+
 # define SSL3_MT_CCS                             1
 
 /* These are used when changing over to a new cipher */
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 155b8bf..ec47b94 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -160,8 +160,8 @@ static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
                                          unsigned short seq_num,
                                          unsigned long frag_off,
                                          unsigned long frag_len);
-static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max,
-                                       int *ok);
+static long dtls1_get_message_fragment(SSL *s, int st1, int stn, int mt,
+                                       long max, int *ok);
 
 static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
                                           int reassembly)
@@ -470,7 +470,7 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
     memset(msg_hdr, 0, sizeof(*msg_hdr));
 
  again:
-    i = dtls1_get_message_fragment(s, st1, stn, max, ok);
+    i = dtls1_get_message_fragment(s, st1, stn, mt, max, ok);
     if (i == DTLS1_HM_BAD_FRAGMENT || i == DTLS1_HM_FRAGMENT_RETRY) {
         /* bad fragment received */
         goto again;
@@ -485,6 +485,20 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
     }
 
     p = (unsigned char *)s->init_buf->data;
+
+    if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+        if (s->msg_callback) {
+            s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
+                            p, 1, s, s->msg_callback_arg);
+        }
+        /*
+         * This isn't a real handshake message so skip the processing below.
+         * dtls1_get_message_fragment() will never return a CCS if mt == -1,
+         * so we are ok to continue in that case.
+         */
+        return i;
+    }
+
     msg_len = msg_hdr->msg_len;
 
     /* reconstruct message header */
@@ -679,7 +693,7 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok)
         unsigned char devnull[256];
 
         while (frag_len) {
-            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
                                           devnull,
                                           frag_len >
                                           sizeof(devnull) ? sizeof(devnull) :
@@ -692,7 +706,7 @@ dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok)
     }
 
     /* read the body of the fragment (header has already been read */
-    i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+    i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
                                   frag->fragment + msg_hdr->frag_off,
                                   frag_len, 0);
     if ((unsigned long)i != frag_len)
@@ -775,7 +789,7 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr,
         unsigned char devnull[256];
 
         while (frag_len) {
-            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
                                           devnull,
                                           frag_len >
                                           sizeof(devnull) ? sizeof(devnull) :
@@ -801,7 +815,7 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr,
             /*
              * read the body of the fragment (header has already been read
              */
-            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+            i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
                                           frag->fragment, frag_len, 0);
             if ((unsigned long)i != frag_len)
                 i = -1;
@@ -835,11 +849,11 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr,
 }
 
 static long
-dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+dtls1_get_message_fragment(SSL *s, int st1, int stn, int mt, long max, int *ok)
 {
     unsigned char wire[DTLS1_HM_HEADER_LENGTH];
     unsigned long len, frag_off, frag_len;
-    int i, al;
+    int i, al, recvd_type;
     struct hm_header_st msg_hdr;
 
  redo:
@@ -851,13 +865,46 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
     }
 
     /* read handshake message header */
-    i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
+    i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire,
                                   DTLS1_HM_HEADER_LENGTH, 0);
     if (i <= 0) {               /* nbio, or an error */
         s->rwstate = SSL_READING;
         *ok = 0;
         return i;
     }
+    if(recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
+        /* This isn't a real handshake message - its a CCS.
+         * There is no message sequence number in a CCS to give us confidence
+         * that this was really intended to be at this point in the handshake
+         * sequence. Therefore we only allow this if we were explicitly looking
+         * for it (i.e. if |mt| is -1 we still don't allow it).
+         */
+        if(mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+            if (wire[0] != SSL3_MT_CCS) {
+                al = SSL_AD_UNEXPECTED_MESSAGE;
+                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                goto f_err;
+            }
+
+            memcpy(s->init_buf->data, wire, i);
+            s->init_num = i - 1;
+            s->init_msg = s->init_buf->data + 1;
+            s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC;
+            s->s3->tmp.message_size = i - 1;
+            s->state = stn;
+            *ok = 1;
+            return i-1;
+        } else {
+            /*
+             * We weren't expecting a CCS yet. Probably something got
+             * re-ordered or this is a retransmit. We should drop this and try
+             * again.
+             */
+            s->init_num = 0;
+            goto redo;
+        }
+    }
+
     /* Handshake fails if message header is incomplete */
     if (i != DTLS1_HM_HEADER_LENGTH) {
         al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -926,7 +973,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
         unsigned char *p =
             (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
 
-        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
                                       &p[frag_off], frag_len, 0);
 
         /*
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index fde0def..566c154 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -271,7 +271,6 @@ int dtls1_connect(SSL *s)
             memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
             s->d1->send_cookie = 0;
             s->hit = 0;
-            s->d1->change_cipher_spec_ok = 0;
             /*
              * Should have been reset by ssl3_get_finished, too.
              */
@@ -376,7 +375,7 @@ int dtls1_connect(SSL *s)
                              sizeof(sctpauthkey), sctpauthkey);
 #endif
 
-                    s->state = SSL3_ST_CR_FINISHED_A;
+                    s->state = SSL3_ST_CR_CHANGE_A;
                 } else
                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
             }
@@ -628,7 +627,7 @@ int dtls1_connect(SSL *s)
                 if (s->tlsext_ticket_expected)
                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                 else
-                    s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
+                    s->s3->tmp.next_state = SSL3_ST_CR_CHANGE_A;
             }
             s->init_num = 0;
             break;
@@ -638,7 +637,7 @@ int dtls1_connect(SSL *s)
             ret = ssl3_get_new_session_ticket(s);
             if (ret <= 0)
                 goto end;
-            s->state = SSL3_ST_CR_FINISHED_A;
+            s->state = SSL3_ST_CR_CHANGE_A;
             s->init_num = 0;
             break;
 
@@ -651,9 +650,19 @@ int dtls1_connect(SSL *s)
             s->init_num = 0;
             break;
 
+        case SSL3_ST_CR_CHANGE_A:
+        case SSL3_ST_CR_CHANGE_B:
+            ret = ssl3_get_change_cipher_spec(s, SSL3_ST_CR_CHANGE_A,
+                                              SSL3_ST_CR_CHANGE_B);
+            if (ret <= 0)
+                goto end;
+
+            s->state = SSL3_ST_CR_FINISHED_A;
+            s->init_num = 0;
+            break;
+
         case SSL3_ST_CR_FINISHED_A:
         case SSL3_ST_CR_FINISHED_B:
-            s->d1->change_cipher_spec_ok = 1;
             ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
                                     SSL3_ST_CR_FINISHED_B);
             if (ret <= 0)
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 7a40d66..19562e1 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -257,7 +257,6 @@ int dtls1_accept(SSL *s)
             }
 
             s->init_num = 0;
-            s->d1->change_cipher_spec_ok = 0;
             /*
              * Should have been reset by ssl3_get_finished, too.
              */
@@ -378,7 +377,7 @@ int dtls1_accept(SSL *s)
                 goto end;
             }
 
-            s->state = SSL3_ST_SR_FINISHED_A;
+            s->state = SSL3_ST_SR_CHANGE_A;
             break;
 
         case DTLS1_SCTP_ST_SW_WRITE_SOCK:
@@ -624,7 +623,7 @@ int dtls1_accept(SSL *s)
                  * pub key in a certificate, the CertificateVerify message is
                  * not sent.
                  */
-                s->state = SSL3_ST_SR_FINISHED_A;
+                s->state = SSL3_ST_SR_CHANGE_A;
                 s->init_num = 0;
             } else if (SSL_USE_SIGALGS(s)) {
                 s->state = SSL3_ST_SR_CERT_VRFY_A;
@@ -675,23 +674,23 @@ int dtls1_accept(SSL *s)
                 s->state = DTLS1_SCTP_ST_SR_READ_SOCK;
             else
 #endif
-                s->state = SSL3_ST_SR_FINISHED_A;
+                s->state = SSL3_ST_SR_CHANGE_A;
+            s->init_num = 0;
+            break;
+
+        case SSL3_ST_SR_CHANGE_A:
+        case SSL3_ST_SR_CHANGE_B:
+            ret = ssl3_get_change_cipher_spec(s, SSL3_ST_SR_CHANGE_A,
+                                              SSL3_ST_SR_CHANGE_B);
+            if (ret <= 0)
+                goto end;
+
+            s->state = SSL3_ST_SR_FINISHED_A;
             s->init_num = 0;
             break;
 
         case SSL3_ST_SR_FINISHED_A:
         case SSL3_ST_SR_FINISHED_B:
-            /*
-             * Enable CCS. Receiving a CCS clears the flag, so make
-             * sure not to re-enable it to ban duplicates. This *should* be the
-             * first time we have received one - but we check anyway to be
-             * cautious.
-             * s->s3->change_cipher_spec is set when a CCS is
-             * processed in d1_pkt.c, and remains set until
-             * the client's Finished message is read.
-             */
-            if (!s->s3->change_cipher_spec)
-                s->d1->change_cipher_spec_ok = 1;
             ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
                                     SSL3_ST_SR_FINISHED_B);
             if (ret <= 0)
@@ -779,7 +778,7 @@ int dtls1_accept(SSL *s)
                 goto end;
             s->state = SSL3_ST_SW_FLUSH;
             if (s->hit) {
-                s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
+                s->s3->tmp.next_state = SSL3_ST_SR_CHANGE_A;
 
 #ifndef OPENSSL_NO_SCTP
                 /*
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 52ef8f0..3da4f11 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -379,8 +379,9 @@ int dtls1_process_buffered_records(SSL *s)
  * (possibly multiple records if we still don't have anything to return).
  *
  * This function must handle any surprises the peer may have for us, such as
- * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
- * a surprise, but handled as if it were), or renegotiation requests.
+ * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
+ * messages are treated as if they were handshake messages *if* the |recd_type|
+ * argument is non NULL.
  * Also if record payloads contain fragments too small to process, we store
  * them until there is enough for the respective protocol (the record protocol
  * may use arbitrary fragmentation and even interleaving):
@@ -395,7 +396,8 @@ int dtls1_process_buffered_records(SSL *s)
  *     Application data protocol
  *             none of our business
  */
-int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
+                     int len, int peek)
 {
     int al, i, j, ret;
     unsigned int n;
@@ -537,9 +539,14 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         return (0);
     }
 
-    if (type == SSL3_RECORD_get_type(rr)) {
-        /* SSL3_RT_APPLICATION_DATA or
-         * SSL3_RT_HANDSHAKE */
+    if (type == SSL3_RECORD_get_type(rr)
+            || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
+                && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
+        /*
+         * SSL3_RT_APPLICATION_DATA or
+         * SSL3_RT_HANDSHAKE or
+         * SSL3_RT_CHANGE_CIPHER_SPEC
+         */
         /*
          * make sure that we are not getting application data when we are
          * doing a handshake for the first time
@@ -551,6 +558,9 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
             goto f_err;
         }
 
+        if (recvd_type != NULL)
+            *recvd_type = SSL3_RECORD_get_type(rr);
+
         if (len <= 0)
             return (len);
 
@@ -857,59 +867,11 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
     }
 
     if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
-        unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
-
-        if (s->version == DTLS1_BAD_VER)
-            ccs_hdr_len = 3;
-
-        /*
-         * 'Change Cipher Spec' is just a single byte, so we know exactly
-         * what the record payload has to look like
-         */
-        /* XDTLS: check that epoch is consistent */
-        if ((SSL3_RECORD_get_length(rr) != ccs_hdr_len)
-                || (SSL3_RECORD_get_off(rr) != 0)
-                || (SSL3_RECORD_get_data(rr)[0] != SSL3_MT_CCS)) {
-            i = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC);
-            goto err;
-        }
-
-        SSL3_RECORD_set_length(rr, 0);
-
-        if (s->msg_callback)
-            s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
-                SSL3_RECORD_get_data(rr), 1, s, s->msg_callback_arg);
-
         /*
          * We can't process a CCS now, because previous handshake messages
          * are still missing, so just drop it.
          */
-        if (!s->d1->change_cipher_spec_ok) {
-            goto start;
-        }
-
-        s->d1->change_cipher_spec_ok = 0;
-
-        s->s3->change_cipher_spec = 1;
-        if (!ssl3_do_change_cipher_spec(s))
-            goto err;
-
-        /* do this whenever CCS is processed */
-        dtls1_reset_seq_numbers(s, SSL3_CC_READ);
-
-        if (s->version == DTLS1_BAD_VER)
-            s->d1->handshake_read_seq++;
-
-#ifndef OPENSSL_NO_SCTP
-        /*
-         * Remember that a CCS has been received, so that an old key of
-         * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
-         * SCTP is used
-         */
-        BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
-#endif
-
+        SSL3_RECORD_set_length(rr, 0);
         goto start;
     }
 
@@ -1025,7 +987,6 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
  f_err:
     ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
     return (-1);
 }
 
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index d6e922c..8a9e303 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -955,8 +955,9 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
  * (possibly multiple records if we still don't have anything to return).
  *
  * This function must handle any surprises the peer may have for us, such as
- * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
- * a surprise, but handled as if it were), or renegotiation requests.
+ * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
+ * messages are treated as if they were handshake messages *if* the |recd_type|
+ * argument is non NULL.
  * Also if record payloads contain fragments too small to process, we store
  * them until there is enough for the respective protocol (the record protocol
  * may use arbitrary fragmentation and even interleaving):
@@ -971,7 +972,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
  *     Application data protocol
  *             none of our business
  */
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
+                    int len, int peek)
 {
     int al, i, j, ret;
     unsigned int n;
@@ -1010,6 +1012,10 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         /* move any remaining fragment bytes: */
         for (k = 0; k < s->rlayer.handshake_fragment_len; k++)
             s->rlayer.handshake_fragment[k] = *src++;
+
+        if (recvd_type != NULL)
+            *recvd_type = SSL3_RT_HANDSHAKE;
+
         return n;
     }
 
@@ -1066,9 +1072,14 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
         return (0);
     }
 
-    if (type == SSL3_RECORD_get_type(rr)) {
-        /* SSL3_RT_APPLICATION_DATA or
-         * SSL3_RT_HANDSHAKE */
+    if (type == SSL3_RECORD_get_type(rr)
+            || (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
+                && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
+        /*
+         * SSL3_RT_APPLICATION_DATA or
+         * SSL3_RT_HANDSHAKE or
+         * SSL3_RT_CHANGE_CIPHER_SPEC
+         */
         /*
          * make sure that we are not getting application data when we are
          * doing a handshake for the first time
@@ -1080,6 +1091,17 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
             goto f_err;
         }
 
+        if (type == SSL3_RT_HANDSHAKE
+                && SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC
+                && s->rlayer.handshake_fragment_len > 0) {
+            al = SSL_AD_UNEXPECTED_MESSAGE;
+            SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
+            goto f_err;
+        }
+
+        if (recvd_type != NULL)
+            *recvd_type = SSL3_RECORD_get_type(rr);
+
         if (len <= 0)
             return (len);
 
@@ -1105,9 +1127,16 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
     /*
      * If we get here, then type != rr->type; if we have a handshake message,
-     * then it was unexpected (Hello Request or Client Hello).
+     * then it was unexpected (Hello Request or Client Hello) or invalid (we
+     * were actually expecting a CCS).
      */
 
+    if (rr->type == SSL3_RT_HANDSHAKE && type == SSL3_RT_CHANGE_CIPHER_SPEC) {
+        al = SSL_AD_UNEXPECTED_MESSAGE;
+        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_MESSAGE);
+        goto f_err;
+    }
+
     /*
      * Lets just double check that we've not got an SSLv2 record
      */
@@ -1344,45 +1373,9 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
     }
 
     if (SSL3_RECORD_get_type(rr) == SSL3_RT_CHANGE_CIPHER_SPEC) {
-        /*
-         * 'Change Cipher Spec' is just a single byte, so we know exactly
-         * what the record payload has to look like
-         */
-        if ((SSL3_RECORD_get_length(rr) != 1)
-            || (SSL3_RECORD_get_off(rr) != 0)
-            || (SSL3_RECORD_get_data(rr)[0] != SSL3_MT_CCS)) {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC);
-            goto f_err;
-        }
-
-        /* Check we have a cipher to change to */
-        if (s->s3->tmp.new_cipher == NULL) {
-            al = SSL_AD_UNEXPECTED_MESSAGE;
-            SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
-            goto f_err;
-        }
-
-        if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) {
-            al = SSL_AD_UNEXPECTED_MESSAGE;
-            SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
-            goto f_err;
-        }
-
-        s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-
-        SSL3_RECORD_set_length(rr, 0);
-
-        if (s->msg_callback)
-            s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
-                            SSL3_RECORD_get_data(rr), 1, s,
-                            s->msg_callback_arg);
-
-        s->s3->change_cipher_spec = 1;
-        if (!ssl3_do_change_cipher_spec(s))
-            goto err;
-        else
-            goto start;
+        al = SSL_AD_UNEXPECTED_MESSAGE;
+        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_CCS_RECEIVED_EARLY);
+        goto f_err;
     }
 
     /*
@@ -1477,7 +1470,6 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
  f_err:
     ssl3_send_alert(s, SSL3_AL_FATAL, al);
- err:
     return (-1);
 }
 
diff --git a/ssl/record/record.h b/ssl/record/record.h
index 6931bb4..5c8fead 100644
--- a/ssl/record/record.h
+++ b/ssl/record/record.h
@@ -331,7 +331,8 @@ __owur int ssl3_pending(const SSL *s);
 __owur int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
 __owur int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                          unsigned int len, int create_empty_fragment);
-__owur int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
+__owur int ssl3_read_bytes(SSL *s, int type, int *recvd_type,
+                           unsigned char *buf, int len, int peek);
 __owur int ssl3_setup_buffers(SSL *s);
 __owur int ssl3_enc(SSL *s, int send_data);
 __owur int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
@@ -345,7 +346,8 @@ void DTLS_RECORD_LAYER_clear(RECORD_LAYER *rl);
 void DTLS_RECORD_LAYER_set_saved_w_epoch(RECORD_LAYER *rl, unsigned short e);
 void DTLS_RECORD_LAYER_clear(RECORD_LAYER *rl);
 void DTLS_RECORD_LAYER_resync_write(RECORD_LAYER *rl);
-__owur int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
+__owur int dtls1_read_bytes(SSL *s, int type, int *recvd_type,
+                            unsigned char *buf, int len, int peek);
 __owur int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 __owur int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
                    unsigned int len, int create_empty_fragement);
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 17a8054..943cf73 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -228,6 +228,74 @@ static void ssl3_take_mac(SSL *s)
 }
 #endif
 
+int ssl3_get_change_cipher_spec(SSL *s, int a, int b)
+{
+    int ok, al;
+    long n;
+
+    n = s->method->ssl_get_message(s, a, b, SSL3_MT_CHANGE_CIPHER_SPEC, 1, &ok);
+
+    if (!ok)
+        return ((int)n);
+
+    /*
+     * 'Change Cipher Spec' is just a single byte, which should already have
+     * been consumed by ssl_get_message() so there should be no bytes left,
+     * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
+     */
+    if (SSL_IS_DTLS(s)) {
+        if ((s->version == DTLS1_BAD_VER && n != DTLS1_CCS_HEADER_LENGTH + 1)
+                    || (s->version != DTLS1_BAD_VER
+                        && n != DTLS1_CCS_HEADER_LENGTH - 1)) {
+                al = SSL_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC, SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                goto f_err;
+        }
+    } else {
+        if (n != 0) {
+            al = SSL_AD_ILLEGAL_PARAMETER;
+            SSLerr(SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC, SSL_R_BAD_CHANGE_CIPHER_SPEC);
+            goto f_err;
+        }
+    }
+
+    /* Check we have a cipher to change to */
+    if (s->s3->tmp.new_cipher == NULL) {
+        al = SSL_AD_UNEXPECTED_MESSAGE;
+        SSLerr(SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
+        goto f_err;
+    }
+
+    s->s3->change_cipher_spec = 1;
+    if (!ssl3_do_change_cipher_spec(s)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+        goto f_err;
+    }
+
+    if (SSL_IS_DTLS(s)) {
+        dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+
+        if (s->version == DTLS1_BAD_VER)
+            s->d1->handshake_read_seq++;
+
+#ifndef OPENSSL_NO_SCTP
+        /*
+         * Remember that a CCS has been received, so that an old key of
+         * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
+         * SCTP is used
+         */
+        BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
+#endif
+    }
+
+    return 1;
+ f_err:
+    ssl3_send_alert(s, SSL3_AL_FATAL, al);
+    return 0;
+}
+
+
 int ssl3_get_finished(SSL *s, int a, int b)
 {
     int al, i, ok;
@@ -345,7 +413,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
     unsigned char *p;
     unsigned long l;
     long n;
-    int i, al;
+    int i, al, recvd_type;
 
     if (s->s3->tmp.reuse_message) {
         s->s3->tmp.reuse_message = 0;
@@ -369,13 +437,38 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 
         do {
             while (s->init_num < SSL3_HM_HEADER_LENGTH) {
-                i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
+                i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
                     &p[s->init_num], SSL3_HM_HEADER_LENGTH - s->init_num, 0);
                 if (i <= 0) {
                     s->rwstate = SSL_READING;
                     *ok = 0;
                     return i;
                 }
+                if (s->init_num == 0
+                        && recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC
+                        && (mt < 0 || mt == SSL3_MT_CHANGE_CIPHER_SPEC)) {
+                    if (*p != SSL3_MT_CCS) {
+                        al = SSL_AD_UNEXPECTED_MESSAGE;
+                        SSLerr(SSL_F_SSL3_GET_MESSAGE,
+                               SSL_R_UNEXPECTED_MESSAGE);
+                        goto f_err;
+                    }
+                    s->init_num = i - 1;
+                    s->init_msg = p + 1;
+                    s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC;
+                    s->s3->tmp.message_size = i - 1;
+                    s->state = stn;
+                    *ok = 1;
+                    if (s->msg_callback)
+                        s->msg_callback(0, s->version,
+                                        SSL3_RT_CHANGE_CIPHER_SPEC, p, 1, s,
+                                        s->msg_callback_arg);
+                    return i - 1;
+                } else if (recvd_type != SSL3_RT_HANDSHAKE) {
+                    al = SSL_AD_UNEXPECTED_MESSAGE;
+                    SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
+                    goto f_err;
+                }
                 s->init_num += i;
             }
 
@@ -458,8 +551,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
     p = s->init_msg;
     n = s->s3->tmp.message_size - s->init_num;
     while (n > 0) {
-        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[s->init_num],
-                                      n, 0);
+        i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
+                                      &p[s->init_num], n, 0);
         if (i <= 0) {
             s->rwstate = SSL_READING;
             *ok = 0;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 080dbf0..cd6918a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -165,7 +165,7 @@
 
 static int ssl_set_version(SSL *s);
 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
-static int ssl3_check_finished(SSL *s);
+static int ssl3_check_change(SSL *s);
 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
                                     unsigned char *p,
                                     int (*put_cb) (const SSL_CIPHER *,
@@ -276,7 +276,6 @@ int ssl3_connect(SSL *s)
             s->state = SSL3_ST_CW_CLNT_HELLO_A;
             s->ctx->stats.sess_connect++;
             s->init_num = 0;
-            s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
             /*
              * Should have been reset by ssl3_get_finished, too.
              */
@@ -306,7 +305,7 @@ int ssl3_connect(SSL *s)
                 goto end;
 
             if (s->hit) {
-                s->state = SSL3_ST_CR_FINISHED_A;
+                s->state = SSL3_ST_CR_CHANGE_A;
                 if (s->tlsext_ticket_expected) {
                     /* receive renewed session ticket */
                     s->state = SSL3_ST_CR_SESSION_TICKET_A;
@@ -319,12 +318,12 @@ int ssl3_connect(SSL *s)
         case SSL3_ST_CR_CERT_A:
         case SSL3_ST_CR_CERT_B:
             /* Noop (ret = 0) for everything but EAP-FAST. */
-            ret = ssl3_check_finished(s);
+            ret = ssl3_check_change(s);
             if (ret < 0)
                 goto end;
             if (ret == 1) {
                 s->hit = 1;
-                s->state = SSL3_ST_CR_FINISHED_A;
+                s->state = SSL3_ST_CR_CHANGE_A;
                 s->init_num = 0;
                 break;
             }
@@ -525,7 +524,7 @@ int ssl3_connect(SSL *s)
                 if (s->tlsext_ticket_expected)
                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                 else
-                    s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
+                    s->s3->tmp.next_state = SSL3_ST_CR_CHANGE_A;
             }
             s->init_num = 0;
             break;
@@ -535,7 +534,7 @@ int ssl3_connect(SSL *s)
             ret = ssl3_get_new_session_ticket(s);
             if (ret <= 0)
                 goto end;
-            s->state = SSL3_ST_CR_FINISHED_A;
+            s->state = SSL3_ST_CR_CHANGE_A;
             s->init_num = 0;
             break;
 
@@ -548,10 +547,19 @@ int ssl3_connect(SSL *s)
             s->init_num = 0;
             break;
 
+        case SSL3_ST_CR_CHANGE_A:
+        case SSL3_ST_CR_CHANGE_B:
+            ret = ssl3_get_change_cipher_spec(s, SSL3_ST_CR_CHANGE_A,
+                                              SSL3_ST_CR_CHANGE_B);
+            if (ret <= 0)
+                goto end;
+
+            s->state = SSL3_ST_CR_FINISHED_A;
+            s->init_num = 0;
+            break;
+
         case SSL3_ST_CR_FINISHED_A:
         case SSL3_ST_CR_FINISHED_B:
-            if (!s->s3->change_cipher_spec)
-                s->s3->flags |= SSL3_FLAGS_CCS_OK;
             ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
                                     SSL3_ST_CR_FINISHED_B);
             if (ret <= 0)
@@ -3368,11 +3376,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
  * the session ID. EAP-FAST (RFC 4851), however, relies on the next server
  * message after the ServerHello to determine if the server is resuming.
  * Therefore, we allow EAP-FAST to peek ahead.
- * ssl3_check_finished returns 1 if we are resuming from an external
- * pre-shared secret, we have a "ticket" and the next server handshake message
- * is Finished; and 0 otherwise. It returns -1 upon an error.
+ * ssl3_check_change returns 1 if we are resuming from an external
+ * pre-shared secret, we have a "ticket" and the next server message
+ * is CCS; and 0 otherwise. It returns -1 upon an error.
  */
-static int ssl3_check_finished(SSL *s)
+static int ssl3_check_change(SSL *s)
 {
     int ok = 0;
 
@@ -3380,8 +3388,6 @@ static int ssl3_check_finished(SSL *s)
         !s->session->tlsext_tick)
         return 0;
 
-    /* Need to permit this temporarily, in case the next message is Finished. */
-    s->s3->flags |= SSL3_FLAGS_CCS_OK;
     /*
      * This function is called when we might get a Certificate message instead,
      * so permit appropriate message length.
@@ -3392,23 +3398,15 @@ static int ssl3_check_finished(SSL *s)
                                SSL3_ST_CR_CERT_A,
                                SSL3_ST_CR_CERT_B,
                                -1, s->max_cert_list, &ok);
-    s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
 
     if (!ok)
         return -1;
 
     s->s3->tmp.reuse_message = 1;
 
-    if (s->s3->tmp.message_type == SSL3_MT_FINISHED)
+    if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC)
         return 1;
 
-    /* If we're not done, then the CCS arrived early and we should bail. */
-    if (s->s3->change_cipher_spec) {
-        SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY);
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-        return -1;
-    }
-
     return 0;
 }
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0fc0881..d39346a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4808,7 +4808,7 @@ int ssl3_shutdown(SSL *s)
         /*
          * If we are waiting for a close from our peer, we are closed
          */
-        s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
+        s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0);
         if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
             return (-1);        /* return WANT_READ */
         }
@@ -4840,7 +4840,7 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
         ssl3_renegotiate_check(s);
     s->s3->in_read_app_data = 1;
     ret =
-        s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
+        s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len,
                                   peek);
     if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
         /*
@@ -4852,8 +4852,8 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
          */
         s->in_handshake++;
         ret =
-            s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
-                                      peek);
+            s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf,
+                                      len, peek);
         s->in_handshake--;
     } else
         s->s3->in_read_app_data = 0;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index bc7f84f..fd4c87e 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -281,7 +281,6 @@ int ssl3_accept(SSL *s)
 
             s->init_num = 0;
             s->s3->flags &= ~TLS1_FLAGS_SKIP_CERT_VERIFY;
-            s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
             /*
              * Should have been reset by ssl3_get_finished, too.
              */
@@ -576,14 +575,7 @@ int ssl3_accept(SSL *s)
                  * not sent. Also for GOST ciphersuites when the client uses
                  * its key from the certificate for key exchange.
                  */
-#if defined(OPENSSL_NO_NEXTPROTONEG)
-                s->state = SSL3_ST_SR_FINISHED_A;
-#else
-                if (s->s3->next_proto_neg_seen)
-                    s->state = SSL3_ST_SR_NEXT_PROTO_A;
-                else
-                    s->state = SSL3_ST_SR_FINISHED_A;
-#endif
+                s->state = SSL3_ST_SR_CHANGE_A;
                 s->init_num = 0;
             } else if (SSL_USE_SIGALGS(s)) {
                 s->state = SSL3_ST_SR_CERT_VRFY_A;
@@ -650,32 +642,13 @@ int ssl3_accept(SSL *s)
             if (ret <= 0)
                 goto end;
 
-#if defined(OPENSSL_NO_NEXTPROTONEG)
-            s->state = SSL3_ST_SR_FINISHED_A;
-#else
-            if (s->s3->next_proto_neg_seen)
-                s->state = SSL3_ST_SR_NEXT_PROTO_A;
-            else
-                s->state = SSL3_ST_SR_FINISHED_A;
-#endif
+            s->state = SSL3_ST_SR_CHANGE_A;
             s->init_num = 0;
             break;
 
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
         case SSL3_ST_SR_NEXT_PROTO_A:
         case SSL3_ST_SR_NEXT_PROTO_B:
-            /*
-             * Enable CCS for NPN. Receiving a CCS clears the flag, so make
-             * sure not to re-enable it to ban duplicates. This *should* be the
-             * first time we have received one - but we check anyway to be
-             * cautious.
-             * s->s3->change_cipher_spec is set when a CCS is
-             * processed in s3_pkt.c, and remains set until
-             * the client's Finished message is read.
-             */
-            if (!s->s3->change_cipher_spec)
-                s->s3->flags |= SSL3_FLAGS_CCS_OK;
-
             ret = ssl3_get_next_proto(s);
             if (ret <= 0)
                 goto end;
@@ -684,18 +657,27 @@ int ssl3_accept(SSL *s)
             break;
 #endif
 
+
+        case SSL3_ST_SR_CHANGE_A:
+        case SSL3_ST_SR_CHANGE_B:
+            ret = ssl3_get_change_cipher_spec(s, SSL3_ST_SR_CHANGE_A,
+                                              SSL3_ST_SR_CHANGE_B);
+            if (ret <= 0)
+                goto end;
+
+#if defined(OPENSSL_NO_NEXTPROTONEG)
+            s->state = SSL3_ST_SR_FINISHED_A;
+#else
+            if (s->s3->next_proto_neg_seen)
+                s->state = SSL3_ST_SR_NEXT_PROTO_A;
+            else
+                s->state = SSL3_ST_SR_FINISHED_A;
+#endif
+            s->init_num = 0;
+            break;
+
         case SSL3_ST_SR_FINISHED_A:
         case SSL3_ST_SR_FINISHED_B:
-            /*
-             * Enable CCS for handshakes without NPN. In NPN the CCS flag has
-             * already been set. Receiving a CCS clears the flag, so make
-             * sure not to re-enable it to ban duplicates.
-             * s->s3->change_cipher_spec is set when a CCS is
-             * processed in s3_pkt.c, and remains set until
-             * the client's Finished message is read.
-             */
-            if (!s->s3->change_cipher_spec)
-                s->s3->flags |= SSL3_FLAGS_CCS_OK;
             ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
                                     SSL3_ST_SR_FINISHED_B);
             if (ret <= 0)
@@ -769,14 +751,7 @@ int ssl3_accept(SSL *s)
                 goto end;
             s->state = SSL3_ST_SW_FLUSH;
             if (s->hit) {
-#if defined(OPENSSL_NO_NEXTPROTONEG)
-                s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
-#else
-                if (s->s3->next_proto_neg_seen) {
-                    s->s3->tmp.next_state = SSL3_ST_SR_NEXT_PROTO_A;
-                } else
-                    s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
-#endif
+                s->s3->tmp.next_state = SSL3_ST_SR_CHANGE_A;
             } else
                 s->s3->tmp.next_state = SSL_ST_OK;
             s->init_num = 0;
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 4b4d89c..539146f 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -131,6 +131,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
      "ssl3_get_certificate_request"},
     {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "ssl3_get_cert_status"},
     {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "ssl3_get_cert_verify"},
+    {ERR_FUNC(SSL_F_SSL3_GET_CHANGE_CIPHER_SPEC),
+     "ssl3_get_change_cipher_spec"},
     {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),
      "ssl3_get_client_certificate"},
     {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "ssl3_get_client_hello"},
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 0997566..bc8388a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -563,8 +563,8 @@ struct ssl_method_st {
     int (*ssl_renegotiate_check) (SSL *s);
     long (*ssl_get_message) (SSL *s, int st1, int stn, int mt, long
                              max, int *ok);
-    int (*ssl_read_bytes) (SSL *s, int type, unsigned char *buf, int len,
-                           int peek);
+    int (*ssl_read_bytes) (SSL *s, int type, int *recvd_type,
+                           unsigned char *buf, int len, int peek);
     int (*ssl_write_bytes) (SSL *s, int type, const void *buf_, int len);
     int (*ssl_dispatch_alert) (SSL *s);
     long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg);
@@ -1437,11 +1437,6 @@ typedef struct dtls1_state_st {
     unsigned short timeout_duration;
 
     unsigned int retransmitting;
-    /*
-     * Set when the handshake is ready to process peer's ChangeCipherSpec message.
-     * Cleared after the message has been processed.
-     */
-    unsigned int change_cipher_spec_ok;
 #  ifndef OPENSSL_NO_SCTP
     /* used when SSL_ST_XX_FLUSH is entered */
     int next_state;
@@ -1912,6 +1907,7 @@ void ssl3_init_finished_mac(SSL *s);
 __owur int ssl3_send_server_certificate(SSL *s);
 __owur int ssl3_send_newsession_ticket(SSL *s);
 __owur int ssl3_send_cert_status(SSL *s);
+__owur int ssl3_get_change_cipher_spec(SSL *s, int a, int b);
 __owur int ssl3_get_finished(SSL *s, int state_a, int state_b);
 __owur int ssl3_setup_key_block(SSL *s);
 __owur int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);

From matt at openssl.org  Tue Aug  4 09:55:32 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 09:55:32 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438682132.706719.20501.nullmailer@dev.openssl.org>

The branch master has been updated
       via  8d11b7c7ee84ad0aa243476088285d15b22c5470 (commit)
      from  496dbe1855b486c39f42d673d56924d5f9ae3c78 (commit)


- Log -----------------------------------------------------------------
commit 8d11b7c7ee84ad0aa243476088285d15b22c5470
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jul 9 16:37:54 2015 +0100

    Fix warning when compiling with no-ec2m
    
    EC_KEY_set_public_key_affine_coordinates was using some variables that only
    apply if OPENSSL_NO_EC2M is not defined.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_key.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 620860c..a954c8e 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -346,7 +346,10 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
     BN_CTX *ctx = NULL;
     BIGNUM *tx, *ty;
     EC_POINT *point = NULL;
-    int ok = 0, tmp_nid, is_char_two = 0;
+    int ok = 0;
+#ifndef OPENSSL_NO_EC2M
+    int tmp_nid, is_char_two = 0;
+#endif
 
     if (!key || !key->group || !x || !y) {
         ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
@@ -362,14 +365,15 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
     if (!point)
         goto err;
 
+    tx = BN_CTX_get(ctx);
+    ty = BN_CTX_get(ctx);
+
+#ifndef OPENSSL_NO_EC2M
     tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
 
     if (tmp_nid == NID_X9_62_characteristic_two_field)
         is_char_two = 1;
 
-    tx = BN_CTX_get(ctx);
-    ty = BN_CTX_get(ctx);
-#ifndef OPENSSL_NO_EC2M
     if (is_char_two) {
         if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
                                                   x, y, ctx))

From matt at openssl.org  Tue Aug  4 09:55:43 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 09:55:43 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1438682143.055234.21425.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  5438e17de05cfd383790c63bd5770945ac1ccc7f (commit)
      from  49cc3f4038d81ffdad95c9e49e72bc497f4d3954 (commit)


- Log -----------------------------------------------------------------
commit 5438e17de05cfd383790c63bd5770945ac1ccc7f
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jul 9 16:37:54 2015 +0100

    Fix warning when compiling with no-ec2m
    
    EC_KEY_set_public_key_affine_coordinates was using some variables that only
    apply if OPENSSL_NO_EC2M is not defined.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (cherry picked from commit 8d11b7c7ee84ad0aa243476088285d15b22c5470)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_key.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 55ce3fe..c784b6f 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -366,7 +366,10 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
     BN_CTX *ctx = NULL;
     BIGNUM *tx, *ty;
     EC_POINT *point = NULL;
-    int ok = 0, tmp_nid, is_char_two = 0;
+    int ok = 0;
+#ifndef OPENSSL_NO_EC2M
+    int tmp_nid, is_char_two = 0;
+#endif
 
     if (!key || !key->group || !x || !y) {
         ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
@@ -382,14 +385,15 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
     if (!point)
         goto err;
 
+    tx = BN_CTX_get(ctx);
+    ty = BN_CTX_get(ctx);
+
+#ifndef OPENSSL_NO_EC2M
     tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
 
     if (tmp_nid == NID_X9_62_characteristic_two_field)
         is_char_two = 1;
 
-    tx = BN_CTX_get(ctx);
-    ty = BN_CTX_get(ctx);
-#ifndef OPENSSL_NO_EC2M
     if (is_char_two) {
         if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
                                                   x, y, ctx))

From matt at openssl.org  Tue Aug  4 09:55:53 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 09:55:53 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1438682153.546594.21779.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  507ea77b82f99af8cdae22bebb49fb2772d95330 (commit)
      from  556803fc3d0c3a957056665d0eef1c6c80cf556e (commit)


- Log -----------------------------------------------------------------
commit 507ea77b82f99af8cdae22bebb49fb2772d95330
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Jul 9 16:37:54 2015 +0100

    Fix warning when compiling with no-ec2m
    
    EC_KEY_set_public_key_affine_coordinates was using some variables that only
    apply if OPENSSL_NO_EC2M is not defined.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    (cherry picked from commit 8d11b7c7ee84ad0aa243476088285d15b22c5470)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ec/ec_key.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 55ce3fe..c784b6f 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -366,7 +366,10 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
     BN_CTX *ctx = NULL;
     BIGNUM *tx, *ty;
     EC_POINT *point = NULL;
-    int ok = 0, tmp_nid, is_char_two = 0;
+    int ok = 0;
+#ifndef OPENSSL_NO_EC2M
+    int tmp_nid, is_char_two = 0;
+#endif
 
     if (!key || !key->group || !x || !y) {
         ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
@@ -382,14 +385,15 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
     if (!point)
         goto err;
 
+    tx = BN_CTX_get(ctx);
+    ty = BN_CTX_get(ctx);
+
+#ifndef OPENSSL_NO_EC2M
     tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
 
     if (tmp_nid == NID_X9_62_characteristic_two_field)
         is_char_two = 1;
 
-    tx = BN_CTX_get(ctx);
-    ty = BN_CTX_get(ctx);
-#ifndef OPENSSL_NO_EC2M
     if (is_char_two) {
         if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
                                                   x, y, ctx))

From matt at openssl.org  Tue Aug  4 12:29:49 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 12:29:49 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438691389.896207.5318.nullmailer@dev.openssl.org>

The branch master has been updated
       via  0bc09ecd263acb25f04f373f31a50f50af8541bb (commit)
       via  44128847e8965ec64384ac48c65f5d28126b3666 (commit)
      from  8d11b7c7ee84ad0aa243476088285d15b22c5470 (commit)


- Log -----------------------------------------------------------------
commit 0bc09ecd263acb25f04f373f31a50f50af8541bb
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 4 11:44:52 2015 +0100

    PACKETise ClientCertificate processing
    
    Use the PACKET API for processing ClientCertificate messages
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 44128847e8965ec64384ac48c65f5d28126b3666
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 4 13:03:20 2015 +0100

    Fix a bug in the new PACKET implementation
    
    Some of the PACKET functions were returning incorrect data. An unfortunate
    choice of test data in the unit test was masking the failure.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/packet_locl.h | 16 ++++++++--------
 ssl/s3_srvr.c     | 33 ++++++++++++++++++++-------------
 test/packettest.c | 49 +++++++++++++++++++++++++------------------------
 3 files changed, 53 insertions(+), 45 deletions(-)

diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index 4aab5cb..80d0b93 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -176,8 +176,8 @@ __owur static inline int PACKET_peek_net_3(PACKET *pkt, unsigned long *data)
         return 0;
 
     *data  = ((unsigned long)(*pkt->curr)) << 16;
-    *data |= ((unsigned long)(*pkt->curr + 1)) <<  8;
-    *data |= *pkt->curr + 2;
+    *data |= ((unsigned long)(*(pkt->curr + 1))) <<  8;
+    *data |= *(pkt->curr + 2);
 
     return 1;
 }
@@ -203,9 +203,9 @@ __owur static inline int PACKET_peek_net_4(PACKET *pkt, unsigned long *data)
         return 0;
 
     *data  = ((unsigned long)(*pkt->curr)) << 24;
-    *data |= ((unsigned long)(*pkt->curr + 1)) << 16;
-    *data |= ((unsigned long)(*pkt->curr + 2)) <<  8;
-    *data |= *pkt->curr+3;
+    *data |= ((unsigned long)(*(pkt->curr + 1))) << 16;
+    *data |= ((unsigned long)(*(pkt->curr + 2))) <<  8;
+    *data |= *(pkt->curr+3);
 
     return 1;
 }
@@ -254,9 +254,9 @@ __owur static inline int PACKET_peek_4(PACKET *pkt, unsigned long *data)
         return 0;
 
     *data  = *pkt->curr;
-    *data |= ((unsigned long)(*pkt->curr + 1)) <<  8;
-    *data |= ((unsigned long)(*pkt->curr + 2)) << 16;
-    *data |= ((unsigned long)(*pkt->curr + 3)) << 24;
+    *data |= ((unsigned long)(*(pkt->curr + 1))) <<  8;
+    *data |= ((unsigned long)(*(pkt->curr + 2))) << 16;
+    *data |= ((unsigned long)(*(pkt->curr + 3))) << 24;
 
     return 1;
 }
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index fd4c87e..079d9be 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3012,10 +3012,11 @@ int ssl3_get_client_certificate(SSL *s)
 {
     int i, ok, al, ret = -1;
     X509 *x = NULL;
-    unsigned long l, nc, llen, n;
-    const unsigned char *p, *q;
-    unsigned char *d;
+    unsigned long l, llen, n;
+    const unsigned char *certstart;
+    unsigned char *certbytes;
     STACK_OF(X509) *sk = NULL;
+    PACKET pkt, spkt;
 
     n = s->method->ssl_get_message(s,
                                    SSL3_ST_SR_CERT_A,
@@ -3051,35 +3052,42 @@ int ssl3_get_client_certificate(SSL *s)
         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_WRONG_MESSAGE_TYPE);
         goto f_err;
     }
-    p = d = (unsigned char *)s->init_msg;
+
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+        goto f_err;
+    }
 
     if ((sk = sk_X509_new_null()) == NULL) {
         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
         goto done;
     }
 
-    n2l3(p, llen);
-    if (llen + 3 != n) {
+    if (!PACKET_get_net_3(&pkt, &llen)
+            || !PACKET_get_sub_packet(&pkt, &spkt, llen)
+            || PACKET_remaining(&pkt) != 0) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
-    for (nc = 0; nc < llen;) {
-        n2l3(p, l);
-        if ((l + nc + 3) > llen) {
+
+    while (PACKET_remaining(&spkt) > 0) {
+        if (!PACKET_get_net_3(&spkt, &l)
+                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                    SSL_R_CERT_LENGTH_MISMATCH);
             goto f_err;
         }
 
-        q = p;
-        x = d2i_X509(NULL, &p, l);
+        certstart = certbytes;
+        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
         if (x == NULL) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
             goto done;
         }
-        if (p != (q + l)) {
+        if (certbytes != (certstart + l)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                    SSL_R_CERT_LENGTH_MISMATCH);
@@ -3090,7 +3098,6 @@ int ssl3_get_client_certificate(SSL *s)
             goto done;
         }
         x = NULL;
-        nc += l + 3;
     }
 
     if (sk_X509_num(sk) <= 0) {
diff --git a/test/packettest.c b/test/packettest.c
index 92181e6..1ddb837 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -81,10 +81,10 @@ static int test_PACKET_get_1(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_1(pkt, &i)
-            ||  i != 0x01
+            ||  i != 0x02
             || !PACKET_forward(pkt, BUF_LEN - 2)
             || !PACKET_get_1(pkt, &i)
-            ||  i != 0xff
+            ||  i != 0xfe
             ||  PACKET_get_1(pkt, &i)) {
         fprintf(stderr, "test_PACKET_get_1() failed\n");
         return 0;
@@ -99,10 +99,10 @@ static int test_PACKET_get_4(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_4(pkt, &i)
-            ||  i != 0x04030201UL
+            ||  i != 0x08060402UL
             || !PACKET_forward(pkt, BUF_LEN - 8)
             || !PACKET_get_4(pkt, &i)
-            ||  i != 0xfffefdfcUL
+            ||  i != 0xfefcfaf8UL
             ||  PACKET_get_4(pkt, &i)) {
         fprintf(stderr, "test_PACKET_get_4() failed\n");
         return 0;
@@ -117,10 +117,10 @@ static int test_PACKET_get_net_2(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_net_2(pkt, &i)
-            ||  i != 0x0102
+            ||  i != 0x0204
             || !PACKET_forward(pkt, BUF_LEN - 4)
             || !PACKET_get_net_2(pkt, &i)
-            ||  i != 0xfeff
+            ||  i != 0xfcfe
             ||  PACKET_get_net_2(pkt, &i)) {
         fprintf(stderr, "test_PACKET_get_net_2() failed\n");
         return 0;
@@ -135,11 +135,12 @@ static int test_PACKET_get_net_3(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_net_3(pkt, &i)
-            ||  i != 0x010203UL
+            ||  i != 0x020406UL
             || !PACKET_forward(pkt, BUF_LEN - 6)
             || !PACKET_get_net_3(pkt, &i)
-            ||  i != 0xfdfeffUL
+            ||  i != 0xfafcfeUL
             ||  PACKET_get_net_3(pkt, &i)) {
+        fprintf(stderr, "i is %ld\n", i);
         fprintf(stderr, "test_PACKET_get_net_3() failed\n");
         return 0;
     }
@@ -153,10 +154,10 @@ static int test_PACKET_get_net_4(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_net_4(pkt, &i)
-            ||  i != 0x01020304UL
+            ||  i != 0x02040608UL
             || !PACKET_forward(pkt, BUF_LEN - 8)
             || !PACKET_get_net_4(pkt, &i)
-            ||  i != 0xfcfdfeffUL
+            ||  i != 0xf8fafcfeUL
             ||  PACKET_get_net_4(pkt, &i)) {
         fprintf(stderr, "test_PACKET_get_net_4() failed\n");
         return 0;
@@ -173,12 +174,12 @@ static int test_PACKET_get_sub_packet(PACKET *pkt, size_t start)
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_sub_packet(pkt, &subpkt, 4)
             || !PACKET_get_net_4(&subpkt, &i)
-            ||  i != 0x01020304UL
+            ||  i != 0x02040608UL
             ||  PACKET_remaining(&subpkt)
             || !PACKET_forward(pkt, BUF_LEN - 8)
             || !PACKET_get_sub_packet(pkt, &subpkt, 4)
             || !PACKET_get_net_4(&subpkt, &i)
-            ||  i != 0xfcfdfeffUL
+            ||  i != 0xf8fafcfeUL
             ||  PACKET_remaining(&subpkt)
             ||  PACKET_get_sub_packet(pkt, &subpkt, 4)) {
         fprintf(stderr, "test_PACKET_get_sub_packet() failed\n");
@@ -194,13 +195,13 @@ static int test_PACKET_get_bytes(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_bytes(pkt, &bytes, 4)
-            ||  bytes[0] != 1 || bytes[1] != 2
-            ||  bytes[2] != 3 || bytes[3] != 4
+            ||  bytes[0] != 2 || bytes[1] != 4
+            ||  bytes[2] != 6 || bytes[3] != 8
             ||  PACKET_remaining(pkt) != BUF_LEN -4
             || !PACKET_forward(pkt, BUF_LEN - 8)
             || !PACKET_get_bytes(pkt, &bytes, 4)
-            ||  bytes[0] != 0xfc || bytes[1] != 0xfd
-            ||  bytes[2] != 0xfe || bytes[3] != 0xff
+            ||  bytes[0] != 0xf8 || bytes[1] != 0xfa
+            ||  bytes[2] != 0xfc || bytes[3] != 0xfe
             ||  PACKET_remaining(pkt)) {
         fprintf(stderr, "test_PACKET_get_bytes() failed\n");
         return 0;
@@ -215,13 +216,13 @@ static int test_PACKET_copy_bytes(PACKET *pkt, size_t start)
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_copy_bytes(pkt, bytes, 4)
-            ||  bytes[0] != 1 || bytes[1] != 2
-            ||  bytes[2] != 3 || bytes[3] != 4
+            ||  bytes[0] != 2 || bytes[1] != 4
+            ||  bytes[2] != 6 || bytes[3] != 8
             ||  PACKET_remaining(pkt) != BUF_LEN - 4
             || !PACKET_forward(pkt, BUF_LEN - 8)
             || !PACKET_copy_bytes(pkt, bytes, 4)
-            ||  bytes[0] != 0xfc || bytes[1] != 0xfd
-            ||  bytes[2] != 0xfe || bytes[3] != 0xff
+            ||  bytes[0] != 0xf8 || bytes[1] != 0xfa
+            ||  bytes[2] != 0xfc || bytes[3] != 0xfe
             ||  PACKET_remaining(pkt)) {
         fprintf(stderr, "test_PACKET_copy_bytes() failed\n");
         return 0;
@@ -239,16 +240,16 @@ static int test_PACKET_move_funcs(PACKET *pkt, size_t start)
             ||  PACKET_back(pkt, 1)
             || !PACKET_forward(pkt, 1)
             || !PACKET_get_bytes(pkt, &byte, 1)
-            ||  byte[0] != 2
+            ||  byte[0] != 4
             || !PACKET_get_bookmark(pkt, &bm)
             || !PACKET_forward(pkt, BUF_LEN - 2)
             ||  PACKET_forward(pkt, 1)
             || !PACKET_back(pkt, 1)
             || !PACKET_get_bytes(pkt, &byte, 1)
-            ||  byte[0] != 0xff
+            ||  byte[0] != 0xfe
             || !PACKET_goto_bookmark(pkt, bm)
             || !PACKET_get_bytes(pkt, &byte, 1)
-            ||  byte[0] != 3) {
+            ||  byte[0] != 6) {
         fprintf(stderr, "test_PACKET_move_funcs() failed\n");
         return 0;
     }
@@ -289,7 +290,7 @@ int main(int argc, char **argv)
     PACKET pkt;
 
     for (i=1; i<=BUF_LEN; i++) {
-        buf[i-1] = i;
+        buf[i-1] = (i * 2) & 0xff;
     }
     i = 0;
 

From matt at openssl.org  Tue Aug  4 12:59:30 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 12:59:30 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438693170.334573.14288.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f532a35d2ac4364c4ce0f0a68170b2a2228469cc (commit)
      from  0bc09ecd263acb25f04f373f31a50f50af8541bb (commit)


- Log -----------------------------------------------------------------
commit f532a35d2ac4364c4ce0f0a68170b2a2228469cc
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 3 16:56:41 2015 +0100

    PACKETise CertificateVerify processing
    
    Modify CertificateVerify processing to use the new PACKET API.
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 47 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 079d9be..3072270 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2816,13 +2816,15 @@ int ssl3_get_client_key_exchange(SSL *s)
 int ssl3_get_cert_verify(SSL *s)
 {
     EVP_PKEY *pkey = NULL;
-    unsigned char *p;
+    unsigned char *sig, *data;
     int al, ok, ret = 0;
     long n;
     int type = 0, i, j;
+    unsigned int len;
     X509 *peer;
     const EVP_MD *md = NULL;
     EVP_MD_CTX mctx;
+    PACKET pkt;
     EVP_MD_CTX_init(&mctx);
 
     /*
@@ -2859,7 +2861,11 @@ int ssl3_get_cert_verify(SSL *s)
     }
 
     /* we now have a signature that we need to verify */
-    p = (unsigned char *)s->init_msg;
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+        al = SSL_AD_INTERNAL_ERROR;
+        goto f_err;
+    }
     /* Check for broken implementations of GOST ciphersuites */
     /*
      * If key is GOST and n is exactly 64, it is bare signature without
@@ -2867,10 +2873,16 @@ int ssl3_get_cert_verify(SSL *s)
      */
     if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
                     pkey->type == NID_id_GostR3410_2001)) {
-        i = 64;
+        len = 64;
     } else {
         if (SSL_USE_SIGALGS(s)) {
-            int rv = tls12_check_peer_sigalg(&md, s, p, pkey);
+            int rv;
+
+            if (!PACKET_get_bytes(&pkt, &sig, 2)) {
+                al = SSL_AD_DECODE_ERROR;
+                goto f_err;
+            }
+            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
             if (rv == -1) {
                 al = SSL_AD_INTERNAL_ERROR;
                 goto f_err;
@@ -2881,23 +2893,24 @@ int ssl3_get_cert_verify(SSL *s)
 #ifdef SSL_DEBUG
             fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
 #endif
-            p += 2;
-            n -= 2;
         }
-        n2s(p, i);
-        n -= 2;
-        if (i > n) {
+        if (!PACKET_get_net_2(&pkt, &len)) {
             SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
     }
     j = EVP_PKEY_size(pkey);
-    if ((i > j) || (n > j) || (n <= 0)) {
+    if (((int)len > j) || ((int)PACKET_remaining(&pkt) > j) || (n <= 0)) {
         SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
         al = SSL_AD_DECODE_ERROR;
         goto f_err;
     }
+    if (!PACKET_get_bytes(&pkt, &data, len)) {
+        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
+        al = SSL_AD_DECODE_ERROR;
+        goto f_err;
+    }
 
     if (SSL_USE_SIGALGS(s)) {
         long hdatalen = 0;
@@ -2919,7 +2932,7 @@ int ssl3_get_cert_verify(SSL *s)
             goto f_err;
         }
 
-        if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) {
+        if (EVP_VerifyFinal(&mctx, data, len, pkey) <= 0) {
             al = SSL_AD_DECRYPT_ERROR;
             SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
             goto f_err;
@@ -2928,7 +2941,7 @@ int ssl3_get_cert_verify(SSL *s)
 #ifndef OPENSSL_NO_RSA
     if (pkey->type == EVP_PKEY_RSA) {
         i = RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
-                       MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i,
+                       MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, data, len,
                        pkey->pkey.rsa);
         if (i < 0) {
             al = SSL_AD_DECRYPT_ERROR;
@@ -2946,7 +2959,7 @@ int ssl3_get_cert_verify(SSL *s)
     if (pkey->type == EVP_PKEY_DSA) {
         j = DSA_verify(pkey->save_type,
                        &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
-                       SHA_DIGEST_LENGTH, p, i, pkey->pkey.dsa);
+                       SHA_DIGEST_LENGTH, data, len, pkey->pkey.dsa);
         if (j <= 0) {
             /* bad signature */
             al = SSL_AD_DECRYPT_ERROR;
@@ -2959,7 +2972,7 @@ int ssl3_get_cert_verify(SSL *s)
     if (pkey->type == EVP_PKEY_EC) {
         j = ECDSA_verify(pkey->save_type,
                          &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
-                         SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec);
+                         SHA_DIGEST_LENGTH, data, len, pkey->pkey.ec);
         if (j <= 0) {
             /* bad signature */
             al = SSL_AD_DECRYPT_ERROR;
@@ -2974,11 +2987,11 @@ int ssl3_get_cert_verify(SSL *s)
         int idx;
         EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
         EVP_PKEY_verify_init(pctx);
-        if (i != 64) {
-            fprintf(stderr, "GOST signature length is %d", i);
+        if (len != 64) {
+            fprintf(stderr, "GOST signature length is %d", len);
         }
         for (idx = 0; idx < 64; idx++) {
-            signature[63 - idx] = p[idx];
+            signature[63 - idx] = data[idx];
         }
         j = EVP_PKEY_verify(pctx, signature, 64, s->s3->tmp.cert_verify_md,
                             32);

From matt at openssl.org  Tue Aug  4 13:11:22 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 13:11:22 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438693882.139298.18404.nullmailer@dev.openssl.org>

The branch master has been updated
       via  c3fc7eeab884b6876a1b4006163f190d325aa047 (commit)
      from  f532a35d2ac4364c4ce0f0a68170b2a2228469cc (commit)


- Log -----------------------------------------------------------------
commit c3fc7eeab884b6876a1b4006163f190d325aa047
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 4 13:52:03 2015 +0100

    PACKETise NextProto
    
    Change NextProto message processing to use the PACKET API.
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 43 ++++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 19 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 3072270..b60c962 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3400,9 +3400,9 @@ int ssl3_send_cert_status(SSL *s)
 int ssl3_get_next_proto(SSL *s)
 {
     int ok;
-    int proto_len, padding_len;
+    unsigned int proto_len, padding_len;
     long n;
-    const unsigned char *p;
+    PACKET pkt;
 
     /*
      * Clients cannot send a NextProtocol message if we didn't see the
@@ -3436,11 +3436,13 @@ int ssl3_get_next_proto(SSL *s)
     }
 
     if (n < 2) {
-        s->state = SSL_ST_ERR;
-        return 0;               /* The body must be > 1 bytes long */
+        goto err;               /* The body must be > 1 bytes long */
     }
 
-    p = (unsigned char *)s->init_msg;
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
 
     /*-
      * The payload looks like:
@@ -3449,27 +3451,30 @@ int ssl3_get_next_proto(SSL *s)
      *   uint8 padding_len;
      *   uint8 padding[padding_len];
      */
-    proto_len = p[0];
-    if (proto_len + 2 > s->init_num) {
-        s->state = SSL_ST_ERR;
-        return 0;
-    }
-    padding_len = p[proto_len + 1];
-    if (proto_len + padding_len + 2 != s->init_num) {
-        s->state = SSL_ST_ERR;
-        return 0;
+    if (!PACKET_get_1(&pkt, &proto_len)){
+        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
+        goto err;
     }
 
     s->next_proto_negotiated = OPENSSL_malloc(proto_len);
-    if (!s->next_proto_negotiated) {
+    if (s->next_proto_negotiated == NULL) {
         SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE);
-        s->state = SSL_ST_ERR;
-        return 0;
+        goto err;
+    }
+
+    if (!PACKET_copy_bytes(&pkt, s->next_proto_negotiated, proto_len)
+            || !PACKET_get_1(&pkt, &padding_len)
+            || PACKET_remaining(&pkt) != padding_len) {
+        OPENSSL_free(s->next_proto_negotiated);
+        s->next_proto_negotiated = NULL;
+        SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
+        goto err;
     }
-    memcpy(s->next_proto_negotiated, p + 1, proto_len);
-    s->next_proto_negotiated_len = proto_len;
 
     return 1;
+err:
+    s->state = SSL_ST_ERR;
+    return 0;
 }
 #endif
 

From matt at openssl.org  Tue Aug  4 18:55:33 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 04 Aug 2015 18:55:33 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438714533.730652.1143.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e77bdc7310fc8fb9e22fd481a991b3576d128b9f (commit)
      from  c3fc7eeab884b6876a1b4006163f190d325aa047 (commit)


- Log -----------------------------------------------------------------
commit e77bdc7310fc8fb9e22fd481a991b3576d128b9f
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 4 19:18:02 2015 +0100

    Fix SRTP s_client/s_server options
    
    The -use_srtp s_client/s_server option is supposed to take a colon
    separated string as an argument. In master this was incorrectly set to
    expect a filename.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c | 2 +-
 apps/s_server.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 5971f8a..2b69355 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -519,7 +519,7 @@ OPTIONS s_client_options[] = {
      "Load the file(s) into the random number generator"},
     {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
     {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
-    {"use_srtp", OPT_USE_SRTP, '<',
+    {"use_srtp", OPT_USE_SRTP, 's',
      "Offer SRTP key management with a colon-separated profile list"},
     {"keymatexport", OPT_KEYMATEXPORT, 's',
      "Export keying material using label"},
diff --git a/apps/s_server.c b/apps/s_server.c
index a1fcb6e..e7c794c 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -949,7 +949,7 @@ OPTIONS s_server_options[] = {
      "Set the advertised protocols for the NPN extension (comma-separated list)"},
 #endif
 #ifndef OPENSSL_NO_SRTP
-    {"use_srtp", OPT_SRTP_PROFILES, '<',
+    {"use_srtp", OPT_SRTP_PROFILES, 's',
      "Offer SRTP key management with a colon-separated profile list"},
     {"alpn", OPT_ALPN, 's',
      "Set the advertised protocols for the ALPN extension (comma-separated list)"},

From rsalz at openssl.org  Tue Aug  4 20:31:22 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 04 Aug 2015 20:31:22 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1438720282.643444.3760.nullmailer@dev.openssl.org>

The branch master has been updated
       via  596c3f5934df1cbc1fc8fe61d0f690b48af753f5 (commit)
      from  7396e9b0e72bece0d79baa53e1459e8bdeb5cb76 (commit)


- Log -----------------------------------------------------------------
commit 596c3f5934df1cbc1fc8fe61d0f690b48af753f5
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 4 16:31:10 2015 -0400

    Update non-profit org status

-----------------------------------------------------------------------

Summary of changes:
 support/donations.wml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/support/donations.wml b/support/donations.wml
index 04ad7fc..88c48e8 100644
--- a/support/donations.wml
+++ b/support/donations.wml
@@ -8,12 +8,15 @@
 <p>Your donation to the OpenSSL team will support the ongoing development activities of the team members.
 </p>
 
-<p>Please note that the <a href="funding/support-contact.html">OpenSSL Software Foundation</a> (OSF) is incorporated in the United States as a regular for-profit corporation.
-It does not qualify as a non-profit, charitable organisation under Section 501(c)(3)
-of the U.S. Internal Revenue Code.  We looked into it and concluded that 501(c)(3) status would require more of an
-investment in time and money than we can justify at present.  This means that, for individuals within the U.S., donations
-to the OSF are not tax-deductible.  Corporate donations can of course be written off as a business expense.
-</p>
+<p>Please note that the <a href="funding/support-contact.html">OpenSSL
+Software Foundation</a> (OSF) is incorporated in the the state of Delware,
+United States, as a non-profit corporation.  It does not qualify as
+a charitable organisation under Section 501(c)(3) of the U.S. Internal
+Revenue Code.  We looked into it and concluded that 501(c)(3) status
+would require more of an investment in time and money than we can justify
+at present.  This means that, for individuals within the U.S., donations
+to the OSF are not tax-deductible.  Corporate donations can of course be
+written off as a business expense.  </p>
 
 <p>In addition to direct financial contributions in the form of donations or sponsorship you may also
 support the OpenSSL project financially with the purchase of a <a href="funding/contract.html"> support contract</a>,

From matt at openssl.org  Wed Aug  5 10:14:54 2015
From: matt at openssl.org (Matt Caswell)
Date: Wed, 05 Aug 2015 10:14:54 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438769694.255819.30096.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6f136aa6fc834fd841aee6c5267288ed13aae19d (commit)
       via  6c3cca5793b1ac57daceb8111d842f954a5ecf6a (commit)
      from  e77bdc7310fc8fb9e22fd481a991b3576d128b9f (commit)


- Log -----------------------------------------------------------------
commit 6f136aa6fc834fd841aee6c5267288ed13aae19d
Author: Adam Eijdenberg <eijdenberg at google.com>
Date:   Tue Aug 4 15:15:38 2015 -0700

    Change error reason to match previous behaviour.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 6c3cca5793b1ac57daceb8111d842f954a5ecf6a
Author: Adam Eijdenberg <eijdenberg at google.com>
Date:   Tue Aug 4 14:59:47 2015 -0700

    Fix unhandled error condition in sslv2 client hello parsing.
    
    --strict-warnings started showing warnings for this today...
    
    Surely an error should be raised if these reads fail?
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b60c962..76f49bd 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1014,6 +1014,9 @@ int ssl3_get_client_hello(SSL *s)
         if (!PACKET_get_net_2(&pkt, &csl)
                 || !PACKET_get_net_2(&pkt, &sil)
                 || !PACKET_get_net_2(&pkt, &cl)) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
+            al = SSL_AD_DECODE_ERROR;
+            goto f_err;
         }
 
         if (csl == 0) {

From stevem at openssl.org  Wed Aug  5 14:11:45 2015
From: stevem at openssl.org (Steve Marquess)
Date: Wed, 05 Aug 2015 14:11:45 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1438783905.391404.13165.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e31df12862d63ba8ad09ec18461fb37c1698cd4b (commit)
      from  596c3f5934df1cbc1fc8fe61d0f690b48af753f5 (commit)


- Log -----------------------------------------------------------------
commit e31df12862d63ba8ad09ec18461fb37c1698cd4b
Author: Steve Marquess <marquess at openssl.com>
Date:   Wed Aug 5 10:11:32 2015 -0400

    Restore Nokia logo

-----------------------------------------------------------------------

Summary of changes:
 support/acknowledgments.wml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/support/acknowledgments.wml b/support/acknowledgments.wml
index 5c583ac..ca8345e 100644
--- a/support/acknowledgments.wml
+++ b/support/acknowledgments.wml
@@ -60,6 +60,9 @@ Platinum sponsors (listed chronologically, left to right).  The sustainable fund
     <tr>
     
     <td>
+        <a href="http://company.nokia.com/en">
+        <img src="$(IMG)/nokia-logo-med.jpg" align=center border=0>
+        </a>
         <a href="http://www.huawei.com/">
         <img src="$(IMG)/huawei-logo-med.jpg" align=center border=0>
         </a>

From rsalz at openssl.org  Thu Aug  6 02:06:14 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 06 Aug 2015 02:06:14 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438826774.984248.22034.nullmailer@dev.openssl.org>

The branch master has been updated
       via  1125245997dac232a0c0867b6c858cda4e549c6d (commit)
      from  6f136aa6fc834fd841aee6c5267288ed13aae19d (commit)


- Log -----------------------------------------------------------------
commit 1125245997dac232a0c0867b6c858cda4e549c6d
Author: Anton Blanchard <anton at samba.org>
Date:   Wed Aug 5 21:48:35 2015 -0400

    RT3990: Fix #include path.
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/ppccap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ppccap.c b/crypto/ppccap.c
index 2b7f704..74af473 100644
--- a/crypto/ppccap.c
+++ b/crypto/ppccap.c
@@ -7,7 +7,7 @@
 #if defined(__linux) || defined(_AIX)
 # include <sys/utsname.h>
 #endif
-#include <crypto.h>
+#include <openssl/crypto.h>
 #include <openssl/bn.h>
 
 #include "ppc_arch.h"

From rsalz at openssl.org  Thu Aug  6 02:06:30 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 06 Aug 2015 02:06:30 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1438826790.859187.22871.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  9ea70e5b4097a1319d90fca289c2a3940e846f6b (commit)
      from  5438e17de05cfd383790c63bd5770945ac1ccc7f (commit)


- Log -----------------------------------------------------------------
commit 9ea70e5b4097a1319d90fca289c2a3940e846f6b
Author: Anton Blanchard <anton at samba.org>
Date:   Wed Aug 5 21:48:35 2015 -0400

    RT3990: Fix #include path.
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 1125245997dac232a0c0867b6c858cda4e549c6d)

-----------------------------------------------------------------------

Summary of changes:
 crypto/ppccap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ppccap.c b/crypto/ppccap.c
index 2b7f704..74af473 100644
--- a/crypto/ppccap.c
+++ b/crypto/ppccap.c
@@ -7,7 +7,7 @@
 #if defined(__linux) || defined(_AIX)
 # include <sys/utsname.h>
 #endif
-#include <crypto.h>
+#include <openssl/crypto.h>
 #include <openssl/bn.h>
 
 #include "ppc_arch.h"

From stevem at openssl.org  Thu Aug  6 13:59:49 2015
From: stevem at openssl.org (Steve Marquess)
Date: Thu, 06 Aug 2015 13:59:49 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1438869589.102858.16650.nullmailer@dev.openssl.org>

The branch master has been updated
       via  3028310b6b3d3eb66b052f2fb5d065e783cafe76 (commit)
      from  e31df12862d63ba8ad09ec18461fb37c1698cd4b (commit)


- Log -----------------------------------------------------------------
commit 3028310b6b3d3eb66b052f2fb5d065e783cafe76
Author: Steve Marquess <marquess at openssl.com>
Date:   Wed Aug 5 11:45:11 2015 -0400

    Sort out legal entity references (long overdue!)

-----------------------------------------------------------------------

Summary of changes:
 about/contacts.wml                  | 69 +++++++++++++++++++++++++++++++------
 about/openssl-contact.wml           | 22 ++++++++++++
 docs/fips/fipsnotes.wml             |  2 +-
 docs/fips/fipsvalidation.wml        |  6 ++--
 docs/fips/privatelabel.wml          |  6 ++--
 docs/index.wml                      |  2 +-
 support/acknowledgments.wml         |  2 +-
 support/consulting.wml              |  2 +-
 support/donations-cn.wml            |  2 +-
 support/donations.wml               |  8 ++---
 support/funding/contract.wml        |  2 +-
 support/funding/support-contact.wml | 12 +++----
 12 files changed, 102 insertions(+), 33 deletions(-)
 create mode 100644 about/openssl-contact.wml

diff --git a/about/contacts.wml b/about/contacts.wml
index e8d72db..658aa8d 100644
--- a/about/contacts.wml
+++ b/about/contacts.wml
@@ -20,36 +20,83 @@ to dispose of.  You may <i>request</i> support, but it's the contact's
 responsability and freedom alone to decide if he wants to give any support
 or not, regardless of who makes the request.</p>
 
+<p>The <i>OpenSSL Software Foundation</i> represents the OpenSSL project in most capacities including contributor license
+agreements, managing donations, etc.</p>
+</p>
+
 <table>
 <tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
 <tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
 <tr><td>
-OpenSSL SE<br>
-c/o Richard Levitte<br>
-Nordingr?gatan 20<br>
-S-162 53 V?llingby<br>
-Sweden<br>
-<i>E-mail:</i> <a href="mailto:openssl-contact.SE at openssl.org">openssl-contact.SE at openssl.org</a>
+OpenSSL Software Foundation<br>
+20-22 Wenlock Road<br>
+London<br>
+N1 7GU<br>
+United Kingdom<br>
++44 1785508015  (UK)<br>
++1 877-OPENSSL(6775) (US toll free)<br>
++1 301-956-2281 (US)<br>
+<i>E-mail:</i> <a href="mailto:info at opensslfoundation.org">info at opensslfoundation.org</a>
 </td><td valign=top>
-Sweden only
+Worldwide
 </td></tr>
 </table>
 
-<p>The <i>OpenSSL Software Foundation</i> represents the OpenSSL project in some capacities, such as providing formal support contracts, brokering consulting contracts for OpenSSL team members, and disbursing dontations.</p>
+<p><i>OpenSSL Software Services</i> represents the OpenSSL project for selected commercial or quasi-commercial contexts, such
+as providing formal support contracts and brokering consulting contracts for OpenSSL team members</p>
 </p>
 
 <table>
 <tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
 <tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
 <tr><td>
-OpenSSL Software Foundation<br>
+OpenSSL Software Services Inc.<br>
+40 E Main St, Suite 744<br>
+Newark DE 19711<br>
+USA<br>
++1 240-215-3103<br>
+<i>E-mail:</i> <a href="mailto:info at opensslservices.com">info at opensslservices.com</a>
+</td><td valign=top>
+Worldwide
+</td></tr>
+</table>
+
+<p>
+Commercial activities specific to FIPS 140-2 validations and the OpenSSL FIPS Object Module are handled by <i>OpenSSL Validation Services</i>:
+</p>
+
+<table>
+<tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
+<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
+<tr><td>
+OpenSSL Validation Services Inc.<br>
 1829 Mount Ephraim Road<br>
 Adamstown, MD  21710<br>
 USA<br>
-+1 877 673 6775
-<i>E-mail:</i> <a href="mailto:info at opensslfoundation.com">info at opensslfoundation.com</a>
++1 301-874-2571<br>
+<i>E-mail:</i> <a href="mailto:info at openssl.com">info at openssl.com</a>
 </td><td valign=top>
 Worldwide
 </td></tr>
 </table>
 
+<p>
+<p>
+Some OpenSSL team members are available for selected consulting engagements:
+<p>
+
+<table>
+<tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
+<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
+<tr><td>
+OpenSSL SE<br>
+c/o Richard Levitte<br>
+Nordingr?gatan 20<br>
+S-162 53 V?llingby<br>
+Sweden<br>
+<i>E-mail:</i> <a href="mailto:openssl-contact.SE at openssl.org">openssl-contact.SE at openssl.org</a>
+</td><td valign=top>
+Sweden only
+</td></tr>
+</table>
+
diff --git a/about/openssl-contact.wml b/about/openssl-contact.wml
new file mode 100644
index 0000000..8b9c590
--- /dev/null
+++ b/about/openssl-contact.wml
@@ -0,0 +1,22 @@
+
+#use wml::openssl area=funding page=index
+
+<title>OpenSSL Software Foundation Contact Info</title>
+
+<h1>OpenSSL Software Foundation Queries</h1>
+
+Direct queries concerning any non-commercial activites or issues to:<br>
+<br>
+OpenSSL Software Foundation<br>
+20-22 Wenlock Road<br>
+London<br>
+N1 7GU<br>
+United Kingdom<br>
++44 1785508015  (UK)<br>
++1 877-OPENSSL(6775) (US toll free)<br>
++1 301-956-2281 (US)<br>
+<a href="mailto:info at opensslfoundation.org">info at opensslfoundation.org</a>
+<p>
+You will probably wind up talking to Steve Marquess who currently handles OpenSSL commercial contracting,  he is
+reachable directly at <a href="mailto:marquess at opensslfoundation.org">marquess at opensslfoundation.org</a> or
+the telephone numbers above. 
diff --git a/docs/fips/fipsnotes.wml b/docs/fips/fipsnotes.wml
index 5ce62c8..ef2b234 100644
--- a/docs/fips/fipsnotes.wml
+++ b/docs/fips/fipsnotes.wml
@@ -84,7 +84,7 @@ no longer a suitable model for private label validations in its current form pas
 
 <h2>Upcoming Validations</h2>
 <p>
-No new validations are currently planned. The <a href="http://www.opensslfoundation.com/fips/ig95.html">I.G. 9.5</a>
+No new validations are currently planned. The <a href="http://www.openssl.com/fips/ig95.html">I.G. 9.5</a>
 issue has effectively precluded consideration of new validations for much of 2013, but with the July 25 2013 update of the
 <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf">Implementation Guidance</a>
 (I.G.) document such validations appear to be feasible again. We will be happy to discuss our current understanding of
diff --git a/docs/fips/fipsvalidation.wml b/docs/fips/fipsvalidation.wml
index f910477..b75ffb7 100644
--- a/docs/fips/fipsvalidation.wml
+++ b/docs/fips/fipsvalidation.wml
@@ -15,7 +15,7 @@ is documented in the <a href="UserGuide-1.2.pdf">1.2 User Guide</a>.
 <p>
 <font color="#cc3333">Important Note:</font>
 Due to new requirements introduced in 2013 the current v2.0 Module is no longer suitable as a
-reference for private label validations; see the <a href="http://www.opensslfoundation.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
+reference for private label validations; see the <a href="http://www.openssl.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
 Due to earlier changes in the FIPS 140-2 validation
 requirements the v1.2 Module is no longer be a suitable model for private label validations
 in its current form past the year 2010; see the NIST
@@ -83,7 +83,7 @@ remain valid for the platforms tested at the time those revisions were approved.
 <a name="sponsors">
 <h2>Sponsors</h2>
 </a>
-The OpenSSL Software Foundation receives support from multiple sources for each
+The OpenSSL FIPS Object Module validations receive support from multiple sources for each
 validation effort; however only those sponsors who have elected to be recognised
 for their contribution to OpenSSL are listed below.
 <ul>
@@ -151,7 +151,7 @@ Directorate-sponsored Homeland Open Security Technology (HOST) program</a>, algo
 </ul>
 <p>
 If you have an interest in sponsoring any changes or additions to this validation
-please contact the <a href="http://openssl.org/support/funding/support-contact.html">OSF</a>.
+please contact <a href="http://openssl.com/fips">OpenSSL Validation Services</a>.
 <p>
 Some commercial software vendors ask us "what do we gain from sponsoring a validation
 that our competition can also use?".  Our answer is "nothing, if you think in terms of
diff --git a/docs/fips/privatelabel.wml b/docs/fips/privatelabel.wml
index 81d2e0c..19a4f6e 100644
--- a/docs/fips/privatelabel.wml
+++ b/docs/fips/privatelabel.wml
@@ -21,8 +21,8 @@ The rest of this page is of historical interest only.
 
 <h2>What It Is</h2>
 
-We have found that one of the most popular commercial services offered by the
-OpenSSL Software Foundation is the <a href="fipsnotes.html#privatelabel">private label validation</a>.  It's not a
+We have found that one of the most popular commercial services offered by the OpenSSL team 
+is the <a href="fipsnotes.html#privatelabel">private label validation</a>.  It's not a
 business we ever planned to be in, but as the originators of the source code based
 OpenSSL FIPS Object Module validations, and with lots of practice, we've gotten pretty good at it.
 The revenue we earn from these validations supports the OpenSSL project, and for some
@@ -95,4 +95,4 @@ Note minor software modifications can often be accommodated in a change letter m
 <p>
 <hr>
 
-Interested?  Contact the <a href="/support/funding/support-contact.html">OSF</a>.
+Interested?  Contact <a href="http://openssl.com/fips">OpenSSL Software Services</a>.
diff --git a/docs/index.wml b/docs/index.wml
index bda3dc9..3ad49e6 100644
--- a/docs/index.wml
+++ b/docs/index.wml
@@ -31,7 +31,7 @@ features which are not present in other releases.
     HOWTO documents to introduce concepts or explain them in a way that is not possible in the manuals.
 <p>
 <li><a href="http://wiki.openssl.org/"><font id=sfl>WIKI</font></a><br>
-    A wiki providing information and guidance about openssl. Operated by the OpenSSL foundation.
+    A wiki providing information and guidance about openssl. Operated by the OpenSSL Software Foundation.
 <p>
 <li><a href="fips/"><font id=sfl>FIPS140</font></a>:<br>
     Data and documentation related to the FIPS140 validation support in OpenSSL
diff --git a/support/acknowledgments.wml b/support/acknowledgments.wml
index ca8345e..151c2fe 100644
--- a/support/acknowledgments.wml
+++ b/support/acknowledgments.wml
@@ -189,4 +189,4 @@ Please note that we ask permission to identify sponsors and that some sponsors w
 inclusion here have requested to remain anonymous.
 <p>
 Additional sponsorship or financial support of any kind is always welcome; for more information please 
-contact the <a href="funding/support-contact.html">OpenSSL Software Foundation</a> 
+contact the <a href="../about/openssl-contact.html">OpenSSL Software Foundation</a> 
diff --git a/support/consulting.wml b/support/consulting.wml
index c0fb199..12e773d 100644
--- a/support/consulting.wml
+++ b/support/consulting.wml
@@ -64,5 +64,5 @@ several formats such as our
 in mailing list announcements.
 
 <p>
-For further information please contact the <a href="funding/support-contact.html">OpenSSL Software Foundation</a>.
+For further information please contact our consulting organization, <a href="funding/support-contact.html">OpenSSL Software Services</a>.
 
diff --git a/support/donations-cn.wml b/support/donations-cn.wml
index 5cad838..eef9802 100644
--- a/support/donations-cn.wml
+++ b/support/donations-cn.wml
@@ -116,4 +116,4 @@ We really appreciate your support of the OpenSSL project!
 <br>
 <br>
 As noted above these donations are currently <em>not</em> tax-deductible!<br>
-For further information please contact the <a href="funding/support-contact.html">OpenSSL Software Foundation</a>.
+For further information please contact the <a href="about/openssl-contact.html">OpenSSL Software Foundation</a>.
diff --git a/support/donations.wml b/support/donations.wml
index 88c48e8..33f0662 100644
--- a/support/donations.wml
+++ b/support/donations.wml
@@ -8,10 +8,10 @@
 <p>Your donation to the OpenSSL team will support the ongoing development activities of the team members.
 </p>
 
-<p>Please note that the <a href="funding/support-contact.html">OpenSSL
-Software Foundation</a> (OSF) is incorporated in the the state of Delware,
+<p>Please note that the <a href="../about/openssl-contact.html">OpenSSL
+Software Foundation</a> (OSF) is incorporated in the the state of Delaware,
 United States, as a non-profit corporation.  It does not qualify as
-a charitable organisation under Section 501(c)(3) of the U.S. Internal
+a tax-exempt charitable organisation under Section 501(c)(3) of the U.S. Internal
 Revenue Code.  We looked into it and concluded that 501(c)(3) status
 would require more of an investment in time and money than we can justify
 at present.  This means that, for individuals within the U.S., donations
@@ -103,4 +103,4 @@ We also accept donations in any amount via credit card or PayPal:
 <br>
 <br>
 As noted above these donations are currently <em>not</em> tax-deductible!<br>
-For further information please contact the <a href="funding/support-contact.html">OpenSSL Software Foundation</a>.
+For further information please contact the <a href="../about/openssl-contact.html">OpenSSL Software Foundation</a>.
diff --git a/support/funding/contract.wml b/support/funding/contract.wml
index cd5c214..d45b6b1 100644
--- a/support/funding/contract.wml
+++ b/support/funding/contract.wml
@@ -33,5 +33,5 @@ custom arrangements.
     Per-incident support.
 <p>
 </ul>
-For further information please contact the <a href="support-contact.html">OSF</a>.
+For further information please contact <a href="support-contact.html">OpenSSL Software Services</a>.
 
diff --git a/support/funding/support-contact.wml b/support/funding/support-contact.wml
index b6fbd07..b66b75a 100644
--- a/support/funding/support-contact.wml
+++ b/support/funding/support-contact.wml
@@ -7,13 +7,13 @@
 
 Direct queries concerning support contracts, donations or consulting services to:<br>
 <br>
-The OpenSSL Software Foundation<br>
-1829 Mount Ephraim Road<br>
-Adamstown, MD  21710<br>
+OpenSSL Software Services, Inc.<br>
+40 E Main St, Suite 744<br>
+Newark DE 19711<br>
 USA<br>
-+1 877-OPENSSL (+1 877 673 6775)<br>
-<a href="mailto:info at opensslfoundation.com">info at opensslfoundation.com</a>
++1 240-215-3103<br>
+<a href="mailto:info at opensslservices.com">info at opensslservices.com</a>
 <p>
 You will probably wind up talking to Steve Marquess who currently handles OpenSSL commercial contracting,  he is
-reachable directly at <a href="mailto:marquess at opensslfoundation.com">marquess at opensslfoundation.com</a> or
+reachable directly at <a href="mailto:marquess at openssl.com">marquess at openssl.com</a> or
 the telephone number above. 

From ben at openssl.org  Thu Aug  6 21:14:29 2015
From: ben at openssl.org (Ben Laurie)
Date: Thu, 06 Aug 2015 21:14:29 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438895669.235719.19033.nullmailer@dev.openssl.org>

The branch master has been updated
       via  704563f04a8401781b359906c1f88a30e12af69c (commit)
      from  1125245997dac232a0c0867b6c858cda4e549c6d (commit)


- Log -----------------------------------------------------------------
commit 704563f04a8401781b359906c1f88a30e12af69c
Author: Ben Laurie <ben at links.org>
Date:   Thu Aug 6 21:32:58 2015 +0100

    Fix uninitalised warning.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/packettest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/packettest.c b/test/packettest.c
index 1ddb837..f7f9ec8 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -131,7 +131,7 @@ static int test_PACKET_get_net_2(PACKET *pkt, size_t start)
 
 static int test_PACKET_get_net_3(PACKET *pkt, size_t start)
 {
-    unsigned long i;
+    unsigned long i = 0;
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_net_3(pkt, &i)

From matt at openssl.org  Thu Aug  6 21:47:50 2015
From: matt at openssl.org (Matt Caswell)
Date: Thu, 06 Aug 2015 21:47:50 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1438897670.651118.28408.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e23a3fc8e38a889035bf0964c70c7699f4a38e5c (commit)
       via  04fe876b5616793b32e92e965a662bbbed7f71d1 (commit)
      from  704563f04a8401781b359906c1f88a30e12af69c (commit)


- Log -----------------------------------------------------------------
commit e23a3fc8e38a889035bf0964c70c7699f4a38e5c
Author: Adam Eijdenberg <adam.eijdenberg at gmail.com>
Date:   Tue Aug 4 16:29:07 2015 -0700

    Fix clang uninitialized variable warning.
    
    We could just initialize it, but to be consistent with the rest of the file
    it seemed to make more sense to just drop.
    
    Reviewed-by: Ben Laurie <ben at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 04fe876b5616793b32e92e965a662bbbed7f71d1
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 6 22:44:29 2015 +0100

    Revert "Fix uninitalised warning."
    
    This reverts commit 704563f04a8401781b359906c1f88a30e12af69c.
    
    Reverting in favour of the next commit which removes the underlying cause
    of the warning.
    
    Reviewed-by: Ben Laurie <ben at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/packettest.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/test/packettest.c b/test/packettest.c
index f7f9ec8..d6d0c08 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -131,7 +131,7 @@ static int test_PACKET_get_net_2(PACKET *pkt, size_t start)
 
 static int test_PACKET_get_net_3(PACKET *pkt, size_t start)
 {
-    unsigned long i = 0;
+    unsigned long i;
 
     if (       !PACKET_goto_bookmark(pkt, start)
             || !PACKET_get_net_3(pkt, &i)
@@ -140,7 +140,6 @@ static int test_PACKET_get_net_3(PACKET *pkt, size_t start)
             || !PACKET_get_net_3(pkt, &i)
             ||  i != 0xfafcfeUL
             ||  PACKET_get_net_3(pkt, &i)) {
-        fprintf(stderr, "i is %ld\n", i);
         fprintf(stderr, "test_PACKET_get_net_3() failed\n");
         return 0;
     }

From kurt at openssl.org  Fri Aug  7 20:34:26 2015
From: kurt at openssl.org (Kurt Roeckx)
Date: Fri, 07 Aug 2015 20:34:26 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1438979666.646377.19647.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ae7d72147f98d0d1f6d20ca51a97b713446a67fc (commit)
      from  3028310b6b3d3eb66b052f2fb5d065e783cafe76 (commit)


- Log -----------------------------------------------------------------
commit ae7d72147f98d0d1f6d20ca51a97b713446a67fc
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Fri Aug 7 22:33:56 2015 +0200

    1.0.2 is an LTS release

-----------------------------------------------------------------------

Summary of changes:
 about/releasestrat.wml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/about/releasestrat.wml b/about/releasestrat.wml
index a25b04b..fdd9163 100644
--- a/about/releasestrat.wml
+++ b/about/releasestrat.wml
@@ -55,7 +55,7 @@ fixes will be applied as appropriate.</p>
 <ul>
 <li><p>Version 1.0.1 will be supported until 2016-12-31.</p></li>
 
-<li><p>Version 1.0.2 will be supported until at least 2016-12-31.</p></li>
+<li><p>Version 1.0.2 will be supported until 2019-12-31.</p></li>
 </ul>
 
 <p>At this time, we are not planning a 1.0.3 release.</p>

From rsalz at openssl.org  Sat Aug  8 22:13:45 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 08 Aug 2015 22:13:45 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439072025.652867.14552.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2bfbeb264573342bea475f6dbb5b4c7fec8fdb0a (commit)
      from  e23a3fc8e38a889035bf0964c70c7699f4a38e5c (commit)


- Log -----------------------------------------------------------------
commit 2bfbeb264573342bea475f6dbb5b4c7fec8fdb0a
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Fri Aug 7 22:18:26 2015 -0400

    RT3998: fix X509_check_host.pod release to 1.0.2
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Ben Laurie <ben at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/X509_check_host.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index eab2586..5804115 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -135,6 +135,6 @@ L<X509_VERIFY_PARAM_set1_ipasc(3)|X509_VERIFY_PARAM_set1_ipasc(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.1.0.
+These functions were added in OpenSSL 1.0.2.
 
 =cut

From rsalz at openssl.org  Sat Aug  8 22:14:37 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 08 Aug 2015 22:14:37 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439072077.539107.19540.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  5d786e9e2d08900cb823b73b0095f85eb2cedc7e (commit)
      from  9ea70e5b4097a1319d90fca289c2a3940e846f6b (commit)


- Log -----------------------------------------------------------------
commit 5d786e9e2d08900cb823b73b0095f85eb2cedc7e
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Fri Aug 7 22:18:26 2015 -0400

    RT3998: fix X509_check_host.pod release to 1.0.2
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Ben Laurie <ben at openssl.org>
    (cherry picked from commit 2bfbeb264573342bea475f6dbb5b4c7fec8fdb0a)

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/X509_check_host.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 0def17a..521b9f5 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -135,6 +135,6 @@ L<X509_VERIFY_PARAM_set1_ipasc(3)|X509_VERIFY_PARAM_set1_ipasc(3)>
 
 =head1 HISTORY
 
-These functions were added in OpenSSL 1.1.0.
+These functions were added in OpenSSL 1.0.2.
 
 =cut

From rsalz at openssl.org  Sat Aug  8 22:18:11 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 08 Aug 2015 22:18:11 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439072291.391057.26785.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ff4a9394a2380140209a9ce2849f011063af1ecc (commit)
      from  2bfbeb264573342bea475f6dbb5b4c7fec8fdb0a (commit)


- Log -----------------------------------------------------------------
commit ff4a9394a2380140209a9ce2849f011063af1ecc
Author: bluelineXY <m.schroen at web.de>
Date:   Tue Aug 4 13:23:00 2015 +0200

    GH357: Update ocsp.c
    
    Add Host Header in OCSP query if no host header is set via -header
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Ben Laurie <ben at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/ocsp.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 44f5841..5b3092a 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1262,6 +1262,8 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
     BIO *cbio = NULL;
     SSL_CTX *ctx = NULL;
     OCSP_RESPONSE *resp = NULL;
+    int found, i;
+
     cbio = BIO_new_connect(host);
     if (!cbio) {
         BIO_printf(bio_err, "Error creating connect BIO\n");
@@ -1280,6 +1282,17 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
         sbio = BIO_new_ssl(ctx, 1);
         cbio = BIO_push(sbio, cbio);
     }
+    for (found = i = 0; i < sk_CONF_VALUE_num(headers); i++) {
+       CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+       if (strcasecmp("host", hdr->name) == 0) {
+           found = 1;
+           break;
+       }
+    }
+
+    if (!found && !X509V3_add_value("Host", host, &headers))
+        BIO_printf(bio_err, "Error setting HTTP Host header\n");
+
     resp = query_responder(cbio, path, headers, req, req_timeout);
     if (!resp)
         BIO_printf(bio_err, "Error querying OCSP responder\n");

From ben at openssl.org  Mon Aug 10 12:29:13 2015
From: ben at openssl.org (Ben Laurie)
Date: Mon, 10 Aug 2015 12:29:13 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439209753.382449.24187.nullmailer@dev.openssl.org>

The branch master has been updated
       via  4b9cb35d85c32a8ebc973355bdb4833e719af108 (commit)
      from  ff4a9394a2380140209a9ce2849f011063af1ecc (commit)


- Log -----------------------------------------------------------------
commit 4b9cb35d85c32a8ebc973355bdb4833e719af108
Author: Ben Laurie <ben at links.org>
Date:   Sun Aug 9 10:47:03 2015 +0100

    Find the right indent on *BSD.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 util/openssl-format-source | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/util/openssl-format-source b/util/openssl-format-source
index 4ea2f1b..7258836 100755
--- a/util/openssl-format-source
+++ b/util/openssl-format-source
@@ -21,6 +21,9 @@ HERE="`dirname $0`"
 
 set -e
 
+INDENT=indent
+uname -s | grep BSD > /dev/null && type gindent > /dev/null 2>&1 && INDENT=gindent
+
 if [ $# -eq 0 ]; then
   echo "usage: $0 [-v] [-n] [-c] [sourcefile|sourcedir] ..." >&2
   exit 1
@@ -120,11 +123,11 @@ do
 	      -e '/ASN1_(ITEM_ref|ITEM_ptr|ITEM_rptr|PCTX)/ || s/^((ASN1|ADB)_[^\*]*[){=,]+[ \t]*)$/\/**INDENT-OFF**\/\n$1/;' \
 	      -e 's/^(} (ASN1|ADB)_[^\*]*[\){=,;]+)$/$1\n\/**INDENT-ON**\//;' \
 	      | \
-	      $DEBUG indent $INDENT_ARGS | \
+	      $DEBUG $INDENT $INDENT_ARGS | \
 	      perl -np \
 		-e 's/^([ \t]*)\/\*-(.*)\*\/[ \t]*$/$1\/*$2*\//;' \
 		-e 's/^\/\*-((Copyright|=|----).*)$/\/* $1/;' \
-	      | indent | \
+	      | $INDENT | \
 	      perl -0 -np \
 		-e 's/\/\*\*INDENT-(ON|OFF)\*\*\/\n//g;' \
 	      | perl -np \
@@ -133,7 +136,7 @@ do
 	      | perl "$HERE"/su-filter.pl \
 	      > "$tmp"
 	  else
-	    expand "$j" | indent $INDENT_ARGS > "$tmp"
+	    expand "$j" | $INDENT $INDENT_ARGS > "$tmp"
 	  fi;
 	  if cmp -s "$tmp" "$j"; then
 	    if [ "$VERBOSE" = "true" ]; then

From kurt at openssl.org  Mon Aug 10 14:46:22 2015
From: kurt at openssl.org (Kurt Roeckx)
Date: Mon, 10 Aug 2015 14:46:22 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439217982.053423.3089.nullmailer@dev.openssl.org>

The branch master has been updated
       via  7054f23464d7f9062cd62034f4e91e346ddfd4f6 (commit)
      from  ae7d72147f98d0d1f6d20ca51a97b713446a67fc (commit)


- Log -----------------------------------------------------------------
commit 7054f23464d7f9062cd62034f4e91e346ddfd4f6
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Mon Aug 10 16:46:00 2015 +0200

    Update last modified date

-----------------------------------------------------------------------

Summary of changes:
 about/releasestrat.wml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/about/releasestrat.wml b/about/releasestrat.wml
index fdd9163..cc20ee1 100644
--- a/about/releasestrat.wml
+++ b/about/releasestrat.wml
@@ -4,7 +4,7 @@
 <title>About, Release Strategy</title>
 <h1><center>OpenSSL Release Strategy</center></h1>
 <h2><center>First issued 23rd December 2014</center></h2>
-<h2><center>Last modified 23rd December 2014</center></h2>
+<h2><center>Last modified 9th August 2015</center></h2>
 <p>
 <br>
 </p>

From rsalz at openssl.org  Mon Aug 10 16:00:35 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 10 Aug 2015 16:00:35 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439222435.711915.24168.nullmailer@dev.openssl.org>

The branch master has been updated
       via  82c494276df9f594064688c920c4431c85759121 (commit)
      from  4b9cb35d85c32a8ebc973355bdb4833e719af108 (commit)


- Log -----------------------------------------------------------------
commit 82c494276df9f594064688c920c4431c85759121
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 10 11:37:48 2015 -0400

    Fix build break.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.h | 2 +-
 apps/ocsp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/apps.h b/apps/apps.h
index f2dc812..99c5809 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -450,7 +450,7 @@ ENGINE *setup_engine(const char *engine, int debug);
 OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
                                  const char *host, const char *path,
                                  const char *port, int use_ssl,
-                                 const STACK_OF(CONF_VALUE) *headers,
+                                 STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout);
 # endif
 
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 5b3092a..7193dae 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1256,7 +1256,7 @@ static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
 OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
                                  const char *host, const char *path,
                                  const char *port, int use_ssl,
-                                 const STACK_OF(CONF_VALUE) *headers,
+                                 STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout)
 {
     BIO *cbio = NULL;

From rsalz at openssl.org  Mon Aug 10 16:13:51 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 10 Aug 2015 16:13:51 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439223231.819303.5745.nullmailer@dev.openssl.org>

The branch master has been updated
       via  fbfcb2243941bc84b7585711feb906610f9111c4 (commit)
      from  82c494276df9f594064688c920c4431c85759121 (commit)


- Log -----------------------------------------------------------------
commit fbfcb2243941bc84b7585711feb906610f9111c4
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Aug 7 17:09:30 2015 -0400

    RT3999: Remove sub-component version strings
    
    Especially since after the #ifdef cleanups this is not useful.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/aes/aes_misc.c       | 2 --
 crypto/asn1/asn1_lib.c      | 1 -
 crypto/bf/bf_ecb.c          | 2 --
 crypto/bn/bn_lib.c          | 2 --
 crypto/camellia/cmll_misc.c | 2 --
 crypto/cast/c_ecb.c         | 2 --
 crypto/conf/conf_def.c      | 2 --
 crypto/conf/conf_lib.c      | 2 --
 crypto/des/ecb_enc.c        | 2 --
 crypto/dh/dh_lib.c          | 2 --
 crypto/dsa/dsa_lib.c        | 2 --
 crypto/ec/ec_lib.c          | 2 --
 crypto/ecdh/ech_lib.c       | 2 --
 crypto/ecdsa/ecs_lib.c      | 2 --
 crypto/evp/evp_enc.c        | 2 --
 crypto/idea/i_ecb.c         | 2 --
 crypto/lhash/lhash.c        | 2 --
 crypto/md2/md2_dgst.c       | 2 --
 crypto/md4/md4_dgst.c       | 2 --
 crypto/md5/md5_dgst.c       | 2 --
 crypto/pem/pem_lib.c        | 2 --
 crypto/rand/md_rand.c       | 2 --
 crypto/rc2/rc2_ecb.c        | 2 --
 crypto/rc4/rc4_skey.c       | 2 --
 crypto/rc5/rc5_ecb.c        | 2 --
 crypto/ripemd/rmd_dgst.c    | 2 --
 crypto/rsa/rsa_lib.c        | 2 --
 crypto/sha/sha1dgst.c       | 2 --
 crypto/sha/sha256.c         | 2 --
 crypto/sha/sha512.c         | 2 --
 crypto/stack/stack.c        | 2 --
 crypto/txt_db/txt_db.c      | 2 --
 crypto/x509/x509_vfy.c      | 1 -
 include/openssl/opensslv.h  | 1 -
 ssl/d1_lib.c                | 1 -
 ssl/s3_lib.c                | 2 --
 ssl/t1_lib.c                | 2 --
 37 files changed, 70 deletions(-)

diff --git a/crypto/aes/aes_misc.c b/crypto/aes/aes_misc.c
index 68a48ba..1775442 100644
--- a/crypto/aes/aes_misc.c
+++ b/crypto/aes/aes_misc.c
@@ -53,8 +53,6 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
-const char AES_version[] = "AES" OPENSSL_VERSION_PTEXT;
-
 const char *AES_options(void)
 {
 #ifdef FULL_UNROLL
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index b611f35..94b5ad5 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -64,7 +64,6 @@
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
                            int max);
 static void asn1_put_length(unsigned char **pp, int length);
-const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
 
 static int _asn1_check_infinite_end(const unsigned char **p, long len)
 {
diff --git a/crypto/bf/bf_ecb.c b/crypto/bf/bf_ecb.c
index 967a7f5..7a45a02 100644
--- a/crypto/bf/bf_ecb.c
+++ b/crypto/bf/bf_ecb.c
@@ -66,8 +66,6 @@
  * SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993)
  */
 
-const char BF_version[] = "Blowfish" OPENSSL_VERSION_PTEXT;
-
 const char *BF_options(void)
 {
 #ifdef BF_PTR
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index f10f44a..4e133ce 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -66,8 +66,6 @@
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
 
-const char BN_version[] = "Big Number" OPENSSL_VERSION_PTEXT;
-
 /* This stuff appears to be completely unused, so is deprecated */
 #ifndef OPENSSL_NO_DEPRECATED
 /*-
diff --git a/crypto/camellia/cmll_misc.c b/crypto/camellia/cmll_misc.c
index 4e15906..d73499b 100644
--- a/crypto/camellia/cmll_misc.c
+++ b/crypto/camellia/cmll_misc.c
@@ -53,8 +53,6 @@
 #include <openssl/camellia.h>
 #include "cmll_locl.h"
 
-const char CAMELLIA_version[] = "CAMELLIA" OPENSSL_VERSION_PTEXT;
-
 int Camellia_set_key(const unsigned char *userKey, const int bits,
                      CAMELLIA_KEY *key)
 {
diff --git a/crypto/cast/c_ecb.c b/crypto/cast/c_ecb.c
index 4793f28..2430bb5 100644
--- a/crypto/cast/c_ecb.c
+++ b/crypto/cast/c_ecb.c
@@ -60,8 +60,6 @@
 #include "cast_lcl.h"
 #include <openssl/opensslv.h>
 
-const char CAST_version[] = "CAST" OPENSSL_VERSION_PTEXT;
-
 void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
                       const CAST_KEY *ks, int enc)
 {
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index 098fc8e..b490377 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -88,8 +88,6 @@ static int def_dump(const CONF *conf, BIO *bp);
 static int def_is_number(const CONF *conf, char c);
 static int def_to_int(const CONF *conf, char c);
 
-const char CONF_def_version[] = "CONF_def" OPENSSL_VERSION_PTEXT;
-
 static CONF_METHOD default_method = {
     "OpenSSL default",
     def_create,
diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c
index 838a645..12a061c 100644
--- a/crypto/conf/conf_lib.c
+++ b/crypto/conf/conf_lib.c
@@ -64,8 +64,6 @@
 #include <openssl/conf_api.h>
 #include <openssl/lhash.h>
 
-const char CONF_version[] = "CONF" OPENSSL_VERSION_PTEXT;
-
 static CONF_METHOD *default_CONF_method = NULL;
 
 /* Init a 'CONF' structure from an old LHASH */
diff --git a/crypto/des/ecb_enc.c b/crypto/des/ecb_enc.c
index f97fd97..d638a49 100644
--- a/crypto/des/ecb_enc.c
+++ b/crypto/des/ecb_enc.c
@@ -61,8 +61,6 @@
 #include <openssl/opensslv.h>
 #include <openssl/bio.h>
 
-OPENSSL_GLOBAL const char libdes_version[] = "libdes" OPENSSL_VERSION_PTEXT;
-OPENSSL_GLOBAL const char DES_version[] = "DES" OPENSSL_VERSION_PTEXT;
 
 const char *DES_options(void)
 {
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index cce2514..4e087d0 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -64,8 +64,6 @@
 # include <openssl/engine.h>
 #endif
 
-const char DH_version[] = "Diffie-Hellman" OPENSSL_VERSION_PTEXT;
-
 static const DH_METHOD *default_DH_method = NULL;
 
 void DH_set_default_method(const DH_METHOD *meth)
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index cb59e7e..a4a8163 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -70,8 +70,6 @@
 # include <openssl/dh.h>
 #endif
 
-const char DSA_version[] = "DSA" OPENSSL_VERSION_PTEXT;
-
 static const DSA_METHOD *default_DSA_method = NULL;
 
 void DSA_set_default_method(const DSA_METHOD *meth)
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 3ddaa5d..cd08a55 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -68,8 +68,6 @@
 
 #include "ec_lcl.h"
 
-const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
-
 /* functions for EC_GROUP objects */
 
 EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c
index 62734bc..363d2fe 100644
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -74,8 +74,6 @@
 #endif
 #include <openssl/err.h>
 
-const char ECDH_version[] = "ECDH" OPENSSL_VERSION_PTEXT;
-
 static const ECDH_METHOD *default_ECDH_method = NULL;
 
 static void *ecdh_data_new(void);
diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c
index cabf6ec..0db3534 100644
--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@@ -61,8 +61,6 @@
 #include <openssl/err.h>
 #include <openssl/bn.h>
 
-const char ECDSA_version[] = "ECDSA" OPENSSL_VERSION_PTEXT;
-
 static const ECDSA_METHOD *default_ECDSA_method = NULL;
 
 static void *ecdsa_data_new(void);
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 125556e..405cbb0 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -66,8 +66,6 @@
 #endif
 #include "evp_locl.h"
 
-const char EVP_version[] = "EVP" OPENSSL_VERSION_PTEXT;
-
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
 {
     memset(ctx, 0, sizeof(*ctx));
diff --git a/crypto/idea/i_ecb.c b/crypto/idea/i_ecb.c
index a6b879a..4ed206e 100644
--- a/crypto/idea/i_ecb.c
+++ b/crypto/idea/i_ecb.c
@@ -60,8 +60,6 @@
 #include "idea_lcl.h"
 #include <openssl/opensslv.h>
 
-const char IDEA_version[] = "IDEA" OPENSSL_VERSION_PTEXT;
-
 const char *idea_options(void)
 {
     if (sizeof(short) != sizeof(IDEA_INT))
diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
index 083310e..0c9ce8f 100644
--- a/crypto/lhash/lhash.c
+++ b/crypto/lhash/lhash.c
@@ -101,8 +101,6 @@
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
 
-const char lh_version[] = "lhash" OPENSSL_VERSION_PTEXT;
-
 #undef MIN_NODES
 #define MIN_NODES       16
 #define UP_LOAD         (2*LH_LOAD_MULT) /* load times 256 (default 2) */
diff --git a/crypto/md2/md2_dgst.c b/crypto/md2/md2_dgst.c
index 70c19fb..bb0a7a3 100644
--- a/crypto/md2/md2_dgst.c
+++ b/crypto/md2/md2_dgst.c
@@ -63,8 +63,6 @@
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
 
-const char MD2_version[] = "MD2" OPENSSL_VERSION_PTEXT;
-
 /*
  * Implemented from RFC1319 The MD2 Message-Digest Algorithm
  */
diff --git a/crypto/md4/md4_dgst.c b/crypto/md4/md4_dgst.c
index 966cebe..2b7881e 100644
--- a/crypto/md4/md4_dgst.c
+++ b/crypto/md4/md4_dgst.c
@@ -60,8 +60,6 @@
 #include <openssl/opensslv.h>
 #include "md4_locl.h"
 
-const char MD4_version[] = "MD4" OPENSSL_VERSION_PTEXT;
-
 /*
  * Implemented from RFC1186 The MD4 Message-Digest Algorithm
  */
diff --git a/crypto/md5/md5_dgst.c b/crypto/md5/md5_dgst.c
index 335126c..f73ca7c 100644
--- a/crypto/md5/md5_dgst.c
+++ b/crypto/md5/md5_dgst.c
@@ -60,8 +60,6 @@
 #include "md5_locl.h"
 #include <openssl/opensslv.h>
 
-const char MD5_version[] = "MD5" OPENSSL_VERSION_PTEXT;
-
 /*
  * Implemented from RFC1321 The MD5 Message-Digest Algorithm
  */
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 47be640..23b347f 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -74,8 +74,6 @@
 # include <openssl/engine.h>
 #endif
 
-const char PEM_version[] = "PEM" OPENSSL_VERSION_PTEXT;
-
 #define MIN_LENGTH      4
 
 static int load_iv(char **fromp, unsigned char *to, int num);
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 27e785d..c7d54ed 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -164,8 +164,6 @@ static CRYPTO_THREADID locking_threadid;
 int rand_predictable = 0;
 #endif
 
-const char RAND_version[] = "RAND" OPENSSL_VERSION_PTEXT;
-
 static void rand_hw_seed(EVP_MD_CTX *ctx);
 
 static void ssleay_rand_cleanup(void);
diff --git a/crypto/rc2/rc2_ecb.c b/crypto/rc2/rc2_ecb.c
index 48442a3..4cb1a80 100644
--- a/crypto/rc2/rc2_ecb.c
+++ b/crypto/rc2/rc2_ecb.c
@@ -60,8 +60,6 @@
 #include "rc2_locl.h"
 #include <openssl/opensslv.h>
 
-const char RC2_version[] = "RC2" OPENSSL_VERSION_PTEXT;
-
 /*-
  * RC2 as implemented frm a posting from
  * Newsgroups: sci.crypt
diff --git a/crypto/rc4/rc4_skey.c b/crypto/rc4/rc4_skey.c
index ce38224..7b198bb 100644
--- a/crypto/rc4/rc4_skey.c
+++ b/crypto/rc4/rc4_skey.c
@@ -60,8 +60,6 @@
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>
 
-const char RC4_version[] = "RC4" OPENSSL_VERSION_PTEXT;
-
 const char *RC4_options(void)
 {
 #ifdef RC4_INDEX
diff --git a/crypto/rc5/rc5_ecb.c b/crypto/rc5/rc5_ecb.c
index e657a93..2b5fa2a 100644
--- a/crypto/rc5/rc5_ecb.c
+++ b/crypto/rc5/rc5_ecb.c
@@ -60,8 +60,6 @@
 #include "rc5_locl.h"
 #include <openssl/opensslv.h>
 
-const char RC5_version[] = "RC5" OPENSSL_VERSION_PTEXT;
-
 void RC5_32_ecb_encrypt(const unsigned char *in, unsigned char *out,
                         RC5_32_KEY *ks, int encrypt)
 {
diff --git a/crypto/ripemd/rmd_dgst.c b/crypto/ripemd/rmd_dgst.c
index 2496c11..f351df1 100644
--- a/crypto/ripemd/rmd_dgst.c
+++ b/crypto/ripemd/rmd_dgst.c
@@ -60,8 +60,6 @@
 #include "rmd_locl.h"
 #include <openssl/opensslv.h>
 
-const char RMD160_version[] = "RIPE-MD160" OPENSSL_VERSION_PTEXT;
-
 #ifdef RMD160_ASM
 void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p, size_t num);
 # define ripemd160_block ripemd160_block_x86
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 2ec39e7..76c9796 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -67,8 +67,6 @@
 # include <openssl/engine.h>
 #endif
 
-const char RSA_version[] = "RSA" OPENSSL_VERSION_PTEXT;
-
 static const RSA_METHOD *default_RSA_meth = NULL;
 
 RSA *RSA_new(void)
diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c
index 9f1b8f0..a6c6338 100644
--- a/crypto/sha/sha1dgst.c
+++ b/crypto/sha/sha1dgst.c
@@ -61,8 +61,6 @@
 
 # include <openssl/opensslv.h>
 
-const char SHA1_version[] = "SHA1" OPENSSL_VERSION_PTEXT;
-
 /* The implementation is in ../md32_common.h */
 
 # include "sha_locl.h"
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index c112b04..096981b 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -13,8 +13,6 @@
 #include <openssl/sha.h>
 #include <openssl/opensslv.h>
 
-const char SHA256_version[] = "SHA-256" OPENSSL_VERSION_PTEXT;
-
 int SHA224_Init(SHA256_CTX *c)
 {
     memset(c, 0, sizeof(*c));
diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c
index ebae411..427cdf5 100644
--- a/crypto/sha/sha512.c
+++ b/crypto/sha/sha512.c
@@ -49,8 +49,6 @@
 
 #include "internal/cryptlib.h"
 
-const char SHA512_version[] = "SHA-512" OPENSSL_VERSION_PTEXT;
-
 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
     defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
     defined(__s390__) || defined(__s390x__) || \
diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c
index a6182df..c7643db 100644
--- a/crypto/stack/stack.c
+++ b/crypto/stack/stack.c
@@ -71,8 +71,6 @@ struct stack_st {
 #undef MIN_NODES
 #define MIN_NODES       4
 
-const char STACK_version[] = "Stack" OPENSSL_VERSION_PTEXT;
-
 #include <errno.h>
 
 int (*sk_set_cmp_func(_STACK *sk, int (*c) (const void *, const void *)))
diff --git a/crypto/txt_db/txt_db.c b/crypto/txt_db/txt_db.c
index 5b1e592..2c4d2cd 100644
--- a/crypto/txt_db/txt_db.c
+++ b/crypto/txt_db/txt_db.c
@@ -66,8 +66,6 @@
 #undef BUFSIZE
 #define BUFSIZE 512
 
-const char TXT_DB_version[] = "TXT_DB" OPENSSL_VERSION_PTEXT;
-
 TXT_DB *TXT_DB_read(BIO *in, int num)
 {
     TXT_DB *ret = NULL;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index df012dd..26867cb 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -138,7 +138,6 @@ static int check_crl_chain(X509_STORE_CTX *ctx,
                            STACK_OF(X509) *crl_path);
 
 static int internal_verify(X509_STORE_CTX *ctx);
-const char X509_version[] = "X.509" OPENSSL_VERSION_PTEXT;
 
 static int null_callback(int ok, X509_STORE_CTX *e)
 {
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 97c27e7..5b6abdf 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -36,7 +36,6 @@ extern "C" {
 # else
 #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.0-dev xx XXX xxxx"
 # endif
-# define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index c0ed8fb..fc1887a 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -75,7 +75,6 @@
 static void get_current_time(struct timeval *t);
 static int dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
 static int dtls1_handshake_write(SSL *s);
-const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT;
 int dtls1_listen(SSL *s, struct sockaddr *client);
 
 const SSL3_ENC_METHOD DTLSv1_enc_data = {
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index d39346a..83b8f68 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -157,8 +157,6 @@
 #endif
 #include <openssl/rand.h>
 
-const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
-
 #define SSL3_NUM_CIPHERS        OSSL_NELEM(ssl3_ciphers)
 
 /* list of available SSLv3 ciphers (sorted by id) */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c0dd35f..ece2b72 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -121,8 +121,6 @@
 #endif
 #include "ssl_locl.h"
 
-const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
-
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
                               const unsigned char *sess_id, int sesslen,
                               SSL_SESSION **psess);

From rsalz at openssl.org  Mon Aug 10 16:18:00 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 10 Aug 2015 16:18:00 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439223480.895286.10626.nullmailer@dev.openssl.org>

The branch master has been updated
       via  fd682e4cddc44b2869f43c910be49ab4f3a09b08 (commit)
      from  fbfcb2243941bc84b7585711feb906610f9111c4 (commit)


- Log -----------------------------------------------------------------
commit fd682e4cddc44b2869f43c910be49ab4f3a09b08
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 6 12:22:31 2015 -0400

    GH365: Missing #ifdef rename.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/speed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index 1a3027b..ca93d2c 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -429,7 +429,7 @@ OPT_PAIR doit_choices[] = {
 #ifndef OPENSSL_NO_WHIRLPOOL
     {"whirlpool", D_WHIRLPOOL},
 #endif
-#ifndef OPENSSL_NO_RIPEMD
+#ifndef OPENSSL_NO_RMD160
     {"ripemd", D_RMD160},
     {"rmd160", D_RMD160},
     {"ripemd160", D_RMD160},
@@ -605,7 +605,7 @@ int speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_WHIRLPOOL
     unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH];
 #endif
-#ifndef OPENSSL_NO_RIPEMD
+#ifndef OPENSSL_NO_RMD160
     unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
 #endif
 #ifndef OPENSSL_NO_RC4

From matt at openssl.org  Tue Aug 11 19:26:29 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 19:26:29 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439321189.563068.29686.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6a009812b2e249fed01488f6f19f9fbfd9ee74c4 (commit)
       via  61e72d761c945e128ca13599a98a187ac23650dd (commit)
       via  870063c83db6514b0cb637b86cadbc9f5c2270a9 (commit)
      from  fd682e4cddc44b2869f43c910be49ab4f3a09b08 (commit)


- Log -----------------------------------------------------------------
commit 6a009812b2e249fed01488f6f19f9fbfd9ee74c4
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 10 12:00:29 2015 +0100

    Check for 0 modulus in BN_MONT_CTX_set
    
    The function BN_MONT_CTX_set was assuming that the modulus was non-zero
    and therefore that |mod->top| > 0. In an error situation that may not be
    the case and could cause a seg fault.
    
    This is a follow on from CVE-2015-1794.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 61e72d761c945e128ca13599a98a187ac23650dd
Author: Guy Leaver (guleaver) <guleaver at cisco.com>
Date:   Fri Aug 7 15:45:21 2015 +0100

    Fix seg fault with 0 p val in SKE
    
    If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
    value of p set to 0 then a seg fault can occur. This commits adds a test to
    reject p, g and pub key parameters that have a 0 value (in accordance with
    RFC 5246)
    
    The security vulnerability only affects master and 1.0.2, but the fix is
    additionally applied to 1.0.1 for additional confidence.
    
    CVE-2015-1794
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 870063c83db6514b0cb637b86cadbc9f5c2270a9
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Aug 7 15:42:37 2015 +0100

    Normalise make errors output
    
    make errors wants things in a different order to the way things are
    currently defined in the header files. The easiest fix is to just let it
    reorder it.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_mont.c   |  3 +++
 include/openssl/ssl.h |  5 ++++-
 ssl/s3_clnt.c         | 16 ++++++++++++++++
 ssl/ssl_err.c         |  5 ++++-
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index 1580e97..d4d817a 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -351,6 +351,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
     int ret = 0;
     BIGNUM *Ri, *R;
 
+    if (BN_is_zero(mod))
+        return 0;
+
     BN_CTX_start(ctx);
     if ((Ri = BN_CTX_get(ctx)) == NULL)
         goto err;
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 06ac5c1..28c2fb9 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2016,7 +2016,6 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_CTX_SET_TRUST                          229
 # define SSL_F_SSL_CTX_USE_CERTIFICATE                    171
 # define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1               172
-# define SSL_F_USE_CERTIFICATE_CHAIN_FILE                 220
 # define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE               173
 # define SSL_F_SSL_CTX_USE_PRIVATEKEY                     174
 # define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1                175
@@ -2097,6 +2096,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_TLS1_PROCESS_HEARTBEAT                     341
 # define SSL_F_TLS1_SETUP_KEY_BLOCK                       211
 # define SSL_F_TLS1_SET_SERVER_SIGALGS                    335
+# define SSL_F_USE_CERTIFICATE_CHAIN_FILE                 220
 
 /* Reason codes. */
 # define SSL_R_APP_DATA_IN_HANDSHAKE                      100
@@ -2107,8 +2107,11 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
 # define SSL_R_BAD_DECOMPRESSION                          107
 # define SSL_R_BAD_DH_G_LENGTH                            108
+# define SSL_R_BAD_DH_G_VALUE                             375
 # define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE                       393
 # define SSL_R_BAD_DH_P_LENGTH                            110
+# define SSL_R_BAD_DH_P_VALUE                             395
 # define SSL_R_BAD_DIGEST_LENGTH                          111
 # define SSL_R_BAD_DSA_SIGNATURE                          112
 # define SSL_R_BAD_ECC_CERT                               304
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index cd6918a..1661b0e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1693,6 +1693,12 @@ int ssl3_get_key_exchange(SSL *s)
         }
         p += i;
 
+        if (BN_is_zero(dh->p)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
+            goto f_err;
+        }
+
+
         if (2 > n - param_len) {
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1713,6 +1719,11 @@ int ssl3_get_key_exchange(SSL *s)
         }
         p += i;
 
+        if (BN_is_zero(dh->g)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
+            goto f_err;
+        }
+
         if (2 > n - param_len) {
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1734,6 +1745,11 @@ int ssl3_get_key_exchange(SSL *s)
         p += i;
         n -= param_len;
 
+        if (BN_is_zero(dh->pub_key)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE);
+            goto f_err;
+        }
+
         if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
             al = SSL_AD_HANDSHAKE_FAILURE;
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_DH_KEY_TOO_SMALL);
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 539146f..21836d8 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -226,7 +226,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
     {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),
      "SSL_CTX_use_certificate_ASN1"},
-    {ERR_FUNC(SSL_F_USE_CERTIFICATE_CHAIN_FILE), "use_certificate_chain_file"},
     {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE),
      "SSL_CTX_use_certificate_file"},
     {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
@@ -331,6 +330,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_TLS1_PROCESS_HEARTBEAT), "tls1_process_heartbeat"},
     {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"},
     {ERR_FUNC(SSL_F_TLS1_SET_SERVER_SIGALGS), "tls1_set_server_sigalgs"},
+    {ERR_FUNC(SSL_F_USE_CERTIFICATE_CHAIN_FILE), "use_certificate_chain_file"},
     {0, NULL}
 };
 
@@ -345,8 +345,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "bad data returned by callback"},
     {ERR_REASON(SSL_R_BAD_DECOMPRESSION), "bad decompression"},
     {ERR_REASON(SSL_R_BAD_DH_G_LENGTH), "bad dh g length"},
+    {ERR_REASON(SSL_R_BAD_DH_G_VALUE), "bad dh g value"},
     {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH), "bad dh pub key length"},
+    {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_VALUE), "bad dh pub key value"},
     {ERR_REASON(SSL_R_BAD_DH_P_LENGTH), "bad dh p length"},
+    {ERR_REASON(SSL_R_BAD_DH_P_VALUE), "bad dh p value"},
     {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
     {ERR_REASON(SSL_R_BAD_DSA_SIGNATURE), "bad dsa signature"},
     {ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"},

From matt at openssl.org  Tue Aug 11 19:26:39 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 19:26:39 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439321199.710729.30602.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  512368c9ed4d53fb230000e83071eb81bf628b22 (commit)
       via  ada57746b6b80beae73111fe1291bf8dd89af91c (commit)
      from  5d786e9e2d08900cb823b73b0095f85eb2cedc7e (commit)


- Log -----------------------------------------------------------------
commit 512368c9ed4d53fb230000e83071eb81bf628b22
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 10 12:00:29 2015 +0100

    Check for 0 modulus in BN_MONT_CTX_set
    
    The function BN_MONT_CTX_set was assuming that the modulus was non-zero
    and therefore that |mod->top| > 0. In an error situation that may not be
    the case and could cause a seg fault.
    
    This is a follow on from CVE-2015-1794.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit ada57746b6b80beae73111fe1291bf8dd89af91c
Author: Guy Leaver (guleaver) <guleaver at cisco.com>
Date:   Fri Aug 7 15:45:21 2015 +0100

    Fix seg fault with 0 p val in SKE
    
    If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
    value of p set to 0 then a seg fault can occur. This commits adds a test to
    reject p, g and pub key parameters that have a 0 value (in accordance with
    RFC 5246)
    
    The security vulnerability only affects master and 1.0.2, but the fix is
    additionally applied to 1.0.1 for additional confidence.
    
    CVE-2015-1794
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_mont.c |  3 +++
 ssl/s3_clnt.c       | 16 ++++++++++++++++
 ssl/ssl.h           |  3 +++
 ssl/ssl_err.c       |  3 +++
 4 files changed, 25 insertions(+)

diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index aafd1b8..be95bd5 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -373,6 +373,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
     int ret = 0;
     BIGNUM *Ri, *R;
 
+    if (BN_is_zero(mod))
+        return 0;
+
     BN_CTX_start(ctx);
     if ((Ri = BN_CTX_get(ctx)) == NULL)
         goto err;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 6af145a..2059151 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1699,6 +1699,12 @@ int ssl3_get_key_exchange(SSL *s)
         }
         p += i;
 
+        if (BN_is_zero(dh->p)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
+            goto f_err;
+        }
+
+
         if (2 > n - param_len) {
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1719,6 +1725,11 @@ int ssl3_get_key_exchange(SSL *s)
         }
         p += i;
 
+        if (BN_is_zero(dh->g)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
+            goto f_err;
+        }
+
         if (2 > n - param_len) {
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1740,6 +1751,11 @@ int ssl3_get_key_exchange(SSL *s)
         p += i;
         n -= param_len;
 
+        if (BN_is_zero(dh->pub_key)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE);
+            goto f_err;
+        }
+
 # ifndef OPENSSL_NO_RSA
         if (alg_a & SSL_aRSA)
             pkey =
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 6fe1a24..c6c5bce 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2846,8 +2846,11 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
 # define SSL_R_BAD_DECOMPRESSION                          107
 # define SSL_R_BAD_DH_G_LENGTH                            108
+# define SSL_R_BAD_DH_G_VALUE                             375
 # define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE                       393
 # define SSL_R_BAD_DH_P_LENGTH                            110
+# define SSL_R_BAD_DH_P_VALUE                             395
 # define SSL_R_BAD_DIGEST_LENGTH                          111
 # define SSL_R_BAD_DSA_SIGNATURE                          112
 # define SSL_R_BAD_ECC_CERT                               304
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 1a6030e..202228b 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -386,8 +386,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "bad data returned by callback"},
     {ERR_REASON(SSL_R_BAD_DECOMPRESSION), "bad decompression"},
     {ERR_REASON(SSL_R_BAD_DH_G_LENGTH), "bad dh g length"},
+    {ERR_REASON(SSL_R_BAD_DH_G_VALUE), "bad dh g value"},
     {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH), "bad dh pub key length"},
+    {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_VALUE), "bad dh pub key value"},
     {ERR_REASON(SSL_R_BAD_DH_P_LENGTH), "bad dh p length"},
+    {ERR_REASON(SSL_R_BAD_DH_P_VALUE), "bad dh p value"},
     {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
     {ERR_REASON(SSL_R_BAD_DSA_SIGNATURE), "bad dsa signature"},
     {ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"},

From matt at openssl.org  Tue Aug 11 19:26:51 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 19:26:51 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1439321211.091742.30987.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  b11980d79a52ec08844f08bea0e66c04b691840b (commit)
       via  f15c99f4d4a96b692bdbb6f343c9112f2fa5a8ed (commit)
      from  507ea77b82f99af8cdae22bebb49fb2772d95330 (commit)


- Log -----------------------------------------------------------------
commit b11980d79a52ec08844f08bea0e66c04b691840b
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 10 12:00:29 2015 +0100

    Check for 0 modulus in BN_MONT_CTX_set
    
    The function BN_MONT_CTX_set was assuming that the modulus was non-zero
    and therefore that |mod->top| > 0. In an error situation that may not be
    the case and could cause a seg fault.
    
    This is a follow on from CVE-2015-1794.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit f15c99f4d4a96b692bdbb6f343c9112f2fa5a8ed
Author: Guy Leaver (guleaver) <guleaver at cisco.com>
Date:   Fri Aug 7 15:45:21 2015 +0100

    Fix seg fault with 0 p val in SKE
    
    If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
    value of p set to 0 then a seg fault can occur. This commits adds a test to
    reject p, g and pub key parameters that have a 0 value (in accordance with
    RFC 5246)
    
    The security vulnerability only affects master and 1.0.2, but the fix is
    additionally applied to 1.0.1 for additional confidence.
    
    CVE-2015-1794
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_mont.c |  3 +++
 ssl/s3_clnt.c       | 16 ++++++++++++++++
 ssl/ssl.h           |  3 +++
 ssl/ssl_err.c       |  3 +++
 4 files changed, 25 insertions(+)

diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c
index aafd1b8..be95bd5 100644
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -373,6 +373,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
     int ret = 0;
     BIGNUM *Ri, *R;
 
+    if (BN_is_zero(mod))
+        return 0;
+
     BN_CTX_start(ctx);
     if ((Ri = BN_CTX_get(ctx)) == NULL)
         goto err;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 35ad121..c89564b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1624,6 +1624,12 @@ int ssl3_get_key_exchange(SSL *s)
         }
         p += i;
 
+        if (BN_is_zero(dh->p)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
+            goto f_err;
+        }
+
+
         if (2 > n - param_len) {
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1644,6 +1650,11 @@ int ssl3_get_key_exchange(SSL *s)
         }
         p += i;
 
+        if (BN_is_zero(dh->g)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
+            goto f_err;
+        }
+
         if (2 > n - param_len) {
             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1665,6 +1676,11 @@ int ssl3_get_key_exchange(SSL *s)
         p += i;
         n -= param_len;
 
+        if (BN_is_zero(dh->pub_key)) {
+            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE);
+            goto f_err;
+        }
+
 # ifndef OPENSSL_NO_RSA
         if (alg_a & SSL_aRSA)
             pkey =
diff --git a/ssl/ssl.h b/ssl/ssl.h
index d2ab0c0..d9657eb 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2465,8 +2465,11 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
 # define SSL_R_BAD_DECOMPRESSION                          107
 # define SSL_R_BAD_DH_G_LENGTH                            108
+# define SSL_R_BAD_DH_G_VALUE                             375
 # define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE                       393
 # define SSL_R_BAD_DH_P_LENGTH                            110
+# define SSL_R_BAD_DH_P_VALUE                             395
 # define SSL_R_BAD_DIGEST_LENGTH                          111
 # define SSL_R_BAD_DSA_SIGNATURE                          112
 # define SSL_R_BAD_ECC_CERT                               304
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 88621b7..26f149e 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -369,8 +369,11 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "bad data returned by callback"},
     {ERR_REASON(SSL_R_BAD_DECOMPRESSION), "bad decompression"},
     {ERR_REASON(SSL_R_BAD_DH_G_LENGTH), "bad dh g length"},
+    {ERR_REASON(SSL_R_BAD_DH_G_VALUE), "bad dh g value"},
     {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH), "bad dh pub key length"},
+    {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_VALUE), "bad dh pub key value"},
     {ERR_REASON(SSL_R_BAD_DH_P_LENGTH), "bad dh p length"},
+    {ERR_REASON(SSL_R_BAD_DH_P_VALUE), "bad dh p value"},
     {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
     {ERR_REASON(SSL_R_BAD_DSA_SIGNATURE), "bad dsa signature"},
     {ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"},

From matt at openssl.org  Tue Aug 11 19:34:59 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 19:34:59 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439321699.256684.6586.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6142f5c640f98429d4798b8418e8cc2cf6cc1fb8 (commit)
       via  c0cbb4c19bb6e22b338dd17c096be323f7414faf (commit)
       via  c2a34c58f56980b80f034e8295210146b5c247c3 (commit)
       via  a1accbb1d704da9a25b18e7053ee191a8f510d93 (commit)
       via  011467ee55aa82a96cd8a539560c46fd4504a82b (commit)
       via  631c1206334adfb21758220362a56fa157a47596 (commit)
       via  2d5d70b15559f9813054ddb11b30b816daf62ebe (commit)
      from  6a009812b2e249fed01488f6f19f9fbfd9ee74c4 (commit)


- Log -----------------------------------------------------------------
commit 6142f5c640f98429d4798b8418e8cc2cf6cc1fb8
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 11:41:51 2015 +0100

    make update
    
    Run a "make update" for the OSSLTest Engine changes
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit c0cbb4c19bb6e22b338dd17c096be323f7414faf
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 10 10:46:27 2015 +0100

    Use dynamic engine for libssl test harness
    
    Use a dynamic engine for ossltest engine so that we can build it without
    subsequently deploying it during install. We do not want people accidentally
    using this engine.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit c2a34c58f56980b80f034e8295210146b5c247c3
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Aug 7 14:40:00 2015 +0100

    Add a test for 0 p value in anon DH SKE
    
    When using an anon DH ciphersuite a client should reject a 0 value for p.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit a1accbb1d704da9a25b18e7053ee191a8f510d93
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Aug 7 14:38:21 2015 +0100

    Extend TLSProxy capabilities
    
    Add ServerHello parsing to TLSProxy.
    Also add some (very) limited ServerKeyExchange parsing.
    Add the capability to set client and server cipher lists
    Fix a bug with fragment lengths
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 011467ee55aa82a96cd8a539560c46fd4504a82b
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 16 13:12:37 2015 +0100

    Add some libssl tests
    
    Two tests are added: one is a simple version tolerance test; the second is
    a test to ensure that OpenSSL operates correctly in the case of a zero
    length extensions block. The latter was broken inadvertently (now fixed)
    and it would have been helpful to have a test case for it.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 631c1206334adfb21758220362a56fa157a47596
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 16 13:06:41 2015 +0100

    Add a libssl test harness
    
    This commit provides a set of perl modules that support the testing of
    libssl. The test harness operates as a man-in-the-middle proxy between
    s_server and s_client. Both s_server and s_client must be started using the
    "-testmode" option which loads the new OSSLTEST engine.
    
    The test harness enables scripts to be written that can examine the packets
    sent during a handshake, as well as (potentially) modifying them so that
    otherwise illegal handshake messages can be sent.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 2d5d70b15559f9813054ddb11b30b816daf62ebe
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jun 16 12:59:37 2015 +0100

    Add OSSLTest Engine
    
    This engine is for testing purposes only. It provides crippled crypto
    implementations and therefore must not be used in any instance where
    security is required.
    
    This will be used by the forthcoming libssl test harness which will operate
    as a man-in-the-middle proxy. The test harness will be able to modify
    TLS packets and read their contents. By using this test engine packets are
    not encrypted and MAC codes always verify.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 engines/Makefile                          |  29 +-
 engines/e_ossltest.c                      | 542 ++++++++++++++++++++++++++++++
 engines/e_ossltest.ec                     |   1 +
 engines/{e_gmp_err.c => e_ossltest_err.c} |  70 ++--
 engines/{e_gmp_err.h => e_ossltest_err.h} |  23 +-
 test/Makefile                             |  22 +-
 test/sslextensiontest.pl                  |  89 +++++
 test/sslskewith0ptest.pl                  |  89 +++++
 test/sslvertoltest.pl                     |  93 +++++
 util/TLSProxy/ClientHello.pm              | 272 +++++++++++++++
 util/TLSProxy/Message.pm                  | 457 +++++++++++++++++++++++++
 util/TLSProxy/Proxy.pm                    | 394 ++++++++++++++++++++++
 util/TLSProxy/Record.pm                   | 360 ++++++++++++++++++++
 util/TLSProxy/ServerHello.pm              | 235 +++++++++++++
 util/TLSProxy/ServerKeyExchange.pm        | 176 ++++++++++
 15 files changed, 2796 insertions(+), 56 deletions(-)
 create mode 100644 engines/e_ossltest.c
 create mode 100644 engines/e_ossltest.ec
 copy engines/{e_gmp_err.c => e_ossltest_err.c} (65%)
 copy engines/{e_gmp_err.h => e_ossltest_err.h} (80%)
 create mode 100755 test/sslextensiontest.pl
 create mode 100755 test/sslskewith0ptest.pl
 create mode 100755 test/sslvertoltest.pl
 create mode 100644 util/TLSProxy/ClientHello.pm
 create mode 100644 util/TLSProxy/Message.pm
 create mode 100644 util/TLSProxy/Proxy.pm
 create mode 100644 util/TLSProxy/Record.pm
 create mode 100644 util/TLSProxy/ServerHello.pm
 create mode 100644 util/TLSProxy/ServerKeyExchange.pm

diff --git a/engines/Makefile b/engines/Makefile
index e9dc1c4..a1ea0a6 100644
--- a/engines/Makefile
+++ b/engines/Makefile
@@ -32,7 +32,6 @@ GENERAL=Makefile engines.com install.com engine_vector.mar
 
 LIB=$(TOP)/libcrypto.a
 LIBNAMES= 4758cca gmp padlock capi
-
 LIBSRC=	e_4758cca.c \
 	e_gmp.c \
 	e_padlock.c \
@@ -43,6 +42,10 @@ LIBOBJ= e_4758cca.o \
 	e_capi.o \
 	$(ENGINES_ASM_OBJ)
 
+TESTLIBNAMES= ossltest
+TESTLIBSRC= e_ossltest.c
+TESTLIBOBJ= e_ossltest.o
+
 SRC= $(LIBSRC)
 
 HEADER=	e_4758cca_err.c e_4758cca_err.h \
@@ -51,7 +54,8 @@ HEADER=	e_4758cca_err.c e_4758cca_err.h \
 	e_nuron_err.c e_nuron_err.h \
 	e_sureware_err.c e_sureware_err.h \
 	e_ubsec_err.c e_ubsec_err.h \
-	e_capi_err.c e_capi_err.h
+	e_capi_err.c e_capi_err.h \
+	e_ossltest_err.c e_ossltest_err.h
 
 ALL=	$(GENERAL) $(SRC) $(HEADER)
 
@@ -60,10 +64,10 @@ top:
 
 all:	lib subdirs
 
-lib:	$(LIBOBJ)
+lib:	$(LIBOBJ) $(TESTLIBOBJ)
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		set -e; \
-		for l in $(LIBNAMES); do \
+		for l in $(LIBNAMES) $(TESTLIBNAMES); do \
 			$(MAKE) -f ../Makefile.shared -e \
 				LIBNAME=$$l LIBEXTRAS="e_$$l*.o" \
 				LIBDEPS='-L.. -lcrypto $(EX_LIBS)' \
@@ -142,7 +146,7 @@ depend: local_depend
 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
 local_depend:
-	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) $(TESTLIBSRC)
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -196,6 +200,21 @@ e_gmp.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 e_gmp.o: ../include/openssl/sha.h ../include/openssl/stack.h
 e_gmp.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
 e_gmp.o: ../include/openssl/x509_vfy.h e_gmp.c
+e_ossltest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+e_ossltest.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+e_ossltest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+e_ossltest.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+e_ossltest.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
+e_ossltest.o: ../include/openssl/err.h ../include/openssl/evp.h
+e_ossltest.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+e_ossltest.o: ../include/openssl/modes.h ../include/openssl/obj_mac.h
+e_ossltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+e_ossltest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+e_ossltest.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
+e_ossltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+e_ossltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+e_ossltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+e_ossltest.o: e_ossltest.c e_ossltest_err.c e_ossltest_err.h
 e_padlock.o: ../include/openssl/aes.h ../include/openssl/asn1.h
 e_padlock.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 e_padlock.o: ../include/openssl/crypto.h ../include/openssl/dso.h
diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c
new file mode 100644
index 0000000..6e50a5f
--- /dev/null
+++ b/engines/e_ossltest.c
@@ -0,0 +1,542 @@
+/* engines/e_ossltest.c */
+/*
+ * Written by Matt Caswell (matt at openssl.org) for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+/*
+ * This is the OSSLTEST engine. It provides deliberately crippled digest
+ * implementations for test purposes. It is highly insecure and must NOT be
+ * used for any purpose except testing
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/engine.h>
+#include <openssl/sha.h>
+#include <openssl/md5.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/modes.h>
+#include <openssl/aes.h>
+
+#define OSSLTEST_LIB_NAME "OSSLTEST"
+#include "e_ossltest_err.c"
+
+/* Engine Id and Name */
+static const char *engine_ossltest_id = "ossltest";
+static const char *engine_ossltest_name = "OpenSSL Test engine support";
+
+
+/* Engine Lifetime functions */
+static int ossltest_destroy(ENGINE *e);
+static int ossltest_init(ENGINE *e);
+static int ossltest_finish(ENGINE *e);
+void ENGINE_load_ossltest(void);
+
+
+/* Set up digests */
+static int ossltest_digests(ENGINE *e, const EVP_MD **digest,
+                          const int **nids, int nid);
+
+static int ossltest_digest_nids[] = {
+    NID_md5, NID_sha1, NID_sha256, NID_sha384, NID_sha512, 0
+};
+
+/* MD5 */
+static int digest_md5_init(EVP_MD_CTX *ctx);
+static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count);
+static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md);
+
+static const EVP_MD digest_md5 = {
+    NID_md5,
+    NID_md5WithRSAEncryption,
+    MD5_DIGEST_LENGTH,
+    0,
+    digest_md5_init,
+    digest_md5_update,
+    digest_md5_final,
+    NULL,
+    NULL,
+    EVP_PKEY_RSA_method,
+    MD5_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(MD5_CTX),
+};
+
+/* SHA1 */
+static int digest_sha1_init(EVP_MD_CTX *ctx);
+static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count);
+static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md);
+
+static const EVP_MD digest_sha1 = {
+    NID_sha1,
+    NID_sha1WithRSAEncryption,
+    SHA_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
+    digest_sha1_init,
+    digest_sha1_update,
+    digest_sha1_final,
+    NULL,
+    NULL,
+    EVP_PKEY_NULL_method,
+    SHA_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA_CTX),
+};
+
+/* SHA256 */
+static int digest_sha256_init(EVP_MD_CTX *ctx);
+static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count);
+static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md);
+
+static const EVP_MD digest_sha256 = {
+    NID_sha256,
+    NID_sha256WithRSAEncryption,
+    SHA256_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
+    digest_sha256_init,
+    digest_sha256_update,
+    digest_sha256_final,
+    NULL,
+    NULL,
+    EVP_PKEY_NULL_method,
+    SHA256_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA256_CTX),
+};
+
+/* SHA384/SHA512 */
+static int digest_sha384_init(EVP_MD_CTX *ctx);
+static int digest_sha512_init(EVP_MD_CTX *ctx);
+static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count);
+static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md);
+static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md);
+
+static const EVP_MD digest_sha384 = {
+    NID_sha384,
+    NID_sha384WithRSAEncryption,
+    SHA384_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
+    digest_sha384_init,
+    digest_sha512_update,
+    digest_sha384_final,
+    NULL,
+    NULL,
+    EVP_PKEY_NULL_method,
+    SHA512_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA512_CTX),
+};
+
+static const EVP_MD digest_sha512 = {
+    NID_sha512,
+    NID_sha512WithRSAEncryption,
+    SHA512_DIGEST_LENGTH,
+    EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT,
+    digest_sha512_init,
+    digest_sha512_update,
+    digest_sha512_final,
+    NULL,
+    NULL,
+    EVP_PKEY_NULL_method,
+    SHA512_CBLOCK,
+    sizeof(EVP_MD *) + sizeof(SHA512_CTX),
+};
+
+/* Setup ciphers */
+static int ossltest_ciphers(ENGINE *, const EVP_CIPHER **,
+                            const int **, int);
+
+static int ossltest_cipher_nids[] = {
+    NID_aes_128_cbc, 0
+};
+
+/* AES128 */
+
+int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv, int enc);
+int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                               const unsigned char *in, size_t inl);
+
+/*
+ * Copy of the definition in crypto/evp/e_aes.c. Only used for the "sizeof"
+ * below
+ */
+typedef struct {
+    union {
+        double align;
+        AES_KEY ks;
+    } ks;
+    block128_f block;
+    union {
+        cbc128_f cbc;
+        ctr128_f ctr;
+    } stream;
+} EVP_AES_KEY;
+
+
+static const EVP_CIPHER ossltest_aes_128_cbc = { \
+    NID_aes_128_cbc,
+    16, /* block size */
+    16, /* key len */
+    16, /* iv len */
+    EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
+    ossltest_aes128_init_key,
+    ossltest_aes128_cbc_cipher,
+    NULL,
+    sizeof(EVP_AES_KEY),
+    NULL,NULL,NULL,NULL
+};
+
+
+static int bind_ossltest(ENGINE *e)
+{
+    /* Ensure the ossltest error handling is set up */
+    ERR_load_OSSLTEST_strings();
+
+    if (!ENGINE_set_id(e, engine_ossltest_id)
+        || !ENGINE_set_name(e, engine_ossltest_name)
+        || !ENGINE_set_digests(e, ossltest_digests)
+        || !ENGINE_set_ciphers(e, ossltest_ciphers)
+        || !ENGINE_set_destroy_function(e, ossltest_destroy)
+        || !ENGINE_set_init_function(e, ossltest_init)
+        || !ENGINE_set_finish_function(e, ossltest_finish)) {
+        OSSLTESTerr(OSSLTEST_F_BIND_OSSLTEST, OSSLTEST_R_INIT_FAILED);
+        return 0;
+    }
+
+    return 1;
+}
+
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+static int bind_helper(ENGINE *e, const char *id)
+{
+    if (id && (strcmp(id, engine_ossltest_id) != 0))
+        return 0;
+    if (!bind_ossltest(e))
+        return 0;
+    return 1;
+}
+
+IMPLEMENT_DYNAMIC_CHECK_FN()
+    IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#endif
+
+static ENGINE *engine_ossltest(void)
+{
+    ENGINE *ret = ENGINE_new();
+    if (!ret)
+        return NULL;
+    if (!bind_ossltest(ret)) {
+        ENGINE_free(ret);
+        return NULL;
+    }
+    return ret;
+}
+
+void ENGINE_load_ossltest(void)
+{
+    /* Copied from eng_[openssl|dyn].c */
+    ENGINE *toadd = engine_ossltest();
+    if (!toadd)
+        return;
+    ENGINE_add(toadd);
+    ENGINE_free(toadd);
+    ERR_clear_error();
+}
+
+
+static int ossltest_init(ENGINE *e)
+{
+    return 1;
+}
+
+
+static int ossltest_finish(ENGINE *e)
+{
+    return 1;
+}
+
+
+static int ossltest_destroy(ENGINE *e)
+{
+    ERR_unload_OSSLTEST_strings();
+    return 1;
+}
+
+static int ossltest_digests(ENGINE *e, const EVP_MD **digest,
+                          const int **nids, int nid)
+{
+    int ok = 1;
+    if (!digest) {
+        /* We are returning a list of supported nids */
+        *nids = ossltest_digest_nids;
+        return (sizeof(ossltest_digest_nids) -
+                1) / sizeof(ossltest_digest_nids[0]);
+    }
+    /* We are being asked for a specific digest */
+    switch (nid) {
+    case NID_md5:
+        *digest = &digest_md5;
+        break;
+    case NID_sha1:
+        *digest = &digest_sha1;
+        break;
+    case NID_sha256:
+        *digest = &digest_sha256;
+        break;
+    case NID_sha384:
+        *digest = &digest_sha384;
+        break;
+    case NID_sha512:
+        *digest = &digest_sha512;
+        break;
+    default:
+        ok = 0;
+        *digest = NULL;
+        break;
+    }
+    return ok;
+}
+
+static int ossltest_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                          const int **nids, int nid)
+{
+    int ok = 1;
+    if (!cipher) {
+        /* We are returning a list of supported nids */
+        *nids = ossltest_cipher_nids;
+        return (sizeof(ossltest_cipher_nids) - 1)
+               / sizeof(ossltest_cipher_nids[0]);
+    }
+    /* We are being asked for a specific cipher */
+    switch (nid) {
+    case NID_aes_128_cbc:
+        *cipher = &ossltest_aes_128_cbc;
+        break;
+    default:
+        ok = 0;
+        *cipher = NULL;
+        break;
+    }
+    return ok;
+}
+
+static void fill_known_data(unsigned char *md, unsigned int len)
+{
+    unsigned int i;
+
+    for (i=0; i<len; i++) {
+        md[i] = (unsigned char)(i & 0xff);
+    }
+}
+
+/*
+ * MD5 implementation. We go through the motions of doing MD5 by deferring to
+ * the standard implementation. Then we overwrite the result with a will defined
+ * value, so that all "MD5" digests using the test engine always end up with
+ * the same value.
+ */
+#undef data
+#define data(ctx) ((MD5_CTX *)(ctx)->md_data)
+static int digest_md5_init(EVP_MD_CTX *ctx)
+{
+    return MD5_Init(data(ctx));
+}
+
+static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
+          unsigned long count)
+{
+    return MD5_Update(data(ctx), data, (size_t)count);
+}
+
+static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    int ret;
+    ret = MD5_Final(md, data(ctx));
+
+    if (ret > 0) {
+        fill_known_data(md, MD5_DIGEST_LENGTH);
+    }
+    return ret;
+}
+
+/*
+ * SHA1 implementation.
+ */
+#undef data
+#define data(ctx) ((SHA_CTX *)(ctx)->md_data)
+static int digest_sha1_init(EVP_MD_CTX *ctx)
+{
+    return SHA1_Init(data(ctx));
+}
+
+static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count)
+{
+    return SHA1_Update(data(ctx), data, (size_t)count);
+}
+
+static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    int ret;
+    ret = SHA1_Final(md, data(ctx));
+
+    if (ret > 0) {
+        fill_known_data(md, SHA_DIGEST_LENGTH);
+    }
+    return ret;
+}
+
+/*
+ * SHA256 implementation.
+ */
+#undef data
+#define data(ctx) ((SHA256_CTX *)(ctx)->md_data)
+static int digest_sha256_init(EVP_MD_CTX *ctx)
+{
+    return SHA256_Init(data(ctx));
+}
+
+static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count)
+{
+    return SHA256_Update(data(ctx), data, (size_t)count);
+}
+
+static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    int ret;
+    ret = SHA256_Final(md, data(ctx));
+
+    if (ret > 0) {
+        fill_known_data(md, SHA256_DIGEST_LENGTH);
+    }
+    return ret;
+}
+
+/*
+ * SHA384/512 implementation.
+ */
+#undef data
+#define data(ctx) ((SHA512_CTX *)(ctx)->md_data)
+static int digest_sha384_init(EVP_MD_CTX *ctx)
+{
+    return SHA384_Init(data(ctx));
+}
+
+static int digest_sha512_init(EVP_MD_CTX *ctx)
+{
+    return SHA512_Init(data(ctx));
+}
+
+static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
+                             unsigned long count)
+{
+    return SHA512_Update(data(ctx), data, (size_t)count);
+}
+
+static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    int ret;
+    /* Actually uses SHA512_Final! */
+    ret = SHA512_Final(md, data(ctx));
+
+    if (ret > 0) {
+        fill_known_data(md, SHA384_DIGEST_LENGTH);
+    }
+    return ret;
+}
+
+static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+    int ret;
+    ret = SHA512_Final(md, data(ctx));
+
+    if (ret > 0) {
+        fill_known_data(md, SHA512_DIGEST_LENGTH);
+    }
+    return ret;
+}
+
+/*
+ * AES128 Implementation
+ */
+
+int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv, int enc)
+{
+    return EVP_aes_128_cbc()->init(ctx, key, iv, enc);
+}
+
+int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                               const unsigned char *in, size_t inl)
+{
+    unsigned char *tmpbuf;
+    int ret;
+
+    tmpbuf = OPENSSL_malloc(inl);
+    if (tmpbuf == NULL)
+        return -1;
+
+    /* Remember what we were asked to encrypt */
+    memcpy(tmpbuf, in, inl);
+
+    /* Go through the motions of encrypting it */
+    ret = EVP_aes_128_cbc()->do_cipher(ctx, out, in, inl);
+
+    /* Throw it all away and just use the plaintext as the output */
+    memcpy(out, tmpbuf, inl);
+    OPENSSL_free(tmpbuf);
+
+    return ret;
+}
diff --git a/engines/e_ossltest.ec b/engines/e_ossltest.ec
new file mode 100644
index 0000000..d8a1bef
--- /dev/null
+++ b/engines/e_ossltest.ec
@@ -0,0 +1 @@
+L       OSSLTEST    e_ossltest_err.h e_ossltest_err.c
diff --git a/engines/e_gmp_err.c b/engines/e_ossltest_err.c
similarity index 65%
copy from engines/e_gmp_err.c
copy to engines/e_ossltest_err.c
index 002a3ab..c1b0063 100644
--- a/engines/e_gmp_err.c
+++ b/engines/e_ossltest_err.c
@@ -1,6 +1,6 @@
-/* e_gmp_err.c */
+/* e_ossltest_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -61,7 +61,7 @@
 
 #include <stdio.h>
 #include <openssl/err.h>
-#include "e_gmp_err.h"
+#include "e_ossltest_err.h"
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
@@ -69,69 +69,65 @@
 # define ERR_FUNC(func) ERR_PACK(0,func,0)
 # define ERR_REASON(reason) ERR_PACK(0,0,reason)
 
-static ERR_STRING_DATA GMP_str_functs[] = {
-    {ERR_FUNC(GMP_F_E_GMP_CTRL), "E_GMP_CTRL"},
-    {ERR_FUNC(GMP_F_E_GMP_RSA_MOD_EXP), "E_GMP_RSA_MOD_EXP"},
+static ERR_STRING_DATA OSSLTEST_str_functs[] = {
+    {ERR_FUNC(OSSLTEST_F_BIND_OSSLTEST), "BIND_OSSLTEST"},
     {0, NULL}
 };
 
-static ERR_STRING_DATA GMP_str_reasons[] = {
-    {ERR_REASON(GMP_R_CTRL_COMMAND_NOT_IMPLEMENTED),
-     "ctrl command not implemented"},
-    {ERR_REASON(GMP_R_KEY_CONTEXT_ERROR), "key context error"},
-    {ERR_REASON(GMP_R_MISSING_KEY_COMPONENTS), "missing key components"},
+static ERR_STRING_DATA OSSLTEST_str_reasons[] = {
+    {ERR_REASON(OSSLTEST_R_INIT_FAILED), "init failed"},
     {0, NULL}
 };
 
 #endif
 
-#ifdef GMP_LIB_NAME
-static ERR_STRING_DATA GMP_lib_name[] = {
-    {0, GMP_LIB_NAME},
+#ifdef OSSLTEST_LIB_NAME
+static ERR_STRING_DATA OSSLTEST_lib_name[] = {
+    {0, OSSLTEST_LIB_NAME},
     {0, NULL}
 };
 #endif
 
-static int GMP_lib_error_code = 0;
-static int GMP_error_init = 1;
+static int OSSLTEST_lib_error_code = 0;
+static int OSSLTEST_error_init = 1;
 
-static void ERR_load_GMP_strings(void)
+static void ERR_load_OSSLTEST_strings(void)
 {
-    if (GMP_lib_error_code == 0)
-        GMP_lib_error_code = ERR_get_next_error_library();
+    if (OSSLTEST_lib_error_code == 0)
+        OSSLTEST_lib_error_code = ERR_get_next_error_library();
 
-    if (GMP_error_init) {
-        GMP_error_init = 0;
+    if (OSSLTEST_error_init) {
+        OSSLTEST_error_init = 0;
 #ifndef OPENSSL_NO_ERR
-        ERR_load_strings(GMP_lib_error_code, GMP_str_functs);
-        ERR_load_strings(GMP_lib_error_code, GMP_str_reasons);
+        ERR_load_strings(OSSLTEST_lib_error_code, OSSLTEST_str_functs);
+        ERR_load_strings(OSSLTEST_lib_error_code, OSSLTEST_str_reasons);
 #endif
 
-#ifdef GMP_LIB_NAME
-        GMP_lib_name->error = ERR_PACK(GMP_lib_error_code, 0, 0);
-        ERR_load_strings(0, GMP_lib_name);
+#ifdef OSSLTEST_LIB_NAME
+        OSSLTEST_lib_name->error = ERR_PACK(OSSLTEST_lib_error_code, 0, 0);
+        ERR_load_strings(0, OSSLTEST_lib_name);
 #endif
     }
 }
 
-static void ERR_unload_GMP_strings(void)
+static void ERR_unload_OSSLTEST_strings(void)
 {
-    if (GMP_error_init == 0) {
+    if (OSSLTEST_error_init == 0) {
 #ifndef OPENSSL_NO_ERR
-        ERR_unload_strings(GMP_lib_error_code, GMP_str_functs);
-        ERR_unload_strings(GMP_lib_error_code, GMP_str_reasons);
+        ERR_unload_strings(OSSLTEST_lib_error_code, OSSLTEST_str_functs);
+        ERR_unload_strings(OSSLTEST_lib_error_code, OSSLTEST_str_reasons);
 #endif
 
-#ifdef GMP_LIB_NAME
-        ERR_unload_strings(0, GMP_lib_name);
+#ifdef OSSLTEST_LIB_NAME
+        ERR_unload_strings(0, OSSLTEST_lib_name);
 #endif
-        GMP_error_init = 1;
+        OSSLTEST_error_init = 1;
     }
 }
 
-static void ERR_GMP_error(int function, int reason, char *file, int line)
+static void ERR_OSSLTEST_error(int function, int reason, char *file, int line)
 {
-    if (GMP_lib_error_code == 0)
-        GMP_lib_error_code = ERR_get_next_error_library();
-    ERR_PUT_error(GMP_lib_error_code, function, reason, file, line);
+    if (OSSLTEST_lib_error_code == 0)
+        OSSLTEST_lib_error_code = ERR_get_next_error_library();
+    ERR_PUT_error(OSSLTEST_lib_error_code, function, reason, file, line);
 }
diff --git a/engines/e_gmp_err.h b/engines/e_ossltest_err.h
similarity index 80%
copy from engines/e_gmp_err.h
copy to engines/e_ossltest_err.h
index 637abbc..8f874e0 100644
--- a/engines/e_gmp_err.h
+++ b/engines/e_ossltest_err.h
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,8 +52,8 @@
  *
  */
 
-#ifndef HEADER_GMP_ERR_H
-# define HEADER_GMP_ERR_H
+#ifndef HEADER_OSSLTEST_ERR_H
+# define HEADER_OSSLTEST_ERR_H
 
 #ifdef  __cplusplus
 extern "C" {
@@ -64,21 +64,18 @@ extern "C" {
  * The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
-static void ERR_load_GMP_strings(void);
-static void ERR_unload_GMP_strings(void);
-static void ERR_GMP_error(int function, int reason, char *file, int line);
-# define GMPerr(f,r) ERR_GMP_error((f),(r),__FILE__,__LINE__)
+static void ERR_load_OSSLTEST_strings(void);
+static void ERR_unload_OSSLTEST_strings(void);
+static void ERR_OSSLTEST_error(int function, int reason, char *file, int line);
+# define OSSLTESTerr(f,r) ERR_OSSLTEST_error((f),(r),__FILE__,__LINE__)
 
-/* Error codes for the GMP functions. */
+/* Error codes for the OSSLTEST functions. */
 
 /* Function codes. */
-# define GMP_F_E_GMP_CTRL                                 100
-# define GMP_F_E_GMP_RSA_MOD_EXP                          101
+# define OSSLTEST_F_BIND_OSSLTEST                         100
 
 /* Reason codes. */
-# define GMP_R_CTRL_COMMAND_NOT_IMPLEMENTED               100
-# define GMP_R_KEY_CONTEXT_ERROR                          101
-# define GMP_R_MISSING_KEY_COMPONENTS                     102
+# define OSSLTEST_R_INIT_FAILED                           100
 
 #ifdef  __cplusplus
 }
diff --git a/test/Makefile b/test/Makefile
index f49dc76..31b3796 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -71,6 +71,9 @@ CONSTTIMETEST=  constant_time_test
 VERIFYEXTRATEST=	verify_extra_test
 CLIENTHELLOTEST=	clienthellotest
 PACKETTEST=	packettest
+SSLVERTOLTEST=	sslvertoltest.pl
+SSLEXTENSIONTEST=	sslextensiontest.pl
+SSLSKEWITH0PTEST=	sslskewith0ptest.pl
 
 TESTS=		alltests
 
@@ -156,7 +159,8 @@ alltests: \
 	test_ige test_jpake test_secmem \
 	test_srp test_cms test_v3name test_ocsp \
 	test_gost2814789 test_heartbeat test_p5_crpt2 \
-	test_constant_time test_verify_extra test_clienthello test_packet
+	test_constant_time test_verify_extra test_clienthello test_packet \
+	test_sslvertol test_sslextension test_sslskewith0p
 
 test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
 	@echo $(START) $@
@@ -417,6 +421,22 @@ test_packet: $(PACKETTEST)$(EXE_EXT)
 	@echo $(START) $@
 	../util/shlib_wrap.sh ./$(PACKETTEST)
 
+#OPENSSL_ia32cap=... in ssl tests below ensures AES-NI is switched off (AES-NI does not go through the testmode engine)
+test_sslvertol: ../apps/openssl$(EXE_EXT)
+	@echo $(START) $@
+	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLVERTOLTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	@[ -n "$(SHARED_LIBS)" ] || echo test_sslvertol can only be performed with OpenSSL configured shared
+
+test_sslextension: ../apps/openssl$(EXE_EXT)
+	@echo $(START) $@
+	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	@[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared
+
+test_sslskewith0p: ../apps/openssl$(EXE_EXT)
+	@echo $(START) $@
+	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	@[ -n "$(SHARED_LIBS)" ] || echo test_sslskewith0p can only be performed with OpenSSL configured shared
+
 update: local_depend
 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
diff --git a/test/sslextensiontest.pl b/test/sslextensiontest.pl
new file mode 100755
index 0000000..802bac1
--- /dev/null
+++ b/test/sslextensiontest.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+
+my $proxy = TLSProxy::Proxy->new(
+    \&extension_filter,
+    @ARGV
+);
+
+#Test 1: Sending a zero length extension block should pass
+$proxy->start();
+TLSProxy::Message->success or die "FAILED: Zero extension length test\n";
+
+print "SUCCESS: Extension test\n";
+
+sub extension_filter
+{
+    my $proxy = shift;
+
+    # We're only interested in the initial ClientHello
+    if ($proxy->flight != 0) {
+        return;
+    }
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+            #Remove all extensions and set the extension len to zero
+            $message->extension_data({});
+            $message->extensions_len(0);
+            #Extensions have been removed so make sure we don't try to use them
+            $message->process_extensions();
+
+            $message->repack();
+        }
+    }
+}
diff --git a/test/sslskewith0ptest.pl b/test/sslskewith0ptest.pl
new file mode 100755
index 0000000..63f8398
--- /dev/null
+++ b/test/sslskewith0ptest.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+
+my $proxy = TLSProxy::Proxy->new(
+    \&ske_0_p_filter,
+    @ARGV
+);
+
+#We must use an anon DHE cipher for this test
+$proxy->cipherc('ADH-AES128-SHA:@SECLEVEL=0');
+$proxy->ciphers('ADH-AES128-SHA:@SECLEVEL=0');
+
+$proxy->start();
+TLSProxy::Message->fail or die "FAILED: ServerKeyExchange with 0 p\n";
+
+print "SUCCESS: ServerKeyExchange with 0 p\n";
+
+sub ske_0_p_filter
+{
+    my $proxy = shift;
+
+    # We're only interested in the SKE - always in flight 1
+    if ($proxy->flight != 1) {
+        return;
+    }
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_SERVER_KEY_EXCHANGE) {
+            #Set p to a value of 0
+            $message->p(pack('C', 0));
+
+            $message->repack();
+        }
+    }
+}
diff --git a/test/sslvertoltest.pl b/test/sslvertoltest.pl
new file mode 100755
index 0000000..1828a7d
--- /dev/null
+++ b/test/sslvertoltest.pl
@@ -0,0 +1,93 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+
+my $proxy = TLSProxy::Proxy->new(
+    \&vers_tolerance_filter,
+    @ARGV
+);
+
+#Test 1: Asking for TLS1.3 should pass
+my $client_version = TLSProxy::Record::VERS_TLS_1_3;
+$proxy->start();
+TLSProxy::Message->success or die "FAILED: Version tolerance test\n";
+
+#Test 2: Testing something below SSLv3 should fail
+$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
+$proxy->restart();
+TLSProxy::Message->success and die "FAILED: Version tolerance test\n";
+
+print "SUCCESS: Version tolerance test\n";
+
+sub vers_tolerance_filter
+{
+    my $proxy = shift;
+
+    # We're only interested in the initial ClientHello
+    if ($proxy->flight != 0) {
+        return;
+    }
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+            #Set the client version
+            #Anything above the max supported version (TLS1.2) should succeed
+            #Anything below SSLv3 should fail
+            $message->client_version($client_version);
+            $message->repack();
+        }
+    }
+}
diff --git a/util/TLSProxy/ClientHello.pm b/util/TLSProxy/ClientHello.pm
new file mode 100644
index 0000000..54fb5bb
--- /dev/null
+++ b/util/TLSProxy/ClientHello.pm
@@ -0,0 +1,272 @@
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+
+package TLSProxy::ClientHello;
+
+use parent 'TLSProxy::Message';
+
+use constant {
+    EXT_ENCRYPT_THEN_MAC => 22
+};
+
+sub new
+{
+    my $class = shift;
+    my ($server,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens) = @_;
+    
+    my $self = $class->SUPER::new(
+        $server,
+        1,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens);
+
+    $self->{client_version} = 0;
+    $self->{random} = [];
+    $self->{session_id_len} = 0;
+    $self->{session} = "";
+    $self->{ciphersuite_len} = 0;
+    $self->{ciphersuites} = [];
+    $self->{comp_meth_len} = 0;
+    $self->{comp_meths} = [];
+    $self->{extensions_len} = 0;
+    $self->{extensions_data} = "";
+
+    return $self;
+}
+
+sub parse
+{
+    my $self = shift;
+    my $ptr = 2;
+    my ($client_version) = unpack('n', $self->data);
+    my $random = substr($self->data, $ptr, 32);
+    $ptr += 32;
+    my $session_id_len = unpack('C', substr($self->data, $ptr));
+    $ptr++;
+    my $session = substr($self->data, $ptr, $session_id_len);
+    $ptr += $session_id_len;
+    my $ciphersuite_len = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    my @ciphersuites = unpack('n*', substr($self->data, $ptr,
+                                           $ciphersuite_len));
+    $ptr += $ciphersuite_len;
+    my $comp_meth_len = unpack('C', substr($self->data, $ptr));
+    $ptr++;
+    my @comp_meths = unpack('C*', substr($self->data, $ptr, $comp_meth_len));
+    $ptr += $comp_meth_len;
+    my $extensions_len = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    #For now we just deal with this as a block of data. In the future we will
+    #want to parse this
+    my $extension_data = substr($self->data, $ptr);
+    
+    if (length($extension_data) != $extensions_len) {
+        die "Invalid extension length\n";
+    }
+    my %extensions = ();
+    while (length($extension_data) >= 4) {
+        my ($type, $size) = unpack("nn", $extension_data);
+        my $extdata = substr($extension_data, 4, $size);
+        $extension_data = substr($extension_data, 4 + $size);
+        $extensions{$type} = $extdata;
+    }
+
+    $self->client_version($client_version);
+    $self->random($random);
+    $self->session_id_len($session_id_len);
+    $self->session($session);
+    $self->ciphersuite_len($ciphersuite_len);
+    $self->ciphersuites(\@ciphersuites);
+    $self->comp_meth_len($comp_meth_len);
+    $self->comp_meths(\@comp_meths);
+    $self->extensions_len($extensions_len);
+    $self->extension_data(\%extensions);
+
+    $self->process_extensions();
+
+    print "    Client Version:".$client_version."\n";
+    print "    Session ID Len:".$session_id_len."\n";
+    print "    Ciphersuite len:".$ciphersuite_len."\n";
+    print "    Compression Method Len:".$comp_meth_len."\n";
+    print "    Extensions Len:".$extensions_len."\n";
+}
+
+#Perform any actions necessary based on the extensions we've seen
+sub process_extensions
+{
+    my $self = shift;
+    my %extensions = %{$self->extension_data};
+
+    #Clear any state from a previous run
+    TLSProxy::Record->etm(0);
+
+    if (exists $extensions{&EXT_ENCRYPT_THEN_MAC}) {
+        TLSProxy::Record->etm(1);
+    }
+}
+
+#Reconstruct the on-the-wire message data following changes
+sub set_message_contents
+{
+    my $self = shift;
+    my $data;
+
+    $data = pack('n', $self->client_version);
+    $data .= $self->random;
+    $data .= pack('C', $self->session_id_len);
+    $data .= $self->session;
+    $data .= pack('n', $self->ciphersuite_len);
+    $data .= pack("n*", @{$self->ciphersuites});
+    $data .= pack('C', $self->comp_meth_len);
+    $data .= pack("C*", @{$self->comp_meths});
+    $data .= pack('n', $self->extensions_len);
+    foreach my $key (keys %{$self->extension_data}) {
+        my $extdata = ${$self->extension_data}{$key};
+        $data .= pack("n", $key);
+        $data .= pack("n", length($extdata));
+        $data .= $extdata;
+    }
+
+    $self->data($data);
+}
+
+#Read/write accessors
+sub client_version
+{
+    my $self = shift;
+    if (@_) {
+      $self->{client_version} = shift;
+    }
+    return $self->{client_version};
+}
+sub random
+{
+    my $self = shift;
+    if (@_) {
+      $self->{random} = shift;
+    }
+    return $self->{random};
+}
+sub session_id_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{session_id_len} = shift;
+    }
+    return $self->{session_id_len};
+}
+sub session
+{
+    my $self = shift;
+    if (@_) {
+      $self->{session} = shift;
+    }
+    return $self->{session};
+}
+sub ciphersuite_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{ciphersuite_len} = shift;
+    }
+    return $self->{ciphersuite_len};
+}
+sub ciphersuites
+{
+    my $self = shift;
+    if (@_) {
+      $self->{ciphersuites} = shift;
+    }
+    return $self->{ciphersuites};
+}
+sub comp_meth_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{comp_meth_len} = shift;
+    }
+    return $self->{comp_meth_len};
+}
+sub comp_meths
+{
+    my $self = shift;
+    if (@_) {
+      $self->{comp_meths} = shift;
+    }
+    return $self->{comp_meths};
+}
+sub extensions_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{extensions_len} = shift;
+    }
+    return $self->{extensions_len};
+}
+sub extension_data
+{
+    my $self = shift;
+    if (@_) {
+      $self->{extension_data} = shift;
+    }
+    return $self->{extension_data};
+}
+1;
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
new file mode 100644
index 0000000..66a4a7b
--- /dev/null
+++ b/util/TLSProxy/Message.pm
@@ -0,0 +1,457 @@
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+
+package TLSProxy::Message;
+
+use constant TLS_MESSAGE_HEADER_LENGTH => 4;
+
+#Message types
+use constant {
+    MT_HELLO_REQUEST => 0,
+    MT_CLIENT_HELLO => 1,
+    MT_SERVER_HELLO => 2,
+    MT_NEW_SESSION_TICKET => 4,
+    MT_CERTIFICATE => 11,
+    MT_SERVER_KEY_EXCHANGE => 12,
+    MT_CERTIFICATE_REQUEST => 13,
+    MT_SERVER_HELLO_DONE => 14,
+    MT_CERTIFICATE_VERIFY => 15,
+    MT_CLIENT_KEY_EXCHANGE => 16,
+    MT_FINISHED => 20,
+    MT_CERTIFICATE_STATUS => 22,
+    MT_NEXT_PROTO => 67
+};
+my %message_type = (
+    MT_HELLO_REQUEST, "HelloRequest",
+    MT_CLIENT_HELLO, "ClientHello",
+    MT_SERVER_HELLO, "ServerHello",
+    MT_NEW_SESSION_TICKET, "NewSessionTicket",
+    MT_CERTIFICATE, "Certificate",
+    MT_SERVER_KEY_EXCHANGE, "ServerKeyExchange",
+    MT_CERTIFICATE_REQUEST, "CertificateRequest",
+    MT_SERVER_HELLO_DONE, "ServerHelloDone",
+    MT_CERTIFICATE_VERIFY, "CertificateVerify",
+    MT_CLIENT_KEY_EXCHANGE, "ClientKeyExchange",
+    MT_FINISHED, "Finished",
+    MT_CERTIFICATE_STATUS, "CertificateStatus",
+    MT_NEXT_PROTO, "NextProto"
+);
+
+my $payload = "";
+my $messlen = -1;
+my $mt;
+my $startoffset = -1;
+my $server = 0;
+my $success = 0;
+my $end = 0;
+my @message_rec_list = ();
+my @message_frag_lens = ();
+my $ciphersuite = 0;
+
+sub clear
+{
+    $payload = "";
+    $messlen = -1;
+    $startoffset = -1;
+    $server = 0;
+    $success = 0;
+    $end = 0;
+    @message_rec_list = ();
+    @message_frag_lens = ();
+}
+
+#Class method to extract messages from a record
+sub get_messages
+{
+    my $class = shift;
+    my $serverin = shift;
+    my $record = shift;
+    my @messages = ();
+    my $message;
+
+    @message_frag_lens = ();
+
+    if ($serverin != $server && length($payload) != 0) {
+        die "Changed peer, but we still have fragment data\n";
+    }
+    $server = $serverin;
+
+    if ($record->content_type == TLSProxy::Record::RT_CCS) {
+        if ($payload ne "") {
+            #We can't handle this yet
+            die "CCS received before message data complete\n";
+        }
+        if ($server) {
+            TLSProxy::Record->server_ccs_seen(1);
+        } else {
+            TLSProxy::Record->client_ccs_seen(1);
+        }
+    } elsif ($record->content_type == TLSProxy::Record::RT_HANDSHAKE) {
+        if ($record->len == 0 || $record->len_real == 0) {
+            print "  Message truncated\n";
+        } else {
+            my $recoffset = 0;
+
+            if (length $payload > 0) {
+                #We are continuing processing a message started in a previous
+                #record. Add this record to the list associated with this
+                #message
+                push @message_rec_list, $record;
+
+                if ($messlen <= length($payload)) {
+                    #Shouldn't happen
+                    die "Internal error: invalid messlen: ".$messlen
+                        ." payload length:".length($payload)."\n";
+                }
+                if (length($payload) + $record->decrypt_len >= $messlen) {
+                    #We can complete the message with this record
+                    $recoffset = $messlen - length($payload);
+                    $payload .= substr($record->decrypt_data, 0, $recoffset);
+                    push @message_frag_lens, $recoffset;
+                    $message = create_message($server, $mt, $payload,
+                                              $startoffset);
+                    push @messages, $message;
+
+                    #Check if we have finished the handshake
+                    if ($mt == MT_FINISHED && $server) {
+                        $success = 1;
+                        $end = 1;
+                    }
+                    $payload = "";
+                } else {
+                    #This is just part of the total message
+                    $payload .= $record->decrypt_data;
+                    $recoffset = $record->decrypt_len;
+                    push @message_frag_lens, $record->decrypt_len;
+                }
+                print "  Partial message data read: ".$recoffset." bytes\n";
+            }
+
+            while ($record->decrypt_len > $recoffset) {
+                #We are at the start of a new message
+                if ($record->decrypt_len - $recoffset < 4) {
+                    #Whilst technically probably valid we can't cope with this
+                    die "End of record in the middle of a message header\n";
+                }
+                @message_rec_list = ($record);
+                my $lenhi;
+                my $lenlo;
+                ($mt, $lenhi, $lenlo) = unpack('CnC',
+                                               substr($record->decrypt_data,
+                                                      $recoffset));
+                $messlen = ($lenhi << 8) | $lenlo;
+                print "  Message type: $message_type{$mt}\n";
+                print "  Message Length: $messlen\n";
+                $startoffset = $recoffset;
+                $recoffset += 4;
+                $payload = "";
+                
+                if ($recoffset < $record->decrypt_len) {
+                    #Some payload data is present in this record
+                    if ($record->decrypt_len - $recoffset >= $messlen) {
+                        #We can complete the message with this record
+                        $payload .= substr($record->decrypt_data, $recoffset,
+                                           $messlen);
+                        $recoffset += $messlen;
+                        push @message_frag_lens, $messlen;
+                        $message = create_message($server, $mt, $payload,
+                                                  $startoffset);
+                        push @messages, $message;
+
+                        #Check if we have finished the handshake
+                        if ($mt == MT_FINISHED && $server) {
+                            $success = 1;
+                            $end = 1;
+                        }
+                        $payload = "";
+                    } else {
+                        #This is just part of the total message
+                        $payload .= substr($record->decrypt_data, $recoffset,
+                                           $record->decrypt_len - $recoffset);
+                        $recoffset = $record->decrypt_len;
+                        push @message_frag_lens, $recoffset;
+                    }
+                }
+            }
+        }
+    } elsif ($record->content_type == TLSProxy::Record::RT_APPLICATION_DATA) {
+        print "  [ENCRYPTED APPLICATION DATA]\n";
+        print "  [".$record->decrypt_data."]\n";
+    } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
+        #For now assume all alerts are fatal
+        $end = 1;
+    }
+
+    return @messages;
+}
+
+#Function to work out which sub-class we need to create and then
+#construct it
+sub create_message
+{
+    my ($server, $mt, $data, $startoffset) = @_;
+    my $message;
+
+    #We only support ClientHello in this version...needs to be extended for
+    #others
+    if ($mt == MT_CLIENT_HELLO) {
+        $message = TLSProxy::ClientHello->new(
+            $server,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+        $message->parse();
+    } elsif ($mt == MT_SERVER_HELLO) {
+        $message = TLSProxy::ServerHello->new(
+            $server,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+        $message->parse();
+    } elsif ($mt == MT_SERVER_KEY_EXCHANGE) {
+        $message = TLSProxy::ServerKeyExchange->new(
+            $server,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+        $message->parse();
+    } else {
+        #Unknown message type
+        $message = TLSProxy::Message->new(
+            $server,
+            $mt,
+            $data,
+            [@message_rec_list],
+            $startoffset,
+            [@message_frag_lens]
+        );
+    }
+
+    return $message;
+}
+
+sub end
+{
+    my $class = shift;
+    return $end;
+}
+sub success
+{
+    my $class = shift;
+    return $success;
+}
+sub fail
+{
+    my $class = shift;
+    return !$success && $end;
+}
+sub new
+{
+    my $class = shift;
+    my ($server,
+        $mt,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens) = @_;
+    
+    my $self = {
+        server => $server,
+        data => $data,
+        records => $records,
+        mt => $mt,
+        startoffset => $startoffset,
+        message_frag_lens => $message_frag_lens
+    };
+
+    return bless $self, $class;
+}
+
+sub ciphersuite
+{
+    my $class = shift;
+    if (@_) {
+      $ciphersuite = shift;
+    }
+    return $ciphersuite;
+}
+
+#Update all the underlying records with the modified data from this message
+#Note: Does not currently support re-encrypting
+sub repack
+{
+    my $self = shift;
+    my $msgdata;
+
+    my $numrecs = $#{$self->records};
+
+    $self->set_message_contents();
+
+    my $lenhi;
+    my $lenlo;
+
+    $lenlo = length($self->data) & 0xff;
+    $lenhi = length($self->data) >> 8;
+    my $msgdata = pack('CnC', $self->mt, $lenhi, $lenlo).$self->data;
+
+
+    if ($numrecs == 0) {
+        #The message is fully contained within one record
+        my ($rec) = @{$self->records};
+        my $recdata = $rec->decrypt_data;
+
+        if (length($msgdata) != ${$self->message_frag_lens}[0]
+                                + TLS_MESSAGE_HEADER_LENGTH) {
+            #Message length has changed! Better adjust the record length
+            my $diff = length($msgdata) - ${$self->message_frag_lens}[0]
+                                        - TLS_MESSAGE_HEADER_LENGTH;
+            $rec->len($rec->len + $diff);
+        }
+
+        $rec->data(substr($recdata, 0, $self->startoffset)
+                   .($msgdata)
+                   .substr($recdata, ${$self->message_frag_lens}[0]
+                                     + TLS_MESSAGE_HEADER_LENGTH));
+
+        #Update the fragment len in case we changed it above
+        ${$self->message_frag_lens}[0] = length($msgdata)
+                                         - TLS_MESSAGE_HEADER_LENGTH;
+        return;
+    }
+
+    #Note we don't currently support changing a fragmented message length
+    my $recctr = 0;
+    my $datadone = 0;
+    foreach my $rec (@{$self->records}) {
+        my $recdata = $rec->decrypt_data;
+        if ($recctr == 0) {
+            #This is the first record
+            my $remainlen = length($recdata) - $self->startoffset;
+            $rec->data(substr($recdata, 0, $self->startoffset)
+                       .substr(($msgdata), 0, $remainlen));
+            $datadone += $remainlen;
+        } elsif ($recctr + 1 == $numrecs) {
+            #This is the last record
+            $rec->data(substr($msgdata, $datadone));
+        } else {
+            #This is a middle record
+            $rec->data(substr($msgdata, $datadone, length($rec->data)));
+            $datadone += length($rec->data);
+        }
+        $recctr++;
+    }
+}
+
+#To be overridden by sub-classes
+sub set_message_contents
+{
+}
+
+#Read only accessors
+sub server
+{
+    my $self = shift;
+    return $self->{server};
+}
+
+#Read/write accessors
+sub mt
+{
+    my $self = shift;
+    if (@_) {
+      $self->{mt} = shift;
+    }
+    return $self->{mt};
+}
+sub data
+{
+    my $self = shift;
+    if (@_) {
+      $self->{data} = shift;
+    }
+    return $self->{data};
+}
+sub records
+{
+    my $self = shift;
+    if (@_) {
+      $self->{records} = shift;
+    }
+    return $self->{records};
+}
+sub startoffset
+{
+    my $self = shift;
+    if (@_) {
+      $self->{startoffset} = shift;
+    }
+    return $self->{startoffset};
+}
+sub message_frag_lens
+{
+    my $self = shift;
+    if (@_) {
+      $self->{message_frag_lens} = shift;
+    }
+    return $self->{message_frag_lens};
+}
+
+1;
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
new file mode 100644
index 0000000..c033c29
--- /dev/null
+++ b/util/TLSProxy/Proxy.pm
@@ -0,0 +1,394 @@
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+
+package TLSProxy::Proxy;
+
+use File::Spec;
+use IO::Socket;
+use IO::Select;
+use TLSProxy::Record;
+use TLSProxy::Message;
+use TLSProxy::ClientHello;
+use TLSProxy::ServerHello;
+use TLSProxy::ServerKeyExchange;
+
+sub new
+{
+    my $class = shift;
+    my ($filter,
+        $execute,
+        $cert,
+        $debug) = @_;
+
+    my $self = {
+        #Public read/write
+        proxy_addr => "localhost",
+        proxy_port => 4453,
+        server_addr => "localhost",
+        server_port => 4443,
+        filter => $filter,
+
+        #Public read
+        execute => $execute,
+        cert => $cert,
+        debug => $debug,
+        cipherc => "AES128-SHA",
+        ciphers => "",
+        flight => 0,
+        record_list => [],
+        message_list => [],
+
+        #Private
+        message_rec_list => []
+    };
+
+    return bless $self, $class;
+}
+
+sub clear
+{
+    my $self = shift;
+
+    $self->{cipherc} = "AES128-SHA";
+    $self->{ciphers} = "";
+    $self->{flight} = 0;
+    $self->{record_list} = [];
+    $self->{message_list} = [];
+    $self->{message_rec_list} = [];
+
+    TLSProxy::Message->clear();
+    TLSProxy::Record->clear();
+}
+
+sub restart
+{
+    my $self = shift;
+
+    $self->clear;
+    $self->start;
+}
+
+sub start
+{
+    my ($self) = shift;
+    my $pid;
+
+    $pid = fork();
+    if ($pid == 0) {
+        open(STDOUT, ">", File::Spec->devnull())
+            or die "Failed to redirect stdout";
+        open(STDERR, ">&STDOUT");
+        my $execcmd = $self->execute." s_server -engine ossltest -accept "
+            .($self->server_port)
+            ." -cert ".$self->cert." -naccept 1";
+        if ($self->ciphers ne "") {
+            $execcmd .= " -cipher ".$self->ciphers;
+        }
+        exec($execcmd);
+    }
+
+    my $oldstdout;
+
+    if(!$self->debug) {
+        $oldstdout = select(File::Spec->devnull());
+    }
+
+    # Create the Proxy socket
+    my $proxy_sock = new IO::Socket::INET(
+        LocalHost   => $self->proxy_addr,
+        LocalPort   => $self->proxy_port,
+        Proto       => "tcp",
+        Listen      => SOMAXCONN,
+        Reuse       => 1
+    );
+
+    if ($proxy_sock) {
+        print "Proxy started on port ".$self->proxy_port."\n";
+    } else {
+        die "Failed creating proxy socket\n";
+    }
+
+    if ($self->execute) {
+        my $pid = fork();
+        if ($pid == 0) {
+            open(STDOUT, ">", File::Spec->devnull())
+                or die "Failed to redirect stdout";
+            open(STDERR, ">&STDOUT");
+            my $execcmd = $self->execute
+                 ." s_client -engine ossltest -connect "
+                 .($self->proxy_addr).":".($self->proxy_port);
+            if ($self->cipherc ne "") {
+                $execcmd .= " -cipher ".$self->cipherc;
+            }
+            exec($execcmd);
+        }
+    }
+
+    # Wait for incoming connection from client
+    my $client_sock = $proxy_sock->accept() 
+        or die "Failed accepting incoming connection\n";
+
+    print "Connection opened\n";
+
+    # Now connect to the server
+    my $retry = 3;
+    my $server_sock;
+    #We loop over this a few times because sometimes s_server can take a while
+    #to start up
+    do {
+        $server_sock = new IO::Socket::INET(
+            PeerAddr => $self->server_addr,
+            PeerPort => $self->server_port,
+            Proto => 'tcp'
+        ); 
+
+        $retry--;
+        if (!$server_sock) {
+            if ($retry) {
+                #Sleep for a short while
+                select(undef, undef, undef, 0.1);
+            } else {
+                die "Failed to start up server\n";
+            }
+        }
+    } while (!$server_sock);
+
+    my $sel = IO::Select->new($server_sock, $client_sock);
+    my $indata;
+    my @handles = ($server_sock, $client_sock);
+
+    #Wait for either the server socket or the client socket to become readable
+    my @ready;
+    while(!(TLSProxy::Message->end) && (@ready = $sel->can_read)) {
+        foreach my $hand (@ready) {
+            if ($hand == $server_sock) {
+                $server_sock->sysread($indata, 16384) or goto END;
+                $indata = $self->process_packet(1, $indata);
+                $client_sock->syswrite($indata);
+            } elsif ($hand == $client_sock) {
+                $client_sock->sysread($indata, 16384) or goto END;
+                $indata = $self->process_packet(0, $indata);
+                $server_sock->syswrite($indata);
+            } else {
+                print "Err\n";
+                goto END;
+            }
+        }
+    }
+
+    END:
+    print "Connection closed\n";
+    if($server_sock) {
+        $server_sock->close();
+    }
+    if($client_sock) {
+        #Closing this also kills the child process
+        $client_sock->close();
+    }
+    if($proxy_sock) {
+        $proxy_sock->close();
+    }
+    if(!$self->debug) {
+        select($oldstdout);
+    }
+}
+
+
+sub process_packet
+{
+    my ($self, $server, $packet) = @_;
+    my $len_real;
+    my $decrypt_len;
+    my $data;
+    my $recnum;
+
+    if ($server) {
+        print "Received server packet\n";
+    } else {
+        print "Received client packet\n";
+    }
+
+    print "Packet length = ".length($packet)."\n";
+    print "Processing flight ".$self->flight."\n";
+
+    #Return contains the list of record found in the packet followed by the
+    #list of messages in those records
+    my @ret = TLSProxy::Record->get_records($server, $self->flight, $packet);
+    push @{$self->record_list}, @{$ret[0]};
+    $self->{message_rec_list} = $ret[0];
+    push @{$self->{message_list}}, @{$ret[1]};
+
+    print "\n";
+
+    #Finished parsing. Call user provided filter here
+    $self->filter->($self);
+
+    #Reconstruct the packet
+    $packet = "";
+    foreach my $record (@{$self->record_list}) {
+        #We only replay the records for the current flight
+        if ($record->flight != $self->flight) {
+            next;
+        }
+        $packet .= $record->reconstruct_record();
+    }
+
+    $self->{flight} = $self->{flight} + 1;
+
+    print "Forwarded packet length = ".length($packet)."\n\n";
+
+    return $packet;
+}
+
+#Read accessors
+sub execute
+{
+    my $self = shift;
+    return $self->{execute};
+}
+sub cert
+{
+    my $self = shift;
+    return $self->{cert};
+}
+sub debug
+{
+    my $self = shift;
+    return $self->{debug};
+}
+sub flight
+{
+    my $self = shift;
+    return $self->{flight};
+}
+sub record_list
+{
+    my $self = shift;
+    return $self->{record_list};
+}
+sub message_list
+{
+    my $self = shift;
+    return $self->{message_list};
+}
+sub success
+{
+    my $self = shift;
+    return $self->{success};
+}
+sub end
+{
+    my $self = shift;
+    return $self->{end};
+}
+
+#Read/write accessors
+sub proxy_addr
+{
+    my $self = shift;
+    if (@_) {
+      $self->{proxy_addr} = shift;
+    }
+    return $self->{proxy_addr};
+}
+sub proxy_port
+{
+    my $self = shift;
+    if (@_) {
+      $self->{proxy_port} = shift;
+    }
+    return $self->{proxy_port};
+}
+sub server_addr
+{
+    my $self = shift;
+    if (@_) {
+      $self->{server_addr} = shift;
+    }
+    return $self->{server_addr};
+}
+sub server_port
+{
+    my $self = shift;
+    if (@_) {
+      $self->{server_port} = shift;
+    }
+    return $self->{server_port};
+}
+sub filter
+{
+    my $self = shift;
+    if (@_) {
+      $self->{filter} = shift;
+    }
+    return $self->{filter};
+}
+sub cipherc
+{
+    my $self = shift;
+    if (@_) {
+      $self->{cipherc} = shift;
+    }
+    return $self->{cipherc};
+}
+sub ciphers
+{
+    my $self = shift;
+    if (@_) {
+      $self->{ciphers} = shift;
+    }
+    return $self->{ciphers};
+}
+1;
diff --git a/util/TLSProxy/Record.pm b/util/TLSProxy/Record.pm
new file mode 100644
index 0000000..1d10508
--- /dev/null
+++ b/util/TLSProxy/Record.pm
@@ -0,0 +1,360 @@
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+
+use TLSProxy::Proxy;
+
+package TLSProxy::Record;
+
+my $server_ccs_seen = 0;
+my $client_ccs_seen = 0;
+my $etm = 0;
+
+use constant TLS_RECORD_HEADER_LENGTH => 5;
+
+#Record types
+use constant {
+    RT_APPLICATION_DATA => 23,
+    RT_HANDSHAKE => 22,
+    RT_ALERT => 21,
+    RT_CCS => 20
+};
+
+my %record_type = (
+    RT_APPLICATION_DATA, "APPLICATION DATA",
+    RT_HANDSHAKE, "HANDSHAKE",
+    RT_ALERT, "ALERT",
+    RT_CCS, "CCS"
+);
+
+use constant {
+    VERS_TLS_1_3 => 772,
+    VERS_TLS_1_2 => 771,
+    VERS_TLS_1_1 => 770,
+    VERS_TLS_1_0 => 769,
+    VERS_SSL_3_0 => 768
+};
+
+my %tls_version = (
+    VERS_TLS_1_3, "TLS1.3",
+    VERS_TLS_1_2, "TLS1.2",
+    VERS_TLS_1_1, "TLS1.1",
+    VERS_TLS_1_0, "TLS1.0",
+    VERS_SSL_3_0, "SSL3"
+);
+
+#Class method to extract records from a packet of data
+sub get_records
+{
+    my $class = shift;
+    my $server = shift;
+    my $flight = shift;
+    my $packet = shift;
+    my @record_list = ();
+    my @message_list = ();
+    my $data;
+    my $content_type;
+    my $version;
+    my $len;
+    my $len_real;
+    my $decrypt_len;
+
+    my $recnum = 1;
+    while (length ($packet) > 0) {
+        print " Record $recnum";
+        if ($server) {
+            print " (server -> client)\n";
+        } else {
+            print " (client -> server)\n";
+        }
+        #Get the record header
+        if (length($packet) < TLS_RECORD_HEADER_LENGTH) {
+            print "Partial data : ".length($packet)." bytes\n";
+            $packet = "";
+        } else {
+            ($content_type, $version, $len) = unpack('CnnC*', $packet);
+            $data = substr($packet, 5, $len);
+
+            print "  Content type: ".$record_type{$content_type}."\n";
+            print "  Version: $tls_version{$version}\n";
+            print "  Length: $len";
+            if ($len == length($data)) {
+                print "\n";
+                $decrypt_len = $len_real = $len;
+            } else {
+                print " (expected), ".length($data)." (actual)\n";
+                $decrypt_len = $len_real = length($data);
+            }
+
+            my $record = TLSProxy::Record->new(
+                $flight,
+                $content_type,
+                $version,
+                $len,
+                $len_real,
+                $decrypt_len,
+                substr($packet, TLS_RECORD_HEADER_LENGTH, $len_real),
+                substr($packet, TLS_RECORD_HEADER_LENGTH, $len_real)
+            );
+
+            if (($server && $server_ccs_seen)
+                     || (!$server && $client_ccs_seen)) {
+                if ($etm) {
+                    $record->decryptETM();
+                } else {
+                    $record->decrypt();
+                }
+            }
+
+            push @record_list, $record;
+
+            #Now figure out what messages are contained within this record
+            my @messages = TLSProxy::Message->get_messages($server, $record);
+            push @message_list, @messages;
+
+            $packet = substr($packet, TLS_RECORD_HEADER_LENGTH + $len_real);
+            $recnum++;
+        }
+    }
+
+    return (\@record_list, \@message_list);
+}
+
+sub clear
+{
+    $server_ccs_seen = 0;
+    $client_ccs_seen = 0;
+}
+
+#Class level accessors
+sub server_ccs_seen
+{
+    my $class = shift;
+    if (@_) {
+      $server_ccs_seen = shift;
+    }
+    return $server_ccs_seen;
+}
+sub client_ccs_seen
+{
+    my $class = shift;
+    if (@_) {
+      $client_ccs_seen = shift;
+    }
+    return $client_ccs_seen;
+}
+#Enable/Disable Encrypt-then-MAC
+sub etm
+{
+    my $class = shift;
+    if (@_) {
+      $etm = shift;
+    }
+    return $etm;
+}
+
+sub new
+{
+    my $class = shift;
+    my ($flight,
+        $content_type,
+        $version,
+        $len,
+        $len_real,
+        $decrypt_len,
+        $data,
+        $decrypt_data) = @_;
+    
+    my $self = {
+        flight => $flight,
+        content_type => $content_type,
+        version => $version,
+        len => $len,
+        len_real => $len_real,
+        decrypt_len => $decrypt_len,
+        data => $data,
+        decrypt_data => $decrypt_data,
+        orig_decrypt_data => $decrypt_data
+    };
+
+    return bless $self, $class;
+}
+
+#Decrypt using encrypt-then-MAC
+sub decryptETM
+{
+    my ($self) = shift;
+
+    my $data = $self->data;
+
+    if($self->version >= VERS_TLS_1_1()) {
+        #TLS1.1+ has an explicit IV. Throw it away
+        $data = substr($data, 16);
+    }
+
+    #Throw away the MAC (assumes MAC is 20 bytes for now. FIXME)
+    $data = substr($data, 0, length($data) - 20);
+
+    #Find out what the padding byte is
+    my $padval = unpack("C", substr($data, length($data) - 1));
+
+    #Throw away the padding
+    $data = substr($data, 0, length($data) - ($padval + 1));
+
+    $self->decrypt_data($data);
+    $self->decrypt_len(length($data));
+
+    return $data;
+}
+
+#Standard decrypt
+sub decrypt()
+{
+    my ($self) = shift;
+
+    my $data = $self->data;
+
+    if($self->version >= VERS_TLS_1_1()) {
+        #TLS1.1+ has an explicit IV. Throw it away
+        $data = substr($data, 16);
+    }
+
+    #Find out what the padding byte is
+    my $padval = unpack("C", substr($data, length($data) - 1));
+
+    #Throw away the padding
+    $data = substr($data, 0, length($data) - ($padval + 1));
+
+    #Throw away the MAC (assumes MAC is 20 bytes for now. FIXME)
+    $data = substr($data, 0, length($data) - 20);
+
+    $self->decrypt_data($data);
+    $self->decrypt_len(length($data));
+
+    return $data;
+}
+
+#Reconstruct the on-the-wire record representation
+sub reconstruct_record
+{
+    my $self = shift;
+    my $data;
+
+    $data = pack('Cnn', $self->content_type, $self->version, $self->len);
+    $data .= $self->data;
+
+    return $data;
+}
+
+#Read only accessors
+sub flight
+{
+    my $self = shift;
+    return $self->{flight};
+}
+sub content_type
+{
+    my $self = shift;
+    return $self->{content_type};
+}
+sub version
+{
+    my $self = shift;
+    return $self->{version};
+}
+sub len_real
+{
+    my $self = shift;
+    return $self->{len_real};
+}
+sub orig_decrypt_data
+{
+    my $self = shift;
+    return $self->{orig_decrypt_data};
+}
+
+#Read/write accessors
+sub decrypt_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{decrypt_len} = shift;
+    }
+    return $self->{decrypt_len};
+}
+sub data
+{
+    my $self = shift;
+    if (@_) {
+      $self->{data} = shift;
+    }
+    return $self->{data};
+}
+sub decrypt_data
+{
+    my $self = shift;
+    if (@_) {
+      $self->{decrypt_data} = shift;
+    }
+    return $self->{decrypt_data};
+}
+sub len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{len} = shift;
+    }
+    return $self->{len};
+}
+1;
diff --git a/util/TLSProxy/ServerHello.pm b/util/TLSProxy/ServerHello.pm
new file mode 100644
index 0000000..693430e
--- /dev/null
+++ b/util/TLSProxy/ServerHello.pm
@@ -0,0 +1,235 @@
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+
+package TLSProxy::ServerHello;
+
+use parent 'TLSProxy::Message';
+
+sub new
+{
+    my $class = shift;
+    my ($server,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens) = @_;
+    
+    my $self = $class->SUPER::new(
+        $server,
+        TLSProxy::Message::MT_SERVER_HELLO,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens);
+
+    $self->{server_version} = 0;
+    $self->{random} = [];
+    $self->{session_id_len} = 0;
+    $self->{session} = "";
+    $self->{ciphersuite} = 0;
+    $self->{comp_meth} = 0;
+    $self->{extensions_len} = 0;
+    $self->{extensions_data} = "";
+
+    return $self;
+}
+
+sub parse
+{
+    my $self = shift;
+    my $ptr = 2;
+    my ($server_version) = unpack('n', $self->data);
+    my $random = substr($self->data, $ptr, 32);
+    $ptr += 32;
+    my $session_id_len = unpack('C', substr($self->data, $ptr));
+    $ptr++;
+    my $session = substr($self->data, $ptr, $session_id_len);
+    $ptr += $session_id_len;
+    my $ciphersuite = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    my $comp_meth = unpack('C', substr($self->data, $ptr));
+    $ptr++;
+    my $extensions_len = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    #For now we just deal with this as a block of data. In the future we will
+    #want to parse this
+    my $extension_data = substr($self->data, $ptr);
+    
+    if (length($extension_data) != $extensions_len) {
+        die "Invalid extension length\n";
+    }
+    my %extensions = ();
+    while (length($extension_data) >= 4) {
+        my ($type, $size) = unpack("nn", $extension_data);
+        my $extdata = substr($extension_data, 4, $size);
+        $extension_data = substr($extension_data, 4 + $size);
+        $extensions{$type} = $extdata;
+    }
+
+    $self->server_version($server_version);
+    $self->random($random);
+    $self->session_id_len($session_id_len);
+    $self->session($session);
+    $self->ciphersuite($ciphersuite);
+    $self->comp_meth($comp_meth);
+    $self->extensions_len($extensions_len);
+    $self->extension_data(\%extensions);
+
+    $self->process_data();
+
+    print "    Server Version:".$server_version."\n";
+    print "    Session ID Len:".$session_id_len."\n";
+    print "    Ciphersuite:".$ciphersuite."\n";
+    print "    Compression Method:".$comp_meth."\n";
+    print "    Extensions Len:".$extensions_len."\n";
+}
+
+#Perform any actions necessary based on the data we've seen
+sub process_data
+{
+    my $self = shift;
+
+    TLSProxy::Message->ciphersuite($self->ciphersuite);
+}
+
+#Reconstruct the on-the-wire message data following changes
+sub set_message_contents
+{
+    my $self = shift;
+    my $data;
+
+    $data = pack('n', $self->server_version);
+    $data .= $self->random;
+    $data .= pack('C', $self->session_id_len);
+    $data .= $self->session;
+    $data .= pack('n', $self->ciphersuite);
+    $data .= pack('C', $self->comp_meth);
+    $data .= pack('n', $self->extensions_len);
+    foreach my $key (keys %{$self->extension_data}) {
+        my $extdata = ${$self->extension_data}{$key};
+        $data .= pack("n", $key);
+        $data .= pack("n", length($extdata));
+        $data .= $extdata;
+    }
+
+    $self->data($data);
+}
+
+#Read/write accessors
+sub server_version
+{
+    my $self = shift;
+    if (@_) {
+      $self->{client_version} = shift;
+    }
+    return $self->{client_version};
+}
+sub random
+{
+    my $self = shift;
+    if (@_) {
+      $self->{random} = shift;
+    }
+    return $self->{random};
+}
+sub session_id_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{session_id_len} = shift;
+    }
+    return $self->{session_id_len};
+}
+sub session
+{
+    my $self = shift;
+    if (@_) {
+      $self->{session} = shift;
+    }
+    return $self->{session};
+}
+sub ciphersuite
+{
+    my $self = shift;
+    if (@_) {
+      $self->{ciphersuite} = shift;
+    }
+    return $self->{ciphersuite};
+}
+sub comp_meth
+{
+    my $self = shift;
+    if (@_) {
+      $self->{comp_meth} = shift;
+    }
+    return $self->{comp_meth};
+}
+sub extensions_len
+{
+    my $self = shift;
+    if (@_) {
+      $self->{extensions_len} = shift;
+    }
+    return $self->{extensions_len};
+}
+sub extension_data
+{
+    my $self = shift;
+    if (@_) {
+      $self->{extension_data} = shift;
+    }
+    return $self->{extension_data};
+}
+1;
diff --git a/util/TLSProxy/ServerKeyExchange.pm b/util/TLSProxy/ServerKeyExchange.pm
new file mode 100644
index 0000000..3a91d17
--- /dev/null
+++ b/util/TLSProxy/ServerKeyExchange.pm
@@ -0,0 +1,176 @@
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+
+package TLSProxy::ServerKeyExchange;
+
+use parent 'TLSProxy::Message';
+
+sub new
+{
+    my $class = shift;
+    my ($server,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens) = @_;
+    
+    my $self = $class->SUPER::new(
+        $server,
+        TLSProxy::Message::MT_SERVER_KEY_EXCHANGE,
+        $data,
+        $records,
+        $startoffset,
+        $message_frag_lens);
+
+    #DHE
+    $self->{p} = "";
+    $self->{g} = "";
+    $self->{pub_key} = "";
+    $self->{sig} = "";
+
+    return $self;
+}
+
+sub parse
+{
+    my $self = shift;
+
+    #Minimal SKE parsing. Only supports DHE at the moment (if its not DHE
+    #the parsing data will be trash...which is ok as long as we don't try to
+    #use it)
+
+    my $p_len = unpack('n', $self->data);
+    my $ptr = 2;
+    my $p = substr($self->data, $ptr, $p_len);
+    $ptr += $p_len;
+
+    my $g_len = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    my $g = substr($self->data, $ptr, $g_len);
+    $ptr += $g_len;
+
+    my $pub_key_len = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    my $pub_key = substr($self->data, $ptr, $pub_key_len);
+    $ptr += $g_len;
+
+    #We assume its signed
+    my $sig_len = unpack('n', substr($self->data, $ptr));
+    $ptr += 2;
+    my $sig = substr($self->data, $ptr, $sig_len);
+    $ptr += $sig_len;
+
+    $self->p($p);
+    $self->g($g);
+    $self->pub_key($pub_key);
+    $self->sig($sig);
+}
+
+
+#Reconstruct the on-the-wire message data following changes
+sub set_message_contents
+{
+    my $self = shift;
+    my $data;
+
+    $data = pack('n', length($self->p));
+    $data .= $self->p;
+    $data .= pack('n', length($self->g));
+    $data .= $self->g;
+    $data .= pack('n', length($self->pub_key));
+    $data .= $self->pub_key;
+    if (length($self->sig) > 0) {
+        $data .= pack('n', length($self->sig));
+        $data .= $self->sig;
+    }
+
+    $self->data($data);
+}
+
+#Read/write accessors
+#DHE
+sub p
+{
+    my $self = shift;
+    if (@_) {
+      $self->{p} = shift;
+    }
+    return $self->{p};
+}
+sub g
+{
+    my $self = shift;
+    if (@_) {
+      $self->{g} = shift;
+    }
+    return $self->{g};
+}
+sub pub_key
+{
+    my $self = shift;
+    if (@_) {
+      $self->{pub_key} = shift;
+    }
+    return $self->{pub_key};
+}
+sub sig
+{
+    my $self = shift;
+    if (@_) {
+      $self->{sig} = shift;
+    }
+    return $self->{sig};
+}
+1;

From matt at openssl.org  Tue Aug 11 21:21:47 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 21:21:47 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439328107.223090.22666.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f75d5171be0b3b5419c8974133e1573cf976a8bb (commit)
       via  d8e8590ed90eba6ef651d09d77befb14f980de2c (commit)
      from  6142f5c640f98429d4798b8418e8cc2cf6cc1fb8 (commit)


- Log -----------------------------------------------------------------
commit f75d5171be0b3b5419c8974133e1573cf976a8bb
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 19:38:39 2015 +0100

    Fix "make test" seg fault with SCTP enabled
    
    When config'd with "sctp" running "make test" causes a seg fault. This is
    actually due to the way ssltest works - it dives under the covers and frees
    up BIOs manually and so some BIOs are NULL when the SCTP code does not
    expect it. The simplest fix is just to add some sanity checks to make sure
    the BIOs aren't NULL before we use them.
    
    This problem occurs in master and 1.0.2. The fix has also been applied to
    1.0.1 to keep the code in sync.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit d8e8590ed90eba6ef651d09d77befb14f980de2c
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 19:36:43 2015 +0100

    Fix missing return value checks in SCTP
    
    There are some missing return value checks in the SCTP code. In master this
    was causing a compilation failure when config'd with
    "--strict-warnings sctp".
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |  7 +++++--
 ssl/d1_clnt.c | 16 ++++++++++++----
 ssl/d1_srvr.c | 18 +++++++++++++-----
 3 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index ec47b94..2c3ab54 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1365,9 +1365,12 @@ int dtls1_shutdown(SSL *s)
 {
     int ret;
 #ifndef OPENSSL_NO_SCTP
-    if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
+    BIO *wbio;
+
+    wbio = SSL_get_wbio(s);
+    if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
         !(s->shutdown & SSL_SENT_SHUTDOWN)) {
-        ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
+        ret = BIO_dgram_sctp_wait_for_dry(wbio);
         if (ret < 0)
             return -1;
 
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 566c154..d411614 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -364,11 +364,15 @@ int dtls1_connect(SSL *s)
                              sizeof(DTLS1_SCTP_AUTH_LABEL),
                              DTLS1_SCTP_AUTH_LABEL);
 
-                    SSL_export_keying_material(s, sctpauthkey,
+                    if (SSL_export_keying_material(s, sctpauthkey,
                                                sizeof(sctpauthkey),
                                                labelbuffer,
                                                sizeof(labelbuffer), NULL, 0,
-                                               0);
+                                               0) <= 0) {
+                        ret = -1;
+                        s->state = SSL_ST_ERR;
+                        goto end;
+                    }
 
                     BIO_ctrl(SSL_get_wbio(s),
                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
@@ -493,9 +497,13 @@ int dtls1_connect(SSL *s)
             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                      DTLS1_SCTP_AUTH_LABEL);
 
-            SSL_export_keying_material(s, sctpauthkey,
+            if (SSL_export_keying_material(s, sctpauthkey,
                                        sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0);
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
+            }
 
             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                      sizeof(sctpauthkey), sctpauthkey);
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 19562e1..555bbdf 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -417,9 +417,13 @@ int dtls1_accept(SSL *s)
                 snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                          DTLS1_SCTP_AUTH_LABEL);
 
-                SSL_export_keying_material(s, sctpauthkey,
-                                           sizeof(sctpauthkey), labelbuffer,
-                                           sizeof(labelbuffer), NULL, 0, 0);
+                if (SSL_export_keying_material(s, sctpauthkey,
+                        sizeof(sctpauthkey), labelbuffer,
+                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                    ret = -1;
+                    s->state = SSL_ST_ERR;
+                    goto end;
+                }
 
                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                          sizeof(sctpauthkey), sctpauthkey);
@@ -606,9 +610,13 @@ int dtls1_accept(SSL *s)
             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                      DTLS1_SCTP_AUTH_LABEL);
 
-            SSL_export_keying_material(s, sctpauthkey,
+            if (SSL_export_keying_material(s, sctpauthkey,
                                        sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0);
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
+            }
 
             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                      sizeof(sctpauthkey), sctpauthkey);

From matt at openssl.org  Tue Aug 11 21:26:45 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 21:26:45 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439328405.003681.28472.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  0b12fa75c9df5c2c9c2f5094514323360c0af981 (commit)
       via  b3a62dc0323082b30121b3232c572a43172b47b9 (commit)
      from  512368c9ed4d53fb230000e83071eb81bf628b22 (commit)


- Log -----------------------------------------------------------------
commit 0b12fa75c9df5c2c9c2f5094514323360c0af981
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 19:38:39 2015 +0100

    Fix "make test" seg fault with SCTP enabled
    
    When config'd with "sctp" running "make test" causes a seg fault. This is
    actually due to the way ssltest works - it dives under the covers and frees
    up BIOs manually and so some BIOs are NULL when the SCTP code does not
    expect it. The simplest fix is just to add some sanity checks to make sure
    the BIOs aren't NULL before we use them.
    
    This problem occurs in master and 1.0.2. The fix has also been applied to
    1.0.1 to keep the code in sync.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit f75d5171be0b3b5419c8974133e1573cf976a8bb)

commit b3a62dc0323082b30121b3232c572a43172b47b9
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 19:36:43 2015 +0100

    Fix missing return value checks in SCTP
    
    There are some missing return value checks in the SCTP code. In master this
    was causing a compilation failure when config'd with
    "--strict-warnings sctp".
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit d8e8590ed90eba6ef651d09d77befb14f980de2c)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |  7 +++++--
 ssl/d1_clnt.c | 16 ++++++++++++----
 ssl/d1_srvr.c | 18 +++++++++++++-----
 3 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index b4ee7ab..c2c8d57 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1370,9 +1370,12 @@ int dtls1_shutdown(SSL *s)
 {
     int ret;
 #ifndef OPENSSL_NO_SCTP
-    if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
+    BIO *wbio;
+
+    wbio = SSL_get_wbio(s);
+    if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
         !(s->shutdown & SSL_SENT_SHUTDOWN)) {
-        ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
+        ret = BIO_dgram_sctp_wait_for_dry(wbio);
         if (ret < 0)
             return -1;
 
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 4c2ccbf..c84df98 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -366,11 +366,15 @@ int dtls1_connect(SSL *s)
                              sizeof(DTLS1_SCTP_AUTH_LABEL),
                              DTLS1_SCTP_AUTH_LABEL);
 
-                    SSL_export_keying_material(s, sctpauthkey,
+                    if (SSL_export_keying_material(s, sctpauthkey,
                                                sizeof(sctpauthkey),
                                                labelbuffer,
                                                sizeof(labelbuffer), NULL, 0,
-                                               0);
+                                               0) <= 0) {
+                        ret = -1;
+                        s->state = SSL_ST_ERR;
+                        goto end;
+                    }
 
                     BIO_ctrl(SSL_get_wbio(s),
                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
@@ -500,9 +504,13 @@ int dtls1_connect(SSL *s)
             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                      DTLS1_SCTP_AUTH_LABEL);
 
-            SSL_export_keying_material(s, sctpauthkey,
+            if (SSL_export_keying_material(s, sctpauthkey,
                                        sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0);
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
+            }
 
             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                      sizeof(sctpauthkey), sctpauthkey);
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 655333a..6c3bfb8 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -421,9 +421,13 @@ int dtls1_accept(SSL *s)
                 snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                          DTLS1_SCTP_AUTH_LABEL);
 
-                SSL_export_keying_material(s, sctpauthkey,
-                                           sizeof(sctpauthkey), labelbuffer,
-                                           sizeof(labelbuffer), NULL, 0, 0);
+                if (SSL_export_keying_material(s, sctpauthkey,
+                        sizeof(sctpauthkey), labelbuffer,
+                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                    ret = -1;
+                    s->state = SSL_ST_ERR;
+                    goto end;
+                }
 
                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                          sizeof(sctpauthkey), sctpauthkey);
@@ -635,9 +639,13 @@ int dtls1_accept(SSL *s)
             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                      DTLS1_SCTP_AUTH_LABEL);
 
-            SSL_export_keying_material(s, sctpauthkey,
+            if (SSL_export_keying_material(s, sctpauthkey,
                                        sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0);
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
+            }
 
             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                      sizeof(sctpauthkey), sctpauthkey);

From matt at openssl.org  Tue Aug 11 21:30:13 2015
From: matt at openssl.org (Matt Caswell)
Date: Tue, 11 Aug 2015 21:30:13 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1439328613.582206.32362.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  396e30044910df29b81a416de42a94eb4355cd70 (commit)
       via  402634f8aaf2f2c83b2cc648a0ae376247b029f4 (commit)
      from  b11980d79a52ec08844f08bea0e66c04b691840b (commit)


- Log -----------------------------------------------------------------
commit 396e30044910df29b81a416de42a94eb4355cd70
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 19:38:39 2015 +0100

    Fix "make test" seg fault with SCTP enabled
    
    When config'd with "sctp" running "make test" causes a seg fault. This is
    actually due to the way ssltest works - it dives under the covers and frees
    up BIOs manually and so some BIOs are NULL when the SCTP code does not
    expect it. The simplest fix is just to add some sanity checks to make sure
    the BIOs aren't NULL before we use them.
    
    This problem occurs in master and 1.0.2. The fix has also been applied to
    1.0.1 to keep the code in sync.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit f75d5171be0b3b5419c8974133e1573cf976a8bb)

commit 402634f8aaf2f2c83b2cc648a0ae376247b029f4
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 11 19:36:43 2015 +0100

    Fix missing return value checks in SCTP
    
    There are some missing return value checks in the SCTP code. In master this
    was causing a compilation failure when config'd with
    "--strict-warnings sctp".
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit d8e8590ed90eba6ef651d09d77befb14f980de2c)

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_both.c |  7 +++++--
 ssl/d1_clnt.c | 16 ++++++++++++----
 ssl/d1_srvr.c | 18 +++++++++++++-----
 3 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 8dd8ea3..d453c07 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1490,9 +1490,12 @@ int dtls1_shutdown(SSL *s)
 {
     int ret;
 #ifndef OPENSSL_NO_SCTP
-    if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
+    BIO *wbio;
+
+    wbio = SSL_get_wbio(s);
+    if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
         !(s->shutdown & SSL_SENT_SHUTDOWN)) {
-        ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
+        ret = BIO_dgram_sctp_wait_for_dry(wbio);
         if (ret < 0)
             return -1;
 
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 377c1e6..a9c4ed0 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -350,11 +350,15 @@ int dtls1_connect(SSL *s)
                              sizeof(DTLS1_SCTP_AUTH_LABEL),
                              DTLS1_SCTP_AUTH_LABEL);
 
-                    SSL_export_keying_material(s, sctpauthkey,
+                    if (SSL_export_keying_material(s, sctpauthkey,
                                                sizeof(sctpauthkey),
                                                labelbuffer,
                                                sizeof(labelbuffer), NULL, 0,
-                                               0);
+                                               0) <= 0) {
+                        ret = -1;
+                        s->state = SSL_ST_ERR;
+                        goto end;
+                    }
 
                     BIO_ctrl(SSL_get_wbio(s),
                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
@@ -484,9 +488,13 @@ int dtls1_connect(SSL *s)
             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                      DTLS1_SCTP_AUTH_LABEL);
 
-            SSL_export_keying_material(s, sctpauthkey,
+            if (SSL_export_keying_material(s, sctpauthkey,
                                        sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0);
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
+            }
 
             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                      sizeof(sctpauthkey), sctpauthkey);
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 41c7dc5..d716f0a 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -405,9 +405,13 @@ int dtls1_accept(SSL *s)
                 snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                          DTLS1_SCTP_AUTH_LABEL);
 
-                SSL_export_keying_material(s, sctpauthkey,
-                                           sizeof(sctpauthkey), labelbuffer,
-                                           sizeof(labelbuffer), NULL, 0, 0);
+                if (SSL_export_keying_material(s, sctpauthkey,
+                        sizeof(sctpauthkey), labelbuffer,
+                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                    ret = -1;
+                    s->state = SSL_ST_ERR;
+                    goto end;
+                }
 
                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                          sizeof(sctpauthkey), sctpauthkey);
@@ -628,9 +632,13 @@ int dtls1_accept(SSL *s)
             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                      DTLS1_SCTP_AUTH_LABEL);
 
-            SSL_export_keying_material(s, sctpauthkey,
+            if (SSL_export_keying_material(s, sctpauthkey,
                                        sizeof(sctpauthkey), labelbuffer,
-                                       sizeof(labelbuffer), NULL, 0, 0);
+                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+                ret = -1;
+                s->state = SSL_ST_ERR;
+                goto end;
+            }
 
             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                      sizeof(sctpauthkey), sctpauthkey);

From rsalz at openssl.org  Tue Aug 11 22:27:24 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 11 Aug 2015 22:27:24 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439332044.855632.29681.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ade44dcb16141c8a30ca6c56a1fd1a0b14dcc360 (commit)
      from  f75d5171be0b3b5419c8974133e1573cf976a8bb (commit)


- Log -----------------------------------------------------------------
commit ade44dcb16141c8a30ca6c56a1fd1a0b14dcc360
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 4 12:32:40 2015 -0400

    Remove Gost94 signature algorithm.
    
    This was obsolete in 2001.  This is not the same as Gost94 digest.
    Thanks to Dmitry Belyavsky <beldmit at gmail.com> for review and advice.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/s_cb.c                  |   1 -
 crypto/x509/x509type.c       |   1 -
 doc/apps/ciphers.pod         |   5 -
 engines/ccgost/Makefile      |  63 ++------
 engines/ccgost/e_gost_err.c  |  18 ---
 engines/ccgost/gost2001.c    |   1 -
 engines/ccgost/gost94_keyx.c | 281 ---------------------------------
 engines/ccgost/gost_ameth.c  | 316 +++----------------------------------
 engines/ccgost/gost_asn1.c   |  16 ++
 engines/ccgost/gost_crypt.c  |   1 -
 engines/ccgost/gost_eng.c    |  41 ++---
 engines/ccgost/gost_lcl.h    |  28 ++--
 engines/ccgost/gost_params.c | 129 +--------------
 engines/ccgost/gost_params.h |  34 ----
 engines/ccgost/gost_pmeth.c  | 164 +++----------------
 engines/ccgost/gost_sign.c   | 365 -------------------------------------------
 include/openssl/tls1.h       |   1 -
 ssl/s3_both.c                |   4 +-
 ssl/s3_clnt.c                |   3 +-
 ssl/s3_lib.c                 |  90 +----------
 ssl/s3_srvr.c                |  10 +-
 ssl/ssl_ciph.c               |  12 +-
 ssl/ssl_lib.c                |   5 -
 ssl/ssl_locl.h               |   3 -
 24 files changed, 118 insertions(+), 1474 deletions(-)
 delete mode 100644 engines/ccgost/gost94_keyx.c
 delete mode 100644 engines/ccgost/gost_params.h
 delete mode 100644 engines/ccgost/gost_sign.c

diff --git a/apps/s_cb.c b/apps/s_cb.c
index a14e00c..2a18f74 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -288,7 +288,6 @@ static STRINT_PAIR cert_type_list[] = {
     {"ECDSA sign", TLS_CT_ECDSA_SIGN},
     {"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
     {"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
-    {"GOST94 Sign", TLS_CT_GOST94_SIGN},
     {"GOST01 Sign", TLS_CT_GOST01_SIGN},
     {NULL}
 };
diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c
index 97e5bab..232ba9b 100644
--- a/crypto/x509/x509type.c
+++ b/crypto/x509/x509type.c
@@ -93,7 +93,6 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
     case EVP_PKEY_DH:
         ret = EVP_PK_DH | EVP_PKT_EXCH;
         break;
-    case NID_id_GostR3410_94:
     case NID_id_GostR3410_2001:
         ret = EVP_PKT_EXCH | EVP_PKT_SIGN;
         break;
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index d7b7bea..5a4a4fd 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -310,11 +310,6 @@ cipher suites using GOST R 34.10 (either 2001 or 94) for authentication
 
 cipher suites using GOST R 34.10-2001 authentication.
 
-=item B<aGOST94>
-
-cipher suites using GOST R 34.10-94 authentication (note that R 34.10-94
-standard has been expired so use GOST R 34.10-2001)
-
 =item B<kGOST>
 
 cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357.
diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
index 57b9c59..3c1e4f9 100644
--- a/engines/ccgost/Makefile
+++ b/engines/ccgost/Makefile
@@ -8,9 +8,9 @@ AR= ar r
 CFLAGS= $(INCLUDES) $(CFLAG)
 LIB=$(TOP)/libcrypto.a
 
-LIBSRC= gost2001.c gost2001_keyx.c gost89.c gost94_keyx.c gost_ameth.c gost_asn1.c gost_crypt.c gost_ctl.c gost_eng.c gosthash.c gost_keywrap.c gost_md.c gost_params.c gost_pmeth.c gost_sign.c
+LIBSRC= gost2001.c gost2001_keyx.c gost89.c gost_ameth.c gost_asn1.c gost_crypt.c gost_ctl.c gost_eng.c gosthash.c gost_keywrap.c gost_md.c gost_pmeth.c gost_params.c
 
-LIBOBJ= e_gost_err.o gost2001_keyx.o gost2001.o gost89.o gost94_keyx.o gost_ameth.o gost_asn1.o gost_crypt.o gost_ctl.o gost_eng.o gosthash.o gost_keywrap.o gost_md.o gost_params.o gost_pmeth.o gost_sign.o
+LIBOBJ= e_gost_err.o gost2001_keyx.o gost2001.o gost89.o gost_ameth.o gost_asn1.o gost_crypt.o gost_ctl.o gost_eng.o gosthash.o gost_keywrap.o gost_md.o gost_pmeth.o gost_params.o
 
 SRC=$(LIBSRC)
 
@@ -100,8 +100,7 @@ gost2001.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 gost2001.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 gost2001.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 gost2001.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-gost2001.o: e_gost_err.h gost2001.c gost89.h gost_lcl.h gost_params.h
-gost2001.o: gosthash.h
+gost2001.o: e_gost_err.h gost2001.c gost89.h gost_lcl.h gosthash.h
 gost2001_keyx.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 gost2001_keyx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 gost2001_keyx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -120,23 +119,6 @@ gost2001_keyx.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 gost2001_keyx.o: ../../include/openssl/x509_vfy.h e_gost_err.h gost2001_keyx.c
 gost2001_keyx.o: gost2001_keyx.h gost89.h gost_keywrap.h gost_lcl.h gosthash.h
 gost89.o: gost89.c gost89.h
-gost94_keyx.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-gost94_keyx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-gost94_keyx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-gost94_keyx.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-gost94_keyx.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-gost94_keyx.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-gost94_keyx.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-gost94_keyx.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-gost94_keyx.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-gost94_keyx.o: ../../include/openssl/opensslconf.h
-gost94_keyx.o: ../../include/openssl/opensslv.h
-gost94_keyx.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-gost94_keyx.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-gost94_keyx.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-gost94_keyx.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-gost94_keyx.o: ../../include/openssl/x509_vfy.h e_gost_err.h gost89.h
-gost94_keyx.o: gost94_keyx.c gost_keywrap.h gost_lcl.h gosthash.h
 gost_ameth.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 gost_ameth.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 gost_ameth.o: ../../include/openssl/buffer.h ../../include/openssl/cms.h
@@ -152,7 +134,7 @@ gost_ameth.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 gost_ameth.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 gost_ameth.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 gost_ameth.o: ../../include/openssl/x509_vfy.h e_gost_err.h gost89.h
-gost_ameth.o: gost_ameth.c gost_lcl.h gost_params.h gosthash.h
+gost_ameth.o: gost_ameth.c gost_lcl.h gosthash.h
 gost_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 gost_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 gost_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -229,14 +211,21 @@ gost_md.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 gost_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 gost_md.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 gost_md.o: e_gost_err.h gost89.h gost_lcl.h gost_md.c gosthash.h
-gost_params.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-gost_params.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+gost_params.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+gost_params.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+gost_params.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+gost_params.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+gost_params.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+gost_params.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+gost_params.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 gost_params.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 gost_params.o: ../../include/openssl/opensslconf.h
 gost_params.o: ../../include/openssl/opensslv.h
-gost_params.o: ../../include/openssl/ossl_typ.h
-gost_params.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-gost_params.o: ../../include/openssl/symhacks.h gost_params.c gost_params.h
+gost_params.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+gost_params.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+gost_params.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+gost_params.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+gost_params.o: gost89.h gost_lcl.h gost_params.c gosthash.h
 gost_pmeth.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 gost_pmeth.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 gost_pmeth.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
@@ -252,23 +241,5 @@ gost_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 gost_pmeth.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 gost_pmeth.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 gost_pmeth.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-gost_pmeth.o: e_gost_err.h gost89.h gost_lcl.h gost_params.h gost_pmeth.c
-gost_pmeth.o: gosthash.h
-gost_sign.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
-gost_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-gost_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-gost_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-gost_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
-gost_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-gost_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-gost_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-gost_sign.o: ../../include/openssl/objects.h
-gost_sign.o: ../../include/openssl/opensslconf.h
-gost_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-gost_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-gost_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-gost_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-gost_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-gost_sign.o: e_gost_err.h gost89.h gost_lcl.h gost_params.h gost_sign.c
-gost_sign.o: gosthash.h
+gost_pmeth.o: e_gost_err.h gost89.h gost_lcl.h gost_pmeth.c gosthash.h
 gosthash.o: gost89.h gosthash.c gosthash.h
diff --git a/engines/ccgost/e_gost_err.c b/engines/ccgost/e_gost_err.c
index 0afd913..d05ef61 100644
--- a/engines/ccgost/e_gost_err.c
+++ b/engines/ccgost/e_gost_err.c
@@ -73,7 +73,6 @@ static ERR_STRING_DATA GOST_str_functs[] = {
     {ERR_FUNC(GOST_F_DECODE_GOST_ALGOR_PARAMS), "DECODE_GOST_ALGOR_PARAMS"},
     {ERR_FUNC(GOST_F_ENCODE_GOST_ALGOR_PARAMS), "ENCODE_GOST_ALGOR_PARAMS"},
     {ERR_FUNC(GOST_F_FILL_GOST2001_PARAMS), "FILL_GOST2001_PARAMS"},
-    {ERR_FUNC(GOST_F_FILL_GOST94_PARAMS), "FILL_GOST94_PARAMS"},
     {ERR_FUNC(GOST_F_GET_ENCRYPTION_PARAMS), "GET_ENCRYPTION_PARAMS"},
     {ERR_FUNC(GOST_F_GOST2001_COMPUTE_PUBLIC), "GOST2001_COMPUTE_PUBLIC"},
     {ERR_FUNC(GOST_F_GOST2001_DO_SIGN), "GOST2001_DO_SIGN"},
@@ -83,37 +82,24 @@ static ERR_STRING_DATA GOST_str_functs[] = {
      "GOST89_GET_ASN1_PARAMETERS"},
     {ERR_FUNC(GOST_F_GOST89_SET_ASN1_PARAMETERS),
      "GOST89_SET_ASN1_PARAMETERS"},
-    {ERR_FUNC(GOST_F_GOST94_COMPUTE_PUBLIC), "GOST94_COMPUTE_PUBLIC"},
     {ERR_FUNC(GOST_F_GOST_CIPHER_CTL), "GOST_CIPHER_CTL"},
-    {ERR_FUNC(GOST_F_GOST_DO_SIGN), "GOST_DO_SIGN"},
-    {ERR_FUNC(GOST_F_GOST_DO_VERIFY), "GOST_DO_VERIFY"},
     {ERR_FUNC(GOST_F_GOST_IMIT_CTRL), "GOST_IMIT_CTRL"},
     {ERR_FUNC(GOST_F_GOST_IMIT_FINAL), "GOST_IMIT_FINAL"},
     {ERR_FUNC(GOST_F_GOST_IMIT_UPDATE), "GOST_IMIT_UPDATE"},
-    {ERR_FUNC(GOST_F_GOST_SIGN_KEYGEN), "GOST_SIGN_KEYGEN"},
     {ERR_FUNC(GOST_F_PARAM_COPY_GOST01), "PARAM_COPY_GOST01"},
-    {ERR_FUNC(GOST_F_PARAM_COPY_GOST94), "PARAM_COPY_GOST94"},
     {ERR_FUNC(GOST_F_PKEY_GOST01CP_DECRYPT), "PKEY_GOST01CP_DECRYPT"},
     {ERR_FUNC(GOST_F_PKEY_GOST01CP_ENCRYPT), "PKEY_GOST01CP_ENCRYPT"},
-    {ERR_FUNC(GOST_F_PKEY_GOST01CP_KEYGEN), "PKEY_GOST01CP_KEYGEN"},
     {ERR_FUNC(GOST_F_PKEY_GOST01_PARAMGEN), "PKEY_GOST01_PARAMGEN"},
     {ERR_FUNC(GOST_F_PKEY_GOST2001_DERIVE), "PKEY_GOST2001_DERIVE"},
-    {ERR_FUNC(GOST_F_PKEY_GOST94CP_DECRYPT), "PKEY_GOST94CP_DECRYPT"},
-    {ERR_FUNC(GOST_F_PKEY_GOST94CP_ENCRYPT), "PKEY_GOST94CP_ENCRYPT"},
-    {ERR_FUNC(GOST_F_PKEY_GOST94CP_KEYGEN), "PKEY_GOST94CP_KEYGEN"},
-    {ERR_FUNC(GOST_F_PKEY_GOST94_PARAMGEN), "PKEY_GOST94_PARAMGEN"},
     {ERR_FUNC(GOST_F_PKEY_GOST_CTRL), "PKEY_GOST_CTRL"},
     {ERR_FUNC(GOST_F_PKEY_GOST_CTRL01_STR), "PKEY_GOST_CTRL01_STR"},
-    {ERR_FUNC(GOST_F_PKEY_GOST_CTRL94_STR), "PKEY_GOST_CTRL94_STR"},
     {ERR_FUNC(GOST_F_PKEY_GOST_MAC_CTRL), "PKEY_GOST_MAC_CTRL"},
     {ERR_FUNC(GOST_F_PKEY_GOST_MAC_CTRL_STR), "PKEY_GOST_MAC_CTRL_STR"},
     {ERR_FUNC(GOST_F_PKEY_GOST_MAC_KEYGEN), "PKEY_GOST_MAC_KEYGEN"},
     {ERR_FUNC(GOST_F_PRINT_GOST_01), "PRINT_GOST_01"},
     {ERR_FUNC(GOST_F_PRIV_DECODE_GOST), "PRIV_DECODE_GOST"},
     {ERR_FUNC(GOST_F_PUB_DECODE_GOST01), "PUB_DECODE_GOST01"},
-    {ERR_FUNC(GOST_F_PUB_DECODE_GOST94), "PUB_DECODE_GOST94"},
     {ERR_FUNC(GOST_F_PUB_ENCODE_GOST01), "PUB_ENCODE_GOST01"},
-    {ERR_FUNC(GOST_F_UNPACK_CC_SIGNATURE), "UNPACK_CC_SIGNATURE"},
     {ERR_FUNC(GOST_F_UNPACK_CP_SIGNATURE), "UNPACK_CP_SIGNATURE"},
     {0, NULL}
 };
@@ -128,8 +114,6 @@ static ERR_STRING_DATA GOST_str_reasons[] = {
     {ERR_REASON(GOST_R_CTRL_CALL_FAILED), "ctrl call failed"},
     {ERR_REASON(GOST_R_ERROR_COMPUTING_SHARED_KEY),
      "error computing shared key"},
-    {ERR_REASON(GOST_R_ERROR_PACKING_KEY_TRANSPORT_INFO),
-     "error packing key transport info"},
     {ERR_REASON(GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO),
      "error parsing key transport info"},
     {ERR_REASON(GOST_R_INCOMPATIBLE_ALGORITHMS), "incompatible algorithms"},
@@ -137,11 +121,9 @@ static ERR_STRING_DATA GOST_str_reasons[] = {
     {ERR_REASON(GOST_R_INVALID_CIPHER_PARAMS), "invalid cipher params"},
     {ERR_REASON(GOST_R_INVALID_CIPHER_PARAM_OID), "invalid cipher param oid"},
     {ERR_REASON(GOST_R_INVALID_DIGEST_TYPE), "invalid digest type"},
-    {ERR_REASON(GOST_R_INVALID_GOST94_PARMSET), "invalid gost94 parmset"},
     {ERR_REASON(GOST_R_INVALID_IV_LENGTH), "invalid iv length"},
     {ERR_REASON(GOST_R_INVALID_MAC_KEY_LENGTH), "invalid mac key length"},
     {ERR_REASON(GOST_R_INVALID_PARAMSET), "invalid paramset"},
-    {ERR_REASON(GOST_R_KEY_IS_NOT_INITALIZED), "key is not initalized"},
     {ERR_REASON(GOST_R_KEY_IS_NOT_INITIALIZED), "key is not initialized"},
     {ERR_REASON(GOST_R_KEY_PARAMETERS_MISSING), "key parameters missing"},
     {ERR_REASON(GOST_R_MAC_KEY_NOT_SET), "mac key not set"},
diff --git a/engines/ccgost/gost2001.c b/engines/ccgost/gost2001.c
index 6d41f31..985795e 100644
--- a/engines/ccgost/gost2001.c
+++ b/engines/ccgost/gost2001.c
@@ -7,7 +7,6 @@
  *          Requires OpenSSL 0.9.9 for compilation                    *
  **********************************************************************/
 #include "gost_lcl.h"
-#include "gost_params.h"
 #include <string.h>
 #include <openssl/rand.h>
 #include <openssl/ecdsa.h>
diff --git a/engines/ccgost/gost94_keyx.c b/engines/ccgost/gost94_keyx.c
deleted file mode 100644
index b529c8e..0000000
--- a/engines/ccgost/gost94_keyx.c
+++ /dev/null
@@ -1,281 +0,0 @@
-/**********************************************************************
- *                             gost94_keyx.c                          *
- *             Copyright (c) 2005-2006 Cryptocom LTD                  *
- *         This file is distributed under the same license as OpenSSL *
- *                                                                    *
- *     Implements generation and parsing of GOST_KEY_TRANSPORT for    *
- *              GOST R 34.10-94 algorithms                            *
- *                                                                    *
- *          Requires OpenSSL 0.9.9 for compilation                    *
- **********************************************************************/
-#include <string.h>
-#include <openssl/dh.h>
-#include <openssl/rand.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-
-#include "gost89.h"
-#include "gosthash.h"
-#include "e_gost_err.h"
-#include "gost_keywrap.h"
-#include "gost_lcl.h"
-/* Common functions for both 94 and 2001 key exchange schemes */
-/*
- * Implementation of the Diffi-Hellman key agreement scheme based on GOST-94
- * keys
- */
-
-/*
- * Computes Diffie-Hellman key and stores it into buffer in little-endian
- * byte order as expected by both versions of GOST 94 algorithm
- */
-static int compute_pair_key_le(unsigned char *pair_key, BIGNUM *pub_key,
-                               DH *dh)
-{
-    unsigned char be_key[128];
-    int i, key_size;
-    key_size = DH_compute_key(be_key, pub_key, dh);
-    if (!key_size)
-        return 0;
-    memset(pair_key, 0, 128);
-    for (i = 0; i < key_size; i++) {
-        pair_key[i] = be_key[key_size - 1 - i];
-    }
-    return key_size;
-}
-
-/*
- * Computes 256 bit Key exchange key as specified in RFC 4357
- */
-static int make_cp_exchange_key(BIGNUM *priv_key, EVP_PKEY *pubk,
-                                unsigned char *shared_key)
-{
-    unsigned char dh_key[128];
-    int ret;
-    gost_hash_ctx hash_ctx;
-    DH *dh = DH_new();
-
-    if (!dh)
-        return 0;
-    memset(dh_key, 0, 128);
-    dh->g = BN_dup(pubk->pkey.dsa->g);
-    dh->p = BN_dup(pubk->pkey.dsa->p);
-    dh->priv_key = BN_dup(priv_key);
-    ret =
-        compute_pair_key_le(dh_key, ((DSA *)(EVP_PKEY_get0(pubk)))->pub_key,
-                            dh);
-    DH_free(dh);
-    if (!ret)
-        return 0;
-    init_gost_hash_ctx(&hash_ctx, &GostR3411_94_CryptoProParamSet);
-    start_hash(&hash_ctx);
-    hash_block(&hash_ctx, dh_key, 128);
-    finish_hash(&hash_ctx, shared_key);
-    done_gost_hash_ctx(&hash_ctx);
-    return 1;
-}
-
-/* EVP_PKEY_METHOD callback derive. Implements VKO R 34.10-94 */
-
-int pkey_gost94_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
-{
-    EVP_PKEY *pubk = EVP_PKEY_CTX_get0_peerkey(ctx);
-    EVP_PKEY *mykey = EVP_PKEY_CTX_get0_pkey(ctx);
-    *keylen = 32;
-    if (key == NULL)
-        return 1;
-
-    return make_cp_exchange_key(gost_get0_priv_key(mykey), pubk, key);
-}
-
-/*
- * EVP_PKEY_METHOD callback encrypt for GOST R 34.10-94 cryptopro
- * modification
- */
-
-int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                          size_t *outlen, const unsigned char *key,
-                          size_t key_len)
-{
-    GOST_KEY_TRANSPORT *gkt = NULL;
-    unsigned char shared_key[32], ukm[8], crypted_key[44];
-    const struct gost_cipher_info *param = get_encryption_params(NULL);
-    EVP_PKEY *pubk = EVP_PKEY_CTX_get0_pkey(ctx);
-    struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(ctx);
-    gost_ctx cctx;
-    int key_is_ephemeral = 1;
-    int tmp_outlen;
-    EVP_PKEY *mykey = EVP_PKEY_CTX_get0_peerkey(ctx);
-
-    /* Do not use vizir cipher parameters with cryptopro */
-    if (!get_gost_engine_param(GOST_PARAM_CRYPT_PARAMS)
-        && param == gost_cipher_list) {
-        param = gost_cipher_list + 1;
-    }
-
-    if (mykey) {
-        /* If key already set, it is not ephemeral */
-        key_is_ephemeral = 0;
-        if (!gost_get0_priv_key(mykey)) {
-            GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
-                    GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR);
-            goto err;
-        }
-    } else {
-        /* Otherwise generate ephemeral key */
-        key_is_ephemeral = 1;
-        if (out) {
-            mykey = EVP_PKEY_new();
-            EVP_PKEY_assign(mykey, EVP_PKEY_base_id(pubk), DSA_new());
-            EVP_PKEY_copy_parameters(mykey, pubk);
-            if (!gost_sign_keygen(EVP_PKEY_get0(mykey))) {
-                goto err;
-            }
-        }
-    }
-    if (out)
-        make_cp_exchange_key(gost_get0_priv_key(mykey), pubk, shared_key);
-    if (data->shared_ukm) {
-        memcpy(ukm, data->shared_ukm, 8);
-    } else if (out) {
-        if (RAND_bytes(ukm, 8) <= 0) {
-            GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
-                    GOST_R_RANDOM_GENERATOR_FAILURE);
-            goto err;
-        }
-    }
-
-    if (out) {
-        gost_init(&cctx, param->sblock);
-        keyWrapCryptoPro(&cctx, shared_key, ukm, key, crypted_key);
-    }
-    gkt = GOST_KEY_TRANSPORT_new();
-    if (!gkt) {
-        goto memerr;
-    }
-    if (!ASN1_OCTET_STRING_set(gkt->key_agreement_info->eph_iv, ukm, 8)) {
-        goto memerr;
-    }
-    if (!ASN1_OCTET_STRING_set(gkt->key_info->imit, crypted_key + 40, 4)) {
-        goto memerr;
-    }
-    if (!ASN1_OCTET_STRING_set
-        (gkt->key_info->encrypted_key, crypted_key + 8, 32)) {
-        goto memerr;
-    }
-    if (key_is_ephemeral) {
-        if (!X509_PUBKEY_set
-            (&gkt->key_agreement_info->ephem_key, out ? mykey : pubk)) {
-            GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
-                    GOST_R_CANNOT_PACK_EPHEMERAL_KEY);
-            goto err;
-        }
-        if (out)
-            EVP_PKEY_free(mykey);
-    }
-    ASN1_OBJECT_free(gkt->key_agreement_info->cipher);
-    gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid);
-    tmp_outlen = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL);
-    if (tmp_outlen <= 0) {
-        GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT,
-                GOST_R_ERROR_PACKING_KEY_TRANSPORT_INFO);
-        goto err;
-    }
-    *outlen = tmp_outlen;
-    if (!key_is_ephemeral) {
-        /* Set control "public key from client certificate used" */
-        if (EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) <=
-            0) {
-            GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT, GOST_R_CTRL_CALL_FAILED);
-            goto err;
-        }
-    }
-    GOST_KEY_TRANSPORT_free(gkt);
-    return 1;
- memerr:
-    if (key_is_ephemeral) {
-        EVP_PKEY_free(mykey);
-    }
-    GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT, ERR_R_MALLOC_FAILURE);
- err:
-    GOST_KEY_TRANSPORT_free(gkt);
-    return -1;
-}
-
-/*
- * EVP_PLEY_METHOD callback decrypt for GOST R 34.10-94 cryptopro
- * modification
- */
-int pkey_GOST94cp_decrypt(EVP_PKEY_CTX *ctx, unsigned char *key,
-                          size_t *key_len, const unsigned char *in,
-                          size_t in_len)
-{
-    const unsigned char *p = in;
-    GOST_KEY_TRANSPORT *gkt = NULL;
-    unsigned char wrappedKey[44];
-    unsigned char sharedKey[32];
-    gost_ctx cctx;
-    const struct gost_cipher_info *param = NULL;
-    EVP_PKEY *eph_key = NULL, *peerkey = NULL;
-    EVP_PKEY *priv = EVP_PKEY_CTX_get0_pkey(ctx);
-
-    if (!key) {
-        *key_len = 32;
-        return 1;
-    }
-
-    gkt = d2i_GOST_KEY_TRANSPORT(NULL, (const unsigned char **)&p, in_len);
-    if (!gkt) {
-        GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
-                GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO);
-        return 0;
-    }
-    eph_key = X509_PUBKEY_get(gkt->key_agreement_info->ephem_key);
-    if (eph_key) {
-        if (EVP_PKEY_derive_set_peer(ctx, eph_key) <= 0) {
-            GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
-                    GOST_R_INCOMPATIBLE_PEER_KEY);
-            goto err;
-        }
-    } else {
-        /* Set control "public key from client certificate used" */
-        if (EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) <=
-            0) {
-            GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT, GOST_R_CTRL_CALL_FAILED);
-            goto err;
-        }
-    }
-    peerkey = EVP_PKEY_CTX_get0_peerkey(ctx);
-    if (!peerkey) {
-        GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT, GOST_R_NO_PEER_KEY);
-        goto err;
-    }
-
-    param = get_encryption_params(gkt->key_agreement_info->cipher);
-    if (!param) {
-        goto err;
-    }
-
-    gost_init(&cctx, param->sblock);
-    OPENSSL_assert(gkt->key_agreement_info->eph_iv->length == 8);
-    memcpy(wrappedKey, gkt->key_agreement_info->eph_iv->data, 8);
-    OPENSSL_assert(gkt->key_info->encrypted_key->length == 32);
-    memcpy(wrappedKey + 8, gkt->key_info->encrypted_key->data, 32);
-    OPENSSL_assert(gkt->key_info->imit->length == 4);
-    memcpy(wrappedKey + 40, gkt->key_info->imit->data, 4);
-    make_cp_exchange_key(gost_get0_priv_key(priv), peerkey, sharedKey);
-    if (!keyUnwrapCryptoPro(&cctx, sharedKey, wrappedKey, key)) {
-        GOSTerr(GOST_F_PKEY_GOST94CP_DECRYPT,
-                GOST_R_ERROR_COMPUTING_SHARED_KEY);
-        goto err;
-    }
-
-    EVP_PKEY_free(eph_key);
-    GOST_KEY_TRANSPORT_free(gkt);
-    return 1;
- err:
-    EVP_PKEY_free(eph_key);
-    GOST_KEY_TRANSPORT_free(gkt);
-    return -1;
-}
diff --git a/engines/ccgost/gost_ameth.c b/engines/ccgost/gost_ameth.c
index 5ca3a6e..4f3bd90 100644
--- a/engines/ccgost/gost_ameth.c
+++ b/engines/ccgost/gost_ameth.c
@@ -16,23 +16,32 @@
 #ifndef OPENSSL_NO_CMS
 # include <openssl/cms.h>
 #endif
-#include "gost_params.h"
 #include "gost_lcl.h"
 #include "e_gost_err.h"
 
-int gost94_nid_by_params(DSA *p)
+
+/* Convert little-endian byte array into bignum */
+BIGNUM *hashsum2bn(const unsigned char *dgst)
 {
-    R3410_params *gost_params;
-    BIGNUM *q = BN_new();
-    for (gost_params = R3410_paramset; gost_params->q != NULL; gost_params++) {
-        BN_dec2bn(&q, gost_params->q);
-        if (!BN_cmp(q, p->q)) {
-            BN_free(q);
-            return gost_params->nid;
-        }
-    }
-    BN_free(q);
-    return NID_undef;
+    unsigned char buf[32];
+
+    BUF_reverse(buf, (unsigned char*)dgst, 32);
+    return BN_bin2bn(buf, 32, NULL);
+}
+
+/*
+ * Pack bignum into byte buffer of given size, filling all leading bytes by
+ * zeros
+ */
+int store_bignum(BIGNUM *bn, unsigned char *buf, int len)
+{
+    int bytes = BN_num_bytes(bn);
+
+    if (bytes > len)
+        return 0;
+    memset(buf, 0, len);
+    BN_bn2bin(bn, buf + len - bytes);
+    return 1;
 }
 
 static ASN1_STRING *encode_gost_algor_params(const EVP_PKEY *key)
@@ -53,17 +62,6 @@ static ASN1_STRING *encode_gost_algor_params(const EVP_PKEY *key)
             EC_GROUP_get_curve_name(EC_KEY_get0_group
                                     (EVP_PKEY_get0((EVP_PKEY *)key)));
         break;
-    case NID_id_GostR3410_94:
-        pkey_param_nid =
-            (int)gost94_nid_by_params(EVP_PKEY_get0((EVP_PKEY *)key));
-        if (pkey_param_nid == NID_undef) {
-            GOSTerr(GOST_F_ENCODE_GOST_ALGOR_PARAMS,
-                    GOST_R_INVALID_GOST94_PARMSET);
-            ASN1_STRING_free(params);
-            params = NULL;
-            goto err;
-        }
-        break;
     }
     gkp->key_params = OBJ_nid2obj(pkey_param_nid);
     gkp->hash_params = OBJ_nid2obj(NID_id_GostR3411_94_CryptoProParamSet);
@@ -120,18 +118,6 @@ static int decode_gost_algor_params(EVP_PKEY *pkey, X509_ALGOR *palg)
         return 0;
     }
     switch (pkey_nid) {
-    case NID_id_GostR3410_94:
-        {
-            DSA *dsa = EVP_PKEY_get0(pkey);
-            if (!dsa) {
-                dsa = DSA_new();
-                if (!EVP_PKEY_assign(pkey, pkey_nid, dsa))
-                    return 0;
-            }
-            if (!fill_GOST94_params(dsa, param_nid))
-                return 0;
-            break;
-        }
     case NID_id_GostR3410_2001:
         {
             EC_KEY *ec = EVP_PKEY_get0(pkey);
@@ -151,18 +137,6 @@ static int decode_gost_algor_params(EVP_PKEY *pkey, X509_ALGOR *palg)
 static int gost_set_priv_key(EVP_PKEY *pkey, BIGNUM *priv)
 {
     switch (EVP_PKEY_base_id(pkey)) {
-    case NID_id_GostR3410_94:
-        {
-            DSA *dsa = EVP_PKEY_get0(pkey);
-            if (!dsa) {
-                dsa = DSA_new();
-                EVP_PKEY_assign(pkey, EVP_PKEY_base_id(pkey), dsa);
-            }
-            dsa->priv_key = BN_dup(priv);
-            if (!EVP_PKEY_missing_parameters(pkey))
-                gost94_compute_public(dsa);
-            break;
-        }
     case NID_id_GostR3410_2001:
         {
             EC_KEY *ec = EVP_PKEY_get0(pkey);
@@ -183,16 +157,6 @@ static int gost_set_priv_key(EVP_PKEY *pkey, BIGNUM *priv)
 BIGNUM *gost_get0_priv_key(const EVP_PKEY *pkey)
 {
     switch (EVP_PKEY_base_id(pkey)) {
-    case NID_id_GostR3410_94:
-        {
-            DSA *dsa = EVP_PKEY_get0((EVP_PKEY *)pkey);
-            if (!dsa) {
-                return NULL;
-            }
-            if (!dsa->priv_key)
-                return NULL;
-            return dsa->priv_key;
-        }
     case NID_id_GostR3410_2001:
         {
             EC_KEY *ec = EVP_PKEY_get0((EVP_PKEY *)pkey);
@@ -277,11 +241,6 @@ static int pkey_ctrl_gost(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 }
 
 /* --------------------- free functions * ------------------------------*/
-static void pkey_free_gost94(EVP_PKEY *key)
-{
-    DSA_free(key->pkey.dsa);
-}
-
 static void pkey_free_gost01(EVP_PKEY *key)
 {
     EC_KEY_free(key->pkey.ec);
@@ -355,58 +314,6 @@ static int priv_encode_gost(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk)
 }
 
 /* --------- printing keys --------------------------------*/
-static int print_gost_94(BIO *out, const EVP_PKEY *pkey, int indent,
-                         ASN1_PCTX *pctx, int type)
-{
-    int param_nid = NID_undef;
-
-    if (type == 2) {
-        BIGNUM *key;
-
-        if (!BIO_indent(out, indent, 128))
-            return 0;
-        BIO_printf(out, "Private key: ");
-        key = gost_get0_priv_key(pkey);
-        if (!key)
-            BIO_printf(out, "<undefined>");
-        else
-            BN_print(out, key);
-        BIO_printf(out, "\n");
-    }
-    if (type >= 1) {
-        BIGNUM *pubkey;
-
-        pubkey = ((DSA *)EVP_PKEY_get0((EVP_PKEY *)pkey))->pub_key;
-        BIO_indent(out, indent, 128);
-        BIO_printf(out, "Public key: ");
-        BN_print(out, pubkey);
-        BIO_printf(out, "\n");
-    }
-
-    param_nid = gost94_nid_by_params(EVP_PKEY_get0((EVP_PKEY *)pkey));
-    BIO_indent(out, indent, 128);
-    BIO_printf(out, "Parameter set: %s\n", OBJ_nid2ln(param_nid));
-    return 1;
-}
-
-static int param_print_gost94(BIO *out, const EVP_PKEY *pkey, int indent,
-                              ASN1_PCTX *pctx)
-{
-    return print_gost_94(out, pkey, indent, pctx, 0);
-}
-
-static int pub_print_gost94(BIO *out, const EVP_PKEY *pkey, int indent,
-                            ASN1_PCTX *pctx)
-{
-    return print_gost_94(out, pkey, indent, pctx, 1);
-}
-
-static int priv_print_gost94(BIO *out, const EVP_PKEY *pkey, int indent,
-                             ASN1_PCTX *pctx)
-{
-    return print_gost_94(out, pkey, indent, pctx, 2);
-}
-
 static int print_gost_01(BIO *out, const EVP_PKEY *pkey, int indent,
                          ASN1_PCTX *pctx, int type)
 {
@@ -489,16 +396,6 @@ static int priv_print_gost01(BIO *out, const EVP_PKEY *pkey, int indent,
 }
 
 /* ---------------------------------------------------------------------*/
-static int param_missing_gost94(const EVP_PKEY *pk)
-{
-    const DSA *dsa = EVP_PKEY_get0((EVP_PKEY *)pk);
-    if (!dsa)
-        return 1;
-    if (!dsa->q)
-        return 1;
-    return 0;
-}
-
 static int param_missing_gost01(const EVP_PKEY *pk)
 {
     const EC_KEY *ec = EVP_PKEY_get0((EVP_PKEY *)pk);
@@ -509,33 +406,6 @@ static int param_missing_gost01(const EVP_PKEY *pk)
     return 0;
 }
 
-static int param_copy_gost94(EVP_PKEY *to, const EVP_PKEY *from)
-{
-    const DSA *dfrom = EVP_PKEY_get0((EVP_PKEY *)from);
-    DSA *dto = EVP_PKEY_get0(to);
-    if (EVP_PKEY_base_id(from) != EVP_PKEY_base_id(to)) {
-        GOSTerr(GOST_F_PARAM_COPY_GOST94, GOST_R_INCOMPATIBLE_ALGORITHMS);
-        return 0;
-    }
-    if (!dfrom) {
-        GOSTerr(GOST_F_PARAM_COPY_GOST94, GOST_R_KEY_PARAMETERS_MISSING);
-        return 0;
-    }
-    if (!dto) {
-        dto = DSA_new();
-        EVP_PKEY_assign(to, EVP_PKEY_base_id(from), dto);
-    }
-    BN_free(dto->p);
-    dto->p = BN_dup(dfrom->p);
-    BN_free(dto->q);
-    dto->q = BN_dup(dfrom->q);
-    BN_free(dto->g);
-    dto->g = BN_dup(dfrom->g);
-
-    if (dto->priv_key)
-        gost94_compute_public(dto);
-    return 1;
-}
 
 static int param_copy_gost01(EVP_PKEY *to, const EVP_PKEY *from)
 {
@@ -570,15 +440,6 @@ static int param_copy_gost01(EVP_PKEY *to, const EVP_PKEY *from)
     return 1;
 }
 
-static int param_cmp_gost94(const EVP_PKEY *a, const EVP_PKEY *b)
-{
-    const DSA *da = EVP_PKEY_get0((EVP_PKEY *)a);
-    const DSA *db = EVP_PKEY_get0((EVP_PKEY *)b);
-    if (!BN_cmp(da->q, db->q))
-        return 1;
-    return 0;
-}
-
 static int param_cmp_gost01(const EVP_PKEY *a, const EVP_PKEY *b)
 {
     if (EC_GROUP_get_curve_name
@@ -592,84 +453,6 @@ static int param_cmp_gost01(const EVP_PKEY *a, const EVP_PKEY *b)
 }
 
 /* ---------- Public key functions * --------------------------------------*/
-static int pub_decode_gost94(EVP_PKEY *pk, X509_PUBKEY *pub)
-{
-    X509_ALGOR *palg = NULL;
-    const unsigned char *pubkey_buf = NULL;
-    unsigned char *databuf;
-    ASN1_OBJECT *palgobj = NULL;
-    int pub_len, i, j;
-    DSA *dsa;
-    ASN1_OCTET_STRING *octet = NULL;
-
-    if (!X509_PUBKEY_get0_param(&palgobj, &pubkey_buf, &pub_len, &palg, pub))
-        return 0;
-    EVP_PKEY_assign(pk, OBJ_obj2nid(palgobj), NULL);
-    if (!decode_gost_algor_params(pk, palg))
-        return 0;
-    octet = d2i_ASN1_OCTET_STRING(NULL, &pubkey_buf, pub_len);
-    if (!octet) {
-        GOSTerr(GOST_F_PUB_DECODE_GOST94, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-    databuf = OPENSSL_malloc(octet->length);
-    if (databuf == NULL) {
-        GOSTerr(GOST_F_PUB_DECODE_GOST94, ERR_R_MALLOC_FAILURE);
-        ASN1_OCTET_STRING_free(octet);
-        return 0;
-    }
-    for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) {
-        databuf[j] = octet->data[i];
-    }
-    dsa = EVP_PKEY_get0(pk);
-    dsa->pub_key = BN_bin2bn(databuf, octet->length, NULL);
-    ASN1_OCTET_STRING_free(octet);
-    OPENSSL_free(databuf);
-    return 1;
-
-}
-
-static int pub_encode_gost94(X509_PUBKEY *pub, const EVP_PKEY *pk)
-{
-    ASN1_OBJECT *algobj = NULL;
-    ASN1_OCTET_STRING *octet = NULL;
-    void *pval = NULL;
-    unsigned char *buf = NULL, *databuf, *sptr;
-    int i, j, data_len, ret = 0;
-
-    int ptype = V_ASN1_UNDEF;
-    DSA *dsa = EVP_PKEY_get0((EVP_PKEY *)pk);
-    algobj = OBJ_nid2obj(EVP_PKEY_base_id(pk));
-    if (pk->save_parameters) {
-        ASN1_STRING *params = encode_gost_algor_params(pk);
-        pval = params;
-        ptype = V_ASN1_SEQUENCE;
-    }
-    data_len = BN_num_bytes(dsa->pub_key);
-    databuf = OPENSSL_malloc(data_len);
-    if (databuf == NULL) {
-        GOSTerr(GOST_F_PUB_ENCODE_GOST94, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-    BN_bn2bin(dsa->pub_key, databuf);
-    octet = ASN1_OCTET_STRING_new();
-    if (octet == NULL) {
-        GOSTerr(GOST_F_PUB_ENCODE_GOST94, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(databuf);
-        return 0;
-    }
-    ASN1_STRING_set(octet, NULL, data_len);
-    sptr = ASN1_STRING_data(octet);
-    for (i = 0, j = data_len - 1; i < data_len; i++, j--) {
-        sptr[i] = databuf[j];
-    }
-    OPENSSL_free(databuf);
-    ret = i2d_ASN1_OCTET_STRING(octet, &buf);
-    ASN1_BIT_STRING_free(octet);
-    if (ret < 0)
-        return 0;
-    return X509_PUBKEY_set0_param(pub, algobj, ptype, pval, buf, ret);
-}
 
 static int pub_decode_gost01(EVP_PKEY *pk, X509_PUBKEY *pub)
 {
@@ -808,17 +591,6 @@ static int pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk)
     return X509_PUBKEY_set0_param(pub, algobj, ptype, pval, buf, ret);
 }
 
-static int pub_cmp_gost94(const EVP_PKEY *a, const EVP_PKEY *b)
-{
-    const DSA *da = EVP_PKEY_get0((EVP_PKEY *)a);
-    const DSA *db = EVP_PKEY_get0((EVP_PKEY *)b);
-    if (da && db && da->pub_key && db->pub_key
-        && !BN_cmp(da->pub_key, db->pub_key)) {
-        return 1;
-    }
-    return 0;
-}
-
 static int pub_cmp_gost01(const EVP_PKEY *a, const EVP_PKEY *b)
 {
     const EC_KEY *ea = EVP_PKEY_get0((EVP_PKEY *)a);
@@ -861,12 +633,6 @@ static int mac_ctrl_gost(EVP_PKEY *pkey, int op, long arg1, void *arg2)
     return -2;
 }
 
-static int gost94_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
-{
-    int nid = gost94_nid_by_params(EVP_PKEY_get0((EVP_PKEY *)pkey));
-    return i2d_ASN1_OBJECT(OBJ_nid2obj(nid), pder);
-}
-
 static int gost2001_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
 {
     int nid =
@@ -875,27 +641,6 @@ static int gost2001_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
     return i2d_ASN1_OBJECT(OBJ_nid2obj(nid), pder);
 }
 
-static int gost94_param_decode(EVP_PKEY *pkey, const unsigned char **pder,
-                               int derlen)
-{
-    ASN1_OBJECT *obj = NULL;
-    DSA *dsa = EVP_PKEY_get0(pkey);
-    int nid;
-    if (d2i_ASN1_OBJECT(&obj, pder, derlen) == NULL) {
-        return 0;
-    }
-    nid = OBJ_obj2nid(obj);
-    ASN1_OBJECT_free(obj);
-    if (!dsa) {
-        dsa = DSA_new();
-        if (!EVP_PKEY_assign(pkey, NID_id_GostR3410_94, dsa))
-            return 0;
-    }
-    if (!fill_GOST94_params(dsa, nid))
-        return 0;
-    return 1;
-}
-
 static int gost2001_param_decode(EVP_PKEY *pkey, const unsigned char **pder,
                                  int derlen)
 {
@@ -925,23 +670,6 @@ int register_ameth_gost(int nid, EVP_PKEY_ASN1_METHOD **ameth,
     if (!*ameth)
         return 0;
     switch (nid) {
-    case NID_id_GostR3410_94:
-        EVP_PKEY_asn1_set_free(*ameth, pkey_free_gost94);
-        EVP_PKEY_asn1_set_private(*ameth,
-                                  priv_decode_gost, priv_encode_gost,
-                                  priv_print_gost94);
-
-        EVP_PKEY_asn1_set_param(*ameth,
-                                gost94_param_decode, gost94_param_encode,
-                                param_missing_gost94, param_copy_gost94,
-                                param_cmp_gost94, param_print_gost94);
-        EVP_PKEY_asn1_set_public(*ameth,
-                                 pub_decode_gost94, pub_encode_gost94,
-                                 pub_cmp_gost94, pub_print_gost94,
-                                 pkey_size_gost, pkey_bits_gost);
-
-        EVP_PKEY_asn1_set_ctrl(*ameth, pkey_ctrl_gost);
-        break;
     case NID_id_GostR3410_2001:
         EVP_PKEY_asn1_set_free(*ameth, pkey_free_gost01);
         EVP_PKEY_asn1_set_private(*ameth,
diff --git a/engines/ccgost/gost_asn1.c b/engines/ccgost/gost_asn1.c
index 1168633..0412d2c 100644
--- a/engines/ccgost/gost_asn1.c
+++ b/engines/ccgost/gost_asn1.c
@@ -54,3 +54,19 @@ ASN1_NDEF_SEQUENCE(GOST_CLIENT_KEY_EXCHANGE_PARAMS) = { /* FIXME incomplete */
 
 ASN1_NDEF_SEQUENCE_END(GOST_CLIENT_KEY_EXCHANGE_PARAMS)
 IMPLEMENT_ASN1_FUNCTIONS(GOST_CLIENT_KEY_EXCHANGE_PARAMS)
+
+/* Convert byte buffer to bignum, skipping leading zeros*/
+BIGNUM *getbnfrombuf(const unsigned char *buf, size_t len)
+{
+    BIGNUM *b;
+
+    while (*buf == 0 && len > 0) {
+        buf++;
+        len--;
+    }
+    if (len)
+        return BN_bin2bn(buf, len, NULL);
+    b = BN_new();
+    BN_zero(b);
+    return b;
+}
diff --git a/engines/ccgost/gost_crypt.c b/engines/ccgost/gost_crypt.c
index 5f50fcc..e2a2ff6 100644
--- a/engines/ccgost/gost_crypt.c
+++ b/engines/ccgost/gost_crypt.c
@@ -118,7 +118,6 @@ struct gost_cipher_info gost_cipher_list[] = {
     /*
      * {NID_id_GostR3411_94_CryptoProParamSet,&GostR3411_94_CryptoProParamSet,0},
      */
-    {NID_id_Gost28147_89_cc, &GostR3411_94_CryptoProParamSet, 0},
     {NID_id_Gost28147_89_CryptoPro_A_ParamSet, &Gost28147_CryptoProParamSetA,
      1},
     {NID_id_Gost28147_89_CryptoPro_B_ParamSet, &Gost28147_CryptoProParamSetB,
diff --git a/engines/ccgost/gost_eng.c b/engines/ccgost/gost_eng.c
index 5924791..4129260 100644
--- a/engines/ccgost/gost_eng.c
+++ b/engines/ccgost/gost_eng.c
@@ -19,6 +19,10 @@ static const char *engine_gost_id = "gost";
 static const char *engine_gost_name =
     "Reference implementation of GOST engine";
 
+static int gost_pkey_meth_nids[] = {
+    NID_id_GostR3410_2001, NID_id_Gost28147_89_MAC, 0
+};
+
 /* Symmetric cipher and digest function registrar */
 
 static int gost_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
@@ -38,15 +42,11 @@ static int gost_cipher_nids[] = { NID_id_Gost28147_89, NID_gost89_cnt, 0 };
 static int gost_digest_nids[] =
     { NID_id_GostR3411_94, NID_id_Gost28147_89_MAC, 0 };
 
-static int gost_pkey_meth_nids[] = { NID_id_GostR3410_94,
-    NID_id_GostR3410_2001, NID_id_Gost28147_89_MAC, 0
-};
-
-static EVP_PKEY_METHOD *pmeth_GostR3410_94 = NULL,
-    *pmeth_GostR3410_2001 = NULL, *pmeth_Gost28147_MAC = NULL;
+static EVP_PKEY_METHOD *pmeth_GostR3410_2001 = NULL;
+static EVP_PKEY_METHOD *pmeth_Gost28147_MAC = NULL;
 
-static EVP_PKEY_ASN1_METHOD *ameth_GostR3410_94 = NULL,
-    *ameth_GostR3410_2001 = NULL, *ameth_Gost28147_MAC = NULL;
+static EVP_PKEY_ASN1_METHOD *ameth_GostR3410_2001 = NULL;
+static EVP_PKEY_ASN1_METHOD *ameth_Gost28147_MAC = NULL;
 
 static int gost_engine_init(ENGINE *e)
 {
@@ -62,10 +62,8 @@ static int gost_engine_destroy(ENGINE *e)
 {
     gost_param_free();
 
-    pmeth_GostR3410_94 = NULL;
     pmeth_GostR3410_2001 = NULL;
     pmeth_Gost28147_MAC = NULL;
-    ameth_GostR3410_94 = NULL;
     ameth_GostR3410_2001 = NULL;
     ameth_Gost28147_MAC = NULL;
     return 1;
@@ -76,7 +74,7 @@ static int bind_gost(ENGINE *e, const char *id)
     int ret = 0;
     if (id && strcmp(id, engine_gost_id))
         return 0;
-    if (ameth_GostR3410_94) {
+    if (ameth_GostR3410_2001) {
         printf("GOST engine already loaded\n");
         goto end;
     }
@@ -121,10 +119,6 @@ static int bind_gost(ENGINE *e, const char *id)
     }
 
     if (!register_ameth_gost
-        (NID_id_GostR3410_94, &ameth_GostR3410_94, "GOST94",
-         "GOST R 34.10-94"))
-        goto end;
-    if (!register_ameth_gost
         (NID_id_GostR3410_2001, &ameth_GostR3410_2001, "GOST2001",
          "GOST R 34.10-2001"))
         goto end;
@@ -132,12 +126,9 @@ static int bind_gost(ENGINE *e, const char *id)
                              "GOST-MAC", "GOST 28147-89 MAC"))
         goto end;
 
-    if (!register_pmeth_gost(NID_id_GostR3410_94, &pmeth_GostR3410_94, 0))
-        goto end;
     if (!register_pmeth_gost(NID_id_GostR3410_2001, &pmeth_GostR3410_2001, 0))
         goto end;
-    if (!register_pmeth_gost
-        (NID_id_Gost28147_89_MAC, &pmeth_Gost28147_MAC, 0))
+    if (!register_pmeth_gost(NID_id_Gost28147_89_MAC, &pmeth_Gost28147_MAC, 0))
         goto end;
     if (!ENGINE_register_ciphers(e)
         || !ENGINE_register_digests(e)
@@ -208,13 +199,10 @@ static int gost_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 {
     if (!pmeth) {
         *nids = gost_pkey_meth_nids;
-        return 3;
+        return 2;
     }
 
     switch (nid) {
-    case NID_id_GostR3410_94:
-        *pmeth = pmeth_GostR3410_94;
-        return 1;
     case NID_id_GostR3410_2001:
         *pmeth = pmeth_GostR3410_2001;
         return 1;
@@ -233,12 +221,9 @@ static int gost_pkey_asn1_meths(ENGINE *e, EVP_PKEY_ASN1_METHOD **ameth,
 {
     if (!ameth) {
         *nids = gost_pkey_meth_nids;
-        return 3;
+        return 2;
     }
     switch (nid) {
-    case NID_id_GostR3410_94:
-        *ameth = ameth_GostR3410_94;
-        return 1;
     case NID_id_GostR3410_2001:
         *ameth = ameth_GostR3410_2001;
         return 1;
@@ -269,7 +254,7 @@ static ENGINE *engine_gost(void)
 void ENGINE_load_gost(void)
 {
     ENGINE *toadd;
-    if (pmeth_GostR3410_94)
+    if (pmeth_GostR3410_2001)
         return;
     toadd = engine_gost();
     if (!toadd)
diff --git a/engines/ccgost/gost_lcl.h b/engines/ccgost/gost_lcl.h
index 3a2c7d5..27fe0e7 100644
--- a/engines/ccgost/gost_lcl.h
+++ b/engines/ccgost/gost_lcl.h
@@ -23,6 +23,18 @@
 # define GOST_PARAM_MAX 0
 # define GOST_CTRL_CRYPT_PARAMS (ENGINE_CMD_BASE+GOST_PARAM_CRYPT_PARAMS)
 
+typedef struct R3410_2001 {
+    int nid;
+    char *a;
+    char *b;
+    char *p;
+    char *q;
+    char *x;
+    char *y;
+} R3410_2001_params;
+
+extern R3410_2001_params R3410_2001_paramset[];
+
 extern const ENGINE_CMD_DEFN gost_cmds[];
 int gost_control_func(ENGINE *e, int cmd, long i, void *p, void (*f) (void));
 const char *get_gost_engine_param(int param);
@@ -167,14 +179,6 @@ extern EVP_CIPHER cipher_gost_cpacnt;
 # define EVP_MD_CTRL_KEY_LEN (EVP_MD_CTRL_ALG_CTRL+3)
 # define EVP_MD_CTRL_SET_KEY (EVP_MD_CTRL_ALG_CTRL+4)
 /* EVP_PKEY_METHOD key encryption callbacks */
-/* From gost94_keyx.c */
-int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                          size_t *outlen, const unsigned char *key,
-                          size_t key_len);
-
-int pkey_GOST94cp_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                          size_t *outlen, const unsigned char *in,
-                          size_t in_len);
 /* From gost2001_keyx.c */
 int pkey_GOST01cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
                           size_t *outlen, const unsigned char *key,
@@ -187,10 +191,7 @@ int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
 /* From gost2001_keyx.c */
 int pkey_gost2001_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
                          size_t *keylen);
-/* From gost94_keyx.c */
-int pkey_gost94_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
 /* Internal functions for signature algorithms */
-int fill_GOST94_params(DSA *dsa, int nid);
 int fill_GOST2001_params(EC_KEY *eckey, int nid);
 int gost_sign_keygen(DSA *dsa);
 int gost2001_keygen(EC_KEY *ec);
@@ -203,7 +204,6 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len,
 int gost2001_do_verify(const unsigned char *dgst, int dgst_len,
                        DSA_SIG *sig, EC_KEY *ec);
 int gost2001_compute_public(EC_KEY *ec);
-int gost94_compute_public(DSA *dsa);
 /*============== miscellaneous functions============================= */
 /* from gost_sign.c */
 /* Convert GOST R 34.11 hash sum to bignum according to standard */
@@ -220,10 +220,8 @@ int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen);
 /* Unpack GOST R 34.10 signature according to CryptoPro rules */
 DSA_SIG *unpack_cp_signature(const unsigned char *sig, size_t siglen);
 /* from ameth.c */
-/* Get private key as BIGNUM from both R 34.10-94 and R 34.10-2001  keys*/
+/* Get private key as BIGNUM from both 34.10-2001 keys*/
 /* Returns pointer into EVP_PKEY structure */
 BIGNUM *gost_get0_priv_key(const EVP_PKEY *pkey);
-/* Find NID by GOST 94 parameters */
-int gost94_nid_by_params(DSA *p);
 
 #endif
diff --git a/engines/ccgost/gost_params.c b/engines/ccgost/gost_params.c
index 0411534..2371c9a 100644
--- a/engines/ccgost/gost_params.c
+++ b/engines/ccgost/gost_params.c
@@ -7,138 +7,11 @@
  *         OpenSSL 0.9.9 libraries required to compile and use        *
  *                              this code                             *
  **********************************************************************/
-#include "gost_params.h"
+#include "gost_lcl.h"
 #include <openssl/objects.h>
 /* Parameters of GOST 34.10 */
 
-R3410_params R3410_paramset[] = {
-/* Paramset A */
-    {NID_id_GostR3410_94_CryptoPro_A_ParamSet,
-     "100997906755055304772081815535925224869"
-     "8410825720534578748235158755771479905292727772441528526992987964833"
-     "5669968284202797289605274717317548059048560713474685214192868091256"
-     "1502802222185647539190902656116367847270145019066794290930185446216"
-     "3997308722217328898303231940973554032134009725883228768509467406639"
-     "62",
-     "127021248288932417465907042777176443525"
-     "7876535089165358128175072657050312609850984974231883334834011809259"
-     "9999512098893413065920561499672425412104927434935707492031276956145"
-     "1689224110579311248812610229678534638401693520013288995000362260684"
-     "2227508135323070045173416336850045410625869714168836867788425378203"
-     "83",
-     "683631961449557007844441656118272528951"
-     "02170888761442055095051287550314083023"}
-    ,
-    {NID_id_GostR3410_94_CryptoPro_B_ParamSet,
-     "429418261486158041438734477379555023926"
-     "7234596860714306679811299408947123142002706038521669956384871995765"
-     "7284814898909770759462613437669456364882730370838934791080835932647"
-     "9767786019153434744009610342313166725786869204821949328786333602033"
-     "8479709268434224762105576023501613261478065276102850944540333865234"
-     "1",
-     "139454871199115825601409655107690713107"
-     "0417070599280317977580014543757653577229840941243685222882398330391"
-     "1468164807668823692122073732267216074074777170091113455043205380464"
-     "7694904686120113087816240740184800477047157336662926249423571248823"
-     "9685422217536601433914856808405203368594584948031873412885804895251"
-     "63",
-     "79885141663410976897627118935756323747307951916507639758300472692338873533959"}
-    ,
-    {NID_id_GostR3410_94_CryptoPro_C_ParamSet,
-     "816552717970881016017893191415300348226"
-     "2544051353358162468249467681876621283478212884286545844013955142622"
-     "2087723485023722868022275009502224827866201744494021697716482008353"
-     "6398202298024892620480898699335508064332313529725332208819456895108"
-     "5155178100221003459370588291073071186553005962149936840737128710832"
-     "3",
-     "110624679233511963040518952417017040248"
-     "5862954819831383774196396298584395948970608956170224210628525560327"
-     "8638246716655439297654402921844747893079518669992827880792192992701"
-     "1428546551433875806377110443534293554066712653034996277099320715774"
-     "3542287621283671843703709141350171945045805050291770503634517804938"
-     "01",
-     "113468861199819350564868233378875198043"
-     "267947776488510997961231672532899549103"}
-    ,
-    {NID_id_GostR3410_94_CryptoPro_D_ParamSet,
-     "756976611021707301782128757801610628085"
-     "5283803109571158829574281419208532589041660017017859858216341400371"
-     "4687551412794400562878935266630754392677014598582103365983119173924"
-     "4732511225464712252386803315902707727668715343476086350472025298282"
-     "7271461690125050616858238384366331089777463541013033926723743254833"
-     "7",
-     "905457649621929965904290958774625315611"
-     "3056083907389766971404812524422262512556054474620855996091570786713"
-     "5849550236741915584185990627801066465809510095784713989819413820871"
-     "5964648914493053407920737078890520482730623038837767710173664838239"
-     "8574828787891286471201460474326612697849693665518073864436497893214"
-     "9",
-     "108988435796353506912374591498972192620"
-     "190487557619582334771735390599299211593"}
-    ,
-
-    {NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,
-     "1335318132727206734338595199483190012179423759678474868994823595993"
-     "6964252873471246159040332773182141032801252925387191478859899310331"
-     "0567744136196364803064721377826656898686468463277710150809401182608"
-     "7702016153249904683329312949209127762411378780302243557466062839716"
-     "59376426832674269780880061631528163475887",
-     "14201174159756348119636828602231808974327613839524373876287257344192"
-     "74593935127189736311660784676003608489466235676257952827747192122419"
-     "29071046134208380636394084512691828894000571524625445295769349356752"
-     "72895683154177544176313938445719175509684710784659566254794231229333"
-     "8483924514339614727760681880609734239",
-     "91771529896554605945588149018382750217296858393520724172743325725474"
-     "374979801"}
-    ,
-    {NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,
-     "8890864727828423151699995801875757891031463338652579140051973659"
-     "3048131440685857067369829407947744496306656291505503608252399443"
-     "7900272386749145996230867832228661977543992816745254823298629859"
-     "8753575466286051738837854736167685769017780335804511440773337196"
-     "2538423532919394477873664752824509986617878992443177",
-     "1028946126624994859676552074360530315217970499989304888248413244"
-     "8474923022758470167998871003604670704877377286176171227694098633"
-     "1539089568784129110109512690503345393869871295783467257264868341"
-     "7200196629860561193666752429682367397084815179752036423595736533"
-     "68957392061769855284593965042530895046088067160269433",
-     "9109671391802626916582318050603555673628769498182593088388796888"
-     "5281641595199"}
-    ,
-    {NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,
-     "4430618464297584182473135030809859326863990650118941756995270074"
-     "8609973181426950235239623239110557450826919295792878938752101867"
-     "7047181623251027516953100431855964837602657827828194249605561893"
-     "6965865325513137194483136247773653468410118796740709840825496997"
-     "9375560722345106704721086025979309968763193072908334",
-     "1246996366993477513607147265794064436203408861395055989217248455"
-     "7299870737698999651480662364723992859320868822848751165438350943"
-     "3276647222625940615560580450040947211826027729977563540237169063"
-     "0448079715771649447778447000597419032457722226253269698374446528"
-     "35352729304393746106576383349151001715930924115499549",
-     "6787876137336591234380295020065682527118129468050147943114675429"
-     "4748422492761"}
-    ,
-
-    {NID_undef, NULL, NULL, NULL}
-};
-
 R3410_2001_params R3410_2001_paramset[] = {
-    /* default_cc_sign01_param 1.2.643.2.9.1.8.1 */
-    {NID_id_GostR3410_2001_ParamSet_cc,
-     /* A */
-     "C0000000000000000000000000000000000000000000000000000000000003c4",
-     /* B */
-     "2d06B4265ebc749ff7d0f1f1f88232e81632e9088fd44b7787d5e407e955080c",
-     /* P */
-     "C0000000000000000000000000000000000000000000000000000000000003C7",
-     /* Q */
-     "5fffffffffffffffffffffffffffffff606117a2f4bde428b7458a54b6e87b85",
-     /* X */
-     "2",
-     /* Y */
-     "a20e034bf8813ef5c18d01105e726a17eb248b264ae9706f440bedc8ccb6b22c"}
-    ,
     /* 1.2.643.2.2.35.0 */
     {NID_id_GostR3410_2001_TestParamSet,
      "7",
diff --git a/engines/ccgost/gost_params.h b/engines/ccgost/gost_params.h
deleted file mode 100644
index 0773cbf..0000000
--- a/engines/ccgost/gost_params.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/**********************************************************************
- *                        gost_params.h                               *
- *             Copyright (c) 2005-2006 Cryptocom LTD                  *
- *       This file is distributed under the same license as OpenSSL   *
- *                                                                    *
- *       Declaration of structures used to represent  GOST R 34.10    *
- *                     parameter sets, defined in RFC 4357                *
- *         OpenSSL 0.9.9 libraries required to compile and use        *
- *                              this code                             *
- **********************************************************************/
-#ifndef GOST_PARAMSET_H
-# define GOST_PARAMSET_H
-typedef struct R3410 {
-    int nid;
-    char *a;
-    char *p;
-    char *q;
-} R3410_params;
-
-extern R3410_params R3410_paramset[];
-
-typedef struct R3410_2001 {
-    int nid;
-    char *a;
-    char *b;
-    char *p;
-    char *q;
-    char *x;
-    char *y;
-} R3410_2001_params;
-
-extern R3410_2001_params R3410_2001_paramset[];
-
-#endif
diff --git a/engines/ccgost/gost_pmeth.c b/engines/ccgost/gost_pmeth.c
index af1d29e..0574d6e 100644
--- a/engines/ccgost/gost_pmeth.c
+++ b/engines/ccgost/gost_pmeth.c
@@ -15,7 +15,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
-#include "gost_params.h"
 #include "gost_lcl.h"
 #include "e_gost_err.h"
 /* -----init, cleanup, copy - uniform for all algs  ---------------*/
@@ -31,9 +30,6 @@ static int pkey_gost_init(EVP_PKEY_CTX *ctx)
     memset(data, 0, sizeof(*data));
     if (pkey && EVP_PKEY_get0(pkey)) {
         switch (EVP_PKEY_base_id(pkey)) {
-        case NID_id_GostR3410_94:
-            data->sign_param_nid = gost94_nid_by_params(EVP_PKEY_get0(pkey));
-            break;
         case NID_id_GostR3410_2001:
             data->sign_param_nid =
                 EC_GROUP_get_curve_name(EC_KEY_get0_group
@@ -126,69 +122,6 @@ static int pkey_gost_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
     return -2;
 }
 
-static int pkey_gost_ctrl94_str(EVP_PKEY_CTX *ctx,
-                                const char *type, const char *value)
-{
-    int param_nid = 0;
-
-    if (strcmp(type, param_ctrl_string) == 0) {
-        if (!value) {
-            return 0;
-        }
-        if (strlen(value) == 1) {
-            switch (toupper((unsigned char)value[0])) {
-            case 'A':
-                param_nid = NID_id_GostR3410_94_CryptoPro_A_ParamSet;
-                break;
-            case 'B':
-                param_nid = NID_id_GostR3410_94_CryptoPro_B_ParamSet;
-                break;
-            case 'C':
-                param_nid = NID_id_GostR3410_94_CryptoPro_C_ParamSet;
-                break;
-            case 'D':
-                param_nid = NID_id_GostR3410_94_CryptoPro_D_ParamSet;
-                break;
-            default:
-                return 0;
-            }
-        } else if ((strlen(value) == 2)
-                   && (toupper((unsigned char)value[0]) == 'X')) {
-            switch (toupper((unsigned char)value[1])) {
-            case 'A':
-                param_nid = NID_id_GostR3410_94_CryptoPro_XchA_ParamSet;
-                break;
-            case 'B':
-                param_nid = NID_id_GostR3410_94_CryptoPro_XchB_ParamSet;
-                break;
-            case 'C':
-                param_nid = NID_id_GostR3410_94_CryptoPro_XchC_ParamSet;
-                break;
-            default:
-                return 0;
-            }
-        } else {
-            R3410_params *p = R3410_paramset;
-            param_nid = OBJ_txt2nid(value);
-            if (param_nid == NID_undef) {
-                return 0;
-            }
-            for (; p->nid != NID_undef; p++) {
-                if (p->nid == param_nid)
-                    break;
-            }
-            if (p->nid == NID_undef) {
-                GOSTerr(GOST_F_PKEY_GOST_CTRL94_STR, GOST_R_INVALID_PARAMSET);
-                return 0;
-            }
-        }
-
-        return pkey_gost_ctrl(ctx, EVP_PKEY_CTRL_GOST_PARAMSET,
-                              param_nid, NULL);
-    }
-    return -2;
-}
-
 static int pkey_gost_ctrl01_str(EVP_PKEY_CTX *ctx,
                                 const char *type, const char *value)
 {
@@ -256,23 +189,6 @@ static int pkey_gost_paramgen_init(EVP_PKEY_CTX *ctx)
     return 1;
 }
 
-static int pkey_gost94_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-    struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(ctx);
-    DSA *dsa = NULL;
-    if (data->sign_param_nid == NID_undef) {
-        GOSTerr(GOST_F_PKEY_GOST94_PARAMGEN, GOST_R_NO_PARAMETERS_SET);
-        return 0;
-    }
-    dsa = DSA_new();
-    if (!fill_GOST94_params(dsa, data->sign_param_nid)) {
-        DSA_free(dsa);
-        return 0;
-    }
-    EVP_PKEY_assign(pkey, NID_id_GostR3410_94, dsa);
-    return 1;
-}
-
 static int pkey_gost01_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
     struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(ctx);
@@ -292,17 +208,6 @@ static int pkey_gost01_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     return 1;
 }
 
-/* Generates Gost_R3410_94_cp key */
-static int pkey_gost94cp_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-    DSA *dsa;
-    if (!pkey_gost94_paramgen(ctx, pkey))
-        return 0;
-    dsa = EVP_PKEY_get0(pkey);
-    gost_sign_keygen(dsa);
-    return 1;
-}
-
 /* Generates GOST_R3410 2001 key and assigns it using specified type */
 static int pkey_gost01cp_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 {
@@ -315,26 +220,21 @@ static int pkey_gost01cp_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
 }
 
 /* ----------- sign callbacks --------------------------------------*/
-
-static int pkey_gost94_cp_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
-                               size_t *siglen, const unsigned char *tbs,
-                               size_t tbs_len)
+/*
+ * Packs signature according to Cryptopro rules
+ * and frees up DSA_SIG structure
+ */
+int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen)
 {
-    DSA_SIG *unpacked_sig = NULL;
-    EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx);
-    if (!siglen)
-        return 0;
-    if (!sig) {
-        *siglen = 64;           /* better to check size of pkey->pkey.dsa-q */
-        return 1;
-    }
-    unpacked_sig = gost_do_sign(tbs, tbs_len, EVP_PKEY_get0(pkey));
-    if (!unpacked_sig) {
-        return 0;
-    }
-    return pack_sign_cp(unpacked_sig, 32, sig, siglen);
+    *siglen = 2 * order;
+    memset(sig, 0, *siglen);
+    store_bignum(s->s, sig, order);
+    store_bignum(s->r, sig + order, order);
+    DSA_SIG_free(s);
+    return 1;
 }
 
+
 static int pkey_gost01_cp_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
                                size_t *siglen, const unsigned char *tbs,
                                size_t tbs_len)
@@ -355,22 +255,22 @@ static int pkey_gost01_cp_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
 }
 
 /* ------------------- verify callbacks ---------------------------*/
-
-static int pkey_gost94_cp_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig,
-                                 size_t siglen, const unsigned char *tbs,
-                                 size_t tbs_len)
+/* Unpack signature according to cryptopro rules  */
+DSA_SIG *unpack_cp_signature(const unsigned char *sig, size_t siglen)
 {
-    int ok = 0;
-    EVP_PKEY *pub_key = EVP_PKEY_CTX_get0_pkey(ctx);
-    DSA_SIG *s = unpack_cp_signature(sig, siglen);
-    if (!s)
-        return 0;
-    if (pub_key)
-        ok = gost_do_verify(tbs, tbs_len, s, EVP_PKEY_get0(pub_key));
-    DSA_SIG_free(s);
-    return ok;
+    DSA_SIG *s;
+
+    s = DSA_SIG_new();
+    if (s == NULL) {
+        GOSTerr(GOST_F_UNPACK_CP_SIGNATURE, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    s->s = BN_bin2bn(sig, siglen / 2, NULL);
+    s->r = BN_bin2bn(sig + siglen / 2, siglen / 2, NULL);
+    return s;
 }
 
+
 static int pkey_gost01_cp_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig,
                                  size_t siglen, const unsigned char *tbs,
                                  size_t tbs_len)
@@ -570,20 +470,6 @@ int register_pmeth_gost(int id, EVP_PKEY_METHOD **pmeth, int flags)
         return 0;
 
     switch (id) {
-    case NID_id_GostR3410_94:
-        EVP_PKEY_meth_set_ctrl(*pmeth, pkey_gost_ctrl, pkey_gost_ctrl94_str);
-        EVP_PKEY_meth_set_keygen(*pmeth, NULL, pkey_gost94cp_keygen);
-        EVP_PKEY_meth_set_sign(*pmeth, NULL, pkey_gost94_cp_sign);
-        EVP_PKEY_meth_set_verify(*pmeth, NULL, pkey_gost94_cp_verify);
-        EVP_PKEY_meth_set_encrypt(*pmeth,
-                                  pkey_gost_encrypt_init,
-                                  pkey_GOST94cp_encrypt);
-        EVP_PKEY_meth_set_decrypt(*pmeth, NULL, pkey_GOST94cp_decrypt);
-        EVP_PKEY_meth_set_derive(*pmeth,
-                                 pkey_gost_derive_init, pkey_gost94_derive);
-        EVP_PKEY_meth_set_paramgen(*pmeth, pkey_gost_paramgen_init,
-                                   pkey_gost94_paramgen);
-        break;
     case NID_id_GostR3410_2001:
         EVP_PKEY_meth_set_ctrl(*pmeth, pkey_gost_ctrl, pkey_gost_ctrl01_str);
         EVP_PKEY_meth_set_sign(*pmeth, NULL, pkey_gost01_cp_sign);
diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c
deleted file mode 100644
index 543c399..0000000
--- a/engines/ccgost/gost_sign.c
+++ /dev/null
@@ -1,365 +0,0 @@
-/**********************************************************************
- *                          gost_sign.c                               *
- *             Copyright (c) 2005-2006 Cryptocom LTD                  *
- *         This file is distributed under the same license as OpenSSL *
- *                                                                    *
- *       Implementation of GOST R 34.10-94 signature algorithm        *
- *       for OpenSSL                                                  *
- *          Requires OpenSSL 0.9.9 for compilation                    *
- **********************************************************************/
-#include <string.h>
-#include <openssl/rand.h>
-#include <openssl/bn.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-
-#include "gost_params.h"
-#include "gost_lcl.h"
-#include "e_gost_err.h"
-
-#ifdef DEBUG_SIGN
-void dump_signature(const char *message, const unsigned char *buffer,
-                    size_t len)
-{
-    size_t i;
-    fprintf(stderr, "signature %s Length=%d", message, len);
-    for (i = 0; i < len; i++) {
-        if (i % 16 == 0)
-            fputc('\n', stderr);
-        fprintf(stderr, " %02x", buffer[i]);
-    }
-    fprintf(stderr, "\nEnd of signature\n");
-}
-
-void dump_dsa_sig(const char *message, DSA_SIG *sig)
-{
-    fprintf(stderr, "%s\nR=", message);
-    BN_print_fp(stderr, sig->r);
-    fprintf(stderr, "\nS=");
-    BN_print_fp(stderr, sig->s);
-    fprintf(stderr, "\n");
-}
-
-#else
-
-# define dump_signature(a,b,c)
-# define dump_dsa_sig(a,b)
-#endif
-
-/*
- * Computes signature and returns it as DSA_SIG structure
- */
-DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
-{
-    BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL;
-    DSA_SIG *newsig = NULL, *ret = NULL;
-    BIGNUM *md = hashsum2bn(dgst);
-    /* check if H(M) mod q is zero */
-    BN_CTX *ctx = BN_CTX_new();
-    if (!ctx) {
-        GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    BN_CTX_start(ctx);
-    newsig = DSA_SIG_new();
-    if (!newsig) {
-        GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    tmp = BN_CTX_get(ctx);
-    k = BN_CTX_get(ctx);
-    tmp2 = BN_CTX_get(ctx);
-    if (!tmp || !k || !tmp2) {
-        GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    BN_mod(tmp, md, dsa->q, ctx);
-    if (BN_is_zero(tmp)) {
-        BN_one(md);
-    }
-    do {
-        do {
-            /*
-             * Generate random number k less than q
-             */
-            BN_rand_range(k, dsa->q);
-            /* generate r = (a^x mod p) mod q */
-            BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx);
-            if (!(newsig->r)) {
-                newsig->r = BN_new();
-                if (!newsig->r) {
-                    GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
-                    goto err;
-                }
-            }
-            BN_mod(newsig->r, tmp, dsa->q, ctx);
-        }
-        while (BN_is_zero(newsig->r));
-        /* generate s = (xr + k(Hm)) mod q */
-        BN_mod_mul(tmp, dsa->priv_key, newsig->r, dsa->q, ctx);
-        BN_mod_mul(tmp2, k, md, dsa->q, ctx);
-        if (!newsig->s) {
-            newsig->s = BN_new();
-            if (!newsig->s) {
-                GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE);
-                goto err;
-            }
-        }
-        BN_mod_add(newsig->s, tmp, tmp2, dsa->q, ctx);
-    }
-    while (BN_is_zero(newsig->s));
-
-    ret = newsig;
- err:
-    BN_free(md);
-    if (ctx)
-        BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    if (!ret)
-        DSA_SIG_free(newsig);
-    return ret;
-}
-
-/*
- * Packs signature according to Cryptocom rules
- * and frees up DSA_SIG structure
- */
-/*-
-int pack_sign_cc(DSA_SIG *s,int order,unsigned char *sig, size_t *siglen)
-        {
-        *siglen = 2*order;
-        memset(sig,0,*siglen);
-        store_bignum(s->r, sig,order);
-        store_bignum(s->s, sig + order,order);
-        dump_signature("serialized",sig,*siglen);
-        DSA_SIG_free(s);
-        return 1;
-        }
-*/
-/*
- * Packs signature according to Cryptopro rules
- * and frees up DSA_SIG structure
- */
-int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen)
-{
-    *siglen = 2 * order;
-    memset(sig, 0, *siglen);
-    store_bignum(s->s, sig, order);
-    store_bignum(s->r, sig + order, order);
-    dump_signature("serialized", sig, *siglen);
-    DSA_SIG_free(s);
-    return 1;
-}
-
-/*
- * Verifies signature passed as DSA_SIG structure
- *
- */
-
-int gost_do_verify(const unsigned char *dgst, int dgst_len,
-                   DSA_SIG *sig, DSA *dsa)
-{
-    BIGNUM *md = NULL, *tmp = NULL;
-    BIGNUM *q2 = NULL;
-    BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL;
-    BIGNUM *tmp2 = NULL, *tmp3 = NULL;
-    int ok = 0;
-    BN_CTX *ctx = BN_CTX_new();
-    if (!ctx) {
-        GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    BN_CTX_start(ctx);
-    if (BN_cmp(sig->s, dsa->q) >= 1 || BN_cmp(sig->r, dsa->q) >= 1) {
-        GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
-        goto err;
-    }
-    md = hashsum2bn(dgst);
-
-    tmp = BN_CTX_get(ctx);
-    v = BN_CTX_get(ctx);
-    q2 = BN_CTX_get(ctx);
-    z1 = BN_CTX_get(ctx);
-    z2 = BN_CTX_get(ctx);
-    tmp2 = BN_CTX_get(ctx);
-    tmp3 = BN_CTX_get(ctx);
-    u = BN_CTX_get(ctx);
-    if (!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) {
-        GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    BN_mod(tmp, md, dsa->q, ctx);
-    if (BN_is_zero(tmp)) {
-        BN_one(md);
-    }
-    BN_copy(q2, dsa->q);
-    BN_sub_word(q2, 2);
-    BN_mod_exp(v, md, q2, dsa->q, ctx);
-    BN_mod_mul(z1, sig->s, v, dsa->q, ctx);
-    BN_sub(tmp, dsa->q, sig->r);
-    BN_mod_mul(z2, tmp, v, dsa->p, ctx);
-    BN_mod_exp(tmp, dsa->g, z1, dsa->p, ctx);
-    BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx);
-    BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx);
-    BN_mod(u, tmp3, dsa->q, ctx);
-    ok = (BN_cmp(u, sig->r) == 0);
-
-    if (!ok) {
-        GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH);
-    }
-err:
-    BN_free(md);
-    if (ctx)
-        BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    return (ok == 0);
-}
-
-/*
- * Computes public keys for GOST R 34.10-94 algorithm
- *
- */
-int gost94_compute_public(DSA *dsa)
-{
-    /* Now fill algorithm parameters with correct values */
-    BN_CTX *ctx;
-    if (!dsa->g) {
-        GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, GOST_R_KEY_IS_NOT_INITALIZED);
-        return 0;
-    }
-    ctx = BN_CTX_new();
-    if (!ctx) {
-        GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    dsa->pub_key = BN_new();
-    if (!dsa->pub_key) {
-        GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE);
-        BN_CTX_free(ctx);
-        return 0;
-    }
-    /* Compute public key  y = a^x mod p */
-    BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx);
-    BN_CTX_free(ctx);
-    return 1;
-}
-
-/*
- * Fill GOST 94 params, searching them in R3410_paramset array
- * by nid of paramset
- *
- */
-int fill_GOST94_params(DSA *dsa, int nid)
-{
-    R3410_params *params = R3410_paramset;
-    while (params->nid != NID_undef && params->nid != nid)
-        params++;
-    if (params->nid == NID_undef) {
-        GOSTerr(GOST_F_FILL_GOST94_PARAMS, GOST_R_UNSUPPORTED_PARAMETER_SET);
-        return 0;
-    }
-#define dump_signature(a,b,c)
-    BN_free(dsa->p);
-    dsa->p = NULL;
-    BN_dec2bn(&(dsa->p), params->p);
-    BN_free(dsa->q);
-    dsa->q = NULL;
-    BN_dec2bn(&(dsa->q), params->q);
-    BN_free(dsa->g);
-    dsa->g = NULL;
-    BN_dec2bn(&(dsa->g), params->a);
-    return 1;
-}
-
-/*
- *  Generate GOST R 34.10-94 keypair
- *
- *
- */
-int gost_sign_keygen(DSA *dsa)
-{
-    dsa->priv_key = BN_new();
-    if (!dsa->priv_key) {
-        GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-    BN_rand_range(dsa->priv_key, dsa->q);
-    return gost94_compute_public(dsa);
-}
-
-/* Unpack signature according to cryptocom rules  */
-/*-
-DSA_SIG *unpack_cc_signature(const unsigned char *sig,size_t siglen)
-        {
-        DSA_SIG *s;
-        s = DSA_SIG_new();
-        if (s == NULL)
-                {
-                GOSTerr(GOST_F_UNPACK_CC_SIGNATURE,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        s->r = getbnfrombuf(sig, siglen/2);
-        s->s = getbnfrombuf(sig + siglen/2, siglen/2);
-        return s;
-        }
-*/
-/* Unpack signature according to cryptopro rules  */
-DSA_SIG *unpack_cp_signature(const unsigned char *sig, size_t siglen)
-{
-    DSA_SIG *s;
-
-    s = DSA_SIG_new();
-    if (s == NULL) {
-        GOSTerr(GOST_F_UNPACK_CP_SIGNATURE, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-    s->s = getbnfrombuf(sig, siglen / 2);
-    s->r = getbnfrombuf(sig + siglen / 2, siglen / 2);
-    return s;
-}
-
-/* Convert little-endian byte array into bignum */
-BIGNUM *hashsum2bn(const unsigned char *dgst)
-{
-    unsigned char buf[32];
-    int i;
-    for (i = 0; i < 32; i++) {
-        buf[31 - i] = dgst[i];
-    }
-    return getbnfrombuf(buf, 32);
-}
-
-/* Convert byte buffer to bignum, skipping leading zeros*/
-BIGNUM *getbnfrombuf(const unsigned char *buf, size_t len)
-{
-    while (*buf == 0 && len > 0) {
-        buf++;
-        len--;
-    }
-    if (len) {
-        return BN_bin2bn(buf, len, NULL);
-    } else {
-        BIGNUM *b = BN_new();
-        BN_zero(b);
-        return b;
-    }
-}
-
-/*
- * Pack bignum into byte buffer of given size, filling all leading bytes by
- * zeros
- */
-int store_bignum(BIGNUM *bn, unsigned char *buf, int len)
-{
-    int bytes = BN_num_bytes(bn);
-    if (bytes > len)
-        return 0;
-    memset(buf, 0, len);
-    BN_bn2bin(bn, buf + len - bytes);
-    return 1;
-}
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 1eef9cc..6e98784 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -878,7 +878,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS_CT_ECDSA_SIGN               64
 # define TLS_CT_RSA_FIXED_ECDH           65
 # define TLS_CT_ECDSA_FIXED_ECDH         66
-# define TLS_CT_GOST94_SIGN              21
 # define TLS_CT_GOST01_SIGN              22
 /*
  * when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 943cf73..4d69c2a 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -618,9 +618,7 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
         ret = SSL_PKEY_ECC;
     }
 #endif
-    else if (i == NID_id_GostR3410_94 || i == NID_id_GostR3410_94_cc) {
-        ret = SSL_PKEY_GOST94;
-    } else if (i == NID_id_GostR3410_2001 || i == NID_id_GostR3410_2001_cc) {
+    else if (i == NID_id_GostR3410_2001) {
         ret = SSL_PKEY_GOST01;
     } else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX)) {
         /*
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 1661b0e..01a0a8c 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3059,8 +3059,7 @@ int ssl3_send_client_verify(SSL *s)
             n = j + 2;
         } else
 #endif
-        if (pkey->type == NID_id_GostR3410_94
-                || pkey->type == NID_id_GostR3410_2001) {
+        if (pkey->type == NID_id_GostR3410_2001) {
             unsigned char signbuf[64];
             int i;
             size_t sigsize = 64;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 83b8f68..0a3bba4 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1147,19 +1147,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
 
     {
      1,
-     "GOST94-GOST89-GOST89",
-     0x3000080,
-     SSL_kGOST,
-     SSL_aGOST94,
-     SSL_eGOST2814789CNT,
-     SSL_GOST89MAC,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
-     SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
-     256,
-     256},
-    {
-     1,
      "GOST2001-GOST89-GOST89",
      0x3000081,
      SSL_kGOST,
@@ -1170,20 +1157,8 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
      256,
-     256},
-    {
-     1,
-     "GOST94-NULL-GOST94",
-     0x3000082,
-     SSL_kGOST,
-     SSL_aGOST94,
-     SSL_eNULL,
-     SSL_GOST94,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_STRONG_NONE,
-     SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
-     0,
-     0},
+     256
+    },
     {
      1,
      "GOST2001-NULL-GOST94",
@@ -1196,7 +1171,8 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      SSL_NOT_EXP | SSL_STRONG_NONE,
      SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
      0,
-     0},
+     0
+    },
 
 #ifndef OPENSSL_NO_CAMELLIA
     /* Camellia ciphersuites from RFC4132 (256-bit portion) */
@@ -3474,63 +3450,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      256},
 #endif
 
-#ifdef TEMP_GOST_TLS
-/* Cipher FF00 */
-    {
-     1,
-     "GOST-MD5",
-     0x0300ff00,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_eGOST2814789CNT,
-     SSL_MD5,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     256,
-     256,
-     },
-    {
-     1,
-     "GOST-GOST94",
-     0x0300ff01,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_eGOST2814789CNT,
-     SSL_GOST94,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     256,
-     256},
-    {
-     1,
-     "GOST-GOST89MAC",
-     0x0300ff02,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_eGOST2814789CNT,
-     SSL_GOST89MAC,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     256,
-     256},
-    {
-     1,
-     "GOST-GOST89STREAM",
-     0x0300ff03,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_eGOST2814789CNT,
-     SSL_GOST89MAC,
-     SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF | TLS1_STREAM_MAC,
-     256,
-     256},
-#endif
-
 /* end of list */
 };
 
@@ -4694,7 +4613,6 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 #ifndef OPENSSL_NO_GOST
     if (s->version >= TLS1_VERSION) {
         if (alg_k & SSL_kGOST) {
-            p[ret++] = TLS_CT_GOST94_SIGN;
             p[ret++] = TLS_CT_GOST01_SIGN;
             return (ret);
         }
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 76f49bd..acb2fa9 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2736,9 +2736,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 
         /* Get our certificate private key */
         alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-        if (alg_a & SSL_aGOST94)
-            pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
-        else if (alg_a & SSL_aGOST01)
+        if (alg_a & SSL_aGOST01)
             pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
 
         pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
@@ -2874,8 +2872,7 @@ int ssl3_get_cert_verify(SSL *s)
      * If key is GOST and n is exactly 64, it is bare signature without
      * length field
      */
-    if (n == 64 && (pkey->type == NID_id_GostR3410_94 ||
-                    pkey->type == NID_id_GostR3410_2001)) {
+    if (n == 64 && pkey->type == NID_id_GostR3410_2001) {
         len = 64;
     } else {
         if (SSL_USE_SIGALGS(s)) {
@@ -2984,8 +2981,7 @@ int ssl3_get_cert_verify(SSL *s)
         }
     } else
 #endif
-    if (pkey->type == NID_id_GostR3410_94
-            || pkey->type == NID_id_GostR3410_2001) {
+    if (pkey->type == NID_id_GostR3410_2001) {
         unsigned char signature[64];
         int idx;
         EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index da64301..08a95f9 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -331,9 +331,8 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_aGOST94, 0, 0, SSL_aGOST94, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST94 | SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
+    {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0},
 
     /* aliases combining key exchange and server authentication */
@@ -528,14 +527,12 @@ void ssl_load_ciphers(void)
         disabled_mac_mask |= SSL_GOST89MAC;
     }
 
-    if (!get_optional_pkey_id("gost94"))
-        disabled_auth_mask |= SSL_aGOST94;
     if (!get_optional_pkey_id("gost2001"))
         disabled_auth_mask |= SSL_aGOST01;
     /*
      * Disable GOST key exchange if no GOST signature algs are available *
      */
-    if ((disabled_auth_mask & (SSL_aGOST94 | SSL_aGOST01)) == (SSL_aGOST94 | SSL_aGOST01))
+    if ((disabled_auth_mask & SSL_aGOST01) == SSL_aGOST01)
         disabled_mkey_mask |= SSL_kGOST;
 }
 
@@ -1673,9 +1670,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_aSRP:
         au = "SRP";
         break;
-    case SSL_aGOST94:
-        au = "GOST94";
-        break;
     case SSL_aGOST01:
         au = "GOST01";
         break;
@@ -1961,8 +1955,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
         return SSL_PKEY_DSA_SIGN;
     else if (alg_a & SSL_aRSA)
         return SSL_PKEY_RSA_ENC;
-    else if (alg_a & SSL_aGOST94)
-        return SSL_PKEY_GOST94;
     else if (alg_a & SSL_aGOST01)
         return SSL_PKEY_GOST01;
     return -1;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5a0ec8a..2a2eb78 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2007,11 +2007,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
         mask_k |= SSL_kGOST;
         mask_a |= SSL_aGOST01;
     }
-    cpk = &(c->pkeys[SSL_PKEY_GOST94]);
-    if (cpk->x509 != NULL && cpk->privatekey != NULL) {
-        mask_k |= SSL_kGOST;
-        mask_a |= SSL_aGOST94;
-    }
 
     if (rsa_enc || (rsa_tmp && rsa_sign))
         mask_k |= SSL_kRSA;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index bc8388a..63b547a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -339,8 +339,6 @@
 # define SSL_aECDSA              0x00000040L
 /* PSK auth */
 # define SSL_aPSK                0x00000080L
-/* GOST R 34.10-94 signature auth */
-# define SSL_aGOST94                             0x00000100L
 /* GOST R 34.10-2001 signature auth */
 # define SSL_aGOST01                     0x00000200L
 /* SRP auth */
@@ -508,7 +506,6 @@
 # define SSL_PKEY_DH_RSA         3
 # define SSL_PKEY_DH_DSA         4
 # define SSL_PKEY_ECC            5
-# define SSL_PKEY_GOST94         6
 # define SSL_PKEY_GOST01         7
 # define SSL_PKEY_NUM            8
 

From steve at openssl.org  Wed Aug 12 12:57:02 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Wed, 12 Aug 2015 12:57:02 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439384222.067808.29006.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2acdef5e97977958e9bb3b4a139039599ef1aefe (commit)
       via  891eac4604b5f05413e59602fae1f11136f4719a (commit)
       via  a187e08d856690b5c1da3184d0ff560d572f893b (commit)
      from  ade44dcb16141c8a30ca6c56a1fd1a0b14dcc360 (commit)


- Log -----------------------------------------------------------------
commit 2acdef5e97977958e9bb3b4a139039599ef1aefe
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:38:11 2015 +0100

    Return error for unsupported modes.
    
    PR#3974
    PR#3975
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 891eac4604b5f05413e59602fae1f11136f4719a
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:37:44 2015 +0100

    Fix memory leak if setup fails.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit a187e08d856690b5c1da3184d0ff560d572f893b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:37:01 2015 +0100

    Err isn't always malloc failure.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/cms/cms_enc.c   |  2 +-
 crypto/cms/cms_smime.c |  2 +-
 crypto/evp/evp_lib.c   | 35 ++++++++++++++++++++++++++++++-----
 3 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index f9556ac..16b4225 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -194,7 +194,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
     ok = 1;
 
  err:
-    if (!keep_key) {
+    if (!keep_key || !ok) {
         OPENSSL_clear_free(ec->key, ec->keylen);
         ec->key = NULL;
     }
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index b33bc1d..6bed211 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -804,7 +804,7 @@ int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags)
     int ret = 0;
 
     if ((cmsbio = CMS_dataInit(cms, dcont)) == NULL) {
-        CMSerr(CMS_F_CMS_FINAL, ERR_R_MALLOC_FAILURE);
+        CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_LIB);
         return 0;
     }
 
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 1fdde9a..5ee3dcb 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -68,11 +68,22 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
     if (c->cipher->set_asn1_parameters != NULL)
         ret = c->cipher->set_asn1_parameters(c, type);
     else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
-        if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE) {
+        switch (EVP_CIPHER_CTX_mode(c)) {
+        case EVP_CIPH_WRAP_MODE:
             ASN1_TYPE_set(type, V_ASN1_NULL, NULL);
             ret = 1;
-        } else
+            break;
+
+        case EVP_CIPH_GCM_MODE:
+        case EVP_CIPH_CCM_MODE:
+        case EVP_CIPH_XTS_MODE:
+        case EVP_CIPH_OCB_MODE:
+            ret = -1;
+            break;
+
+        default:
             ret = EVP_CIPHER_set_asn1_iv(c, type);
+        }
     } else
         ret = -1;
     return (ret);
@@ -85,9 +96,23 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
     if (c->cipher->get_asn1_parameters != NULL)
         ret = c->cipher->get_asn1_parameters(c, type);
     else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
-        if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE)
-            return 1;
-        ret = EVP_CIPHER_get_asn1_iv(c, type);
+        switch (EVP_CIPHER_CTX_mode(c)) {
+
+        case EVP_CIPH_WRAP_MODE:
+            ret = 1;
+            break;
+
+        case EVP_CIPH_GCM_MODE:
+        case EVP_CIPH_CCM_MODE:
+        case EVP_CIPH_XTS_MODE:
+        case EVP_CIPH_OCB_MODE:
+            ret = -1;
+            break;
+
+        default:
+            ret = EVP_CIPHER_get_asn1_iv(c, type);
+            break;
+        }
     } else
         ret = -1;
     return (ret);

From steve at openssl.org  Wed Aug 12 13:15:42 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Wed, 12 Aug 2015 13:15:42 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439385342.543413.7305.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  5859bc62f3dc79aea2844f0349cfa9dcbd570dfb (commit)
       via  056df45ed12527bea484c952227c09ad49e31d2d (commit)
       via  e9da86627a271d9d1ad04e47115d26fab4a21c1b (commit)
      from  0b12fa75c9df5c2c9c2f5094514323360c0af981 (commit)


- Log -----------------------------------------------------------------
commit 5859bc62f3dc79aea2844f0349cfa9dcbd570dfb
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:38:11 2015 +0100

    Return error for unsupported modes.
    
    PR#3974
    PR#3975
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 056df45ed12527bea484c952227c09ad49e31d2d
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:37:44 2015 +0100

    Fix memory leak if setup fails.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 891eac4604b5f05413e59602fae1f11136f4719a)
    
    Conflicts:
    	crypto/cms/cms_enc.c

commit e9da86627a271d9d1ad04e47115d26fab4a21c1b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:37:01 2015 +0100

    Err isn't always malloc failure.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit a187e08d856690b5c1da3184d0ff560d572f893b)
    
    Conflicts:
    	crypto/cms/cms_smime.c

-----------------------------------------------------------------------

Summary of changes:
 crypto/cms/cms_enc.c   |  2 +-
 crypto/cms/cms_smime.c |  2 +-
 crypto/evp/evp_lib.c   | 33 ++++++++++++++++++++++++++++-----
 3 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 85ae928..b14b4b6 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -195,7 +195,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
     ok = 1;
 
  err:
-    if (ec->key && !keep_key) {
+    if (ec->key && (!keep_key || !ok)) {
         OPENSSL_cleanse(ec->key, ec->keylen);
         OPENSSL_free(ec->key);
         ec->key = NULL;
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 5522a37..07e3472 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -754,7 +754,7 @@ int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags)
     BIO *cmsbio;
     int ret = 0;
     if (!(cmsbio = CMS_dataInit(cms, dcont))) {
-        CMSerr(CMS_F_CMS_FINAL, ERR_R_MALLOC_FAILURE);
+        CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_LIB);
         return 0;
     }
 
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index a53a27c..d2c9ae4 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -72,11 +72,21 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
     if (c->cipher->set_asn1_parameters != NULL)
         ret = c->cipher->set_asn1_parameters(c, type);
     else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
-        if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE) {
+        switch (EVP_CIPHER_CTX_mode(c)) {
+        case EVP_CIPH_WRAP_MODE:
             ASN1_TYPE_set(type, V_ASN1_NULL, NULL);
             ret = 1;
-        } else
+            break;
+
+        case EVP_CIPH_GCM_MODE:
+        case EVP_CIPH_CCM_MODE:
+        case EVP_CIPH_XTS_MODE:
+            ret = -1;
+            break;
+
+        default:
             ret = EVP_CIPHER_set_asn1_iv(c, type);
+        }
     } else
         ret = -1;
     return (ret);
@@ -89,9 +99,22 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
     if (c->cipher->get_asn1_parameters != NULL)
         ret = c->cipher->get_asn1_parameters(c, type);
     else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
-        if (EVP_CIPHER_CTX_mode(c) == EVP_CIPH_WRAP_MODE)
-            return 1;
-        ret = EVP_CIPHER_get_asn1_iv(c, type);
+        switch (EVP_CIPHER_CTX_mode(c)) {
+
+        case EVP_CIPH_WRAP_MODE:
+            ret = 1;
+            break;
+
+        case EVP_CIPH_GCM_MODE:
+        case EVP_CIPH_CCM_MODE:
+        case EVP_CIPH_XTS_MODE:
+            ret = -1;
+            break;
+
+        default:
+            ret = EVP_CIPHER_get_asn1_iv(c, type);
+            break;
+        }
     } else
         ret = -1;
     return (ret);

From matt at openssl.org  Thu Aug 13 08:33:15 2015
From: matt at openssl.org (Matt Caswell)
Date: Thu, 13 Aug 2015 08:33:15 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439454795.820763.3881.nullmailer@dev.openssl.org>

The branch master has been updated
       via  df758a8569efe9e124baaa16aba4ac3fc35bbd9d (commit)
      from  2acdef5e97977958e9bb3b4a139039599ef1aefe (commit)


- Log -----------------------------------------------------------------
commit df758a8569efe9e124baaa16aba4ac3fc35bbd9d
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 4 20:10:06 2015 +0100

    PACKETise Server Certificate processing
    
    Use the PACKET API to process an incoming server Certificate message.
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 01a0a8c..4ebd7aa 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1232,12 +1232,12 @@ int ssl3_get_server_hello(SSL *s)
 int ssl3_get_server_certificate(SSL *s)
 {
     int al, i, ok, ret = -1, exp_idx;
-    unsigned long n, nc, llen, l;
+    unsigned long n, cert_list_len, cert_len;
     X509 *x = NULL;
-    const unsigned char *q, *p;
-    unsigned char *d;
+    unsigned char *certstart, *certbytes;
     STACK_OF(X509) *sk = NULL;
     EVP_PKEY *pkey = NULL;
+    PACKET pkt;
 
     n = s->method->ssl_get_message(s,
                                    SSL3_ST_CR_CERT_A,
@@ -1257,36 +1257,41 @@ int ssl3_get_server_certificate(SSL *s)
         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_BAD_MESSAGE_TYPE);
         goto f_err;
     }
-    p = d = (unsigned char *)s->init_msg;
+
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+        goto f_err;
+    }
 
     if ((sk = sk_X509_new_null()) == NULL) {
         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE);
         goto err;
     }
 
-    n2l3(p, llen);
-    if (llen + 3 != n) {
+    if (!PACKET_get_net_3(&pkt, &cert_list_len)
+            || PACKET_remaining(&pkt) != cert_list_len) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
-    for (nc = 0; nc < llen;) {
-        n2l3(p, l);
-        if ((l + nc + 3) > llen) {
+    while (PACKET_remaining(&pkt)) {
+        if (!PACKET_get_net_3(&pkt, &cert_len)
+                || !PACKET_get_bytes(&pkt, &certbytes, cert_len)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                    SSL_R_CERT_LENGTH_MISMATCH);
             goto f_err;
         }
 
-        q = p;
-        x = d2i_X509(NULL, &q, l);
+        certstart = certbytes;
+        x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
         if (x == NULL) {
             al = SSL_AD_BAD_CERTIFICATE;
             SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
             goto f_err;
         }
-        if (q != (p + l)) {
+        if (certbytes != (certstart + cert_len)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                    SSL_R_CERT_LENGTH_MISMATCH);
@@ -1297,8 +1302,6 @@ int ssl3_get_server_certificate(SSL *s)
             goto err;
         }
         x = NULL;
-        nc += l + 3;
-        p = q;
     }
 
     i = ssl_verify_cert_chain(s, sk);

From rsalz at openssl.org  Thu Aug 13 16:15:16 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 13 Aug 2015 16:15:16 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439482516.436396.30452.nullmailer@dev.openssl.org>

The branch master has been updated
       via  cc2829e6641092abed8360433dbe67e883fd1cc6 (commit)
      from  df758a8569efe9e124baaa16aba4ac3fc35bbd9d (commit)


- Log -----------------------------------------------------------------
commit cc2829e6641092abed8360433dbe67e883fd1cc6
Author: Ismo Puustinen <ismo.puustinen at intel.com>
Date:   Fri Aug 7 22:11:28 2015 -0400

    GH364: Free memory on an error path
    
    Part of RT 3997
    Per Ben, just jump to common exit code.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 26867cb..6b1f7fe 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -348,7 +348,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
             if (!sk_X509_push(ctx->chain, x)) {
                 X509_free(xtmp);
                 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-                return 0;
+                ok = 0;
+                goto done;
             }
             num++;
         }

From rsalz at openssl.org  Thu Aug 13 16:15:27 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 13 Aug 2015 16:15:27 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439482527.505986.31234.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  25efcb44ac88ab34f60047e16a96c9462fad39c1 (commit)
      from  5859bc62f3dc79aea2844f0349cfa9dcbd570dfb (commit)


- Log -----------------------------------------------------------------
commit 25efcb44ac88ab34f60047e16a96c9462fad39c1
Author: Ismo Puustinen <ismo.puustinen at intel.com>
Date:   Fri Aug 7 22:11:28 2015 -0400

    GH364: Free memory on an error path
    
    Part of RT 3997
    Per Ben, just jump to common exit code.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit cc2829e6641092abed8360433dbe67e883fd1cc6)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a2f1dbe..26c6bb3 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -354,7 +354,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
             if (!sk_X509_push(ctx->chain, x)) {
                 X509_free(xtmp);
                 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-                return 0;
+                ok = 0;
+                goto done;
             }
             num++;
         }

From matt at openssl.org  Thu Aug 13 19:37:31 2015
From: matt at openssl.org (Matt Caswell)
Date: Thu, 13 Aug 2015 19:37:31 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439494651.710048.18445.nullmailer@dev.openssl.org>

The branch master has been updated
       via  bc6616a4347d4c30bce1d1918da09f09f84c0403 (commit)
       via  f9f6053442a2918d0445866252256b2cb54a1187 (commit)
      from  cc2829e6641092abed8360433dbe67e883fd1cc6 (commit)


- Log -----------------------------------------------------------------
commit bc6616a4347d4c30bce1d1918da09f09f84c0403
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 3 17:20:47 2015 +0100

    Enhance PACKET readability
    
    Enhance the PACKET code readability, and fix a stale comment. Thanks
    to Ben Kaduk (bkaduk at akamai.com) for pointing this out.
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

commit f9f6053442a2918d0445866252256b2cb54a1187
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 3 17:20:07 2015 +0100

    Add missing return check for PACKET_buf_init
    
    The new ClientHello PACKET code is missing a return value check.
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/packet_locl.h | 3 +--
 ssl/s3_srvr.c     | 8 ++++++--
 ssl/t1_lib.c      | 4 ++--
 test/packettest.c | 2 +-
 4 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index 80d0b93..a5e4d00 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -80,8 +80,7 @@ typedef struct {
 } PACKET;
 
 /*
- * Returns 1 if there are exactly |len| bytes left to be read from |pkt|
- * and 0 otherwise
+ * Returns the number of bytes remaining to be read in the PACKET
  */
 __owur static inline size_t PACKET_remaining(PACKET *pkt)
 {
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index acb2fa9..a015a49 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -874,7 +874,11 @@ int ssl3_get_client_hello(SSL *s)
     if (!ok)
         return ((int)n);
     s->first_packet = 0;
-    PACKET_buf_init(&pkt, s->init_msg, n);
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        al = SSL_AD_INTERNAL_ERROR;
+        goto f_err;
+    }
 
     /* First lets get s->client_version set correctly */
     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
@@ -1055,7 +1059,7 @@ int ssl3_get_client_hello(SSL *s)
         memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
         if (!PACKET_peek_copy_bytes(&pkt, s->s3->client_random, i)
                 || !PACKET_forward(&pkt, cl)
-                || !PACKET_remaining(&pkt) == 0) {
+                || PACKET_remaining(&pkt) != 0) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ece2b72..e37411c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2036,7 +2036,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                     }
             }
             /* We shouldn't have any bytes left */
-            if (PACKET_remaining(&ssubpkt))
+            if (PACKET_remaining(&ssubpkt) != 0)
                 goto err;
 
         }
@@ -2140,7 +2140,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
                     || (dsize & 1) != 0
                     || (dsize == 0)
                     || !PACKET_get_bytes(&subpkt, &data, dsize)
-                    || PACKET_remaining(&subpkt)
+                    || PACKET_remaining(&subpkt) != 0
                     || !tls1_save_sigalgs(s, data, dsize)) {
                 goto err;
             }
diff --git a/test/packettest.c b/test/packettest.c
index d6d0c08..c3ac53b 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -67,7 +67,7 @@ static int test_PACKET_remaining(PACKET *pkt)
             || !PACKET_forward(pkt, BUF_LEN - 1)
             ||  PACKET_remaining(pkt) != 1
             || !PACKET_forward(pkt, 1)
-            ||  PACKET_remaining(pkt)) {
+            ||  PACKET_remaining(pkt) != 0) {
         fprintf(stderr, "test_PACKET_remaining() failed\n");
         return 0;
     }

From matt at openssl.org  Thu Aug 13 19:43:28 2015
From: matt at openssl.org (Matt Caswell)
Date: Thu, 13 Aug 2015 19:43:28 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439495008.543546.19753.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ac63710a3d718cad5c4d151f0e039ce2fe9c732e (commit)
      from  bc6616a4347d4c30bce1d1918da09f09f84c0403 (commit)


- Log -----------------------------------------------------------------
commit ac63710a3d718cad5c4d151f0e039ce2fe9c732e
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Aug 5 15:52:26 2015 +0100

    PACKETise Certificate Status message
    
    Process the Certificate Status message using the PACKET API
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4ebd7aa..dedbfea 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2271,7 +2271,8 @@ int ssl3_get_cert_status(SSL *s)
 {
     int ok, al;
     unsigned long resplen, n;
-    const unsigned char *p;
+    unsigned int type;
+    PACKET pkt;
 
     n = s->method->ssl_get_message(s,
                                    SSL3_ST_CR_CERT_STATUS_A,
@@ -2280,31 +2281,36 @@ int ssl3_get_cert_status(SSL *s)
 
     if (!ok)
         return ((int)n);
-    if (n < 4) {
-        /* need at least status type + length */
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
+
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_INTERNAL_ERROR);
         goto f_err;
     }
-    p = (unsigned char *)s->init_msg;
-    if (*p++ != TLSEXT_STATUSTYPE_ocsp) {
+    if (!PACKET_get_1(&pkt, &type)
+            || type != TLSEXT_STATUSTYPE_ocsp) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE);
         goto f_err;
     }
-    n2l3(p, resplen);
-    if (resplen + 4 != n) {
+    if (!PACKET_get_net_3(&pkt, &resplen)
+            || PACKET_remaining(&pkt) != resplen) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
     OPENSSL_free(s->tlsext_ocsp_resp);
-    s->tlsext_ocsp_resp = BUF_memdup(p, resplen);
+    s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
     if (!s->tlsext_ocsp_resp) {
         al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE);
         goto f_err;
     }
+    if (!PACKET_copy_bytes(&pkt, s->tlsext_ocsp_resp, resplen)) {
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH);
+        goto f_err;
+    }
     s->tlsext_ocsp_resplen = resplen;
     if (s->ctx->tlsext_status_cb) {
         int ret;

From rsalz at openssl.org  Thu Aug 13 19:48:03 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 13 Aug 2015 19:48:03 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439495283.336692.21386.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f25825c218efb71c13ef7c60c1acbe13cfdfe78b (commit)
      from  ac63710a3d718cad5c4d151f0e039ce2fe9c732e (commit)


- Log -----------------------------------------------------------------
commit f25825c218efb71c13ef7c60c1acbe13cfdfe78b
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 13 11:22:10 2015 -0400

    Fix FAQ formatting for new website.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 FAQ | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/FAQ b/FAQ
index 2579d51..0ff792b 100644
--- a/FAQ
+++ b/FAQ
@@ -861,22 +861,25 @@ with the i2d_*_bio() or d2i_*_bio() functions or you can use the
 i2d_*(), d2i_*() functions directly. Since these are often the
 cause of grief here are some code fragments using PKCS7 as an example:
 
+----- snip:start -----
  unsigned char *buf, *p;
- int len;
+ int len = i2d_PKCS7(p7, NULL);
 
- len = i2d_PKCS7(p7, NULL);
- buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
+ buf = OPENSSL_malloc(len); /* error checking omitted */
  p = buf;
  i2d_PKCS7(p7, &p);
+----- snip:end -----
 
 At this point buf contains the len bytes of the DER encoding of
 p7.
 
 The opposite assumes we already have len bytes in buf:
 
- unsigned char *p;
- p = buf;
+----- snip:start -----
+ unsigned char *p = buf;
+
  p7 = d2i_PKCS7(NULL, &p, len);
+----- snip:end -----
 
 At this point p7 contains a valid PKCS7 structure or NULL if an error
 occurred. If an error occurred ERR_print_errors(bio) should give more
@@ -893,14 +896,17 @@ because it no longer points to the same address.
 Memory allocation and encoding can also be combined in a single
 operation by the ASN1 routines:
 
- unsigned char *buf = NULL;	/* mandatory */
- int len;
- len = i2d_PKCS7(p7, &buf);
- if (len < 0)
-	/* Error */
+----- snip:start -----
+ unsigned char *buf = NULL;
+ int len = i2d_PKCS7(p7, &buf);
+
+ if (len < 0) {
+     /* Error */
+ }
  /* Do some things with 'buf' */
  /* Finished with buf: free it */
  OPENSSL_free(buf);
+----- snip:end -----
 
 In this special case the "buf" parameter is *not* incremented, it points
 to the start of the encoding.

From levitte at openssl.org  Thu Aug 13 20:06:37 2015
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 13 Aug 2015 20:06:37 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439496397.719483.31506.nullmailer@dev.openssl.org>

The branch master has been updated
       via  00bf5001f72144062fe3f7973b968be534ac1246 (commit)
       via  4deefd6567cce43ef6c6b910693c093e9598f556 (commit)
       via  b3a231db49f864a40f999bf5b3843bebec5e3730 (commit)
      from  f25825c218efb71c13ef7c60c1acbe13cfdfe78b (commit)


- Log -----------------------------------------------------------------
commit 00bf5001f72144062fe3f7973b968be534ac1246
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Aug 13 19:15:45 2015 +0200

    for test_sslvertol, add a value to display SSL version < 3 in debug
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 4deefd6567cce43ef6c6b910693c093e9598f556
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Aug 13 19:14:34 2015 +0200

    Fixups in libssl test harness
    
    - select an actual file handle for devnull
    - do not declare $msgdata twice
    - SKE records sometimes seem to come without sig
    - in SKE parsing, use and use $pub_key_len when parsing $pub_key
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit b3a231db49f864a40f999bf5b3843bebec5e3730
Author: Richard Levitte <levitte at openssl.org>
Date:   Thu Aug 13 19:13:16 2015 +0200

    Use -I to add to @INC, and use -w to produce warnings
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/Makefile                      |  6 +++---
 util/TLSProxy/Message.pm           |  2 +-
 util/TLSProxy/Proxy.pm             |  3 ++-
 util/TLSProxy/Record.pm            |  6 ++++--
 util/TLSProxy/ServerKeyExchange.pm | 11 +++++++----
 5 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/test/Makefile b/test/Makefile
index 31b3796..b59613c 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -424,17 +424,17 @@ test_packet: $(PACKETTEST)$(EXE_EXT)
 #OPENSSL_ia32cap=... in ssl tests below ensures AES-NI is switched off (AES-NI does not go through the testmode engine)
 test_sslvertol: ../apps/openssl$(EXE_EXT)
 	@echo $(START) $@
-	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLVERTOLTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLVERTOLTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
 	@[ -n "$(SHARED_LIBS)" ] || echo test_sslvertol can only be performed with OpenSSL configured shared
 
 test_sslextension: ../apps/openssl$(EXE_EXT)
 	@echo $(START) $@
-	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
 	@[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared
 
 test_sslskewith0p: ../apps/openssl$(EXE_EXT)
 	@echo $(START) $@
-	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
 	@[ -n "$(SHARED_LIBS)" ] || echo test_sslskewith0p can only be performed with OpenSSL configured shared
 
 update: local_depend
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 66a4a7b..028322b 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -350,7 +350,7 @@ sub repack
 
     $lenlo = length($self->data) & 0xff;
     $lenhi = length($self->data) >> 8;
-    my $msgdata = pack('CnC', $self->mt, $lenhi, $lenlo).$self->data;
+    $msgdata = pack('CnC', $self->mt, $lenhi, $lenlo).$self->data;
 
 
     if ($numrecs == 0) {
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index c033c29..571ab10 100644
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -142,7 +142,8 @@ sub start
     my $oldstdout;
 
     if(!$self->debug) {
-        $oldstdout = select(File::Spec->devnull());
+        open DEVNULL, ">", File::Spec->devnull();
+        $oldstdout = select(DEVNULL);
     }
 
     # Create the Proxy socket
diff --git a/util/TLSProxy/Record.pm b/util/TLSProxy/Record.pm
index 1d10508..124f924 100644
--- a/util/TLSProxy/Record.pm
+++ b/util/TLSProxy/Record.pm
@@ -83,7 +83,8 @@ use constant {
     VERS_TLS_1_2 => 771,
     VERS_TLS_1_1 => 770,
     VERS_TLS_1_0 => 769,
-    VERS_SSL_3_0 => 768
+    VERS_SSL_3_0 => 768,
+    VERS_SSL_LT_3_0 => 767
 };
 
 my %tls_version = (
@@ -91,7 +92,8 @@ my %tls_version = (
     VERS_TLS_1_2, "TLS1.2",
     VERS_TLS_1_1, "TLS1.1",
     VERS_TLS_1_0, "TLS1.0",
-    VERS_SSL_3_0, "SSL3"
+    VERS_SSL_3_0, "SSL3",
+    VERS_SSL_LT_3_0, "SSL<3"
 );
 
 #Class method to extract records from a packet of data
diff --git a/util/TLSProxy/ServerKeyExchange.pm b/util/TLSProxy/ServerKeyExchange.pm
index 3a91d17..b85b8ad 100644
--- a/util/TLSProxy/ServerKeyExchange.pm
+++ b/util/TLSProxy/ServerKeyExchange.pm
@@ -104,13 +104,16 @@ sub parse
     my $pub_key_len = unpack('n', substr($self->data, $ptr));
     $ptr += 2;
     my $pub_key = substr($self->data, $ptr, $pub_key_len);
-    $ptr += $g_len;
+    $ptr += $pub_key_len;
 
     #We assume its signed
     my $sig_len = unpack('n', substr($self->data, $ptr));
-    $ptr += 2;
-    my $sig = substr($self->data, $ptr, $sig_len);
-    $ptr += $sig_len;
+    my $sig = "";
+    if (defined $sig_len) {
+	$ptr += 2;
+	$sig = substr($self->data, $ptr, $sig_len);
+	$ptr += $sig_len;
+    }
 
     $self->p($p);
     $self->g($g);

From rsalz at openssl.org  Fri Aug 14 12:21:43 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 14 Aug 2015 12:21:43 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439554903.908822.29911.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  56353962e7da7e385c3d577581ccc3015ed6d1dc (commit)
      from  25efcb44ac88ab34f60047e16a96c9462fad39c1 (commit)


- Log -----------------------------------------------------------------
commit 56353962e7da7e385c3d577581ccc3015ed6d1dc
Author: Rich Salz <rsalz at openssl.org>
Date:   Fri Aug 14 08:21:19 2015 -0400

    Fix 1.0.2 build break
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_vfy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 26c6bb3..15a4fb9 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -355,7 +355,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                 X509_free(xtmp);
                 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
                 ok = 0;
-                goto done;
+                goto end;
             }
             num++;
         }

From steve at openssl.org  Fri Aug 14 12:41:57 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 12:41:57 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1439556117.682846.32243.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  50e56c1d8c681b8e8a070487645370f0f7c1ee9e (commit)
       via  2d172503687dd4c05193edf4d8242625fedc5806 (commit)
       via  aa701624b1b1fd0fa4ad692b86b25e0e79a7eaa2 (commit)
      from  396e30044910df29b81a416de42a94eb4355cd70 (commit)


- Log -----------------------------------------------------------------
commit 50e56c1d8c681b8e8a070487645370f0f7c1ee9e
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:38:11 2015 +0100

    Return error for unsupported modes.
    
    PR#3974
    PR#3975
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    
    Conflicts:
    	crypto/evp/evp_lib.c

commit 2d172503687dd4c05193edf4d8242625fedc5806
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:37:44 2015 +0100

    Fix memory leak if setup fails.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 891eac4604b5f05413e59602fae1f11136f4719a)
    
    Conflicts:
    	crypto/cms/cms_enc.c

commit aa701624b1b1fd0fa4ad692b86b25e0e79a7eaa2
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Aug 1 15:37:01 2015 +0100

    Err isn't always malloc failure.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit a187e08d856690b5c1da3184d0ff560d572f893b)
    
    Conflicts:
    	crypto/cms/cms_smime.c

-----------------------------------------------------------------------

Summary of changes:
 crypto/cms/cms_enc.c   |  2 +-
 crypto/cms/cms_smime.c |  2 +-
 crypto/evp/evp_lib.c   | 33 +++++++++++++++++++++++++++------
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 85ae928..b14b4b6 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -195,7 +195,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
     ok = 1;
 
  err:
-    if (ec->key && !keep_key) {
+    if (ec->key && (!keep_key || !ok)) {
         OPENSSL_cleanse(ec->key, ec->keylen);
         OPENSSL_free(ec->key);
         ec->key = NULL;
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 8b37560..f45693a 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -714,7 +714,7 @@ int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags)
     BIO *cmsbio;
     int ret = 0;
     if (!(cmsbio = CMS_dataInit(cms, dcont))) {
-        CMSerr(CMS_F_CMS_FINAL, ERR_R_MALLOC_FAILURE);
+        CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_LIB);
         return 0;
     }
 
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index d4d2b4b..b16d623 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -67,9 +67,19 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 
     if (c->cipher->set_asn1_parameters != NULL)
         ret = c->cipher->set_asn1_parameters(c, type);
-    else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-        ret = EVP_CIPHER_set_asn1_iv(c, type);
-    else
+    else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
+        switch (EVP_CIPHER_CTX_mode(c)) {
+
+        case EVP_CIPH_GCM_MODE:
+        case EVP_CIPH_CCM_MODE:
+        case EVP_CIPH_XTS_MODE:
+            ret = -1;
+            break;
+
+        default:
+            ret = EVP_CIPHER_set_asn1_iv(c, type);
+        }
+    } else
         ret = -1;
     return (ret);
 }
@@ -80,9 +90,20 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 
     if (c->cipher->get_asn1_parameters != NULL)
         ret = c->cipher->get_asn1_parameters(c, type);
-    else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
-        ret = EVP_CIPHER_get_asn1_iv(c, type);
-    else
+    else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
+        switch (EVP_CIPHER_CTX_mode(c)) {
+
+        case EVP_CIPH_GCM_MODE:
+        case EVP_CIPH_CCM_MODE:
+        case EVP_CIPH_XTS_MODE:
+            ret = -1;
+            break;
+
+        default:
+            ret = EVP_CIPHER_get_asn1_iv(c, type);
+            break;
+        }
+    } else
         ret = -1;
     return (ret);
 }

From steve at openssl.org  Fri Aug 14 12:41:57 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 12:41:57 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439556117.837416.32267.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6d5f8265ce6c4a8ed528462f519d9e8f2b7cfafd (commit)
      from  00bf5001f72144062fe3f7973b968be534ac1246 (commit)


- Log -----------------------------------------------------------------
commit 6d5f8265ce6c4a8ed528462f519d9e8f2b7cfafd
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Jul 23 16:38:58 2015 +0100

    Documentation for SSL_check_chain()
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_check_chain.pod | 85 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 doc/ssl/SSL_check_chain.pod

diff --git a/doc/ssl/SSL_check_chain.pod b/doc/ssl/SSL_check_chain.pod
new file mode 100644
index 0000000..d3b7601
--- /dev/null
+++ b/doc/ssl/SSL_check_chain.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+SSL_check_chain - check certificate chain suitability
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain);
+
+=head1 DESCRIPTION
+
+SSL_check_chain() checks whether certificate B<x>, private key B<pk> and
+certificate chain B<chain> is suitable for use with the current session
+B<s>.
+
+=head1 RETURN VALUES
+
+SSL_check_chain() returns a bitmap of flags indicating the validity of the
+chain.
+
+B<CERT_PKEY_VALID>: the chain can be used with the current session.
+If this flag is B<not> set then the certificate will never be used even
+if the application tries to set it because it is inconsistent with the
+peer preferences.
+
+B<CERT_PKEY_SIGN>: the EE key can be used for signing.
+
+B<CERT_PKEY_EE_SIGNATURE>: the signature algorithm of the EE certificate is
+acceptable.
+
+B<CERT_PKEY_CA_SIGNATURE>: the signature algorithms of all CA certificates
+are acceptable.
+
+B<CERT_PKEY_EE_PARAM>: the parameters of the end entity certificate are
+acceptable (e.g. it is a supported curve).
+
+B<CERT_PKEY_CA_PARAM>: the parameters of all CA certificates are acceptable.
+
+B<CERT_PKEY_EXPLICIT_SIGN>: the end entity certificate algorithm
+can be used explicitly for signing (i.e. it is mentioned in the signature
+algorithms extension).
+
+B<CERT_PKEY_ISSUER_NAME>: the issuer name is acceptable. This is only
+meaningful for client authentication.
+
+B<CERT_PKEY_CERT_TYPE>: the certificate type is acceptable. Only meaningful
+for client authentication.
+
+B<CERT_PKEY_SUITEB>: chain is suitable for Suite B use.
+
+=head1 NOTES
+
+SSL_check_chain() must be called in servers after a client hello message or in
+clients after a certificate request message. It will typically be called
+in the certificate callback.
+
+An application wishing to support multiple certificate chains may call this
+function on each chain in turn: starting with the one it considers the
+most secure. It could then use the chain of the first set which returns
+suitable flags.
+
+As a minimum the flag B<CERT_PKEY_VALID> must be set for a chain to be
+usable. An application supporting multiple chains with different CA signature
+algorithms may also wish to check B<CERT_PKEY_CA_SIGNATURE> too. If no
+chain is suitable a server should fall back to the most secure chain which
+sets B<CERT_PKEY_VALID>.
+
+The validity of a chain is determined by checking if it matches a supported
+signature algorithm, supported curves and in the case of client authentication
+certificate types and issuer names.
+
+Since the supported signature algorithms extension is only used in TLS 1.2
+and DTLS 1.2 the results for earlier versions of TLS and DTLS may not be
+very useful. Applications may wish to specify a different "legacy" chain
+for earlier versions of TLS or DTLS.
+
+=head1 SEE ALSO
+
+L<SSL_CTX_set_cert_cb(3)|SSL_CTX_set_cert_cb(3)>,
+L<ssl(3)|ssl(3)>
+
+=cut

From steve at openssl.org  Fri Aug 14 12:43:29 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 12:43:29 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439556209.378102.7685.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  8d2e7c0dec6e0c0edbd2db0d712cc7407143eb65 (commit)
      from  56353962e7da7e385c3d577581ccc3015ed6d1dc (commit)


- Log -----------------------------------------------------------------
commit 8d2e7c0dec6e0c0edbd2db0d712cc7407143eb65
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Jul 23 16:38:58 2015 +0100

    Documentation for SSL_check_chain()
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 6d5f8265ce6c4a8ed528462f519d9e8f2b7cfafd)

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_check_chain.pod | 85 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 doc/ssl/SSL_check_chain.pod

diff --git a/doc/ssl/SSL_check_chain.pod b/doc/ssl/SSL_check_chain.pod
new file mode 100644
index 0000000..d3b7601
--- /dev/null
+++ b/doc/ssl/SSL_check_chain.pod
@@ -0,0 +1,85 @@
+=pod
+
+=head1 NAME
+
+SSL_check_chain - check certificate chain suitability
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain);
+
+=head1 DESCRIPTION
+
+SSL_check_chain() checks whether certificate B<x>, private key B<pk> and
+certificate chain B<chain> is suitable for use with the current session
+B<s>.
+
+=head1 RETURN VALUES
+
+SSL_check_chain() returns a bitmap of flags indicating the validity of the
+chain.
+
+B<CERT_PKEY_VALID>: the chain can be used with the current session.
+If this flag is B<not> set then the certificate will never be used even
+if the application tries to set it because it is inconsistent with the
+peer preferences.
+
+B<CERT_PKEY_SIGN>: the EE key can be used for signing.
+
+B<CERT_PKEY_EE_SIGNATURE>: the signature algorithm of the EE certificate is
+acceptable.
+
+B<CERT_PKEY_CA_SIGNATURE>: the signature algorithms of all CA certificates
+are acceptable.
+
+B<CERT_PKEY_EE_PARAM>: the parameters of the end entity certificate are
+acceptable (e.g. it is a supported curve).
+
+B<CERT_PKEY_CA_PARAM>: the parameters of all CA certificates are acceptable.
+
+B<CERT_PKEY_EXPLICIT_SIGN>: the end entity certificate algorithm
+can be used explicitly for signing (i.e. it is mentioned in the signature
+algorithms extension).
+
+B<CERT_PKEY_ISSUER_NAME>: the issuer name is acceptable. This is only
+meaningful for client authentication.
+
+B<CERT_PKEY_CERT_TYPE>: the certificate type is acceptable. Only meaningful
+for client authentication.
+
+B<CERT_PKEY_SUITEB>: chain is suitable for Suite B use.
+
+=head1 NOTES
+
+SSL_check_chain() must be called in servers after a client hello message or in
+clients after a certificate request message. It will typically be called
+in the certificate callback.
+
+An application wishing to support multiple certificate chains may call this
+function on each chain in turn: starting with the one it considers the
+most secure. It could then use the chain of the first set which returns
+suitable flags.
+
+As a minimum the flag B<CERT_PKEY_VALID> must be set for a chain to be
+usable. An application supporting multiple chains with different CA signature
+algorithms may also wish to check B<CERT_PKEY_CA_SIGNATURE> too. If no
+chain is suitable a server should fall back to the most secure chain which
+sets B<CERT_PKEY_VALID>.
+
+The validity of a chain is determined by checking if it matches a supported
+signature algorithm, supported curves and in the case of client authentication
+certificate types and issuer names.
+
+Since the supported signature algorithms extension is only used in TLS 1.2
+and DTLS 1.2 the results for earlier versions of TLS and DTLS may not be
+very useful. Applications may wish to specify a different "legacy" chain
+for earlier versions of TLS or DTLS.
+
+=head1 SEE ALSO
+
+L<SSL_CTX_set_cert_cb(3)|SSL_CTX_set_cert_cb(3)>,
+L<ssl(3)|ssl(3)>
+
+=cut

From steve at openssl.org  Fri Aug 14 12:51:51 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 12:51:51 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439556711.139932.9159.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2fd7fb99dba9f56fbcb7ee1686bef30c7aef4754 (commit)
      from  6d5f8265ce6c4a8ed528462f519d9e8f2b7cfafd (commit)


- Log -----------------------------------------------------------------
commit 2fd7fb99dba9f56fbcb7ee1686bef30c7aef4754
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Jun 17 01:13:40 2015 +0100

    Update docs.
    
    Clarify and update documention for extra chain certificates.
    
    PR#3878.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 35 +++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
index 8e832a5..04300fb 100644
--- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
+++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -2,29 +2,39 @@
 
 =head1 NAME
 
-SSL_CTX_add_extra_chain_cert - add certificate to chain
+SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs - add or clear
+extra chain certificates
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
- long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509)
+ long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
+ long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
 
 =head1 DESCRIPTION
 
-SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate
-chain presented together with the certificate. Several certificates
-can be added one after the other.
+SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the extra chain
+certificates associated with B<ctx>. Several certificates can be added one
+after another.
+
+SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates
+associated with B<ctx>.
+
+These functions are implemented as macros.
 
 =head1 NOTES
 
-When constructing the certificate chain, the chain will be formed from
-these certificates explicitly specified. If no chain is specified,
-the library will try to complete the chain from the available CA
-certificates in the trusted CA storage, see
+When sending a certificate chain, extra chain certificates are sent in order
+following the end entity certificate.
+
+If no chain is specified, the library will try to complete the chain from the
+available CA certificates in the trusted CA storage, see
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
 
-The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the B<SSL_CTX> is destroyed. An application B<should not> free the B<x509> object.
+The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be
+freed by the library when the B<SSL_CTX> is destroyed. An application
+B<should not> free the B<x509> object.
 
 =head1 RESTRICTIONS
 
@@ -37,8 +47,9 @@ be used instead.
 
 =head1 RETURN VALUES
 
-SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
-error stack to find out the reason for failure otherwise.
+SSL_CTX_add_extra_chain_cert() and SSL_CTX_clear_extra_chain_certs() return
+1 on success and 0 for failure. Check out the error stack to find out the
+reason for failure.
 
 =head1 SEE ALSO
 

From steve at openssl.org  Fri Aug 14 12:55:40 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 12:55:40 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1439556940.685132.17313.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  2cf51451f3a94be3fdf7d281b122eb74d72a839e (commit)
      from  50e56c1d8c681b8e8a070487645370f0f7c1ee9e (commit)


- Log -----------------------------------------------------------------
commit 2cf51451f3a94be3fdf7d281b122eb74d72a839e
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Jun 17 01:13:40 2015 +0100

    Update docs.
    
    Clarify and update documention for extra chain certificates.
    
    PR#3878.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 2fd7fb99dba9f56fbcb7ee1686bef30c7aef4754)

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 35 +++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
index 5955ee1..18fb2e2 100644
--- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
+++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -2,29 +2,39 @@
 
 =head1 NAME
 
-SSL_CTX_add_extra_chain_cert - add certificate to chain
+SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs - add or clear
+extra chain certificates
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
- long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509)
+ long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
+ long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
 
 =head1 DESCRIPTION
 
-SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate
-chain presented together with the certificate. Several certificates
-can be added one after the other.
+SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the extra chain
+certificates associated with B<ctx>. Several certificates can be added one
+after another.
+
+SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates
+associated with B<ctx>.
+
+These functions are implemented as macros.
 
 =head1 NOTES
 
-When constructing the certificate chain, the chain will be formed from
-these certificates explicitly specified. If no chain is specified,
-the library will try to complete the chain from the available CA
-certificates in the trusted CA storage, see
+When sending a certificate chain, extra chain certificates are sent in order
+following the end entity certificate.
+
+If no chain is specified, the library will try to complete the chain from the
+available CA certificates in the trusted CA storage, see
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
 
-The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the B<SSL_CTX> is destroyed. An application B<should not> free the B<x509> object.
+The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be
+freed by the library when the B<SSL_CTX> is destroyed. An application
+B<should not> free the B<x509> object.
 
 =head1 RESTRICTIONS
 
@@ -36,8 +46,9 @@ function.
 
 =head1 RETURN VALUES
 
-SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
-error stack to find out the reason for failure otherwise.
+SSL_CTX_add_extra_chain_cert() and SSL_CTX_clear_extra_chain_certs() return
+1 on success and 0 for failure. Check out the error stack to find out the
+reason for failure.
 
 =head1 SEE ALSO
 

From steve at openssl.org  Fri Aug 14 12:55:40 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 12:55:40 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439556940.764659.17335.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  3d23b2c255e194ebb9dabd198d263028b475d012 (commit)
      from  8d2e7c0dec6e0c0edbd2db0d712cc7407143eb65 (commit)


- Log -----------------------------------------------------------------
commit 3d23b2c255e194ebb9dabd198d263028b475d012
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed Jun 17 01:13:40 2015 +0100

    Update docs.
    
    Clarify and update documention for extra chain certificates.
    
    PR#3878.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 2fd7fb99dba9f56fbcb7ee1686bef30c7aef4754)

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 35 +++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 12 deletions(-)

diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
index 8e832a5..04300fb 100644
--- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
+++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -2,29 +2,39 @@
 
 =head1 NAME
 
-SSL_CTX_add_extra_chain_cert - add certificate to chain
+SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs - add or clear
+extra chain certificates
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
- long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509)
+ long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
+ long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
 
 =head1 DESCRIPTION
 
-SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate
-chain presented together with the certificate. Several certificates
-can be added one after the other.
+SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the extra chain
+certificates associated with B<ctx>. Several certificates can be added one
+after another.
+
+SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates
+associated with B<ctx>.
+
+These functions are implemented as macros.
 
 =head1 NOTES
 
-When constructing the certificate chain, the chain will be formed from
-these certificates explicitly specified. If no chain is specified,
-the library will try to complete the chain from the available CA
-certificates in the trusted CA storage, see
+When sending a certificate chain, extra chain certificates are sent in order
+following the end entity certificate.
+
+If no chain is specified, the library will try to complete the chain from the
+available CA certificates in the trusted CA storage, see
 L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
 
-The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the B<SSL_CTX> is destroyed. An application B<should not> free the B<x509> object.
+The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be
+freed by the library when the B<SSL_CTX> is destroyed. An application
+B<should not> free the B<x509> object.
 
 =head1 RESTRICTIONS
 
@@ -37,8 +47,9 @@ be used instead.
 
 =head1 RETURN VALUES
 
-SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
-error stack to find out the reason for failure otherwise.
+SSL_CTX_add_extra_chain_cert() and SSL_CTX_clear_extra_chain_certs() return
+1 on success and 0 for failure. Check out the error stack to find out the
+reason for failure.
 
 =head1 SEE ALSO
 

From steve at openssl.org  Fri Aug 14 13:21:52 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Fri, 14 Aug 2015 13:21:52 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439558512.180811.20503.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f8f5f8369d1d76fd8ec28d3d2422a47f8440f452 (commit)
       via  176f85a28ec73b16f68a4f1737fb4645b9e9ae7b (commit)
       via  3d3701ea20ca36215e3af5ac090797cfec5fca2a (commit)
       via  e75c5a794e71baa3d76214be3ac8dc6e082e4a1a (commit)
      from  2fd7fb99dba9f56fbcb7ee1686bef30c7aef4754 (commit)


- Log -----------------------------------------------------------------
commit f8f5f8369d1d76fd8ec28d3d2422a47f8440f452
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 10 19:17:50 2015 +0100

    add CCM docs
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 176f85a28ec73b16f68a4f1737fb4645b9e9ae7b
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jul 31 16:53:45 2015 +0100

    Add CCM ciphersuites from RFC6655 and RFC7251
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 3d3701ea20ca36215e3af5ac090797cfec5fca2a
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jul 31 16:59:45 2015 +0100

    ccm8 support
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit e75c5a794e71baa3d76214be3ac8dc6e082e4a1a
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Jul 31 16:54:35 2015 +0100

    CCM support.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/e_aes.c        |  92 ++++++++++++-
 doc/apps/ciphers.pod      |  29 +++++
 include/openssl/evp.h     |  10 +-
 include/openssl/ssl.h     |   2 +
 include/openssl/tls1.h    |  54 ++++++++
 ssl/record/rec_layer_d1.c |   2 +
 ssl/record/rec_layer_s3.c |   2 +
 ssl/record/ssl3_record.c  |  14 +-
 ssl/s3_lib.c              | 320 ++++++++++++++++++++++++++++++++++++++++++++++
 ssl/ssl_algs.c            |   2 +
 ssl/ssl_ciph.c            |  36 +++++-
 ssl/ssl_locl.h            |   6 +-
 ssl/t1_enc.c              |  18 ++-
 13 files changed, 570 insertions(+), 17 deletions(-)

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index f8365a2..b02cf6e 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -110,6 +110,7 @@ typedef struct {
     int tag_set;                /* Set if tag is valid */
     int len_set;                /* Set if message length set */
     int L, M;                   /* L and M parameters from RFC3610 */
+    int tls_aad_len;            /* TLS AAD length */
     CCM128_CONTEXT ccm;
     ccm128_f str;
 } EVP_AES_CCM_CTX;
@@ -1853,6 +1854,34 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         cctx->M = 12;
         cctx->tag_set = 0;
         cctx->len_set = 0;
+        cctx->tls_aad_len = -1;
+        return 1;
+
+    case EVP_CTRL_AEAD_TLS1_AAD:
+        /* Save the AAD for later use */
+        if (arg != EVP_AEAD_TLS1_AAD_LEN)
+            return 0;
+        memcpy(c->buf, ptr, arg);
+        cctx->tls_aad_len = arg;
+        {
+            uint16_t len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+            /* Correct length for explicit IV */
+            len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
+            /* If decrypting correct for tag too */
+            if (!c->encrypt)
+                len -= cctx->M;
+            c->buf[arg - 2] = len >> 8;
+            c->buf[arg - 1] = len & 0xff;
+        }
+        /* Extra padding: tag appended to record */
+        return cctx->M;
+
+    case EVP_CTRL_CCM_SET_IV_FIXED:
+        /* Sanity check length */
+        if (arg != EVP_CCM_TLS_FIXED_IV_LEN)
+            return 0;
+        /* Just copy to first part of IV */
+        memcpy(c->iv, ptr, arg);
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
@@ -1945,14 +1974,66 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     return 1;
 }
 
+static int aes_ccm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                              const unsigned char *in, size_t len)
+{
+    EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
+    CCM128_CONTEXT *ccm = &cctx->ccm;
+    /* Encrypt/decrypt must be performed in place */
+    if (out != in || len < (EVP_CCM_TLS_EXPLICIT_IV_LEN + (size_t)cctx->M))
+        return -1;
+    /* If encrypting set explicit IV from sequence number (start of AAD) */
+    if (ctx->encrypt)
+        memcpy(out, ctx->buf, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+    /* Get rest of IV from explicit IV */
+    memcpy(ctx->iv + EVP_CCM_TLS_FIXED_IV_LEN, in, EVP_CCM_TLS_EXPLICIT_IV_LEN);
+    /* Correct length value */
+    len -= EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
+    if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
+            return -1;
+    /* Use saved AAD */
+    CRYPTO_ccm128_aad(ccm, ctx->buf, cctx->tls_aad_len);
+    /* Fix buffer to point to payload */
+    in += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+    out += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+    if (ctx->encrypt) {
+        if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
+                                                    cctx->str) :
+            CRYPTO_ccm128_encrypt(ccm, in, out, len))
+            return -1;
+        if (!CRYPTO_ccm128_tag(ccm, out + len, cctx->M))
+            return -1;
+        return len + EVP_CCM_TLS_EXPLICIT_IV_LEN + cctx->M;
+    } else {
+        if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
+                                                     cctx->str) :
+            !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
+            unsigned char tag[16];
+            if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
+                if (!CRYPTO_memcmp(tag, in + len, cctx->M))
+                    return len;
+            }
+        }
+        OPENSSL_cleanse(out, len);
+        return -1;
+    }
+}
+
 static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t len)
 {
     EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
     CCM128_CONTEXT *ccm = &cctx->ccm;
     /* If not set up, return error */
-    if (!cctx->iv_set && !cctx->key_set)
+    if (!cctx->key_set)
+        return -1;
+
+    if (cctx->tls_aad_len >= 0)
+        return aes_ccm_tls_cipher(ctx, out, in, len);
+
+    if (!cctx->iv_set)
         return -1;
+
     if (!ctx->encrypt && !cctx->tag_set)
         return -1;
     if (!out) {
@@ -2007,9 +2088,12 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 # define aes_ccm_cleanup NULL
 
-BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, CUSTOM_FLAGS)
-    BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, CUSTOM_FLAGS)
-    BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, CUSTOM_FLAGS)
+BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
+                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+    BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
+                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+    BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
+                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
 
 typedef struct {
     union {
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 5a4a4fd..3f146e8 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -260,6 +260,13 @@ cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
 AES in Galois Counter Mode (GCM): these ciphersuites are only supported
 in TLS v1.2.
 
+=item B<AESCCM>, B<AESCCM8>
+
+AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
+ciphersuites are only supported in TLS v1.2. B<AESCCM> references CCM
+cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
+while B<AESCCM8> only references 8 octet ICV.
+
 =item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
 
 cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
@@ -576,6 +583,19 @@ Note: these ciphers can also be used in SSL v3.
  TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
  TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384
 
+ RSA_WITH_AES_128_CCM                      AES128-CCM
+ RSA_WITH_AES_256_CCM                      AES256-CCM
+ DHE_RSA_WITH_AES_128_CCM                  DHE-RSA-AES128-CCM
+ DHE_RSA_WITH_AES_256_CCM                  DHE-RSA-AES256-CCM
+ RSA_WITH_AES_128_CCM_8                    AES128-CCM8
+ RSA_WITH_AES_256_CCM_8                    AES256-CCM8
+ DHE_RSA_WITH_AES_128_CCM_8                DHE-RSA-AES128-CCM8
+ DHE_RSA_WITH_AES_256_CCM_8                DHE-RSA-AES256-CCM8
+ ECDHE_ECDSA_WITH_AES_128_CCM              ECDHE-ECDSA-AES128-CCM
+ ECDHE_ECDSA_WITH_AES_256_CCM              ECDHE-ECDSA-AES256-CCM
+ ECDHE_ECDSA_WITH_AES_128_CCM_8            ECDHE-ECDSA-AES128-CCM8
+ ECDHE_ECDSA_WITH_AES_256_CCM_8            ECDHE-ECDSA-AES256-CCM8
+
 =head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
 
  TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
@@ -652,6 +672,15 @@ Note: these ciphers can also be used in SSL v3.
  ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    ECDHE-PSK-CAMELLIA128-SHA256
  ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    ECDHE-PSK-CAMELLIA256-SHA384
 
+ PSK_WITH_AES_128_CCM                      PSK-AES128-CCM
+ PSK_WITH_AES_256_CCM                      PSK-AES256-CCM
+ DHE_PSK_WITH_AES_128_CCM                  DHE-PSK-AES128-CCM
+ DHE_PSK_WITH_AES_256_CCM                  DHE-PSK-AES256-CCM
+ PSK_WITH_AES_128_CCM_8                    PSK-AES128-CCM8
+ PSK_WITH_AES_256_CCM_8                    PSK-AES256-CCM8
+ DHE_PSK_WITH_AES_128_CCM_8                DHE-PSK-AES128-CCM8
+ DHE_PSK_WITH_AES_256_CCM_8                DHE-PSK-AES256-CCM8
+
 =head1 NOTES
 
 Some compiled versions of OpenSSL may not include all the ciphers
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index dff81b0..ddefbf6 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -399,14 +399,16 @@ struct evp_cipher_st {
 # define         EVP_CTRL_AEAD_SET_IVLEN         0x9
 # define         EVP_CTRL_AEAD_GET_TAG           0x10
 # define         EVP_CTRL_AEAD_SET_TAG           0x11
+# define         EVP_CTRL_AEAD_SET_IV_FIXED      0x12
 # define         EVP_CTRL_GCM_SET_IVLEN          EVP_CTRL_AEAD_SET_IVLEN
 # define         EVP_CTRL_GCM_GET_TAG            EVP_CTRL_AEAD_GET_TAG
 # define         EVP_CTRL_GCM_SET_TAG            EVP_CTRL_AEAD_SET_TAG
-# define         EVP_CTRL_GCM_SET_IV_FIXED       0x12
+# define         EVP_CTRL_GCM_SET_IV_FIXED       EVP_CTRL_AEAD_SET_IV_FIXED
 # define         EVP_CTRL_GCM_IV_GEN             0x13
 # define         EVP_CTRL_CCM_SET_IVLEN          EVP_CTRL_AEAD_SET_IVLEN
 # define         EVP_CTRL_CCM_GET_TAG            EVP_CTRL_AEAD_GET_TAG
 # define         EVP_CTRL_CCM_SET_TAG            EVP_CTRL_AEAD_SET_TAG
+# define         EVP_CTRL_CCM_SET_IV_FIXED       EVP_CTRL_AEAD_SET_IV_FIXED
 # define         EVP_CTRL_CCM_SET_L              0x14
 # define         EVP_CTRL_CCM_SET_MSGLEN         0x15
 /*
@@ -443,6 +445,12 @@ typedef struct {
 /* Length of tag for TLS */
 # define EVP_GCM_TLS_TAG_LEN                             16
 
+/* CCM TLS constants */
+/* Length of fixed part of IV derived from PRF */
+# define EVP_CCM_TLS_FIXED_IV_LEN                        4
+/* Length of explicit part of IV part of TLS records */
+# define EVP_CCM_TLS_EXPLICIT_IV_LEN                     8
+
 typedef struct evp_cipher_info_st {
     const EVP_CIPHER *cipher;
     unsigned char iv[EVP_MAX_IV_LENGTH];
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 28c2fb9..10f8041 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -245,6 +245,8 @@ extern "C" {
 # define SSL_TXT_AES256          "AES256"
 # define SSL_TXT_AES             "AES"
 # define SSL_TXT_AES_GCM         "AESGCM"
+# define SSL_TXT_AES_CCM         "AESCCM"
+# define SSL_TXT_AES_CCM_8       "AESCCM8"
 # define SSL_TXT_CAMELLIA128     "CAMELLIA128"
 # define SSL_TXT_CAMELLIA256     "CAMELLIA256"
 # define SSL_TXT_CAMELLIA        "CAMELLIA"
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 6e98784..6adfcf3 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -519,6 +519,31 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_ADH_WITH_AES_128_GCM_SHA256             0x030000A6
 # define TLS1_CK_ADH_WITH_AES_256_GCM_SHA384             0x030000A7
 
+/* CCM ciphersuites from RFC6655 */
+# define TLS1_CK_RSA_WITH_AES_128_CCM                    0x0300C09C
+# define TLS1_CK_RSA_WITH_AES_256_CCM                    0x0300C09D
+# define TLS1_CK_DHE_RSA_WITH_AES_128_CCM                0x0300C09E
+# define TLS1_CK_DHE_RSA_WITH_AES_256_CCM                0x0300C09F
+# define TLS1_CK_RSA_WITH_AES_128_CCM_8                  0x0300C0A0
+# define TLS1_CK_RSA_WITH_AES_256_CCM_8                  0x0300C0A1
+# define TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8              0x0300C0A2
+# define TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8              0x0300C0A3
+# define TLS1_CK_PSK_WITH_AES_128_CCM                    0x0300C0A4
+# define TLS1_CK_PSK_WITH_AES_256_CCM                    0x0300C0A5
+# define TLS1_CK_DHE_PSK_WITH_AES_128_CCM                0x0300C0A6
+# define TLS1_CK_DHE_PSK_WITH_AES_256_CCM                0x0300C0A7
+# define TLS1_CK_PSK_WITH_AES_128_CCM_8                  0x0300C0A8
+# define TLS1_CK_PSK_WITH_AES_256_CCM_8                  0x0300C0A9
+# define TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8              0x0300C0AA
+# define TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8              0x0300C0AB
+
+/* CCM ciphersuites from RFC7251 */
+
+# define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM            0x0300C0AC
+# define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM            0x0300C0AD
+# define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8          0x0300C0AE
+# define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8          0x0300C0AF
+
 /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
 # define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256                0x030000BA
 # define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256             0x030000BB
@@ -823,6 +848,35 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256            "ADH-AES128-GCM-SHA256"
 # define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384            "ADH-AES256-GCM-SHA384"
 
+/* CCM ciphersuites from RFC6655 */
+
+# define TLS1_TXT_RSA_WITH_AES_128_CCM                   "AES128-CCM"
+# define TLS1_TXT_RSA_WITH_AES_256_CCM                   "AES256-CCM"
+# define TLS1_TXT_DHE_RSA_WITH_AES_128_CCM               "DHE-RSA-AES128-CCM"
+# define TLS1_TXT_DHE_RSA_WITH_AES_256_CCM               "DHE-RSA-AES256-CCM"
+
+# define TLS1_TXT_RSA_WITH_AES_128_CCM_8                 "AES128-CCM8"
+# define TLS1_TXT_RSA_WITH_AES_256_CCM_8                 "AES256-CCM8"
+# define TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8             "DHE-RSA-AES128-CCM8"
+# define TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8             "DHE-RSA-AES256-CCM8"
+
+# define TLS1_TXT_PSK_WITH_AES_128_CCM                   "PSK-AES128-CCM"
+# define TLS1_TXT_PSK_WITH_AES_256_CCM                   "PSK-AES256-CCM"
+# define TLS1_TXT_DHE_PSK_WITH_AES_128_CCM               "DHE-PSK-AES128-CCM"
+# define TLS1_TXT_DHE_PSK_WITH_AES_256_CCM               "DHE-PSK-AES256-CCM"
+
+# define TLS1_TXT_PSK_WITH_AES_128_CCM_8                 "PSK-AES128-CCM8"
+# define TLS1_TXT_PSK_WITH_AES_256_CCM_8                 "PSK-AES256-CCM8"
+# define TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8             "DHE-PSK-AES128-CCM8"
+# define TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8             "DHE-PSK-AES256-CCM8"
+
+/* CCM ciphersuites from RFC7251 */
+
+# define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM       "ECDHE-ECDSA-AES128-CCM"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM       "ECDHE-ECDSA-AES256-CCM"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8     "ECDHE-ECDSA-AES128-CCM8"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8     "ECDHE-ECDSA-AES256-CCM8"
+
 /* ECDH HMAC based ciphersuites from RFC5289 */
 
 # define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256    "ECDHE-ECDSA-AES128-SHA256"
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 3da4f11..74796be 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -1120,6 +1120,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
         /* Need explicit part of IV for GCM mode */
         else if (mode == EVP_CIPH_GCM_MODE)
             eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+        else if (mode == EVP_CIPH_CCM_MODE)
+            eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN;
         else
             eivlen = 0;
     } else
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 8a9e303..5b28663 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -799,6 +799,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
         /* Need explicit part of IV for GCM mode */
         else if (mode == EVP_CIPH_GCM_MODE)
             eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+        else if (mode == EVP_CIPH_CCM_MODE)
+            eivlen = EVP_CCM_TLS_EXPLICIT_IV_LEN;
         else
             eivlen = 0;
     } else
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 1865f24..1fa1710 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -764,10 +764,16 @@ int tls1_enc(SSL *s, int send)
             ? (i < 0)
             : (i == 0))
             return -1;          /* AEAD can fail to verify MAC */
-        if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
-            rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-            rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
-            rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+        if (send == 0) {
+            if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE) {
+                rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+                rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
+                rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+            } else if (EVP_CIPHER_mode(enc) == EVP_CIPH_CCM_MODE) {
+                rec->data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+                rec->input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
+                rec->length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
+            }
         }
 
         ret = 1;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0a3bba4..47d28e7 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3450,6 +3450,326 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
      256},
 #endif
 
+    /* Cipher C09C */
+    {
+     1,
+     TLS1_TXT_RSA_WITH_AES_128_CCM,
+     TLS1_CK_RSA_WITH_AES_128_CCM,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES128CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C09D */
+    {
+     1,
+     TLS1_TXT_RSA_WITH_AES_256_CCM,
+     TLS1_CK_RSA_WITH_AES_256_CCM,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES256CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C09E */
+    {
+     1,
+     TLS1_TXT_DHE_RSA_WITH_AES_128_CCM,
+     TLS1_CK_DHE_RSA_WITH_AES_128_CCM,
+     SSL_kDHE,
+     SSL_aRSA,
+     SSL_AES128CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C09F */
+    {
+     1,
+     TLS1_TXT_DHE_RSA_WITH_AES_256_CCM,
+     TLS1_CK_DHE_RSA_WITH_AES_256_CCM,
+     SSL_kDHE,
+     SSL_aRSA,
+     SSL_AES256CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0A0 */
+    {
+     1,
+     TLS1_TXT_RSA_WITH_AES_128_CCM_8,
+     TLS1_CK_RSA_WITH_AES_128_CCM_8,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES128CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0A1 */
+    {
+     1,
+     TLS1_TXT_RSA_WITH_AES_256_CCM_8,
+     TLS1_CK_RSA_WITH_AES_256_CCM_8,
+     SSL_kRSA,
+     SSL_aRSA,
+     SSL_AES256CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0A2 */
+    {
+     1,
+     TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8,
+     TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8,
+     SSL_kDHE,
+     SSL_aRSA,
+     SSL_AES128CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0A3 */
+    {
+     1,
+     TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8,
+     TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8,
+     SSL_kDHE,
+     SSL_aRSA,
+     SSL_AES256CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0A4 */
+    {
+     1,
+     TLS1_TXT_PSK_WITH_AES_128_CCM,
+     TLS1_CK_PSK_WITH_AES_128_CCM,
+     SSL_kPSK,
+     SSL_aPSK,
+     SSL_AES128CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0A4 */
+    {
+     1,
+     TLS1_TXT_PSK_WITH_AES_256_CCM,
+     TLS1_CK_PSK_WITH_AES_256_CCM,
+     SSL_kPSK,
+     SSL_aPSK,
+     SSL_AES256CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0A6 */
+    {
+     1,
+     TLS1_TXT_DHE_PSK_WITH_AES_128_CCM,
+     TLS1_CK_DHE_PSK_WITH_AES_128_CCM,
+     SSL_kDHEPSK,
+     SSL_aPSK,
+     SSL_AES128CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0A7 */
+    {
+     1,
+     TLS1_TXT_DHE_PSK_WITH_AES_256_CCM,
+     TLS1_CK_DHE_PSK_WITH_AES_256_CCM,
+     SSL_kDHEPSK,
+     SSL_aPSK,
+     SSL_AES256CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0A8 */
+    {
+     1,
+     TLS1_TXT_PSK_WITH_AES_128_CCM_8,
+     TLS1_CK_PSK_WITH_AES_128_CCM_8,
+     SSL_kPSK,
+     SSL_aPSK,
+     SSL_AES128CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0A9 */
+    {
+     1,
+     TLS1_TXT_PSK_WITH_AES_256_CCM_8,
+     TLS1_CK_PSK_WITH_AES_256_CCM_8,
+     SSL_kPSK,
+     SSL_aPSK,
+     SSL_AES256CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0AA */
+    {
+     1,
+     TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8,
+     TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8,
+     SSL_kDHEPSK,
+     SSL_aPSK,
+     SSL_AES128CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0AB */
+    {
+     1,
+     TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8,
+     TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8,
+     SSL_kDHEPSK,
+     SSL_aPSK,
+     SSL_AES256CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0AC */
+    {
+     1,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES128CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0AD */
+    {
+     1,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES256CCM,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
+    /* Cipher C0AE */
+    {
+     1,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES128CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     128,
+     128,
+     },
+
+    /* Cipher C0AF */
+    {
+     1,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_AES256CCM8,
+     SSL_AEAD,
+     SSL_TLSV1_2,
+     SSL_NOT_EXP | SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+
 /* end of list */
 };
 
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index ba9fc48..f4827fd 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -91,6 +91,8 @@ int SSL_library_init(void)
     EVP_add_cipher(EVP_aes_256_cbc());
     EVP_add_cipher(EVP_aes_128_gcm());
     EVP_add_cipher(EVP_aes_256_gcm());
+    EVP_add_cipher(EVP_aes_128_ccm());
+    EVP_add_cipher(EVP_aes_256_ccm());
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
     EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
     EVP_add_cipher(EVP_aes_128_cbc_hmac_sha256());
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 08a95f9..c048fc2 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -164,7 +164,11 @@
 #define SSL_ENC_SEED_IDX        11
 #define SSL_ENC_AES128GCM_IDX   12
 #define SSL_ENC_AES256GCM_IDX   13
-#define SSL_ENC_NUM_IDX         14
+#define SSL_ENC_AES128CCM_IDX   14
+#define SSL_ENC_AES256CCM_IDX   15
+#define SSL_ENC_AES128CCM8_IDX  16
+#define SSL_ENC_AES256CCM8_IDX  17
+#define SSL_ENC_NUM_IDX         18
 
 /* NB: make sure indices in these tables match values above */
 
@@ -188,7 +192,11 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
     {SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */
     {SSL_SEED, NID_seed_cbc},   /* SSL_ENC_SEED_IDX 11 */
     {SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */
-    {SSL_AES256GCM, NID_aes_256_gcm} /* SSL_ENC_AES256GCM_IDX 13 */
+    {SSL_AES256GCM, NID_aes_256_gcm}, /* SSL_ENC_AES256GCM_IDX 13 */
+    {SSL_AES128CCM, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM_IDX 14 */
+    {SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */
+    {SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */
+    {SSL_AES256CCM8, NID_aes_256_ccm} /* SSL_ENC_AES256CCM8_IDX 17 */
 };
 
 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
@@ -355,13 +363,17 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM, 0, 0, 0, 0, 0,
-     0},
-    {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM, 0, 0, 0, 0, 0,
-     0},
+    {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8, 0,
+     0, 0, 0, 0, 0},
+    {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8, 0,
+     0, 0, 0, 0, 0},
     {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0,
      0, 0},
+    {0, SSL_TXT_AES_CCM, 0, 0, 0, SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0,
+     0, 0},
+    {0, SSL_TXT_AES_CCM_8, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0,
+     0, 0},
     {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA256, 0, 0, 0,
@@ -1709,6 +1721,18 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_AES256GCM:
         enc = "AESGCM(256)";
         break;
+    case SSL_AES128CCM:
+        enc = "AESCCM(128)";
+        break;
+    case SSL_AES256CCM:
+        enc = "AESCCM(256)";
+        break;
+    case SSL_AES128CCM8:
+        enc = "AESCCM8(128)";
+        break;
+    case SSL_AES256CCM8:
+        enc = "AESCCM8(256)";
+        break;
     case SSL_CAMELLIA128:
         enc = "Camellia(128)";
         break;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 63b547a..79926ff 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -359,8 +359,12 @@
 # define SSL_SEED                0x00000800L
 # define SSL_AES128GCM           0x00001000L
 # define SSL_AES256GCM           0x00002000L
+# define SSL_AES128CCM           0x00004000L
+# define SSL_AES256CCM           0x00008000L
+# define SSL_AES128CCM8          0x00010000L
+# define SSL_AES256CCM8          0x00020000L
 
-# define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
+# define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM|SSL_AES128CCM|SSL_AES256CCM|SSL_AES128CCM8|SSL_AES256CCM8)
 # define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
 
 /* Bits for algorithm_mac (symmetric authentication) */
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 9942bb4..1f539aa 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -422,9 +422,11 @@ int tls1_change_cipher_state(SSL *s, int which)
     j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
                      cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
     /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
-    /* If GCM mode only part of IV comes from PRF */
+    /* If GCM/CCM mode only part of IV comes from PRF */
     if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
         k = EVP_GCM_TLS_FIXED_IV_LEN;
+    else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
+        k = EVP_CCM_TLS_FIXED_IV_LEN;
     else
         k = EVP_CIPHER_iv_length(c);
     if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
@@ -506,6 +508,20 @@ int tls1_change_cipher_state(SSL *s, int which)
             SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
             goto err2;
         }
+    } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
+        int taglen;
+        if (s->s3->tmp.new_cipher->algorithm_enc & (SSL_AES128CCM8|SSL_AES256CCM8))
+            taglen = 8;
+        else
+            taglen = 16;
+        if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
+            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
+            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
+            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv)
+            || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
+            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+            goto err2;
+        }
     } else {
         if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
             SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);

From matt at openssl.org  Fri Aug 14 16:04:07 2015
From: matt at openssl.org (Matt Caswell)
Date: Fri, 14 Aug 2015 16:04:07 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439568247.100944.14469.nullmailer@dev.openssl.org>

The branch master has been updated
       via  c83eda8c22f08346d5434662643de523a469c81e (commit)
      from  f8f5f8369d1d76fd8ec28d3d2422a47f8440f452 (commit)


- Log -----------------------------------------------------------------
commit c83eda8c22f08346d5434662643de523a469c81e
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 13 10:04:23 2015 +0100

    Fix session tickets
    
    Commit 9ceb2426b0 (PACKETise ClientHello) broke session tickets by failing
    to detect the session ticket extension in an incoming ClientHello. This
    commit fixes the bug.
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/t1_lib.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e37411c..f004288 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3043,6 +3043,11 @@ int tls1_process_ticket(SSL *s, PACKET *pkt,  unsigned char *session_id,
                 break;
             }
             goto end;
+        } else {
+            if (!PACKET_forward(pkt, size)) {
+                retv = -1;
+                goto end;
+            }
         }
     }
     retv = 0;

From matt at openssl.org  Fri Aug 14 16:11:42 2015
From: matt at openssl.org (Matt Caswell)
Date: Fri, 14 Aug 2015 16:11:42 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439568702.535343.15960.nullmailer@dev.openssl.org>

The branch master has been updated
       via  561e12bbb0a85c44d2b5501ccd430f2fb2fd63aa (commit)
      from  c83eda8c22f08346d5434662643de523a469c81e (commit)


- Log -----------------------------------------------------------------
commit 561e12bbb0a85c44d2b5501ccd430f2fb2fd63aa
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Aug 5 14:50:24 2015 +0100

    PACKETise NewSessionTicket
    
    Process NewSessionTicket messages using the new PACKET API
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index dedbfea..1394293 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2174,10 +2174,10 @@ static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
 
 int ssl3_get_new_session_ticket(SSL *s)
 {
-    int ok, al, ret = 0, ticklen;
+    int ok, al, ret = 0;
+    unsigned int ticklen;
     long n;
-    const unsigned char *p;
-    unsigned char *d;
+    PACKET pkt;
 
     n = s->method->ssl_get_message(s,
                                    SSL3_ST_CR_SESSION_TICKET_A,
@@ -2187,15 +2187,12 @@ int ssl3_get_new_session_ticket(SSL *s)
     if (!ok)
         return ((int)n);
 
-    if (n < 6) {
-        /* need at least ticket_lifetime_hint + ticket length */
-        al = SSL_AD_DECODE_ERROR;
-        SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
         goto f_err;
     }
 
-    p = d = (unsigned char *)s->init_msg;
-
     if (s->session->session_id_length > 0) {
         int i = s->session_ctx->session_cache_mode;
         SSL_SESSION *new_sess;
@@ -2227,10 +2224,9 @@ int ssl3_get_new_session_ticket(SSL *s)
         s->session = new_sess;
     }
 
-    n2l(p, s->session->tlsext_tick_lifetime_hint);
-    n2s(p, ticklen);
-    /* ticket_lifetime_hint + ticket_length + ticket */
-    if (ticklen + 6 != n) {
+    if (!PACKET_get_net_4(&pkt, &s->session->tlsext_tick_lifetime_hint)
+            || !PACKET_get_net_2(&pkt, &ticklen)
+            || PACKET_remaining(&pkt) != ticklen) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
         goto f_err;
@@ -2242,7 +2238,11 @@ int ssl3_get_new_session_ticket(SSL *s)
         SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    memcpy(s->session->tlsext_tick, p, ticklen);
+    if (!PACKET_copy_bytes(&pkt, s->session->tlsext_tick, ticklen)) {
+        al = SSL_AD_DECODE_ERROR;
+        SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
+        goto f_err;
+    }
     s->session->tlsext_ticklen = ticklen;
     /*
      * There are two ways to detect a resumed ticket session. One is to set
@@ -2255,7 +2255,7 @@ int ssl3_get_new_session_ticket(SSL *s)
      * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
      * SHA256 is disabled) hash of the ticket.
      */
-    EVP_Digest(p, ticklen,
+    EVP_Digest(s->session->tlsext_tick, ticklen,
                s->session->session_id, &s->session->session_id_length,
                EVP_sha256(), NULL);
     ret = 1;

From matt at openssl.org  Fri Aug 14 16:22:20 2015
From: matt at openssl.org (Matt Caswell)
Date: Fri, 14 Aug 2015 16:22:20 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439569340.223809.17966.nullmailer@dev.openssl.org>

The branch master has been updated
       via  efcdbcbeda556876c0147dca21d51610de30dfd9 (commit)
      from  561e12bbb0a85c44d2b5501ccd430f2fb2fd63aa (commit)


- Log -----------------------------------------------------------------
commit efcdbcbeda556876c0147dca21d51610de30dfd9
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Aug 3 12:57:51 2015 +0100

    PACKETise ClientKeyExchange processing
    
    Use the new PACKET code to process the CKE message
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_srvr.c | 183 ++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 119 insertions(+), 64 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a015a49..8bdb082 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2211,10 +2211,10 @@ int ssl3_send_certificate_request(SSL *s)
 
 int ssl3_get_client_key_exchange(SSL *s)
 {
-    int i, al, ok;
+    unsigned int i;
+    int al, ok;
     long n;
     unsigned long alg_k;
-    unsigned char *p;
 #ifndef OPENSSL_NO_RSA
     RSA *rsa = NULL;
     EVP_PKEY *pkey = NULL;
@@ -2229,6 +2229,9 @@ int ssl3_get_client_key_exchange(SSL *s)
     EC_POINT *clnt_ecpoint = NULL;
     BN_CTX *bn_ctx = NULL;
 #endif
+    PACKET pkt;
+    unsigned char *data;
+    size_t remain;
 
     n = s->method->ssl_get_message(s,
                                    SSL3_ST_SR_KEY_EXCH_A,
@@ -2237,7 +2240,11 @@ int ssl3_get_client_key_exchange(SSL *s)
 
     if (!ok)
         return ((int)n);
-    p = (unsigned char *)s->init_msg;
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+        goto f_err;
+    }
 
     alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
@@ -2246,13 +2253,8 @@ int ssl3_get_client_key_exchange(SSL *s)
     if (alg_k & SSL_PSK) {
         unsigned char psk[PSK_MAX_PSK_LEN];
         size_t psklen;
-        if (n < 2) {
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
-            goto f_err;
-        }
-        n2s(p, i);
-        if (i + 2 > n) {
+
+        if (!PACKET_get_net_2(&pkt, &i)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
             goto f_err;
@@ -2271,14 +2273,20 @@ int ssl3_get_client_key_exchange(SSL *s)
         }
 
         OPENSSL_free(s->session->psk_identity);
-        s->session->psk_identity = BUF_strndup((char *)p, i);
-
+        s->session->psk_identity = OPENSSL_malloc(i + 1);
         if (s->session->psk_identity == NULL) {
             al = SSL_AD_INTERNAL_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                    ERR_R_MALLOC_FAILURE);
             goto f_err;
         }
+        if (!PACKET_copy_bytes(&pkt, (unsigned char *)s->session->psk_identity,
+                               i)) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
+            goto f_err;
+        }
+        s->session->psk_identity[i] = '\0';
 
         psklen = s->psk_server_callback(s, s->session->psk_identity,
                                          psk, sizeof(psk));
@@ -2308,13 +2316,10 @@ int ssl3_get_client_key_exchange(SSL *s)
         }
 
         s->s3->tmp.psklen = psklen;
-
-        n -= i + 2;
-        p += i;
     }
     if (alg_k & SSL_kPSK) {
         /* Identity extracted earlier: should be nothing left */
-        if (n != 0) {
+        if (PACKET_remaining(&pkt) != 0) {
             al = SSL_AD_HANDSHAKE_FAILURE;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
             goto f_err;
@@ -2362,17 +2367,34 @@ int ssl3_get_client_key_exchange(SSL *s)
 
         /* TLS and [incidentally] DTLS{0xFEFF} */
         if (s->version > SSL3_VERSION && s->version != DTLS1_BAD_VER) {
-            n2s(p, i);
-            if (n != i + 2) {
+            if (!PACKET_get_net_2(&pkt, &i)) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
+                goto f_err;
+            }
+            remain = PACKET_remaining(&pkt);
+            if (remain != i) {
                 if (!(s->options & SSL_OP_TLS_D5_BUG)) {
                     al = SSL_AD_DECODE_ERROR;
                     SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                            SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
                     goto f_err;
-                } else
-                    p -= 2;
-            } else
-                n = i;
+                } else {
+                    remain += 2;
+                    if (!PACKET_back(&pkt, 2)) {
+                        /*
+                         * We already read these 2 bytes so this should never
+                         * fail
+                         */
+                        al = SSL_AD_INTERNAL_ERROR;
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               ERR_R_INTERNAL_ERROR);
+                        goto f_err;
+                    }
+                }
+            }
+        } else {
+            remain = PACKET_remaining(&pkt);
         }
 
         /*
@@ -2382,13 +2404,20 @@ int ssl3_get_client_key_exchange(SSL *s)
          * actual expected size is larger due to RSA padding, but the
          * bound is sufficient to be safe.
          */
-        if (n < SSL_MAX_MASTER_KEY_LENGTH) {
+
+        if (remain < SSL_MAX_MASTER_KEY_LENGTH) {
             al = SSL_AD_DECRYPT_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                    SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG);
             goto f_err;
         }
 
+        if (!PACKET_get_bytes(&pkt, &data, remain)) {
+            /* We already checked we had enough data so this shouldn't happen */
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
         /*
          * We must not leak whether a decryption failure occurs because of
          * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
@@ -2401,7 +2430,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                               sizeof(rand_premaster_secret)) <= 0)
             goto err;
         decrypt_len =
-            RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
+            RSA_private_decrypt(remain, data, data, rsa, RSA_PKCS1_PADDING);
         ERR_clear_error();
 
         /*
@@ -2420,9 +2449,9 @@ int ssl3_get_client_key_exchange(SSL *s)
          * constant time and are treated like any other decryption error.
          */
         version_good =
-            constant_time_eq_8(p[0], (unsigned)(s->client_version >> 8));
+            constant_time_eq_8(data[0], (unsigned)(s->client_version >> 8));
         version_good &=
-            constant_time_eq_8(p[1], (unsigned)(s->client_version & 0xff));
+            constant_time_eq_8(data[1], (unsigned)(s->client_version & 0xff));
 
         /*
          * The premaster secret must contain the same version number as the
@@ -2436,9 +2465,9 @@ int ssl3_get_client_key_exchange(SSL *s)
         if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
             unsigned char workaround_good;
             workaround_good =
-                constant_time_eq_8(p[0], (unsigned)(s->version >> 8));
+                constant_time_eq_8(data[0], (unsigned)(s->version >> 8));
             workaround_good &=
-                constant_time_eq_8(p[1], (unsigned)(s->version & 0xff));
+                constant_time_eq_8(data[1], (unsigned)(s->version & 0xff));
             version_good |= workaround_good;
         }
 
@@ -2455,11 +2484,12 @@ int ssl3_get_client_key_exchange(SSL *s)
          * it is still sufficiently large to read from.
          */
         for (j = 0; j < sizeof(rand_premaster_secret); j++) {
-            p[j] = constant_time_select_8(decrypt_good, p[j],
+            data[j] = constant_time_select_8(decrypt_good, data[j],
                                           rand_premaster_secret[j]);
         }
 
-        if (!ssl_generate_master_secret(s, p, sizeof(rand_premaster_secret), 0)) {
+        if (!ssl_generate_master_secret(s, data, sizeof(rand_premaster_secret),
+                                        0)) {
             al = SSL_AD_INTERNAL_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
             goto f_err;
@@ -2470,9 +2500,15 @@ int ssl3_get_client_key_exchange(SSL *s)
     if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd | SSL_kDHEPSK)) {
         int idx = -1;
         EVP_PKEY *skey = NULL;
-        if (n > 1) {
-            n2s(p, i);
-        } else {
+        size_t bookm;
+        unsigned char shared[(OPENSSL_DH_MAX_MODULUS_BITS + 7) / 8];
+
+        if (!PACKET_get_bookmark(&pkt, &bookm)) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
+        if (!PACKET_get_net_2(&pkt, &i)) {
             if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
@@ -2481,14 +2517,19 @@ int ssl3_get_client_key_exchange(SSL *s)
             }
             i = 0;
         }
-        if (n && n != i + 2) {
+        if (PACKET_remaining(&pkt) != i) {
             if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                        SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                 goto err;
             } else {
-                p -= 2;
-                i = (int)n;
+                if (!PACKET_goto_bookmark(&pkt, bookm)) {
+                    al = SSL_AD_INTERNAL_ERROR;
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                           ERR_R_INTERNAL_ERROR);
+                    goto f_err;
+                }
+                i = PACKET_remaining(&pkt);
             }
         }
         if (alg_k & SSL_kDHr)
@@ -2528,14 +2569,22 @@ int ssl3_get_client_key_exchange(SSL *s)
             }
             EVP_PKEY_free(clkey);
             pub = dh_clnt->pub_key;
-        } else
-            pub = BN_bin2bn(p, i, NULL);
+        } else {
+            if (!PACKET_get_bytes(&pkt, &data, i)) {
+                /* We already checked we have enough data */
+                al = SSL_AD_INTERNAL_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                       ERR_R_INTERNAL_ERROR);
+                goto f_err;
+            }
+            pub = BN_bin2bn(data, i, NULL);
+        }
         if (pub == NULL) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
             goto err;
         }
 
-        i = DH_compute_key(p, pub, dh_srvr);
+        i = DH_compute_key(shared, pub, dh_srvr);
 
         if (i <= 0) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
@@ -2550,7 +2599,7 @@ int ssl3_get_client_key_exchange(SSL *s)
         else
             BN_clear_free(pub);
         pub = NULL;
-        if (!ssl_generate_master_secret(s, p, i, 0)) {
+        if (!ssl_generate_master_secret(s, shared, i, 0)) {
             al = SSL_AD_INTERNAL_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
             goto f_err;
@@ -2567,6 +2616,7 @@ int ssl3_get_client_key_exchange(SSL *s)
         const EC_KEY *tkey;
         const EC_GROUP *group;
         const BIGNUM *priv_key;
+        unsigned char *shared;
 
         /* initialize structures for server's ECDH key pair */
         if ((srvr_ecdh = EC_KEY_new()) == NULL) {
@@ -2645,21 +2695,21 @@ int ssl3_get_client_key_exchange(SSL *s)
             }
 
             /* Get encoded point length */
-            i = *p;
-            p += 1;
-            if (n != 1 + i) {
+            if (!PACKET_get_1(&pkt, &i)) {
+                al = SSL_AD_DECODE_ERROR;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                       SSL_R_LENGTH_MISMATCH);
+                goto f_err;
+            }
+            if (!PACKET_get_bytes(&pkt, &data, i)
+                    || PACKET_remaining(&pkt) != 0) {
                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                 goto err;
             }
-            if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) {
+            if (EC_POINT_oct2point(group, clnt_ecpoint, data, i, bn_ctx) == 0) {
                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
                 goto err;
             }
-            /*
-             * p is pointing to somewhere in the buffer currently, so set it
-             * to the start
-             */
-            p = (unsigned char *)s->init_buf->data;
         }
 
         /* Compute the shared pre-master secret */
@@ -2668,10 +2718,16 @@ int ssl3_get_client_key_exchange(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
             goto err;
         }
-        i = ECDH_compute_key(p, (field_size + 7) / 8, clnt_ecpoint, srvr_ecdh,
-                             NULL);
+        shared = OPENSSL_malloc((field_size + 7) / 8);
+        if (shared == NULL) {
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        i = ECDH_compute_key(shared, (field_size + 7) / 8, clnt_ecpoint,
+                             srvr_ecdh, NULL);
         if (i <= 0) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+            OPENSSL_free(shared);
             goto err;
         }
 
@@ -2682,7 +2738,7 @@ int ssl3_get_client_key_exchange(SSL *s)
         EC_KEY_free(s->s3->tmp.ecdh);
         s->s3->tmp.ecdh = NULL;
 
-        if (!ssl_generate_master_secret(s, p, i, 0)) {
+        if (!ssl_generate_master_secret(s, shared, i, 1)) {
             al = SSL_AD_INTERNAL_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
             goto f_err;
@@ -2692,17 +2748,13 @@ int ssl3_get_client_key_exchange(SSL *s)
 #endif
 #ifndef OPENSSL_NO_SRP
     if (alg_k & SSL_kSRP) {
-        int param_len;
-
-        n2s(p, i);
-        param_len = i + 2;
-        if (param_len > n) {
+        if (!PACKET_get_net_2(&pkt, &i)
+                || !PACKET_get_bytes(&pkt, &data, i)) {
             al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                   SSL_R_BAD_SRP_A_LENGTH);
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
             goto f_err;
         }
-        if ((s->srp_ctx.A = BN_bin2bn(p, i, NULL)) == NULL) {
+        if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
             goto err;
         }
@@ -2724,8 +2776,6 @@ int ssl3_get_client_key_exchange(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
             goto err;
         }
-
-        p += i;
     } else
 #endif                          /* OPENSSL_NO_SRP */
     if (alg_k & SSL_kGOST) {
@@ -2757,15 +2807,20 @@ int ssl3_get_client_key_exchange(SSL *s)
                 ERR_clear_error();
         }
         /* Decrypt session key */
+        if (!PACKET_get_bytes(&pkt, &data, n)) {
+            al = SSL_AD_INTERNAL_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+            goto f_err;
+        }
         if (ASN1_get_object
-            ((const unsigned char **)&p, &Tlen, &Ttag, &Tclass,
+            ((const unsigned char **)&data, &Tlen, &Ttag, &Tclass,
              n) != V_ASN1_CONSTRUCTED || Ttag != V_ASN1_SEQUENCE
             || Tclass != V_ASN1_UNIVERSAL) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                    SSL_R_DECRYPTION_FAILED);
             goto gerr;
         }
-        start = p;
+        start = data;
         inlen = Tlen;
         if (EVP_PKEY_decrypt
             (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {

From matt at openssl.org  Fri Aug 14 16:31:46 2015
From: matt at openssl.org (Matt Caswell)
Date: Fri, 14 Aug 2015 16:31:46 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439569906.456767.19667.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ac1123320145f731fb04a4cc3df1fbd9c3d5e513 (commit)
      from  efcdbcbeda556876c0147dca21d51610de30dfd9 (commit)


- Log -----------------------------------------------------------------
commit ac1123320145f731fb04a4cc3df1fbd9c3d5e513
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 4 22:12:53 2015 +0100

    PACKETise CertificateRequest
    
    Process CertificateRequest messages using the PACKET API
    
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 66 ++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 34 insertions(+), 32 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 1394293..e7bbfc9 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2011,12 +2011,13 @@ int ssl3_get_key_exchange(SSL *s)
 int ssl3_get_certificate_request(SSL *s)
 {
     int ok, ret = 0;
-    unsigned long n, nc, l;
-    unsigned int llen, ctype_num, i;
+    unsigned long n;
+    unsigned int list_len, ctype_num, i, name_len;
     X509_NAME *xn = NULL;
-    const unsigned char *p, *q;
-    unsigned char *d;
+    unsigned char *data;
+    unsigned char *namestart, *namebytes;
     STACK_OF(X509_NAME) *ca_sk = NULL;
+    PACKET pkt;
 
     n = s->method->ssl_get_message(s,
                                    SSL3_ST_CR_CERT_REQ_A,
@@ -2055,7 +2056,11 @@ int ssl3_get_certificate_request(SSL *s)
         }
     }
 
-    p = d = (unsigned char *)s->init_msg;
+    if (!PACKET_buf_init(&pkt, s->init_msg, n)) {
+        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
 
     if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) {
         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
@@ -2063,7 +2068,12 @@ int ssl3_get_certificate_request(SSL *s)
     }
 
     /* get the certificate types */
-    ctype_num = *(p++);
+    if (!PACKET_get_1(&pkt, &ctype_num)
+            || !PACKET_get_bytes(&pkt, &data, ctype_num)) {
+        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
+        goto err;
+    }
     OPENSSL_free(s->cert->ctypes);
     s->cert->ctypes = NULL;
     if (ctype_num > SSL3_CT_NUMBER) {
@@ -2073,31 +2083,27 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        memcpy(s->cert->ctypes, p, ctype_num);
+        memcpy(s->cert->ctypes, data, ctype_num);
         s->cert->ctype_num = (size_t)ctype_num;
         ctype_num = SSL3_CT_NUMBER;
     }
     for (i = 0; i < ctype_num; i++)
-        s->s3->tmp.ctype[i] = p[i];
-    p += p[-1];
+        s->s3->tmp.ctype[i] = data[i];
+
     if (SSL_USE_SIGALGS(s)) {
-        n2s(p, llen);
-        /*
-         * Check we have enough room for signature algorithms and following
-         * length value.
-         */
-        if ((unsigned long)(p - d + llen + 2) > n) {
+        if (!PACKET_get_net_2(&pkt, &list_len)
+                || !PACKET_get_bytes(&pkt, &data, list_len)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
-                   SSL_R_DATA_LENGTH_TOO_LONG);
+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
             goto err;
         }
+
         /* Clear certificate digests and validity flags */
         for (i = 0; i < SSL_PKEY_NUM; i++) {
             s->s3->tmp.md[i] = NULL;
             s->s3->tmp.valid_flags[i] = 0;
         }
-        if ((llen & 1) || !tls1_save_sigalgs(s, p, llen)) {
+        if ((list_len & 1) || !tls1_save_sigalgs(s, data, list_len)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
                    SSL_R_SIGNATURE_ALGORITHMS_ERROR);
@@ -2108,35 +2114,34 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        p += llen;
     }
 
     /* get the CA RDNs */
-    n2s(p, llen);
-
-    if ((unsigned long)(p - d + llen) != n) {
+    if (!PACKET_get_net_2(&pkt, &list_len)
+            || PACKET_remaining(&pkt) != list_len) {
         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
         SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
         goto err;
     }
 
-    for (nc = 0; nc < llen;) {
-        n2s(p, l);
-        if ((l + nc + 2) > llen) {
+    while (PACKET_remaining(&pkt)) {
+        if (!PACKET_get_net_2(&pkt, &name_len)
+                || !PACKET_get_bytes(&pkt, &namebytes, name_len)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);
             goto err;
         }
 
-        q = p;
+        namestart = namebytes;
 
-        if ((xn = d2i_X509_NAME(NULL, &q, l)) == NULL) {
+        if ((xn = d2i_X509_NAME(NULL, (const unsigned char **)&namebytes,
+                                name_len)) == NULL) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_ASN1_LIB);
             goto err;
         }
 
-        if (q != (p + l)) {
+        if (namebytes != (namestart + name_len)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
                    SSL_R_CA_DN_LENGTH_MISMATCH);
@@ -2146,9 +2151,6 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-
-        p += l;
-        nc += l + 2;
     }
 
     /* we should setup a certificate to return.... */

From rsalz at openssl.org  Sat Aug 15 17:08:33 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 17:08:33 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439658513.299096.14418.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e42ef50e5b67be76e0a2e0b14d3ec85fdc88d7ec (commit)
      from  7054f23464d7f9062cd62034f4e91e346ddfd4f6 (commit)


- Log -----------------------------------------------------------------
commit e42ef50e5b67be76e0a2e0b14d3ec85fdc88d7ec
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 13:07:34 2015 -0400

    FLIP THE SWITCH
    
    First commit of the new website.  Things probably broke.  Now to
    start fixing.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                         |   31 +-
 .htaccess                                          |    3 -
 .wmkrc                                             |    1 -
 .wmlrc                                             |   11 -
 .wmlsnb                                            |   13 -
 Makefile                                           |  121 +-
 README                                             |   12 -
 about/.wmlrc                                       |   10 -
 about/.wmlsnb                                      |   16 -
 about/binaries.wml                                 |   36 -
 about/contacts.wml                                 |  102 --
 about/credits.wml                                  |   53 -
 about/index.wml                                    |  106 --
 about/openssl-contact.wml                          |   22 -
 about/releasestrat.wml                             |   67 -
 about/roadmap.wml                                  |  364 -----
 about/secpolicy.wml                                |  167 ---
 bin/mk-changelog                                   |   48 +
 run-faq.pl => bin/mk-faq                           |   96 +-
 bin/mk-filelist                                    |   52 +
 bin/mk-sitemap                                     |   40 +
 bin/vulnerabilities.xsl                            |  141 ++
 community/binaries.html                            |   67 +
 community/contacts.html                            |  107 ++
 community/index.html                               |   91 ++
 community/mailinglists.html                        |  100 ++
 community/sidebar.inc                              |   32 +
 community/team.html                                |  174 +++
 community/thanks.html                              |   75 +
 docs/.gitignore                                    |    3 -
 docs/.wmlrc                                        |   10 -
 docs/.wmlsnb                                       |   15 -
 docs/HOWTO/.gitignore                              |    1 -
 docs/faq.html                                      |   31 +
 docs/fips.html                                     |   65 +
 docs/fips/SecurityPolicy-1.1.1.pdf                 |  Bin 0 -> 1395381 bytes
 docs/fips/SecurityPolicy-1.1.2.pdf                 |  Bin 0 -> 429420 bytes
 docs/fips/SecurityPolicy-1.2.2.pdf                 |  Bin 0 -> 645167 bytes
 docs/fips/SecurityPolicy-1.2.3.pdf                 |  Bin 0 -> 399521 bytes
 docs/fips/SecurityPolicy-1.2.4.pdf                 |  Bin 0 -> 399888 bytes
 docs/fips/SecurityPolicy-1.2.pdf                   |  Bin 0 -> 860211 bytes
 docs/fips/SecurityPolicy-2.0.1.pdf                 |  Bin 0 -> 453385 bytes
 docs/fips/SecurityPolicy-2.0.2.pdf                 |  Bin 0 -> 450201 bytes
 docs/fips/SecurityPolicy-2.0.3.pdf                 |  Bin 0 -> 462896 bytes
 docs/fips/SecurityPolicy-2.0.4.pdf                 |  Bin 0 -> 464520 bytes
 docs/fips/SecurityPolicy-2.0.5.pdf                 |  Bin 0 -> 467374 bytes
 docs/fips/SecurityPolicy-2.0.6.pdf                 |  Bin 0 -> 509654 bytes
 docs/fips/SecurityPolicy-2.0.7.pdf                 |  Bin 0 -> 517313 bytes
 docs/fips/SecurityPolicy-2.0.8.pdf                 |  Bin 0 -> 520606 bytes
 docs/fips/SecurityPolicy-2.0.9.odt                 |  Bin 0 -> 812096 bytes
 docs/fips/SecurityPolicy-2.0.9.pdf                 |  Bin 0 -> 525392 bytes
 docs/fips/SecurityPolicy-2.0.pdf                   |  Bin 0 -> 525392 bytes
 docs/fips/UserGuide-1.1.1.pdf                      |  Bin 0 -> 681420 bytes
 docs/fips/UserGuide-1.2.pdf                        |  Bin 0 -> 925694 bytes
 docs/fips/UserGuide-2.0.pdf                        |  Bin 0 -> 1842937 bytes
 docs/fips/UserGuide.pdf                            |  Bin 0 -> 223576 bytes
 docs/fips/fips-2.0-tv.tar.gz                       |  Bin 0 -> 82787660 bytes
 docs/fips/fipsnotes.wml                            |  115 --
 docs/fips/fipsvalidation.wml                       |  164 --
 docs/fips/incore.gz                                |  Bin 0 -> 1936 bytes
 docs/fips/index.wml                                |   24 -
 docs/fips/privatelabel.html                        |  133 ++
 docs/fips/privatelabel.wml                         |   98 --
 docs/fips/rsp.HP-UX.2005-07-01.tar.gz              |  Bin 0 -> 5660011 bytes
 docs/fips/rsp.SuSE.2005-06-30.tar.gz               |  Bin 0 -> 5699128 bytes
 docs/fips/rsp.SuSE.2005-07-01.tar.gz               |  Bin 0 -> 5700115 bytes
 ...-09.zip => testvectors-linux-2007-10-10.tar.gz} |  Bin 9112982 -> 8947798 bytes
 docs/fips/testvectors.HP-UX.tar.gz                 |  Bin 0 -> 4149860 bytes
 docs/fips/testvectors.SuSE.tar.gz                  |  Bin 0 -> 4249118 bytes
 docs/fipsnotes.html                                |  133 ++
 docs/fipsvalidation.html                           |  121 ++
 docs/index.html                                    |   51 +
 docs/index.wml                                     |   54 -
 docs/sidebar.inc                                   |   15 +
 images/page-corner-bl.gif                          |  Bin 143 -> 0 bytes
 images/page-corner-br.gif                          |  Bin 144 -> 0 bytes
 images/page-corner-tr.gif                          |  Bin 146 -> 0 bytes
 images/page-head-bl.jpg                            |  Bin 653 -> 0 bytes
 images/page-head-bm.jpg                            |  Bin 608 -> 0 bytes
 images/page-head-tl.jpg                            |  Bin 2991 -> 0 bytes
 images/page-head-tm.jpg                            |  Bin 6546 -> 0 bytes
 images/page-navbar-ab-n.jpg                        |  Bin 887 -> 0 bytes
 images/page-navbar-ab-s.jpg                        |  Bin 1035 -> 0 bytes
 images/page-navbar-bot.jpg                         |  Bin 642 -> 0 bytes
 images/page-navbar-do-n.jpg                        |  Bin 1138 -> 0 bytes
 images/page-navbar-do-s.jpg                        |  Bin 1313 -> 0 bytes
 images/page-navbar-fq-n.jpg                        |  Bin 1242 -> 0 bytes
 images/page-navbar-fq-s.jpg                        |  Bin 1336 -> 0 bytes
 images/page-navbar-ne-n.jpg                        |  Bin 865 -> 0 bytes
 images/page-navbar-ne-s.jpg                        |  Bin 993 -> 0 bytes
 images/page-navbar-re-n.jpg                        |  Bin 965 -> 0 bytes
 images/page-navbar-re-s.jpg                        |  Bin 1135 -> 0 bytes
 images/page-navbar-se-n.jpg                        |  Bin 1571 -> 0 bytes
 images/page-navbar-se-s.jpg                        |  Bin 1650 -> 0 bytes
 images/page-navbar-so-n.jpg                        |  Bin 934 -> 0 bytes
 images/page-navbar-so-s.jpg                        |  Bin 1076 -> 0 bytes
 images/page-navbar-su-n.jpg                        |  Bin 1002 -> 0 bytes
 images/page-navbar-su-s.jpg                        |  Bin 1165 -> 0 bytes
 images/page-navbar-ti-n.jpg                        |  Bin 810 -> 0 bytes
 images/page-navbar-ti-s.jpg                        |  Bin 931 -> 0 bytes
 images/page-navbar-top.jpg                         |  Bin 622 -> 0 bytes
 {images => img}/DHS-logo-med.jpg                   |  Bin
 {images => img}/acano-logo.jpg                     |  Bin
 {images => img}/akamai-logo-med.png                |  Bin
 {images => img}/cerberus-logo-med.jpg              |  Bin
 {images => img}/cii-logo-med.png                   |  Bin
 {images => img}/citrix-logo-med.jpg                |  Bin
 {images => img}/globalsign-logo-med.jpg            |  Bin
 {images => img}/huawei-logo-med.jpg                |  Bin
 {images => img}/innominate-logo-med.jpg            |  Bin
 {images => img}/lf-logo-med.png                    |  Bin
 {images => img}/milton-logo-med.jpg                |  Bin
 {images => img}/nokia-logo-med.jpg                 |  Bin
 {images => img}/opengear-logo-med.jpg              |  Bin
 {images => img}/oracle-logo-med.jpg                |  Bin
 {images => img}/pkware-logo-med.jpg                |  Bin
 {images => img}/psw-logo-med.jpg                   |  Bin
 {images => img}/psw-logo.gif                       |  Bin
 {images => img}/qualsys-logo-med.jpg               |  Bin
 {images => img}/quintessence-logo-med.jpg          |  Bin
 {images => img}/smartisan-logo-med.png             |  Bin
 support/UnionPay.jpg => img/unionpay.jpg           |  Bin
 img/up.gif                                         |  Bin 0 -> 76 bytes
 inc/README                                         |    1 +
 inc/banner.inc                                     |   33 +
 inc/footer.inc                                     |    7 +
 inc/head.inc                                       |   25 +
 inc/legalities.inc                                 |   21 +
 inc/libs/jquery.min.js                             |    5 +
 inc/modernizr-2.0.js                               |    5 +
 inc/octopress.js                                   |   78 +
 inc/screen.css                                     | 1569 ++++++++++++++++++++
 index.html                                         |   56 +
 index.wml                                          |   38 -
 news/.wmlrc                                        |   10 -
 news/.wmlsnb                                       |   12 -
 news/announce-098.txt                              |   43 -
 news/announce-100.txt                              |   44 -
 news/announce-beta.txt                             |   62 -
 news/announce.txt                                  |   44 -
 news/changelog.html                                |   36 +
 news/changelog.wml                                 |   15 -
 news/index.html                                    |   46 +
 news/index.wml                                     |   14 -
 news/internet.wml                                  |   46 -
 news/news.wml                                      |   22 -
 news/newsflash.txt                                 |  445 +++---
 news/newslog.html                                  |   33 +
 news/notice_20120425.txt                           |   14 -
 news/openssl-0.9.8-notes.wml                       |    4 -
 news/openssl-1.0.0-notes.wml                       |    4 -
 news/openssl-1.0.1-notes.wml                       |    5 -
 news/openssl-1.0.2-notes.wml                       |    4 -
 news/openssl-notes.wml                             |   20 -
 news/openssl-old-notes.wml                         |   25 -
 news/patch-CAN-2005-2969.txt                       |   13 -
 news/patch-CVE-2006-4339.txt                       |   53 -
 news/patch-CVE-2007-3108.txt                       |  126 --
 news/patch-CVE-2007-5502-1.txt                     |   20 -
 news/patch-CVE-2007-5502-2.txt                     |   29 -
 news/patch_20020730_0_9_6d.txt                     |  518 -------
 news/patch_20020730_0_9_7.txt                      |  665 ---------
 news/pgpkey.html                                   |   37 +
 news/{secadv_20020730.txt => secadv/20020730.txt}  |    0
 news/{secadv_20030219.txt => secadv/20030219.txt}  |    0
 news/{secadv_20030317.txt => secadv/20030317.txt}  |    0
 news/{secadv_20030319.txt => secadv/20030319.txt}  |    0
 news/{secadv_20030930.txt => secadv/20030930.txt}  |    0
 news/{secadv_20031104.txt => secadv/20031104.txt}  |    0
 news/{secadv_20040317.txt => secadv/20040317.txt}  |    0
 news/{secadv_20051011.txt => secadv/20051011.txt}  |    0
 news/{secadv_20060905.txt => secadv/20060905.txt}  |    0
 news/{secadv_20060928.txt => secadv/20060928.txt}  |    0
 news/{secadv_20071012.txt => secadv/20071012.txt}  |    0
 news/{secadv_20071129.txt => secadv/20071129.txt}  |    0
 news/{secadv_20080528.txt => secadv/20080528.txt}  |    0
 news/{secadv_20090107.txt => secadv/20090107.txt}  |    0
 news/{secadv_20090325.txt => secadv/20090325.txt}  |    0
 news/{secadv_20091111.txt => secadv/20091111.txt}  |    0
 news/{secadv_20100324.txt => secadv/20100324.txt}  |    0
 news/{secadv_20100601.txt => secadv/20100601.txt}  |    0
 .../20101116-2.txt}                                |    0
 news/{secadv_20101116.txt => secadv/20101116.txt}  |    0
 news/{secadv_20101202.txt => secadv/20101202.txt}  |    0
 news/{secadv_20110208.txt => secadv/20110208.txt}  |    0
 news/{secadv_20110906.txt => secadv/20110906.txt}  |    0
 news/{secadv_20120104.txt => secadv/20120104.txt}  |    0
 news/{secadv_20120118.txt => secadv/20120118.txt}  |    0
 news/{secadv_20120312.txt => secadv/20120312.txt}  |    0
 news/{secadv_20120419.txt => secadv/20120419.txt}  |    0
 news/{secadv_20120424.txt => secadv/20120424.txt}  |    0
 news/{secadv_20120510.txt => secadv/20120510.txt}  |    0
 news/{secadv_20130204.txt => secadv/20130204.txt}  |    0
 news/{secadv_20130205.txt => secadv/20130205.txt}  |    0
 news/{secadv_20140407.txt => secadv/20140407.txt}  |    0
 news/{secadv_20140605.txt => secadv/20140605.txt}  |    0
 news/{secadv_20140806.txt => secadv/20140806.txt}  |    0
 news/{secadv_20141015.txt => secadv/20141015.txt}  |    0
 news/{secadv_20150108.txt => secadv/20150108.txt}  |    0
 news/{secadv_20150319.txt => secadv/20150319.txt}  |    0
 news/{secadv_20150611.txt => secadv/20150611.txt}  |    0
 news/{secadv_20150709.txt => secadv/20150709.txt}  |    0
 news/{secadv_hack.txt => secadv/hack.txt}          |    0
 news/{secadv_prng.txt => secadv/prng.txt}          |    0
 news/sidebar.inc                                   |   18 +
 news/state.wml                                     |   31 -
 news/vulnerabilities.xml                           |  196 +--
 news/vulnerabilities.xsl                           |  129 --
 news/vulnerabilitiesdates.xsl                      |   54 -
 openssl.wml                                        |  603 --------
 {about => policies}/buglist.txt                    |    0
 policies/cla.html                                  |   80 +
 policies/codingstyle.html                          |   40 +
 {about => policies}/codingstyle.txt                |    0
 policies/index.html                                |   65 +
 {licenses => policies}/openssl_ccla.pdf            |  Bin
 {licenses => policies}/openssl_icla.pdf            |  Bin
 policies/releasestrat.html                         |  106 ++
 policies/roadmap.html                              |  421 ++++++
 policies/secpolicy.html                            |  201 +++
 policies/sidebar.inc                               |   24 +
 {about => policies}/ticket-activity.png            |  Bin
 run-changelog.pl                                   |   15 -
 run-fundingfaq.pl                                  |   97 --
 sidebar.inc                                        |   31 +
 source/.gitignore                                  |    7 -
 source/.wmlrc                                      |   10 -
 source/.wmlsnb                                     |   12 -
 source/gitrepo.html                                |   76 +
 source/index.current                               |    2 -
 source/index.html                                  |   69 +
 source/index.wml                                   |   34 -
 source/license.html                                |   38 +
 source/license.wml                                 |   12 -
 source/mirror.html                                 |   74 +
 source/mirror.wml                                  |   20 -
 source/old/0.9.x/index.html                        |   31 +
 source/old/0.9.x/index.wml                         |   16 -
 source/old/1.0.0/index.html                        |   31 +
 source/old/1.0.0/index.wml                         |   16 -
 source/old/1.0.1/index.html                        |   31 +
 source/old/1.0.1/index.wml                         |   16 -
 source/old/1.0.2/index.html                        |   31 +
 source/old/1.0.2/index.wml                         |   16 -
 source/old/fips/index.html                         |   31 +
 source/old/fips/index.wml                          |   16 -
 source/old/index.html                              |   37 +
 source/old/index.wml                               |   17 -
 source/repos.wml                                   |   87 --
 source/sidebar.inc                                 |   18 +
 support/.wmlrc                                     |   10 -
 support/.wmlsnb                                    |   14 -
 support/acknowledgments.wml                        |  192 ---
 support/acks.html                                  |   75 +
 support/community.wml                              |   91 --
 support/consulting.wml                             |   68 -
 support/contracts.html                             |  168 +++
 support/{donations-cn.wml => donations-cn.html}    |    2 +-
 support/donations.html                             |   88 ++
 support/donations.wml                              |  106 --
 support/faq.wml                                    |    8 -
 support/funding/contract.wml                       |   37 -
 support/funding/support-basic.wml                  |   22 -
 support/funding/support-contact.wml                |   19 -
 support/funding/support-definitions.wml            |   24 -
 support/funding/support-faq.txt                    |  229 ---
 support/funding/support-faq.wml                    |    7 -
 support/funding/support-incident.wml               |   10 -
 support/funding/support-premium.wml                |   30 -
 support/funding/support-vendor.wml                 |   24 -
 support/funding/wishlist.wml                       |   20 -
 support/index.html                                 |   45 +
 support/index.wml                                  |   28 -
 support/majordomo.wml                              |    8 -
 support/other.wml                                  |   36 -
 support/rt.wml                                     |   55 -
 support/sidebar.inc                                |   18 +
 template-file.html                                 |   31 +
 278 files changed, 5785 insertions(+), 5977 deletions(-)
 delete mode 100644 .wmkrc
 delete mode 100644 .wmlrc
 delete mode 100644 .wmlsnb
 delete mode 100644 README
 delete mode 100644 about/.wmlrc
 delete mode 100644 about/.wmlsnb
 delete mode 100644 about/binaries.wml
 delete mode 100644 about/contacts.wml
 delete mode 100644 about/credits.wml
 delete mode 100644 about/index.wml
 delete mode 100644 about/openssl-contact.wml
 delete mode 100644 about/releasestrat.wml
 delete mode 100644 about/roadmap.wml
 delete mode 100644 about/secpolicy.wml
 create mode 100755 bin/mk-changelog
 rename run-faq.pl => bin/mk-faq (52%)
 create mode 100755 bin/mk-filelist
 create mode 100755 bin/mk-sitemap
 create mode 100644 bin/vulnerabilities.xsl
 create mode 100644 community/binaries.html
 create mode 100644 community/contacts.html
 create mode 100644 community/index.html
 create mode 100644 community/mailinglists.html
 create mode 100644 community/sidebar.inc
 create mode 100644 community/team.html
 create mode 100644 community/thanks.html
 delete mode 100644 docs/.gitignore
 delete mode 100644 docs/.wmlrc
 delete mode 100644 docs/.wmlsnb
 delete mode 100644 docs/HOWTO/.gitignore
 create mode 100644 docs/faq.html
 create mode 100644 docs/fips.html
 create mode 100644 docs/fips/SecurityPolicy-1.1.1.pdf
 create mode 100644 docs/fips/SecurityPolicy-1.1.2.pdf
 create mode 100644 docs/fips/SecurityPolicy-1.2.2.pdf
 create mode 100644 docs/fips/SecurityPolicy-1.2.3.pdf
 create mode 100644 docs/fips/SecurityPolicy-1.2.4.pdf
 create mode 100644 docs/fips/SecurityPolicy-1.2.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.1.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.2.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.3.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.4.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.5.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.6.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.7.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.8.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.9.odt
 create mode 100644 docs/fips/SecurityPolicy-2.0.9.pdf
 create mode 100644 docs/fips/SecurityPolicy-2.0.pdf
 create mode 100644 docs/fips/UserGuide-1.1.1.pdf
 create mode 100644 docs/fips/UserGuide-1.2.pdf
 create mode 100644 docs/fips/UserGuide-2.0.pdf
 create mode 100644 docs/fips/UserGuide.pdf
 create mode 100644 docs/fips/fips-2.0-tv.tar.gz
 delete mode 100644 docs/fips/fipsnotes.wml
 delete mode 100644 docs/fips/fipsvalidation.wml
 create mode 100644 docs/fips/incore.gz
 delete mode 100644 docs/fips/index.wml
 create mode 100644 docs/fips/privatelabel.html
 delete mode 100644 docs/fips/privatelabel.wml
 create mode 100644 docs/fips/rsp.HP-UX.2005-07-01.tar.gz
 create mode 100644 docs/fips/rsp.SuSE.2005-06-30.tar.gz
 create mode 100644 docs/fips/rsp.SuSE.2005-07-01.tar.gz
 copy docs/fips/{testvectors-XP-2007-10-09.zip => testvectors-linux-2007-10-10.tar.gz} (52%)
 create mode 100644 docs/fips/testvectors.HP-UX.tar.gz
 create mode 100644 docs/fips/testvectors.SuSE.tar.gz
 create mode 100644 docs/fipsnotes.html
 create mode 100644 docs/fipsvalidation.html
 create mode 100644 docs/index.html
 delete mode 100644 docs/index.wml
 create mode 100644 docs/sidebar.inc
 delete mode 100644 images/page-corner-bl.gif
 delete mode 100644 images/page-corner-br.gif
 delete mode 100644 images/page-corner-tr.gif
 delete mode 100644 images/page-head-bl.jpg
 delete mode 100644 images/page-head-bm.jpg
 delete mode 100644 images/page-head-tl.jpg
 delete mode 100644 images/page-head-tm.jpg
 delete mode 100644 images/page-navbar-ab-n.jpg
 delete mode 100644 images/page-navbar-ab-s.jpg
 delete mode 100644 images/page-navbar-bot.jpg
 delete mode 100644 images/page-navbar-do-n.jpg
 delete mode 100644 images/page-navbar-do-s.jpg
 delete mode 100755 images/page-navbar-fq-n.jpg
 delete mode 100755 images/page-navbar-fq-s.jpg
 delete mode 100644 images/page-navbar-ne-n.jpg
 delete mode 100644 images/page-navbar-ne-s.jpg
 delete mode 100644 images/page-navbar-re-n.jpg
 delete mode 100644 images/page-navbar-re-s.jpg
 delete mode 100644 images/page-navbar-se-n.jpg
 delete mode 100644 images/page-navbar-se-s.jpg
 delete mode 100644 images/page-navbar-so-n.jpg
 delete mode 100644 images/page-navbar-so-s.jpg
 delete mode 100644 images/page-navbar-su-n.jpg
 delete mode 100644 images/page-navbar-su-s.jpg
 delete mode 100644 images/page-navbar-ti-n.jpg
 delete mode 100644 images/page-navbar-ti-s.jpg
 delete mode 100644 images/page-navbar-top.jpg
 rename {images => img}/DHS-logo-med.jpg (100%)
 rename {images => img}/acano-logo.jpg (100%)
 rename {images => img}/akamai-logo-med.png (100%)
 rename {images => img}/cerberus-logo-med.jpg (100%)
 rename {images => img}/cii-logo-med.png (100%)
 rename {images => img}/citrix-logo-med.jpg (100%)
 rename {images => img}/globalsign-logo-med.jpg (100%)
 rename {images => img}/huawei-logo-med.jpg (100%)
 rename {images => img}/innominate-logo-med.jpg (100%)
 rename {images => img}/lf-logo-med.png (100%)
 rename {images => img}/milton-logo-med.jpg (100%)
 rename {images => img}/nokia-logo-med.jpg (100%)
 rename {images => img}/opengear-logo-med.jpg (100%)
 rename {images => img}/oracle-logo-med.jpg (100%)
 rename {images => img}/pkware-logo-med.jpg (100%)
 rename {images => img}/psw-logo-med.jpg (100%)
 rename {images => img}/psw-logo.gif (100%)
 rename {images => img}/qualsys-logo-med.jpg (100%)
 rename {images => img}/quintessence-logo-med.jpg (100%)
 rename {images => img}/smartisan-logo-med.png (100%)
 rename support/UnionPay.jpg => img/unionpay.jpg (100%)
 create mode 100644 img/up.gif
 create mode 100644 inc/README
 create mode 100644 inc/banner.inc
 create mode 100644 inc/footer.inc
 create mode 100644 inc/head.inc
 create mode 100644 inc/legalities.inc
 create mode 100644 inc/libs/jquery.min.js
 create mode 100644 inc/modernizr-2.0.js
 create mode 100644 inc/octopress.js
 create mode 100644 inc/screen.css
 create mode 100644 index.html
 delete mode 100644 index.wml
 delete mode 100644 news/.wmlrc
 delete mode 100644 news/.wmlsnb
 delete mode 100644 news/announce-098.txt
 delete mode 100644 news/announce-100.txt
 delete mode 100644 news/announce-beta.txt
 delete mode 100644 news/announce.txt
 create mode 100644 news/changelog.html
 delete mode 100644 news/changelog.wml
 create mode 100644 news/index.html
 delete mode 100644 news/index.wml
 delete mode 100644 news/internet.wml
 delete mode 100644 news/news.wml
 create mode 100644 news/newslog.html
 delete mode 100644 news/notice_20120425.txt
 delete mode 100644 news/openssl-0.9.8-notes.wml
 delete mode 100644 news/openssl-1.0.0-notes.wml
 delete mode 100644 news/openssl-1.0.1-notes.wml
 delete mode 100644 news/openssl-1.0.2-notes.wml
 delete mode 100644 news/openssl-notes.wml
 delete mode 100644 news/openssl-old-notes.wml
 delete mode 100644 news/patch-CAN-2005-2969.txt
 delete mode 100644 news/patch-CVE-2006-4339.txt
 delete mode 100644 news/patch-CVE-2007-3108.txt
 delete mode 100644 news/patch-CVE-2007-5502-1.txt
 delete mode 100644 news/patch-CVE-2007-5502-2.txt
 delete mode 100644 news/patch_20020730_0_9_6d.txt
 delete mode 100644 news/patch_20020730_0_9_7.txt
 create mode 100644 news/pgpkey.html
 rename news/{secadv_20020730.txt => secadv/20020730.txt} (100%)
 rename news/{secadv_20030219.txt => secadv/20030219.txt} (100%)
 rename news/{secadv_20030317.txt => secadv/20030317.txt} (100%)
 rename news/{secadv_20030319.txt => secadv/20030319.txt} (100%)
 rename news/{secadv_20030930.txt => secadv/20030930.txt} (100%)
 rename news/{secadv_20031104.txt => secadv/20031104.txt} (100%)
 rename news/{secadv_20040317.txt => secadv/20040317.txt} (100%)
 rename news/{secadv_20051011.txt => secadv/20051011.txt} (100%)
 rename news/{secadv_20060905.txt => secadv/20060905.txt} (100%)
 rename news/{secadv_20060928.txt => secadv/20060928.txt} (100%)
 rename news/{secadv_20071012.txt => secadv/20071012.txt} (100%)
 rename news/{secadv_20071129.txt => secadv/20071129.txt} (100%)
 rename news/{secadv_20080528.txt => secadv/20080528.txt} (100%)
 rename news/{secadv_20090107.txt => secadv/20090107.txt} (100%)
 rename news/{secadv_20090325.txt => secadv/20090325.txt} (100%)
 rename news/{secadv_20091111.txt => secadv/20091111.txt} (100%)
 rename news/{secadv_20100324.txt => secadv/20100324.txt} (100%)
 rename news/{secadv_20100601.txt => secadv/20100601.txt} (100%)
 rename news/{secadv_20101116-2.txt => secadv/20101116-2.txt} (100%)
 rename news/{secadv_20101116.txt => secadv/20101116.txt} (100%)
 rename news/{secadv_20101202.txt => secadv/20101202.txt} (100%)
 rename news/{secadv_20110208.txt => secadv/20110208.txt} (100%)
 rename news/{secadv_20110906.txt => secadv/20110906.txt} (100%)
 rename news/{secadv_20120104.txt => secadv/20120104.txt} (100%)
 rename news/{secadv_20120118.txt => secadv/20120118.txt} (100%)
 rename news/{secadv_20120312.txt => secadv/20120312.txt} (100%)
 rename news/{secadv_20120419.txt => secadv/20120419.txt} (100%)
 rename news/{secadv_20120424.txt => secadv/20120424.txt} (100%)
 rename news/{secadv_20120510.txt => secadv/20120510.txt} (100%)
 rename news/{secadv_20130204.txt => secadv/20130204.txt} (100%)
 rename news/{secadv_20130205.txt => secadv/20130205.txt} (100%)
 rename news/{secadv_20140407.txt => secadv/20140407.txt} (100%)
 rename news/{secadv_20140605.txt => secadv/20140605.txt} (100%)
 rename news/{secadv_20140806.txt => secadv/20140806.txt} (100%)
 rename news/{secadv_20141015.txt => secadv/20141015.txt} (100%)
 rename news/{secadv_20150108.txt => secadv/20150108.txt} (100%)
 rename news/{secadv_20150319.txt => secadv/20150319.txt} (100%)
 rename news/{secadv_20150611.txt => secadv/20150611.txt} (100%)
 rename news/{secadv_20150709.txt => secadv/20150709.txt} (100%)
 rename news/{secadv_hack.txt => secadv/hack.txt} (100%)
 rename news/{secadv_prng.txt => secadv/prng.txt} (100%)
 create mode 100644 news/sidebar.inc
 delete mode 100644 news/state.wml
 delete mode 100644 news/vulnerabilities.xsl
 delete mode 100644 news/vulnerabilitiesdates.xsl
 delete mode 100644 openssl.wml
 rename {about => policies}/buglist.txt (100%)
 create mode 100644 policies/cla.html
 create mode 100644 policies/codingstyle.html
 rename {about => policies}/codingstyle.txt (100%)
 create mode 100644 policies/index.html
 copy {licenses => policies}/openssl_ccla.pdf (100%)
 copy {licenses => policies}/openssl_icla.pdf (100%)
 create mode 100644 policies/releasestrat.html
 create mode 100644 policies/roadmap.html
 create mode 100644 policies/secpolicy.html
 create mode 100644 policies/sidebar.inc
 rename {about => policies}/ticket-activity.png (100%)
 delete mode 100644 run-changelog.pl
 delete mode 100755 run-fundingfaq.pl
 create mode 100644 sidebar.inc
 delete mode 100644 source/.gitignore
 delete mode 100644 source/.wmlrc
 delete mode 100644 source/.wmlsnb
 create mode 100644 source/gitrepo.html
 delete mode 100644 source/index.current
 create mode 100644 source/index.html
 delete mode 100644 source/index.wml
 create mode 100644 source/license.html
 delete mode 100644 source/license.wml
 create mode 100644 source/mirror.html
 delete mode 100644 source/mirror.wml
 create mode 100644 source/old/0.9.x/index.html
 delete mode 100644 source/old/0.9.x/index.wml
 create mode 100644 source/old/1.0.0/index.html
 delete mode 100644 source/old/1.0.0/index.wml
 create mode 100644 source/old/1.0.1/index.html
 delete mode 100644 source/old/1.0.1/index.wml
 create mode 100644 source/old/1.0.2/index.html
 delete mode 100644 source/old/1.0.2/index.wml
 create mode 100644 source/old/fips/index.html
 delete mode 100644 source/old/fips/index.wml
 create mode 100644 source/old/index.html
 delete mode 100644 source/old/index.wml
 delete mode 100644 source/repos.wml
 create mode 100644 source/sidebar.inc
 delete mode 100644 support/.wmlrc
 delete mode 100644 support/.wmlsnb
 delete mode 100644 support/acknowledgments.wml
 create mode 100644 support/acks.html
 delete mode 100644 support/community.wml
 delete mode 100644 support/consulting.wml
 create mode 100644 support/contracts.html
 rename support/{donations-cn.wml => donations-cn.html} (98%)
 create mode 100644 support/donations.html
 delete mode 100644 support/donations.wml
 delete mode 100644 support/faq.wml
 delete mode 100644 support/funding/contract.wml
 delete mode 100644 support/funding/support-basic.wml
 delete mode 100644 support/funding/support-contact.wml
 delete mode 100644 support/funding/support-definitions.wml
 delete mode 100644 support/funding/support-faq.txt
 delete mode 100644 support/funding/support-faq.wml
 delete mode 100644 support/funding/support-incident.wml
 delete mode 100644 support/funding/support-premium.wml
 delete mode 100644 support/funding/support-vendor.wml
 delete mode 100644 support/funding/wishlist.wml
 create mode 100644 support/index.html
 delete mode 100644 support/index.wml
 delete mode 100644 support/majordomo.wml
 delete mode 100644 support/other.wml
 delete mode 100644 support/rt.wml
 create mode 100644 support/sidebar.inc
 create mode 100644 template-file.html

diff --git a/.gitignore b/.gitignore
index f6bef20..4e9329d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,20 @@
-*.html
-*.pdf
-*.gz*
-pod2htmd.tmp
-pod2htmi.tmp
-blog
+*.swp
+sitemap.txt
+docs/faq.inc
+docs/faq.txt
+docs/fips.inc
 news/changelog.inc
-news/vulnerabilities.wml
-source/license.inc
-support/faq.inc
-support/funding/support-faq.inc
-.ssh
-.cache
+news/changelog.txt
+news/newsflash.inc
+news/vulnerabilities.html
+news/vulnerabilities.inc
+newsflash.inc
+source/index.inc
+source/license.txt
+docs/HOWTO/*.txt
+source/*.gz
+source/*.gz.asc
+source/*.gz.md5
+source/*.gz.sha1
+source/*.tar.gz.sig
+source/*.patch
diff --git a/.htaccess b/.htaccess
index 92b86ae..ac417dd 100644
--- a/.htaccess
+++ b/.htaccess
@@ -4,9 +4,6 @@ RewriteEngine on
 
 Options +ExecCGI +FollowSymLinks
 
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule related/(.*) /about/$1
-
 <Files *.md5>
 ForceType application/binary
 </Files>
diff --git a/.wmkrc b/.wmkrc
deleted file mode 100644
index b320886..0000000
--- a/.wmkrc
+++ /dev/null
@@ -1 +0,0 @@
--F openssl.wml
diff --git a/.wmlrc b/.wmlrc
deleted file mode 100644
index 31104f3..0000000
--- a/.wmlrc
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-##  .wmlrc -- Global WML RC file for www.openssl.org
-##
-
--DROOT~.
--DBASE_URL=http://www.openssl.org
--DBASE_DIR~.
--DIMG~images
--DIMGDOT_BASE~images/misc-space
--I.
-
diff --git a/.wmlsnb b/.wmlsnb
deleted file mode 100644
index b9a20bb..0000000
--- a/.wmlsnb
+++ /dev/null
@@ -1,13 +0,0 @@
-##
-##  .wmlsnb -- Sub Navigation Bar Specification for WML
-##
-
-<snb>
-##  <snb_button id=general  txt="Support OpenSSL"  url="">
-  <snb_button id=tarballs txt="Download" url="source/">
-  <snb_button id=tarballs txt="Blog" url="blog/">
-  <snb_button id=sponsors  txt="Our Sponsors"  url="support/acknowledgments.html">
-  <snb_button id=donations txt="Sponsor OpenSSL" url="support/donations.html">
-  <snb_button id=security txt="Security" url="news/vulnerabilities.html">
-</snb>
-
diff --git a/Makefile b/Makefile
index ddb9619..1e0ddaa 100644
--- a/Makefile
+++ b/Makefile
@@ -1,45 +1,92 @@
 ##
-##  Makefile -- Top-level build procedure for www.openssl.org
-##
+## Build procedure for www.openssl.org
+
+##  Snapshot directory
+SNAP = /var/cache/openssl/checkouts/openssl
+RELEASEDIR = /var/www/openssl/source
 
-# Used to have a hack with a lockfile.
-# Not needed since this is fast now.
+# All simple generated files.
+SIMPLE = newsflash.inc sitemap.txt \
+	 docs/faq.txt docs/faq.inc docs/fips.inc \
+	 news/changelog.inc news/changelog.txt \
+	 news/newsflash.inc \
+	 news/vulnerabilities.inc \
+	 source/license.txt \
+	 source/index.inc
+SRCLISTS = source/old/index.inc \
+	   source/old/0.9.x/index.inc \
+	   source/old/1.0.0/index.inc \
+	   source/old/1.0.1/index.inc \
+	   source/old/1.0.2/index.inc \
+	   source/old/fips/index.inc \
 
-SNAP=/var/cache/openssl/checkouts/openssl
-PODSHOME=$(SNAP)/doc
+all: $(SIMPLE) $(SRCLISTS)
 
-FORCE=#-f
-QUIET=--quiet
+# Legacy targets
+simple: all
+generated: all
+manpages: all
+rebuild: all
+relupd: all
 
-DIRS= about docs news source support
+# To be fixed.
+hack-source_htaccess:
+	exit 1;
 
-all: generated simple manpages
+clean:
+	rm -f $(SIMPLE)
 
-generated:
-	cp -f $(SNAP)/LICENSE source/license.inc
-	cp -f $(PODSHOME)/HOWTO/*.txt docs/HOWTO/.
-	perl run-changelog.pl <$(SNAP)/CHANGES >news/changelog.inc
-	perl run-faq.pl <$(SNAP)/FAQ >support/faq.inc
-	perl run-fundingfaq.pl < support/funding/support-faq.txt >support/funding/support-faq.inc
-	( cd news && xsltproc vulnerabilities.xsl vulnerabilities.xml > vulnerabilities.wml )
+newsflash.inc: news/newsflash.inc
+	@rm -f $@
+	head -6 $? >$@
+sitemap.txt:
+	@rm -f $@
+	./bin/mk-sitemap >$@
 
-simple: rebuild hack-source_htaccess
-rebuild:
-	wmk $(FORCE) -I $(SNAP) -a $(DIRS) index.wml
-hack-source_htaccess:
-	( cd source && wml -o .htaccess .htaccess.wml )
-
-manpages:
-	sh ./run-pod2html.sh $(PODSHOME)
-
-# Update release notes (and other items, but relnotes is the use-case)
-relupd:
-	if [ "`id -un`" != openssl; then \
-		echo "**** you must do 'sudo -u openssl -H bash'"; \
-		exit 1; \
-	fi
-	cd $(SNAP)/.. ; for dir in openssl* ; do \
-		echo Updating $$dir ; ( cd $$dir ; git pull $(QUIET) ) ; \
-	done
-	git pull $(QUIET)
-	$(MAKE) generated simple
+news/changelog.inc: news/changelog.txt bin/mk-changelog
+	@rm -f $@
+	./bin/mk-changelog <news/changelog.txt >$@
+news/changelog.txt: $(SNAP)/CHANGES
+	@rm -f $@
+	cp $? $@
+news/newsflash.inc: news/newsflash.txt
+	sed <$? >$@ \
+	    -e 's@^@<tr><td class="d">@' \
+	    -e 's@: @</td><td class="t">@' \
+	    -e 's@$$@</td></tr>@'
+news/vulnerabilities.inc: bin/vulnerabilities.xsl news/vulnerabilities.xml
+	@rm -f $@
+	xsltproc bin/vulnerabilities.xsl news/vulnerabilities.xml >$@
+
+docs/faq.txt: $(SNAP)/FAQ
+	@rm -f $@
+	cp $? $@
+docs/faq.inc: docs/faq.txt
+	@rm -f $@
+	./bin/mk-faq <$? >$@
+docs/fips.inc:
+	@rm -f $@
+	./bin/mk-filelist docs/fips fips/ '*' >$@
+
+source/license.txt: $(SNAP)/LICENSE
+	@rm -f $@
+	cp $? $@
+source/index.inc:
+	@rm -f $@
+	./bin/mk-filelist $(RELEASEDIR) '' 'openssl-*.tar.gz' >$@
+
+source/old/0.9.x/index.inc:
+	@rm -f $@
+	./bin/mk-filelist source/old/0.9.8 '' '*.gz' >$@
+source/old/1.0.0/index.inc:
+	@rm -f $@
+	./bin/mk-filelist source/old/1.0.0 '' '*.gz' >$@
+source/old/1.0.1/index.inc:
+	@rm -f $@
+	./bin/mk-filelist source/old/1.0.1 '' '*.gz' >$@
+source/old/1.0.2/index.inc:
+	@rm -f $@
+	./bin/mk-filelist source/old/1.0.2 '' '*.gz' >$@
+source/old/fips/index.inc:
+	@rm -f $@
+	./bin/mk-filelist source/old/fips '' '*.gz' >$@
diff --git a/README b/README
deleted file mode 100644
index 61f945f..0000000
--- a/README
+++ /dev/null
@@ -1,12 +0,0 @@
-
-This is the source for www.openssl.org
-
-The images were generated with Photoshop.  The text is written using
-Website META Language (WML) for markup.  WML can (hopefully) be
-found at http://thewml.org; the last release was in 2006.
-
-The Makefile rebuilds the website.  It needs a copy of a checked-out
-tree, pointed to by the SNAP variable.
-
-Not included in the repository are the .tar.gz files for download.
-They are kept in the FTP area and within the URI tree.
diff --git a/about/.wmlrc b/about/.wmlrc
deleted file mode 100644
index ab44064..0000000
--- a/about/.wmlrc
+++ /dev/null
@@ -1,10 +0,0 @@
-##
-##  .wmlrc -- Local RC file for WML
-##
-
-#   define where the URL root of the Sub Navigation Bar (SNB) 
-#   is located [SNB_ROOT] and where it's buttons are defined [SNB_RC]
--DSNB_ROOT~.
--DSNB_RC=.wmlsnb
--I.
-
diff --git a/about/.wmlsnb b/about/.wmlsnb
deleted file mode 100644
index 03ecfd4..0000000
--- a/about/.wmlsnb
+++ /dev/null
@@ -1,16 +0,0 @@
-##
-##  .wmlsnb -- Sub Navigation Bar Specification for WML
-##
-
-<snb>
-  <snb_button id=general  txt="General"         url="/about">
-  <snb_button id=binaries txt="Binaries"        url="binaries.html">
-  <snb_button id=rt       txt="Bugs"            url="/support/rt.html">
-  <snb_button id=roadmap  txt="Roadmap"         url="roadmap.html">
-  <snb_button id=secpol   txt="Security Policy" url="secpolicy.html">
-  <snb_button id=releasestrat txt="Release Strategy" url="releasestrat.html">
-  <snb_button id=codingstyle  txt="Coding Style"     url="codingstyle.txt">
-  <snb_button id=contacts txt="Contacts"        url="contacts.html">
-  <snb_button id=credits  txt="Credits"         url="credits.html">
-</snb>
-
diff --git a/about/binaries.wml b/about/binaries.wml
deleted file mode 100644
index 21b745f..0000000
--- a/about/binaries.wml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-#use wml::openssl area=about page=binaries
-
-<title>OpenSSL Binary Distributions</title>
-
-<h1>Binary Distributions</h1>
-
-<p>Some people have offered to provide OpenSSL binary distributions for
-selected operating systems.  The condition to get a link here is that the
-link is stable and can provide continued support for OpenSSL for a while.</p>
-
-<p>Note: many Linux distributions come with pre-compiled OpenSSL packages.
-Those are already well-known among the users of said distributions, and
-will therefore <i>not</i> be mentioned here.  If you are such a user,
-we ask you to get in touch with your distributor first.  This service is
-primarly for operating systems where there are no pre-compiled OpenSSL
-packages.</p>
-
-<ul>
-    <item name="OpenSSL for Windows"
-          info="Works with MSVC++, Builder 3/4/5, and MinGW.  Comes in form of self-install executables."
-          url="http://www.slproweb.com/products/Win32OpenSSL.html">
-</ul>
-
-<ul>
-    <item name="OpenSSL for Windows"
-          info="Pre-compiled Win32/64 libraries without external dependencies to the Microsoft Visual Studio
-Runtime DLLs, except for the system provided msvcrt.dll"
-          url="http://indy.fulgan.com/SSL/">
-</ul>
-
-<ul>
-    <item name="OpenSSL for Solaris"
-          info="Versions for Solaris 2.5 - 11 SPARC and X86"
-          url=" http://www.unixpackages.com/">
-</ul>
diff --git a/about/contacts.wml b/about/contacts.wml
deleted file mode 100644
index 658aa8d..0000000
--- a/about/contacts.wml
+++ /dev/null
@@ -1,102 +0,0 @@
-
-#use wml::openssl area=about page=contacts 
-
-<title>About, Contacts</title>
-
-<h1>About the OpenSSL Project</h1>
-
-<h2>Physical Addresses</h2>
-
-<p>Apart from mail addresses and names, some organizations require a physical
-address as contact for open source projects.  Physical addresses can be
-useful in other cases as well.  Therefore, some people have stepped forward
-and volunteered as "official" contacts for OpenSSL.  If you want to get in
-touch with any of these people, please consider using email first, since
-that will also reach other team members in case your contact is temporarly
-not available.</p>
-
-<p>Please remember to be kind to the contacts.  Their time is their own
-to dispose of.  You may <i>request</i> support, but it's the contact's
-responsability and freedom alone to decide if he wants to give any support
-or not, regardless of who makes the request.</p>
-
-<p>The <i>OpenSSL Software Foundation</i> represents the OpenSSL project in most capacities including contributor license
-agreements, managing donations, etc.</p>
-</p>
-
-<table>
-<tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
-<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-<tr><td>
-OpenSSL Software Foundation<br>
-20-22 Wenlock Road<br>
-London<br>
-N1 7GU<br>
-United Kingdom<br>
-+44 1785508015  (UK)<br>
-+1 877-OPENSSL(6775) (US toll free)<br>
-+1 301-956-2281 (US)<br>
-<i>E-mail:</i> <a href="mailto:info at opensslfoundation.org">info at opensslfoundation.org</a>
-</td><td valign=top>
-Worldwide
-</td></tr>
-</table>
-
-<p><i>OpenSSL Software Services</i> represents the OpenSSL project for selected commercial or quasi-commercial contexts, such
-as providing formal support contracts and brokering consulting contracts for OpenSSL team members</p>
-</p>
-
-<table>
-<tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
-<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-<tr><td>
-OpenSSL Software Services Inc.<br>
-40 E Main St, Suite 744<br>
-Newark DE 19711<br>
-USA<br>
-+1 240-215-3103<br>
-<i>E-mail:</i> <a href="mailto:info at opensslservices.com">info at opensslservices.com</a>
-</td><td valign=top>
-Worldwide
-</td></tr>
-</table>
-
-<p>
-Commercial activities specific to FIPS 140-2 validations and the OpenSSL FIPS Object Module are handled by <i>OpenSSL Validation Services</i>:
-</p>
-
-<table>
-<tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
-<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-<tr><td>
-OpenSSL Validation Services Inc.<br>
-1829 Mount Ephraim Road<br>
-Adamstown, MD  21710<br>
-USA<br>
-+1 301-874-2571<br>
-<i>E-mail:</i> <a href="mailto:info at openssl.com">info at openssl.com</a>
-</td><td valign=top>
-Worldwide
-</td></tr>
-</table>
-
-<p>
-<p>
-Some OpenSSL team members are available for selected consulting engagements:
-<p>
-
-<table>
-<tr><td><b id=sf>Address</b></td><td><b id=sf>Area covered</b></td></tr>
-<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-<tr><td>
-OpenSSL SE<br>
-c/o Richard Levitte<br>
-Nordingr?gatan 20<br>
-S-162 53 V?llingby<br>
-Sweden<br>
-<i>E-mail:</i> <a href="mailto:openssl-contact.SE at openssl.org">openssl-contact.SE at openssl.org</a>
-</td><td valign=top>
-Sweden only
-</td></tr>
-</table>
-
diff --git a/about/credits.wml b/about/credits.wml
deleted file mode 100644
index 27db0b1..0000000
--- a/about/credits.wml
+++ /dev/null
@@ -1,53 +0,0 @@
-
-#use wml::openssl area=about page=credits
-
-<title>About, Credits</title>
-
-<h1>Credits</h1>
-
-This page gives credit to the various individuals and
-companies who contributed to the OpenSSL project.
-
-<ul>
-
-<li>
-Our current hosting is provided courtesy of
-<a href="https://www.space.net">SpaceNet AG</a>.
-<p>
-
-<li>
-Thanks to <a href="https://www.globalsign.com">GMO GlobalSign</a> for
-providing free TLS certificates.
-<p>
-
-<li>Thanks to <a href="https://rsync.net">rsync.net</a> for providing free
-backup storage.
-<p>
-
-<li>
-Thanks to Eric Young and Tim Hudson for the SSLeay
-package on which OpenSSL is based.
-<p>
-
-<li>
-Thanks to C2Net for contributing back to the Open Source community the
-SSLeay version 0.9.1b, which was the last internal SSLeay version Eric 
-and Tim created while working for C2Net.
-<p>
-
-<li>
-Thanks to the Development Team of Internet Services at <a
-href="http://www.cw.com/">Cable &amp; Wireless</a> Munich, Germany, for
-providing the hardware and network resources for some time after 2002.
-<p>
-
-<li>
-Thanks to the IT Support Group of the Department of
-Information Technology and Electrical Engineering at the <a
-href="http://www.ethz.ch/">Swiss Federal Institute of Technology
-Zurich</a> (ETHZ) for providing the hardware and network resources
-from 1998 to 2002.
-<p>
-
-</ul>
-
diff --git a/about/index.wml b/about/index.wml
deleted file mode 100644
index cf363e5..0000000
--- a/about/index.wml
+++ /dev/null
@@ -1,106 +0,0 @@
-
-#use wml::openssl area=about page=general 
-
-<title>About, General</title>
-
-<h1>About the OpenSSL Project</h1>
-
-<h2>The goal of the project</h2>
-
-The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and <a
-href="http://www.opensource.org/">Open Source</a> toolkit implementing the
-Secure Sockets Layer (SSL v2/v3) and
-Transport Layer Security (TLS
-v1.0/v1.1/v1.2) protocols as well as a full-strength general purpose cryptography library
-managed by a worldwide community of volunteers that use the Internet to
-communicate, plan, and develop the OpenSSL toolkit and its related
-documentation.
-
-<h2>Derivation and License</h2>
-
-OpenSSL is based on the SSLeay library 
-developed by Eric Young and 
-<a href="mailto:tjh at cryptsoft.com">Tim Hudson</a>. The OpenSSL toolkit
-is licensed under an <a href="../source/license.html">Apache-style licence</a> which basically means that you are free
-to get and use it for commercial and non-commercial purposes.
-
-<h2>The OpenSSL Core and Development Team</h2>
-
-The OpenSSL project is volunteer-driven. We do not have any specific
-requirement for volunteers other than a strong willingness to really
-contribute while following the projects goal. The OpenSSL project is formed
-by a development team, which consists of the current active developers
-and other major contributors. Additionally a subset of the developers form the 
-OpenSSL core team which globally manages the OpenSSL project. Anyone wanting
-to join the development effort should subscribe to the developers mailing list
-openssl-dev at openssl.org, where all development efforts are coordinated.
-
-<p>
-The current OpenSSL core team consists of (in alphabetical order):
-<p>
-<blockquote><table>
-<tr><td><b id="sf">Individual</b></td>   <td><b id="sf">Email</b></td> <td><b id="sf">Location</b></td>  <td><b id="sf">Key ID / Fingerprint</b></td></tr>
-<tr><td><hr noshade size="1"></td><td><hr noshade size="1"></td><td><hr noshade size="1"></td> <td><hr noshade size="1"></td> </tr>
-<tr><td>Mark J. Cox</td>         <td><a href="mailto:mark at openssl.org">mark at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x36CEE4DEB00CFE33">B00CFE33</a>, <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xEEAD4CFD49A563D9">49A563D9 (old key)</a></td></tr>
-<tr><td>Dr. Stephen Henson</td>  <td><a href="mailto:steve at openssl.org">steve at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x62605AA4334AF9F0DDE5D349D3577507FA40E9E2">FA40E9E2</a>, <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759">F295C759 (old key)</a></td></tr>
-<tr><td>Ben Laurie</td>          <td><a href="mailto:ben at openssl.org">ben at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x765655DE62E396FF2587EB6C4F6DE1562118CF83">2118CF83<tr><td>Andy Polyakov</td>       <td><a href="mailto:appro at openssl.org">appro at openssl.org</a></td> <td>SE</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xB652F27F2B8D1B8DA78D7061BA6CDA461FE8E023">1FE8E023</a></td> </tr>
-</a></td> </tr>
-</table></blockquote>
-
-<p>
-The current OpenSSL development team consists of (in alphabetical order):
-<p>
-<blockquote><table summary="">
-<tr><td><b id="sf">Individual</b></td>   <td><b id="sf">Email</b></td> <td><b id="sf">Location&nbsp;</b></td> <td><b id="sf">Key ID</b></td> </tr>
-<tr><td><hr noshade size="1"></td><td><hr noshade size="1"></td><td><hr noshade size="1"></td><td><hr noshade size="1"></td> </tr>
-<tr><td>Matt Caswell</td>         <td><a href="mailto:matt at openssl.org">matt at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x8657ABB260F056B1E5190839D9C4D26D0E604491">0E604491</a></td></tr>
-<tr><td>Mark J. Cox</td>         <td><a href="mailto:mark at openssl.org">mark at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x36CEE4DEB00CFE33">B00CFE33</a>, <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xEEAD4CFD49A563D9">49A563D9 (old key)</a></td></tr>
-<tr><td>Viktor Dukhovni</td>  <td><a href="mailto:viktor at openssl.org">viktor at openssl.org</a></td> <td>US</td> <td></a></a></td></tr>
-<tr><td>Dr. Stephen Henson</td>  <td><a href="mailto:steve at openssl.org">steve at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x62605AA4334AF9F0DDE5D349D3577507FA40E9E2">FA40E9E2</a>, <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759">F295C759 (old key)</a></td></tr>
-<tr><td>Tim Hudson</td>  <td><a href="mailto:tjh at openssl.org">tjh at openssl.org</a></td> <td>AU</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD">41FBF7DD</a></td></tr>
-<tr><td>Lutz J&auml;nicke</td>       <td><a href="mailto:jaenicke at openssl.org">jaenicke at openssl.org</a></td> <td>DE</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x0A77335AADE74E6BB36CAD8ADFAB592ABDD52F1C">BDD52F1C</a>, <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x78993B149C58A66D">9C58A66D (old key)</a></td> </tr>
-<tr><td>Emilia K&auml;sper</td>       <td><a href="mailto:emilia at openssl.org">emilia at openssl.org</a></td> <td>CH</td> <td></td> </tr>
-<tr><td>Ben Laurie</td>          <td><a href="mailto:ben at openssl.org">ben at openssl.org</a></td> <td>UK</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x765655DE62E396FF2587EB6C4F6DE1562118CF83">2118CF83</a></td> </tr>
-<tr><td>Steve Marquess</td>          <td><a href="mailto:marquess at openssl.org">marquess at openssl.org</a></td> <td>US</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xFEAB1FB2653717429B0B894F431711F76D1892F5">6D1892F5</a>(old key: <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x1F3B2A1B7F63F8C4CAAECC4224100B01CE69424E">CE69424E</a>)</td> </tr>
-<tr><td>Richard Levitte</td>     <td><a href="mailto:levitte at openssl.org">levitte at openssl.org</a></td> <td>SE</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C">7DF9EE8C</a> (old key: <a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xA7AF9E78F709453B">F709453B</a>)</td> </tr>
-<tr><td>Bodo M&ouml;ller</td>        <td><a href="mailto:bodo at openssl.org">bodo at openssl.org</a></td> <td>CH</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xAA589DAC5A6A9B85">5A6A9B85</a></td> </tr>
-<tr><td>Andy Polyakov</td>       <td><a href="mailto:appro at openssl.org">appro at openssl.org</a></td> <td>SE</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xB652F27F2B8D1B8DA78D7061BA6CDA461FE8E023">1FE8E023</a></td> </tr>
-<tr><td>Kurt Roeckx</td>       <td><a href="mailto:kurt at openssl.org">kurt at openssl.org</a></td> <td>BE</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xE5E52560DD91C556DDBDA5D02064C53641C25E5D">41C25E5D</a></td> </tr>
-<tr><td>Rich Salz</td>
-<td><a href="mailto:rsalz at openssl.org">rsalz at openssl.org</a></td>
-<td>US</td>
-<td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xD099684DC7C21E02E14A8AFEF23479455C51B27C">5C51B27C<br>D099 684D C7C2 1E02 E14A 8AFE F234 7945 5C51 B27C</a></td>
-</tr>
-<tr><td>Geoff Thorpe</td>        <td><a href="mailto:geoff at openssl.org">geoff at openssl.org</a></td> <td>QC</td> <td><a href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x1B3DF808C221D2A5ED74172F0833F510E18C1C32">E18C1C32</td> </tr>
-</table></blockquote>
-
-<p>
-Currently inactive OpenSSL members (in alphabetical order):
-<p>
-<blockquote><table summary="">
-<tr><td><b id="sf">Individual</b></td>   <td><b id="sf">Email</b></td> <td><b id="sf">Location&nbsp;</b></td> <td><b id="sf">Key ID</b></td> </tr>
-<tr><td><hr noshade size="1"></td><td><hr noshade size="1"></td><td><hr noshade size="1"></td><hr noshade size="1"></td> </tr>
-<tr><td>Ralf S. Engelschall</td> <td><a href="mailto:rse at openssl.org">rse at openssl.org</a></td> <td>DE</td> <td></td> </tr>
-<tr><td>Nils Larsch</td>         <td><a href="mailto:nils at openssl.org">nils at openssl.org</a></td> <td>DE</td> <td></td> </tr>
-</table></blockquote>
-
-
-<p>
-OpenSSL Emeritae - old members now off doing other things (in alphabetical order):
-<p>
-<blockquote><table>
-<tr><td><b id=sf>Individual</b></td>   <td><b id=sf>Email</b></td> <td><b id=sf>Location</b></td> </tr>
-<tr><td><hr noshade size=1></td><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-<tr><td>Holger Reif</td>         <td ><a href="mailto:holger at openssl.org">holger at openssl.org</a></td> <td>DE</td> </tr>
-<tr><td>Paul C. Sutton</td>      <td ><a href="mailto:paul at openssl.org">paul at openssl.org</a></td> <td>UK</td> </tr>
-</table></blockquote>
-
-<p>
-In Memoriam - members sadly no longer with us:
-<p>
-<blockquote><table summary="">
-<tr><td><b id="sf">Individual</b></td>  <td><b id="sf">Location</b></td> </tr>
-<tr><td><hr noshade size="1"></td><td><hr noshade size="1"></td></tr>
-<tr><td>Ulf M&ouml;ller</td>  <td>DE</td> </tr>
-</table>
diff --git a/about/openssl-contact.wml b/about/openssl-contact.wml
deleted file mode 100644
index 8b9c590..0000000
--- a/about/openssl-contact.wml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>OpenSSL Software Foundation Contact Info</title>
-
-<h1>OpenSSL Software Foundation Queries</h1>
-
-Direct queries concerning any non-commercial activites or issues to:<br>
-<br>
-OpenSSL Software Foundation<br>
-20-22 Wenlock Road<br>
-London<br>
-N1 7GU<br>
-United Kingdom<br>
-+44 1785508015  (UK)<br>
-+1 877-OPENSSL(6775) (US toll free)<br>
-+1 301-956-2281 (US)<br>
-<a href="mailto:info at opensslfoundation.org">info at opensslfoundation.org</a>
-<p>
-You will probably wind up talking to Steve Marquess who currently handles OpenSSL commercial contracting,  he is
-reachable directly at <a href="mailto:marquess at opensslfoundation.org">marquess at opensslfoundation.org</a> or
-the telephone numbers above. 
diff --git a/about/releasestrat.wml b/about/releasestrat.wml
deleted file mode 100644
index cc20ee1..0000000
--- a/about/releasestrat.wml
+++ /dev/null
@@ -1,67 +0,0 @@
-
-#use wml::openssl area=about page=releasestrat
-
-<title>About, Release Strategy</title>
-<h1><center>OpenSSL Release Strategy</center></h1>
-<h2><center>First issued 23rd December 2014</center></h2>
-<h2><center>Last modified 9th August 2015</center></h2>
-<p>
-<br>
-</p>
-<p>As of release 1.0.0 the OpenSSL versioning scheme was improved to
-better meet developers' and vendors' expectations. Letter releases, such as
-1.0.1a, exclusively contain bug and security fixes and no new features.
-Minor releases that change the last digit, e.g. 1.0.1 vs. 1.0.2, can and
-are likely to contain new features, but in a way that does not break
-binary compatibility. This means that an application compiled and
-dynamically linked with 1.0.0 does not need to be recompiled when the shared
-library is updated to 1.0.2. It should be noted that some features are
-transparent to the application such as the maximum negotiated TLS version and
-cipher suites, performance improvements and so on. There is no need to recompile
-applications to benefit from these features.</p>
-
-<p>Binary compatibility also allows other possibilities. For example, consider an
-application that wishes to utilize a new cipher provided in a specific 1.0.x
-release, but it is also desirable to maintain the application in a 1.0.0 context.
-Customarily this would be resolved at compile time resulting in two binary
-packages targeting different OpenSSL versions. However, depending on the feature,
-it might be possible to check for its availability at run-time, thus cutting
-down on the maintenance of multiple binary packages. Admittedly it takes a certain
-discipline and some extra coding, but we would like to encourage such
-practice. This is because we want to see later releases being adopted
-faster, because new features can improve security.</p>
-
-<p>With regards to current and future releases the OpenSSL project has adopted the
-following policy:</p>
-
-<ul>
-<li><p>Support for version 0.9.8 will cease on 2015-12-31. No further releases of 0.9.8
-will be made after that date. Security fixes only will be applied to 0.9.8 until
-then.</p></li>
-
-<li><p>Support for version 1.0.0 will cease on 2015-12-31. No further releases of 1.0.0
-will be made after that date. Security fixes only will be applied to 1.0.0 until
-then.</p></li>
-</ul>
-
-<p>We may designate a release as a Long Term Support (LTS) release. LTS releases
-will be supported for at least five years and we will specify one at least every
-four years. Non-LTS releases will be supported for at least two years.</p>
-
-<p>As implied by the above paragraphs, during the final year of support, we do not
-commit to anything other than security fixes. Before that, bug and security
-fixes will be applied as appropriate.</p>
-
-<ul>
-<li><p>Version 1.0.1 will be supported until 2016-12-31.</p></li>
-
-<li><p>Version 1.0.2 will be supported until 2019-12-31.</p></li>
-</ul>
-
-<p>At this time, we are not planning a 1.0.3 release.</p>
-
-<p>Version 1.1.0 will (moderately) break source compatibility (for example we will
-make most structures opaque etc). We expect a preview version to be available
-mid 2015, with an expected release by the end of 2015. Preview means that we are
-not planning or expecting major API changes between the preview release and the
-final release (but are not categorically precluding that possibility).</p>
diff --git a/about/roadmap.wml b/about/roadmap.wml
deleted file mode 100644
index 05f6587..0000000
--- a/about/roadmap.wml
+++ /dev/null
@@ -1,364 +0,0 @@
-
-#use wml::openssl area=about page=roadmap
-
-<title>About, Roadmap</title>
-<h1><center>OpenSSL Project Roadmap</center></h1>
-<h2><center>First issued 30th June 2014</center></h2>
-<h2><center>Last modified 14th October 2014</center></h2>
-<p>
-<br>
-</p>
-<p>
-This document is intended to outline the OpenSSL project roadmap. It
-is a living document and is expected to change over time. Objectives
-and dates should be considered aspirational.</p>
-<p>
-The OpenSSL project is increasingly perceived as slow-moving and
-insular. This roadmap will attempt to address this by setting out
-some objectives for improvement, along with defined timescales.</p>
-<h1>Current Issues</h1>
-<p>
-The OpenSSL project is currently experiencing a number of issues.
-These are:</p>
-<ol>
-	<li><p>
-	<b>RT Backlog<br></b><br>Over a period of some considerable time
-	open tickets have been building up in RT (our bug tracking system) to
-	the point that now there are a very significant number of them. A large
-	proportion of these issues have been open for years. Some of these have
-	in fact been dealt with and should be closed, but this has not been
-	recorded in the system. Most however have not been looked at.<br><br>
-	</p>
-	<li><p>
-	<b>Incomplete/incorrect documentation<br><br></b>Documentation of
-	OpenSSL is patchy at best. Some areas are well documented, while
-	many others suffer from incomplete or incorrect documentation. There
-	are also many areas which have no documentation at all.<br><br>
-	</p>
-	<li><p>
-	<b>Library complexity<br><br></b>The OpenSSL libraries and
-	applications are complex, both from a maintainer's perspective and
-	from a user's perspective. The public API contains many things which
-	should probably be internal. The code has been ported to a large
-	number of platforms, many of which are no longer relevant to us
-	today, and this complicates the codebase. Some parts of the code
-	have been in place for a very long time, and are in need of a
-	refresh. It is further complicated by the support for FIPS.<br><br>This
-	complexity causes maintenance problems, and can also be the source
-	of obscure and difficult to spot security vulnerabilities. It can
-	also make users' lives much more difficult especially when
-	combined with (2) above.<br><br>The current memory management code has
-	also been a source of problems and vulnerabilities.<br><br>
-	</p>
-	<li><p>
-	<b>Inconsistent coding style<br><br></b>There have been numerous
-	developers working on the codebase over many years. There are many
-	different styles used within the code, which is confusing and makes
-	maintenance more difficult than it should be. Even if strictly
-	consistent, the current code layout is unusual and idiosyncratic and
-	unlike any other open source software.<br><br>
-	</p>
-	<li><p>
-	<del>
-	<b>Lack of code review<br><br></b>We don't have a code review system
-	and we don't mandate code reviews.<br><br>
-	</del>
-	</p>
-	<li><p>
-	<b>No clear release plan<br><br></b>Historically OpenSSL has made new
-	feature releases on an infrequent basis and no forward plan of releases
-	has been published. It is difficult for users to plan for new releases,
-	and understand when new features might become available, or when support
-	will end for a release. In addition a large number of stable releases
-	are maintained by the OpenSSL development team - diverting effort away
-	from the most up to date versions.<br><br>
-	</p>
-	<li><p>
-	<b>No clear platform strategy</b><br><br>Historically OpenSSL has
-	supported a very wide range of platforms. Typically platform support has
-	been added through &quot;ifdef&quot; conditional compilation on a per
-	platform basis. This approach has led to a number of problems:</p>
-</ol>
-<ul>
-	<li><p>
-	The code has become very cluttered and is difficult to effectively
-	maintain</p>
-	<li><p>
-	There is support still in the code for a number of legacy platforms
-	which are unlikely to be widely deployed today - if the code even
-	still works on those platforms</p>
-	<li><p>
-	In practice the development team do not have access to many of the
-	platforms that the codebase supports and testing typically takes
-	place on a very limited set (usually Linux, FreeBSD and Windows)<br><br>
-	</p>
-</ul>
-<del>
-<ol start="8">
-	<li><p>
-	<b>No published security strategy</b><br><br>We do not have a well-known
-	and published approach for how we appropriately inform all interested
-	parties of security advisories.<br><br>
-	</p>
-</ol>
-</del>
-
-<h1>Objectives</h1>
-<p>
-Each of the issues identified above can be translated into high level
-objectives. Some of these objectives can be achieved more easily and
-quickly than others.</p>
-<p>
-<b>An important principle is that the priority and focus of effort
-will be on achieving these objectives over and above the delivery of
-new features.</b></p>
-<h2>RT Backlog</h2>
-<ol>
-	<li><p>
-	Manage all newly submitted RT tickets in a timely manner such as an
-	initial response within four working days. (Timescale: Now)</p>
-	<li><p>
-	Reduce over time the existing RT backlog (Timescale: Ongoing). This
-	may include the mass closure of very old tickets, such as those
-	raised before the release of any currently supported version</p>
-	<a name="8-sep-2014"><p>Update (8th September 2014):</a>
-	we have made a great deal of progress on the backlog.
-	A <a href="ticket-activity.png">graph of ticket activity</a>
-	is available, as is the <a href="buglist.txt">raw data</a>
-	for every bug showing when it was open, and resolved. We will
-	update these files periodically.</a>
-</ol>
-<h2>Incomplete/incorrect documentation</h2>
-<ol>
-	<li><p>
-	Provide complete documentation for all of the public API (excluding
-	deprecated APIs) (Timescale: Within one year)</p>
-	<ol type="a">
-		<li><p>
-		This may include introducing a new documentation system</p>
-		<li><p>
-		Some parts of the API have historically been public but were not
-		intended for public use, such as low level cipher and digest APIs.
-		These parts may not be documented, and if they are will be marked
-		as deprecated (Timescale: within nine months).</p>
-	</ol>
-</ol>
-<h2>Library complexity</h2>
-<ol>
-	<li><p>
-	Review and revise the public API with a view to reducing complexity
-	(Timescale: Within one year)</p>
-	<li><p>
-	Document a platform strategy: see below (Timescale: Within three
-	months)</p>
-	<li><p>
-	Review and refactor the FIPS code to make it far less intrusive
-	(Timescale: Within one year)</p>
-	<li><p>
-	Review and refactor the memory management code (Timescale: Within
-	six months)</p>
-</ol>
-<h2>Inconsistent coding style</h2>
-<ol>
-	<li><p>
-	Define a clear coding standard for the project. This will cover not
-	only code layout but also items such as how to handle platform
-	dependencies, unit testing and optional code. (Timescale: Within
-	three months)
-	</p>
-	<li><p>
-	Format the entire codebase according to the agreed standard.
-	(Timescale: Within three months of coding standard being defined)
-	</p>
-	<li><p>
-	Refactor code to follow other parts of the style guide. (Timescale:
-	Within one year)</p>
-</ol>
-<h2>Code review</h2>
-<ol>
-        <li><p>
-	<del>
-        Agree and implement a process such that all new commits should first
-        be reviewed by a team member conversant with the relevant code and
-        updated until the reviewer's issues are addressed. This is
-        contingent on recruiting sufficient team members that reviewers are
-        more-or-less always available. (Timescale: Within three months)</p>
-	</del>
-	<p>
-	Objective met (16th July 2014): All changes are first reviewed by 
-	another team member prior to being committed to the public openssl 
-	repository.
-	</p>
-	<li><p>
-	Agree on a code review system. (Timescale: Within six months)</p>
-</ol>
-<h2>Audit</h2>
-<ol>
-	<li><p>
-	Externally audit the current code base. (Timescale: Dependent on
-	external body)</p>
-	<p>
-	<p>Update (14th October 2014):
-	Auditors selected and funded; schedule being worked on.</p>
-</ol>
-<h2>Static/Dynamic Analysis</h2>
-<ol>
-	<li><p>
-	Regularly audit the code using appropriate analysis tools.
-	(Timescale: Within six months)
-	</p>
-</ol>
-<h2><a name="relstrat">Release Strategy</a></h2>
-<p>
-We intend to develop a release strategy which will set out our plans
-for how frequently we plan to release, and when. It will also cover
-how long releases will be supported for, and when their EOL (End Of
-Life) will be. (Timescale: Within three months)</p>
-<p>
-There are a number of objectives that we would be seeking to address
-within the release strategy. Some of these objectives compete with
-each other, and so from necessity there will have to be compromises.
-The objectives are:</p>
-<ol>
-	<li><p>
-	We need security fix releases with very low chance of breaking
-	anything. This is largely met by prohibiting new features in stable
-	branches (i.e. letter releases).</p>
-	<li><p>
-	If something is broken in a release a fixed version should be made
-	available shortly afterwards (i.e. more letter releases more often)</p>
-	<li><p>
-	We need a way to get new binary compatible features into OpenSSL
-	relatively quickly.</p>
-	<li><p>
-	We don't want to have to maintain too many branches. This is likely
-	to include a timescale for the EOL of version 0.9.8</p>
-	<li><p>
-	We need a way to refactor code and make necessary binary
-	incompatible changes, deprecating APIs etc.</p>
-</ol>
-<h2><a name="platstrat">Platform Strategy</a></h2>
-<p>
-Moving forward OpenSSL will adopt the following policy:</p>
-<ul>
-	<li><p>
-	There will be a defined set of primary platforms. The primary
-	platforms will be Linux and FreeBSD. A primary platform is one where
-	most development occurs.</p>
-	<li><p>
-	In addition there will be a list of secondary platforms which are
-	supported by the development team.</p>
-	<li><p>
-	Platform specific code will be moved out of the main codebase
-	(removing overuse of &quot;ifdef&quot;).</p>
-	<li><p>
-	Legacy platforms that are unlikely to have wide deployment will be
-	removed from the code.</p>
-	<li><p>
-	Non-supported platforms requiring regular maintenance activities
-	will eventually be removed from the code after first seeking
-	community owners to support the platforms in platform specific
-	repositories.<br><br></p>
-</ul>
-<p>
-Necessary criteria for a platform to be included in the secondary
-platform list includes:</p>
-<ul>
-	<li><p>
-	Currency, i.e. a platform is widely deployed and in current use</p>
-	<li><p>
-	Vendor support</p>
-	<li><p>
-	Available to the dev team, i.e. the dev team have access to a
-	suitable environment in which to test builds and deal with tickets
-	and issues</p>
-	<li><p>
-	Dev team ownership, i.e. at least one person on the team is willing
-	to take some responsibility for a platform<br><br></p>
-</ul>
-<p>
-In addition the secondary list will be as small as possible so as not
-to spread the development team too thinly.</p>
-<p>
-The secondary platforms are still to be defined but will be based on
-the above criteria. For each primary/secondary platform, we should
-have, at least, a continuous integration box and a dev machine we can
-access for test/debug. We will seek support from the platform vendors
-or the community to provide access to these platforms. The secondary
-platform list will change over time, but an initial list will be
-produced within three months.</p>
-<p>
-The Platform Strategy will be phased in over a period of time based
-on how quickly we can refactor the code.</p>
-<h2>Security Strategy</h2>
-<del>
-<p>
-We will be documenting a security strategy which will define our
-policy on:</p>
-<ul>
-	<li><p>
-	How we make security fixes</p>
-	<li><p>
-	What (if any) pre-notification of forthcoming security releases will
-	be provided (and to whom) (Timescale: Within two months)</p>
-</ul>
-</del>
-<p>
-Objective met (7th September 2014): The OpenSSL security policy is available
-<a href="secpolicy.html">here</a>
-</p>
-<h1>Forthcoming Features</h1>
-<p>
-The primary focus of effort will be on achieving the objectives
-detailed above, however we are evaluating the following new features.</p>
-<ul>
-	<li><p>
-	IPv6 support</p>
-	<li><p>
-	AEAD updates (API review, Poly/ChaCha support, /dev/crypto
-	operations coalescing)</p>
-	<li><p>
-	TLS 1.3.
-	</p>
-	<li><p>
-	Certificate Transparency support.
-	</p>
-	<li><p>
-	Support for new ciphersuites e.g. CCM.</p>
-	<li><p>
-	Extended SSL_CONF support.</p>
-	<li><p>
-	DANE support.</p>
-	<li><p>
-	Security levels (currently experimental in master)</p>
-	<li><p>
-	OCB</p>
-	<li><p>
-	FIPS code review and refactor</p>
-	<li><p>
-	Support for emerging platforms, e.g. ARMv8, POWER8</p>
-	<li><p>
-	Built-in MT support for two major threading "flavours", POSIX
-	threads and Win32.</p>
-</ul>
-
-<h1>Roadmap Update History</h1>
-<p>
-The following changes have been made since the roadmap was first 
-issued 30-June-2014.
-</p>
-<ul>
-	<li><p>
-	<a name="14-oct-2014">14-October-2014.</a>
-	Updated audit; added TLS 1.3 and Certificate
-	Transparency to features.</p>
-	<li><p>
-	8-September-2014. Updated status on the RT backlog objective.</p>
-	<li><p>
-	7-September-2014. Updated security policy section.</p>
-	<li><p>
-	16-July-2014. Updated code review section.</p>
-	<li><p>
-	1-July-2014. Noted RT is our bug tracking system.</p>
-</ul>
-
diff --git a/about/secpolicy.wml b/about/secpolicy.wml
deleted file mode 100644
index 6301a29..0000000
--- a/about/secpolicy.wml
+++ /dev/null
@@ -1,167 +0,0 @@
-
-#use wml::openssl area=about page=secpol
-
-<title>About, Security Policy</title>
-<h1><center>OpenSSL Security Policy</center></h1>
-<h2><center>Last modified 7th September 2014</center></h2>
-<p>
-<br>
-</p>
-
-
-<h1>Introduction</h1>
-
-<p>
-Recent flaws have captured the attention of the media and highlighted
-how much of the internet infrastructure is based on OpenSSL.  We've
-never published our policy on how we internally handle security issues; 
-that process being based on experience and has evolved
-over the years.  
-</p>
-
-<h1>Reporting security issues</h1>
-
-<p>
-We have an email address which can be used to notify us of possible
-security vulnerabilities.  A subset of OpenSSL team members receive
-this mail, and messages can be sent using PGP encryption.  Full
-details are at <a href="../news/vulnerabilities.html">https://www.openssl.org/news/vulnerabilities.html</a>
-</p>
-
-<p>
-When we are notified about an issue we engage resources within the
-OpenSSL team to investigate and prioritise it.  We may also utilise
-resources from the employers of our team members, as well as others
-we have worked with before.
-</p>
-
-<h1>Background</h1>
-
-<p>
-Everyone would like to get advance notice of security issues in OpenSSL.
-This is a complex topic and we need to set out some background
-with our findings:
-</p>
-<ul>
-<li><p>The more people you tell in advance the higher the likelihood that a
-  leak will occur.  We have seen this happen before, both with OpenSSL
-  and other projects.</p>
-
-<li><p>A huge number of products from an equally large number of
-  organisations use OpenSSL. It's not just secure websites, you're
-  just as likely to find OpenSSL inside your smart TV, car, or fridge.</p>
-
-<li><p>We strongly believe that the right to advance patches/info
-  should not be based in any way on paid membership to some forum. You
-  can not pay us to get security patches in advance.</p>
-
-<li><p>We can benefit from peer review of the patches and advisory. Keeping
-  security issues private means they can't get the level of testing or
-  scrutiny that they otherwise would.</p>
-
-<li><p>It is not acceptable for organisations to use advance notice in marketing
-  as a competitive advantage.  For example "if you had bought our
-  product/used our service you would have been protected a week ago".</p>
-
-<li><p>There are actually not a large number of serious vulnerabilities in
-  OpenSSL which make it worth spending significant time keeping our
-  own list of vendors we trust, or signing framework agreements, or
-  dealing with changes, and policing the policy.  This is a
-  significant amount of effort per issue that is better spent on other
-  things.</p>
-
-<li><p>We have previously used third parties to handle notification for us
-  including CPNI, oCERT, or CERT/CC, but none were suitable.</p>
-
-<li><p>It's in the best interests of the Internet as a whole to get fixes
-  for OpenSSL security issues out quickly. OpenSSL embargoes should be
-  measured in days and weeks, not months or years.</p>
-
-<li><p>Many sites affected by OpenSSL issues will be running a version of
-  OpenSSL they got from some vendor (and likely bundled with an
-  operating system).  The most effective way for these sites to get
-  protected is to get an updated version from that vendor.  Sites who
-  use their own OpenSSL compilations should be able to handle a quick
-  patch and recompile once the issue is public.</p>
-</ul>
-
-<h1>Internal handling of security issues</h1>
-
-<p>This leads us to our policy for security issues notified to us or
-found by our team which are not yet public.</p>
-
-<p>"private" means kept within the OpenSSL development team.</p>
-
-<p>We will determine the risk of each issue being addressed.  We will
-take into account our experience dealing with past issues, versions
-affected, common defaults, and use cases.  We divide the issues into
-the following categories:</p>
-
-<ul>
-
-<li><p>low severity issues.  This includes issues such as those that only
-  affect the openssl command line utility, unlikely configurations, or
-  hard to exploit timing (side channel) attacks.  These will in
-  general be fixed immediately in latest development versions, and may
-  be backported to older versions that are still getting updates.  We
-  will update the vulnerabilities page and note the issue CVE in the
-  changelog and commit message, but they may not trigger new releases.</p>
-
-<li><p>moderate severity issues.  This includes issues like crashes in
-  client applications, flaws in protocols that are less commonly used
-  (such as DTLS), and local flaws.  These will in general be kept
-  private until the next release, and that release will be scheduled
-  so that it can roll up several such flaws at one time.</p>
-
-<li><p>high severity issues.  This includes issues affecting common
-  configurations which are also likely to be exploitable.  Examples
-  include a server DoS, a significant leak of server memory, and
-  remote code execution.  These issues will be kept private and will
-  trigger a new release of all supported versions.  We will attempt to
-  keep the time these issues are private to a minimum; our aim would
-  be no longer than a month where this is something under our control,
-  and significantly quicker if there is a significant risk or we are
-  aware the issue is being exploited.</p>
-</ul>
-
-<p>During the investigation of issues we may work with individuals and
-organisations who are not on the development team.  We do this because
-past experience has shown that they can add value to our understanding
-of the issue and the ability to test patches.  In cases where
-protocols are affected this is the best way to mitigate the risk that
-a poorly reviewed update causes signficiant breakage, or to detect if
-issues are being exploited in the wild.  We have a strict policy on
-what these organisations and individuals can do with the information
-and will review the need on a case by case basis.</p>
-
-<h1>Prenotification policy</h1>
-
-<p>Where we are planning an update that fixes security issues we will
-notify the openssl-announce list and update the home page to give our
-scheduled update release date and time and the severity of issues
-being fixed by the update.  No futher information about the issues
-will be given.  This is to aid organisations that need to ensure they
-have staff available to handle triaging our announcement and what it
-means to their organisation.</p>
-
-<p>For updates that include high severity issues we will also prenotify
-with more details and patches.  Our policy is to let the organisations
-that have a general purpose OS that uses OpenSSL have a few days
-notice in order to prepare packages for their users and feedback test
-results.</p>
-
-<p>We use the mailing list described at
-<a href="http://oss-security.openwall.org/wiki/mailing-lists/distros">http://oss-security.openwall.org/wiki/mailing-lists/distros</a> for this.
-We may also include other organisations that would otherwise qualify
-for list membership.  We may withdraw notifying individual
-organisations from future prenotifications if they leak issues before
-they are public or over time do not add value (value can be added by
-providing feedback, corrections, test results, etc.)</p>
-
-<p>Finally, note that not all security issues are notified to us
-directly; some come from third parties such as companies that pay for
-vulnerabilities, some come from country CERTs.  These intermediaries,
-or the researchers themselves, may follow a different style of
-notification. This is within their rights and outside of the control
-of the OpenSSL team.</p>
-
diff --git a/bin/mk-changelog b/bin/mk-changelog
new file mode 100755
index 0000000..60135c9
--- /dev/null
+++ b/bin/mk-changelog
@@ -0,0 +1,48 @@
+#! /usr/bin/perl -w
+use strict;
+
+# Read whole input.
+my $page;
+{
+    local $/;
+    $page .= <STDIN>;
+}
+
+# HTML entities.
+$page =~ s|&|&amp;|sg;
+$page =~ s|<|&lt;|sg;
+$page =~ s|>|&gt;|sg;
+
+# Make sub-headings.
+$page =~ s|^.+?(Changes.+?\n+)|$1|s;
+$page =~ s|(Changes between.+?)\n|</pre>\n<h3>$1</h3>\n<pre>\n|sg;
+
+# Wrap it, and remove empty <pre></pre>
+$page = '<pre>' . $page . '</pre>';
+$page =~ s|<pre></pre>||g;
+
+# Make a TOC
+my $ctr = 0;
+my $toc;
+my $out;
+my $top = '  <a href="#toc"><img src="/img/up.gif"/></a>';
+for (split /^/, $page) {
+    if ( /<h3>/ ) {
+	my $name = $_;
+	$name =~ s|<h3>(.*)</h3>|$1|;
+	chop ($name);
+	$out .= '<h3><a name="x' . $ctr . '">' . $name . "</a>$top</h3>\n";
+	$toc .= '<li><a href="#x' . $ctr . '">' . $name . "</a></li>\n";
+	$ctr++;
+    } else {
+	$out .= $_;
+    }
+}
+
+print "<h3><a name='toc'>Table of contents</a></h3>\n";
+print "<ul>";
+print $toc;
+print "</ul>";
+print $out;
+
+exit(0);
diff --git a/run-faq.pl b/bin/mk-faq
similarity index 52%
rename from run-faq.pl
rename to bin/mk-faq
index f1e38f5..803d53a 100755
--- a/run-faq.pl
+++ b/bin/mk-faq
@@ -1,48 +1,73 @@
-#!/usr/bin/perl
-## read a FAQ file and pretty-print it as html
+#! /usr/bin/perl -w
+use strict;
+
+sub escape
+{
+    s/\&/\&amp;/g;
+    s/\</\&lt;/g;
+    s/\>/\&gt;/g;
+}
 
-$|++;
 # TOC
-$i=0; $l=""; $n=0;
-print "<ul>\n";
-print "<ol>\n";
+my $l = "";
+my $n = 0;
+print "<h3><a name='toc'>Table of Contents</a></h3>\n";
+my $dirty = 0;
 while (<STDIN>) {
     escape($_);
     last if /^=+$/;
     next if /^\w*$/;
     if (/^\[([^\[]+)\] (.*)/) {
-	$l=$1;
-	$n=0;
-	print "</ol>\n";
-	print "<li><a href=\"#$l\">$1</a> $2\n";
+	print "</ol>\n" if $dirty;
+	$l = $1;
+	$n = 0;
+	$dirty = 1;
+	print "<h4><a href=\"#$l\">$1</a> $2</h4>\n";
 	print "<ol>\n";
     } elsif (/^\* (.*)/) {
 	$n++;
-	print "<li><a href=\"#$l$n\">$1</a>\n";
+	print "<li><a href=\"#$l$n\">$1</a></li>\n";
     }
 }
-print "</ol>\n";
-print "</ul>\n\n";
+print "</ol>\n" if $dirty;
 
 # Contents
-$l=""; $n=0; $pre=0; $snip=0;
+my $top = '  <a href="#toc"><img src="/img/up.gif"/></a>';
+$l = "";
+$n = 0;
+my $pre = 0;
+my $snip = 0;
 while (<STDIN>) {
     next if /^=+$/;
     if (/^----- snip:start -----/) {
-	print "<pre><listing>" unless $snip;
-	$snip=1;
+	print "<pre>";
+	$snip = 1;
+	next;
     }
     if ($snip) {
+	if (/^----- snip:end -----/) {
+	    print "</pre>";
+	    $snip = 0;
+	} else {
+	    escape($_);
+	    print;
+	}
+	next;
+    }
+    if (/^ /) {
+	print "<pre>" unless $pre;
+	$pre = 1;
 	escape($_);
 	print;
+	next;
     }
-    if ($snip && /^----- snip:end -----/) {
-	print "</listing></pre>";
-	$snip=0;
-	goto cont;
+    if ($pre) {
+	print "</pre>\n";
+	$pre = 0;
     }
-    if ($snip) {
-	goto cont;
+    if (/^$/) {
+	print "<p>";
+	next;
     }
     if (/<URL:/ and not /<URL:.*>/) {
 	chomp;
@@ -53,7 +78,7 @@ while (<STDIN>) {
     s/\@\@\@(.*?)\@\@\@/<a href=\"$1\">$1<\/a>/;
     if (s/\((.?)\)/XX$1XX/g) {
 	while (/([A-Za-z_\.]*)XX(.?)XX/) {
-	    foreach $section ("apps", "ssl", "crypto") {
+	    foreach my $section ("apps", "ssl", "crypto") {
 		if (-f "../docs/$section/$1.html") {
 		    s|([A-Za-z_\.]*)XX(.?)XX|<a href=\"../docs/$section/$1.html\">$1($2)</a>|;
 		    goto found;
@@ -64,32 +89,19 @@ while (<STDIN>) {
 	}
     }
     if (/^\[([^\[]+)\] =+/) {
-	$l=$1;
-	$n=0;
+	$l = $1;
+	$n = 0;
 	print "<hr>\n";
-	print "<h2>[<a name=\"$l\">$1</a>]</h2>\n";
+	print "<h3>[<a name=\"$l\">$1</a>] $top</h3>\n";
     } elsif (/^\* (.*)/) {
 	$n++;
-	print "\n<h2><i><a name=\"$l$n\">$n. $1</a></i></h2>\n";
+	print "\n<h4><a name=\"$l$n\">$n. $1</a>$top</h4>\n";
     } elsif (/^$/) {
 	print "<p>";
-    } elsif (/^ /) {
-	print "<pre>" unless $pre;
-	$pre=1;
-	print;
-    } else {
-	print "</pre>\n" if $pre;
-	$pre=0;
+    }
+    else {
 	print;
     }
-  cont:
 }
 
 exit(0);
-
-sub escape
-{
-    s/\&/\&amp;/g;
-    s/\</\&lt;/g;
-    s/\>/\&gt;/g;
-}
diff --git a/bin/mk-filelist b/bin/mk-filelist
new file mode 100755
index 0000000..e6b6088
--- /dev/null
+++ b/bin/mk-filelist
@@ -0,0 +1,52 @@
+#! /usr/bin/perl -w
+use strict;
+
+die "Missing args\n" if $#ARGV < 2;
+my $SRCDIR = $ARGV[0]; shift;
+my $URLBASE = $ARGV[0]; shift;
+my $GLOB = join(' ', @ARGV);
+
+my @months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
+	   'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
+
+sub ls {
+    my ($pat) = @_;
+    my @F = sort { (stat($b))[9] <=> (stat($a))[9]; } (glob($pat));
+    my @R = ();
+    foreach my $f (@F) {
+        next if ($f =~ m|^index.*|);
+	next if -d $f;
+        my @S = stat($f);
+        my @T = localtime($S[9]);
+        push(@R, sprintf("%d %d-%s-%02d %02d:%02d:%02d %s",
+             $S[7] / 1024,
+	     1900+$T[5], $months[$T[4]], $T[3],
+	     $T[2], $T[1], $T[0],
+	     $f));
+    }
+    return @R;
+}
+
+chdir $SRCDIR || die "Can't chdir $SRCDIR, $!";
+my @L = &ls($GLOB);
+foreach my $l (@L) {
+    next if $l =~ m|^\s*$|;
+    my @fields = split / /, $l;
+    # Size, date, time, filename
+    my $fs = $fields[0];
+    my $fd = $fields[1] . "&nbsp;" . $fields[2];
+    my $ff = $fields[3];
+    my $url = $URLBASE . $ff;
+    my $r = "<a href=\"$url\">$ff</a>";
+    $r .= " (<a href=\"$url.sha256\">SHA256</a>)" if -f "$ff.sha256";
+    $r .= " (<a href=\"$url.asc\">PGP sign</a>)" if -f "$ff.asc";
+    $r .= " (<a href=\"$url.sha1\">SHA1</a>)" if -f "$ff.sha1";
+    # $r .= " (<a href=\"$url.md5\">MD5</a>)" if -f "$ff.md5";
+    print "<tr>\n";
+    print "  <td>$fs&nbsp;</td>\n";
+    print "  <td>$fd&nbsp;</td>\n";
+    print "  <td>$r</td>\n";
+    print "</tr>\n";
+}
+
+exit(0);
diff --git a/bin/mk-sitemap b/bin/mk-sitemap
new file mode 100755
index 0000000..d53d3cb
--- /dev/null
+++ b/bin/mk-sitemap
@@ -0,0 +1,40 @@
+#! /usr/bin/perl -w
+use strict;
+
+sub
+dodir()
+{
+    my $dir = shift;
+    my $level = shift || 1;
+    my @files = ();
+    my @dirs = ();
+
+    foreach my $entry ( glob($dir . "/*")) {
+	if (-f $entry ) {
+	    next unless $entry =~ m/.*\.(html|pdf|txt|png)$/;
+	    push @files, $entry;
+	} elsif ( -d $entry ) {
+	    push @dirs, $entry;
+	}
+    }
+
+    foreach my $entry ( @files ) {
+	$entry =~ s at .*/@@;
+	next if $entry eq 'template-file.html';
+	print "\t" x $level, $entry, "\n";
+    }
+
+    foreach my $entry ( @dirs) {
+	$entry =~ s@^\.\/@@;
+	next if $entry =~ m/.git|inc|img|bin/;
+	next if $entry =~ m/secadv/;
+	my $simple = $entry;
+	$simple =~ s at .*/@@;
+	print "\n", "\t" x $level, $simple, "/\n";
+	&dodir($entry, $level + 1);
+    }
+}
+
+print "/\n";
+&dodir('.', 0);
+exit(0);
diff --git a/bin/vulnerabilities.xsl b/bin/vulnerabilities.xsl
new file mode 100644
index 0000000..83971a6
--- /dev/null
+++ b/bin/vulnerabilities.xsl
@@ -0,0 +1,141 @@
+<?xml version="1.0"?>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+  <xsl:output indent="yes" encoding="UTF-8" method="html" omit-xml-declaration="yes"/>
+
+  <!-- Format a date like "1960-02-10" into "February 10th, 1960" -->
+  <xsl:template name="dateformat">
+    <xsl:param name="date" select="."/>
+    <xsl:variable name="day" select="number(substring($date,7,2))"/>
+    <xsl:variable name="month" select="number(substring($date,5,2))"/>
+    <xsl:variable name="year" select="number(substring($date,1,4))"/>
+
+    <xsl:if test="$day &gt; 0"> 
+      <xsl:value-of select="$day" />
+      <xsl:choose>
+	<xsl:when test="$day=1 or $day=21 or $day=31">st</xsl:when>
+	<xsl:when test="$day=2 or $day=22">nd</xsl:when>
+	<xsl:when test="$day=3 or $day=23">rd</xsl:when>
+	<xsl:otherwise>th</xsl:otherwise>
+      </xsl:choose>
+      <xsl:text> </xsl:text>
+    </xsl:if>
+    <xsl:choose>
+      <xsl:when test="$month=01">January</xsl:when>
+      <xsl:when test="$month=02">February</xsl:when>
+      <xsl:when test="$month=03">March</xsl:when>
+      <xsl:when test="$month=04">April</xsl:when>
+      <xsl:when test="$month=05">May</xsl:when>
+      <xsl:when test="$month=06">June</xsl:when>
+      <xsl:when test="$month=07">July</xsl:when>
+      <xsl:when test="$month=08">August</xsl:when>
+      <xsl:when test="$month=09">September</xsl:when>
+      <xsl:when test="$month=10">October</xsl:when>
+      <xsl:when test="$month=11">November</xsl:when>
+      <xsl:when test="$month=12">December</xsl:when>
+    </xsl:choose>
+    <xsl:if test="$year&gt;0">
+      <xsl:text> </xsl:text>
+      <xsl:value-of select="$year"/>
+    </xsl:if>
+  </xsl:template>
+
+  <xsl:key name="unique-date" match="@public" use="substring(.,1,4)"/>
+  <xsl:key name="unique-base" match="@base" use="."/>
+
+  <xsl:template match="security">
+    <xsl:comment>
+      Do not edit this file; edit vulnerabilities.xml
+    </xsl:comment>
+
+    <h3><a name="toc">Table of Contents</a></h3>
+    <ul>
+      <xsl:for-each select="issue/@public[generate-id()=generate-id(key('unique-date',substring(.,1,4)))]">
+	<xsl:sort select="." order="descending"/>
+	<xsl:variable name="year" select="substring(.,1,4)"/>
+	<li><a href="#y{$year}"><xsl:value-of select="$year"/></a></li>
+      </xsl:for-each>
+    </ul>
+
+    <xsl:for-each select="issue/@public[generate-id()=generate-id(key('unique-date',substring(.,1,4)))]">
+      <xsl:sort select="." order="descending"/>
+      <xsl:variable name="year" select="substring(.,1,4)"/>
+
+      <h3><a name="y{$year}"><xsl:value-of select="$year"/></a>
+	<!-- don't need an UP on each year.
+	<xsl:text>  </xsl:text><a href="#toc"><img src="/img/up.gif"/></a>
+	-->
+      </h3>
+      <dl>
+	<xsl:apply-templates select="../../issue[substring(@public,1,4)=$year]">
+	  <xsl:sort select="./@public" order="descending"/>
+	</xsl:apply-templates>
+      </dl>
+    </xsl:for-each>
+  </xsl:template>
+
+  <xsl:template match="issue">
+    <dt>
+      <xsl:apply-templates select="cve"/>
+      <xsl:if test="advisory/@url">
+	<xsl:text> </xsl:text><a href="{advisory/@url}">(OpenSSL advisory) </a>
+      </xsl:if>
+      <xsl:if test="impact/@severity">
+	[<xsl:value-of select="impact/@severity"/> severity]
+      </xsl:if>
+      <xsl:call-template name="dateformat">
+	<xsl:with-param name="date" select="@public"/>
+      </xsl:call-template>
+      <xsl:text disable-output-escaping='yes'>:  &lt;a href="#toc">&lt;img src="/img/up.gif"/>&lt;/a></xsl:text>
+    </dt>
+    <dd>
+      <xsl:copy-of select="string(description)"/>
+      <xsl:if test="reported/@source">
+	Reported by <xsl:value-of select="reported/@source"/>.
+      </xsl:if>
+      <ul>
+	<xsl:for-each select="fixed">
+	  <li>Fixed in OpenSSL  
+	    <xsl:value-of select="@version"/>
+	    <xsl:if test="git/@hash">
+	      <xsl:text> </xsl:text><a href="https://github.com/openssl/openssl/commit/{git/@hash}">(git commit)</a><xsl:text> </xsl:text>
+	    </xsl:if>
+	    <xsl:variable name="mybase" select="@base"/>
+	    <xsl:for-each select="../affects[@base=$mybase]|../maybeaffects[@base=$mybase]">
+	      <xsl:sort select="@version" order="descending"/>
+	      <xsl:if test="position() =1">
+		<xsl:text> (Affected </xsl:text>
+	      </xsl:if>
+	      <xsl:value-of select="@version"/>
+	      <xsl:if test="name() = 'maybeaffects'">
+		<xsl:text>?</xsl:text>
+	      </xsl:if>
+	      <xsl:if test="position() != last()">
+		<xsl:text>, </xsl:text>
+	      </xsl:if>
+	      <xsl:if test="position() = last()">
+		<xsl:text>) </xsl:text>
+	      </xsl:if>
+	    </xsl:for-each>
+	  </li>
+	</xsl:for-each>
+      </ul>
+    </dd>
+  </xsl:template>
+
+  <xsl:template match="cve">
+    <xsl:if test="@name != ''">
+      <b><a name="{@name}">
+	  <xsl:if test="@description = 'full'">
+	    The Common Vulnerabilities and Exposures project
+	    has assigned the name 
+	  </xsl:if>
+	  <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-{@name}">CVE-<xsl:value-of select="@name"/> </a>
+	  <xsl:if test="@description = 'full'">
+	    to this issue.
+	  </xsl:if>
+      </a></b>
+    </xsl:if>
+  </xsl:template>
+
+</xsl:stylesheet>
diff --git a/community/binaries.html b/community/binaries.html
new file mode 100644
index 0000000..7774af5
--- /dev/null
+++ b/community/binaries.html
@@ -0,0 +1,67 @@
+
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Binaries</h2></header>
+	  <div class="entry-content">
+	    <p>Some people have offered to provide OpenSSL binary
+	    distributions for selected operating systems.  The condition to
+	    get a link here is that the link is stable and can provide
+	    continued support for OpenSSL for a while.</p>
+
+	    <p>Note: many Linux distributions come with pre-compiled OpenSSL
+	    packages. Those are already well-known among the users of said
+	    distributions, and will therefore <em>not</em> be mentioned here.
+	    If you are such a user, we ask you to get in touch with your
+	    distributor first.  This service is primarly for operating systems
+	    where there are no pre-compiled OpenSSL packages.</p>
+
+	    <dl>
+	      <dt>OpenSSL for Windows</dt>
+	      <dd>Works with MSVC++, Builder 3/4/5, and MinGW.  Comes in form
+	      of self-install executables.
+	      <a
+		href="http://www.slproweb.com/products/Win32OpenSSL.html">http://www.slproweb.com/products/Win32OpenSSL.html</a>
+	      </dd>
+
+	      <dt>OpenSSL for Windows</dt>
+	      <dd>Pre-compiled Win32/64 libraries without external
+	      dependencies to the Microsoft Visual Studio Runtime DLLs, except
+	      for the system provided msvcrt.dll.
+	      <a
+		href="http://indy.fulgan.com/SSL/">http://indy.fulgan.com/SSL/</a>
+	      </dd>
+
+	      <dt>OpenSSL for Solaris</dt>
+	      <dd>Versions for Solaris 2.5 - 11 SPARC and X86
+	      <a
+		href="http://www.unixpackages.com/">http://www.unixpackages.com/</a>
+	      </dd>
+	    </dl>
+	    </p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Community</a>
+	    : <a href="">Binaries</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/community/contacts.html b/community/contacts.html
new file mode 100644
index 0000000..a18948b
--- /dev/null
+++ b/community/contacts.html
@@ -0,0 +1,107 @@
+<h1>About the OpenSSL Project</h1>
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+	<header><h2>Contact Us</h2></header>
+	<div class="entry-content">
+	  <p>
+
+	  <p>Apart from email addresses and names, some organizations require
+	  a physical address as contact for open source projects.  Physical
+	  addresses can be useful in other cases as well.  Therefore, some
+	  people have stepped forward and volunteered as "official" contacts
+	  for OpenSSL.  If you want to get in touch with any of these
+	  people, please consider using email first, since that will also
+	  reach other team members in case your contact is temporarly not
+	  available.</p>
+
+	  <p>Please remember to be kind to the contacts.  Their time is
+	  their own to dispose of.  You may <em>request</em> support, but
+	  it's the contact's responsability and freedom alone to decide if
+	  he wants to give any support or not, regardless of who makes the
+	  request.</p>
+
+	  <p>The<em>OpenSSL Software Foundation</em> represents the OpenSSL
+	  project in most capacities including contributor license
+	  agreements, managing donations, and so on.
+
+	  <blockquote>
+	    OpenSSL Software Foundation<br>
+	    20-22 Wenlock Road<br>
+	    London<br>
+	    N1 7GU<br>
+	    United Kingdom<br>
+	    +44 1785508015  (UK)<br>
+	    +1 877-OPENSSL(6775) (US toll free)<br>
+	    +1 301-956-2281 (US)<br>
+	    <a href="mailto:info at opensslfoundation.org">info at opensslfoundation.org</a>
+	  </blockquote>
+	  </p>
+
+	  <p><em>OpenSSL Software Services</em> represents the OpenSSL
+	  project for selected commercial or quasi-commercial contexts, such
+	  as providing formal support contracts and brokering consulting
+	  contracts for OpenSSL team members.
+	  <blockquote>
+	    OpenSSL Software Services Inc.<br>
+	    40 E Main St, Suite 744<br>
+	    Newark DE 19711<br>
+	    USA<br>
+	    +1 240-215-3103<br>
+	    <a href="mailto:info at opensslservices.com">info at opensslservices.com</a>
+	  </blockquote>
+	  </p>
+
+	  <p>Commercial activities specific to FIPS 140-2 validations and
+	  the OpenSSL FIPS Object Module are handled by
+	  <em>OpenSSL Validation Services</em>.
+	  <blockquote>
+	    OpenSSL Validation Services Inc.<br>
+	    1829 Mount Ephraim Road<br>
+	    Adamstown, MD  21710<br>
+	    USA<br>
+	    +1 301-874-2571<br>
+	    <a href="mailto:info at openssl.com">info at openssl.com</a>
+	  </blockquote>
+	  </p>
+
+	  <p>Some OpenSSL team members are available for selected consulting
+	  engagements.</p>
+
+	  <p>In Sweden:</p>
+
+	  <blockquote>
+	    OpenSSL SE<br>
+	    c/o Richard Levitte<br>
+	    Nordingr?gatan 20<br>
+	    S-162 53 V?llingby<br>
+	    Sweden<br>
+	    <a href="mailto:openssl-contact.SE at openssl.org">openssl-contact.SE at openssl.org</a>
+	  </blockquote>
+	  </p>
+
+	</div>
+	<footer>
+	  You are here: <a href="/">Home</a>
+	  : <a href=".">Community</a>
+	  : <a href="">Contact Us</a>
+	  <br/><a href="/sitemap.txt">Sitemap</a>
+	</footer>
+      </article>
+    </div>
+    <!--#include virtual="sidebar.inc" -->
+  </div>
+</div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/community/index.html b/community/index.html
new file mode 100644
index 0000000..091bff5
--- /dev/null
+++ b/community/index.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Community<h2></header>
+	  <div class="entry-content">
+	    <p>
+	    OpenSSL is a a collaborative effort of a worldwide community of
+	    volunteers. Here are some of the ways you can join the
+	    community and contribute.
+	    The list of <a href="team.html">development team members</a> is
+	    available, as is a description of how to
+	    <a href="contacts.html">contact us</a> off-line. We'd also like
+	    to <a href="thanks.html">thank</a> several groups for help with
+	    the project infrastructure over time.
+	    </p>
+
+	    <p>
+	    We maintain several <a href="mailinglists.html">mailing lists</a>.
+	    Anyone can join, but you must be a member of a list to post to it.
+	    We have a <a href="http://wiki.openssl.org">public wiki</a>,
+	    and anyone can request an account and start adding content.
+	    We have a <a href="/blog">team blog</a>, where members of
+	    the development team will occasionally post.
+	    </p>
+
+	    <p>
+	    While we only distribute source, some members of the community
+	    make <a href="binaries.html">binaries</a> available.
+	    </p>
+
+	    <h3>Reporting Bugs</h3>
+
+	    <p>If you think have found a security bug, please see our
+	    <a href="/news/vulnerabilities.html">vulnerabilities page</a>
+	    for information on how to report it.</p>
+
+	    <p>We have set up a request tracker at
+	    <a href="http://rt.openssl.org">http://rt.openssl.org</a>,
+	    with read-only access using <em>guest</em> as the name
+	    and password.
+	    Requests can be viewed on-line by using the following URL,
+	    replacing <em>NNNN</em> with the request number:
+	    http://rt.openssl.org/Ticket/Display.html?user=guest&amp;pass=guest&amp;id=<em>NNNN</em>
+	    </p>
+
+	    <p>To report a bug or make an enhancement request, send email
+	    to <a href="mailto:rt at openssl.org">rt at openssl.org</a>.
+	    In the subject line, please make sure to indicate if its a
+	    bug, a fix, and a brief description of the issue.  In the
+	    body of your mail, please include the version of operationg
+	    system and OpenSSL you are using.  If you have a patch or diff,
+	    please send it as an attachment, and not inline in
+	    the message body.</p>
+
+	    <p>The easiest way to respond to an existing request is to reply
+	    to the relevant message in <em>openssl-dev at openssl.org</em>.
+	    To help avoid duplicate copies, edit the recipient list so that
+	    only <em>rt at openssl.org</em> is listed and remove any quoted
+	    material.
+	    </p>
+
+	    <p>You can also create a pull request in
+	    <a href="https://github.com/openssl/openssl">GitHub</a>,
+	    but if you do that, please also use RT and refer to the
+	    request number.  That way we are less likely to lose track
+	    of things.</p>
+
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Community</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/community/mailinglists.html b/community/mailinglists.html
new file mode 100644
index 0000000..5ca5d4c
--- /dev/null
+++ b/community/mailinglists.html
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Mailing Lists<h2></header>
+	  <div class="entry-content">
+	    <p>
+	    Here is are the
+	    <a href="http://mta.openssl.org/">mailing lists</a> we run.
+	    You must be a member of the list to post to it.
+	    </p>
+
+	    <table>
+	      <tr><td>List</td><td>Purpose</td></tr>
+	      <tr>
+		<td><a
+		    href="https://mta.openssl.org/mailman/listinfo/openssl-announce">openssl-announce</a></td>
+		<td>Official Project Announcements; low-volume read-only.</td>
+	      </tr>
+	      <tr>
+		<td><a
+		    href="https://mta.openssl.org/mailman/listinfo/openssl-commits">openssl-commits</a></td>
+		<td>Commits to the source repository; read-only</td>
+	      </tr>
+	      <tr>
+		<td><a
+		    href="https://mta.openssl.org/mailman/listinfo/openssl-dev">openssl-dev</a></td>
+		<td>Discussions on development of the OpenSSL library.
+		  This is not the place for application development
+		  questions!</td>
+	      </tr>
+	      <tr>
+		<td><a
+		    href="https://mta.openssl.org/mailman/listinfo/openssl-users">openssl-users</a></td>
+		<td>Application Development, installing and configuring
+		OpenSSL, etc.</td>
+	      </tr>
+	    </table>
+	    <p></p>
+
+	    <h3>Archives</h3>
+
+	    <p>
+	    Public archives can be found at the following locations:
+	    </p>
+	    <table>
+	      <tr><td>List</td><td>Archives</td></tr>
+	      <tr><td>openssl-announce</td><td>
+		  <a
+		    href="http://marc.info/?l=openssl-announce">http://marc.info/?l=openssl-announce</a><br>
+		  <a
+		    href="http://www.mail-archive.com/openssl-announce at openssl.org/">http://www.mail-archive.com/openssl-announce at openssl.org/</a>
+	      </td></tr>
+	      <tr><td>openssl-users</td><td>
+		  <a
+		    href="http://marc.info/?l=openssl-users">http://marc.info/?l=openssl-users</a><br>
+		  <a
+		    href="http://www.mail-archive.com/openssl-users at openssl.org/">http://www.mail-archive.com/openssl-users at openssl.org/</a><br>
+		  <a
+		    href="http://groups.google.com/groups?group=mailing.openssl.users">http://groups.google.com/groups?group=mailing.openssl.users</a><br>
+	      </td></tr>
+	      <tr><td>openssl-dev</td><td>
+		  <a
+		    href="http://marc.info/?l=openssl-dev">http://marc.info/?l=openssl-dev</a><br>
+		  <a
+		    href="http://www.mail-archive.com/openssl-dev at openssl.org/">http://www.mail-archive.com/openssl-dev at openssl.org/</a><br>
+		  <a
+		    href="http://groups.google.com/groups?group=mailing.openssl.dev">http://groups.google.com/groups?group=mailing.openssl.dev</a>
+	      </td></tr>
+	      <tr><td>openssl-commits</td><td>
+		  <a
+		    href="http://marc.info/?l=openssl-cvs">http://marc.info/?l=openssl-cvs</a>
+		  <a
+		    href="http://groups.google.com/groups?group=mailing.openssl.cvs">http://groups.google.com/groups?group=mailing.openssl.cvs</a>
+		</table>
+	      </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href="index.html">Community</a>
+	    : <a href=".">Mailing Lists</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/community/sidebar.inc b/community/sidebar.inc
new file mode 100644
index 0000000..4cbbebb
--- /dev/null
+++ b/community/sidebar.inc
@@ -0,0 +1,32 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Community</a></h1>
+    <ul>
+      <li>
+	  <a href="team.html">Team</a>
+      </li>
+      <li>
+	  <a href="contacts.html">Contact Us</a>
+      </li>
+      <li>
+	  <a href="thanks.html">Thanks!</a>
+      </li>
+      <li>
+          <a href="mailinglists.html">Mailing Lists</a>
+      </li>
+      <li>
+          <a href="http://wiki.openssl.org">Wiki</a>
+      </li>
+      <li>
+          <a href="http://www.openssl.org/blog">Blog</a>
+      </li>
+      <li>
+	  <a href="binaries.html">Binaries</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
+
+
diff --git a/community/team.html b/community/team.html
new file mode 100644
index 0000000..b733f82
--- /dev/null
+++ b/community/team.html
@@ -0,0 +1,174 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+	<header><h2>Team</h2></header>
+	<div class="entry-content">
+	  <p>
+	  The OpenSSL development team consists of people who have commit
+	  access to the source repository.
+	  Policies and procedures are adopted after a majority vote of
+	  the dev-team.
+
+	  <p>
+	  The current OpenSSL development team consists of (in alphabetical
+	  order):
+	  </p>
+	  <table summary="">
+	    <tr>
+	      <td>Name</td>
+	      <td>Email</td>
+	      <td>Locale&nbsp;</td>
+	      <td>PGP Key ID</td>
+	    </tr>
+
+	    <tr>
+	      <td>Matt Caswell</td>
+	      <td><a href="mailto:matt at openssl.org">matt at openssl.org</a></td>
+	      <td>UK</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x8657ABB260F056B1E5190839D9C4D26D0E604491">D9C4D26D0E604491</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Mark J. Cox*</td>
+	      <td><a href="mailto:mark at openssl.org">mark at openssl.org</a></td>
+	      <td>UK</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x36CEE4DEB00CFE33">27585B2E26B927CA29D660CFEAC0FF30DCE1DD5A</a>
+	    </tr>
+
+	    <tr>
+	      <td>Viktor Dukhovni</td>
+	      <td><a href="mailto:viktor at openssl.org">viktor at openssl.org</a></td>
+	      <td>US</td>
+	      <td>&nbsp;</td>
+	    </tr>
+
+	    <tr>
+	      <td>Dr. Stephen Henson*</td>
+	      <td><a href="mailto:steve at openssl.org">steve at openssl.org</a></td>
+	      <td>UK</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x62605AA4334AF9F0DDE5D349D3577507FA40E9E2">D3577507FA40E9E2</a>
+	    </tr>
+
+	    <tr>
+	      <td>Tim Hudson</td>
+	      <td><a href="mailto:tjh at openssl.org">tjh at openssl.org</a></td>
+	      <td>AU</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD">9195C48241FBF7DD</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Lutz J&auml;nicke</td>
+	      <td><a href="mailto:jaenicke at openssl.org">jaenicke at openssl.org</a></td>
+	      <td>DE</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x0A77335AADE74E6BB36CAD8ADFAB592ABDD52F1C">DFAB592ABDD52F1C</a>
+	    </tr>
+
+	    <tr>
+	      <td>Emilia K&auml;sper</td>
+	      <td><a href="mailto:emilia at openssl.org">emilia at openssl.org</a></td>
+	      <td>CH</td>
+	      <td></td>
+	    </tr>
+
+	    <tr>
+	      <td>Ben Laurie*</td>
+	      <td><a href="mailto:ben at openssl.org">ben at openssl.org</a></td>
+	      <td>UK</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x765655DE62E396FF2587EB6C4F6DE1562118CF83">4F6DE1562118CF83</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Steve Marquess</td>
+	      <td><a href="mailto:marquess at openssl.org">marquess at openssl.org</a></td>
+	      <td>US</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xFEAB1FB2653717429B0B894F431711F76D1892F5">CE1AE41903B0216376DCC2357E5776CE7D86D554</a>
+	    </tr>
+
+	    <tr>
+	      <td>Richard Levitte</td>
+	      <td><a href="mailto:levitte at openssl.org">levitte at openssl.org</a></td>
+	      <td>SE</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C">98BB1B36A0210D0139948153DC137F72BE01CD05</a>
+	    </tr>
+
+	    <tr>
+	      <td>Bodo M&ouml;ller</td>
+	      <td><a href="mailto:bodo at openssl.org">bodo at openssl.org</a></td>
+	      <td>CH</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xAA589DAC5A6A9B85">AA589DAC5A6A9B85</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Andy Polyakov*</td>
+	      <td><a href="mailto:appro at openssl.org">appro at openssl.org</a></td>
+	      <td>SE</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xB652F27F2B8D1B8DA78D7061BA6CDA461FE8E023">BA6CDA461FE8E023</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Kurt Roeckx</td>
+	      <td><a href="mailto:kurt at openssl.org">kurt at openssl.org</a></td>
+	      <td>BE</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xE5E52560DD91C556DDBDA5D02064C53641C25E5D">2064C53641C25E5D</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Rich Salz</td>
+	      <td><a href="mailto:rsalz at openssl.org">rsalz at openssl.org</a></td>
+	      <td>US</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0xD099684DC7C21E02E14A8AFEF23479455C51B27C">F23479455C51B27C</a></td>
+	    </tr>
+
+	    <tr>
+	      <td>Geoff Thorpe</td>
+	      <td><a href="mailto:geoff at openssl.org">geoff at openssl.org</a></td>
+	      <td>QC</td>
+	      <td><a
+		  href="http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=0x1B3DF808C221D2A5ED74172F0833F510E18C1C32">0833F510E18C1C32</a></td>
+	    </tr>
+	  </table>
+	  *Names with an asterisk indicate members of the core team.
+	  <p>&nbsp;</p>
+
+	  <p>
+	  In addition, we gratefully acknowledge the contributions of the
+	  following alumni: Ralf S. Engelschall, Nils Larsch, Holger Reif, and
+	  Paul C. Sutton.  We also respectfully remember Ulf M&ouml;ller who
+	  is no longer with us.
+	  </p>
+	  </div>
+
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Community</a>
+	    : <a href="">Team</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+  <!--#include virtual="/inc/footer.inc" -->
+  </body>
+  </html>
diff --git a/community/thanks.html b/community/thanks.html
new file mode 100644
index 0000000..8433046
--- /dev/null
+++ b/community/thanks.html
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Thanks!</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    We'd like to thank the following individuals and organizations
+	    who contribute to the OpenSSL project.
+	    </p>
+
+	    <ul>
+	      <li>Our current hosting is provided courtesy of
+	      <a href="https://www.space.net">SpaceNet AG</a>.</li>
+	      <li>Thanks to
+	      <a href="https://www.globalsign.com">GMO GlobalSign</a>
+	      for providing free TLS certificates.</li>
+	      <li>Thanks to <a href="https://rsync.net">rsync.net</a> for
+	      providing free backup storage.</li>
+	      <li>Thanks to Eric Young and Tim Hudson for the SSLeay
+	      package on which OpenSSL is based.</li>
+	      <li>Thanks to Tony Arcieri for the updated logo and some
+	      important tweaks to the CSS.</li>
+	      <li>Thanks to <a href="http://octopress.org">Octopress</a>
+	      for providing the CSS basis for the redesign, as well as
+	      our entire blog machinery.</li>
+	    </ul>
+
+	    <p>
+	    We'd also like to recognize the following for their prior
+	    support:
+	    </p>
+	    <ul>
+	      <li>Thanks to C2Net for contributing back to the Open Source
+	      community the SSLeay version 0.9.1b, which was the last internal
+	      SSLeay version Eric and Tim created while working for
+	      C2Net.</li>
+
+	      <li>Thanks to the Development Team of Internet Services at
+	      <a href="http://www.cw.com/">Cable &amp; Wireless</a> Munich,
+		Germany, for providing the hardware and network resources for
+		some time after 2002. </li>
+
+	      <li>Thanks to the IT Support Group of the Department of
+	      Information Technology and Electrical Engineering at the
+	      <a href="http://www.ethz.ch/">Swiss Federal Institute of Technology Zurich</a>
+	      (ETHZ) for providing the hardware and network resources
+	      from 1998 to 2002.
+	      </li>
+	    </ul>
+
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Community</a>
+	    : <a href="">Thanks!</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/docs/.gitignore b/docs/.gitignore
deleted file mode 100644
index ea742a5..0000000
--- a/docs/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-crypto
-ssl
-apps
diff --git a/docs/.wmlrc b/docs/.wmlrc
deleted file mode 100644
index ab44064..0000000
--- a/docs/.wmlrc
+++ /dev/null
@@ -1,10 +0,0 @@
-##
-##  .wmlrc -- Local RC file for WML
-##
-
-#   define where the URL root of the Sub Navigation Bar (SNB) 
-#   is located [SNB_ROOT] and where it's buttons are defined [SNB_RC]
--DSNB_ROOT~.
--DSNB_RC=.wmlsnb
--I.
-
diff --git a/docs/.wmlsnb b/docs/.wmlsnb
deleted file mode 100644
index e53d69d..0000000
--- a/docs/.wmlsnb
+++ /dev/null
@@ -1,15 +0,0 @@
-##
-##  .wmlsnb -- Sub Navigation Bar Specification for WML
-##
-
-<snb>
-  <snb_button id=index   txt="Documents"  url="./">
-  <snb_button id=index   txt="Blog"       url="/blog/">
-  <snb_button id=openssl txt="openssl(1)" url="apps/openssl.html">
-  <snb_button id=ssl     txt="ssl(3)"     url="ssl/ssl.html">
-  <snb_button id=crypto  txt="crypto(3)"  url="crypto/crypto.html">
-  <snb_button id=HOWTO   txt="HOWTO"      url="HOWTO/">
-  <snb_button id=WIKI    txt="Wiki"       url="http://wiki.openssl.org/">
-  <snb_button id=FIPS140 txt="FIPS140"    url="fips/">
-</snb>
-
diff --git a/docs/HOWTO/.gitignore b/docs/HOWTO/.gitignore
deleted file mode 100644
index 2211df6..0000000
--- a/docs/HOWTO/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-*.txt
diff --git a/docs/faq.html b/docs/faq.html
new file mode 100644
index 0000000..0f8a061
--- /dev/null
+++ b/docs/faq.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Frequently Asked Questions</h2></header>
+	  <div class="entry-content">
+	    <!--#include virtual="faq.inc" -->
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">News</a>
+	    : <a href="">Frequently Asked Questions</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/docs/fips.html b/docs/fips.html
new file mode 100644
index 0000000..61b4378
--- /dev/null
+++ b/docs/fips.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>FIPS-140</h2></header>
+	  <div class="entry-content">
+
+	    <p>The OpenSSL project has collaborated with the <a
+	      href="http://oss-institute.org/"> Open Source Software Institute</a>
+	    on the groundbreaking OpenSSL FIPS Object Module and other
+	    validations. For a basic introduction and some general
+	    background see <a
+	      href="fipsnotes.html">Important Notes About OpenSSL and FIPS 140-2</a>.
+	    For information about sponsorship and support, see
+	    <a href="fipsvalidation.html">OpenSSL and FIPS 140-2</a>
+	    </p>
+
+
+	    <p>The most recent open source based validation of a cryptographic
+	    module (Module) compatible with the OpenSSL libraries is v2.0.1,
+	    FIPS 140-2 certificate <a
+	    href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
+	    This Module is documented in the
+	    <a href="UserGuide-2.0.pdf">2.0 User Guide</a>.
+	    </p>
+
+	    <p>Thanks to multiple platform sponsorships the 2.0 validation
+	    includes the largest number of formally tested platforms for any
+	    validated module.</p>
+
+	    The <a href="http://www.openssl.org/source/openssl-fips-2.0.1.tar.gz">source code</a> and
+	    <a href="fips/UserGuide-2.0.pdf">User Guide</a> are available.
+	    Here is the complete set of files:</p>
+
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="fips.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Docs</a>
+	    : <a href="">FIPS-140</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/docs/fips/SecurityPolicy-1.1.1.pdf b/docs/fips/SecurityPolicy-1.1.1.pdf
new file mode 100644
index 0000000..e79ba44
Binary files /dev/null and b/docs/fips/SecurityPolicy-1.1.1.pdf differ
diff --git a/docs/fips/SecurityPolicy-1.1.2.pdf b/docs/fips/SecurityPolicy-1.1.2.pdf
new file mode 100644
index 0000000..4cab221
Binary files /dev/null and b/docs/fips/SecurityPolicy-1.1.2.pdf differ
diff --git a/docs/fips/SecurityPolicy-1.2.2.pdf b/docs/fips/SecurityPolicy-1.2.2.pdf
new file mode 100644
index 0000000..0cf6e9e
Binary files /dev/null and b/docs/fips/SecurityPolicy-1.2.2.pdf differ
diff --git a/docs/fips/SecurityPolicy-1.2.3.pdf b/docs/fips/SecurityPolicy-1.2.3.pdf
new file mode 100644
index 0000000..b4e8c71
Binary files /dev/null and b/docs/fips/SecurityPolicy-1.2.3.pdf differ
diff --git a/docs/fips/SecurityPolicy-1.2.4.pdf b/docs/fips/SecurityPolicy-1.2.4.pdf
new file mode 100644
index 0000000..2bb1ace
Binary files /dev/null and b/docs/fips/SecurityPolicy-1.2.4.pdf differ
diff --git a/docs/fips/SecurityPolicy-1.2.pdf b/docs/fips/SecurityPolicy-1.2.pdf
new file mode 100644
index 0000000..9ac0515
Binary files /dev/null and b/docs/fips/SecurityPolicy-1.2.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.1.pdf b/docs/fips/SecurityPolicy-2.0.1.pdf
new file mode 100644
index 0000000..e93e0e1
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.1.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.2.pdf b/docs/fips/SecurityPolicy-2.0.2.pdf
new file mode 100644
index 0000000..088b749
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.2.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.3.pdf b/docs/fips/SecurityPolicy-2.0.3.pdf
new file mode 100644
index 0000000..5e5fccc
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.3.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.4.pdf b/docs/fips/SecurityPolicy-2.0.4.pdf
new file mode 100644
index 0000000..1cca3ac
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.4.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.5.pdf b/docs/fips/SecurityPolicy-2.0.5.pdf
new file mode 100644
index 0000000..5b54047
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.5.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.6.pdf b/docs/fips/SecurityPolicy-2.0.6.pdf
new file mode 100644
index 0000000..78a5945
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.6.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.7.pdf b/docs/fips/SecurityPolicy-2.0.7.pdf
new file mode 100644
index 0000000..0f1a607
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.7.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.8.pdf b/docs/fips/SecurityPolicy-2.0.8.pdf
new file mode 100644
index 0000000..95da962
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.8.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.9.odt b/docs/fips/SecurityPolicy-2.0.9.odt
new file mode 100644
index 0000000..8c285b0
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.9.odt differ
diff --git a/docs/fips/SecurityPolicy-2.0.9.pdf b/docs/fips/SecurityPolicy-2.0.9.pdf
new file mode 100644
index 0000000..b4ff166
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.9.pdf differ
diff --git a/docs/fips/SecurityPolicy-2.0.pdf b/docs/fips/SecurityPolicy-2.0.pdf
new file mode 100644
index 0000000..b4ff166
Binary files /dev/null and b/docs/fips/SecurityPolicy-2.0.pdf differ
diff --git a/docs/fips/UserGuide-1.1.1.pdf b/docs/fips/UserGuide-1.1.1.pdf
new file mode 100644
index 0000000..edb94fa
Binary files /dev/null and b/docs/fips/UserGuide-1.1.1.pdf differ
diff --git a/docs/fips/UserGuide-1.2.pdf b/docs/fips/UserGuide-1.2.pdf
new file mode 100644
index 0000000..a0d0155
Binary files /dev/null and b/docs/fips/UserGuide-1.2.pdf differ
diff --git a/docs/fips/UserGuide-2.0.pdf b/docs/fips/UserGuide-2.0.pdf
new file mode 100644
index 0000000..6150d8d
Binary files /dev/null and b/docs/fips/UserGuide-2.0.pdf differ
diff --git a/docs/fips/UserGuide.pdf b/docs/fips/UserGuide.pdf
new file mode 100644
index 0000000..126ef28
Binary files /dev/null and b/docs/fips/UserGuide.pdf differ
diff --git a/docs/fips/fips-2.0-tv.tar.gz b/docs/fips/fips-2.0-tv.tar.gz
new file mode 100644
index 0000000..0c9a275
Binary files /dev/null and b/docs/fips/fips-2.0-tv.tar.gz differ
diff --git a/docs/fips/fipsnotes.wml b/docs/fips/fipsnotes.wml
deleted file mode 100644
index ef2b234..0000000
--- a/docs/fips/fipsnotes.wml
+++ /dev/null
@@ -1,115 +0,0 @@
-
-#use wml::openssl area=documents page=FIPS140
-
-<title>Important Notes about OpenSSL and FIPS 140-2</title>
-
-<h1>OpenSSL and FIPS 140-2</h1>
-
-Please please read the <a href="UserGuide.pdf">User Guide</a>.  Nothing will make sense otherwise (it still may not afterwards, but at least you've a better chance).
-
-<h2>FIPS What?  Where Do I Start?</h2>
-
-Ok, so your company needs FIPS validated cryptography to land that big sale, and your product currently uses OpenSSL.
-You haven't worked up the motivation to wade through the entire <a href="UserGuide.pdf">User Guide</a> and want the
-quick "executive summary".  Here is a grossly oversimplified account:
-<p>
-<ul>
-
-<li>OpenSSL itself is not validated, and never will be.  Instead a special carefully defined software component called the
-OpenSSL FIPS Object Module has been created.  This Module was designed for compatibility with OpenSSL so that products using
-the OpenSSL API can be converted to use validated cryptography with minimal effort.
-<p>
-
-<li>The OpenSSL FIPS Object Module validation is unique among all FIPS 140-2 validations in that the product is "delivered"
-in source code form, meaning that if you can use it exactly as is and can build it (according to the very specific documented
-instructions) for your platform, then you can use it as validated cryptography on a "vendor affirmed" basis.
-<p>
-
-<li>If even the tiniest source code or build process changes are required for your intended application, you cannot use
-the open source based validated module directly.  You must obtain your own validation.  This situation is common; see "Private
-Label" validation, below.
-<p>
-
-<li>New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive
-(US$50,000 is probably typical for an uncomplicated validation), and unpredictable
-(completion dates are not only uncertain when first beginning a validation, but remain so
-during the process).
-
-</ul>
-Note that FIPS 140-2 validation is a complicated topic that the above summary does not adequately address.  You have been warned!
-
-<a name="privatelabel">
-<h2>The "Private Label" Validation</h2>
-</a>
-
-We refer to validations based directly on the OpenSSL FIPS Object Module as
-"private label" validations.  These are also sometimes referred to as "cookie cutter"
-validations.  The usual reason for such separate validations is the need for small
-modifications which forces a complete new validation, but some vendors,
-for marketing or risk management reasons, have obtained private label validations for binaries
-produced from unmodified (or only cosmetically modified) source code.
-<p>
-The OSF would really prefer to work on open source based validations of benefit
-to the OpenSSL user community at large, but financial support for that objective
-is intermittent at best.  On the other hand many vendors are interested in private label
-validations and the OSF will assist in such efforts on a paid basis.  We've done enough
-of these to be very cost competitive, and for uncomplicated validations we typically work
-on a fixed price basis.
-
-<p>
-<font color="#cc3333">Update:</font> As of 2015 we are no longer performing
-<a href="privatelabel.html">private label</a> validations.
-We are still adding new
-platforms to the 
- <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>
-or related validations.
-
-<h2>Current Validations</h2>
-
-The most recent open source based validation is the
-<a href="fipsvalidation.html">OpenSSL FIPS Object Module v2.0</a>,
-FIPS 140-2 certificate
- <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.  You will need the
- <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf">Security Policy</a> and
- <a href="../../source/openssl-fips-2.0.tar.gz">source</a> at a minimum. Note that for this validation a
-new <a href="http://openssl.com/fips/verify.html">"secure installation"</a> requirement has been imposed.
-And did we mention the <a href="UserGuide.pdf">User Guide</a>?
-<p>
-<a name="transition">
-<font color="#cc3333">Important Note:</font>
-</a>
-Due to changes in the FIPS 140-2 validation requirements the current v2.0 Module is 
-no longer a suitable model for private label validations in its current form past the year 2014.
-<p>
-
-<h2>Upcoming Validations</h2>
-<p>
-No new validations are currently planned. The <a href="http://www.openssl.com/fips/ig95.html">I.G. 9.5</a>
-issue has effectively precluded consideration of new validations for much of 2013, but with the July 25 2013 update of the
-<a href="http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf">Implementation Guidance</a>
-(I.G.) document such validations appear to be feasible again. We will be happy to discuss our current understanding of
-the risks with interested sponsors.
-
-<h2>Technical Notes</h2>
-<h3>Performance at Startup</h3>
-We have had many complaints about poor performance of the Power-On Self Test (POST) on low
-powered computers, as with some embedded devices. In the worst cases the POST can take several minutes.
-Such devices were not included as test platforms at the time the code was originally written.
-<p>
-The current FIPS validated code performs a very comprehensive set of mandatory
-algorithm self tests when it enter FIPS mode covering many algorithm
-combinations. There is a DSA parameter generation self test which is
-especially CPU intensive.
-<p>
-As a result of the POST performance issue we revisited the KAT (Known Answer Test)
-requirements in the POST process that were burning up most of those
-cycle.  In consultation with a CMVP test lab we determined that it should
-be possible to substantially reduce that performance penalty in a new
-validation.  Unfortunately such a change can only be undertaken in the context
-of a new validation, and not as a change letter modification.
-<p>
-Another factor affecting performance is the use (or not) of platform specific
-optimizations.  The x86/x64 Windows and Linux code makes use of assembly language
-optimizations for FIPS cryptographic algorithms. The C only version
-is much slower and so the POST is slower too.
-
diff --git a/docs/fips/fipsvalidation.wml b/docs/fips/fipsvalidation.wml
deleted file mode 100644
index b75ffb7..0000000
--- a/docs/fips/fipsvalidation.wml
+++ /dev/null
@@ -1,164 +0,0 @@
-
-#use wml::openssl area=documents page=FIPS140
-
-<title>OpenSSL and FIPS 140-2</title>
-
-<h1>OpenSSL and FIPS 140-2 Validation Status</h1>
-
-The most recent open source based validation of a cryptographic module (Module) compatible with the
-OpenSSL libraries is v2.0.1, FIPS 140-2 certificate
- <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
-This Module is documented in the <a href="UserGuide-2.0.pdf">2.0 User Guide</a>.
-It substantially updates and improves the earlier v1.2 module, FIPS 140-2 certificate
- <a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051">#1051</a>, which
-is documented in the <a href="UserGuide-1.2.pdf">1.2 User Guide</a>.
-<p>
-<font color="#cc3333">Important Note:</font>
-Due to new requirements introduced in 2013 the current v2.0 Module is no longer suitable as a
-reference for private label validations; see the <a href="http://www.openssl.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
-Due to earlier changes in the FIPS 140-2 validation
-requirements the v1.2 Module is no longer be a suitable model for private label validations
-in its current form past the year 2010; see the NIST
-	<a href="http://csrc.nist.gov/groups/STM/cmvp/notices.html">Notices</a>,
-<a href="http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf">discussion paper</a> and
-<a href="http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf">Draft 800-131</a>.
-<p>
-<h2>The 2.0 Validation</h2>
-On January 4, 2011 we began work on the new open source FIPS 140-2 Level 1 validation.
-This validation covers most of the objectives we have been wanting to achieve in a new validation,
-including:
-<ul>
-
-<li>Satisfying the new CMVP testing guidelines.
-<p>
-<li>One or more new PRNG implementations.
-<p>
-
-<li>Algorithm test programs for the AESGCM and ECDSA algorithms.
-<p>
-
-<li>RSA encryption.
-<p>
-
-<li>Upgrade DSA2 for key sizes greater then 1024.
-<p>
-
-<li>Any mandatory additional tests or algorithm modifications for the testing guidelines.
-<p>
-<li>An extensive re-design of the FIPS Module to eliminate OpenSSL revision dependencies.  The new module
-will live in a completely separate purpose-built source distribution.  In contrast to the current module,
-this new module will at least in principle be useful in some stand-alone contexts requiring only low
-level cryptographic primitives.
-
-</ul>
-In addition this validation also includes:
-<ul>
-
-<li>Suite B cryptography, and a "Suite B" mode of operation enforcement similar
-to that provided by the current "FIPS capable" OpenSSL.
-
-</ul>
-
-Thanks to multiple platform sponsorships the 2.0 validation includes the largest number
-of formally tested platforms for any validated module.
-
-<h2>Current Status</h2>
-The validation was awarded on June 27, 2012, certificate number
-<a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>. 
-The <a href="http://www.openssl.org/source/openssl-fips-2.0.1.tar.gz">source code</a> and
-<a href="http://www.openssl.org/docs/fips/UserGuide-2.0.pdf">User Guide document</a> can be downloaded from the
-<a href="http://openssl.org/">OpenSSL web site</a>.
-
-On July 9, 2012 the first "change letter" update was approved, adding six additional platforms and a new
-revision number of 2.0.1. The revised source code can be used
-for all tested platforms, though the older 2.0 
-<a href="http://www.openssl.org/source/openssl-fips-2.0.tar.gz">source distribution</a> remains valid for the platforms tested
-at that time.
-
-On October 24, 2012, the second "change letter" update was approved, adding two additional platforms and a new
-revision number of 2.0.2.  The revised source code can be used
-for all tested platforms, though the older 2.0 and 2.0.1 revisions
-remain valid for the platforms tested at the time those revisions were approved.
-
-<a name="sponsors">
-<h2>Sponsors</h2>
-</a>
-The OpenSSL FIPS Object Module validations receive support from multiple sources for each
-validation effort; however only those sponsors who have elected to be recognised
-for their contribution to OpenSSL are listed below.
-<ul>
-
-<li><hr> <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Transformative_Apps.aspx">
-Defense Advanced Research Projects Agency (DARPA) Transformative Apps Program</a>,
-original primary sponsor of the overall validation with several Android on ARMv7 platforms.
-
-<p>
-<p>
-
-<li><hr><a href="http://www.securenetterm.com/">Intersoft International, Inc.</a>,
-platform sponsor (VC++ Win32/x86 asm optimisation)
-<p>
-<p>
-
-<li><hr><a href="http://www.opengear.com/">Opengear, Inc.</a>, platform sponsor
-(uCLinux ARMv4 asm optimisation)
-<a href="http://www.opengear.com/">
-<img src="$(IMG)/opengear-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr><a href="http://www.quintessencelabs.com/">QuintessenceLabs Pty Ltd</a>, platform sponsor
-(Fedora 14 x86-64 asm optimisation)
-<a href="http://www.quintessencelabs.com/">
-<img src="$(IMG)/quintessence-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr><a href="http://www.pkware.com/">PKWARE, Inc.</a>, platform sponsor
-(HPUX 11i on Itanium 32, 64 bit with asm optimisation)
-<a href="http://www.pkware.com/">
-<img src="$(IMG)/pkware-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr>platform sponsor
-(Ubuntu Linux 32bit x86 with asm optimisation)
-
-<li><hr><a href="http://www.cerberusftp.com/">Cerberus, LLC</a>, general sponsor
-<a href="http://www.cerberusftp.com/">
-<img src="$(IMG)/cerberus-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr><a href="http://www.cyber.st.dhs.gov/host.html">DHS Science and Technology 
-Directorate-sponsored Homeland Open Security Technology (HOST) program</a>, algorithm sponsor (CMAC, AES-CCM)
-<a href="http://www.cyber.st.dhs.gov/host.html">
-<img src="$(IMG)/DHS-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr><a href="http://www.innominate.com/">Innominate Security Technologies AG</a>, platform sponsor (Linux on Freescale MPC8313)
-<a href="http://www.innominate.com/">
-<img src="$(IMG)/innominate-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr><a href="http://www.psw.net/">PSW GROUP</a>, general sponsor
-<a href="http://www.psw.net/">
-<img src="$(IMG)/psw-logo-med.jpg" align=center border=0>
-</a>
-
-<li><hr><a href="http://www.citrix.com/">Citrix Systems, Inc.</a>, platform sponsor (multiple platforms)
-<a href="http://www.citrix.com/">
-<img src="$(IMG)/citrix-logo-med.jpg" align=center border=0>
-</a>
-
-<hr>
-</ul>
-<p>
-If you have an interest in sponsoring any changes or additions to this validation
-please contact <a href="http://openssl.com/fips">OpenSSL Validation Services</a>.
-<p>
-Some commercial software vendors ask us "what do we gain from sponsoring a validation
-that our competition can also use?".  Our answer is "nothing, if you think in terms of
-obstructing your competition".  If, on the other hand, you compete primarily on the
-merits of you products what others may do with the validation is less of a threat as
-they derive no more advantage from it than you do.  Your advantage is that your sponsorship
-will probably cost less that the commercial software license you would otherwise have to buy,
-and you will retain backwards compatibility with the regular OpenSSL API while avoiding
-vendor lock-in.
-
diff --git a/docs/fips/incore.gz b/docs/fips/incore.gz
new file mode 100644
index 0000000..c6171f0
Binary files /dev/null and b/docs/fips/incore.gz differ
diff --git a/docs/fips/index.wml b/docs/fips/index.wml
deleted file mode 100644
index 0bb9a6a..0000000
--- a/docs/fips/index.wml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-#use wml::openssl area=documents page=FIPS140
-
-<title>FIPS140 Files</title>
-
-<h1>FIPS140 Files</h1>
-
-Here you can find a number of FIPS140 related files including the user
-guide and test vectors.
-The latest <a href="UserGuide.pdf">User Guide</a> is the best place to start.  For a basic
-introduction and some general background see
-<a href="fipsnotes.html">Important Notes About OpenSSL and FIPS 140-2</a>, also note the
-<a href="fipsvalidation.html">summary and status</a> of the ongoing open source based OpenSSL FIPS Object Module validation.
-<p>
-<rfilelist "*.pdf *.tar.gz *.zip *.odt incore*">
-<p>
-Note FIPS module and FIPS validation support is included in some of the
-OpenSSL <a href="../../support/funding/contract.html">support plans</a>.  Assistance
-with private label validation is also available on a
- <a href="../../support/consulting.html">consultancy</a> basis.
-<p>
-The OpenSSL project has collaborated with the <a href="http://oss-institute.org/">
-Open Source Software Institute</a> on the groundbreaking OpenSSL FIPS Object Module
-and other validations.
diff --git a/docs/fips/privatelabel.html b/docs/fips/privatelabel.html
new file mode 100644
index 0000000..00a9740
--- /dev/null
+++ b/docs/fips/privatelabel.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<!-- THIS FILE IS OUTDATED.  THE INFORMATION HERE IS IN THE FIPS.HTML
+     FILE.  THIS FILE EXISTS SO OLD LINKS STILL WORK. -->
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>OpenSSL FIPS 140-2 Private Label Validations</h2></header>
+	  <div class="entry-content">
+	    <p> If you haven't already, please read our <a
+	      href="/docs/fipsnotes.html">FIPS 140-2 Notes</a> page.</p>
+
+	    <p><strong>IMPORTANT NOTE:</strong> The addition of multiple new
+	    formal requirements since the #1747 validation was first approved
+	    in 2012, and recent unfavorable experiences with increasingly
+	    unpredictable outcomes from the validation process, have increased
+	    to the point where private label validations are no longer
+	    economically feasible for a small organization of limited means;
+	    the risk doesn't justify the substantial investment of time and
+	    money required to pursue new validations. As of 2015 we are no
+	    longer performing any private label validations. The addition of
+	    new platforms to the existing #1747 or <a
+	      href="http://openssl.com/fips/ransom.html">comparable</a>
+	    validations is still possible and those validation actions are still
+	    being performed.</p>
+
+	    <p>The rest of this page is of historical interest only.</p>
+
+	    <h3>What It Is</h3>
+
+	    <p>We have found that one of the most popular commercial services
+	    offered by the OpenSSL team is the <a
+	      href="/docs/fipsnotes.html#privatelabel">private label validation</a>.
+	    It's not a business we ever planned to be in, but as the
+	    originators of the source code based OpenSSL FIPS Object Module
+	    validations, and with lots of practice, we've gotten pretty good
+	    at it. The revenue we earn from these validations supports the
+	    OpenSSL project, and for some validations also results in useful
+	    additions to the OpenSSL baseline.</p>
+
+
+	    <h3>What You Get</h3>
+
+	    <p>For a total fixed price we will obtain a Level 1 FIPS 140-2
+	    validation in your name using the OpenSSL FIPS Object Module v2.0
+	    for two common platforms using unmodified source code.  A common
+	    platform is a computing device (hardware and operating system)
+	    that is available and familiar to us and the test lab(s).
+	    Examples of common platforms are:</p>
+	    <ul>
+	      <li>Microsoft Windows (32 bit) on x86 hardware</li>
+	      <li>Microsoft Windows (64 bit) on x64 hardware</li>
+	      <li>Linux on 32 bit x86 hardware</li>
+	      <li>Linux (64 bit) on x64 hardware
+	      <li>The Android operating system on some common smart phones
+	      using ARM processors</li>
+	      <li>HP-UX 11 on Itanium</li>
+	      <li>Solaris on x64 hardware </li>
+	    </ul>
+
+	    <p>Additional common platforms can be added to your validation for
+	    US$4000 (Linux/Unix/Android) or US$4500 (desktop/server Windows)
+	    each.</p>
+
+	    <p>We will handle all interaction with the accredited testing lab
+	    and the <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/index.html">CMVP</a>.
+	    You sign one contract with the OSF with half of the price due as a
+	    down payment and the remainder due only when your certificate is <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">posted</a>
+	    by the CMVP.</p>
+
+	    <p>Within two weeks of executing your contract with us, your
+	    pending validation will also appear on the <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/inprocess.html">pre-val list</a>.
+	  The presence of your product on this list is sufficient
+	to satisfy FIPS 140-2 requirements for some procurements.</p>
+
+	    <h3>What Qualifies</h3>
+
+	    <p>This turnkey validation package is applicable in the following
+	    circumstances:</p>
+	    <ul>
+	      <li>You have already confirmed that the module generated from
+	      the OpenSSL FIPS Object Module v2.0 source distribution,
+	      possibly with modifications, works on your platform(s).</li>
+	      <li>Your modifications to the OpenSSL source code, if any, are
+	      not "cryptographically significant".  Roughly speaking, that
+	      means the modifications do not affect the actual cryptographic
+	      algorithms.  Modifications for portability, such as changing
+	      <em>#include</em> statements or redefining macros, or changes to
+	      the build process such as new compiler or linker options, are
+	      generally acceptable.</li>
+	      <li>Your application does not require cross-compilation (the
+	      build system and the target platform can be the same system),
+	      <em>or</em> your cross-compiled platform is one for which the
+	      complete build process, including generation of the integrity
+	      test digest, is already known and tested.</li>
+	      <li>The actual platform, hardware and software, is either
+	      already available to the OSF and the lab or is supplied by you.
+	      We will need at least two complete sets of platform hardware and
+	      software for customer provided equipment.  This equipment can be
+	      returned once the validation is awarded, though some customers
+	      have preferred to leave that equipment with us for regression
+	      testing of future revisions.</li?
+	      <li>You have determined that the performance of the module is
+	      satisfactory on your specific target platform.  We continually
+	      make performance enhancements to OpenSSL, only some of which can
+	      readily be incorporated into routine private label
+	      validations.</li>
+	    </ul>
+	    <p>Note that we can still help you if not all of these
+	    circumstances apply, but we'll have to look at your specific
+	    situation more closely. Note minor software modifications can
+	    often be accommodated in a change letter modification.</p>
+
+	    <hr>
+	    <p>Interested? Contact
+	    <a href="http://openssl.com/fips">OpenSSL Software Services</a>.
+	    </p>
+
+	  </div>
+	</article>
+      </div>
+    </div>
+  </div>
+  <!--#include virtual="/inc/footer.inc" -->
+  </body>
+  </html>
diff --git a/docs/fips/privatelabel.wml b/docs/fips/privatelabel.wml
deleted file mode 100644
index 19a4f6e..0000000
--- a/docs/fips/privatelabel.wml
+++ /dev/null
@@ -1,98 +0,0 @@
-
-#use wml::openssl area=documents page=FIPS140
-
-<title>OpenSSL FIPS 140-2 Private Label Validations</title>
-
-<h1>One Stop Package Deal for Private Label Validations</h1>
-
-If you haven't already, please read our <a href="fipsnotes.html">FIPS 140-2 Notes</a> page.
-
-<p>
-<font color="#cc3333">IMPORTANT NOTE:&nbsp;</font>The addition of
-multiple new formal requirements since the #1747 validation was first approved in 2012, and
-recent unfavorable experiences with increasingly unpredictable outcomes from the validation process, have increased
-to the point where private label validations are no longer economically feasible for a small
-organization of limited means; the risk doesn't justify the substantial investment of time and money required
-to pursue new validations. As of 2015 we are no longer performing any private label validations. The addition of
-new platforms to the existing #1747 or <a href="http://openssl.com/fips/ransom.html">comparable</a> validations
-is still possible and those validation actions are still being performed.
-<p>
-The rest of this page is of historical interest only.
-
-<h2>What It Is</h2>
-
-We have found that one of the most popular commercial services offered by the OpenSSL team 
-is the <a href="fipsnotes.html#privatelabel">private label validation</a>.  It's not a
-business we ever planned to be in, but as the originators of the source code based
-OpenSSL FIPS Object Module validations, and with lots of practice, we've gotten pretty good at it.
-The revenue we earn from these validations supports the OpenSSL project, and for some
-validations also results in useful additions to the OpenSSL baseline.
-<p>
-
-
-<h2>What You Get</h2>
-
-For the total fixed price of as little as US$[TBD] we will obtain a Level 1 FIPS 140-2 validation
-in your name using the OpenSSL FIPS Object Module v2.0 for two common platforms using unmodified
-source code.  A common platform is a computing device (hardware and operating system)
-that is available and familiar to us and the test lab(s).  Examples of common platforms are:
-<ul>
-  <li> Microsoft Windows (32 bit) on x86 hardware
-  <li> Microsoft Windows (64 bit) on x64 hardware
-  <li> Linux on 32 bit x86 hardware
-  <li> Linux (64 bit) on x64 hardware
-  <li> The Android operating system on some common smart phones using ARM processors
-  <li> HP-UX 11 on Itanium
-  <li> Solaris on x64 hardware 
-</ul>
-<p>
-Additional common platforms can be added to your validation for US$4000 (Linux/Unix/Android)
-or US$4500 (desktop/server Windows) each.
-<p>
-We will handle all interaction with the accredited testing lab and the
-<a href="http://csrc.nist.gov/groups/STM/cmvp/index.html">CMVP</a>.  You sign one contract with the
-OSF with half of the price due as a down payment and the remainder due only when your certificate is
-<a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">posted</a> by the CMVP.
-
-<p>
-Within two weeks of executing your contract with us, your pending validation will also appear on the
-<a href="http://csrc.nist.gov/groups/STM/cmvp/inprocess.html">pre-val list</a>.  The presence of your product on
-this list is sufficient to satisfy FIPS 140-2 requirements for some procurements.
-
-<p>
-<h2>What Qualifies</h2>
-<p>
-This turnkey validation package is applicable in the following circumstances:
-<ul>
-  <li>You have already confirmed that the module generated from the
-OpenSSL FIPS Object Module v2.0
-source distribution, possibly with modifications, works on your platform(s).
-  <p>
-  <li>Your modifications to the OpenSSL source code, if any, are not "cryptographically
-      significant".  Roughly speaking, that means the modifications do not affect the
-      actual cryptographic algorithms.  Modifications for portability, such
-      as changing <em>#include</em> statements or redefining macros, or changes to the build process such
-      as new compiler or linker options, are generally acceptable.
-  <p>
-  <li>Your application does not require cross-compilation (the build system and the
-      target platform can be the same system), <em>or</em> your cross-compiled platform
-      is one for which the complete build process, including generation of the
-      integrity test digest, is already known and tested.
-  <p>
-  <li>The actual platform, hardware and software, is either already available to the OSF and the lab or is supplied by you.
-      We will need at least two complete sets of platform hardware and software for customer provided equipment.  This
-      equipment can be returned once the validation is awarded, though some customers have preferred
-      to leave that equipment with us for regression testing of future revisions.
-  <p>
-  <li>You have determined that the performance of the module is satisfactory on your
-      specific target platform.  We continually make performance enhancements to OpenSSL,
-      only some of which can readily be incorporated into routine private label validations.
-</ul>
-<p>
-Note that we can still help you if not all of these circumstances apply, but we'll
-have to look at your specific situation more closely.
-Note minor software modifications can often be accommodated in a change letter modification.
-<p>
-<hr>
-
-Interested?  Contact <a href="http://openssl.com/fips">OpenSSL Software Services</a>.
diff --git a/docs/fips/rsp.HP-UX.2005-07-01.tar.gz b/docs/fips/rsp.HP-UX.2005-07-01.tar.gz
new file mode 100644
index 0000000..8313592
Binary files /dev/null and b/docs/fips/rsp.HP-UX.2005-07-01.tar.gz differ
diff --git a/docs/fips/rsp.SuSE.2005-06-30.tar.gz b/docs/fips/rsp.SuSE.2005-06-30.tar.gz
new file mode 100644
index 0000000..f978047
Binary files /dev/null and b/docs/fips/rsp.SuSE.2005-06-30.tar.gz differ
diff --git a/docs/fips/rsp.SuSE.2005-07-01.tar.gz b/docs/fips/rsp.SuSE.2005-07-01.tar.gz
new file mode 100644
index 0000000..c5c1ba6
Binary files /dev/null and b/docs/fips/rsp.SuSE.2005-07-01.tar.gz differ
diff --git a/docs/fips/testvectors-XP-2007-10-09.zip b/docs/fips/testvectors-linux-2007-10-10.tar.gz
similarity index 52%
copy from docs/fips/testvectors-XP-2007-10-09.zip
copy to docs/fips/testvectors-linux-2007-10-10.tar.gz
index e87a4f9..e70c1c1 100644
Binary files a/docs/fips/testvectors-XP-2007-10-09.zip and b/docs/fips/testvectors-linux-2007-10-10.tar.gz differ
diff --git a/docs/fips/testvectors.HP-UX.tar.gz b/docs/fips/testvectors.HP-UX.tar.gz
new file mode 100644
index 0000000..5b23df6
Binary files /dev/null and b/docs/fips/testvectors.HP-UX.tar.gz differ
diff --git a/docs/fips/testvectors.SuSE.tar.gz b/docs/fips/testvectors.SuSE.tar.gz
new file mode 100644
index 0000000..fe27023
Binary files /dev/null and b/docs/fips/testvectors.SuSE.tar.gz differ
diff --git a/docs/fipsnotes.html b/docs/fipsnotes.html
new file mode 100644
index 0000000..56bcc55
--- /dev/null
+++ b/docs/fipsnotes.html
@@ -0,0 +1,133 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Important Notes about OpenSSL and FIPS 140</h2></header>
+	  <div class="entry-content">
+	    <p>Please please read the <a href="UserGuide.pdf">User Guide</a>.
+	    Nothing will make sense otherwise (it still may not afterwards,
+	    but at least you've a better chance).</p>
+
+	    <p>No new validations are currently planned.</p>
+
+	    <h3>FIPS What?  Where Do I Start?</h3>
+
+	    <p>Ok, so your company needs FIPS validated cryptography to land
+	    that big sale, and your product currently uses OpenSSL. You
+	    haven't worked up the motivation to wade through the entire <a
+	    href="UserGuide.pdf">User Guide</a> and want the quick "executive
+	    summary".  Here is a grossly oversimplified account:</p>
+	    <p>
+
+	    <ul>
+
+	      <li>OpenSSL itself is not validated, and never will be.  Instead
+	      a special carefully defined software component called the
+	      OpenSSL FIPS Object Module has been created.  This Module was
+	      designed for compatibility with OpenSSL so that products using
+	      the OpenSSL API can be converted to use validated cryptography
+	      with minimal effort.</li>
+
+	      <li>The OpenSSL FIPS Object Module validation is unique among
+	      all FIPS 140-2 validations in that the product is "delivered" in
+	      source code form, meaning that if you can use it exactly as is
+	      and can build it (according to the very specific documented
+	      instructions) for your platform, then you can use it as
+	      validated cryptography on a "vendor affirmed" basis.</li>
+
+	      <li>If even the tiniest source code or build process changes are
+	      required for your intended application, you cannot use the open
+	      source based validated module directly.  You must obtain your
+	      own validation.  This situation is common; see "Private Label"
+	      validation, below.</li>
+
+	      <li>New FIPS 140-2 validations (of any type) are slow (6-12
+	      months is typical), expensive (US$50,000 is probably typical for
+	      an uncomplicated validation), and unpredictable (completion
+	      dates are not only uncertain when first beginning a validation,
+	      but remain so during the process).</li>
+
+	    </ul>
+
+	    <p>Note that FIPS 140-2 validation is a complicated topic that the
+	    above summary does not adequately address.  You have been
+	    warned!</p>
+
+	    <h2><a name="privatelable">The "Private Label" Validation</></h2>
+
+	    <p>We refer to validations based directly on the OpenSSL FIPS
+	    Object Module as "private label" validations.  These are also
+	    sometimes referred to as "cookie cutter" validations.  The usual
+	    reason for such separate validations is the need for small
+	    modifications which forces a complete new validation, but some
+	    vendors, for marketing or risk management reasons, have obtained
+	    private label validations for binaries produced from unmodified
+	    (or only cosmetically modified) source code.</p>
+
+	    <p>The OSF would really prefer to work on open source based
+	    validations of benefit to the OpenSSL user community at large, but
+	    financial support for that objective is intermittent at best.  On
+	    the other hand many vendors are interested in private label
+	    validations and the OSF will assist in such efforts on a paid
+	    basis.  We've done enough of these to be very cost competitive,
+	    and for uncomplicated validations we typically work on a fixed
+	    price basis.</p>
+
+	    <p><strong>Update:</strong> As of 2015 we are no longer performing private label validations. We are still adding new platforms to the <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>
+	    or related validations.</p>
+
+	    <h3>Current Validations</h3>
+
+	    <p> The most recent open source based validation is the FIPS 140-2
+	    certificate <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
+	    You will need the <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf">Security Policy</a>
+	    and <a href="/source/openssl-fips-2.0.tar.gz">source</a>
+	    at a minimum. And did we mention the
+	    <a href="UserGuide.pdf">User Guide</a>?</p>
+
+	    <h3>Performance at Startup</h3>
+
+	    <p>We have had many complaints about poor performance of the
+	    Power-On Self Test (POST) on low powered computers, as with some
+	    embedded devices. In the worst cases the POST can take several
+	    minutes. Such devices were not included as test platforms at the
+	    time the code was originally written.</p>
+	    <p>The current FIPS validated code performs a very comprehensive
+	    set of mandatory algorithm self tests when it enter FIPS mode
+	    covering many algorithm combinations. There is a DSA parameter
+	    generation self test which is especially CPU intensive.</p>
+	    <p>As a result of the POST performance issue we revisited the KAT
+	    (Known Answer Test) requirements in the POST process that were
+	    burning up most of those cycle.  In consultation with a CMVP test
+	    lab we determined that it should be possible to substantially
+	    reduce that performance penalty in a new validation.
+	    Unfortunately such a change can only be undertaken in the context
+	    of a new validation, and not as a change letter modification.</p>
+	    <p>Another factor affecting performance is the use (or not) of
+	    platform specific optimizations.  The x86/x64 Windows and Linux
+	    code makes use of assembly language optimizations for FIPS
+	    cryptographic algorithms. The C only version is much slower and so
+	    the POST is slower too.</p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Docs</a>
+	    : <a href="">Important Notes about OpenSSL and FIPS-140</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/docs/fipsvalidation.html b/docs/fipsvalidation.html
new file mode 100644
index 0000000..534c87b
--- /dev/null
+++ b/docs/fipsvalidation.html
@@ -0,0 +1,121 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>OpenSSL and FIPS 140-2</h2></header>
+
+	  <div class="entry-content">
+	    <p>The most recent open source based validation of a cryptographic
+	    module (Module) compatible with the OpenSSL libraries is v2.0.1,
+	    FIPS 140-2 certificate <a
+	    href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
+	    This Module is documented in the
+	    <a href="UserGuide-2.0.pdf">2.0 User Guide</a>. It substantially
+	      updates and improves the earlier v1.2 module, FIPS 140-2
+	      certificate
+	    <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051">#1051</a>,
+	    which is documented in the
+	    <a href="UserGuide-1.2.pdf">1.2 User Guide</a>.</p>
+
+	    <p><strong>Important Note:</strong>
+	    Due to new requirements introduced in 2013 the current v2.0 Module
+	    is no longer suitable as a reference for private label
+	    validations; see the <a
+	    href="http://www.openssl.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
+	    Due to earlier changes in the FIPS 140-2 validation requirements
+	    the v1.2 Module is no longer be a suitable model for private label
+	    validations in its current form past the year 2010; see the NIST <a
+	      href="http://csrc.nist.gov/groups/STM/cmvp/notices.html">Notices</a>,
+	    <a
+	      href="http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf">discussion paper</a>
+	    and <a
+	      href="http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf">Draft 800-131</a>.</p>
+
+	    <h3>Sponsors</h3>
+	    <p>The OpenSSL FIPS Object Module validations receive support
+	    from multiple sources for each validation effort; however only
+	    those sponsors who have elected to be recognised for their
+	    contribution to OpenSSL are listed below.</p>
+
+	    <hr>
+	    <a href="http://www.darpa.mil/Our_Work/I2O/Programs/Transformative_Apps.aspx">Defense Advanced Research Projects Agency (DARPA) Transformative Apps Program</a>,
+	    original primary sponsor of the overall validation with several Android on ARMv7 platforms.
+
+	    <hr>
+	    <a href="http://www.securenetterm.com/">Intersoft International, Inc.</a>,
+	    platform sponsor (VC++ Win32/x86 asm optimisation)
+
+	    <hr>
+	    <img src="/img/opengear-logo-med.jpg">
+	    <a href="http://www.opengear.com/">Opengear, Inc.</a>, platform sponsor
+	    (uCLinux ARMv4 asm optimisation)
+
+	    <hr>
+	    <img src="/img/quintessence-logo-med.jpg">
+	    <a href="http://www.quintessencelabs.com/">QuintessenceLabs Pty Ltd</a>,
+	    platform sponsor (Fedora 14 x86-64 asm optimisation)
+
+	    <hr>
+	    <img src="/img/pkware-logo-med.jpg">
+	    <a href="http://www.pkware.com/">PKWARE, Inc.</a>, platform sponsor
+	    (HPUX 11i on Itanium 32, 64 bit with asm optimisation)
+
+	    <hr>
+            <img src="/img/cerberus-logo-med.jpg">
+	    <a href="http://www.cerberusftp.com/">Cerberus, LLC</a>, general sponsor
+	    <hr>
+	    <img src="/img/DHS-logo-med.jpg">
+	    <a href="http://www.cyber.st.dhs.gov/host.html">DHS Science and Technology Directorate-sponsored Homeland Open Security Technology (HOST) program</a>,
+	    algorithm sponsor (CMAC, AES-CCM)
+
+	    <hr>
+	    <img src="/img/innominate-logo-med.jpg">
+	    <a href="http://www.innominate.com/">Innominate Security Technologies AG</a>,
+	    platform sponsor (Linux on Freescale MPC8313)
+
+	    <hr>
+	    <img src="/img/psw-logo-med.jpg">
+	    <a href="http://www.psw.net/">PSW GROUP</a>,
+	    general sponsor
+
+	    <hr>
+	    <img src="/img/citrix-logo-med.jpg">
+	    <a href="http://www.citrix.com/">Citrix Systems, Inc.</a>,
+	    platform sponsor (multiple platforms)
+
+	    <hr>
+
+	    <p>If you have an interest in sponsoring any changes or additions
+	    to this validation please contact <a
+	      href="http://openssl.com/fips">OpenSSL Validation Services</a>.</p>
+	    <p>Some commercial software vendors ask us "what do we gain from
+	    sponsoring a validation that our competition can also use?".  Our
+	    answer is "nothing, if you think in terms of obstructing your
+	    competition".  If, on the other hand, you compete primarily on the
+	    merits of you products what others may do with the validation is
+	    less of a threat as they derive no more advantage from it than you
+	    do.  Your advantage is that your sponsorship will probably cost
+	    less that the commercial software license you would otherwise have
+	    to buy, and you will retain backwards compatibility with the
+	    regular OpenSSL API while avoiding vendor lock-in.</p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="">OpenSSL and FIPS 140-2</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/docs/index.html b/docs/index.html
new file mode 100644
index 0000000..72e3f1e
--- /dev/null
+++ b/docs/index.html
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Documentation<h2></header>
+	  <div class="entry-content">
+	    <p>We have an online copy of our
+	    <a href="faq.html">FAQ</a>.  It is
+	    also part of the distribution.</p>
+	    </p>
+	    <p>Information about the first-ever open source
+	    <a href="fips.html">FIPS-140 validation</a> is also
+	    available.</p>
+
+	    <p>Ivan Risti&#x0107;, the creator of
+	    <a href="https://ssllabs.com">https://ssllabs.com</a>,
+	    has a free download of his <em>OpenSSL Cookbook</em>
+	    that covers the most frequently used OpenSSL features
+	    and commands.  It is updated often, and is available
+	    at
+	    <a
+	      href="https://www.feistyduck.com/books/openssl-cookbook/">https://www.feistyduck.com/books/openssl-cookbook/</a>.
+	    It is highly recommended.
+	    </p>
+
+	    <p>Online versions of the manpages are not yet available,
+	    but will be shortly.</p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/docs/index.wml b/docs/index.wml
deleted file mode 100644
index 3ad49e6..0000000
--- a/docs/index.wml
+++ /dev/null
@@ -1,54 +0,0 @@
-
-#use wml::openssl area=docs page=index
-
-<title>Documentation</title>
-
-<h1>OpenSSL Documents</h1>
-
-<p>
-Here are copies of the manpages from the latest snapshot, and other
-useful documentation. Since they are from the snapshot, they may describe
-features which are not present in other releases.
-
-<p>
-<ul>
-<li><a href="apps/openssl.html" target="_blank"><font id=sfl>openssl(1)</font></a><br>
-    Manual page documenting the <b>openssl</b> command line tool,
-    or the <a href="apps/">full command list</a>.
-    (Opens in new page or tab.)
-<p>
-<li><a href="ssl/ssl.html" target="_blank"><font id=sfl>ssl(3)</font></a><br>
-    Manual page documenting the OpenSSL <b>SSL/TLS</b> library,
-    or the <a href="ssl/">full list of SSL API's</a>.
-    (Opens in new page or tab.)
-<p>
-<li><a href="crypto/crypto.html" target="_blank"><font id=sfl>crypto(3)</font></a><br>
-    Manual page documenting the OpenSSL <b>Crypto</b> library,
-    or the <a href="crypto/">full list of crypto API's</a>.
-    (Opens in new page or tab.)
-<p>
-<li><a href="HOWTO/"><font id=sfl>HOWTO</font></a><br>
-    HOWTO documents to introduce concepts or explain them in a way that is not possible in the manuals.
-<p>
-<li><a href="http://wiki.openssl.org/"><font id=sfl>WIKI</font></a><br>
-    A wiki providing information and guidance about openssl. Operated by the OpenSSL Software Foundation.
-<p>
-<li><a href="fips/"><font id=sfl>FIPS140</font></a>:<br>
-    Data and documentation related to the FIPS140 validation support in OpenSSL
-<p>
-</ul>
-
-<p>
-Other standards and documentation:
-<ul>
-    <item name="OpenSSL Cookbook"
-          info="A free ebook that covers configuration and command-line usage; highly recommended. Updated in March, with more than 30 new pages."
-          url="https://www.feistyduck.com/books/openssl-cookbook/">
-    <item name="X.680 and X.690"
-          info="The official ASN.1, BER and DER specifications."
-          url="http://www.itu.int/ITU-T/studygroups/com10/languages/">
-    <item name="ASN.1 Modules from X-series Recommendations"
-          info="The ASN.1 definitions for X.509 and other standards."
-          url="http://www.itu.int/ITU-T/asn1/database/itu-t/x/">
-</ul>
-
diff --git a/docs/sidebar.inc b/docs/sidebar.inc
new file mode 100644
index 0000000..13d62a7
--- /dev/null
+++ b/docs/sidebar.inc
@@ -0,0 +1,15 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Documentation</a></h1>
+    <ul>
+      <li>
+	<a href="faq.html">FAQ</a>
+      </li>
+      <li>
+        <a href="fips.html">FIPS-140 Validation</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
diff --git a/images/page-corner-bl.gif b/images/page-corner-bl.gif
deleted file mode 100644
index 8ac02c7..0000000
Binary files a/images/page-corner-bl.gif and /dev/null differ
diff --git a/images/page-corner-br.gif b/images/page-corner-br.gif
deleted file mode 100644
index 33e830d..0000000
Binary files a/images/page-corner-br.gif and /dev/null differ
diff --git a/images/page-corner-tr.gif b/images/page-corner-tr.gif
deleted file mode 100644
index 6a63e13..0000000
Binary files a/images/page-corner-tr.gif and /dev/null differ
diff --git a/images/page-head-bl.jpg b/images/page-head-bl.jpg
deleted file mode 100644
index 2604f71..0000000
Binary files a/images/page-head-bl.jpg and /dev/null differ
diff --git a/images/page-head-bm.jpg b/images/page-head-bm.jpg
deleted file mode 100644
index 8b02a1b..0000000
Binary files a/images/page-head-bm.jpg and /dev/null differ
diff --git a/images/page-head-tl.jpg b/images/page-head-tl.jpg
deleted file mode 100644
index b603f89..0000000
Binary files a/images/page-head-tl.jpg and /dev/null differ
diff --git a/images/page-head-tm.jpg b/images/page-head-tm.jpg
deleted file mode 100644
index 73051b9..0000000
Binary files a/images/page-head-tm.jpg and /dev/null differ
diff --git a/images/page-navbar-ab-n.jpg b/images/page-navbar-ab-n.jpg
deleted file mode 100644
index 5c84066..0000000
Binary files a/images/page-navbar-ab-n.jpg and /dev/null differ
diff --git a/images/page-navbar-ab-s.jpg b/images/page-navbar-ab-s.jpg
deleted file mode 100644
index 7ccba47..0000000
Binary files a/images/page-navbar-ab-s.jpg and /dev/null differ
diff --git a/images/page-navbar-bot.jpg b/images/page-navbar-bot.jpg
deleted file mode 100644
index 1c00c62..0000000
Binary files a/images/page-navbar-bot.jpg and /dev/null differ
diff --git a/images/page-navbar-do-n.jpg b/images/page-navbar-do-n.jpg
deleted file mode 100644
index dc7e04c..0000000
Binary files a/images/page-navbar-do-n.jpg and /dev/null differ
diff --git a/images/page-navbar-do-s.jpg b/images/page-navbar-do-s.jpg
deleted file mode 100644
index 0bff78b..0000000
Binary files a/images/page-navbar-do-s.jpg and /dev/null differ
diff --git a/images/page-navbar-fq-n.jpg b/images/page-navbar-fq-n.jpg
deleted file mode 100755
index de3b582..0000000
Binary files a/images/page-navbar-fq-n.jpg and /dev/null differ
diff --git a/images/page-navbar-fq-s.jpg b/images/page-navbar-fq-s.jpg
deleted file mode 100755
index 8fa2409..0000000
Binary files a/images/page-navbar-fq-s.jpg and /dev/null differ
diff --git a/images/page-navbar-ne-n.jpg b/images/page-navbar-ne-n.jpg
deleted file mode 100644
index 828731b..0000000
Binary files a/images/page-navbar-ne-n.jpg and /dev/null differ
diff --git a/images/page-navbar-ne-s.jpg b/images/page-navbar-ne-s.jpg
deleted file mode 100644
index 0025056..0000000
Binary files a/images/page-navbar-ne-s.jpg and /dev/null differ
diff --git a/images/page-navbar-re-n.jpg b/images/page-navbar-re-n.jpg
deleted file mode 100644
index f915322..0000000
Binary files a/images/page-navbar-re-n.jpg and /dev/null differ
diff --git a/images/page-navbar-re-s.jpg b/images/page-navbar-re-s.jpg
deleted file mode 100644
index 65bd3fb..0000000
Binary files a/images/page-navbar-re-s.jpg and /dev/null differ
diff --git a/images/page-navbar-se-n.jpg b/images/page-navbar-se-n.jpg
deleted file mode 100644
index 96cc9b2..0000000
Binary files a/images/page-navbar-se-n.jpg and /dev/null differ
diff --git a/images/page-navbar-se-s.jpg b/images/page-navbar-se-s.jpg
deleted file mode 100644
index 3db5d5f..0000000
Binary files a/images/page-navbar-se-s.jpg and /dev/null differ
diff --git a/images/page-navbar-so-n.jpg b/images/page-navbar-so-n.jpg
deleted file mode 100644
index 40f070b..0000000
Binary files a/images/page-navbar-so-n.jpg and /dev/null differ
diff --git a/images/page-navbar-so-s.jpg b/images/page-navbar-so-s.jpg
deleted file mode 100644
index 35af201..0000000
Binary files a/images/page-navbar-so-s.jpg and /dev/null differ
diff --git a/images/page-navbar-su-n.jpg b/images/page-navbar-su-n.jpg
deleted file mode 100644
index 6b165ec..0000000
Binary files a/images/page-navbar-su-n.jpg and /dev/null differ
diff --git a/images/page-navbar-su-s.jpg b/images/page-navbar-su-s.jpg
deleted file mode 100644
index 037b9ea..0000000
Binary files a/images/page-navbar-su-s.jpg and /dev/null differ
diff --git a/images/page-navbar-ti-n.jpg b/images/page-navbar-ti-n.jpg
deleted file mode 100644
index 765d8f1..0000000
Binary files a/images/page-navbar-ti-n.jpg and /dev/null differ
diff --git a/images/page-navbar-ti-s.jpg b/images/page-navbar-ti-s.jpg
deleted file mode 100644
index 4bc05e8..0000000
Binary files a/images/page-navbar-ti-s.jpg and /dev/null differ
diff --git a/images/page-navbar-top.jpg b/images/page-navbar-top.jpg
deleted file mode 100644
index 3703213..0000000
Binary files a/images/page-navbar-top.jpg and /dev/null differ
diff --git a/images/DHS-logo-med.jpg b/img/DHS-logo-med.jpg
similarity index 100%
rename from images/DHS-logo-med.jpg
rename to img/DHS-logo-med.jpg
diff --git a/images/acano-logo.jpg b/img/acano-logo.jpg
similarity index 100%
rename from images/acano-logo.jpg
rename to img/acano-logo.jpg
diff --git a/images/akamai-logo-med.png b/img/akamai-logo-med.png
similarity index 100%
rename from images/akamai-logo-med.png
rename to img/akamai-logo-med.png
diff --git a/images/cerberus-logo-med.jpg b/img/cerberus-logo-med.jpg
similarity index 100%
rename from images/cerberus-logo-med.jpg
rename to img/cerberus-logo-med.jpg
diff --git a/images/cii-logo-med.png b/img/cii-logo-med.png
similarity index 100%
rename from images/cii-logo-med.png
rename to img/cii-logo-med.png
diff --git a/images/citrix-logo-med.jpg b/img/citrix-logo-med.jpg
similarity index 100%
rename from images/citrix-logo-med.jpg
rename to img/citrix-logo-med.jpg
diff --git a/images/globalsign-logo-med.jpg b/img/globalsign-logo-med.jpg
similarity index 100%
rename from images/globalsign-logo-med.jpg
rename to img/globalsign-logo-med.jpg
diff --git a/images/huawei-logo-med.jpg b/img/huawei-logo-med.jpg
similarity index 100%
rename from images/huawei-logo-med.jpg
rename to img/huawei-logo-med.jpg
diff --git a/images/innominate-logo-med.jpg b/img/innominate-logo-med.jpg
similarity index 100%
rename from images/innominate-logo-med.jpg
rename to img/innominate-logo-med.jpg
diff --git a/images/lf-logo-med.png b/img/lf-logo-med.png
similarity index 100%
rename from images/lf-logo-med.png
rename to img/lf-logo-med.png
diff --git a/images/milton-logo-med.jpg b/img/milton-logo-med.jpg
similarity index 100%
rename from images/milton-logo-med.jpg
rename to img/milton-logo-med.jpg
diff --git a/images/nokia-logo-med.jpg b/img/nokia-logo-med.jpg
similarity index 100%
rename from images/nokia-logo-med.jpg
rename to img/nokia-logo-med.jpg
diff --git a/images/opengear-logo-med.jpg b/img/opengear-logo-med.jpg
similarity index 100%
rename from images/opengear-logo-med.jpg
rename to img/opengear-logo-med.jpg
diff --git a/images/oracle-logo-med.jpg b/img/oracle-logo-med.jpg
similarity index 100%
rename from images/oracle-logo-med.jpg
rename to img/oracle-logo-med.jpg
diff --git a/images/pkware-logo-med.jpg b/img/pkware-logo-med.jpg
similarity index 100%
rename from images/pkware-logo-med.jpg
rename to img/pkware-logo-med.jpg
diff --git a/images/psw-logo-med.jpg b/img/psw-logo-med.jpg
similarity index 100%
rename from images/psw-logo-med.jpg
rename to img/psw-logo-med.jpg
diff --git a/images/psw-logo.gif b/img/psw-logo.gif
similarity index 100%
rename from images/psw-logo.gif
rename to img/psw-logo.gif
diff --git a/images/qualsys-logo-med.jpg b/img/qualsys-logo-med.jpg
similarity index 100%
rename from images/qualsys-logo-med.jpg
rename to img/qualsys-logo-med.jpg
diff --git a/images/quintessence-logo-med.jpg b/img/quintessence-logo-med.jpg
similarity index 100%
rename from images/quintessence-logo-med.jpg
rename to img/quintessence-logo-med.jpg
diff --git a/images/smartisan-logo-med.png b/img/smartisan-logo-med.png
similarity index 100%
rename from images/smartisan-logo-med.png
rename to img/smartisan-logo-med.png
diff --git a/support/UnionPay.jpg b/img/unionpay.jpg
similarity index 100%
rename from support/UnionPay.jpg
rename to img/unionpay.jpg
diff --git a/img/up.gif b/img/up.gif
new file mode 100644
index 0000000..a169e3c
Binary files /dev/null and b/img/up.gif differ
diff --git a/inc/README b/inc/README
new file mode 100644
index 0000000..09edd38
--- /dev/null
+++ b/inc/README
@@ -0,0 +1 @@
+Directory for files that are used in multiple places.
diff --git a/inc/banner.inc b/inc/banner.inc
new file mode 100644
index 0000000..e9ce3a0
--- /dev/null
+++ b/inc/banner.inc
@@ -0,0 +1,33 @@
+<!-- banner.inc -->
+<header role="banner">
+  <hgroup>
+    <h1>
+      <a href="/">
+        <span id="header-open-text">Open</span><span id="header-ssl-text">SSL</span>
+      </a>
+    </h1>
+    <h2>
+      Cryptography and SSL/TLS Toolkit
+    </h2>
+  </hgroup>
+</header>
+
+<nav role="navigation">
+  <form action="https://www.google.com/search" method="get">
+    <fieldset role="search">
+      <input type="hidden" name="sitesearch" value="www.openssl.org" />
+      <input class="search" type="text" name="q" results="0" placeholder="Search"/>
+    </fieldset>
+  </form>
+
+  <ul class="main-navigation">
+    <li><a href="/" title="Home page">Home</a></li>
+    <li><a href="/source" title="Source code">Downloads</a></li>
+    <li><a href="/docs" title="FAQ, FIPS, manpages, ...">Docs</a></li>
+    <li><a href="/news" title="Latest information">News</a></li>
+    <li><a href="/policies" title="How we operate">Policies</a></li>
+    <li><a href="/community" title="Blog, bugs, email, ...">Community</a></li>
+    <li><a href="/support" title="Commercial support and contracting">Support</a></li>
+  </ul>
+  </nav>
+<!-- end -->
diff --git a/inc/footer.inc b/inc/footer.inc
new file mode 100644
index 0000000..e09888e
--- /dev/null
+++ b/inc/footer.inc
@@ -0,0 +1,7 @@
+<!-- footer.inc -->
+<footer role="contentinfo">
+  <p>
+    Copyright &copy; 2015, OpenSSL Software Foundation.
+  </p>
+</footer>
+<!-- end -->
diff --git a/inc/head.inc b/inc/head.inc
new file mode 100644
index 0000000..9367a7f
--- /dev/null
+++ b/inc/head.inc
@@ -0,0 +1,25 @@
+<!-- head.inc -->
+  <title>OpenSSL</title>
+  <meta charset="utf-8">
+  <meta name="author" content="OpenSSL Foundation, Inc.">
+  <meta name="HandheldFriendly" content="True">
+  <meta name="MobileOptimized" content="320">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+
+  <link rel="canonical" href="https://www.openssl.org/">
+  <link href="favicon.png" rel="icon">
+  <link href="/inc/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
+
+  <script src="/inc/modernizr-2.0.js"></script>
+  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
+  <script>!window.jQuery && document.write(unescape('%3Cscript src="./inc/libs/jquery.min.js"%3E%3C/script%3E'))</script>
+  <script src="/inc/octopress.js" type="text/javascript"></script>
+
+  <link href="//fonts.googleapis.com/css?family=PT+Serif:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
+  <link href="//fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
+
+  <!--[if lt IE 9]>
+    <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
+  <![endif]-->
+<!-- end -->
diff --git a/inc/legalities.inc b/inc/legalities.inc
new file mode 100644
index 0000000..2a2a3c8
--- /dev/null
+++ b/inc/legalities.inc
@@ -0,0 +1,21 @@
+<h3>Legalities</h3>
+<p>
+Please remember that export/import and/or use of strong
+cryptography software, providing cryptography hooks, or even just
+communicating technical details about cryptography software is
+illegal in some parts of the world. So when you import this
+package to your country, re-distribute it from there or even
+just email technical suggestions or even source patches to the
+authors or other people you are strongly advised to pay close
+attention to any laws or regulations which apply to
+you. The authors of openssl are not liable for any violations
+you make here. So be careful, it is your responsibility.
+</p>
+
+<h3>Acknowledgement</h3>
+<p>
+This product includes cryptographic software written by Eric
+Young. This product includes software written by Tim Hudson
+(tjh at cryptsoft.com).
+</p>
+
diff --git a/inc/libs/jquery.min.js b/inc/libs/jquery.min.js
new file mode 100644
index 0000000..32d50cb
--- /dev/null
+++ b/inc/libs/jquery.min.js
@@ -0,0 +1,5 @@
+/*! jQuery v1.9.1 | (c) 2005, 2012 jQuery Foundation, Inc. | jquery.org/license
+//@ sourceMappingURL=jquery.min.map
+*/(function(e,t){var n,r,i=typeof t,o=e.document,a=e.location,s=e.jQuery,u=e.$,l={},c=[],p="1.9.1",f=c.concat,d=c.push,h=c.slice,g=c.indexOf,m=l.toString,y=l.hasOwnProperty,v=p.trim,b=function(e,t){return new b.fn.init(e,t,r)},x=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,w=/\S+/g,T=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,N=/^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=/^<(\w+)\s*\/?>(?:<\/\1>|)$/,k=/^[\],:{}\s]*$/,E=/(?:^|:|,)(?:\s*\[)+/g,S=/\\(?:["\\\/bfnrt]|u[\da-fA-F]{4})/g,A=/"[^"\\\r\n]*"|true|false|null|-?(?:\d+\.|)\d+(?:[eE][+-]?\d+|)/g,j=/^-ms-/,D=/-([\da-z])/gi,L=function(e,t){return t.toUpperCase()},H=function(e){(o.addEventListener||"load"===e.type||"complete"===o.readyState)&&(q(),b.ready())},q=function(){o.addEventListener?(o.removeEventListener("DOMContentLoaded",H,!1),e.removeEventListener("load",H,!1)):(o.detachEvent("onreadystatechange",H),e.detachEvent("onload",H))};b.fn=b.prototype={jquery:p,constructor:b,init:function(e,n,r){var i,a;if(!e)return this;if("string"==typeof e){if(i="<"===e.charAt(0)&&">"===e.charAt(e.length-1)&&e.length>=3?[null,e,null]:N.exec(e),!i||!i[1]&&n)return!n||n.jquery?(n||r).find(e):this.constructor(n).find(e);if(i[1]){if(n=n instanceof b?n[0]:n,b.merge(this,b.parseHTML(i[1],n&&n.nodeType?n.ownerDocument||n:o,!0)),C.test(i[1])&&b.isPlainObject(n))for(i in n)b.isFunction(this[i])?this[i](n[i]):this.attr(i,n[i]);return this}if(a=o.getElementById(i[2]),a&&a.parentNode){if(a.id!==i[2])return r.find(e);this.length=1,this[0]=a}return this.context=o,this.selector=e,this}return e.nodeType?(this.context=this[0]=e,this.length=1,this):b.isFunction(e)?r.ready(e):(e.selector!==t&&(this.selector=e.selector,this.context=e.context),b.makeArray(e,this))},selector:"",length:0,size:function(){return this.length},toArray:function(){return h.call(this)},get:function(e){return null==e?this.toArray():0>e?this[this.length+e]:this[e]},pushStack:function(e){var t=b.merge(this.constructor(),e);return t.prevObject=this,t.context=this.context,t},each:function(e,t){return b.each(this,e,t)},ready:function(e){return b.ready.promise().done(e),this},slice:function(){return this.pushStack(h.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(0>e?t:0);return this.pushStack(n>=0&&t>n?[this[n]]:[])},map:function(e){return this.pushStack(b.map(this,function(t,n){return e.call(t,n,t)}))},end:function(){return this.prevObject||this.constructor(null)},push:d,sort:[].sort,splice:[].splice},b.fn.init.prototype=b.fn,b.extend=b.fn.extend=function(){var e,n,r,i,o,a,s=arguments[0]||{},u=1,l=arguments.length,c=!1;for("boolean"==typeof s&&(c=s,s=arguments[1]||{},u=2),"object"==typeof s||b.isFunction(s)||(s={}),l===u&&(s=this,--u);l>u;u++)if(null!=(o=arguments[u]))for(i in o)e=s[i],r=o[i],s!==r&&(c&&r&&(b.isPlainObject(r)||(n=b.isArray(r)))?(n?(n=!1,a=e&&b.isArray(e)?e:[]):a=e&&b.isPlainObject(e)?e:{},s[i]=b.extend(c,a,r)):r!==t&&(s[i]=r));return s},b.extend({noConflict:function(t){return e.$===b&&(e.$=u),t&&e.jQuery===b&&(e.jQuery=s),b},isReady:!1,readyWait:1,holdReady:function(e){e?b.readyWait++:b.ready(!0)},ready:function(e){if(e===!0?!--b.readyWait:!b.isReady){if(!o.body)return setTimeout(b.ready);b.isReady=!0,e!==!0&&--b.readyWait>0||(n.resolveWith(o,[b]),b.fn.trigger&&b(o).trigger("ready").off("ready"))}},isFunction:function(e){return"function"===b.type(e)},isArray:Array.isArray||function(e){return"array"===b.type(e)},isWindow:function(e){return null!=e&&e==e.window},isNumeric:function(e){return!isNaN(parseFloat(e))&&isFinite(e)},type:function(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[m.call(e)]||"object":typeof e},isPlainObject:function(e){if(!e||"object"!==b.type(e)||e.nodeType||b.isWindow(e))return!1;try{if(e.constructor&&!y.call(e,"constructor")&&!y.call(e.constructor.prototype,"isPrototypeOf"))return!1}catch(n){return!1}var r;for(r in e);return r===t||y.call(e,r)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},error:function(e){throw Error(e)},parseHTML:function(e,t,n){if(!e||"string"!=typeof e)return null;"boolean"==typeof t&&(n=t,t=!1),t=t||o;var r=C.exec(e),i=!n&&[];return r?[t.createElement(r[1])]:(r=b.buildFragment([e],t,i),i&&b(i).remove(),b.merge([],r.childNodes))},parseJSON:function(n){return e.JSON&&e.JSON.parse?e.JSON.parse(n):null===n?n:"string"==typeof n&&(n=b.trim(n),n&&k.test(n.replace(S,"@").replace(A,"]").replace(E,"")))?Function("return "+n)():(b.error("Invalid JSON: "+n),t)},parseXML:function(n){var r,i;if(!n||"string"!=typeof n)return null;try{e.DOMParser?(i=new DOMParser,r=i.parseFromString(n,"text/xml")):(r=new ActiveXObject("Microsoft.XMLDOM"),r.async="false",r.loadXML(n))}catch(o){r=t}return r&&r.documentElement&&!r.getElementsByTagName("parsererror").length||b.error("Invalid XML: "+n),r},noop:function(){},globalEval:function(t){t&&b.trim(t)&&(e.execScript||function(t){e.eval.call(e,t)})(t)},camelCase:function(e){return e.replace(j,"ms-").replace(D,L)},nodeName:function(e,t){return e.nodeName&&e.nodeName.toLowerCase()===t.toLowerCase()},each:function(e,t,n){var r,i=0,o=e.length,a=M(e);if(n){if(a){for(;o>i;i++)if(r=t.apply(e[i],n),r===!1)break}else for(i in e)if(r=t.apply(e[i],n),r===!1)break}else if(a){for(;o>i;i++)if(r=t.call(e[i],i,e[i]),r===!1)break}else for(i in e)if(r=t.call(e[i],i,e[i]),r===!1)break;return e},trim:v&&!v.call("\ufeff\u00a0")?function(e){return null==e?"":v.call(e)}:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(M(Object(e))?b.merge(n,"string"==typeof e?[e]:e):d.call(n,e)),n},inArray:function(e,t,n){var r;if(t){if(g)return g.call(t,e,n);for(r=t.length,n=n?0>n?Math.max(0,r+n):n:0;r>n;n++)if(n in t&&t[n]===e)return n}return-1},merge:function(e,n){var r=n.length,i=e.length,o=0;if("number"==typeof r)for(;r>o;o++)e[i++]=n[o];else while(n[o]!==t)e[i++]=n[o++];return e.length=i,e},grep:function(e,t,n){var r,i=[],o=0,a=e.length;for(n=!!n;a>o;o++)r=!!t(e[o],o),n!==r&&i.push(e[o]);return i},map:function(e,t,n){var r,i=0,o=e.length,a=M(e),s=[];if(a)for(;o>i;i++)r=t(e[i],i,n),null!=r&&(s[s.length]=r);else for(i in e)r=t(e[i],i,n),null!=r&&(s[s.length]=r);return f.apply([],s)},guid:1,proxy:function(e,n){var r,i,o;return"string"==typeof n&&(o=e[n],n=e,e=o),b.isFunction(e)?(r=h.call(arguments,2),i=function(){return e.apply(n||this,r.concat(h.call(arguments)))},i.guid=e.guid=e.guid||b.guid++,i):t},access:function(e,n,r,i,o,a,s){var u=0,l=e.length,c=null==r;if("object"===b.type(r)){o=!0;for(u in r)b.access(e,n,u,r[u],!0,a,s)}else if(i!==t&&(o=!0,b.isFunction(i)||(s=!0),c&&(s?(n.call(e,i),n=null):(c=n,n=function(e,t,n){return c.call(b(e),n)})),n))for(;l>u;u++)n(e[u],r,s?i:i.call(e[u],u,n(e[u],r)));return o?e:c?n.call(e):l?n(e[0],r):a},now:function(){return(new Date).getTime()}}),b.ready.promise=function(t){if(!n)if(n=b.Deferred(),"complete"===o.readyState)setTimeout(b.ready);else if(o.addEventListener)o.addEventListener("DOMContentLoaded",H,!1),e.addEventListener("load",H,!1);else{o.attachEvent("onreadystatechange",H),e.attachEvent("onload",H);var r=!1;try{r=null==e.frameElement&&o.documentElement}catch(i){}r&&r.doScroll&&function a(){if(!b.isReady){try{r.doScroll("left")}catch(e){return setTimeout(a,50)}q(),b.ready()}}()}return n.promise(t)},b.each("Boolean Number String Function Array Date RegExp Object Error".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function M(e){var t=e.length,n=b.type(e);return b.isWindow(e)?!1:1===e.nodeType&&t?!0:"array"===n||"function"!==n&&(0===t||"number"==typeof t&&t>0&&t-1 in e)}r=b(o);var _={};function F(e){var t=_[e]={};return b.each(e.match(w)||[],function(e,n){t[n]=!0}),t}b.Callbacks=function(e){e="string"==typeof e?_[e]||F(e):b.extend({},e);var n,r,i,o,a,s,u=[],l=!e.once&&[],c=function(t){for(r=e.memory&&t,i=!0,a=s||0,s=0,o=u.length,n=!0;u&&o>a;a++)if(u[a].apply(t[0],t[1])===!1&&e.stopOnFalse){r=!1;break}n=!1,u&&(l?l.length&&c(l.shift()):r?u=[]:p.disable())},p={add:function(){if(u){var t=u.length;(function i(t){b.each(t,function(t,n){var r=b.type(n);"function"===r?e.unique&&p.has(n)||u.push(n):n&&n.length&&"string"!==r&&i(n)})})(arguments),n?o=u.length:r&&(s=t,c(r))}return this},remove:function(){return u&&b.each(arguments,function(e,t){var r;while((r=b.inArray(t,u,r))>-1)u.splice(r,1),n&&(o>=r&&o--,a>=r&&a--)}),this},has:function(e){return e?b.inArray(e,u)>-1:!(!u||!u.length)},empty:function(){return u=[],this},disable:function(){return u=l=r=t,this},disabled:function(){return!u},lock:function(){return l=t,r||p.disable(),this},locked:function(){return!l},fireWith:function(e,t){return t=t||[],t=[e,t.slice?t.slice():t],!u||i&&!l||(n?l.push(t):c(t)),this},fire:function(){return p.fireWith(this,arguments),this},fired:function(){return!!i}};return p},b.extend({Deferred:function(e){var t=[["resolve","done",b.Callbacks("once memory"),"resolved"],["reject","fail",b.Callbacks("once memory"),"rejected"],["notify","progress",b.Callbacks("memory")]],n="pending",r={state:function(){return n},always:function(){return i.done(arguments).fail(arguments),this},then:function(){var e=arguments;return b.Deferred(function(n){b.each(t,function(t,o){var a=o[0],s=b.isFunction(e[t])&&e[t];i[o[1]](function(){var e=s&&s.apply(this,arguments);e&&b.isFunction(e.promise)?e.promise().done(n.resolve).fail(n.reject).progress(n.notify):n[a+"With"](this===r?n.promise():this,s?[e]:arguments)})}),e=null}).promise()},promise:function(e){return null!=e?b.extend(e,r):r}},i={};return r.pipe=r.then,b.each(t,function(e,o){var a=o[2],s=o[3];r[o[1]]=a.add,s&&a.add(function(){n=s},t[1^e][2].disable,t[2][2].lock),i[o[0]]=function(){return i[o[0]+"With"](this===i?r:this,arguments),this},i[o[0]+"With"]=a.fireWith}),r.promise(i),e&&e.call(i,i),i},when:function(e){var t=0,n=h.call(arguments),r=n.length,i=1!==r||e&&b.isFunction(e.promise)?r:0,o=1===i?e:b.Deferred(),a=function(e,t,n){return function(r){t[e]=this,n[e]=arguments.length>1?h.call(arguments):r,n===s?o.notifyWith(t,n):--i||o.resolveWith(t,n)}},s,u,l;if(r>1)for(s=Array(r),u=Array(r),l=Array(r);r>t;t++)n[t]&&b.isFunction(n[t].promise)?n[t].promise().done(a(t,l,n)).fail(o.reject).progress(a(t,u,s)):--i;return i||o.resolveWith(l,n),o.promise()}}),b.support=function(){var t,n,r,a,s,u,l,c,p,f,d=o.createElement("div");if(d.setAttribute("className","t"),d.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",n=d.getElementsByTagName("*"),r=d.getElementsByTagName("a")[0],!n||!r||!n.length)return{};s=o.createElement("select"),l=s.appendChild(o.createElement("option")),a=d.getElementsByTagName("input")[0],r.style.cssText="top:1px;float:left;opacity:.5",t={getSetAttribute:"t"!==d.className,leadingWhitespace:3===d.firstChild.nodeType,tbody:!d.getElementsByTagName("tbody").length,htmlSerialize:!!d.getElementsByTagName("link").length,style:/top/.test(r.getAttribute("style")),hrefNormalized:"/a"===r.getAttribute("href"),opacity:/^0.5/.test(r.style.opacity),cssFloat:!!r.style.cssFloat,checkOn:!!a.value,optSelected:l.selected,enctype:!!o.createElement("form").enctype,html5Clone:"<:nav></:nav>"!==o.createElement("nav").cloneNode(!0).outerHTML,boxModel:"CSS1Compat"===o.compatMode,deleteExpando:!0,noCloneEvent:!0,inlineBlockNeedsLayout:!1,shrinkWrapBlocks:!1,reliableMarginRight:!0,boxSizingReliable:!0,pixelPosition:!1},a.checked=!0,t.noCloneChecked=a.cloneNode(!0).checked,s.disabled=!0,t.optDisabled=!l.disabled;try{delete d.test}catch(h){t.deleteExpando=!1}a=o.createElement("input"),a.setAttribute("value",""),t.input=""===a.getAttribute("value"),a.value="t",a.setAttribute("type","radio"),t.radioValue="t"===a.value,a.setAttribute("checked","t"),a.setAttribute("name","t"),u=o.createDocumentFragment(),u.appendChild(a),t.appendChecked=a.checked,t.checkClone=u.cloneNode(!0).cloneNode(!0).lastChild.checked,d.attachEvent&&(d.attachEvent("onclick",function(){t.noCloneEvent=!1}),d.cloneNode(!0).click());for(f in{submit:!0,change:!0,focusin:!0})d.setAttribute(c="on"+f,"t"),t[f+"Bubbles"]=c in e||d.attributes[c].expando===!1;return d.style.backgroundClip="content-box",d.cloneNode(!0).style.backgroundClip="",t.clearCloneStyle="content-box"===d.style.backgroundClip,b(function(){var n,r,a,s="padding:0;margin:0;border:0;display:block;box-sizing:content-box;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;",u=o.getElementsByTagName("body")[0];u&&(n=o.createElement("div"),n.style.cssText="border:0;width:0;height:0;position:absolute;top:0;left:-9999px;margin-top:1px",u.appendChild(n).appendChild(d),d.innerHTML="<table><tr><td></td><td>t</td></tr></table>",a=d.getElementsByTagName("td"),a[0].style.cssText="padding:0;margin:0;border:0;display:none",p=0===a[0].offsetHeight,a[0].style.display="",a[1].style.display="none",t.reliableHiddenOffsets=p&&0===a[0].offsetHeight,d.innerHTML="",d.style.cssText="box-sizing:border-box;-moz-box-sizing:border-box;-webkit-box-sizing:border-box;padding:1px;border:1px;display:block;width:4px;margin-top:1%;position:absolute;top:1%;",t.boxSizing=4===d.offsetWidth,t.doesNotIncludeMarginInBodyOffset=1!==u.offsetTop,e.getComputedStyle&&(t.pixelPosition="1%"!==(e.getComputedStyle(d,null)||{}).top,t.boxSizingReliable="4px"===(e.getComputedStyle(d,null)||{width:"4px"}).width,r=d.appendChild(o.createElement("div")),r.style.cssText=d.style.cssText=s,r.style.marginRight=r.style.width="0",d.style.width="1px",t.reliableMarginRight=!parseFloat((e.getComputedStyle(r,null)||{}).marginRight)),typeof d.style.zoom!==i&&(d.innerHTML="",d.style.cssText=s+"width:1px;padding:1px;display:inline;zoom:1",t.inlineBlockNeedsLayout=3===d.offsetWidth,d.style.display="block",d.innerHTML="<div></div>",d.firstChild.style.width="5px",t.shrinkWrapBlocks=3!==d.offsetWidth,t.inlineBlockNeedsLayout&&(u.style.zoom=1)),u.removeChild(n),n=d=a=r=null)}),n=s=u=l=r=a=null,t}();var O=/(?:\{[\s\S]*\}|\[[\s\S]*\])$/,B=/([A-Z])/g;function P(e,n,r,i){if(b.acceptData(e)){var o,a,s=b.expando,u="string"==typeof n,l=e.nodeType,p=l?b.cache:e,f=l?e[s]:e[s]&&s;if(f&&p[f]&&(i||p[f].data)||!u||r!==t)return f||(l?e[s]=f=c.pop()||b.guid++:f=s),p[f]||(p[f]={},l||(p[f].toJSON=b.noop)),("object"==typeof n||"function"==typeof n)&&(i?p[f]=b.extend(p[f],n):p[f].data=b.extend(p[f].data,n)),o=p[f],i||(o.data||(o.data={}),o=o.data),r!==t&&(o[b.camelCase(n)]=r),u?(a=o[n],null==a&&(a=o[b.camelCase(n)])):a=o,a}}function R(e,t,n){if(b.acceptData(e)){var r,i,o,a=e.nodeType,s=a?b.cache:e,u=a?e[b.expando]:b.expando;if(s[u]){if(t&&(o=n?s[u]:s[u].data)){b.isArray(t)?t=t.concat(b.map(t,b.camelCase)):t in o?t=[t]:(t=b.camelCase(t),t=t in o?[t]:t.split(" "));for(r=0,i=t.length;i>r;r++)delete o[t[r]];if(!(n?$:b.isEmptyObject)(o))return}(n||(delete s[u].data,$(s[u])))&&(a?b.cleanData([e],!0):b.support.deleteExpando||s!=s.window?delete s[u]:s[u]=null)}}}b.extend({cache:{},expando:"jQuery"+(p+Math.random()).replace(/\D/g,""),noData:{embed:!0,object:"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000",applet:!0},hasData:function(e){return e=e.nodeType?b.cache[e[b.expando]]:e[b.expando],!!e&&!$(e)},data:function(e,t,n){return P(e,t,n)},removeData:function(e,t){return R(e,t)},_data:function(e,t,n){return P(e,t,n,!0)},_removeData:function(e,t){return R(e,t,!0)},acceptData:function(e){if(e.nodeType&&1!==e.nodeType&&9!==e.nodeType)return!1;var t=e.nodeName&&b.noData[e.nodeName.toLowerCase()];return!t||t!==!0&&e.getAttribute("classid")===t}}),b.fn.extend({data:function(e,n){var r,i,o=this[0],a=0,s=null;if(e===t){if(this.length&&(s=b.data(o),1===o.nodeType&&!b._data(o,"parsedAttrs"))){for(r=o.attributes;r.length>a;a++)i=r[a].name,i.indexOf("data-")||(i=b.camelCase(i.slice(5)),W(o,i,s[i]));b._data(o,"parsedAttrs",!0)}return s}return"object"==typeof e?this.each(function(){b.data(this,e)}):b.access(this,function(n){return n===t?o?W(o,e,b.data(o,e)):null:(this.each(function(){b.data(this,e,n)}),t)},null,n,arguments.length>1,null,!0)},removeData:function(e){return this.each(function(){b.removeData(this,e)})}});function W(e,n,r){if(r===t&&1===e.nodeType){var i="data-"+n.replace(B,"-$1").toLowerCase();if(r=e.getAttribute(i),"string"==typeof r){try{r="true"===r?!0:"false"===r?!1:"null"===r?null:+r+""===r?+r:O.test(r)?b.parseJSON(r):r}catch(o){}b.data(e,n,r)}else r=t}return r}function $(e){var t;for(t in e)if(("data"!==t||!b.isEmptyObject(e[t]))&&"toJSON"!==t)return!1;return!0}b.extend({queue:function(e,n,r){var i;return e?(n=(n||"fx")+"queue",i=b._data(e,n),r&&(!i||b.isArray(r)?i=b._data(e,n,b.makeArray(r)):i.push(r)),i||[]):t},dequeue:function(e,t){t=t||"fx";var n=b.queue(e,t),r=n.length,i=n.shift(),o=b._queueHooks(e,t),a=function(){b.dequeue(e,t)};"inprogress"===i&&(i=n.shift(),r--),o.cur=i,i&&("fx"===t&&n.unshift("inprogress"),delete o.stop,i.call(e,a,o)),!r&&o&&o.empty.fire()},_queueHooks:function(e,t){var n=t+"queueHooks";return b._data(e,n)||b._data(e,n,{empty:b.Callbacks("once memory").add(function(){b._removeData(e,t+"queue"),b._removeData(e,n)})})}}),b.fn.extend({queue:function(e,n){var r=2;return"string"!=typeof e&&(n=e,e="fx",r--),r>arguments.length?b.queue(this[0],e):n===t?this:this.each(function(){var t=b.queue(this,e,n);b._queueHooks(this,e),"fx"===e&&"inprogress"!==t[0]&&b.dequeue(this,e)})},dequeue:function(e){return this.each(function(){b.dequeue(this,e)})},delay:function(e,t){return e=b.fx?b.fx.speeds[e]||e:e,t=t||"fx",this.queue(t,function(t,n){var r=setTimeout(t,e);n.stop=function(){clearTimeout(r)}})},clearQueue:function(e){return this.queue(e||"fx",[])},promise:function(e,n){var r,i=1,o=b.Deferred(),a=this,s=this.length,u=function(){--i||o.resolveWith(a,[a])};"string"!=typeof e&&(n=e,e=t),e=e||"fx";while(s--)r=b._data(a[s],e+"queueHooks"),r&&r.empty&&(i++,r.empty.add(u));return u(),o.promise(n)}});var I,z,X=/[\t\r\n]/g,U=/\r/g,V=/^(?:input|select|textarea|button|object)$/i,Y=/^(?:a|area)$/i,J=/^(?:checked|selected|autofocus|autoplay|async|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped)$/i,G=/^(?:checked|selected)$/i,Q=b.support.getSetAttribute,K=b.support.input;b.fn.extend({attr:function(e,t){return b.access(this,b.attr,e,t,arguments.length>1)},removeAttr:function(e){return this.each(function(){b.removeAttr(this,e)})},prop:function(e,t){return b.access(this,b.prop,e,t,arguments.length>1)},removeProp:function(e){return e=b.propFix[e]||e,this.each(function(){try{this[e]=t,delete this[e]}catch(n){}})},addClass:function(e){var t,n,r,i,o,a=0,s=this.length,u="string"==typeof e&&e;if(b.isFunction(e))return this.each(function(t){b(this).addClass(e.call(this,t,this.className))});if(u)for(t=(e||"").match(w)||[];s>a;a++)if(n=this[a],r=1===n.nodeType&&(n.className?(" "+n.className+" ").replace(X," "):" ")){o=0;while(i=t[o++])0>r.indexOf(" "+i+" ")&&(r+=i+" ");n.className=b.trim(r)}return this},removeClass:function(e){var t,n,r,i,o,a=0,s=this.length,u=0===arguments.length||"string"==typeof e&&e;if(b.isFunction(e))return this.each(function(t){b(this).removeClass(e.call(this,t,this.className))});if(u)for(t=(e||"").match(w)||[];s>a;a++)if(n=this[a],r=1===n.nodeType&&(n.className?(" "+n.className+" ").replace(X," "):"")){o=0;while(i=t[o++])while(r.indexOf(" "+i+" ")>=0)r=r.replace(" "+i+" "," ");n.className=e?b.trim(r):""}return this},toggleClass:function(e,t){var n=typeof e,r="boolean"==typeof t;return b.isFunction(e)?this.each(function(n){b(this).toggleClass(e.call(this,n,this.className,t),t)}):this.each(function(){if("string"===n){var o,a=0,s=b(this),u=t,l=e.match(w)||[];while(o=l[a++])u=r?u:!s.hasClass(o),s[u?"addClass":"removeClass"](o)}else(n===i||"boolean"===n)&&(this.className&&b._data(this,"__className__",this.className),this.className=this.className||e===!1?"":b._data(this,"__className__")||"")})},hasClass:function(e){var t=" "+e+" ",n=0,r=this.length;for(;r>n;n++)if(1===this[n].nodeType&&(" "+this[n].className+" ").replace(X," ").indexOf(t)>=0)return!0;return!1},val:function(e){var n,r,i,o=this[0];{if(arguments.length)return i=b.isFunction(e),this.each(function(n){var o,a=b(this);1===this.nodeType&&(o=i?e.call(this,n,a.val()):e,null==o?o="":"number"==typeof o?o+="":b.isArray(o)&&(o=b.map(o,function(e){return null==e?"":e+""})),r=b.valHooks[this.type]||b.valHooks[this.nodeName.toLowerCase()],r&&"set"in r&&r.set(this,o,"value")!==t||(this.value=o))});if(o)return r=b.valHooks[o.type]||b.valHooks[o.nodeName.toLowerCase()],r&&"get"in r&&(n=r.get(o,"value"))!==t?n:(n=o.value,"string"==typeof n?n.replace(U,""):null==n?"":n)}}}),b.extend({valHooks:{option:{get:function(e){var t=e.attributes.value;return!t||t.specified?e.value:e.text}},select:{get:function(e){var t,n,r=e.options,i=e.selectedIndex,o="select-one"===e.type||0>i,a=o?null:[],s=o?i+1:r.length,u=0>i?s:o?i:0;for(;s>u;u++)if(n=r[u],!(!n.selected&&u!==i||(b.support.optDisabled?n.disabled:null!==n.getAttribute("disabled"))||n.parentNode.disabled&&b.nodeName(n.parentNode,"optgroup"))){if(t=b(n).val(),o)return t;a.push(t)}return a},set:function(e,t){var n=b.makeArray(t);return b(e).find("option").each(function(){this.selected=b.inArray(b(this).val(),n)>=0}),n.length||(e.selectedIndex=-1),n}}},attr:function(e,n,r){var o,a,s,u=e.nodeType;if(e&&3!==u&&8!==u&&2!==u)return typeof e.getAttribute===i?b.prop(e,n,r):(a=1!==u||!b.isXMLDoc(e),a&&(n=n.toLowerCase(),o=b.attrHooks[n]||(J.test(n)?z:I)),r===t?o&&a&&"get"in o&&null!==(s=o.get(e,n))?s:(typeof e.getAttribute!==i&&(s=e.getAttribute(n)),null==s?t:s):null!==r?o&&a&&"set"in o&&(s=o.set(e,r,n))!==t?s:(e.setAttribute(n,r+""),r):(b.removeAttr(e,n),t))},removeAttr:function(e,t){var n,r,i=0,o=t&&t.match(w);if(o&&1===e.nodeType)while(n=o[i++])r=b.propFix[n]||n,J.test(n)?!Q&&G.test(n)?e[b.camelCase("default-"+n)]=e[r]=!1:e[r]=!1:b.attr(e,n,""),e.removeAttribute(Q?n:r)},attrHooks:{type:{set:function(e,t){if(!b.support.radioValue&&"radio"===t&&b.nodeName(e,"input")){var n=e.value;return e.setAttribute("type",t),n&&(e.value=n),t}}}},propFix:{tabindex:"tabIndex",readonly:"readOnly","for":"htmlFor","class":"className",maxlength:"maxLength",cellspacing:"cellSpacing",cellpadding:"cellPadding",rowspan:"rowSpan",colspan:"colSpan",usemap:"useMap",frameborder:"frameBorder",contenteditable:"contentEditable"},prop:function(e,n,r){var i,o,a,s=e.nodeType;if(e&&3!==s&&8!==s&&2!==s)return a=1!==s||!b.isXMLDoc(e),a&&(n=b.propFix[n]||n,o=b.propHooks[n]),r!==t?o&&"set"in o&&(i=o.set(e,r,n))!==t?i:e[n]=r:o&&"get"in o&&null!==(i=o.get(e,n))?i:e[n]},propHooks:{tabIndex:{get:function(e){var n=e.getAttributeNode("tabindex");return n&&n.specified?parseInt(n.value,10):V.test(e.nodeName)||Y.test(e.nodeName)&&e.href?0:t}}}}),z={get:function(e,n){var r=b.prop(e,n),i="boolean"==typeof r&&e.getAttribute(n),o="boolean"==typeof r?K&&Q?null!=i:G.test(n)?e[b.camelCase("default-"+n)]:!!i:e.getAttributeNode(n);return o&&o.value!==!1?n.toLowerCase():t},set:function(e,t,n){return t===!1?b.removeAttr(e,n):K&&Q||!G.test(n)?e.setAttribute(!Q&&b.propFix[n]||n,n):e[b.camelCase("default-"+n)]=e[n]=!0,n}},K&&Q||(b.attrHooks.value={get:function(e,n){var r=e.getAttributeNode(n);return b.nodeName(e,"input")?e.defaultValue:r&&r.specified?r.value:t},set:function(e,n,r){return b.nodeName(e,"input")?(e.defaultValue=n,t):I&&I.set(e,n,r)}}),Q||(I=b.valHooks.button={get:function(e,n){var r=e.getAttributeNode(n);return r&&("id"===n||"name"===n||"coords"===n?""!==r.value:r.specified)?r.value:t},set:function(e,n,r){var i=e.getAttributeNode(r);return i||e.setAttributeNode(i=e.ownerDocument.createAttribute(r)),i.value=n+="","value"===r||n===e.getAttribute(r)?n:t}},b.attrHooks.contenteditable={get:I.get,set:function(e,t,n){I.set(e,""===t?!1:t,n)}},b.each(["width","height"],function(e,n){b.attrHooks[n]=b.extend(b.attrHooks[n],{set:function(e,r){return""===r?(e.setAttribute(n,"auto"),r):t}})})),b.support.hrefNormalized||(b.each(["href","src","width","height"],function(e,n){b.attrHooks[n]=b.extend(b.attrHooks[n],{get:function(e){var r=e.getAttribute(n,2);return null==r?t:r}})}),b.each(["href","src"],function(e,t){b.propHooks[t]={get:function(e){return e.getAttribute(t,4)}}})),b.support.style||(b.attrHooks.style={get:function(e){return e.style.cssText||t},set:function(e,t){return e.style.cssText=t+""}}),b.support.optSelected||(b.propHooks.selected=b.extend(b.propHooks.selected,{get:function(e){var t=e.parentNode;return t&&(t.selectedIndex,t.parentNode&&t.parentNode.selectedIndex),null}})),b.support.enctype||(b.propFix.enctype="encoding"),b.support.checkOn||b.each(["radio","checkbox"],function(){b.valHooks[this]={get:function(e){return null===e.getAttribute("value")?"on":e.value}}}),b.each(["radio","checkbox"],function(){b.valHooks[this]=b.extend(b.valHooks[this],{set:function(e,n){return b.isArray(n)?e.checked=b.inArray(b(e).val(),n)>=0:t}})});var Z=/^(?:input|select|textarea)$/i,et=/^key/,tt=/^(?:mouse|contextmenu)|click/,nt=/^(?:focusinfocus|focusoutblur)$/,rt=/^([^.]*)(?:\.(.+)|)$/;function it(){return!0}function ot(){return!1}b.event={global:{},add:function(e,n,r,o,a){var s,u,l,c,p,f,d,h,g,m,y,v=b._data(e);if(v){r.handler&&(c=r,r=c.handler,a=c.selector),r.guid||(r.guid=b.guid++),(u=v.events)||(u=v.events={}),(f=v.handle)||(f=v.handle=function(e){return typeof b===i||e&&b.event.triggered===e.type?t:b.event.dispatch.apply(f.elem,arguments)},f.elem=e),n=(n||"").match(w)||[""],l=n.length;while(l--)s=rt.exec(n[l])||[],g=y=s[1],m=(s[2]||"").split(".").sort(),p=b.event.special[g]||{},g=(a?p.delegateType:p.bindType)||g,p=b.event.special[g]||{},d=b.extend({type:g,origType:y,data:o,handler:r,guid:r.guid,selector:a,needsContext:a&&b.expr.match.needsContext.test(a),namespace:m.join(".")},c),(h=u[g])||(h=u[g]=[],h.delegateCount=0,p.setup&&p.setup.call(e,o,m,f)!==!1||(e.addEventListener?e.addEventListener(g,f,!1):e.attachEvent&&e.attachEvent("on"+g,f))),p.add&&(p.add.call(e,d),d.handler.guid||(d.handler.guid=r.guid)),a?h.splice(h.delegateCount++,0,d):h.push(d),b.event.global[g]=!0;e=null}},remove:function(e,t,n,r,i){var o,a,s,u,l,c,p,f,d,h,g,m=b.hasData(e)&&b._data(e);if(m&&(c=m.events)){t=(t||"").match(w)||[""],l=t.length;while(l--)if(s=rt.exec(t[l])||[],d=g=s[1],h=(s[2]||"").split(".").sort(),d){p=b.event.special[d]||{},d=(r?p.delegateType:p.bindType)||d,f=c[d]||[],s=s[2]&&RegExp("(^|\\.)"+h.join("\\.(?:.*\\.|)")+"(\\.|$)"),u=o=f.length;while(o--)a=f[o],!i&&g!==a.origType||n&&n.guid!==a.guid||s&&!s.test(a.namespace)||r&&r!==a.selector&&("**"!==r||!a.selector)||(f.splice(o,1),a.selector&&f.delegateCount--,p.remove&&p.remove.call(e,a));u&&!f.length&&(p.teardown&&p.teardown.call(e,h,m.handle)!==!1||b.removeEvent(e,d,m.handle),delete c[d])}else for(d in c)b.event.remove(e,d+t[l],n,r,!0);b.isEmptyObject(c)&&(delete m.handle,b._removeData(e,"events"))}},trigger:function(n,r,i,a){var s,u,l,c,p,f,d,h=[i||o],g=y.call(n,"type")?n.type:n,m=y.call(n,"namespace")?n.namespace.split("."):[];if(l=f=i=i||o,3!==i.nodeType&&8!==i.nodeType&&!nt.test(g+b.event.triggered)&&(g.indexOf(".")>=0&&(m=g.split("."),g=m.shift(),m.sort()),u=0>g.indexOf(":")&&"on"+g,n=n[b.expando]?n:new b.Event(g,"object"==typeof n&&n),n.isTrigger=!0,n.namespace=m.join("."),n.namespace_re=n.namespace?RegExp("(^|\\.)"+m.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,n.result=t,n.target||(n.target=i),r=null==r?[n]:b.makeArray(r,[n]),p=b.event.special[g]||{},a||!p.trigger||p.trigger.apply(i,r)!==!1)){if(!a&&!p.noBubble&&!b.isWindow(i)){for(c=p.delegateType||g,nt.test(c+g)||(l=l.parentNode);l;l=l.parentNode)h.push(l),f=l;f===(i.ownerDocument||o)&&h.push(f.defaultView||f.parentWindow||e)}d=0;while((l=h[d++])&&!n.isPropagationStopped())n.type=d>1?c:p.bindType||g,s=(b._data(l,"events")||{})[n.type]&&b._data(l,"handle"),s&&s.apply(l,r),s=u&&l[u],s&&b.acceptData(l)&&s.apply&&s.apply(l,r)===!1&&n.preventDefault();if(n.type=g,!(a||n.isDefaultPrevented()||p._default&&p._default.apply(i.ownerDocument,r)!==!1||"click"===g&&b.nodeName(i,"a")||!b.acceptData(i)||!u||!i[g]||b.isWindow(i))){f=i[u],f&&(i[u]=null),b.event.triggered=g;try{i[g]()}catch(v){}b.event.triggered=t,f&&(i[u]=f)}return n.result}},dispatch:function(e){e=b.event.fix(e);var n,r,i,o,a,s=[],u=h.call(arguments),l=(b._data(this,"events")||{})[e.type]||[],c=b.event.special[e.type]||{};if(u[0]=e,e.delegateTarget=this,!c.preDispatch||c.preDispatch.call(this,e)!==!1){s=b.event.handlers.call(this,e,l),n=0;while((o=s[n++])&&!e.isPropagationStopped()){e.currentTarget=o.elem,a=0;while((i=o.handlers[a++])&&!e.isImmediatePropagationStopped())(!e.namespace_re||e.namespace_re.test(i.namespace))&&(e.handleObj=i,e.data=i.data,r=((b.event.special[i.origType]||{}).handle||i.handler).apply(o.elem,u),r!==t&&(e.result=r)===!1&&(e.preventDefault(),e.stopPropagation()))}return c.postDispatch&&c.postDispatch.call(this,e),e.result}},handlers:function(e,n){var r,i,o,a,s=[],u=n.delegateCount,l=e.target;if(u&&l.nodeType&&(!e.button||"click"!==e.type))for(;l!=this;l=l.parentNode||this)if(1===l.nodeType&&(l.disabled!==!0||"click"!==e.type)){for(o=[],a=0;u>a;a++)i=n[a],r=i.selector+" ",o[r]===t&&(o[r]=i.needsContext?b(r,this).index(l)>=0:b.find(r,this,null,[l]).length),o[r]&&o.push(i);o.length&&s.push({elem:l,handlers:o})}return n.length>u&&s.push({elem:this,handlers:n.slice(u)}),s},fix:function(e){if(e[b.expando])return e;var t,n,r,i=e.type,a=e,s=this.fixHooks[i];s||(this.fixHooks[i]=s=tt.test(i)?this.mouseHooks:et.test(i)?this.keyHooks:{}),r=s.props?this.props.concat(s.props):this.props,e=new b.Event(a),t=r.length;while(t--)n=r[t],e[n]=a[n];return e.target||(e.target=a.srcElement||o),3===e.target.nodeType&&(e.target=e.target.parentNode),e.metaKey=!!e.metaKey,s.filter?s.filter(e,a):e},props:"altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(e,t){return null==e.which&&(e.which=null!=t.charCode?t.charCode:t.keyCode),e}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(e,n){var r,i,a,s=n.button,u=n.fromElement;return null==e.pageX&&null!=n.clientX&&(i=e.target.ownerDocument||o,a=i.documentElement,r=i.body,e.pageX=n.clientX+(a&&a.scrollLeft||r&&r.scrollLeft||0)-(a&&a.clientLeft||r&&r.clientLeft||0),e.pageY=n.clientY+(a&&a.scrollTop||r&&r.scrollTop||0)-(a&&a.clientTop||r&&r.clientTop||0)),!e.relatedTarget&&u&&(e.relatedTarget=u===e.target?n.toElement:u),e.which||s===t||(e.which=1&s?1:2&s?3:4&s?2:0),e}},special:{load:{noBubble:!0},click:{trigger:function(){return b.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):t}},focus:{trigger:function(){if(this!==o.activeElement&&this.focus)try{return this.focus(),!1}catch(e){}},delegateType:"focusin"},blur:{trigger:function(){return this===o.activeElement&&this.blur?(this.blur(),!1):t},delegateType:"focusout"},beforeunload:{postDispatch:function(e){e.result!==t&&(e.originalEvent.returnValue=e.result)}}},simulate:function(e,t,n,r){var i=b.extend(new b.Event,n,{type:e,isSimulated:!0,originalEvent:{}});r?b.event.trigger(i,null,t):b.event.dispatch.call(t,i),i.isDefaultPrevented()&&n.preventDefault()}},b.removeEvent=o.removeEventListener?function(e,t,n){e.removeEventListener&&e.removeEventListener(t,n,!1)}:function(e,t,n){var r="on"+t;e.detachEvent&&(typeof e[r]===i&&(e[r]=null),e.detachEvent(r,n))},b.Event=function(e,n){return this instanceof b.Event?(e&&e.type?(this.originalEvent=e,this.type=e.type,this.isDefaultPrevented=e.defaultPrevented||e.returnValue===!1||e.getPreventDefault&&e.getPreventDefault()?it:ot):this.type=e,n&&b.extend(this,n),this.timeStamp=e&&e.timeStamp||b.now(),this[b.expando]=!0,t):new b.Event(e,n)},b.Event.prototype={isDefaultPrevented:ot,isPropagationStopped:ot,isImmediatePropagationStopped:ot,preventDefault:function(){var e=this.originalEvent;this.isDefaultPrevented=it,e&&(e.preventDefault?e.preventDefault():e.returnValue=!1)},stopPropagation:function(){var e=this.originalEvent;this.isPropagationStopped=it,e&&(e.stopPropagation&&e.stopPropagation(),e.cancelBubble=!0)},stopImmediatePropagation:function(){this.isImmediatePropagationStopped=it,this.stopPropagation()}},b.each({mouseenter:"mouseover",mouseleave:"mouseout"},function(e,t){b.event.special[e]={delegateType:t,bindType:t,handle:function(e){var n,r=this,i=e.relatedTarget,o=e.handleObj;
+return(!i||i!==r&&!b.contains(r,i))&&(e.type=o.origType,n=o.handler.apply(this,arguments),e.type=t),n}}}),b.support.submitBubbles||(b.event.special.submit={setup:function(){return b.nodeName(this,"form")?!1:(b.event.add(this,"click._submit keypress._submit",function(e){var n=e.target,r=b.nodeName(n,"input")||b.nodeName(n,"button")?n.form:t;r&&!b._data(r,"submitBubbles")&&(b.event.add(r,"submit._submit",function(e){e._submit_bubble=!0}),b._data(r,"submitBubbles",!0))}),t)},postDispatch:function(e){e._submit_bubble&&(delete e._submit_bubble,this.parentNode&&!e.isTrigger&&b.event.simulate("submit",this.parentNode,e,!0))},teardown:function(){return b.nodeName(this,"form")?!1:(b.event.remove(this,"._submit"),t)}}),b.support.changeBubbles||(b.event.special.change={setup:function(){return Z.test(this.nodeName)?(("checkbox"===this.type||"radio"===this.type)&&(b.event.add(this,"propertychange._change",function(e){"checked"===e.originalEvent.propertyName&&(this._just_changed=!0)}),b.event.add(this,"click._change",function(e){this._just_changed&&!e.isTrigger&&(this._just_changed=!1),b.event.simulate("change",this,e,!0)})),!1):(b.event.add(this,"beforeactivate._change",function(e){var t=e.target;Z.test(t.nodeName)&&!b._data(t,"changeBubbles")&&(b.event.add(t,"change._change",function(e){!this.parentNode||e.isSimulated||e.isTrigger||b.event.simulate("change",this.parentNode,e,!0)}),b._data(t,"changeBubbles",!0))}),t)},handle:function(e){var n=e.target;return this!==n||e.isSimulated||e.isTrigger||"radio"!==n.type&&"checkbox"!==n.type?e.handleObj.handler.apply(this,arguments):t},teardown:function(){return b.event.remove(this,"._change"),!Z.test(this.nodeName)}}),b.support.focusinBubbles||b.each({focus:"focusin",blur:"focusout"},function(e,t){var n=0,r=function(e){b.event.simulate(t,e.target,b.event.fix(e),!0)};b.event.special[t]={setup:function(){0===n++&&o.addEventListener(e,r,!0)},teardown:function(){0===--n&&o.removeEventListener(e,r,!0)}}}),b.fn.extend({on:function(e,n,r,i,o){var a,s;if("object"==typeof e){"string"!=typeof n&&(r=r||n,n=t);for(a in e)this.on(a,n,r,e[a],o);return this}if(null==r&&null==i?(i=n,r=n=t):null==i&&("string"==typeof n?(i=r,r=t):(i=r,r=n,n=t)),i===!1)i=ot;else if(!i)return this;return 1===o&&(s=i,i=function(e){return b().off(e),s.apply(this,arguments)},i.guid=s.guid||(s.guid=b.guid++)),this.each(function(){b.event.add(this,e,i,r,n)})},one:function(e,t,n,r){return this.on(e,t,n,r,1)},off:function(e,n,r){var i,o;if(e&&e.preventDefault&&e.handleObj)return i=e.handleObj,b(e.delegateTarget).off(i.namespace?i.origType+"."+i.namespace:i.origType,i.selector,i.handler),this;if("object"==typeof e){for(o in e)this.off(o,n,e[o]);return this}return(n===!1||"function"==typeof n)&&(r=n,n=t),r===!1&&(r=ot),this.each(function(){b.event.remove(this,e,r,n)})},bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)},trigger:function(e,t){return this.each(function(){b.event.trigger(e,t,this)})},triggerHandler:function(e,n){var r=this[0];return r?b.event.trigger(e,n,r,!0):t}}),function(e,t){var n,r,i,o,a,s,u,l,c,p,f,d,h,g,m,y,v,x="sizzle"+-new Date,w=e.document,T={},N=0,C=0,k=it(),E=it(),S=it(),A=typeof t,j=1<<31,D=[],L=D.pop,H=D.push,q=D.slice,M=D.indexOf||function(e){var t=0,n=this.length;for(;n>t;t++)if(this[t]===e)return t;return-1},_="[\\x20\\t\\r\\n\\f]",F="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",O=F.replace("w","w#"),B="([*^$|!~]?=)",P="\\["+_+"*("+F+")"+_+"*(?:"+B+_+"*(?:(['\"])((?:\\\\.|[^\\\\])*?)\\3|("+O+")|)|)"+_+"*\\]",R=":("+F+")(?:\\(((['\"])((?:\\\\.|[^\\\\])*?)\\3|((?:\\\\.|[^\\\\()[\\]]|"+P.replace(3,8)+")*)|.*)\\)|)",W=RegExp("^"+_+"+|((?:^|[^\\\\])(?:\\\\.)*)"+_+"+$","g"),$=RegExp("^"+_+"*,"+_+"*"),I=RegExp("^"+_+"*([\\x20\\t\\r\\n\\f>+~])"+_+"*"),z=RegExp(R),X=RegExp("^"+O+"$"),U={ID:RegExp("^#("+F+")"),CLASS:RegExp("^\\.("+F+")"),NAME:RegExp("^\\[name=['\"]?("+F+")['\"]?\\]"),TAG:RegExp("^("+F.replace("w","w*")+")"),ATTR:RegExp("^"+P),PSEUDO:RegExp("^"+R),CHILD:RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+_+"*(even|odd|(([+-]|)(\\d*)n|)"+_+"*(?:([+-]|)"+_+"*(\\d+)|))"+_+"*\\)|)","i"),needsContext:RegExp("^"+_+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+_+"*((?:-\\d)?\\d*)"+_+"*\\)|)(?=[^-]|$)","i")},V=/[\x20\t\r\n\f]*[+~]/,Y=/^[^{]+\{\s*\[native code/,J=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,G=/^(?:input|select|textarea|button)$/i,Q=/^h\d$/i,K=/'|\\/g,Z=/\=[\x20\t\r\n\f]*([^'"\]]*)[\x20\t\r\n\f]*\]/g,et=/\\([\da-fA-F]{1,6}[\x20\t\r\n\f]?|.)/g,tt=function(e,t){var n="0x"+t-65536;return n!==n?t:0>n?String.fromCharCode(n+65536):String.fromCharCode(55296|n>>10,56320|1023&n)};try{q.call(w.documentElement.childNodes,0)[0].nodeType}catch(nt){q=function(e){var t,n=[];while(t=this[e++])n.push(t);return n}}function rt(e){return Y.test(e+"")}function it(){var e,t=[];return e=function(n,r){return t.push(n+=" ")>i.cacheLength&&delete e[t.shift()],e[n]=r}}function ot(e){return e[x]=!0,e}function at(e){var t=p.createElement("div");try{return e(t)}catch(n){return!1}finally{t=null}}function st(e,t,n,r){var i,o,a,s,u,l,f,g,m,v;if((t?t.ownerDocument||t:w)!==p&&c(t),t=t||p,n=n||[],!e||"string"!=typeof e)return n;if(1!==(s=t.nodeType)&&9!==s)return[];if(!d&&!r){if(i=J.exec(e))if(a=i[1]){if(9===s){if(o=t.getElementById(a),!o||!o.parentNode)return n;if(o.id===a)return n.push(o),n}else if(t.ownerDocument&&(o=t.ownerDocument.getElementById(a))&&y(t,o)&&o.id===a)return n.push(o),n}else{if(i[2])return H.apply(n,q.call(t.getElementsByTagName(e),0)),n;if((a=i[3])&&T.getByClassName&&t.getElementsByClassName)return H.apply(n,q.call(t.getElementsByClassName(a),0)),n}if(T.qsa&&!h.test(e)){if(f=!0,g=x,m=t,v=9===s&&e,1===s&&"object"!==t.nodeName.toLowerCase()){l=ft(e),(f=t.getAttribute("id"))?g=f.replace(K,"\\$&"):t.setAttribute("id",g),g="[id='"+g+"'] ",u=l.length;while(u--)l[u]=g+dt(l[u]);m=V.test(e)&&t.parentNode||t,v=l.join(",")}if(v)try{return H.apply(n,q.call(m.querySelectorAll(v),0)),n}catch(b){}finally{f||t.removeAttribute("id")}}}return wt(e.replace(W,"$1"),t,n,r)}a=st.isXML=function(e){var t=e&&(e.ownerDocument||e).documentElement;return t?"HTML"!==t.nodeName:!1},c=st.setDocument=function(e){var n=e?e.ownerDocument||e:w;return n!==p&&9===n.nodeType&&n.documentElement?(p=n,f=n.documentElement,d=a(n),T.tagNameNoComments=at(function(e){return e.appendChild(n.createComment("")),!e.getElementsByTagName("*").length}),T.attributes=at(function(e){e.innerHTML="<select></select>";var t=typeof e.lastChild.getAttribute("multiple");return"boolean"!==t&&"string"!==t}),T.getByClassName=at(function(e){return e.innerHTML="<div class='hidden e'></div><div class='hidden'></div>",e.getElementsByClassName&&e.getElementsByClassName("e").length?(e.lastChild.className="e",2===e.getElementsByClassName("e").length):!1}),T.getByName=at(function(e){e.id=x+0,e.innerHTML="<a name='"+x+"'></a><div name='"+x+"'></div>",f.insertBefore(e,f.firstChild);var t=n.getElementsByName&&n.getElementsByName(x).length===2+n.getElementsByName(x+0).length;return T.getIdNotName=!n.getElementById(x),f.removeChild(e),t}),i.attrHandle=at(function(e){return e.innerHTML="<a href='#'></a>",e.firstChild&&typeof e.firstChild.getAttribute!==A&&"#"===e.firstChild.getAttribute("href")})?{}:{href:function(e){return e.getAttribute("href",2)},type:function(e){return e.getAttribute("type")}},T.getIdNotName?(i.find.ID=function(e,t){if(typeof t.getElementById!==A&&!d){var n=t.getElementById(e);return n&&n.parentNode?[n]:[]}},i.filter.ID=function(e){var t=e.replace(et,tt);return function(e){return e.getAttribute("id")===t}}):(i.find.ID=function(e,n){if(typeof n.getElementById!==A&&!d){var r=n.getElementById(e);return r?r.id===e||typeof r.getAttributeNode!==A&&r.getAttributeNode("id").value===e?[r]:t:[]}},i.filter.ID=function(e){var t=e.replace(et,tt);return function(e){var n=typeof e.getAttributeNode!==A&&e.getAttributeNode("id");return n&&n.value===t}}),i.find.TAG=T.tagNameNoComments?function(e,n){return typeof n.getElementsByTagName!==A?n.getElementsByTagName(e):t}:function(e,t){var n,r=[],i=0,o=t.getElementsByTagName(e);if("*"===e){while(n=o[i++])1===n.nodeType&&r.push(n);return r}return o},i.find.NAME=T.getByName&&function(e,n){return typeof n.getElementsByName!==A?n.getElementsByName(name):t},i.find.CLASS=T.getByClassName&&function(e,n){return typeof n.getElementsByClassName===A||d?t:n.getElementsByClassName(e)},g=[],h=[":focus"],(T.qsa=rt(n.querySelectorAll))&&(at(function(e){e.innerHTML="<select><option selected=''></option></select>",e.querySelectorAll("[selected]").length||h.push("\\["+_+"*(?:checked|disabled|ismap|multiple|readonly|selected|value)"),e.querySelectorAll(":checked").length||h.push(":checked")}),at(function(e){e.innerHTML="<input type='hidden' i=''/>",e.querySelectorAll("[i^='']").length&&h.push("[*^$]="+_+"*(?:\"\"|'')"),e.querySelectorAll(":enabled").length||h.push(":enabled",":disabled"),e.querySelectorAll("*,:x"),h.push(",.*:")})),(T.matchesSelector=rt(m=f.matchesSelector||f.mozMatchesSelector||f.webkitMatchesSelector||f.oMatchesSelector||f.msMatchesSelector))&&at(function(e){T.disconnectedMatch=m.call(e,"div"),m.call(e,"[s!='']:x"),g.push("!=",R)}),h=RegExp(h.join("|")),g=RegExp(g.join("|")),y=rt(f.contains)||f.compareDocumentPosition?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)while(t=t.parentNode)if(t===e)return!0;return!1},v=f.compareDocumentPosition?function(e,t){var r;return e===t?(u=!0,0):(r=t.compareDocumentPosition&&e.compareDocumentPosition&&e.compareDocumentPosition(t))?1&r||e.parentNode&&11===e.parentNode.nodeType?e===n||y(w,e)?-1:t===n||y(w,t)?1:0:4&r?-1:1:e.compareDocumentPosition?-1:1}:function(e,t){var r,i=0,o=e.parentNode,a=t.parentNode,s=[e],l=[t];if(e===t)return u=!0,0;if(!o||!a)return e===n?-1:t===n?1:o?-1:a?1:0;if(o===a)return ut(e,t);r=e;while(r=r.parentNode)s.unshift(r);r=t;while(r=r.parentNode)l.unshift(r);while(s[i]===l[i])i++;return i?ut(s[i],l[i]):s[i]===w?-1:l[i]===w?1:0},u=!1,[0,0].sort(v),T.detectDuplicates=u,p):p},st.matches=function(e,t){return st(e,null,null,t)},st.matchesSelector=function(e,t){if((e.ownerDocument||e)!==p&&c(e),t=t.replace(Z,"='$1']"),!(!T.matchesSelector||d||g&&g.test(t)||h.test(t)))try{var n=m.call(e,t);if(n||T.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(r){}return st(t,p,null,[e]).length>0},st.contains=function(e,t){return(e.ownerDocument||e)!==p&&c(e),y(e,t)},st.attr=function(e,t){var n;return(e.ownerDocument||e)!==p&&c(e),d||(t=t.toLowerCase()),(n=i.attrHandle[t])?n(e):d||T.attributes?e.getAttribute(t):((n=e.getAttributeNode(t))||e.getAttribute(t))&&e[t]===!0?t:n&&n.specified?n.value:null},st.error=function(e){throw Error("Syntax error, unrecognized expression: "+e)},st.uniqueSort=function(e){var t,n=[],r=1,i=0;if(u=!T.detectDuplicates,e.sort(v),u){for(;t=e[r];r++)t===e[r-1]&&(i=n.push(r));while(i--)e.splice(n[i],1)}return e};function ut(e,t){var n=t&&e,r=n&&(~t.sourceIndex||j)-(~e.sourceIndex||j);if(r)return r;if(n)while(n=n.nextSibling)if(n===t)return-1;return e?1:-1}function lt(e){return function(t){var n=t.nodeName.toLowerCase();return"input"===n&&t.type===e}}function ct(e){return function(t){var n=t.nodeName.toLowerCase();return("input"===n||"button"===n)&&t.type===e}}function pt(e){return ot(function(t){return t=+t,ot(function(n,r){var i,o=e([],n.length,t),a=o.length;while(a--)n[i=o[a]]&&(n[i]=!(r[i]=n[i]))})})}o=st.getText=function(e){var t,n="",r=0,i=e.nodeType;if(i){if(1===i||9===i||11===i){if("string"==typeof e.textContent)return e.textContent;for(e=e.firstChild;e;e=e.nextSibling)n+=o(e)}else if(3===i||4===i)return e.nodeValue}else for(;t=e[r];r++)n+=o(t);return n},i=st.selectors={cacheLength:50,createPseudo:ot,match:U,find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(et,tt),e[3]=(e[4]||e[5]||"").replace(et,tt),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||st.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&st.error(e[0]),e},PSEUDO:function(e){var t,n=!e[5]&&e[2];return U.CHILD.test(e[0])?null:(e[4]?e[2]=e[4]:n&&z.test(n)&&(t=ft(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){return"*"===e?function(){return!0}:(e=e.replace(et,tt).toLowerCase(),function(t){return t.nodeName&&t.nodeName.toLowerCase()===e})},CLASS:function(e){var t=k[e+" "];return t||(t=RegExp("(^|"+_+")"+e+"("+_+"|$)"))&&k(e,function(e){return t.test(e.className||typeof e.getAttribute!==A&&e.getAttribute("class")||"")})},ATTR:function(e,t,n){return function(r){var i=st.attr(r,e);return null==i?"!="===t:t?(i+="","="===t?i===n:"!="===t?i!==n:"^="===t?n&&0===i.indexOf(n):"*="===t?n&&i.indexOf(n)>-1:"$="===t?n&&i.slice(-n.length)===n:"~="===t?(" "+i+" ").indexOf(n)>-1:"|="===t?i===n||i.slice(0,n.length+1)===n+"-":!1):!0}},CHILD:function(e,t,n,r,i){var o="nth"!==e.slice(0,3),a="last"!==e.slice(-4),s="of-type"===t;return 1===r&&0===i?function(e){return!!e.parentNode}:function(t,n,u){var l,c,p,f,d,h,g=o!==a?"nextSibling":"previousSibling",m=t.parentNode,y=s&&t.nodeName.toLowerCase(),v=!u&&!s;if(m){if(o){while(g){p=t;while(p=p[g])if(s?p.nodeName.toLowerCase()===y:1===p.nodeType)return!1;h=g="only"===e&&!h&&"nextSibling"}return!0}if(h=[a?m.firstChild:m.lastChild],a&&v){c=m[x]||(m[x]={}),l=c[e]||[],d=l[0]===N&&l[1],f=l[0]===N&&l[2],p=d&&m.childNodes[d];while(p=++d&&p&&p[g]||(f=d=0)||h.pop())if(1===p.nodeType&&++f&&p===t){c[e]=[N,d,f];break}}else if(v&&(l=(t[x]||(t[x]={}))[e])&&l[0]===N)f=l[1];else while(p=++d&&p&&p[g]||(f=d=0)||h.pop())if((s?p.nodeName.toLowerCase()===y:1===p.nodeType)&&++f&&(v&&((p[x]||(p[x]={}))[e]=[N,f]),p===t))break;return f-=i,f===r||0===f%r&&f/r>=0}}},PSEUDO:function(e,t){var n,r=i.pseudos[e]||i.setFilters[e.toLowerCase()]||st.error("unsupported pseudo: "+e);return r[x]?r(t):r.length>1?(n=[e,e,"",t],i.setFilters.hasOwnProperty(e.toLowerCase())?ot(function(e,n){var i,o=r(e,t),a=o.length;while(a--)i=M.call(e,o[a]),e[i]=!(n[i]=o[a])}):function(e){return r(e,0,n)}):r}},pseudos:{not:ot(function(e){var t=[],n=[],r=s(e.replace(W,"$1"));return r[x]?ot(function(e,t,n,i){var o,a=r(e,null,i,[]),s=e.length;while(s--)(o=a[s])&&(e[s]=!(t[s]=o))}):function(e,i,o){return t[0]=e,r(t,null,o,n),!n.pop()}}),has:ot(function(e){return function(t){return st(e,t).length>0}}),contains:ot(function(e){return function(t){return(t.textContent||t.innerText||o(t)).indexOf(e)>-1}}),lang:ot(function(e){return X.test(e||"")||st.error("unsupported lang: "+e),e=e.replace(et,tt).toLowerCase(),function(t){var n;do if(n=d?t.getAttribute("xml:lang")||t.getAttribute("lang"):t.lang)return n=n.toLowerCase(),n===e||0===n.indexOf(e+"-");while((t=t.parentNode)&&1===t.nodeType);return!1}}),target:function(t){var n=e.location&&e.location.hash;return n&&n.slice(1)===t.id},root:function(e){return e===f},focus:function(e){return e===p.activeElement&&(!p.hasFocus||p.hasFocus())&&!!(e.type||e.href||~e.tabIndex)},enabled:function(e){return e.disabled===!1},disabled:function(e){return e.disabled===!0},checked:function(e){var t=e.nodeName.toLowerCase();return"input"===t&&!!e.checked||"option"===t&&!!e.selected},selected:function(e){return e.parentNode&&e.parentNode.selectedIndex,e.selected===!0},empty:function(e){for(e=e.firstChild;e;e=e.nextSibling)if(e.nodeName>"@"||3===e.nodeType||4===e.nodeType)return!1;return!0},parent:function(e){return!i.pseudos.empty(e)},header:function(e){return Q.test(e.nodeName)},input:function(e){return G.test(e.nodeName)},button:function(e){var t=e.nodeName.toLowerCase();return"input"===t&&"button"===e.type||"button"===t},text:function(e){var t;return"input"===e.nodeName.toLowerCase()&&"text"===e.type&&(null==(t=e.getAttribute("type"))||t.toLowerCase()===e.type)},first:pt(function(){return[0]}),last:pt(function(e,t){return[t-1]}),eq:pt(function(e,t,n){return[0>n?n+t:n]}),even:pt(function(e,t){var n=0;for(;t>n;n+=2)e.push(n);return e}),odd:pt(function(e,t){var n=1;for(;t>n;n+=2)e.push(n);return e}),lt:pt(function(e,t,n){var r=0>n?n+t:n;for(;--r>=0;)e.push(r);return e}),gt:pt(function(e,t,n){var r=0>n?n+t:n;for(;t>++r;)e.push(r);return e})}};for(n in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})i.pseudos[n]=lt(n);for(n in{submit:!0,reset:!0})i.pseudos[n]=ct(n);function ft(e,t){var n,r,o,a,s,u,l,c=E[e+" "];if(c)return t?0:c.slice(0);s=e,u=[],l=i.preFilter;while(s){(!n||(r=$.exec(s)))&&(r&&(s=s.slice(r[0].length)||s),u.push(o=[])),n=!1,(r=I.exec(s))&&(n=r.shift(),o.push({value:n,type:r[0].replace(W," ")}),s=s.slice(n.length));for(a in i.filter)!(r=U[a].exec(s))||l[a]&&!(r=l[a](r))||(n=r.shift(),o.push({value:n,type:a,matches:r}),s=s.slice(n.length));if(!n)break}return t?s.length:s?st.error(e):E(e,u).slice(0)}function dt(e){var t=0,n=e.length,r="";for(;n>t;t++)r+=e[t].value;return r}function ht(e,t,n){var i=t.dir,o=n&&"parentNode"===i,a=C++;return t.first?function(t,n,r){while(t=t[i])if(1===t.nodeType||o)return e(t,n,r)}:function(t,n,s){var u,l,c,p=N+" "+a;if(s){while(t=t[i])if((1===t.nodeType||o)&&e(t,n,s))return!0}else while(t=t[i])if(1===t.nodeType||o)if(c=t[x]||(t[x]={}),(l=c[i])&&l[0]===p){if((u=l[1])===!0||u===r)return u===!0}else if(l=c[i]=[p],l[1]=e(t,n,s)||r,l[1]===!0)return!0}}function gt(e){return e.length>1?function(t,n,r){var i=e.length;while(i--)if(!e[i](t,n,r))return!1;return!0}:e[0]}function mt(e,t,n,r,i){var o,a=[],s=0,u=e.length,l=null!=t;for(;u>s;s++)(o=e[s])&&(!n||n(o,r,i))&&(a.push(o),l&&t.push(s));return a}function yt(e,t,n,r,i,o){return r&&!r[x]&&(r=yt(r)),i&&!i[x]&&(i=yt(i,o)),ot(function(o,a,s,u){var l,c,p,f=[],d=[],h=a.length,g=o||xt(t||"*",s.nodeType?[s]:s,[]),m=!e||!o&&t?g:mt(g,f,e,s,u),y=n?i||(o?e:h||r)?[]:a:m;if(n&&n(m,y,s,u),r){l=mt(y,d),r(l,[],s,u),c=l.length;while(c--)(p=l[c])&&(y[d[c]]=!(m[d[c]]=p))}if(o){if(i||e){if(i){l=[],c=y.length;while(c--)(p=y[c])&&l.push(m[c]=p);i(null,y=[],l,u)}c=y.length;while(c--)(p=y[c])&&(l=i?M.call(o,p):f[c])>-1&&(o[l]=!(a[l]=p))}}else y=mt(y===a?y.splice(h,y.length):y),i?i(null,a,y,u):H.apply(a,y)})}function vt(e){var t,n,r,o=e.length,a=i.relative[e[0].type],s=a||i.relative[" "],u=a?1:0,c=ht(function(e){return e===t},s,!0),p=ht(function(e){return M.call(t,e)>-1},s,!0),f=[function(e,n,r){return!a&&(r||n!==l)||((t=n).nodeType?c(e,n,r):p(e,n,r))}];for(;o>u;u++)if(n=i.relative[e[u].type])f=[ht(gt(f),n)];else{if(n=i.filter[e[u].type].apply(null,e[u].matches),n[x]){for(r=++u;o>r;r++)if(i.relative[e[r].type])break;return yt(u>1&&gt(f),u>1&&dt(e.slice(0,u-1)).replace(W,"$1"),n,r>u&&vt(e.slice(u,r)),o>r&&vt(e=e.slice(r)),o>r&&dt(e))}f.push(n)}return gt(f)}function bt(e,t){var n=0,o=t.length>0,a=e.length>0,s=function(s,u,c,f,d){var h,g,m,y=[],v=0,b="0",x=s&&[],w=null!=d,T=l,C=s||a&&i.find.TAG("*",d&&u.parentNode||u),k=N+=null==T?1:Math.random()||.1;for(w&&(l=u!==p&&u,r=n);null!=(h=C[b]);b++){if(a&&h){g=0;while(m=e[g++])if(m(h,u,c)){f.push(h);break}w&&(N=k,r=++n)}o&&((h=!m&&h)&&v--,s&&x.push(h))}if(v+=b,o&&b!==v){g=0;while(m=t[g++])m(x,y,u,c);if(s){if(v>0)while(b--)x[b]||y[b]||(y[b]=L.call(f));y=mt(y)}H.apply(f,y),w&&!s&&y.length>0&&v+t.length>1&&st.uniqueSort(f)}return w&&(N=k,l=T),x};return o?ot(s):s}s=st.compile=function(e,t){var n,r=[],i=[],o=S[e+" "];if(!o){t||(t=ft(e)),n=t.length;while(n--)o=vt(t[n]),o[x]?r.push(o):i.push(o);o=S(e,bt(i,r))}return o};function xt(e,t,n){var r=0,i=t.length;for(;i>r;r++)st(e,t[r],n);return n}function wt(e,t,n,r){var o,a,u,l,c,p=ft(e);if(!r&&1===p.length){if(a=p[0]=p[0].slice(0),a.length>2&&"ID"===(u=a[0]).type&&9===t.nodeType&&!d&&i.relative[a[1].type]){if(t=i.find.ID(u.matches[0].replace(et,tt),t)[0],!t)return n;e=e.slice(a.shift().value.length)}o=U.needsContext.test(e)?0:a.length;while(o--){if(u=a[o],i.relative[l=u.type])break;if((c=i.find[l])&&(r=c(u.matches[0].replace(et,tt),V.test(a[0].type)&&t.parentNode||t))){if(a.splice(o,1),e=r.length&&dt(a),!e)return H.apply(n,q.call(r,0)),n;break}}}return s(e,p)(r,t,d,n,V.test(e)),n}i.pseudos.nth=i.pseudos.eq;function Tt(){}i.filters=Tt.prototype=i.pseudos,i.setFilters=new Tt,c(),st.attr=b.attr,b.find=st,b.expr=st.selectors,b.expr[":"]=b.expr.pseudos,b.unique=st.uniqueSort,b.text=st.getText,b.isXMLDoc=st.isXML,b.contains=st.contains}(e);var at=/Until$/,st=/^(?:parents|prev(?:Until|All))/,ut=/^.[^:#\[\.,]*$/,lt=b.expr.match.needsContext,ct={children:!0,contents:!0,next:!0,prev:!0};b.fn.extend({find:function(e){var t,n,r,i=this.length;if("string"!=typeof e)return r=this,this.pushStack(b(e).filter(function(){for(t=0;i>t;t++)if(b.contains(r[t],this))return!0}));for(n=[],t=0;i>t;t++)b.find(e,this[t],n);return n=this.pushStack(i>1?b.unique(n):n),n.selector=(this.selector?this.selector+" ":"")+e,n},has:function(e){var t,n=b(e,this),r=n.length;return this.filter(function(){for(t=0;r>t;t++)if(b.contains(this,n[t]))return!0})},not:function(e){return this.pushStack(ft(this,e,!1))},filter:function(e){return this.pushStack(ft(this,e,!0))},is:function(e){return!!e&&("string"==typeof e?lt.test(e)?b(e,this.context).index(this[0])>=0:b.filter(e,this).length>0:this.filter(e).length>0)},closest:function(e,t){var n,r=0,i=this.length,o=[],a=lt.test(e)||"string"!=typeof e?b(e,t||this.context):0;for(;i>r;r++){n=this[r];while(n&&n.ownerDocument&&n!==t&&11!==n.nodeType){if(a?a.index(n)>-1:b.find.matchesSelector(n,e)){o.push(n);break}n=n.parentNode}}return this.pushStack(o.length>1?b.unique(o):o)},index:function(e){return e?"string"==typeof e?b.inArray(this[0],b(e)):b.inArray(e.jquery?e[0]:e,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(e,t){var n="string"==typeof e?b(e,t):b.makeArray(e&&e.nodeType?[e]:e),r=b.merge(this.get(),n);return this.pushStack(b.unique(r))},addBack:function(e){return this.add(null==e?this.prevObject:this.prevObject.filter(e))}}),b.fn.andSelf=b.fn.addBack;function pt(e,t){do e=e[t];while(e&&1!==e.nodeType);return e}b.each({parent:function(e){var t=e.parentNode;return t&&11!==t.nodeType?t:null},parents:function(e){return b.dir(e,"parentNode")},parentsUntil:function(e,t,n){return b.dir(e,"parentNode",n)},next:function(e){return pt(e,"nextSibling")},prev:function(e){return pt(e,"previousSibling")},nextAll:function(e){return b.dir(e,"nextSibling")},prevAll:function(e){return b.dir(e,"previousSibling")},nextUntil:function(e,t,n){return b.dir(e,"nextSibling",n)},prevUntil:function(e,t,n){return b.dir(e,"previousSibling",n)},siblings:function(e){return b.sibling((e.parentNode||{}).firstChild,e)},children:function(e){return b.sibling(e.firstChild)},contents:function(e){return b.nodeName(e,"iframe")?e.contentDocument||e.contentWindow.document:b.merge([],e.childNodes)}},function(e,t){b.fn[e]=function(n,r){var i=b.map(this,t,n);return at.test(e)||(r=n),r&&"string"==typeof r&&(i=b.filter(r,i)),i=this.length>1&&!ct[e]?b.unique(i):i,this.length>1&&st.test(e)&&(i=i.reverse()),this.pushStack(i)}}),b.extend({filter:function(e,t,n){return n&&(e=":not("+e+")"),1===t.length?b.find.matchesSelector(t[0],e)?[t[0]]:[]:b.find.matches(e,t)},dir:function(e,n,r){var i=[],o=e[n];while(o&&9!==o.nodeType&&(r===t||1!==o.nodeType||!b(o).is(r)))1===o.nodeType&&i.push(o),o=o[n];return i},sibling:function(e,t){var n=[];for(;e;e=e.nextSibling)1===e.nodeType&&e!==t&&n.push(e);return n}});function ft(e,t,n){if(t=t||0,b.isFunction(t))return b.grep(e,function(e,r){var i=!!t.call(e,r,e);return i===n});if(t.nodeType)return b.grep(e,function(e){return e===t===n});if("string"==typeof t){var r=b.grep(e,function(e){return 1===e.nodeType});if(ut.test(t))return b.filter(t,r,!n);t=b.filter(t,r)}return b.grep(e,function(e){return b.inArray(e,t)>=0===n})}function dt(e){var t=ht.split("|"),n=e.createDocumentFragment();if(n.createElement)while(t.length)n.createElement(t.pop());return n}var ht="abbr|article|aside|audio|bdi|canvas|data|datalist|details|figcaption|figure|footer|header|hgroup|mark|meter|nav|output|progress|section|summary|time|video",gt=/ jQuery\d+="(?:null|\d+)"/g,mt=RegExp("<(?:"+ht+")[\\s/>]","i"),yt=/^\s+/,vt=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/gi,bt=/<([\w:]+)/,xt=/<tbody/i,wt=/<|&#?\w+;/,Tt=/<(?:script|style|link)/i,Nt=/^(?:checkbox|radio)$/i,Ct=/checked\s*(?:[^=]|=\s*.checked.)/i,kt=/^$|\/(?:java|ecma)script/i,Et=/^true\/(.*)/,St=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,At={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],area:[1,"<map>","</map>"],param:[1,"<object>","</object>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:b.support.htmlSerialize?[0,"",""]:[1,"X<div>","</div>"]},jt=dt(o),Dt=jt.appendChild(o.createElement("div"));At.optgroup=At.option,At.tbody=At.tfoot=At.colgroup=At.caption=At.thead,At.th=At.td,b.fn.extend({text:function(e){return b.access(this,function(e){return e===t?b.text(this):this.empty().append((this[0]&&this[0].ownerDocument||o).createTextNode(e))},null,e,arguments.length)},wrapAll:function(e){if(b.isFunction(e))return this.each(function(t){b(this).wrapAll(e.call(this,t))});if(this[0]){var t=b(e,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&t.insertBefore(this[0]),t.map(function(){var e=this;while(e.firstChild&&1===e.firstChild.nodeType)e=e.firstChild;return e}).append(this)}return this},wrapInner:function(e){return b.isFunction(e)?this.each(function(t){b(this).wrapInner(e.call(this,t))}):this.each(function(){var t=b(this),n=t.contents();n.length?n.wrapAll(e):t.append(e)})},wrap:function(e){var t=b.isFunction(e);return this.each(function(n){b(this).wrapAll(t?e.call(this,n):e)})},unwrap:function(){return this.parent().each(function(){b.nodeName(this,"body")||b(this).replaceWith(this.childNodes)}).end()},append:function(){return this.domManip(arguments,!0,function(e){(1===this.nodeType||11===this.nodeType||9===this.nodeType)&&this.appendChild(e)})},prepend:function(){return this.domManip(arguments,!0,function(e){(1===this.nodeType||11===this.nodeType||9===this.nodeType)&&this.insertBefore(e,this.firstChild)})},before:function(){return this.domManip(arguments,!1,function(e){this.parentNode&&this.parentNode.insertBefore(e,this)})},after:function(){return this.domManip(arguments,!1,function(e){this.parentNode&&this.parentNode.insertBefore(e,this.nextSibling)})},remove:function(e,t){var n,r=0;for(;null!=(n=this[r]);r++)(!e||b.filter(e,[n]).length>0)&&(t||1!==n.nodeType||b.cleanData(Ot(n)),n.parentNode&&(t&&b.contains(n.ownerDocument,n)&&Mt(Ot(n,"script")),n.parentNode.removeChild(n)));return this},empty:function(){var e,t=0;for(;null!=(e=this[t]);t++){1===e.nodeType&&b.cleanData(Ot(e,!1));while(e.firstChild)e.removeChild(e.firstChild);e.options&&b.nodeName(e,"select")&&(e.options.length=0)}return this},clone:function(e,t){return e=null==e?!1:e,t=null==t?e:t,this.map(function(){return b.clone(this,e,t)})},html:function(e){return b.access(this,function(e){var n=this[0]||{},r=0,i=this.length;if(e===t)return 1===n.nodeType?n.innerHTML.replace(gt,""):t;if(!("string"!=typeof e||Tt.test(e)||!b.support.htmlSerialize&&mt.test(e)||!b.support.leadingWhitespace&&yt.test(e)||At[(bt.exec(e)||["",""])[1].toLowerCase()])){e=e.replace(vt,"<$1></$2>");try{for(;i>r;r++)n=this[r]||{},1===n.nodeType&&(b.cleanData(Ot(n,!1)),n.innerHTML=e);n=0}catch(o){}}n&&this.empty().append(e)},null,e,arguments.length)},replaceWith:function(e){var t=b.isFunction(e);return t||"string"==typeof e||(e=b(e).not(this).detach()),this.domManip([e],!0,function(e){var t=this.nextSibling,n=this.parentNode;n&&(b(this).remove(),n.insertBefore(e,t))})},detach:function(e){return this.remove(e,!0)},domManip:function(e,n,r){e=f.apply([],e);var i,o,a,s,u,l,c=0,p=this.length,d=this,h=p-1,g=e[0],m=b.isFunction(g);if(m||!(1>=p||"string"!=typeof g||b.support.checkClone)&&Ct.test(g))return this.each(function(i){var o=d.eq(i);m&&(e[0]=g.call(this,i,n?o.html():t)),o.domManip(e,n,r)});if(p&&(l=b.buildFragment(e,this[0].ownerDocument,!1,this),i=l.firstChild,1===l.childNodes.length&&(l=i),i)){for(n=n&&b.nodeName(i,"tr"),s=b.map(Ot(l,"script"),Ht),a=s.length;p>c;c++)o=l,c!==h&&(o=b.clone(o,!0,!0),a&&b.merge(s,Ot(o,"script"))),r.call(n&&b.nodeName(this[c],"table")?Lt(this[c],"tbody"):this[c],o,c);if(a)for(u=s[s.length-1].ownerDocument,b.map(s,qt),c=0;a>c;c++)o=s[c],kt.test(o.type||"")&&!b._data(o,"globalEval")&&b.contains(u,o)&&(o.src?b.ajax({url:o.src,type:"GET",dataType:"script",async:!1,global:!1,"throws":!0}):b.globalEval((o.text||o.textContent||o.innerHTML||"").replace(St,"")));l=i=null}return this}});function Lt(e,t){return e.getElementsByTagName(t)[0]||e.appendChild(e.ownerDocument.createElement(t))}function Ht(e){var t=e.getAttributeNode("type");return e.type=(t&&t.specified)+"/"+e.type,e}function qt(e){var t=Et.exec(e.type);return t?e.type=t[1]:e.removeAttribute("type"),e}function Mt(e,t){var n,r=0;for(;null!=(n=e[r]);r++)b._data(n,"globalEval",!t||b._data(t[r],"globalEval"))}function _t(e,t){if(1===t.nodeType&&b.hasData(e)){var n,r,i,o=b._data(e),a=b._data(t,o),s=o.events;if(s){delete a.handle,a.events={};for(n in s)for(r=0,i=s[n].length;i>r;r++)b.event.add(t,n,s[n][r])}a.data&&(a.data=b.extend({},a.data))}}function Ft(e,t){var n,r,i;if(1===t.nodeType){if(n=t.nodeName.toLowerCase(),!b.support.noCloneEvent&&t[b.expando]){i=b._data(t);for(r in i.events)b.removeEvent(t,r,i.handle);t.removeAttribute(b.expando)}"script"===n&&t.text!==e.text?(Ht(t).text=e.text,qt(t)):"object"===n?(t.parentNode&&(t.outerHTML=e.outerHTML),b.support.html5Clone&&e.innerHTML&&!b.trim(t.innerHTML)&&(t.innerHTML=e.innerHTML)):"input"===n&&Nt.test(e.type)?(t.defaultChecked=t.checked=e.checked,t.value!==e.value&&(t.value=e.value)):"option"===n?t.defaultSelected=t.selected=e.defaultSelected:("input"===n||"textarea"===n)&&(t.defaultValue=e.defaultValue)}}b.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(e,t){b.fn[e]=function(e){var n,r=0,i=[],o=b(e),a=o.length-1;for(;a>=r;r++)n=r===a?this:this.clone(!0),b(o[r])[t](n),d.apply(i,n.get());return this.pushStack(i)}});function Ot(e,n){var r,o,a=0,s=typeof e.getElementsByTagName!==i?e.getElementsByTagName(n||"*"):typeof e.querySelectorAll!==i?e.querySelectorAll(n||"*"):t;if(!s)for(s=[],r=e.childNodes||e;null!=(o=r[a]);a++)!n||b.nodeName(o,n)?s.push(o):b.merge(s,Ot(o,n));return n===t||n&&b.nodeName(e,n)?b.merge([e],s):s}function Bt(e){Nt.test(e.type)&&(e.defaultChecked=e.checked)}b.extend({clone:function(e,t,n){var r,i,o,a,s,u=b.contains(e.ownerDocument,e);if(b.support.html5Clone||b.isXMLDoc(e)||!mt.test("<"+e.nodeName+">")?o=e.cloneNode(!0):(Dt.innerHTML=e.outerHTML,Dt.removeChild(o=Dt.firstChild)),!(b.support.noCloneEvent&&b.support.noCloneChecked||1!==e.nodeType&&11!==e.nodeType||b.isXMLDoc(e)))for(r=Ot(o),s=Ot(e),a=0;null!=(i=s[a]);++a)r[a]&&Ft(i,r[a]);if(t)if(n)for(s=s||Ot(e),r=r||Ot(o),a=0;null!=(i=s[a]);a++)_t(i,r[a]);else _t(e,o);return r=Ot(o,"script"),r.length>0&&Mt(r,!u&&Ot(e,"script")),r=s=i=null,o},buildFragment:function(e,t,n,r){var i,o,a,s,u,l,c,p=e.length,f=dt(t),d=[],h=0;for(;p>h;h++)if(o=e[h],o||0===o)if("object"===b.type(o))b.merge(d,o.nodeType?[o]:o);else if(wt.test(o)){s=s||f.appendChild(t.createElement("div")),u=(bt.exec(o)||["",""])[1].toLowerCase(),c=At[u]||At._default,s.innerHTML=c[1]+o.replace(vt,"<$1></$2>")+c[2],i=c[0];while(i--)s=s.lastChild;if(!b.support.leadingWhitespace&&yt.test(o)&&d.push(t.createTextNode(yt.exec(o)[0])),!b.support.tbody){o="table"!==u||xt.test(o)?"<table>"!==c[1]||xt.test(o)?0:s:s.firstChild,i=o&&o.childNodes.length;while(i--)b.nodeName(l=o.childNodes[i],"tbody")&&!l.childNodes.length&&o.removeChild(l)
+}b.merge(d,s.childNodes),s.textContent="";while(s.firstChild)s.removeChild(s.firstChild);s=f.lastChild}else d.push(t.createTextNode(o));s&&f.removeChild(s),b.support.appendChecked||b.grep(Ot(d,"input"),Bt),h=0;while(o=d[h++])if((!r||-1===b.inArray(o,r))&&(a=b.contains(o.ownerDocument,o),s=Ot(f.appendChild(o),"script"),a&&Mt(s),n)){i=0;while(o=s[i++])kt.test(o.type||"")&&n.push(o)}return s=null,f},cleanData:function(e,t){var n,r,o,a,s=0,u=b.expando,l=b.cache,p=b.support.deleteExpando,f=b.event.special;for(;null!=(n=e[s]);s++)if((t||b.acceptData(n))&&(o=n[u],a=o&&l[o])){if(a.events)for(r in a.events)f[r]?b.event.remove(n,r):b.removeEvent(n,r,a.handle);l[o]&&(delete l[o],p?delete n[u]:typeof n.removeAttribute!==i?n.removeAttribute(u):n[u]=null,c.push(o))}}});var Pt,Rt,Wt,$t=/alpha\([^)]*\)/i,It=/opacity\s*=\s*([^)]*)/,zt=/^(top|right|bottom|left)$/,Xt=/^(none|table(?!-c[ea]).+)/,Ut=/^margin/,Vt=RegExp("^("+x+")(.*)$","i"),Yt=RegExp("^("+x+")(?!px)[a-z%]+$","i"),Jt=RegExp("^([+-])=("+x+")","i"),Gt={BODY:"block"},Qt={position:"absolute",visibility:"hidden",display:"block"},Kt={letterSpacing:0,fontWeight:400},Zt=["Top","Right","Bottom","Left"],en=["Webkit","O","Moz","ms"];function tn(e,t){if(t in e)return t;var n=t.charAt(0).toUpperCase()+t.slice(1),r=t,i=en.length;while(i--)if(t=en[i]+n,t in e)return t;return r}function nn(e,t){return e=t||e,"none"===b.css(e,"display")||!b.contains(e.ownerDocument,e)}function rn(e,t){var n,r,i,o=[],a=0,s=e.length;for(;s>a;a++)r=e[a],r.style&&(o[a]=b._data(r,"olddisplay"),n=r.style.display,t?(o[a]||"none"!==n||(r.style.display=""),""===r.style.display&&nn(r)&&(o[a]=b._data(r,"olddisplay",un(r.nodeName)))):o[a]||(i=nn(r),(n&&"none"!==n||!i)&&b._data(r,"olddisplay",i?n:b.css(r,"display"))));for(a=0;s>a;a++)r=e[a],r.style&&(t&&"none"!==r.style.display&&""!==r.style.display||(r.style.display=t?o[a]||"":"none"));return e}b.fn.extend({css:function(e,n){return b.access(this,function(e,n,r){var i,o,a={},s=0;if(b.isArray(n)){for(o=Rt(e),i=n.length;i>s;s++)a[n[s]]=b.css(e,n[s],!1,o);return a}return r!==t?b.style(e,n,r):b.css(e,n)},e,n,arguments.length>1)},show:function(){return rn(this,!0)},hide:function(){return rn(this)},toggle:function(e){var t="boolean"==typeof e;return this.each(function(){(t?e:nn(this))?b(this).show():b(this).hide()})}}),b.extend({cssHooks:{opacity:{get:function(e,t){if(t){var n=Wt(e,"opacity");return""===n?"1":n}}}},cssNumber:{columnCount:!0,fillOpacity:!0,fontWeight:!0,lineHeight:!0,opacity:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":b.support.cssFloat?"cssFloat":"styleFloat"},style:function(e,n,r,i){if(e&&3!==e.nodeType&&8!==e.nodeType&&e.style){var o,a,s,u=b.camelCase(n),l=e.style;if(n=b.cssProps[u]||(b.cssProps[u]=tn(l,u)),s=b.cssHooks[n]||b.cssHooks[u],r===t)return s&&"get"in s&&(o=s.get(e,!1,i))!==t?o:l[n];if(a=typeof r,"string"===a&&(o=Jt.exec(r))&&(r=(o[1]+1)*o[2]+parseFloat(b.css(e,n)),a="number"),!(null==r||"number"===a&&isNaN(r)||("number"!==a||b.cssNumber[u]||(r+="px"),b.support.clearCloneStyle||""!==r||0!==n.indexOf("background")||(l[n]="inherit"),s&&"set"in s&&(r=s.set(e,r,i))===t)))try{l[n]=r}catch(c){}}},css:function(e,n,r,i){var o,a,s,u=b.camelCase(n);return n=b.cssProps[u]||(b.cssProps[u]=tn(e.style,u)),s=b.cssHooks[n]||b.cssHooks[u],s&&"get"in s&&(a=s.get(e,!0,r)),a===t&&(a=Wt(e,n,i)),"normal"===a&&n in Kt&&(a=Kt[n]),""===r||r?(o=parseFloat(a),r===!0||b.isNumeric(o)?o||0:a):a},swap:function(e,t,n,r){var i,o,a={};for(o in t)a[o]=e.style[o],e.style[o]=t[o];i=n.apply(e,r||[]);for(o in t)e.style[o]=a[o];return i}}),e.getComputedStyle?(Rt=function(t){return e.getComputedStyle(t,null)},Wt=function(e,n,r){var i,o,a,s=r||Rt(e),u=s?s.getPropertyValue(n)||s[n]:t,l=e.style;return s&&(""!==u||b.contains(e.ownerDocument,e)||(u=b.style(e,n)),Yt.test(u)&&Ut.test(n)&&(i=l.width,o=l.minWidth,a=l.maxWidth,l.minWidth=l.maxWidth=l.width=u,u=s.width,l.width=i,l.minWidth=o,l.maxWidth=a)),u}):o.documentElement.currentStyle&&(Rt=function(e){return e.currentStyle},Wt=function(e,n,r){var i,o,a,s=r||Rt(e),u=s?s[n]:t,l=e.style;return null==u&&l&&l[n]&&(u=l[n]),Yt.test(u)&&!zt.test(n)&&(i=l.left,o=e.runtimeStyle,a=o&&o.left,a&&(o.left=e.currentStyle.left),l.left="fontSize"===n?"1em":u,u=l.pixelLeft+"px",l.left=i,a&&(o.left=a)),""===u?"auto":u});function on(e,t,n){var r=Vt.exec(t);return r?Math.max(0,r[1]-(n||0))+(r[2]||"px"):t}function an(e,t,n,r,i){var o=n===(r?"border":"content")?4:"width"===t?1:0,a=0;for(;4>o;o+=2)"margin"===n&&(a+=b.css(e,n+Zt[o],!0,i)),r?("content"===n&&(a-=b.css(e,"padding"+Zt[o],!0,i)),"margin"!==n&&(a-=b.css(e,"border"+Zt[o]+"Width",!0,i))):(a+=b.css(e,"padding"+Zt[o],!0,i),"padding"!==n&&(a+=b.css(e,"border"+Zt[o]+"Width",!0,i)));return a}function sn(e,t,n){var r=!0,i="width"===t?e.offsetWidth:e.offsetHeight,o=Rt(e),a=b.support.boxSizing&&"border-box"===b.css(e,"boxSizing",!1,o);if(0>=i||null==i){if(i=Wt(e,t,o),(0>i||null==i)&&(i=e.style[t]),Yt.test(i))return i;r=a&&(b.support.boxSizingReliable||i===e.style[t]),i=parseFloat(i)||0}return i+an(e,t,n||(a?"border":"content"),r,o)+"px"}function un(e){var t=o,n=Gt[e];return n||(n=ln(e,t),"none"!==n&&n||(Pt=(Pt||b("<iframe frameborder='0' width='0' height='0'/>").css("cssText","display:block !important")).appendTo(t.documentElement),t=(Pt[0].contentWindow||Pt[0].contentDocument).document,t.write("<!doctype html><html><body>"),t.close(),n=ln(e,t),Pt.detach()),Gt[e]=n),n}function ln(e,t){var n=b(t.createElement(e)).appendTo(t.body),r=b.css(n[0],"display");return n.remove(),r}b.each(["height","width"],function(e,n){b.cssHooks[n]={get:function(e,r,i){return r?0===e.offsetWidth&&Xt.test(b.css(e,"display"))?b.swap(e,Qt,function(){return sn(e,n,i)}):sn(e,n,i):t},set:function(e,t,r){var i=r&&Rt(e);return on(e,t,r?an(e,n,r,b.support.boxSizing&&"border-box"===b.css(e,"boxSizing",!1,i),i):0)}}}),b.support.opacity||(b.cssHooks.opacity={get:function(e,t){return It.test((t&&e.currentStyle?e.currentStyle.filter:e.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":t?"1":""},set:function(e,t){var n=e.style,r=e.currentStyle,i=b.isNumeric(t)?"alpha(opacity="+100*t+")":"",o=r&&r.filter||n.filter||"";n.zoom=1,(t>=1||""===t)&&""===b.trim(o.replace($t,""))&&n.removeAttribute&&(n.removeAttribute("filter"),""===t||r&&!r.filter)||(n.filter=$t.test(o)?o.replace($t,i):o+" "+i)}}),b(function(){b.support.reliableMarginRight||(b.cssHooks.marginRight={get:function(e,n){return n?b.swap(e,{display:"inline-block"},Wt,[e,"marginRight"]):t}}),!b.support.pixelPosition&&b.fn.position&&b.each(["top","left"],function(e,n){b.cssHooks[n]={get:function(e,r){return r?(r=Wt(e,n),Yt.test(r)?b(e).position()[n]+"px":r):t}}})}),b.expr&&b.expr.filters&&(b.expr.filters.hidden=function(e){return 0>=e.offsetWidth&&0>=e.offsetHeight||!b.support.reliableHiddenOffsets&&"none"===(e.style&&e.style.display||b.css(e,"display"))},b.expr.filters.visible=function(e){return!b.expr.filters.hidden(e)}),b.each({margin:"",padding:"",border:"Width"},function(e,t){b.cssHooks[e+t]={expand:function(n){var r=0,i={},o="string"==typeof n?n.split(" "):[n];for(;4>r;r++)i[e+Zt[r]+t]=o[r]||o[r-2]||o[0];return i}},Ut.test(e)||(b.cssHooks[e+t].set=on)});var cn=/%20/g,pn=/\[\]$/,fn=/\r?\n/g,dn=/^(?:submit|button|image|reset|file)$/i,hn=/^(?:input|select|textarea|keygen)/i;b.fn.extend({serialize:function(){return b.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var e=b.prop(this,"elements");return e?b.makeArray(e):this}).filter(function(){var e=this.type;return this.name&&!b(this).is(":disabled")&&hn.test(this.nodeName)&&!dn.test(e)&&(this.checked||!Nt.test(e))}).map(function(e,t){var n=b(this).val();return null==n?null:b.isArray(n)?b.map(n,function(e){return{name:t.name,value:e.replace(fn,"\r\n")}}):{name:t.name,value:n.replace(fn,"\r\n")}}).get()}}),b.param=function(e,n){var r,i=[],o=function(e,t){t=b.isFunction(t)?t():null==t?"":t,i[i.length]=encodeURIComponent(e)+"="+encodeURIComponent(t)};if(n===t&&(n=b.ajaxSettings&&b.ajaxSettings.traditional),b.isArray(e)||e.jquery&&!b.isPlainObject(e))b.each(e,function(){o(this.name,this.value)});else for(r in e)gn(r,e[r],n,o);return i.join("&").replace(cn,"+")};function gn(e,t,n,r){var i;if(b.isArray(t))b.each(t,function(t,i){n||pn.test(e)?r(e,i):gn(e+"["+("object"==typeof i?t:"")+"]",i,n,r)});else if(n||"object"!==b.type(t))r(e,t);else for(i in t)gn(e+"["+i+"]",t[i],n,r)}b.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(e,t){b.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),b.fn.hover=function(e,t){return this.mouseenter(e).mouseleave(t||e)};var mn,yn,vn=b.now(),bn=/\?/,xn=/#.*$/,wn=/([?&])_=[^&]*/,Tn=/^(.*?):[ \t]*([^\r\n]*)\r?$/gm,Nn=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Cn=/^(?:GET|HEAD)$/,kn=/^\/\//,En=/^([\w.+-]+:)(?:\/\/([^\/?#:]*)(?::(\d+)|)|)/,Sn=b.fn.load,An={},jn={},Dn="*/".concat("*");try{yn=a.href}catch(Ln){yn=o.createElement("a"),yn.href="",yn=yn.href}mn=En.exec(yn.toLowerCase())||[];function Hn(e){return function(t,n){"string"!=typeof t&&(n=t,t="*");var r,i=0,o=t.toLowerCase().match(w)||[];if(b.isFunction(n))while(r=o[i++])"+"===r[0]?(r=r.slice(1)||"*",(e[r]=e[r]||[]).unshift(n)):(e[r]=e[r]||[]).push(n)}}function qn(e,n,r,i){var o={},a=e===jn;function s(u){var l;return o[u]=!0,b.each(e[u]||[],function(e,u){var c=u(n,r,i);return"string"!=typeof c||a||o[c]?a?!(l=c):t:(n.dataTypes.unshift(c),s(c),!1)}),l}return s(n.dataTypes[0])||!o["*"]&&s("*")}function Mn(e,n){var r,i,o=b.ajaxSettings.flatOptions||{};for(i in n)n[i]!==t&&((o[i]?e:r||(r={}))[i]=n[i]);return r&&b.extend(!0,e,r),e}b.fn.load=function(e,n,r){if("string"!=typeof e&&Sn)return Sn.apply(this,arguments);var i,o,a,s=this,u=e.indexOf(" ");return u>=0&&(i=e.slice(u,e.length),e=e.slice(0,u)),b.isFunction(n)?(r=n,n=t):n&&"object"==typeof n&&(a="POST"),s.length>0&&b.ajax({url:e,type:a,dataType:"html",data:n}).done(function(e){o=arguments,s.html(i?b("<div>").append(b.parseHTML(e)).find(i):e)}).complete(r&&function(e,t){s.each(r,o||[e.responseText,t,e])}),this},b.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(e,t){b.fn[t]=function(e){return this.on(t,e)}}),b.each(["get","post"],function(e,n){b[n]=function(e,r,i,o){return b.isFunction(r)&&(o=o||i,i=r,r=t),b.ajax({url:e,type:n,dataType:o,data:r,success:i})}}),b.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:yn,type:"GET",isLocal:Nn.test(mn[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Dn,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/xml/,html:/html/,json:/json/},responseFields:{xml:"responseXML",text:"responseText"},converters:{"* text":e.String,"text html":!0,"text json":b.parseJSON,"text xml":b.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(e,t){return t?Mn(Mn(e,b.ajaxSettings),t):Mn(b.ajaxSettings,e)},ajaxPrefilter:Hn(An),ajaxTransport:Hn(jn),ajax:function(e,n){"object"==typeof e&&(n=e,e=t),n=n||{};var r,i,o,a,s,u,l,c,p=b.ajaxSetup({},n),f=p.context||p,d=p.context&&(f.nodeType||f.jquery)?b(f):b.event,h=b.Deferred(),g=b.Callbacks("once memory"),m=p.statusCode||{},y={},v={},x=0,T="canceled",N={readyState:0,getResponseHeader:function(e){var t;if(2===x){if(!c){c={};while(t=Tn.exec(a))c[t[1].toLowerCase()]=t[2]}t=c[e.toLowerCase()]}return null==t?null:t},getAllResponseHeaders:function(){return 2===x?a:null},setRequestHeader:function(e,t){var n=e.toLowerCase();return x||(e=v[n]=v[n]||e,y[e]=t),this},overrideMimeType:function(e){return x||(p.mimeType=e),this},statusCode:function(e){var t;if(e)if(2>x)for(t in e)m[t]=[m[t],e[t]];else N.always(e[N.status]);return this},abort:function(e){var t=e||T;return l&&l.abort(t),k(0,t),this}};if(h.promise(N).complete=g.add,N.success=N.done,N.error=N.fail,p.url=((e||p.url||yn)+"").replace(xn,"").replace(kn,mn[1]+"//"),p.type=n.method||n.type||p.method||p.type,p.dataTypes=b.trim(p.dataType||"*").toLowerCase().match(w)||[""],null==p.crossDomain&&(r=En.exec(p.url.toLowerCase()),p.crossDomain=!(!r||r[1]===mn[1]&&r[2]===mn[2]&&(r[3]||("http:"===r[1]?80:443))==(mn[3]||("http:"===mn[1]?80:443)))),p.data&&p.processData&&"string"!=typeof p.data&&(p.data=b.param(p.data,p.traditional)),qn(An,p,n,N),2===x)return N;u=p.global,u&&0===b.active++&&b.event.trigger("ajaxStart"),p.type=p.type.toUpperCase(),p.hasContent=!Cn.test(p.type),o=p.url,p.hasContent||(p.data&&(o=p.url+=(bn.test(o)?"&":"?")+p.data,delete p.data),p.cache===!1&&(p.url=wn.test(o)?o.replace(wn,"$1_="+vn++):o+(bn.test(o)?"&":"?")+"_="+vn++)),p.ifModified&&(b.lastModified[o]&&N.setRequestHeader("If-Modified-Since",b.lastModified[o]),b.etag[o]&&N.setRequestHeader("If-None-Match",b.etag[o])),(p.data&&p.hasContent&&p.contentType!==!1||n.contentType)&&N.setRequestHeader("Content-Type",p.contentType),N.setRequestHeader("Accept",p.dataTypes[0]&&p.accepts[p.dataTypes[0]]?p.accepts[p.dataTypes[0]]+("*"!==p.dataTypes[0]?", "+Dn+"; q=0.01":""):p.accepts["*"]);for(i in p.headers)N.setRequestHeader(i,p.headers[i]);if(p.beforeSend&&(p.beforeSend.call(f,N,p)===!1||2===x))return N.abort();T="abort";for(i in{success:1,error:1,complete:1})N[i](p[i]);if(l=qn(jn,p,n,N)){N.readyState=1,u&&d.trigger("ajaxSend",[N,p]),p.async&&p.timeout>0&&(s=setTimeout(function(){N.abort("timeout")},p.timeout));try{x=1,l.send(y,k)}catch(C){if(!(2>x))throw C;k(-1,C)}}else k(-1,"No Transport");function k(e,n,r,i){var c,y,v,w,T,C=n;2!==x&&(x=2,s&&clearTimeout(s),l=t,a=i||"",N.readyState=e>0?4:0,r&&(w=_n(p,N,r)),e>=200&&300>e||304===e?(p.ifModified&&(T=N.getResponseHeader("Last-Modified"),T&&(b.lastModified[o]=T),T=N.getResponseHeader("etag"),T&&(b.etag[o]=T)),204===e?(c=!0,C="nocontent"):304===e?(c=!0,C="notmodified"):(c=Fn(p,w),C=c.state,y=c.data,v=c.error,c=!v)):(v=C,(e||!C)&&(C="error",0>e&&(e=0))),N.status=e,N.statusText=(n||C)+"",c?h.resolveWith(f,[y,C,N]):h.rejectWith(f,[N,C,v]),N.statusCode(m),m=t,u&&d.trigger(c?"ajaxSuccess":"ajaxError",[N,p,c?y:v]),g.fireWith(f,[N,C]),u&&(d.trigger("ajaxComplete",[N,p]),--b.active||b.event.trigger("ajaxStop")))}return N},getScript:function(e,n){return b.get(e,t,n,"script")},getJSON:function(e,t,n){return b.get(e,t,n,"json")}});function _n(e,n,r){var i,o,a,s,u=e.contents,l=e.dataTypes,c=e.responseFields;for(s in c)s in r&&(n[c[s]]=r[s]);while("*"===l[0])l.shift(),o===t&&(o=e.mimeType||n.getResponseHeader("Content-Type"));if(o)for(s in u)if(u[s]&&u[s].test(o)){l.unshift(s);break}if(l[0]in r)a=l[0];else{for(s in r){if(!l[0]||e.converters[s+" "+l[0]]){a=s;break}i||(i=s)}a=a||i}return a?(a!==l[0]&&l.unshift(a),r[a]):t}function Fn(e,t){var n,r,i,o,a={},s=0,u=e.dataTypes.slice(),l=u[0];if(e.dataFilter&&(t=e.dataFilter(t,e.dataType)),u[1])for(i in e.converters)a[i.toLowerCase()]=e.converters[i];for(;r=u[++s];)if("*"!==r){if("*"!==l&&l!==r){if(i=a[l+" "+r]||a["* "+r],!i)for(n in a)if(o=n.split(" "),o[1]===r&&(i=a[l+" "+o[0]]||a["* "+o[0]])){i===!0?i=a[n]:a[n]!==!0&&(r=o[0],u.splice(s--,0,r));break}if(i!==!0)if(i&&e["throws"])t=i(t);else try{t=i(t)}catch(c){return{state:"parsererror",error:i?c:"No conversion from "+l+" to "+r}}}l=r}return{state:"success",data:t}}b.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/(?:java|ecma)script/},converters:{"text script":function(e){return b.globalEval(e),e}}}),b.ajaxPrefilter("script",function(e){e.cache===t&&(e.cache=!1),e.crossDomain&&(e.type="GET",e.global=!1)}),b.ajaxTransport("script",function(e){if(e.crossDomain){var n,r=o.head||b("head")[0]||o.documentElement;return{send:function(t,i){n=o.createElement("script"),n.async=!0,e.scriptCharset&&(n.charset=e.scriptCharset),n.src=e.url,n.onload=n.onreadystatechange=function(e,t){(t||!n.readyState||/loaded|complete/.test(n.readyState))&&(n.onload=n.onreadystatechange=null,n.parentNode&&n.parentNode.removeChild(n),n=null,t||i(200,"success"))},r.insertBefore(n,r.firstChild)},abort:function(){n&&n.onload(t,!0)}}}});var On=[],Bn=/(=)\?(?=&|$)|\?\?/;b.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var e=On.pop()||b.expando+"_"+vn++;return this[e]=!0,e}}),b.ajaxPrefilter("json jsonp",function(n,r,i){var o,a,s,u=n.jsonp!==!1&&(Bn.test(n.url)?"url":"string"==typeof n.data&&!(n.contentType||"").indexOf("application/x-www-form-urlencoded")&&Bn.test(n.data)&&"data");return u||"jsonp"===n.dataTypes[0]?(o=n.jsonpCallback=b.isFunction(n.jsonpCallback)?n.jsonpCallback():n.jsonpCallback,u?n[u]=n[u].replace(Bn,"$1"+o):n.jsonp!==!1&&(n.url+=(bn.test(n.url)?"&":"?")+n.jsonp+"="+o),n.converters["script json"]=function(){return s||b.error(o+" was not called"),s[0]},n.dataTypes[0]="json",a=e[o],e[o]=function(){s=arguments},i.always(function(){e[o]=a,n[o]&&(n.jsonpCallback=r.jsonpCallback,On.push(o)),s&&b.isFunction(a)&&a(s[0]),s=a=t}),"script"):t});var Pn,Rn,Wn=0,$n=e.ActiveXObject&&function(){var e;for(e in Pn)Pn[e](t,!0)};function In(){try{return new e.XMLHttpRequest}catch(t){}}function zn(){try{return new e.ActiveXObject("Microsoft.XMLHTTP")}catch(t){}}b.ajaxSettings.xhr=e.ActiveXObject?function(){return!this.isLocal&&In()||zn()}:In,Rn=b.ajaxSettings.xhr(),b.support.cors=!!Rn&&"withCredentials"in Rn,Rn=b.support.ajax=!!Rn,Rn&&b.ajaxTransport(function(n){if(!n.crossDomain||b.support.cors){var r;return{send:function(i,o){var a,s,u=n.xhr();if(n.username?u.open(n.type,n.url,n.async,n.username,n.password):u.open(n.type,n.url,n.async),n.xhrFields)for(s in n.xhrFields)u[s]=n.xhrFields[s];n.mimeType&&u.overrideMimeType&&u.overrideMimeType(n.mimeType),n.crossDomain||i["X-Requested-With"]||(i["X-Requested-With"]="XMLHttpRequest");try{for(s in i)u.setRequestHeader(s,i[s])}catch(l){}u.send(n.hasContent&&n.data||null),r=function(e,i){var s,l,c,p;try{if(r&&(i||4===u.readyState))if(r=t,a&&(u.onreadystatechange=b.noop,$n&&delete Pn[a]),i)4!==u.readyState&&u.abort();else{p={},s=u.status,l=u.getAllResponseHeaders(),"string"==typeof u.responseText&&(p.text=u.responseText);try{c=u.statusText}catch(f){c=""}s||!n.isLocal||n.crossDomain?1223===s&&(s=204):s=p.text?200:404}}catch(d){i||o(-1,d)}p&&o(s,c,p,l)},n.async?4===u.readyState?setTimeout(r):(a=++Wn,$n&&(Pn||(Pn={},b(e).unload($n)),Pn[a]=r),u.onreadystatechange=r):r()},abort:function(){r&&r(t,!0)}}}});var Xn,Un,Vn=/^(?:toggle|show|hide)$/,Yn=RegExp("^(?:([+-])=|)("+x+")([a-z%]*)$","i"),Jn=/queueHooks$/,Gn=[nr],Qn={"*":[function(e,t){var n,r,i=this.createTween(e,t),o=Yn.exec(t),a=i.cur(),s=+a||0,u=1,l=20;if(o){if(n=+o[2],r=o[3]||(b.cssNumber[e]?"":"px"),"px"!==r&&s){s=b.css(i.elem,e,!0)||n||1;do u=u||".5",s/=u,b.style(i.elem,e,s+r);while(u!==(u=i.cur()/a)&&1!==u&&--l)}i.unit=r,i.start=s,i.end=o[1]?s+(o[1]+1)*n:n}return i}]};function Kn(){return setTimeout(function(){Xn=t}),Xn=b.now()}function Zn(e,t){b.each(t,function(t,n){var r=(Qn[t]||[]).concat(Qn["*"]),i=0,o=r.length;for(;o>i;i++)if(r[i].call(e,t,n))return})}function er(e,t,n){var r,i,o=0,a=Gn.length,s=b.Deferred().always(function(){delete u.elem}),u=function(){if(i)return!1;var t=Xn||Kn(),n=Math.max(0,l.startTime+l.duration-t),r=n/l.duration||0,o=1-r,a=0,u=l.tweens.length;for(;u>a;a++)l.tweens[a].run(o);return s.notifyWith(e,[l,o,n]),1>o&&u?n:(s.resolveWith(e,[l]),!1)},l=s.promise({elem:e,props:b.extend({},t),opts:b.extend(!0,{specialEasing:{}},n),originalProperties:t,originalOptions:n,startTime:Xn||Kn(),duration:n.duration,tweens:[],createTween:function(t,n){var r=b.Tween(e,l.opts,t,n,l.opts.specialEasing[t]||l.opts.easing);return l.tweens.push(r),r},stop:function(t){var n=0,r=t?l.tweens.length:0;if(i)return this;for(i=!0;r>n;n++)l.tweens[n].run(1);return t?s.resolveWith(e,[l,t]):s.rejectWith(e,[l,t]),this}}),c=l.props;for(tr(c,l.opts.specialEasing);a>o;o++)if(r=Gn[o].call(l,e,c,l.opts))return r;return Zn(l,c),b.isFunction(l.opts.start)&&l.opts.start.call(e,l),b.fx.timer(b.extend(u,{elem:e,anim:l,queue:l.opts.queue})),l.progress(l.opts.progress).done(l.opts.done,l.opts.complete).fail(l.opts.fail).always(l.opts.always)}function tr(e,t){var n,r,i,o,a;for(i in e)if(r=b.camelCase(i),o=t[r],n=e[i],b.isArray(n)&&(o=n[1],n=e[i]=n[0]),i!==r&&(e[r]=n,delete e[i]),a=b.cssHooks[r],a&&"expand"in a){n=a.expand(n),delete e[r];for(i in n)i in e||(e[i]=n[i],t[i]=o)}else t[r]=o}b.Animation=b.extend(er,{tweener:function(e,t){b.isFunction(e)?(t=e,e=["*"]):e=e.split(" ");var n,r=0,i=e.length;for(;i>r;r++)n=e[r],Qn[n]=Qn[n]||[],Qn[n].unshift(t)},prefilter:function(e,t){t?Gn.unshift(e):Gn.push(e)}});function nr(e,t,n){var r,i,o,a,s,u,l,c,p,f=this,d=e.style,h={},g=[],m=e.nodeType&&nn(e);n.queue||(c=b._queueHooks(e,"fx"),null==c.unqueued&&(c.unqueued=0,p=c.empty.fire,c.empty.fire=function(){c.unqueued||p()}),c.unqueued++,f.always(function(){f.always(function(){c.unqueued--,b.queue(e,"fx").length||c.empty.fire()})})),1===e.nodeType&&("height"in t||"width"in t)&&(n.overflow=[d.overflow,d.overflowX,d.overflowY],"inline"===b.css(e,"display")&&"none"===b.css(e,"float")&&(b.support.inlineBlockNeedsLayout&&"inline"!==un(e.nodeName)?d.zoom=1:d.display="inline-block")),n.overflow&&(d.overflow="hidden",b.support.shrinkWrapBlocks||f.always(function(){d.overflow=n.overflow[0],d.overflowX=n.overflow[1],d.overflowY=n.overflow[2]}));for(i in t)if(a=t[i],Vn.exec(a)){if(delete t[i],u=u||"toggle"===a,a===(m?"hide":"show"))continue;g.push(i)}if(o=g.length){s=b._data(e,"fxshow")||b._data(e,"fxshow",{}),"hidden"in s&&(m=s.hidden),u&&(s.hidden=!m),m?b(e).show():f.done(function(){b(e).hide()}),f.done(function(){var t;b._removeData(e,"fxshow");for(t in h)b.style(e,t,h[t])});for(i=0;o>i;i++)r=g[i],l=f.createTween(r,m?s[r]:0),h[r]=s[r]||b.style(e,r),r in s||(s[r]=l.start,m&&(l.end=l.start,l.start="width"===r||"height"===r?1:0))}}function rr(e,t,n,r,i){return new rr.prototype.init(e,t,n,r,i)}b.Tween=rr,rr.prototype={constructor:rr,init:function(e,t,n,r,i,o){this.elem=e,this.prop=n,this.easing=i||"swing",this.options=t,this.start=this.now=this.cur(),this.end=r,this.unit=o||(b.cssNumber[n]?"":"px")},cur:function(){var e=rr.propHooks[this.prop];return e&&e.get?e.get(this):rr.propHooks._default.get(this)},run:function(e){var t,n=rr.propHooks[this.prop];return this.pos=t=this.options.duration?b.easing[this.easing](e,this.options.duration*e,0,1,this.options.duration):e,this.now=(this.end-this.start)*t+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),n&&n.set?n.set(this):rr.propHooks._default.set(this),this}},rr.prototype.init.prototype=rr.prototype,rr.propHooks={_default:{get:function(e){var t;return null==e.elem[e.prop]||e.elem.style&&null!=e.elem.style[e.prop]?(t=b.css(e.elem,e.prop,""),t&&"auto"!==t?t:0):e.elem[e.prop]},set:function(e){b.fx.step[e.prop]?b.fx.step[e.prop](e):e.elem.style&&(null!=e.elem.style[b.cssProps[e.prop]]||b.cssHooks[e.prop])?b.style(e.elem,e.prop,e.now+e.unit):e.elem[e.prop]=e.now}}},rr.propHooks.scrollTop=rr.propHooks.scrollLeft={set:function(e){e.elem.nodeType&&e.elem.parentNode&&(e.elem[e.prop]=e.now)}},b.each(["toggle","show","hide"],function(e,t){var n=b.fn[t];b.fn[t]=function(e,r,i){return null==e||"boolean"==typeof e?n.apply(this,arguments):this.animate(ir(t,!0),e,r,i)}}),b.fn.extend({fadeTo:function(e,t,n,r){return this.filter(nn).css("opacity",0).show().end().animate({opacity:t},e,n,r)},animate:function(e,t,n,r){var i=b.isEmptyObject(e),o=b.speed(t,n,r),a=function(){var t=er(this,b.extend({},e),o);a.finish=function(){t.stop(!0)},(i||b._data(this,"finish"))&&t.stop(!0)};return a.finish=a,i||o.queue===!1?this.each(a):this.queue(o.queue,a)},stop:function(e,n,r){var i=function(e){var t=e.stop;delete e.stop,t(r)};return"string"!=typeof e&&(r=n,n=e,e=t),n&&e!==!1&&this.queue(e||"fx",[]),this.each(function(){var t=!0,n=null!=e&&e+"queueHooks",o=b.timers,a=b._data(this);if(n)a[n]&&a[n].stop&&i(a[n]);else for(n in a)a[n]&&a[n].stop&&Jn.test(n)&&i(a[n]);for(n=o.length;n--;)o[n].elem!==this||null!=e&&o[n].queue!==e||(o[n].anim.stop(r),t=!1,o.splice(n,1));(t||!r)&&b.dequeue(this,e)})},finish:function(e){return e!==!1&&(e=e||"fx"),this.each(function(){var t,n=b._data(this),r=n[e+"queue"],i=n[e+"queueHooks"],o=b.timers,a=r?r.length:0;for(n.finish=!0,b.queue(this,e,[]),i&&i.cur&&i.cur.finish&&i.cur.finish.call(this),t=o.length;t--;)o[t].elem===this&&o[t].queue===e&&(o[t].anim.stop(!0),o.splice(t,1));for(t=0;a>t;t++)r[t]&&r[t].finish&&r[t].finish.call(this);delete n.finish})}});function ir(e,t){var n,r={height:e},i=0;for(t=t?1:0;4>i;i+=2-t)n=Zt[i],r["margin"+n]=r["padding"+n]=e;return t&&(r.opacity=r.width=e),r}b.each({slideDown:ir("show"),slideUp:ir("hide"),slideToggle:ir("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(e,t){b.fn[e]=function(e,n,r){return this.animate(t,e,n,r)}}),b.speed=function(e,t,n){var r=e&&"object"==typeof e?b.extend({},e):{complete:n||!n&&t||b.isFunction(e)&&e,duration:e,easing:n&&t||t&&!b.isFunction(t)&&t};return r.duration=b.fx.off?0:"number"==typeof r.duration?r.duration:r.duration in b.fx.speeds?b.fx.speeds[r.duration]:b.fx.speeds._default,(null==r.queue||r.queue===!0)&&(r.queue="fx"),r.old=r.complete,r.complete=function(){b.isFunction(r.old)&&r.old.call(this),r.queue&&b.dequeue(this,r.queue)},r},b.easing={linear:function(e){return e},swing:function(e){return.5-Math.cos(e*Math.PI)/2}},b.timers=[],b.fx=rr.prototype.init,b.fx.tick=function(){var e,n=b.timers,r=0;for(Xn=b.now();n.length>r;r++)e=n[r],e()||n[r]!==e||n.splice(r--,1);n.length||b.fx.stop(),Xn=t},b.fx.timer=function(e){e()&&b.timers.push(e)&&b.fx.start()},b.fx.interval=13,b.fx.start=function(){Un||(Un=setInterval(b.fx.tick,b.fx.interval))},b.fx.stop=function(){clearInterval(Un),Un=null},b.fx.speeds={slow:600,fast:200,_default:400},b.fx.step={},b.expr&&b.expr.filters&&(b.expr.filters.animated=function(e){return b.grep(b.timers,function(t){return e===t.elem}).length}),b.fn.offset=function(e){if(arguments.length)return e===t?this:this.each(function(t){b.offset.setOffset(this,e,t)});var n,r,o={top:0,left:0},a=this[0],s=a&&a.ownerDocument;if(s)return n=s.documentElement,b.contains(n,a)?(typeof a.getBoundingClientRect!==i&&(o=a.getBoundingClientRect()),r=or(s),{top:o.top+(r.pageYOffset||n.scrollTop)-(n.clientTop||0),left:o.left+(r.pageXOffset||n.scrollLeft)-(n.clientLeft||0)}):o},b.offset={setOffset:function(e,t,n){var r=b.css(e,"position");"static"===r&&(e.style.position="relative");var i=b(e),o=i.offset(),a=b.css(e,"top"),s=b.css(e,"left"),u=("absolute"===r||"fixed"===r)&&b.inArray("auto",[a,s])>-1,l={},c={},p,f;u?(c=i.position(),p=c.top,f=c.left):(p=parseFloat(a)||0,f=parseFloat(s)||0),b.isFunction(t)&&(t=t.call(e,n,o)),null!=t.top&&(l.top=t.top-o.top+p),null!=t.left&&(l.left=t.left-o.left+f),"using"in t?t.using.call(e,l):i.css(l)}},b.fn.extend({position:function(){if(this[0]){var e,t,n={top:0,left:0},r=this[0];return"fixed"===b.css(r,"position")?t=r.getBoundingClientRect():(e=this.offsetParent(),t=this.offset(),b.nodeName(e[0],"html")||(n=e.offset()),n.top+=b.css(e[0],"borderTopWidth",!0),n.left+=b.css(e[0],"borderLeftWidth",!0)),{top:t.top-n.top-b.css(r,"marginTop",!0),left:t.left-n.left-b.css(r,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var e=this.offsetParent||o.documentElement;while(e&&!b.nodeName(e,"html")&&"static"===b.css(e,"position"))e=e.offsetParent;return e||o.documentElement})}}),b.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(e,n){var r=/Y/.test(n);b.fn[e]=function(i){return b.access(this,function(e,i,o){var a=or(e);return o===t?a?n in a?a[n]:a.document.documentElement[i]:e[i]:(a?a.scrollTo(r?b(a).scrollLeft():o,r?o:b(a).scrollTop()):e[i]=o,t)},e,i,arguments.length,null)}});function or(e){return b.isWindow(e)?e:9===e.nodeType?e.defaultView||e.parentWindow:!1}b.each({Height:"height",Width:"width"},function(e,n){b.each({padding:"inner"+e,content:n,"":"outer"+e},function(r,i){b.fn[i]=function(i,o){var a=arguments.length&&(r||"boolean"!=typeof i),s=r||(i===!0||o===!0?"margin":"border");return b.access(this,function(n,r,i){var o;return b.isWindow(n)?n.document.documentElement["client"+e]:9===n.nodeType?(o=n.documentElement,Math.max(n.body["scroll"+e],o["scroll"+e],n.body["offset"+e],o["offset"+e],o["client"+e])):i===t?b.css(n,r,s):b.style(n,r,i,s)},n,a?i:t,a,null)}})}),e.jQuery=e.$=b,"function"==typeof define&&define.amd&&define.amd.jQuery&&define("jquery",[],function(){return b})})(window);
diff --git a/inc/modernizr-2.0.js b/inc/modernizr-2.0.js
new file mode 100644
index 0000000..9dca7b0
--- /dev/null
+++ b/inc/modernizr-2.0.js
@@ -0,0 +1,5 @@
+/* Modernizr 2.6.2 (Custom Build) | MIT & BSD
+ * Build: http://modernizr.com/download/#-video-mq-cssclasses-teststyles-testprop-testallprops-prefixes-domprefixes-load
+ */
+;window.Modernizr=function(a,b,c){function A(a){j.cssText=a}function B(a,b){return A(m.join(a+";")+(b||""))}function C(a,b){return typeof a===b}function D(a,b){return!!~(""+a).indexOf(b)}function E(a,b){for(var d in a){var e=a[d];if(!D(e,"-")&&j[e]!==c)return b=="pfx"?e:!0}return!1}function F(a,b,d){for(var e in a){var f=b[a[e]];if(f!==c)return d===!1?a[e]:C(f,"function")?f.bind(d||b):f}return!1}function G(a,b,c){var d=a.charAt(0).toUpperCase()+a.slice(1),e=(a+" "+o.join(d+" ")+d).split(" ");return C(b,"string")||C(b,"undefined")?E(e,b):(e=(a+" "+p.join(d+" ")+d).split(" "),F(e,b,c))}var d="2.6.2",e={},f=!0,g=b.documentElement,h="modernizr",i=b.createElement(h),j=i.style,k,l={}.toString,m=" -webkit- -moz- -o- -ms- ".split(" "),n="Webkit Moz O ms",o=n.split(" "),p=n.toLowerCase().split(" "),q={},r={},s={},t=[],u=t.slice,v,w=function(a,c,d,e){var f,i,j,k,l=b.createElement("div"),m=b.body,n=m||b.createElement("body");if(parseInt(d,10))while(d--)j=b.createElement("div"),j.id=e?e[d]:h+(d+1),l.appendChild(j);return f=["&#173;",'<style id="s',h,'">',a,"</style>"].join(""),l.id=h,(m?l:n).innerHTML+=f,n.appendChild(l),m||(n.style.background="",n.style.overflow="hidden",k=g.style.overflow,g.style.overflow="hidden",g.appendChild(n)),i=c(l,a),m?l.parentNode.removeChild(l):(n.parentNode.removeChild(n),g.style.overflow=k),!!i},x=function(b){var c=a.matchMedia||a.msMatchMedia;if(c)return c(b).matches;var d;return w("@media "+b+" { #"+h+" { position: absolute; } }",function(b){d=(a.getComputedStyle?getComputedStyle(b,null):b.currentStyle)["position"]=="absolute"}),d},y={}.hasOwnProperty,z;!C(y,"undefined")&&!C(y.call,"undefined")?z=function(a,b){return y.call(a,b)}:z=function(a,b){return b in a&&C(a.constructor.prototype[b],"undefined")},Function.prototype.bind||(Function.prototype.bind=function(b){var c=this;if(typeof c!="function")throw new TypeError;var d=u.call(arguments,1),e=function(){if(this instanceof e){var a=function(){};a.prototype=c.prototype;var f=new a,g=c.apply(f,d.concat(u.call(arguments)));return Object(g)===g?g:f}return c.apply(b,d.concat(u.call(arguments)))};return e}),q.video=function(){var a=b.createElement("video"),c=!1;try{if(c=!!a.canPlayType)c=new Boolean(c),c.ogg=a.canPlayType('video/ogg; codecs="theora"').replace(/^no$/,""),c.h264=a.canPlayType('video/mp4; codecs="avc1.42E01E"').replace(/^no$/,""),c.webm=a.canPlayType('video/webm; codecs="vp8, vorbis"').replace(/^no$/,"")}catch(d){}return c};for(var H in q)z(q,H)&&(v=H.toLowerCase(),e[v]=q[H](),t.push((e[v]?"":"no-")+v));return e.addTest=function(a,b){if(typeof a=="object")for(var d in a)z(a,d)&&e.addTest(d,a[d]);else{a=a.toLowerCase();if(e[a]!==c)return e;b=typeof b=="function"?b():b,typeof f!="undefined"&&f&&(g.className+=" "+(b?"":"no-")+a),e[a]=b}return e},A(""),i=k=null,e._version=d,e._prefixes=m,e._domPrefixes=p,e._cssomPrefixes=o,e.mq=x,e.testProp=function(a){return E([a])},e.testAllProps=G,e.testStyles=w,g.className=g.className.replace(/(^|\s)no-js(\s|$)/,"$1$2")+(f?" js "+t.join(" "):""),e}(this,this.document),function(a,b,c){function d(a){return"[object Function]"==o.call(a)}function e(a){return"string"==typeof a}function f(){}function g(a){return!a||"loaded"==a||"complete"==a||"uninitialized"==a}function h(){var a=p.shift();q=1,a?a.t?m(function(){("c"==a.t?B.injectCss:B.injectJs)(a.s,0,a.a,a.x,a.e,1)},0):(a(),h()):q=0}function i(a,c,d,e,f,i,j){function k(b){if(!o&&g(l.readyState)&&(u.r=o=1,!q&&h(),l.onload=l.onreadystatechange=null,b)){"img"!=a&&m(function(){t.removeChild(l)},50);for(var d in y[c])y[c].hasOwnProperty(d)&&y[c][d].onload()}}var j=j||B.errorTimeout,l=b.createElement(a),o=0,r=0,u={t:d,s:c,e:f,a:i,x:j};1===y[c]&&(r=1,y[c]=[]),"object"==a?l.data=c:(l.src=c,l.type=a),l.width=l.height="0",l.onerror=l.onload=l.onreadystatechange=function(){k.call(this,r)},p.splice(e,0,u),"img"!=a&&(r||2===y[c]?(t.insertBefore(l,s?null:n),m(k,j)):y[c].push(l))}function j(a,b,c,d,f){return q=0,b=b||"j",e(a)?i("c"==b?v:u,a,b,this.i++,c,d,f):(p.splice(this.i++,0,a),1==p.length&&h()),this}function k(){var a=B;return a.loader={load:j,i:0},a}var l=b.documentElement,m=a.setTimeout,n=b.getElementsByTagName("script")[0],o={}.toString,p=[],q=0,r="MozAppearance"in l.style,s=r&&!!b.createRange().compareNode,t=s?l:n.parentNode,l=a.opera&&"[object Opera]"==o.call(a.opera),l=!!b.attachEvent&&!l,u=r?"object":l?"script":"img",v=l?"script":u,w=Array.isArray||function(a){return"[object Array]"==o.call(a)},x=[],y={},z={timeout:function(a,b){return b.length&&(a.timeout=b[0]),a}},A,B;B=function(a){function b(a){var a=a.split("!"),b=x.length,c=a.pop(),d=a.length,c={url:c,origUrl:c,prefixes:a},e,f,g;for(f=0;f<d;f++)g=a[f].split("="),(e=z[g.shift()])&&(c=e(c,g));for(f=0;f<b;f++)c=x[f](c);return c}function g(a,e,f,g,h){var i=b(a),j=i.autoCallback;i.url.split(".").pop().split("?").shift(),i.bypass||(e&&(e=d(e)?e:e[a]||e[g]||e[a.split("/").pop().split("?")[0]]),i.instead?i.instead(a,e,f,g,h):(y[i.url]?i.noexec=!0:y[i.url]=1,f.load(i.url,i.forceCSS||!i.forceJS&&"css"==i.url.split(".").pop().split("?").shift()?"c":c,i.noexec,i.attrs,i.timeout),(d(e)||d(j))&&f.load(function(){k(),e&&e(i.origUrl,h,g),j&&j(i.origUrl,h,g),y[i.url]=2})))}function h(a,b){function c(a,c){if(a){if(e(a))c||(j=function(){var a=[].slice.call(arguments);k.apply(this,a),l()}),g(a,j,b,0,h);else if(Object(a)===a)for(n in m=function(){var b=0,c;for(c in a)a.hasOwnProperty(c)&&b++;return b}(),a)a.hasOwnProperty(n)&&(!c&&!--m&&(d(j)?j=function(){var a=[].slice.call(arguments);k.apply(this,a),l()}:j[n]=function(a){return function(){var b=[].slice.call(arguments);a&&a.apply(this,b),l()}}(k[n])),g(a[n],j,b,n,h))}else!c&&l()}var h=!!a.test,i=a.load||a.both,j=a.callback||f,k=j,l=a.complete||f,m,n;c(h?a.yep:a.nope,!!i),i&&c(i)}var i,j,l=this.yepnope.loader;if(e(a))g(a,0,l,0);else if(w(a))for(i=0;i<a.length;i++)j=a[i],e(j)?g(j,0,l,0):w(j)?B(j):Object(j)===j&&h(j,l);else Object(a)===a&&h(a,l)},B.addPrefix=function(a,b){z[a]=b},B.addFilter=function(a){x.push(a)},B.errorTimeout=1e4,null==b.readyState&&b.addEventListener&&(b.readyState="loading",b.addEventListener("DOMContentLoaded",A=function(){b.removeEventListener("DOMContentLoaded",A,0),b.readyState="complete"},0)),a.yepnope=k(),a.yepnope.executeStack=h,a.yepnope.injectJs=function(a,c,d,e,i,j){var k=b.createElement("script"),l,o,e=e||B.errorTimeout;k.src=a;for(o in d)k.setAttribute(o,d[o]);c=j?h:c||f,k.onreadystatechange=k.onload=function(){!l&&g(k.readyState)&&(l=1,c(),k.onload=k.onreadystatechange=null)},m(function(){l||(l=1,c(1))},e),i?k.onload():n.parentNode.insertBefore(k,n)},a.yepnope.injectCss=function(a,c,d,e,g,i){var e=b.createElement("link"),j,c=i?h:c||f;e.href=a,e.rel="stylesheet",e.type="text/css";for(j in d)e.setAttribute(j,d[j]);g||(n.parentNode.insertBefore(e,n),m(c,0))}}(this,document),Modernizr.load=function(){yepnope.apply(window,[].slice.call(arguments,0))};
+
diff --git a/inc/octopress.js b/inc/octopress.js
new file mode 100644
index 0000000..10fa974
--- /dev/null
+++ b/inc/octopress.js
@@ -0,0 +1,78 @@
+function getNav() {
+  var mainNav = $('ul.main-navigation, ul[role=main-navigation]').before('<fieldset class="mobile-nav">')
+  var mobileNav = $('fieldset.mobile-nav').append('<select>');
+  mobileNav.find('select').append('<option value="">Navigate&hellip;</option>');
+  var addOption = function(i, option) {
+    mobileNav.find('select').append('<option value="' + this.href + '">&raquo; ' + $(this).text() + '</option>');
+  }
+  mainNav.find('a').each(addOption);
+  $('ul.subscription a').each(addOption);
+  mobileNav.find('select').bind('change', function(event) {
+    if (event.target.value) { window.location.href = event.target.value; }
+  });
+}
+
+function addSidebarToggler() {
+  if(!$('body').hasClass('sidebar-footer')) {
+    $('#content').append('<span class="toggle-sidebar"></span>');
+    $('.toggle-sidebar').bind('click', function(e) {
+      e.preventDefault();
+      $('body').toggleClass('collapse-sidebar');
+    });
+  }
+  var sections = $('aside.sidebar > section');
+  if (sections.length > 1) {
+    sections.each(function(index, section){
+      if ((sections.length >= 3) && index % 3 === 0) {
+        $(section).addClass("first");
+      }
+      var count = ((index +1) % 2) ? "odd" : "even";
+      $(section).addClass(count);
+    });
+  }
+  if (sections.length >= 3){ $('aside.sidebar').addClass('thirds'); }
+}
+
+function testFeatures() {
+  var features = ['maskImage'];
+  $(features).map(function(i, feature) {
+    if (Modernizr.testAllProps(feature)) {
+      $('html').addClass(feature);
+    } else {
+      $('html').addClass('no-'+feature);
+    }
+  });
+  if ("placeholder" in document.createElement("input")) {
+    $('html').addClass('placeholder');
+  } else {
+    $('html').addClass('no-placeholder');
+  }
+}
+
+
+$('document').ready(function() {
+  testFeatures();
+  getNav();
+  addSidebarToggler();
+});
+
+// iOS scaling bug fix
+// Rewritten version
+// By @mathias, @cheeaun and @jdalton
+// Source url: https://gist.github.com/901295
+(function(doc) {
+  var addEvent = 'addEventListener',
+      type = 'gesturestart',
+      qsa = 'querySelectorAll',
+      scales = [1, 1],
+      meta = qsa in doc ? doc[qsa]('meta[name=viewport]') : [];
+  function fix() {
+    meta.content = 'width=device-width,minimum-scale=' + scales[0] + ',maximum-scale=' + scales[1];
+    doc.removeEventListener(type, fix, true);
+  }
+  if ((meta = meta[meta.length - 1]) && addEvent in doc) {
+    fix();
+    scales = [0.25, 1.6];
+    doc[addEvent](type, fix, true);
+  }
+}(document));
diff --git a/inc/screen.css b/inc/screen.css
new file mode 100644
index 0000000..fb51d89
--- /dev/null
+++ b/inc/screen.css
@@ -0,0 +1,1569 @@
+html, body, div, span, object, iframe,
+h1, h2, h3, h4, h5, h6, p, blockquote, pre,
+a, abbr, acronym, address, big, cite, code,
+del, dfn, em, img, ins, kbd, q, s, samp,
+small, strike, strong, sub, sup, tt, var,
+b, u, i, center,
+dl, dt, ol, ul, li,
+fieldset, form, label, legend,
+table, caption, tbody, tfoot, thead, tr, th, td,
+article, aside, canvas, details, embed,
+figure, figcaption, footer, header, hgroup,
+menu, nav, output, ruby, section, summary,
+mark {
+  margin: 0;
+  padding: 0;
+  border: 0;
+  font: inherit;
+  font-size: 100%;
+  vertical-align: baseline;
+}
+
+html {
+  line-height: 1;
+}
+
+ol, ul {
+  list-style: none;
+}
+
+table {
+  border-collapse: collapse;
+  border-spacing: 0;
+}
+
+caption, th, td {
+  text-align: left;
+  font-weight: normal;
+  vertical-align: middle;
+}
+
+q, blockquote {
+  quotes: none;
+}
+q:before, q:after, blockquote:before, blockquote:after {
+  content: "";
+  content: none;
+}
+
+a img {
+  border: none;
+}
+
+article, aside, details, figcaption, figure, footer, header, hgroup, menu, nav, section, summary {
+  display: block;
+}
+
+a {
+  color: #1863a1;
+}
+a:visited {
+  color: #751590;
+}
+a:focus {
+  color: #0181eb;
+}
+a:hover {
+  color: #0181eb;
+}
+a:active {
+  color: #01579f;
+}
+
+aside.sidebar a {
+  color: #222222;
+}
+aside.sidebar a:focus {
+  color: #0181eb;
+}
+aside.sidebar a:hover {
+  color: #0181eb;
+}
+aside.sidebar a:active {
+  color: #01579f;
+}
+
+a {
+  -webkit-transition: color 0.3s;
+  -moz-transition: color 0.3s;
+  -o-transition: color 0.3s;
+  transition: color 0.3s;
+}
+
+html {
+  background: #252525 url('/img/line-tile.png') top left;
+}
+
+body > div {
+  background: #f2f2f2 url('/img/noise.png') top left;
+  border-bottom: 1px solid #bfbfbf;
+}
+body > div > div {
+  background: #f8f8f8 url('/img/noise.png') top left;
+  border-right: 1px solid #e0e0e0;
+}
+
+.heading, body > header h1, h1, h2, h3, h4, h5, h6 {
+  font-family: "PT Serif", "Georgia", "Helvetica Neue", Arial, sans-serif;
+}
+
+.sans, body > header h2, article header p.meta, article > footer, #content .blog-index footer, html aside.sidebar section, body > footer {
+  font-family: "PT Sans", "Helvetica Neue", Arial, sans-serif;
+}
+
+.serif, body, #content .blog-index a[rel=full-article] {
+  font-family: "PT Serif", Georgia, Times, "Times New Roman", serif;
+}
+
+.mono, pre, code, tt, p code, li code {
+  font-family: Menlo, Monaco, "Andale Mono", "lucida console", "Courier New", monospace;
+}
+
+body > header h1 {
+  font-size: 2.2em;
+  font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", Helvetica, Arial, "Lucida Grande", sans-serif;
+  font-weight: normal;
+  line-height: 1.2em;
+  margin-bottom: 0.6667em;
+}
+
+body > header h2 {
+  font-family: "HelveticaNeue-Light", "Helvetica Neue Light", "Helvetica Neue", Helvetica, Arial, "Lucida Grande", sans-serif;
+  color: black;
+  position: relative;
+  top: -0.8em;
+  left: 5em;
+}
+
+#header-open-text {
+  font-weight: 400;
+  font-size: 1.8em;
+  color: #721412;
+}
+
+#header-ssl-text {
+  font-weight: bold;
+  font-size: 1.8em;
+  color: black;
+}
+
+body {
+  line-height: 1.5em;
+  color: #222222;
+}
+
+h1 {
+  font-size: 2.2em;
+  line-height: 1.2em;
+}
+
+ at media only screen and (min-width: 992px) {
+  body {
+    font-size: 1.15em;
+  }
+
+  h1 {
+    font-size: 2.6em;
+    line-height: 1.2em;
+  }
+}
+h1, h2, h3, h4, h5, h6 {
+  text-rendering: optimizelegibility;
+  margin-bottom: 1em;
+  font-weight: bold;
+}
+
+h2, section h1 {
+  font-size: 1.5em;
+}
+
+h3, section h2, section section h1 {
+  font-size: 1.3em;
+}
+
+h4, section h3, section section h2, section section section h1 {
+  font-size: 1em;
+}
+
+h5, section h4, section section h3 {
+  font-size: .9em;
+}
+
+h6, section h5, section section h4, section section section h3 {
+  font-size: .8em;
+}
+
+p, article blockquote, ul, ol {
+  margin-bottom: 1.5em;
+}
+
+ul {
+  list-style-type: disc;
+}
+ul ul {
+  list-style-type: circle;
+  margin-bottom: 0px;
+}
+ul ul ul {
+  list-style-type: square;
+  margin-bottom: 0px;
+}
+
+ol {
+  list-style-type: decimal;
+}
+ol ol {
+  list-style-type: lower-alpha;
+  margin-bottom: 0px;
+}
+ol ol ol {
+  list-style-type: lower-roman;
+  margin-bottom: 0px;
+}
+
+ul, ul ul, ul ol, ol, ol ul, ol ol {
+  margin-left: 1.3em;
+}
+
+ul ul, ul ol, ol ul, ol ol {
+  margin-bottom: 0em;
+}
+
+strong {
+  font-weight: bold;
+}
+
+em {
+  font-style: italic;
+}
+
+sup, sub {
+  font-size: 0.75em;
+  position: relative;
+  display: inline-block;
+  padding: 0 .2em;
+  line-height: .8em;
+}
+
+sup {
+  top: -.5em;
+}
+
+sub {
+  bottom: -.5em;
+}
+
+a[rev='footnote'] {
+  font-size: .75em;
+  padding: 0 .3em;
+  line-height: 1;
+}
+
+q {
+  font-style: italic;
+}
+q:before {
+  content: "\201C";
+}
+q:after {
+  content: "\201D";
+}
+
+em, dfn {
+  font-style: italic;
+}
+
+strong, dfn {
+  font-weight: bold;
+}
+
+del, s {
+  text-decoration: line-through;
+}
+
+abbr, acronym {
+  border-bottom: 1px dotted;
+  cursor: help;
+}
+
+hr {
+  margin-bottom: 0.2em;
+}
+
+small {
+  font-size: .8em;
+}
+
+big {
+  font-size: 1.2em;
+}
+
+article blockquote {
+  font-style: italic;
+  position: relative;
+  font-size: 1.2em;
+  line-height: 1.5em;
+  padding-left: 1em;
+  border-left: 4px solid rgba(170, 170, 170, 0.5);
+}
+article blockquote cite {
+  font-style: italic;
+}
+article blockquote cite a {
+  color: #aaaaaa !important;
+  word-wrap: break-word;
+}
+article blockquote cite:before {
+  content: '\2014';
+  padding-right: .3em;
+  padding-left: .3em;
+  color: #aaaaaa;
+}
+ at media only screen and (min-width: 992px) {
+  article blockquote {
+    padding-left: 1.5em;
+    border-left-width: 4px;
+  }
+}
+
+.pullquote-right:before,
+.pullquote-left:before {
+  /* Reset metrics. */
+  padding: 0;
+  border: none;
+  /* Content */
+  content: attr(data-pullquote);
+  /* Pull out to the right, modular scale based margins. */
+  float: right;
+  width: 45%;
+  margin: .5em 0 1em 1.5em;
+  /* Baseline correction */
+  position: relative;
+  top: 7px;
+  font-size: 1.4em;
+  line-height: 1.45em;
+}
+
+.pullquote-left:before {
+  /* Make left pullquotes align properly. */
+  float: left;
+  margin: .5em 1.5em 1em 0;
+}
+
+/* @extend this to force long lines of continuous text to wrap */
+.force-wrap, article a, aside.sidebar a {
+  white-space: -moz-pre-wrap;
+  white-space: -pre-wrap;
+  white-space: -o-pre-wrap;
+  white-space: pre-wrap;
+  word-wrap: break-word;
+}
+
+.group, body > header, body > nav, body > footer, body #content > article, body #content > div > article, body #content > div > section, body div.pagination, aside.sidebar, #content, .sidebar {
+  *zoom: 1;
+}
+.group:after, body > header:after, body > nav:after, body > footer:after, body #content > article:after, body #content > div > section:after, body div.pagination:after, #content:after, .sidebar:after {
+  content: "";
+  display: table;
+  clear: both;
+}
+
+body {
+  -webkit-text-size-adjust: none;
+  max-width: 1200px;
+  position: relative;
+  margin: 0 auto;
+}
+body > header, body > nav, body > footer, body #content > article, body #content > div > article, body #content > div > section {
+  padding-left: 18px;
+  padding-right: 18px;
+}
+ at media only screen and (min-width: 480px) {
+  body > header, body > nav, body > footer, body #content > article, body #content > div > article, body #content > div > section {
+    padding-left: 25px;
+    padding-right: 25px;
+  }
+}
+ at media only screen and (min-width: 768px) {
+  body > header, body > nav, body > footer, body #content > article, body #content > div > article, body #content > div > section {
+    padding-left: 35px;
+    padding-right: 35px;
+  }
+}
+ at media only screen and (min-width: 992px) {
+  body > header, body > nav, body > footer, body #content > article, body #content > div > article, body #content > div > section {
+    padding-left: 55px;
+    padding-right: 55px;
+  }
+}
+body div.pagination {
+  margin-left: 18px;
+  margin-right: 18px;
+}
+ at media only screen and (min-width: 480px) {
+  body div.pagination {
+    margin-left: 25px;
+    margin-right: 25px;
+  }
+}
+ at media only screen and (min-width: 768px) {
+  body div.pagination {
+    margin-left: 35px;
+    margin-right: 35px;
+  }
+}
+ at media only screen and (min-width: 992px) {
+  body div.pagination {
+    margin-left: 55px;
+    margin-right: 55px;
+  }
+}
+body > header {
+  font-size: 1em;
+  padding-top: 1.5em;
+  padding-bottom: 1.5em;
+  margin-bottom: -1em;
+}
+
+#content {
+  overflow: hidden;
+}
+#content > div, #content > article {
+  width: 100%;
+}
+
+aside.sidebar {
+  float: none;
+  padding: 0 18px 1px;
+  background-color: #f7f7f7;
+  border-top: 1px solid #e0e0e0;
+}
+
+.flex-content, article img, aside.sidebar img {
+  max-width: 100%;
+  height: auto;
+}
+
+.basic-alignment.left, article img.left, aside.sidebar img.left {
+  float: left;
+  margin-right: 1.5em;
+}
+.basic-alignment.right, article img.right, aside.sidebar img.right {
+  float: right;
+  margin-left: 1.5em;
+}
+.basic-alignment.center, article img.center, aside.sidebar img.center {
+  display: block;
+  margin: 0 auto 1.5em;
+}
+.basic-alignment.left, article img.left, aside.sidebar img.left, .basic-alignment.right, article img.right, aside.sidebar img.right {
+  margin-bottom: .8em;
+}
+
+.toggle-sidebar, .no-sidebar .toggle-sidebar {
+  display: none;
+}
+
+ at media only screen and (min-width: 750px) {
+  body.sidebar-footer aside.sidebar {
+    float: none;
+    width: auto;
+    clear: left;
+    margin: 0;
+    padding: 0 35px 1px;
+    background-color: #f7f7f7;
+    border-top: 1px solid #eaeaea;
+  }
+  body.sidebar-footer aside.sidebar section.odd, body.sidebar-footer aside.sidebar section.even {
+    float: left;
+    width: 48%;
+  }
+  body.sidebar-footer aside.sidebar section.odd {
+    margin-left: 0;
+  }
+  body.sidebar-footer aside.sidebar section.even {
+    margin-left: 4%;
+  }
+  body.sidebar-footer aside.sidebar.thirds section {
+    width: 30%;
+    margin-left: 5%;
+  }
+  body.sidebar-footer aside.sidebar.thirds section.first {
+    margin-left: 0;
+    clear: both;
+  }
+}
+body.sidebar-footer #content {
+  margin-right: 0px;
+}
+body.sidebar-footer .toggle-sidebar {
+  display: none;
+}
+
+ at media only screen and (min-width: 550px) {
+  body > header {
+    font-size: 1em;
+  }
+}
+ at media only screen and (min-width: 750px) {
+  aside.sidebar {
+    float: none;
+    width: auto;
+    clear: left;
+    margin: 0;
+    padding: 0 35px 1px;
+    background-color: #f7f7f7;
+    border-top: 1px solid #eaeaea;
+  }
+  aside.sidebar section.odd, aside.sidebar section.even {
+    float: left;
+    width: 48%;
+  }
+  aside.sidebar section.odd {
+    margin-left: 0;
+  }
+  aside.sidebar section.even {
+    margin-left: 4%;
+  }
+  aside.sidebar.thirds section {
+    width: 30%;
+    margin-left: 5%;
+  }
+  aside.sidebar.thirds section.first {
+    margin-left: 0;
+    clear: both;
+  }
+}
+ at media only screen and (min-width: 768px) {
+  body {
+    -webkit-text-size-adjust: auto;
+  }
+
+  body > header {
+    font-size: 1.2em;
+  }
+
+  #content {
+    overflow: visible;
+    margin-right: 240px;
+    position: relative;
+  }
+  .no-sidebar #content {
+    margin-right: 0;
+    border-right: 0;
+  }
+  .collapse-sidebar #content {
+    margin-right: 20px;
+  }
+  #content > div, #content > article {
+    padding-top: 17.5px;
+    padding-bottom: 17.5px;
+    float: left;
+  }
+
+  aside.sidebar {
+    width: 210px;
+    padding: 0 15px 15px;
+    background: none;
+    clear: none;
+    float: left;
+    margin: 0 -100% 0 0;
+  }
+  aside.sidebar section {
+    width: auto;
+    margin-left: 0;
+  }
+  aside.sidebar section.odd, aside.sidebar section.even {
+    float: none;
+    width: auto;
+    margin-left: 0;
+  }
+  .collapse-sidebar aside.sidebar {
+    float: none;
+    width: auto;
+    clear: left;
+    margin: 0;
+    padding: 0 35px 1px;
+    background-color: #f7f7f7;
+    border-top: 1px solid #eaeaea;
+  }
+  .collapse-sidebar aside.sidebar section.odd, .collapse-sidebar aside.sidebar section.even {
+    float: left;
+    width: 48%;
+  }
+  .collapse-sidebar aside.sidebar section.odd {
+    margin-left: 0;
+  }
+  .collapse-sidebar aside.sidebar section.even {
+    margin-left: 4%;
+  }
+  .collapse-sidebar aside.sidebar.thirds section {
+    width: 30%;
+    margin-left: 5%;
+  }
+  .collapse-sidebar aside.sidebar.thirds section.first {
+    margin-left: 0;
+    clear: both;
+  }
+}
+ at media only screen and (min-width: 992px) {
+  body > header {
+    font-size: 1.3em;
+  }
+
+  #content {
+    margin-right: 300px;
+  }
+
+  #content > div, #content > article {
+    padding-top: 27.5px;
+    padding-bottom: 27.5px;
+  }
+
+  aside.sidebar {
+    width: 260px;
+    padding: 1.2em 20px 20px;
+  }
+  .collapse-sidebar aside.sidebar {
+    padding-left: 55px;
+    padding-right: 55px;
+  }
+}
+ at media only screen and (min-width: 768px) {
+  ul, ol {
+    margin-left: 0;
+  }
+}
+body > header {
+  background: #cccccc;
+}
+body > header h1 {
+  display: inline-block;
+  margin: 0;
+}
+body > header h1 a, body > header h1 a:visited, body > header h1 a:hover {
+  color: #f2f2f2;
+  text-decoration: none;
+}
+body > header h2 {
+  margin: .2em 0 0;
+  font-weight: 300;
+  font-size: 0.8em;
+  color: black;
+  position: relative;
+  top: -0.8em;
+  left: 5em;
+}
+
+body > nav {
+  position: relative;
+  background-color: #cccccc;
+  background: url('/img/noise.png'), -webkit-gradient(linear, 50% 0%, 50% 100%, color-stop(0%, #e0e0e0), color-stop(50%, #cccccc), color-stop(100%, #b0b0b0));
+  background: url('/img/noise.png'), -webkit-linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  background: url('/img/noise.png'), -moz-linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  background: url('/img/noise.png'), -o-linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  background: url('/img/noise.png'), linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  border-top: 1px solid #f2f2f2;
+  border-bottom: 1px solid #8c8c8c;
+  padding-top: .35em;
+  padding-bottom: .35em;
+}
+body > nav form {
+  -webkit-background-clip: padding;
+  -moz-background-clip: padding;
+  background-clip: padding-box;
+  margin: 0;
+  padding: 0;
+}
+body > nav form .search {
+  padding: .3em .5em 0;
+  font-size: .85em;
+  font-family: "PT Sans", "Helvetica Neue", Arial, sans-serif;
+  line-height: 1.1em;
+  width: 95%;
+  -webkit-border-radius: 0.5em;
+  -moz-border-radius: 0.5em;
+  -ms-border-radius: 0.5em;
+  -o-border-radius: 0.5em;
+  border-radius: 0.5em;
+  -webkit-background-clip: padding;
+  -moz-background-clip: padding;
+  background-clip: padding-box;
+  -webkit-box-shadow: #d1d1d1 0 1px;
+  -moz-box-shadow: #d1d1d1 0 1px;
+  box-shadow: #d1d1d1 0 1px;
+  background-color: #f2f2f2;
+  border: 1px solid #b3b3b3;
+  color: #888;
+}
+body > nav form .search:focus {
+  color: #444;
+  border-color: #80b1df;
+  -webkit-box-shadow: #80b1df 0 0 4px, #80b1df 0 0 3px inset;
+  -moz-box-shadow: #80b1df 0 0 4px, #80b1df 0 0 3px inset;
+  box-shadow: #80b1df 0 0 4px, #80b1df 0 0 3px inset;
+  background-color: #fff;
+  outline: none;
+}
+body > nav fieldset[role=search] {
+  float: right;
+  width: 48%;
+}
+body > nav fieldset.mobile-nav {
+  float: left;
+  width: 48%;
+}
+body > nav fieldset.mobile-nav select {
+  width: 100%;
+  font-size: .8em;
+  border: 1px solid #888;
+}
+body > nav ul {
+  display: none;
+}
+ at media only screen and (min-width: 550px) {
+  body > nav {
+    font-size: .9em;
+  }
+  body > nav ul {
+    margin: 0;
+    padding: 0;
+    border: 0;
+    overflow: hidden;
+    *zoom: 1;
+    float: left;
+    display: block;
+    padding-top: .15em;
+  }
+  body > nav ul li {
+    list-style-image: none;
+    list-style-type: none;
+    margin-left: 0;
+    white-space: nowrap;
+    display: inline;
+    float: left;
+    padding-left: 0;
+    padding-right: 0;
+  }
+  body > nav ul li:first-child, body > nav ul li.first {
+    padding-left: 0;
+  }
+  body > nav ul li:last-child {
+    padding-right: 0;
+  }
+  body > nav ul li.last {
+    padding-right: 0;
+  }
+  body > nav ul.subscription {
+    margin-left: .8em;
+    float: right;
+  }
+  body > nav ul.subscription li:last-child a {
+    padding-right: 0;
+  }
+  body > nav ul li {
+    margin: 0;
+  }
+  body > nav a {
+    color: #6b6b6b;
+    font-family: "PT Sans", "Helvetica Neue", Arial, sans-serif;
+    text-shadow: #ebebeb 0 1px;
+    float: left;
+    text-decoration: none;
+    font-size: 1.1em;
+    padding: .1em 0;
+    line-height: 1.5em;
+  }
+  body > nav a:visited {
+    color: #6b6b6b;
+  }
+  body > nav a:hover {
+    color: #2b2b2b;
+  }
+  body > nav li + li {
+    border-left: 1px solid #b0b0b0;
+    margin-left: .8em;
+  }
+  body > nav li + li a {
+    padding-left: .8em;
+    border-left: 1px solid #dedede;
+  }
+  body > nav form {
+    float: right;
+    text-align: left;
+    padding-left: .8em;
+    width: 175px;
+  }
+  body > nav form .search {
+    width: 93%;
+    font-size: .95em;
+    line-height: 1.2em;
+  }
+  body > nav ul[data-subscription$=email] + form {
+    width: 97px;
+  }
+  body > nav ul[data-subscription$=email] + form .search {
+    width: 91%;
+  }
+  body > nav fieldset.mobile-nav {
+    display: none;
+  }
+  body > nav fieldset[role=search] {
+    width: 99%;
+  }
+}
+ at media only screen and (min-width: 992px) {
+  body > nav form {
+    width: 215px;
+  }
+  body > nav ul[data-subscription$=email] + form {
+    width: 147px;
+  }
+}
+
+.no-placeholder body > nav .search {
+  background: #f2f2f2 url('/img/search.png') 0.3em 0.25em no-repeat;
+  text-indent: 1.3em;
+}
+
+ at media only screen and (min-width: 550px) {
+  .maskImage body > nav ul[data-subscription$=email] + form {
+    width: 123px;
+  }
+}
+ at media only screen and (min-width: 992px) {
+  .maskImage body > nav ul[data-subscription$=email] + form {
+    width: 173px;
+  }
+}
+.maskImage ul.subscription {
+  position: relative;
+  top: .2em;
+}
+.maskImage ul.subscription li, .maskImage ul.subscription a {
+  border: 0;
+  padding: 0;
+}
+
+article {
+  padding-top: 1em;
+}
+article header {
+  position: relative;
+  padding-top: 2em;
+  padding-bottom: 1em;
+  margin-bottom: 1em;
+  background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') bottom left repeat-x;
+}
+article header h1 {
+  margin: 0;
+}
+article header h1 a {
+  text-decoration: none;
+}
+article header h1 a:hover {
+  text-decoration: underline;
+}
+article header p {
+  font-size: .9em;
+  color: #aaaaaa;
+  margin: 0;
+}
+article header p.meta {
+  text-transform: uppercase;
+  position: absolute;
+  top: 0;
+}
+ at media only screen and (min-width: 768px) {
+  article header {
+    margin-bottom: 1.5em;
+    padding-bottom: 1em;
+    background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') bottom left repeat-x;
+  }
+}
+article h2 {
+  padding-top: 0.8em;
+  background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') top left repeat-x;
+}
+.entry-content article h2:first-child, article header + h2 {
+  padding-top: 0;
+}
+article h2:first-child, article header + h2 {
+  background: none;
+}
+article .feature {
+  padding-top: .5em;
+  margin-bottom: 1em;
+  padding-bottom: 1em;
+  background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') bottom left repeat-x;
+  font-size: 2.0em;
+  font-style: italic;
+  line-height: 1.3em;
+}
+article img, {
+  -webkit-border-radius: 0.3em;
+  -moz-border-radius: 0.3em;
+  -ms-border-radius: 0.3em;
+  -o-border-radius: 0.3em;
+  border-radius: 0.3em;
+  -webkit-box-shadow: rgba(0, 0, 0, 0.15) 0 1px 4px;
+  -moz-box-shadow: rgba(0, 0, 0, 0.15) 0 1px 4px;
+  box-shadow: rgba(0, 0, 0, 0.15) 0 1px 4px;
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box;
+  border: white 0.5em solid;
+}
+article > footer {
+  padding-bottom: 2.5em;
+  margin-top: 2em;
+}
+article > footer p.meta {
+  margin-bottom: .8em;
+  font-size: .85em;
+  clear: both;
+  overflow: hidden;
+}
+
+.blog-index article + article {
+  background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') top left repeat-x;
+}
+
+#content .blog-index {
+  padding-top: 0;
+  padding-bottom: 0;
+}
+#content .blog-index article {
+  padding-top: 2em;
+}
+#content .blog-index article header {
+  background: none;
+  padding-bottom: 0;
+}
+#content .blog-index article h1 {
+  font-size: 2.2em;
+}
+#content .blog-index article h1 a {
+  color: inherit;
+}
+#content .blog-index article h1 a:hover {
+  color: #0181eb;
+}
+#content .blog-index footer {
+  margin-top: 1em;
+}
+
+.separator, article > footer .comments:before {
+  content: "\2022 ";
+  padding: 0 .4em 0 .2em;
+  display: inline-block;
+}
+
+#content div.pagination {
+  text-align: center;
+  font-size: .95em;
+  position: relative;
+  background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') top left repeat-x;
+  padding-top: 1.5em;
+  padding-bottom: 1.5em;
+}
+#content div.pagination a {
+  text-decoration: none;
+  color: #aaaaaa;
+}
+#content div.pagination a.prev {
+  position: absolute;
+  left: 0;
+}
+#content div.pagination a.next {
+  position: absolute;
+  right: 0;
+}
+#content div.pagination a:hover {
+  color: #0181eb;
+}
+#content div.pagination a[href*=archive]:before, #content div.pagination a[href*=archive]:after {
+  content: '\2014';
+  padding: 0 .3em;
+}
+
+p.meta + .sharing {
+  padding-top: 1em;
+  padding-left: 0;
+  background: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAABCAYAAACsXeyTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAFUlEQVQIHWNIS0sr/v//PwMMDzY+ADqMahlW4J91AAAAAElFTkSuQmCC') top left repeat-x;
+}
+
+#fb-root {
+  display: none;
+}
+
+.highlight, {
+  border: 1px solid #05232b !important;
+}
+.highlight table td.code, table td.code {
+  width: 100%;
+}
+
+.highlight .line-numbers, html .highlight .line_numbers {
+  text-align: right;
+  font-size: 13px;
+  line-height: 1.45em;
+  background: #073642 url('/img/noise.png') top left !important;
+  border-right: 1px solid #00232c !important;
+  -webkit-box-shadow: #083e4b -1px 0 inset;
+  -moz-box-shadow: #083e4b -1px 0 inset;
+  box-shadow: #083e4b -1px 0 inset;
+  text-shadow: #021014 0 -1px;
+  padding: .8em !important;
+  -webkit-border-radius: 0;
+  -moz-border-radius: 0;
+  -ms-border-radius: 0;
+  -o-border-radius: 0;
+  border-radius: 0;
+}
+.highlight .line-numbers span, html .highlight .line_numbers span {
+  color: #586e75 !important;
+}
+
+figure.code, pre {
+  -webkit-box-shadow: rgba(0, 0, 0, 0.06) 0 0 10px;
+  -moz-box-shadow: rgba(0, 0, 0, 0.06) 0 0 10px;
+  box-shadow: rgba(0, 0, 0, 0.06) 0 0 10px;
+}
+figure.code .highlight pre, .highlight pre, pre .highlight pre {
+  -webkit-box-shadow: none;
+  -moz-box-shadow: none;
+  box-shadow: none;
+}
+
+.highlight *::-moz-selection, figure.code .highlight *::-moz-selection {
+  background: #386774;
+  color: inherit;
+  text-shadow: #002b36 0 1px;
+}
+.highlight *::-webkit-selection, figure.code .highlight *::-webkit-selection {
+  background: #386774;
+  color: inherit;
+  text-shadow: #002b36 0 1px;
+}
+.highlight *::selection, figure.code .highlight *::selection {
+  background: #386774;
+  color: inherit;
+  text-shadow: #002b36 0 1px;
+}
+
+pre {
+  background: #002b36 url('/img/noise.png') top left;
+  -webkit-border-radius: 0.4em;
+  -moz-border-radius: 0.4em;
+  -ms-border-radius: 0.4em;
+  -o-border-radius: 0.4em;
+  border-radius: 0.4em;
+  border: 1px solid #05232b;
+  line-height: 1.45em;
+  font-size: 13px;
+  margin-bottom: 2.1em;
+  padding: .8em 1em;
+#  color: #93a1a1;
+  color: #00FF00;
+  overflow: auto;
+}
+
+h3.filename + pre {
+  -moz-border-radius-topleft: 0px;
+  -webkit-border-top-left-radius: 0px;
+  border-top-left-radius: 0px;
+  -moz-border-radius-topright: 0px;
+  -webkit-border-top-right-radius: 0px;
+  border-top-right-radius: 0px;
+}
+
+p code, li code {
+  display: inline-block;
+  white-space: no-wrap;
+  background: #fff;
+  font-size: .8em;
+  line-height: 1.5em;
+  color: #555;
+  border: 1px solid #ddd;
+  -webkit-border-radius: 0.4em;
+  -moz-border-radius: 0.4em;
+  -ms-border-radius: 0.4em;
+  -o-border-radius: 0.4em;
+  border-radius: 0.4em;
+  padding: 0 .3em;
+  margin: -1px 0;
+}
+p pre code, li pre code {
+  font-size: 1em !important;
+  background: none;
+  border: none;
+}
+
+.pre-code, html .highlight pre, .highlight code {
+  font-family: Menlo, Monaco, "Andale Mono", "lucida console", "Courier New", monospace !important;
+  overflow: scroll;
+  overflow-y: hidden;
+  display: block;
+  padding: .8em;
+  overflow-x: auto;
+  line-height: 1.45em;
+  background: #002b36 url('/img/noise.png') top left !important;
+  color: #93a1a1 !important;
+}
+.pre-code span, html .highlight pre span, .highlight code span {
+  color: #93a1a1 !important;
+}
+.pre-code span, html .highlight pre span, .highlight code span {
+  font-style: normal !important;
+  font-weight: normal !important;
+}
+.pre-code .c, html .highlight pre .c, .highlight code .c {
+  color: #586e75 !important;
+  font-style: italic !important;
+}
+.pre-code .cm, html .highlight pre .cm, .highlight code .cm {
+  color: #586e75 !important;
+  font-style: italic !important;
+}
+.pre-code .cp, html .highlight pre .cp, .highlight code .cp {
+  color: #586e75 !important;
+  font-style: italic !important;
+}
+.pre-code .c1, html .highlight pre .c1, .highlight code .c1 {
+  color: #586e75 !important;
+  font-style: italic !important;
+}
+.pre-code .cs, html .highlight pre .cs, .highlight code .cs {
+  color: #586e75 !important;
+  font-weight: bold !important;
+  font-style: italic !important;
+}
+.pre-code .err, html .highlight pre .err, .highlight code .err {
+  color: #dc322f !important;
+  background: none !important;
+}
+.pre-code .k, html .highlight pre .k, .highlight code .k {
+  color: #cb4b16 !important;
+}
+.pre-code .o, html .highlight pre .o, .highlight code .o {
+  color: #93a1a1 !important;
+  font-weight: bold !important;
+}
+.pre-code .p, html .highlight pre .p, .highlight code .p {
+  color: #93a1a1 !important;
+}
+.pre-code .ow, html .highlight pre .ow, .highlight code .ow {
+  color: #2aa198 !important;
+  font-weight: bold !important;
+}
+.pre-code .gd, html .highlight pre .gd, .highlight code .gd {
+  color: #93a1a1 !important;
+  background-color: #372c34 !important;
+  display: inline-block;
+}
+.pre-code .gd .x, html .highlight pre .gd .x, .highlight code .gd .x {
+  color: #93a1a1 !important;
+  background-color: #4d2d33 !important;
+  display: inline-block;
+}
+.pre-code .ge, html .highlight pre .ge, .highlight code .ge {
+  color: #93a1a1 !important;
+  font-style: italic !important;
+}
+.pre-code .gh, html .highlight pre .gh, .highlight code .gh {
+  color: #586e75 !important;
+}
+.pre-code .gi, html .highlight pre .gi, .highlight code .gi {
+  color: #93a1a1 !important;
+  background-color: #1a412b !important;
+  display: inline-block;
+}
+.pre-code .gi .x, html .highlight pre .gi .x, .highlight code .gi .x {
+  color: #93a1a1 !important;
+  background-color: #355720 !important;
+  display: inline-block;
+}
+.pre-code .gs, html .highlight pre .gs, .highlight code .gs {
+  color: #93a1a1 !important;
+  font-weight: bold !important;
+}
+.pre-code .gu, html .highlight pre .gu, .highlight code .gu {
+  color: #6c71c4 !important;
+}
+.pre-code .kc, html .highlight pre .kc, .highlight code .kc {
+  color: #859900 !important;
+  font-weight: bold !important;
+}
+.pre-code .kd, html .highlight pre .kd, .highlight code .kd {
+  color: #268bd2 !important;
+}
+.pre-code .kp, html .highlight pre .kp, .highlight code .kp {
+  color: #cb4b16 !important;
+  font-weight: bold !important;
+}
+.pre-code .kr, html .highlight pre .kr, .highlight code .kr {
+  color: #d33682 !important;
+  font-weight: bold !important;
+}
+.pre-code .kt, html .highlight pre .kt, .highlight code .kt {
+  color: #2aa198 !important;
+}
+.pre-code .n, html .highlight pre .n, .highlight code .n {
+  color: #268bd2 !important;
+}
+.pre-code .na, html .highlight pre .na, .highlight code .na {
+  color: #268bd2 !important;
+}
+.pre-code .nb, html .highlight pre .nb, .highlight code .nb {
+  color: #859900 !important;
+}
+.pre-code .nc, html .highlight pre .nc, .highlight code .nc {
+  color: #d33682 !important;
+}
+.pre-code .no, html .highlight pre .no, .highlight code .no {
+  color: #b58900 !important;
+}
+.pre-code .nl, html .highlight pre .nl, .highlight code .nl {
+  color: #859900 !important;
+}
+.pre-code .ne, html .highlight pre .ne, .highlight code .ne {
+  color: #268bd2 !important;
+  font-weight: bold !important;
+}
+.pre-code .nf, html .highlight pre .nf, .highlight code .nf {
+  color: #268bd2 !important;
+  font-weight: bold !important;
+}
+.pre-code .nn, html .highlight pre .nn, .highlight code .nn {
+  color: #b58900 !important;
+}
+.pre-code .nt, html .highlight pre .nt, .highlight code .nt {
+  color: #268bd2 !important;
+  font-weight: bold !important;
+}
+.pre-code .nx, html .highlight pre .nx, .highlight code .nx {
+  color: #b58900 !important;
+}
+.pre-code .vg, html .highlight pre .vg, .highlight code .vg {
+  color: #268bd2 !important;
+}
+.pre-code .vi, html .highlight pre .vi, .highlight code .vi {
+  color: #268bd2 !important;
+}
+.pre-code .nv, html .highlight pre .nv, .highlight code .nv {
+  color: #268bd2 !important;
+}
+.pre-code .mf, html .highlight pre .mf, .highlight code .mf {
+  color: #2aa198 !important;
+}
+.pre-code .m, html .highlight pre .m, .highlight code .m {
+  color: #2aa198 !important;
+}
+.pre-code .mh, html .highlight pre .mh, .highlight code .mh {
+  color: #2aa198 !important;
+}
+.pre-code .mi, html .highlight pre .mi, .highlight code .mi {
+  color: #2aa198 !important;
+}
+.pre-code .s, html .highlight pre .s, .highlight code .s {
+  color: #2aa198 !important;
+}
+.pre-code .sd, html .highlight pre .sd, .highlight code .sd {
+  color: #2aa198 !important;
+}
+.pre-code .s2, html .highlight pre .s2, .highlight code .s2 {
+  color: #2aa198 !important;
+}
+.pre-code .se, html .highlight pre .se, .highlight code .se {
+  color: #dc322f !important;
+}
+.pre-code .si, html .highlight pre .si, .highlight code .si {
+  color: #268bd2 !important;
+}
+.pre-code .sr, html .highlight pre .sr, .highlight code .sr {
+  color: #2aa198 !important;
+}
+.pre-code .s1, html .highlight pre .s1, .highlight code .s1 {
+  color: #2aa198 !important;
+}
+.pre-code div .gd, html .highlight pre div .gd, .highlight code div .gd, .pre-code div .gd .x, html .highlight pre div .gd .x, .highlight code div .gd .x, .pre-code div .gi, html .highlight pre div .gi, .highlight code div .gi, .pre-code div .gi .x, html .highlight pre div .gi .x, .highlight code div .gi .x {
+  display: inline-block;
+  width: 100%;
+}
+
+.highlight {
+  margin-bottom: 1.8em;
+  background: #002b36;
+  overflow-y: hidden;
+  overflow-x: auto;
+}
+.highlight pre {
+  background: none;
+  -webkit-border-radius: 0px;
+  -moz-border-radius: 0px;
+  -ms-border-radius: 0px;
+  -o-border-radius: 0px;
+  border-radius: 0px;
+  border: none;
+  padding: 0;
+  margin-bottom: 0;
+}
+
+pre::-webkit-scrollbar, .highlight::-webkit-scrollbar {
+  height: .5em;
+  background: rgba(255, 255, 255, 0.15);
+}
+pre::-webkit-scrollbar-thumb:horizontal, .highlight::-webkit-scrollbar-thumb:horizontal {
+  background: rgba(255, 255, 255, 0.2);
+  -webkit-border-radius: 4px;
+  border-radius: 4px;
+}
+
+.highlight code {
+  background: #000;
+}
+
+figure.code {
+  background: none;
+  padding: 0;
+  border: 0;
+  margin-bottom: 1.5em;
+}
+figure.code pre {
+  margin-bottom: 0;
+}
+figure.code figcaption {
+  position: relative;
+}
+figure.code .highlight {
+  margin-bottom: 0;
+}
+
+.code-title, html a[href*='#file'], h3.filename, figure.code figcaption {
+  text-align: center;
+  font-size: 13px;
+  line-height: 2em;
+  text-shadow: #cbcccc 0 1px 0;
+  color: #474747;
+  font-weight: normal;
+  margin-bottom: 0;
+  -moz-border-radius-topleft: 5px;
+  -webkit-border-top-left-radius: 5px;
+  border-top-left-radius: 5px;
+  -moz-border-radius-topright: 5px;
+  -webkit-border-top-right-radius: 5px;
+  border-top-right-radius: 5px;
+  font-family: "Helvetica Neue", Arial, "Lucida Grande", "Lucida Sans Unicode", Lucida, sans-serif;
+  background: #aaaaaa url('/img/code_bg.png') top repeat-x;
+  border: 1px solid #565656;
+  border-top-color: #cbcbcb;
+  border-left-color: #a5a5a5;
+  border-right-color: #a5a5a5;
+  border-bottom: 0;
+}
+
+.download-source, html a[href*=raw], figure.code figcaption a {
+  position: absolute;
+  right: .8em;
+  text-decoration: none;
+  color: #666 !important;
+  z-index: 1;
+  font-size: 13px;
+  text-shadow: #cbcccc 0 1px 0;
+  padding-left: 3em;
+}
+.download-source:hover, html a[href*=raw]:hover, figure.code figcaption a:hover {
+  text-decoration: underline;
+}
+
+#archive #content > div, #archive #content > div > article {
+  padding-top: 0;
+}
+
+
+#content > .category article {
+  margin-left: 0;
+  padding-left: 6.8em;
+}
+#content > .category .year {
+  display: inline;
+}
+
+.side-shadow-border, aside.sidebar section h1, aside.sidebar li {
+  -webkit-box-shadow: white 0 1px;
+  -moz-box-shadow: white 0 1px;
+  box-shadow: white 0 1px;
+}
+
+aside.sidebar {
+  overflow: hidden;
+  color: #4b4b4b;
+  text-shadow: white 0 1px;
+}
+aside.sidebar section {
+  font-size: .8em;
+  line-height: 1.4em;
+  margin-bottom: 1.5em;
+}
+aside.sidebar section h1 {
+  margin: 1.5em 0 0;
+  padding-bottom: .2em;
+  border-bottom: 1px solid #e0e0e0;
+}
+aside.sidebar section h1 + p {
+  padding-top: .4em;
+}
+aside.sidebar img {
+  -webkit-border-radius: 0.3em;
+  -moz-border-radius: 0.3em;
+  -ms-border-radius: 0.3em;
+  -o-border-radius: 0.3em;
+  border-radius: 0.3em;
+  -webkit-box-shadow: rgba(0, 0, 0, 0.15) 0 1px 4px;
+  -moz-box-shadow: rgba(0, 0, 0, 0.15) 0 1px 4px;
+  box-shadow: rgba(0, 0, 0, 0.15) 0 1px 4px;
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box;
+  border: white 0.3em solid;
+}
+aside.sidebar ul {
+  margin-bottom: 0.5em;
+  margin-left: 0;
+}
+aside.sidebar li {
+  list-style: none;
+  padding: .5em 0;
+  margin: 0;
+  border-bottom: 1px solid #e0e0e0;
+}
+aside.sidebar li p:last-child {
+  margin-bottom: 0;
+}
+aside.sidebar a {
+  color: inherit;
+  -webkit-transition: color 0.5s;
+  -moz-transition: color 0.5s;
+  -o-transition: color 0.5s;
+  transition: color 0.5s;
+  text-decoration: none;
+}
+aside.sidebar:hover a {
+  color: #222222;
+}
+aside.sidebar:hover a:hover {
+  color: #0181eb;
+}
+
+.aside-alt-link, #pinboard_linkroll .pin-tag {
+  color: #7e7e7e;
+}
+.aside-alt-link:hover, #pinboard_linkroll .pin-tag:hover {
+  color: #0181eb;
+}
+
+ at media only screen and (min-width: 768px) {
+  .toggle-sidebar {
+    outline: none;
+    position: absolute;
+    right: -10px;
+    top: 0;
+    bottom: 0;
+    display: inline-block;
+    text-decoration: none;
+    color: #cecece;
+    width: 9px;
+    cursor: pointer;
+  }
+  .toggle-sidebar:hover {
+    background: #e9e9e9;
+    background: -webkit-gradient(linear, 0% 50%, 100% 50%, color-stop(0%, rgba(224, 224, 224, 0.5)), color-stop(100%, rgba(224, 224, 224, 0)));
+    background: -webkit-linear-gradient(left, rgba(224, 224, 224, 0.5), rgba(224, 224, 224, 0));
+    background: -moz-linear-gradient(left, rgba(224, 224, 224, 0.5), rgba(224, 224, 224, 0));
+    background: -o-linear-gradient(left, rgba(224, 224, 224, 0.5), rgba(224, 224, 224, 0));
+    background: linear-gradient(left, rgba(224, 224, 224, 0.5), rgba(224, 224, 224, 0));
+  }
+  .toggle-sidebar:after {
+    position: absolute;
+    right: -11px;
+    top: 0;
+    width: 20px;
+    font-size: 1.2em;
+    line-height: 1.1em;
+    padding-bottom: .15em;
+    -moz-border-radius-bottomright: 0.3em;
+    -webkit-border-bottom-right-radius: 0.3em;
+    border-bottom-right-radius: 0.3em;
+    text-align: center;
+    background: #f8f8f8 url('/img/noise.png') top left;
+    border-bottom: 1px solid #e0e0e0;
+    border-right: 1px solid #e0e0e0;
+    content: "\00BB";
+    text-indent: -1px;
+  }
+  .collapse-sidebar .toggle-sidebar {
+    text-indent: 0px;
+    right: -20px;
+    width: 19px;
+  }
+  .collapse-sidebar .toggle-sidebar:hover {
+    background: #e9e9e9;
+  }
+  .collapse-sidebar .toggle-sidebar:after {
+    border-left: 1px solid #e0e0e0;
+    text-shadow: #fff 0 1px;
+    content: "\00AB";
+    left: 0px;
+    right: 0;
+    text-align: center;
+    text-indent: 0;
+    border: 0;
+    border-right-width: 0;
+    background: none;
+  }
+}
+
+body > footer {
+  font-size: .8em;
+  color: #888888;
+  text-shadow: #d9d9d9 0 1px;
+  background-color: #cccccc;
+  background: url('/img/noise.png'), -webkit-gradient(linear, 50% 0%, 50% 100%, color-stop(0%, #e0e0e0), color-stop(50%, #cccccc), color-stop(100%, #b0b0b0));
+  background: url('/img/noise.png'), -webkit-linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  background: url('/img/noise.png'), -moz-linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  background: url('/img/noise.png'), -o-linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  background: url('/img/noise.png'), linear-gradient(#e0e0e0, #cccccc, #b0b0b0);
+  border-top: 1px solid #f2f2f2;
+  position: relative;
+  padding-top: 1em;
+  padding-bottom: 1em;
+  margin-bottom: 3em;
+  -moz-border-radius-bottomleft: 0.4em;
+  -webkit-border-bottom-left-radius: 0.4em;
+  border-bottom-left-radius: 0.4em;
+  -moz-border-radius-bottomright: 0.4em;
+  -webkit-border-bottom-right-radius: 0.4em;
+  border-bottom-right-radius: 0.4em;
+  z-index: 1;
+}
+body > footer a {
+  color: #6b6b6b;
+}
+body > footer a:visited {
+  color: #6b6b6b;
+}
+body > footer a:hover {
+  color: #484848;
+}
+body > footer p:last-child {
+  margin-bottom: 0;
+}
+
+/* OPENSSL WEBSITE ADDITIONS */
+
+/* newsflash table */
+tr:first-child { font-weight: bold; border-bottom: 1px solid black; }
+tr:nth-child(even) { background-color: #D9f0ff; }
+td.d { float: left; width: 20%; }
+td.t { float: right; width: 80%; }
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..6e6684f
--- /dev/null
+++ b/index.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+	<header><h2>Welcome to the OpenSSL Project</h2></header>
+	<div class="entry-content">
+	  <p>
+	  The OpenSSL Project is a collaborative effort to develop a
+	  robust, commercial-grade, full-featured, and Open Source toolkit
+	  implementing the Transport Layer Security (TLS) and Secure
+	  Sockets Layer (SSL) protocols as well as a full-strength
+	  general purpose cryptography library. The project is managed
+	  by a worldwide community of volunteers that use the Internet
+	  to communicate, plan, and develop the OpenSSL toolkit and its
+	  related documentation.
+	  </p>
+
+	  <p>
+	  OpenSSL is based on the excellent SSLeay library developed by Eric
+	  Young and Tim Hudson. The OpenSSL toolkit is licensed under an
+	  Apache-style licence, which basically means that you are free to
+	  get and use it for commercial and non-commercial purposes subject
+	  to some simple license conditions. 
+	  </p>
+
+	  <h3>Latest News</h3>
+	  <table class="newsflash" width="90%">
+	    <!--#include virtual="newsflash.inc"-->
+	    <tr><td class="d"><a href="news">More...</a></td><td class="t"></td></tr>
+	  </table>
+	  <p>&nbsp;</p>
+
+	  <!--#include virtual="/inc/legalities.inc" -->
+
+	</div>
+	<footer>
+	  You are here: <a href="/">Home</a>
+	  <br/><a href="/sitemap.txt">Sitemap</a>
+	</footer>
+      </article>
+    </div>
+    <!--#include virtual="sidebar.inc" -->
+  </div>
+</div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/index.wml b/index.wml
deleted file mode 100644
index 0dfdfa4..0000000
--- a/index.wml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-#use wml::openssl area=title page=home
-
-<title>The Open Source toolkit for SSL/TLS</title>
-
-<h1>Welcome to the OpenSSL Project</h1>
-
-The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and <a href="http://www.opensource.org/">Open
-Source</a> toolkit implementing the 
-Secure Sockets Layer (SSL v2/v3)
-and Transport
-Layer Security (TLS) protocols as well as a full-strength general
-purpose cryptography library.
-The project is managed by a worldwide community of volunteers that
-use the Internet to communicate, plan, and develop the OpenSSL toolkit and its
-related documentation.
-
-<p>
-OpenSSL is based on the excellent SSLeay library developed by Eric Young
-and Tim Hudson. The OpenSSL toolkit <a href="$(ROOT)/source/license.html">is
-licensed</a>
-under an Apache-style
-licence, which basically means that you are free to get and use it for
-commercial and non-commercial purposes subject to some simple license
-conditions.
-
-<p>
-<newsflash from="$(ROOT)/news/newsflash.txt" max=5 more="$(ROOT)/news/">
-
-<p>
-<disclaimer>
-
-<p>
-<website-tools>
-
-<p>
-Hosting provided courtesy of <a href="https://www.space.net/">SpaceNet AG</a>.
diff --git a/news/.wmlrc b/news/.wmlrc
deleted file mode 100644
index ab44064..0000000
--- a/news/.wmlrc
+++ /dev/null
@@ -1,10 +0,0 @@
-##
-##  .wmlrc -- Local RC file for WML
-##
-
-#   define where the URL root of the Sub Navigation Bar (SNB) 
-#   is located [SNB_ROOT] and where it's buttons are defined [SNB_RC]
--DSNB_ROOT~.
--DSNB_RC=.wmlsnb
--I.
-
diff --git a/news/.wmlsnb b/news/.wmlsnb
deleted file mode 100644
index b38ee26..0000000
--- a/news/.wmlsnb
+++ /dev/null
@@ -1,12 +0,0 @@
-##
-##  .wmlsnb -- Sub Navigation Bar Specification for WML
-##
-
-<snb>
-  <snb_button id=newsflash txt="Newsflash" url="index.html">
-  <snb_button id=state     txt="State"     url="state.html">
-  <snb_button id=news      txt="Release Notes"      url="news.html">
-  <snb_button id=changelog txt="ChangeLog" url="changelog.html">
-  <snb_button id=vulnerabilities txt="Vulnerabilities" url="vulnerabilities.html">
-</snb>
-
diff --git a/news/announce-098.txt b/news/announce-098.txt
deleted file mode 100644
index f833a59..0000000
--- a/news/announce-098.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-
-   OpenSSL version 0.9.8x released
-   ===============================
-
-   OpenSSL - The Open Source toolkit for SSL/TLS
-   http://www.openssl.org/
-
-   The OpenSSL project team is pleased to announce the release of
-   version 0.9.8x of our open source toolkit for SSL/TLS. This new
-   OpenSSL version is a security and bugfix release. For a complete
-   list of changes, please see
-
-       http://www.openssl.org/source/exp/CHANGES.
-
-   The most significant changes are:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-   We consider OpenSSL 0.9.8x to be the best version of OpenSSL 0.9.8
-   available and we strongly recommend that users of older 0.9.8 versions
-   upgrade as soon as possible. OpenSSL 0.9.8x is available for
-   download via HTTP and FTP from the following master locations (you
-   can find the various FTP mirrors under
-   http://www.openssl.org/source/mirror.html):
-
-     * http://www.openssl.org/source/
-     * ftp://ftp.openssl.org/source/
-
-   The distribution file name is:
-
-    o openssl-0.9.8x.tar.gz
-      Size: 3782486
-      MD5 checksum: ee17e9bc805c8cc7d0afac3b0ef78eda
-      SHA1 checksum: 8c3be5160513c0af1e558d3f932390ecb16f59e9
-
-   The checksums were calculated using the following commands:
-
-    openssl md5 openssl-0.9.8x.tar.gz
-    openssl sha1 openssl-0.9.8x.tar.gz
-
-   Yours,
-
-   The OpenSSL Project Team.
diff --git a/news/announce-100.txt b/news/announce-100.txt
deleted file mode 100644
index 1f90678..0000000
--- a/news/announce-100.txt
+++ /dev/null
@@ -1,44 +0,0 @@
-
-   OpenSSL version 1.0.0j released
-   ===============================
-
-   OpenSSL - The Open Source toolkit for SSL/TLS
-   http://www.openssl.org/
-
-   The OpenSSL project team is pleased to announce the release of
-   version 1.0.0j of our open source toolkit for SSL/TLS. This new
-   OpenSSL version is a new feature release. For a complete
-   list of changes, please see
-
-       http://www.openssl.org/source/exp/CHANGES.
-
-   The most significant changes are:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-   We consider OpenSSL 1.0.0j to be the best version of OpenSSL 1.0.0
-   available and we strongly recommend that users of older 1.0.0 versions
-   upgrade as soon as possible. OpenSSL 1.0.0j is available for
-   download via HTTP and FTP from the following master locations (you
-   can find the various FTP mirrors under
-   http://www.openssl.org/source/mirror.html):
-
-     * http://www.openssl.org/source/
-     * ftp://ftp.openssl.org/source/
-
-   The distribution file name is:
-
-    o openssl-1.0.0j.tar.gz
-      Size: 4047852
-      MD5 checksum: cbe4ac0d8f598680f68a951e04b0996b
-      SHA1 checksum: 31e6e8bbf1de2f59fbd53382c34214887ccc1318
-
-   The checksums were calculated using the following commands:
-
-    openssl md5 openssl-1.0.0j.tar.gz
-    openssl sha1 openssl-1.0.0j.tar.gz
-
-   Yours,
-
-   The OpenSSL Project Team.
-
diff --git a/news/announce-beta.txt b/news/announce-beta.txt
deleted file mode 100644
index 66cb6da..0000000
--- a/news/announce-beta.txt
+++ /dev/null
@@ -1,62 +0,0 @@
-
-  OpenSSL version 1.0.1 Beta 3
-  ============================
-
-  OpenSSL - The Open Source toolkit for SSL/TLS
-  http://www.openssl.org/
-
-  OpenSSL is currently in a release cycle. The third beta is now released.
-  This is expected to be the final beta depending on the number of bugs
-  reported.
-
-  The beta release is available for download via HTTP and FTP from the
-  following master locations (the various FTP mirrors you can find under
-  http://www.openssl.org/source/mirror.html):
-
-    o http://www.openssl.org/source/
-    o ftp://ftp.openssl.org/source/
-
-  The file names of the beta are:
-
-    o openssl-1.0.1-beta3.tar.gz
-      Size: 4451351
-      MD5 checksum: dc141587e0d374bdb0c7b97f770fff5e
-      SHA1 checksum: 32105cbcc1bc6bc959102b2d70eb16ed1da732ce
-
-  The checksums were calculated using the following command:
-
-    openssl md5 < openssl-1.0.1-beta3.tar.gz
-    openssl sha1 < openssl-1.0.1-beta3.tar.gz
-
-  Please download and test them as soon as possible. This new OpenSSL
-  version incorporates 55 documented changes and bugfixes to the
-  toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).
-
-  Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/ 
-  or CVS (see http://www.openssl.org/source/repos.html) to avoid
-  reporting previously fixed bugs.
-
-  Since the second beta the following has happened:
-
-    - Improved TLS v1.2 client authentication interop.
-    - MDC2 signature format compatibility fix.
-    - ABI compatibility fixes.
-    - Other fixes.
-
-  Reports and patches should be sent to openssl-bugs at openssl.org.
-  Discussions around the development of OpenSSL should be sent to
-  openssl-dev at openssl.org.  Anything else should go to
-  openssl-users at openssl.org.
-
-  The best way, at least on Unix, to create a report is to do the
-  following after configuration:
-
-      make report
-
-  That will do a few basic checks of the compiler and bc, then build
-  and run the tests.  The result will appear on screen and in the file
-  "testlog".  Please read the report before sending it to us.  There
-  may be problems that we can't solve for you, like missing programs.
-
-  Yours,
-  The OpenSSL Project Team.
diff --git a/news/announce.txt b/news/announce.txt
deleted file mode 100644
index be91b16..0000000
--- a/news/announce.txt
+++ /dev/null
@@ -1,44 +0,0 @@
-
-   OpenSSL version 1.0.1e released
-   ===============================
-
-   OpenSSL - The Open Source toolkit for SSL/TLS
-   http://www.openssl.org/
-
-   The OpenSSL project team is pleased to announce the release of
-   version 1.0.1e of our open source toolkit for SSL/TLS. This new
-   OpenSSL version is a new feature release. For a complete
-   list of changes, please see
-
-       http://www.openssl.org/source/exp/CHANGES.
-
-   The most significant changes are:
-
-      o Corrected fix for CVE-2013-0169
-
-   We consider OpenSSL 1.0.1e to be the best version of OpenSSL
-   available and we strongly recommend that users of older versions
-   upgrade as soon as possible. OpenSSL 1.0.1e is available for
-   download via HTTP and FTP from the following master locations (you
-   can find the various FTP mirrors under
-   http://www.openssl.org/source/mirror.html):
-
-     * http://www.openssl.org/source/
-     * ftp://ftp.openssl.org/source/
-
-   The distribution file name is:
-
-    o openssl-1.0.1e.tar.gz
-      Size: 4459777
-      MD5 checksum: 66bf6f10f060d561929de96f9dfe5b8c
-      SHA1 checksum: 3f1b1223c9e8189bfe4e186d86449775bd903460
-
-   The checksums were calculated using the following commands:
-
-    openssl md5 openssl-1.0.1e.tar.gz
-    openssl sha1 openssl-1.0.1e.tar.gz
-
-   Yours,
-
-   The OpenSSL Project Team.
-
diff --git a/news/changelog.html b/news/changelog.html
new file mode 100644
index 0000000..66abe58
--- /dev/null
+++ b/news/changelog.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Changelog</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    The plain-text version of this document is available
+	    here: <a href="changelog.txt">changelog.txt</a>
+	    </p>
+	    <!--#include virtual="changelog.inc" -->
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">News</a>
+	    : <a href="">Changelog</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/news/changelog.wml b/news/changelog.wml
deleted file mode 100644
index 9ecb792..0000000
--- a/news/changelog.wml
+++ /dev/null
@@ -1,15 +0,0 @@
-
-#use wml::openssl area=news page=changelog 
-
-<title>News, ChangeLog</title>
-
-<h1>ChangeLog</h1>
-
-This file summarizes all types of changes to the OpenSSL toolkit, i.e.
-changes between each patchlevel. Take this list as a reference for concrete
-and detailed information about every significant change. The presented contents
-reflects the current state of the <tt>CHANGES</tt> file inside the git repository. 
-
-<p>
-<!--#include virtual="/news/changelog.inc" -->
-
diff --git a/news/index.html b/news/index.html
new file mode 100644
index 0000000..e157bcb
--- /dev/null
+++ b/news/index.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>News<h2></header>
+	  <div class="entry-content">
+	    <p>
+	    To get the latest source, see the
+	    <a href="/source">Downloads</a> section.
+	    For an exhaustive list of all releases (and some other
+	    announcements), see the <a href="newslog.html">Newslog</a>
+	    page.
+	    </p>
+
+	    <p>If you think you have found a security bug, or want
+	    to look at all the vulnerabilities we have published and
+	    fixed, visit the
+	    <a href="vulnerabilities.html">Vulnerabilities</a> page.</p>
+
+	    <p>We have an online copy of our
+	    <a href="changelog.html">Changelog</a>.  It is
+	    also part of the distribution.</p>
+	    </p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">News</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/news/index.wml b/news/index.wml
deleted file mode 100644
index 95c862a..0000000
--- a/news/index.wml
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#use wml::openssl area=news page=newsflash 
-
-<title>News, Project Newsflash</title>
-
-<h1>Project Newsflash!</h1>
-
-Here you can find hints to the regular news about the OpenSSL project.  Check
-this table from time to time when you want to be up-to-date with the latest
-OpenSSL development.
-
-<p>
-<newsflash from="$(ROOT)/news/newsflash.txt">
-
diff --git a/news/internet.wml b/news/internet.wml
deleted file mode 100644
index 7a32168..0000000
--- a/news/internet.wml
+++ /dev/null
@@ -1,46 +0,0 @@
-
-#use wml::openssl area=news page=internet 
-
-<title>News, Internet</title>
-
-<h1>OpenSSL News on the Internet</h1>
-
-<p>
-<zwue>News on the Internet</zwue>
-
-Here you can find some links to Internet services which show you the
-OpenSSL-related activity and latest news on the net.
-
-<ul>
-<li><a href="http://www.dejanews.com/">
-    <font id=sfl>DejaNews Discussion Network</font>
-	</a><br>
-    <a href="http://www.dejanews.com/dnquery.xp?QRY=OpenSSL&defaultOp=AND&DBS=1&maxhits=100&showsort=date&format=terse">
-	Archive of all OpenSSL related discussions</a> on Usenet forums.  Use this
-	to look at all postings in Usenet newsgroups where people talk about
-	OpenSSL.
-<p>
-<li><a href="http://www.altavista.com/">
-    <font id=sfl>AltaVista Usenet Search Engine</font>
-	</a><br>
-    <a href="http://www.altavista.com/cgi-bin/query?pg=q&what=news&q=OpenSSL">
-	Archive of all OpenSSL related discussions</a> on Usenet forums.  Use this
-	to look at all postings in Usenet newsgroups where people talk about
-	OpenSSL.
-<p>
-<li><a href="http://www.altavista.com/">
-    <font id=sfl>AltaVista Web Search Engine</font>
-	</a><br>
-    <a href="http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&q=link%3Awww.openssl.org%2F">
-	List of all currently known hyperlinks</a> to the OpenSSL website.  Use
-	this to look at all pages on the WWW which have a hyperlink to the OpenSSL
-	home location.
-<p>
-<li><a href="http://ftpsearch.ntnu.no/">
-    <font id=sfl>FAST FTP Search Engine</font>
-	</a><br>
-    <a href="http://ftpsearch.ntnu.no/cgi-bin/search?query=openssl&doit=Search&type=Case+insensitive+substring+search&doexact=on&hits=50&matches=&hitsprmatch=&limdom=&limpath=&hidepackages=on&hidedistfiles=on&hidefreebsd=on&hideopenbsd=on&hidenetbsd=on&f1=Mode&f2=Time&f3=Host&f4=Path&f5=-&f6=-&header=none&sort=date&trlen=30">
-	List of FTP location</a> where OpenSSL distribution tarballs can be found.
-	Use this to find the various mirrors of the OpenSSL FTP area.
-</ul>
-
diff --git a/news/news.wml b/news/news.wml
deleted file mode 100644
index c55a434..0000000
--- a/news/news.wml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-#use wml::openssl area=news page=news
-
-<title>News, Release Notes</title>
-
-<h1>Release Notes</h1>
-
-This page contains links to release and pre-release notes for all branches of
-the OpenSSL toolkit. The presented contents reflect the current state of the
-<tt>NEWS</tt> file inside the git repository for the appropriate branch. 
-
-<ul>
-<li><a href="openssl-notes.html">Release notes for all OpenSSL branches.</a>
-<li><a href="openssl-1.0.2-notes.html">Release notes for 1.0.2 branch of OpenSSL.</a>
-<li><a href="openssl-1.0.1-notes.html">Release notes for 1.0.1 branch of OpenSSL.</a>
-<li><a href="openssl-1.0.0-notes.html">Release notes for 1.0.0 branch of OpenSSL.</a>
-<li><a href="openssl-0.9.8-notes.html">Release notes for 0.9.8 branch of OpenSSL.</a>
-<li><a href="openssl-old-notes.html">Release notes for obsolete branches of OpenSSL.</a>
-</ul>
-
-More details can be found in the <a href="changelog.html">ChangeLog</a>.
-
diff --git a/news/newsflash.txt b/news/newsflash.txt
index a49983f..42e39b2 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -1,227 +1,228 @@
-09-Jul-2015: <a href="ROOT/news/secadv_20150709.txt">Security Advisory</a>: one security fix
-09-Jul-2015: OpenSSL 1.0.2d is now <a href="ROOT/source/">available</a>, including bug and security fixes
-09-Jul-2015: OpenSSL 1.0.1p is now <a href="ROOT/source/">available</a>, including bug and security fixes
+Date: Item
+09-Jul-2015: <a href="secadv/20150709.txt">Security Advisory</a>: one security fix
+09-Jul-2015: OpenSSL 1.0.2d is now available, including bug and security fixes
+09-Jul-2015: OpenSSL 1.0.1p is now available, including bug and security fixes
 06-Jul-2015: OpenSSL 1.0.2d and 1.0.1p <a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html">security releases due 9th July 2015</a>
 12-Jun-2015: New releases to resolve ABI compatibility problems:
-12-Jun-2015: OpenSSL 1.0.2c is now <a href="ROOT/source/">available</a>, including bug fixes
-12-Jun-2015: OpenSSL 1.0.1o is now <a href="ROOT/source/">available</a>, including bug fixes
-11-Jun-2015: <a href="ROOT/news/secadv_20150611.txt">Security Advisory</a>: five security fixes
-11-Jun-2015: OpenSSL 1.0.2b is now <a href="ROOT/source/">available</a>, including bug and security fixes
-11-Jun-2015: OpenSSL 1.0.1n is now <a href="ROOT/source/">available</a>, including bug and security fixes
-11-Jun-2015: OpenSSL 1.0.0s is now <a href="ROOT/source/">available</a>, including bug and security fixes
-11-Jun-2015: OpenSSL 0.9.8zg is now <a href="ROOT/source/">available</a>, including bug and security fixes
-19-Mar-2015: <a href="ROOT/news/secadv_20150319.txt">Security Advisory</a>: twelve security fixes
-19-Mar-2015: OpenSSL 1.0.2a is now <a href="ROOT/source/">available</a>, including bug and security fixes
-19-Mar-2015: OpenSSL 1.0.1m is now <a href="ROOT/source/">available</a>, including bug and security fixes
-19-Mar-2015: OpenSSL 1.0.0r is now <a href="ROOT/source/">available</a>, including bug and security fixes
-19-Mar-2015: OpenSSL 0.9.8zf is now <a href="ROOT/source/">available</a>, including bug and security fixes
-22-Jan-2015: OpenSSL 1.0.2 is now <a href="ROOT/source/">available</a>, a major release
+12-Jun-2015: OpenSSL 1.0.2c is now available, including bug fixes
+12-Jun-2015: OpenSSL 1.0.1o is now available, including bug fixes
+11-Jun-2015: <a href="secadv/20150611.txt">Security Advisory</a>: five security fixes
+11-Jun-2015: OpenSSL 1.0.2b is now available, including bug and security fixes
+11-Jun-2015: OpenSSL 1.0.1n is now available, including bug and security fixes
+11-Jun-2015: OpenSSL 1.0.0s is now available, including bug and security fixes
+11-Jun-2015: OpenSSL 0.9.8zg is now available, including bug and security fixes
+19-Mar-2015: <a href="secadv/20150319.txt">Security Advisory</a>: twelve security fixes
+19-Mar-2015: OpenSSL 1.0.2a is now available, including bug and security fixes
+19-Mar-2015: OpenSSL 1.0.1m is now available, including bug and security fixes
+19-Mar-2015: OpenSSL 1.0.0r is now available, including bug and security fixes
+19-Mar-2015: OpenSSL 0.9.8zf is now available, including bug and security fixes
+22-Jan-2015: OpenSSL 1.0.2 is now available, a major release
 15-Jan-2015: New releases to resolve Windows/OpenVMS compilation problems:
-15-Jan-2015: OpenSSL 1.0.1l is now <a href="ROOT/source/">available</a>, including bug fixes
-15-Jan-2015: OpenSSL 1.0.0q is now <a href="ROOT/source/">available</a>, including bug fixes
-15-Jan-2015: OpenSSL 0.9.8ze is now <a href="ROOT/source/">available</a>, including bug fixes
-08-Jan-2015: <a href="ROOT/news/secadv_20150108.txt">Security Advisory</a>: eight security fixes
-08-Jan-2015: OpenSSL 1.0.1k is now <a href="ROOT/source/">available</a>, including bug and security fixes
-08-Jan-2015: OpenSSL 1.0.0p is now <a href="ROOT/source/">available</a>, including bug and security fixes
-08-Jan-2015: OpenSSL 0.9.8zd is now <a href="ROOT/source/">available</a>, including bug and security fixes
-15-Oct-2014: <a href="ROOT/news/secadv_20141015.txt">Security Advisory</a>: four security fixes
-15-Oct-2014: OpenSSL 1.0.1j is now <a href="ROOT/source/">available</a>, including bug and security fixes
-15-Oct-2014: OpenSSL 1.0.0o is now <a href="ROOT/source/">available</a>, including bug and security fixes
-15-Oct-2014: OpenSSL 0.9.8zc is now <a href="ROOT/source/">available</a>, including bug and security fixes
-25-Sep-2014: Beta 3 of OpenSSL 1.0.2 is now <a href="ROOT/source/">available</a>, please test it now
-06-Aug-2014: <a href="ROOT/news/secadv_20140806.txt">Security Advisory</a>: nine security fixes
-06-Aug-2014: OpenSSL 1.0.1i is now <a href="ROOT/source/">available</a>, including bug and security fixes
-06-Aug-2014: OpenSSL 1.0.0n is now <a href="ROOT/source/">available</a>, including bug and security fixes
-06-Aug-2014: OpenSSL 0.9.8zb is now <a href="ROOT/source/">available</a>, including bug and security fixes
-22-Jul-2014: Beta 2 of OpenSSL 1.0.2 is now <a href="ROOT/source/">available</a>, please test it now
-30-Jun-2014: <a href="ROOT/about/roadmap.html">Project roadmap</a> released
-24-Jun-2014: <a href="ROOT/about/">Team status changes</a> including six new development team members
-05-Jun-2014: <a href="ROOT/news/secadv_20140605.txt">Security Advisory</a>: seven security fixes
-05-Jun-2014: OpenSSL 1.0.1h is now <a href="ROOT/source/">available</a>, including bug and security fixes
-05-Jun-2014: OpenSSL 1.0.0m is now <a href="ROOT/source/">available</a>, including bug and security fixes
-05-Jun-2014: OpenSSL 0.9.8za is now <a href="ROOT/source/">available</a>, including bug and security fixes
-23-Apr-2014: <a href="ROOT/about/">Team status changes</a> including new team member: Steve Marquess
-07-Apr-2014: <a href="ROOT/news/secadv_20140407.txt">Security Advisory</a>: Heartbeat overflow issue.
-07-Apr-2014: OpenSSL 1.0.1g is now <a href="ROOT/source/">available</a>, including bug and security fixes
-24-Feb-2014: Beta 1 of OpenSSL 1.0.2 is now <a href="ROOT/source/">available</a>, please test it now
-06-Jan-2014: OpenSSL 1.0.0l is now <a href="ROOT/source/">available</a>, including bug and security fixes
-06-Jan-2014: OpenSSL 1.0.1f is now <a href="ROOT/source/">available</a>, including bug and security fixes
-03-Jan-2014: UPDATE: site defacement <a href="ROOT/news/secadv_hack.txt">final details.</a>
-11-Feb-2013: OpenSSL 1.0.1e is now <a href="ROOT/source/">available</a>, including bug fixes
-05-Feb-2013: <a href="ROOT/news/secadv_20130205.txt">Security Advisory</a>: three security fixes
-05-Feb-2013: OpenSSL 1.0.1d is now <a href="ROOT/source/">available</a>, including bug and security fixes
-05-Feb-2013: OpenSSL 1.0.0k is now <a href="ROOT/source/">available</a>, including security fixes
-05-Feb-2013: OpenSSL 0.9.8y is now <a href="ROOT/source/">available</a>, including security fixes
-10-May-2012: <a href="ROOT/news/secadv_20120510.txt">Security Advisory</a>: TLS/DTLS DoS issue
-10-May-2012: OpenSSL 1.0.1c is now <a href="ROOT/source/">available</a>, including bug and security fixes
-10-May-2012: OpenSSL 1.0.0j is now <a href="ROOT/source/">available</a>, including security fixes
-10-May-2012: OpenSSL 0.9.8x is now <a href="ROOT/source/">available</a>, including security fixes
-26-Apr-2012: OpenSSL 1.0.1b is now <a href="ROOT/source/">available</a>, including important bug fixes
-25-Apr-2012: <a href="ROOT/news/notice_20120425.txt">Notice</a>:OpenSSL 1.0.1a compilation problems with non x86 platforms
-24-Apr-2012: OpenSSL 0.9.8w is now <a href="ROOT/source/">available</a>, including security fixes
-24-Apr-2012: <a href="ROOT/news/secadv_20120424.txt">Security Advisory</a>: ASN1 incomplete fix for OpenSSL 0.9.8
-19-Apr-2012: OpenSSL 1.0.1a is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-19-Apr-2012: OpenSSL 1.0.0i is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-19-Apr-2012: OpenSSL 0.9.8v is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-19-Apr-2012: <a href="ROOT/news/secadv_20120419.txt">Security Advisory</a>: ASN1 overflow vulnerability
-14-Mar-2012: OpenSSL 1.0.1 is now <a href="ROOT/source/">available</a>, including new features
-12-Mar-2012: <a href="ROOT/news/secadv_20120312.txt">Security Advisory</a>: PKCS7/CMS MMA issue
-12-Mar-2012: OpenSSL 0.9.8u is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-12-Mar-2012: OpenSSL 1.0.0h is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-23-Feb-2012: Beta 3 of OpenSSL 1.0.1 is now <a href="ROOT/source/">available</a>, please test it now
-19-Jan-2012: Beta 2 of OpenSSL 1.0.1 is now <a href="ROOT/source/">available</a>, please test it now
-18-Jan-2012: <a href="ROOT/news/secadv_20120118.txt">Security Advisory</a>: DTLS DoS issue
-18-Jan-2012: OpenSSL 1.0.0g is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-18-Jan-2012: OpenSSL 0.9.8t is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-04-Jan-2012: <a href="ROOT/news/secadv_20120104.txt">Security Advisory</a>: six security fixes
-04-Jan-2012: OpenSSL 0.9.8s is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-04-Jan-2012: OpenSSL 1.0.0f is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-03-Jan-2012: Beta 1 of OpenSSL 1.0.1 is now <a href="ROOT/source/">available</a>, please test it now
-06-Sep-2011: OpenSSL 1.0.0e is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-06-Sep-2011: <a href="ROOT/news/secadv_20110906.txt">Security Advisory</a>: two security fixes
-08-Feb-2011: <a href="ROOT/news/secadv_20110208.txt">Security Advisory</a>: OCSP stapling vulnerability
-08-Feb-2011: OpenSSL 1.0.0d is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-08-Feb-2011: OpenSSL 0.9.8r is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-09-Dec-2010: OpenSSL FIPS 140-2 module 1.2.2 is now <a href="ROOT/source/">available</a>.
-02-Dec-2010: <a href="ROOT/news/secadv_20101202.txt">Security Advisory</a>: ciphersuite downgrade fix
-02-Dec-2010: OpenSSL 1.0.0c is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-02-Dec-2010: OpenSSL 0.9.8q is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-16-Nov-2010: OpenSSL 1.0.0b is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-16-Nov-2010: OpenSSL 0.9.8p is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-16-Nov-2010: <a href="ROOT/news/secadv_20101116.txt">Security Advisory</a>: buffer overrun fix
-01-Jun-2010: OpenSSL 0.9.8o is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-01-Jun-2010: OpenSSL 1.0.0a is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-01-Jun-2010: <a href="ROOT/news/secadv_20100601.txt">Security Advisory</a>: two security fixes
-29-Mar-2010: OpenSSL 1.0.0 is now <a href="ROOT/source/">available</a>, a major release
-24-Mar-2010: <a href="ROOT/news/secadv_20100324.txt">Security Advisory</a>: "Record of death" security fix
-24-Mar-2010: OpenSSL 0.9.8n is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-25-Feb-2010: OpenSSL 0.9.8m is now <a href="ROOT/source/">available</a>, including important bug and security fixes
-24-Jun-2009: Commercial support for OpenSSL is now <a href="ROOT/support/funding/contract.html">available</a>
-25-Mar-2009: OpenSSL 0.9.8k is now <a href="ROOT/source/">available</a>, including important bug fixes
-25-Mar-2009: <a href="ROOT/news/secadv_20090325.txt">Security Advisory</a>: Three moderate severity security issues
-07-Jan-2009: OpenSSL 0.9.8j is now <a href="ROOT/source/">available</a>, including important bug fixes
-07-Jan-2009: <a href="ROOT/news/secadv_20090107.txt">Security Advisory</a>: incorrect checks for malformed signatures
-18-Nov-2008: OpenSSL FIPS 140-2 module 1.2 is now <a href="ROOT/source/">available</a>
-15-Sep-2008: OpenSSL 0.9.8i is now <a href="ROOT/source/">available</a>, including important bug fixes
-28-May-2008: <a href="ROOT/news/secadv_20080528.txt">Security Advisory</a>: Two moderate severity security issues
-28-May-2008: OpenSSL 0.9.8h is now <a href="ROOT/source/">available</a>, including security and bug fixes
-29-Nov-2007: <a href="ROOT/news/secadv_20071129.txt">Security Advisory</a>: FIPS 1.1.1 module PRNG security issue
-19-Oct-2007: OpenSSL 0.9.8g is now <a href="ROOT/source/">available</a>, including bug fixes
-12-Oct-2007: <a href="ROOT/news/secadv_20071012.txt">Security Advisory</a>: Various security issues
-11-Oct-2007: OpenSSL 0.9.8f is now <a href="ROOT/source/">available</a>, including security and bug fixes
-23-Feb-2007: OpenSSL 0.9.8e is now <a href="ROOT/source/">available</a>, including important bugfixes
-23-Feb-2007: OpenSSL 0.9.7m is now <a href="ROOT/source/">available</a>, including important bugfixes
-28-Sep-2006: <a href="ROOT/news/secadv_20060928.txt">Security Advisory</a>: Various security issues
-28-Sep-2006: OpenSSL 0.9.8d is now <a href="ROOT/source/">available</a>, including security fixes
-28-Sep-2006: OpenSSL 0.9.7l is now <a href="ROOT/source/">available</a>, including security fixes
-05-Sep-2006: <a href="ROOT/news/secadv_20060905.txt">Security Advisory</a>: RSA Signature Forgery
-05-Sep-2006: OpenSSL 0.9.8c is now <a href="ROOT/source/">available</a>, including security fix
-05-Sep-2006: OpenSSL 0.9.7k is now <a href="ROOT/source/">available</a>, including security fix
-04-May-2006: OpenSSL 0.9.8b is now <a href="ROOT/source/">available</a>, including important bugfixes
-04-May-2006: OpenSSL 0.9.7j is now <a href="ROOT/source/">available</a>, including important bugfixes
-15-oct-2005: OpenSSL 0.9.7i is now <a href="ROOT/source/">available</a>, contains compatibility fix	
-11-oct-2005: <a href="ROOT/news/secadv_20051011.txt">Security Advisory</a>: Potential SSL 2.0 rollback
-11-oct-2005: OpenSSL 0.9.8a is now <a href="ROOT/source/">available</a>, including security fix
-11-oct-2005: OpenSSL 0.9.7h is now <a href="ROOT/source/">available</a>, including security fix
-05-jul-2005: OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, a major release
-21-jun-2005: Beta 6 of OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, please test it now
-13-jun-2005: Beta 5 of OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, please test it now
-06-jun-2005: Beta 4 of OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, please test it now
-31-may-2005: Beta 3 of OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, please test it now
-24-may-2005: Beta 2 of OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, please test it now
-19-may-2005: Beta 1 of OpenSSL 0.9.8 is now <a href="ROOT/source/">available</a>, please test it now
-11-apr-2005: OpenSSL 0.9.7g is now <a href="ROOT/source/">available</a>, including important bugfixes
-22-mar-2005: OpenSSL 0.9.7f is now <a href="ROOT/source/">available</a>, including important bugfixes
-25-oct-2004: OpenSSL 0.9.7e is now <a href="ROOT/source/">available</a>, including important bugfixes
-17-mar-2004: <a href="ROOT/news/secadv_20040317.txt">Security Advisory</a>: Denial of Service flaws in 0.9.6l and 0.9.7c
-17-mar-2004: OpenSSL 0.9.7d is now <a href="ROOT/source/">available</a>, including important bugfixes
-17-mar-2004: OpenSSL 0.9.6m is now <a href="ROOT/source/">available</a>, including security fix
-17-mar-2004: OpenSSL 0.9.6m [engine] is now <a href="ROOT/source/">available</a>, including security fix
-04-nov-2003: OpenSSL 0.9.6l is now <a href="ROOT/source/">available</a>, including security fix
-04-nov-2003: OpenSSL 0.9.6l [engine] is now <a href="ROOT/source/">available</a>, including security fix
-04-nov-2003: <a href="ROOT/news/secadv_20031104.txt">Security Advisory</a>: Denial of Service in ASN.1 parsing in 0.9.6k.
-30-sep-2003: OpenSSL 0.9.7c is now <a href="ROOT/source/">available</a>, including important bugfixes
-30-sep-2003: OpenSSL 0.9.6k is now <a href="ROOT/source/">available</a>, including important bugfixes
-30-sep-2003: OpenSSL 0.9.6k [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-30-sep-2003: <a href="ROOT/news/secadv_20030930.txt">Security Advisory</a>: Vulnerabilities in ASN.1 parsing.
-10-apr-2003: OpenSSL 0.9.7b is now <a href="ROOT/source/">available</a>, including important bugfixes
-10-apr-2003: OpenSSL 0.9.6j is now <a href="ROOT/source/">available</a>, including important bugfixes
-10-apr-2003: OpenSSL 0.9.6j [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-19-Mar-2003: <a href="ROOT/news/secadv_20030319.txt">Security Advisory</a>: Klima-Pokorny-Rosa attack.
-17-Mar-2003: <a href="ROOT/news/secadv_20030317.txt">Security Advisory</a>: timing attacks, RSA blinding.
-19-feb-2003: OpenSSL 0.9.7a is now <a href="ROOT/source/">available</a>, including important bugfixes
-19-feb-2003: OpenSSL 0.9.6i is now <a href="ROOT/source/">available</a>, including important bugfixes
-19-feb-2003: OpenSSL 0.9.6i [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-19-feb-2003: <a href="ROOT/news/secadv_20030219.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6i and 0.9.7a
-31-Dec-2002: OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, a major release
-17-dec-2002: Beta 6 of OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, please test it now
-5-dec-2002: Beta 5 of OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, please test it now
-5-dec-2002: OpenSSL 0.9.6h is now <a href="ROOT/source/">available</a>, including important bugfixes
-5-dec-2002: OpenSSL 0.9.6h [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-19-Nov-2002: Beta 4 of OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, please test it now
-9-aug-2002: OpenSSL 0.9.6g is now <a href="ROOT/source/">available</a>, including important bugfixes
-9-aug-2002: OpenSSL 0.9.6g [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-8-aug-2002: OpenSSL 0.9.6f is now <a href="ROOT/source/">available</a>, including important bugfixes
-8-aug-2002: OpenSSL 0.9.6f [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-30-Jul-2002: OpenSSL 0.9.6e is now <a href="ROOT/source/">available</a>, including important bugfixes
-30-Jul-2002: OpenSSL 0.9.6e [engine] is now <a href="ROOT/source/">available</a>, including important bugfixes
-30-Jul-2002: <a href="ROOT/news/secadv_20020730.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6e
-30-Jul-2002: Beta 3 of OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, please test it now
-16-jun-2002: Beta 2 of OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, please test it now
-01-jun-2002: Beta 1 of OpenSSL 0.9.7 is now <a href="ROOT/source/">available</a>, please test it now
-9-may-2002: OpenSSL 0.9.6d is now <a href="ROOT/source/">available</a>, a minor release
-9-may-2002: OpenSSL 0.9.6d [engine] is now <a href="ROOT/source/">available</a>, a minor release
-17-apr-2002: Beta 1 of OpenSSL 0.9.6d is now <a href="ROOT/source/">available</a>, please test it now
-17-apr-2002: Beta 1 of OpenSSL 0.9.6d [engine] is now <a href="ROOT/source/">available</a>, please test it now
+15-Jan-2015: OpenSSL 1.0.1l is now available, including bug fixes
+15-Jan-2015: OpenSSL 1.0.0q is now available, including bug fixes
+15-Jan-2015: OpenSSL 0.9.8ze is now available, including bug fixes
+08-Jan-2015: <a href="secadv/20150108.txt">Security Advisory</a>: eight security fixes
+08-Jan-2015: OpenSSL 1.0.1k is now available, including bug and security fixes
+08-Jan-2015: OpenSSL 1.0.0p is now available, including bug and security fixes
+08-Jan-2015: OpenSSL 0.9.8zd is now available, including bug and security fixes
+15-Oct-2014: <a href="secadv/20141015.txt">Security Advisory</a>: four security fixes
+15-Oct-2014: OpenSSL 1.0.1j is now available, including bug and security fixes
+15-Oct-2014: OpenSSL 1.0.0o is now available, including bug and security fixes
+15-Oct-2014: OpenSSL 0.9.8zc is now available, including bug and security fixes
+25-Sep-2014: Beta 3 of OpenSSL 1.0.2 is now available, please test it now
+06-Aug-2014: <a href="secadv/20140806.txt">Security Advisory</a>: nine security fixes
+06-Aug-2014: OpenSSL 1.0.1i is now available, including bug and security fixes
+06-Aug-2014: OpenSSL 1.0.0n is now available, including bug and security fixes
+06-Aug-2014: OpenSSL 0.9.8zb is now available, including bug and security fixes
+22-Jul-2014: Beta 2 of OpenSSL 1.0.2 is now available, please test it now
+30-Jun-2014: Project roadmap released
+24-Jun-2014: Team status changes including six new development team members
+05-Jun-2014: <a href="secadv/20140605.txt">Security Advisory</a>: seven security fixes
+05-Jun-2014: OpenSSL 1.0.1h is now available, including bug and security fixes
+05-Jun-2014: OpenSSL 1.0.0m is now available, including bug and security fixes
+05-Jun-2014: OpenSSL 0.9.8za is now available, including bug and security fixes
+23-Apr-2014: Team status changes including new team member: Steve Marquess
+07-Apr-2014: <a href="secadv/20140407.txt">Security Advisory</a>: Heartbeat overflow issue.
+07-Apr-2014: OpenSSL 1.0.1g is now available, including bug and security fixes
+24-Feb-2014: Beta 1 of OpenSSL 1.0.2 is now available, please test it now
+06-Jan-2014: OpenSSL 1.0.0l is now available, including bug and security fixes
+06-Jan-2014: OpenSSL 1.0.1f is now available, including bug and security fixes
+03-Jan-2014: UPDATE: site defacement <a href="secadv/hack.txt">final details.</a>
+11-Feb-2013: OpenSSL 1.0.1e is now available, including bug fixes
+05-Feb-2013: <a href="secadv/20130205.txt">Security Advisory</a>: three security fixes
+05-Feb-2013: OpenSSL 1.0.1d is now available, including bug and security fixes
+05-Feb-2013: OpenSSL 1.0.0k is now available, including security fixes
+05-Feb-2013: OpenSSL 0.9.8y is now available, including security fixes
+10-May-2012: <a href="secadv/20120510.txt">Security Advisory</a>: TLS/DTLS DoS issue
+10-May-2012: OpenSSL 1.0.1c is now available, including bug and security fixes
+10-May-2012: OpenSSL 1.0.0j is now available, including security fixes
+10-May-2012: OpenSSL 0.9.8x is now available, including security fixes
+26-Apr-2012: OpenSSL 1.0.1b is now available, including important bug fixes
+25-Apr-2012: Notice: OpenSSL 1.0.1a compilation problems with non x86 platforms
+24-Apr-2012: OpenSSL 0.9.8w is now available, including security fixes
+24-Apr-2012: <a href="secadv/20120424.txt">Security Advisory</a>: ASN1 incomplete fix for OpenSSL 0.9.8
+19-Apr-2012: OpenSSL 1.0.1a is now available, including important bug and security fixes
+19-Apr-2012: OpenSSL 1.0.0i is now available, including important bug and security fixes
+19-Apr-2012: OpenSSL 0.9.8v is now available, including important bug and security fixes
+19-Apr-2012: <a href="secadv/20120419.txt">Security Advisory</a>: ASN1 overflow vulnerability
+14-Mar-2012: OpenSSL 1.0.1 is now available, including new features
+12-Mar-2012: <a href="secadv/20120312.txt">Security Advisory</a>: PKCS7/CMS MMA issue
+12-Mar-2012: OpenSSL 0.9.8u is now available, including important bug and security fixes
+12-Mar-2012: OpenSSL 1.0.0h is now available, including important bug and security fixes
+23-Feb-2012: Beta 3 of OpenSSL 1.0.1 is now available, please test it now
+19-Jan-2012: Beta 2 of OpenSSL 1.0.1 is now available, please test it now
+18-Jan-2012: <a href="secadv/20120118.txt">Security Advisory</a>: DTLS DoS issue
+18-Jan-2012: OpenSSL 1.0.0g is now available, including important bug and security fixes
+18-Jan-2012: OpenSSL 0.9.8t is now available, including important bug and security fixes
+04-Jan-2012: <a href="secadv/20120104.txt">Security Advisory</a>: six security fixes
+04-Jan-2012: OpenSSL 0.9.8s is now available, including important bug and security fixes
+04-Jan-2012: OpenSSL 1.0.0f is now available, including important bug and security fixes
+03-Jan-2012: Beta 1 of OpenSSL 1.0.1 is now available, please test it now
+06-Sep-2011: OpenSSL 1.0.0e is now available, including important bug and security fixes
+06-Sep-2011: <a href="secadv/20110906.txt">Security Advisory</a>: two security fixes
+08-Feb-2011: <a href="secadv/20110208.txt">Security Advisory</a>: OCSP stapling vulnerability
+08-Feb-2011: OpenSSL 1.0.0d is now available, including important bug and security fixes
+08-Feb-2011: OpenSSL 0.9.8r is now available, including important bug and security fixes
+09-Dec-2010: OpenSSL FIPS 140-2 module 1.2.2 is now available.
+02-Dec-2010: <a href="secadv/20101202.txt">Security Advisory</a>: ciphersuite downgrade fix
+02-Dec-2010: OpenSSL 1.0.0c is now available, including important bug and security fixes
+02-Dec-2010: OpenSSL 0.9.8q is now available, including important bug and security fixes
+16-Nov-2010: OpenSSL 1.0.0b is now available, including important bug and security fixes
+16-Nov-2010: OpenSSL 0.9.8p is now available, including important bug and security fixes
+16-Nov-2010: <a href="secadv/20101116.txt">Security Advisory</a>: buffer overrun fix
+01-Jun-2010: OpenSSL 0.9.8o is now available, including important bug and security fixes
+01-Jun-2010: OpenSSL 1.0.0a is now available, including important bug and security fixes
+01-Jun-2010: <a href="secadv/20100601.txt">Security Advisory</a>: two security fixes
+29-Mar-2010: OpenSSL 1.0.0 is now available, a major release
+24-Mar-2010: <a href="secadv/20100324.txt">Security Advisory</a>: "Record of death" security fix
+24-Mar-2010: OpenSSL 0.9.8n is now available, including important bug and security fixes
+25-Feb-2010: OpenSSL 0.9.8m is now available, including important bug and security fixes
+24-Jun-2009: Commercial support for OpenSSL is now available
+25-Mar-2009: OpenSSL 0.9.8k is now available, including important bug fixes
+25-Mar-2009: <a href="secadv/20090325.txt">Security Advisory</a>: Three moderate severity security issues
+07-Jan-2009: OpenSSL 0.9.8j is now available, including important bug fixes
+07-Jan-2009: <a href="secadv/20090107.txt">Security Advisory</a>: incorrect checks for malformed signatures
+18-Nov-2008: OpenSSL FIPS 140-2 module 1.2 is now available
+15-Sep-2008: OpenSSL 0.9.8i is now available, including important bug fixes
+28-May-2008: <a href="secadv/20080528.txt">Security Advisory</a>: Two moderate severity security issues
+28-May-2008: OpenSSL 0.9.8h is now available, including security and bug fixes
+29-Nov-2007: <a href="secadv/20071129.txt">Security Advisory</a>: FIPS 1.1.1 module PRNG security issue
+19-Oct-2007: OpenSSL 0.9.8g is now available, including bug fixes
+12-Oct-2007: <a href="secadv/20071012.txt">Security Advisory</a>: Various security issues
+11-Oct-2007: OpenSSL 0.9.8f is now available, including security and bug fixes
+23-Feb-2007: OpenSSL 0.9.8e is now available, including important bugfixes
+23-Feb-2007: OpenSSL 0.9.7m is now available, including important bugfixes
+28-Sep-2006: <a href="secadv/20060928.txt">Security Advisory</a>: Various security issues
+28-Sep-2006: OpenSSL 0.9.8d is now available, including security fixes
+28-Sep-2006: OpenSSL 0.9.7l is now available, including security fixes
+05-Sep-2006: <a href="secadv/20060905.txt">Security Advisory</a>: RSA Signature Forgery
+05-Sep-2006: OpenSSL 0.9.8c is now available, including security fix
+05-Sep-2006: OpenSSL 0.9.7k is now available, including security fix
+04-May-2006: OpenSSL 0.9.8b is now available, including important bugfixes
+04-May-2006: OpenSSL 0.9.7j is now available, including important bugfixes
+15-oct-2005: OpenSSL 0.9.7i is now available, contains compatibility fix	
+11-oct-2005: <a href="secadv/20051011.txt">Security Advisory</a>: Potential SSL 2.0 rollback
+11-oct-2005: OpenSSL 0.9.8a is now available, including security fix
+11-oct-2005: OpenSSL 0.9.7h is now available, including security fix
+05-jul-2005: OpenSSL 0.9.8 is now available, a major release
+21-jun-2005: Beta 6 of OpenSSL 0.9.8 is now available, please test it now
+13-jun-2005: Beta 5 of OpenSSL 0.9.8 is now available, please test it now
+06-jun-2005: Beta 4 of OpenSSL 0.9.8 is now available, please test it now
+31-may-2005: Beta 3 of OpenSSL 0.9.8 is now available, please test it now
+24-may-2005: Beta 2 of OpenSSL 0.9.8 is now available, please test it now
+19-may-2005: Beta 1 of OpenSSL 0.9.8 is now available, please test it now
+11-apr-2005: OpenSSL 0.9.7g is now available, including important bugfixes
+22-mar-2005: OpenSSL 0.9.7f is now available, including important bugfixes
+25-oct-2004: OpenSSL 0.9.7e is now available, including important bugfixes
+17-mar-2004: <a href="secadv/20040317.txt">Security Advisory</a>: Denial of Service flaws in 0.9.6l and 0.9.7c
+17-mar-2004: OpenSSL 0.9.7d is now available, including important bugfixes
+17-mar-2004: OpenSSL 0.9.6m is now available, including security fix
+17-mar-2004: OpenSSL 0.9.6m [engine] is now available, including security fix
+04-nov-2003: OpenSSL 0.9.6l is now available, including security fix
+04-nov-2003: OpenSSL 0.9.6l [engine] is now available, including security fix
+04-nov-2003: <a href="secadv/20031104.txt">Security Advisory</a>: Denial of Service in ASN.1 parsing in 0.9.6k.
+30-sep-2003: OpenSSL 0.9.7c is now available, including important bugfixes
+30-sep-2003: OpenSSL 0.9.6k is now available, including important bugfixes
+30-sep-2003: OpenSSL 0.9.6k [engine] is now available, including important bugfixes
+30-sep-2003: <a href="secadv/20030930.txt">Security Advisory</a>: Vulnerabilities in ASN.1 parsing.
+10-apr-2003: OpenSSL 0.9.7b is now available, including important bugfixes
+10-apr-2003: OpenSSL 0.9.6j is now available, including important bugfixes
+10-apr-2003: OpenSSL 0.9.6j [engine] is now available, including important bugfixes
+19-Mar-2003: <a href="secadv/20030319.txt">Security Advisory</a>: Klima-Pokorny-Rosa attack.
+17-Mar-2003: <a href="secadv/20030317.txt">Security Advisory</a>: timing attacks, RSA blinding.
+19-feb-2003: OpenSSL 0.9.7a is now available, including important bugfixes
+19-feb-2003: OpenSSL 0.9.6i is now available, including important bugfixes
+19-feb-2003: OpenSSL 0.9.6i [engine] is now available, including important bugfixes
+19-feb-2003: <a href="secadv/20030219.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6i and 0.9.7a
+31-Dec-2002: OpenSSL 0.9.7 is now available, a major release
+17-dec-2002: Beta 6 of OpenSSL 0.9.7 is now available, please test it now
+5-dec-2002: Beta 5 of OpenSSL 0.9.7 is now available, please test it now
+5-dec-2002: OpenSSL 0.9.6h is now available, including important bugfixes
+5-dec-2002: OpenSSL 0.9.6h [engine] is now available, including important bugfixes
+19-Nov-2002: Beta 4 of OpenSSL 0.9.7 is now available, please test it now
+9-aug-2002: OpenSSL 0.9.6g is now available, including important bugfixes
+9-aug-2002: OpenSSL 0.9.6g [engine] is now available, including important bugfixes
+8-aug-2002: OpenSSL 0.9.6f is now available, including important bugfixes
+8-aug-2002: OpenSSL 0.9.6f [engine] is now available, including important bugfixes
+30-Jul-2002: OpenSSL 0.9.6e is now available, including important bugfixes
+30-Jul-2002: OpenSSL 0.9.6e [engine] is now available, including important bugfixes
+30-Jul-2002: <a href="secadv/20020730.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6e
+30-Jul-2002: Beta 3 of OpenSSL 0.9.7 is now available, please test it now
+16-jun-2002: Beta 2 of OpenSSL 0.9.7 is now available, please test it now
+01-jun-2002: Beta 1 of OpenSSL 0.9.7 is now available, please test it now
+9-may-2002: OpenSSL 0.9.6d is now available, a minor release
+9-may-2002: OpenSSL 0.9.6d [engine] is now available, a minor release
+17-apr-2002: Beta 1 of OpenSSL 0.9.6d is now available, please test it now
+17-apr-2002: Beta 1 of OpenSSL 0.9.6d [engine] is now available, please test it now
 13-Feb-2002: OpenSSL 0.9.7 is now in feature freeze.  A release plan will come later
-21-Dec-2001: OpenSSL 0.9.6c [engine] is now <a href="ROOT/source/">available</a>, a major release
-21-Dec-2001: OpenSSL 0.9.6c is now <a href="ROOT/source/">available</a>, a major release
-09-Jul-2001: OpenSSL 0.9.6b [engine] is now <a href="ROOT/source/">available</a>, a major release
-09-Jul-2001: OpenSSL 0.9.6b is now <a href="ROOT/source/">available</a>, a major release
-05-Apr-2001: OpenSSL 0.9.6a [engine] is now <a href="ROOT/source/">available</a>, a major release
-05-Apr-2001: OpenSSL 0.9.6a is now <a href="ROOT/source/">available</a>, a major release
-30-Mar-2001: Beta 3 of OpenSSL 0.9.6a is now <a href="ROOT/source/">available</a>, please test it now
-30-Mar-2001: Beta 3 of OpenSSL 0.9.6a [engine] is now <a href="ROOT/source/">available</a>, please test it now
-21-Mar-2001: Beta 2 of OpenSSL 0.9.6a is now <a href="ROOT/source/">available</a>, please test it now
-21-Mar-2001: Beta 2 of OpenSSL 0.9.6a [engine] is now <a href="ROOT/source/">available</a>, please test it now
-13-Mar-2001: Beta 1 of OpenSSL 0.9.6a is now <a href="ROOT/source/">available</a>, please test it now
-13-Mar-2001: Beta 1 of OpenSSL 0.9.6a [engine] is now <a href="ROOT/source/">available</a>, please test it now
-04-Nov-2000: New <a href="ROOT/about/">development team member</a>: Lutz J&auml;nicke
-24-Sep-2000: OpenSSL 0.9.6 is now <a href="ROOT/source/">available</a>, a major release
-21-Sep-2000: Beta 3 of OpenSSL 0.9.6 is now <a href="ROOT/source/">available</a>, please test it now
-21-Sep-2000: Beta 3 of OpenSSL 0.9.6 [engine] is now <a href="ROOT/source/">available</a>, please test it now
-17-Sep-2000: Beta 2 of OpenSSL 0.9.6 is now <a href="ROOT/source/">available</a>, please test it now
-17-Sep-2000: Beta 2 of OpenSSL 0.9.6 [engine] is now <a href="ROOT/source/">available</a>, please test it now
-11-Sep-2000: Beta 1 of OpenSSL 0.9.6 is now <a href="ROOT/source/">available</a>, please test it now
-11-Sep-2000: Beta 1 of OpenSSL 0.9.6 [engine] is now <a href="ROOT/source/">available</a>, please test it now
-09-Sep-2000: A release plan for OpenSSL 0.9.6 is now <a href="ROOT/news/state.html">available</a>
-01-Apr-2000: OpenSSL 0.9.5a is now <a href="ROOT/source/">available</a>, a bugfix release
-23-Mar-2000: Beta 2 of OpenSSL 0.9.5a is now <a href="ROOT/source/">available</a>, please test it now
-20-Mar-2000: Beta 1 of OpenSSL 0.9.5a is now <a href="ROOT/source/">available</a>, please test it now
-29-Feb-2000: FAQ: <a href="ROOT/support/faq.html#6">Why do I get a "PRNG not seeded" error message?</a>
-28-Feb-2000: OpenSSL 0.9.5 is now <a href="ROOT/source/">available</a>, a major release
-27-Feb-2000: Beta 2 of OpenSSL 0.9.5 is now <a href="ROOT/source/">available</a>, please test it now
-24-Feb-2000: New <a href="ROOT/about/">development team member</a>: Geoff Thorpe
-24-Feb-2000: Beta 1 of OpenSSL 0.9.5 is now <a href="ROOT/source/">available</a>, please test it now
-11-Nov-1999: New <a href="ROOT/about/">development team member</a>: Richard Levitte
-09-Aug-1999: OpenSSL 0.9.4 is now <a href="ROOT/source/">available</a>, a major release
-15-Jul-1999: New <a href="ROOT/about/">development team member</a>: Andy Polyakov
-29-May-1999: OpenSSL 0.9.3a is now <a href="ROOT/source/">available</a>, a minor bugfix release
-25-May-1999: <a href="ROOT/news/">OpenSSL 0.9.3</a> is now <a href="ROOT/source/">available</a>
-10-May-1999: Test <a href="ftp://ftp.openssl.org/snapshot/">snapshots</a> now to make OpenSSL 0.9.3 a success!
-06-Apr-1999: RSAref-related <a href="ROOT/source/openssl-0.9.2b-rsaoaep.patch">patch</a> for OpenSSL 0.9.2b available
-29-Mar-1999: New <a href="ROOT/about/">development team members</a>: Ulf, Bodo and Holger.
-22-Mar-1999: Long-awaited <a href="ROOT/news/">OpenSSL 0.9.2b</a> now <a href="ROOT/source/">available</a>
-04-Mar-1999: Important <a href="ROOT/source/openssl-0.9.1c-bnrec.patch">patch</a> for OpenSSL 0.9.1c available
-28-Feb-1999: Added: <a href="ROOT/source/mirror.html">How To</a> establish an FTP mirror
-20-Feb-1999: Daily <a href="ftp://ftp.openssl.org/snapshot/">snapshot tarballs</a> now available
-15-Feb-1999: New: <a href="ROOT/support/">archives</a> of our mailing lists
-10-Feb-1999: <a href="ROOT/support/">Web form</a> for subscribing to our mailing lists
-02-Feb-1999: Added list of <a href="ROOT/related/apps.html">OpenSSL Applications</a>
-16-Jan-1999: The first <a href="ROOT/source/">FTP Mirrors</a> are available
-31-Dec-1998: New: Browsing <a href="ROOT/source/cvs/">interface</a> to the CVS repository
-29-Dec-1998: Designed the new <a href="http://www.openssl.org/">www.openssl.org</a> website
-27-Dec-1998: Established the OpenSSL <a href="ROOT/support/">mailing lists</a>
-26-Dec-1998: Established the <a href="ROOT/source/repos.html">CVS Repository</a> environment
-23-Dec-1998: Released OpenSSL <a href="ROOT/source/openssl-0.9.1c.tar.gz">0.9.1c</a>
+21-Dec-2001: OpenSSL 0.9.6c [engine] is now available, a major release
+21-Dec-2001: OpenSSL 0.9.6c is now available, a major release
+09-Jul-2001: OpenSSL 0.9.6b [engine] is now available, a major release
+09-Jul-2001: OpenSSL 0.9.6b is now available, a major release
+05-Apr-2001: OpenSSL 0.9.6a [engine] is now available, a major release
+05-Apr-2001: OpenSSL 0.9.6a is now available, a major release
+30-Mar-2001: Beta 3 of OpenSSL 0.9.6a is now available, please test it now
+30-Mar-2001: Beta 3 of OpenSSL 0.9.6a [engine] is now available, please test it now
+21-Mar-2001: Beta 2 of OpenSSL 0.9.6a is now available, please test it now
+21-Mar-2001: Beta 2 of OpenSSL 0.9.6a [engine] is now available, please test it now
+13-Mar-2001: Beta 1 of OpenSSL 0.9.6a is now available, please test it now
+13-Mar-2001: Beta 1 of OpenSSL 0.9.6a [engine] is now available, please test it now
+04-Nov-2000: New development team member: Lutz J&auml;nicke
+24-Sep-2000: OpenSSL 0.9.6 is now available, a major release
+21-Sep-2000: Beta 3 of OpenSSL 0.9.6 is now available, please test it now
+21-Sep-2000: Beta 3 of OpenSSL 0.9.6 [engine] is now available, please test it now
+17-Sep-2000: Beta 2 of OpenSSL 0.9.6 is now available, please test it now
+17-Sep-2000: Beta 2 of OpenSSL 0.9.6 [engine] is now available, please test it now
+11-Sep-2000: Beta 1 of OpenSSL 0.9.6 is now available, please test it now
+11-Sep-2000: Beta 1 of OpenSSL 0.9.6 [engine] is now available, please test it now
+09-Sep-2000: A release plan for OpenSSL 0.9.6 is now available
+01-Apr-2000: OpenSSL 0.9.5a is now available, a bugfix release
+23-Mar-2000: Beta 2 of OpenSSL 0.9.5a is now available, please test it now
+20-Mar-2000: Beta 1 of OpenSSL 0.9.5a is now available, please test it now
+29-Feb-2000: FAQ: Why do I get a "PRNG not seeded" error message?
+28-Feb-2000: OpenSSL 0.9.5 is now available, a major release
+27-Feb-2000: Beta 2 of OpenSSL 0.9.5 is now available, please test it now
+24-Feb-2000: New development team member: Geoff Thorpe
+24-Feb-2000: Beta 1 of OpenSSL 0.9.5 is now available, please test it now
+11-Nov-1999: New development team member: Richard Levitte
+09-Aug-1999: OpenSSL 0.9.4 is now available, a major release
+15-Jul-1999: New development team member: Andy Polyakov
+29-May-1999: OpenSSL 0.9.3a is now available, a minor bugfix release
+25-May-1999: OpenSSL 0.9.3 is now available
+10-May-1999: Test snapshots now to make OpenSSL 0.9.3 a success!
+06-Apr-1999: RSAref-related patch for OpenSSL 0.9.2b available
+29-Mar-1999: New development team members: Ulf, Bodo and Holger.
+22-Mar-1999: Long-awaited OpenSSL 0.9.2b now available
+04-Mar-1999: Important patch for OpenSSL 0.9.1c available
+28-Feb-1999: Added: How To establish an FTP mirror
+20-Feb-1999: Daily snapshot tarballs now available
+15-Feb-1999: New: archives of our mailing lists
+10-Feb-1999: Web form for subscribing to our mailing lists
+02-Feb-1999: Added list of OpenSSL Applications
+16-Jan-1999: The first FTP Mirrors are available
+31-Dec-1998: New: Browsing interface to the CVS repository
+29-Dec-1998: Designed the new www.openssl.org website
+27-Dec-1998: Established the OpenSSL mailing lists
+26-Dec-1998: Established the CVS Repository environment
+23-Dec-1998: Released OpenSSL 0.9.1c
 23-Dec-1998: Official start of the OpenSSL project
diff --git a/news/newslog.html b/news/newslog.html
new file mode 100644
index 0000000..942c80e
--- /dev/null
+++ b/news/newslog.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Newslog</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    Here is a terse log of all OpenSSL announcements.
+	    They are almost release notices.
+	    </p>
+	    <table class="newsflash" width="90%">
+	      <!--#include virtual="newsflash.inc"-->
+	    </table>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">News</a>
+	    : <a href="">Newslog</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/news/notice_20120425.txt b/news/notice_20120425.txt
deleted file mode 100644
index 08043dc..0000000
--- a/news/notice_20120425.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Since the release of OpenSSL 1.0.1a a couple of significant problems have
-become apparent.
-
-1. Compilation on non x86 and x86_64 platforms fails in the file
-   e_rc4_hmac_md5.c
-
-2. Attempts to use ciphers in FIPS capable builds outside FIPS mode fails.
-
-A release of OpenSSL 1.0.1b will be made in the near future to address this
-and any other reported problems.
-
-Anyone not wishing to wait should use the most recent 1.0.1-stable snapshot
-from ftp://ftp.openssl.org/snapshot/
-
diff --git a/news/openssl-0.9.8-notes.wml b/news/openssl-0.9.8-notes.wml
deleted file mode 100644
index 023e900..0000000
--- a/news/openssl-0.9.8-notes.wml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-#use wml::openssl area=news page=openssl-0.9.8-notes
-<notes>
-
diff --git a/news/openssl-1.0.0-notes.wml b/news/openssl-1.0.0-notes.wml
deleted file mode 100644
index b5a713a..0000000
--- a/news/openssl-1.0.0-notes.wml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-#use wml::openssl area=news page=openssl-1.0.0-notes
-<notes>
-
diff --git a/news/openssl-1.0.1-notes.wml b/news/openssl-1.0.1-notes.wml
deleted file mode 100644
index 3cf610d..0000000
--- a/news/openssl-1.0.1-notes.wml
+++ /dev/null
@@ -1,5 +0,0 @@
-
-#use wml::openssl area=news page=openssl-1.0.1-notes
-
-<notes>
-
diff --git a/news/openssl-1.0.2-notes.wml b/news/openssl-1.0.2-notes.wml
deleted file mode 100644
index 8ee9568..0000000
--- a/news/openssl-1.0.2-notes.wml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-#use wml::openssl area=news page=openssl-1.0.2-notes
-
-<notes>
diff --git a/news/openssl-notes.wml b/news/openssl-notes.wml
deleted file mode 100644
index 9452174..0000000
--- a/news/openssl-notes.wml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-#use wml::openssl area=news page=openssl-notes
-
-<title>OpenSSL Release Notes</title>
-
-<h1>OpenSSL Release Notes</h1>
-
-The major changes for all branches of the OpenSSL toolkit are summarised below. The contents reflect the state of the <tt>NEWS</tt> file inside the git
-repository.
-
-<p>
-Additional details of changes can be found in the
-<a href="https://github.com/openssl/openssl/blob/master/CHANGES">
-change log.</a>.
-<p>
-The complete list of changes can be found in the
-<a href="https://github.com/openssl/openssl/commits/master">commit log</a>.
-<p>
-
-<notes minversion="" maxversion="X" dirname="openssl">
diff --git a/news/openssl-old-notes.wml b/news/openssl-old-notes.wml
deleted file mode 100644
index 9c2f238..0000000
--- a/news/openssl-old-notes.wml
+++ /dev/null
@@ -1,25 +0,0 @@
-
-#use wml::openssl area=news page=openssl-old-notes
-
-<title>OpenSSL Release Notes</title>
-
-<h1>OpenSSL Old Branch Release notes</h1>
-
-The major changes in the 0.9.7 and earlier branches of the OpenSSL
-toolkit are summarised below. The contents reflect the state of the
-<tt>NEWS</tt> file inside the git repository. <b>Note:</b> these branches
-are considered obsolete and are no longer maintained.
-<p>
-Additional details of changes to OpenSSL 0.9.7 and earlier can be found in the
-<a href="https://github.com/openssl/openssl/blob/OpenSSL_0_9_7-stable/CHANGES">
-change log</a>.
-<p>
-
-A complete list of changes to OpenSSL 0.9.7 and earlier can be found in the
-<a href="https://github.com/openssl/openssl/commits/OpenSSL_0_9_7-stable">
-commit log</a>.
-<p>
-
-
-<notes minversion="" maxversion="0.9.7" dirname="openssl-0.9.8-stable">
-
diff --git a/news/patch-CAN-2005-2969.txt b/news/patch-CAN-2005-2969.txt
deleted file mode 100644
index 65dc393..0000000
--- a/news/patch-CAN-2005-2969.txt
+++ /dev/null
@@ -1,13 +0,0 @@
---- ssl/s23_srvr.c	25 Sep 2002 15:36:09 -0000	1.32.2.5
-+++ ssl/s23_srvr.c	11 Oct 2005 00:00:00 -0000
-@@ -575,9 +575,7 @@
- 			}
- 
- 		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
--		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
--			use_sslv2_strong ||
--			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
-+		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
- 			s->s2->ssl2_rollback=0;
- 		else
- 			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
diff --git a/news/patch-CVE-2006-4339.txt b/news/patch-CVE-2006-4339.txt
deleted file mode 100644
index 203d1c5..0000000
--- a/news/patch-CVE-2006-4339.txt
+++ /dev/null
@@ -1,53 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-
-http://www.openssl.org/news/secadv_20060905.txt
-
-(This patch was updated Tue Sep  5 15:54:30 UTC 2006 to also work
-against 0.9.6)
-
-(This patch was updated Wed Sep 6 08:37:55 UTC 2006 to remove the
-changes to rsa_eay.c/rsa.h/rsa_err.c which were not necessary to
-correct this vulnerability)
-
-Index: crypto/rsa/rsa_sign.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_sign.c,v
-retrieving revision 1.21
-diff -u -r1.21 rsa_sign.c
-- - - --- crypto/rsa/rsa_sign.c	26 Apr 2005 22:07:17 -0000	1.21
-+++ crypto/rsa/rsa_sign.c	4 Sep 2006 15:16:57 -0000
-@@ -185,6 +185,23 @@
- 		sig=d2i_X509_SIG(NULL,&p,(long)i);
- 
- 		if (sig == NULL) goto err;
-+
-+		/* Excess data can be used to create forgeries */
-+		if(p != s+i)
-+			{
-+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
-+			goto err;
-+			}
-+
-+		/* Parameters to the signature algorithm can also be used to
-+		   create forgeries */
-+		if(sig->algor->parameter
-+		   && sig->algor->parameter->type != V_ASN1_NULL)
-+			{
-+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
-+			goto err;
-+			}
-+
- 		sigtype=OBJ_obj2nid(sig->algor->algorithm);
- 
-
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.2.2 (GNU/Linux)
-
-iQCVAwUBRP6JWe6tTP1JpWPZAQLssAP+LZH3morviQ2DEN7yWRpVuCsP31850Ma7
-9OjH1wEkAbA3rX2XmDxYFd6dJBanksgdXUqLHlm8w8Q9aA+FKPmyFSaQ74N7nHgE
-iDGws5w1PE1U/sigQvz9FoY5DgCU0l/L+MOoj+UaIiueafLCgO4VpwB1EftXymsS
-eCQDyyI37rE=
-=MXpR
------END PGP SIGNATURE-----
diff --git a/news/patch-CVE-2007-3108.txt b/news/patch-CVE-2007-3108.txt
deleted file mode 100644
index abf0196..0000000
--- a/news/patch-CVE-2007-3108.txt
+++ /dev/null
@@ -1,126 +0,0 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-- --- openssl-0.9.8e/crypto/bn/bn_mont.c	2006-06-16 03:01:14.000000000 +0200
-+++ openssl-0.9.8-cvs/crypto/bn/bn_mont.c	2007-06-29 10:13:25.000000000 +0200
-@@ -176,7 +176,6 @@
- 
- 	max=(nl+al+1); /* allow for overflow (no?) XXX */
- 	if (bn_wexpand(r,max) == NULL) goto err;
-- -	if (bn_wexpand(ret,max) == NULL) goto err;
- 
- 	r->neg=a->neg^n->neg;
- 	np=n->d;
-@@ -228,19 +227,70 @@
- 		}
- 	bn_correct_top(r);
- 	
-- -	/* mont->ri will be a multiple of the word size */
-- -#if 0
-- -	BN_rshift(ret,r,mont->ri);
-- -#else
-- -	ret->neg = r->neg;
-- -	x=ri;
-+	/* mont->ri will be a multiple of the word size and below code
-+	 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
-+	if (r->top <= ri)
-+		{
-+		ret->top=0;
-+		retn=1;
-+		goto err;
-+		}
-+	al=r->top-ri;
-+
-+# define BRANCH_FREE 1
-+# if BRANCH_FREE
-+	if (bn_wexpand(ret,ri) == NULL) goto err;
-+	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
-+	ret->top=x=(ri&~x)|(al&x);	/* min(ri,al) */
-+	ret->neg=r->neg;
-+
- 	rp=ret->d;
-- -	ap= &(r->d[x]);
-- -	if (r->top < x)
-- -		al=0;
-- -	else
-- -		al=r->top-x;
-+	ap=&(r->d[ri]);
-+
-+	{
-+	size_t m1,m2;
-+
-+	v=bn_sub_words(rp,ap,np,ri);
-+	/* this ----------------^^ works even in al<ri case
-+	 * thanks to zealous zeroing of top of the vector in the
-+	 * beginning. */
-+
-+	/* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
-+	/* in other words if subtraction result is real, then
-+	 * trick unconditional memcpy below to perform in-place
-+	 * "refresh" instead of actual copy. */
-+	m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);	/* al<ri */
-+	m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);	/* al>ri */
-+	m1|=m2;			/* (al!=ri) */
-+	m1|=(0-(size_t)v);	/* (al!=ri || v) */
-+	m1&=~m2;		/* (al!=ri || v) && !al>ri */
-+	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
-+	}
-+
-+	/* 'i<ri' is chosen to eliminate dependency on input data, even
-+	 * though it results in redundant copy in al<ri case. */
-+	for (i=0,ri-=4; i<ri; i+=4)
-+		{
-+		BN_ULONG t1,t2,t3,t4;
-+		
-+		t1=nrp[i+0];
-+		t2=nrp[i+1];
-+		t3=nrp[i+2];	ap[i+0]=0;
-+		t4=nrp[i+3];	ap[i+1]=0;
-+		rp[i+0]=t1;	ap[i+2]=0;
-+		rp[i+1]=t2;	ap[i+3]=0;
-+		rp[i+2]=t3;
-+		rp[i+3]=t4;
-+		}
-+	for (ri+=4; i<ri; i++)
-+		rp[i]=nrp[i], ap[i]=0;
-+# else
-+	if (bn_wexpand(ret,al) == NULL) goto err;
- 	ret->top=al;
-+	ret->neg=r->neg;
-+
-+	rp=ret->d;
-+	ap=&(r->d[ri]);
- 	al-=4;
- 	for (i=0; i<al; i+=4)
- 		{
-@@ -258,7 +308,7 @@
- 	al+=4;
- 	for (; i<al; i++)
- 		rp[i]=ap[i];
-- -#endif
-+# endif
- #else /* !MONT_WORD */ 
- 	BIGNUM *t1,*t2;
- 
-@@ -278,10 +328,12 @@
- 	if (!BN_rshift(ret,t2,mont->ri)) goto err;
- #endif /* MONT_WORD */
- 
-+#if !defined(BRANCH_FREE) || BRANCH_FREE==0
- 	if (BN_ucmp(ret, &(mont->N)) >= 0)
- 		{
- 		if (!BN_usub(ret,ret,&(mont->N))) goto err;
- 		}
-+#endif
- 	retn=1;
- 	bn_check_top(ret);
-  err:
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.5 (GNU/Linux)
-
-iQCVAwUBRrGk++6tTP1JpWPZAQJbjwP/W/6mROtxOVU1gvvq/uFHCytNWHVaJfKA
-7zh+v4OPQEIYekIBkEpNFgTJbHcyIZoyDNnwOetkRXvI4LDqvV1V5/pA5bzrKqDj
-zv7Hj8R7DGqG8ad0Esf3l7SqqirI3curkIzm5/cALJBJxz/Pp7qyXNzzQgp55UPz
-iBDdynBpa+s=
-=aquq
------END PGP SIGNATURE-----
diff --git a/news/patch-CVE-2007-5502-1.txt b/news/patch-CVE-2007-5502-1.txt
deleted file mode 100644
index d7fcfe5..0000000
--- a/news/patch-CVE-2007-5502-1.txt
+++ /dev/null
@@ -1,20 +0,0 @@
---- fips-1.0/rand/@fips_rand.c	2007-11-01 17:12:07.000000000 -0400
-+++ fips-1.0/rand/fips_rand.c	2007-11-01 17:18:04.000000000 -0400
-@@ -205,6 +205,7 @@
-     n_seed=0;
-     o_seed=0;
-     key_init=0;
-+    key_set=0;
-     }
- 
- void FIPS_rand_seed(const void *buf_, FIPS_RAND_SIZE_T num)
---- fips-1.0/rand/@fips_rand_selftest.c	2007-11-01 17:16:41.000000000 -0400
-+++ fips-1.0/rand/fips_rand_selftest.c	2007-11-01 17:17:07.000000000 -0400
-@@ -114,6 +114,7 @@
- 	    }
- 	}
-     FIPS_test_mode(0,NULL);
-+    FIPS_rand_method()->cleanup();
-     return 1;
-     }
- 
diff --git a/news/patch-CVE-2007-5502-2.txt b/news/patch-CVE-2007-5502-2.txt
deleted file mode 100644
index f80290b..0000000
--- a/news/patch-CVE-2007-5502-2.txt
+++ /dev/null
@@ -1,29 +0,0 @@
---- fips-1.0/@fips.c	2007-11-29 07:09:47.000000000 -0500
-+++ fips-1.0/fips.c	2007-11-29 07:10:37.000000000 -0500
-@@ -265,18 +265,16 @@
- 	    goto end;
- 	    }
- 
--	/* automagically seed PRNG if not already seeded */
--	if(!FIPS_rand_seeded())
-+	/* Always automagically seed PRNG */
-+	FIPS_rand_method()->cleanup();
-+	if(RAND_bytes(buf,sizeof buf) <= 0)
- 	    {
--	    if(RAND_bytes(buf,sizeof buf) <= 0)
--		{
--		fips_selftest_fail = 1;
--		ret = 0;
--		goto end;
--		}
--	    FIPS_set_prng_key(buf,buf+8);
--	    FIPS_rand_seed(buf+16,8);
-+	    fips_selftest_fail = 1;
-+	    ret = 0;
-+	    goto end;
- 	    }
-+	FIPS_set_prng_key(buf,buf+8);
-+	FIPS_rand_seed(buf+16,8);
- 
- 	/* now switch into FIPS mode */
- 	fips_set_rand_check(FIPS_rand_method());
diff --git a/news/patch_20020730_0_9_6d.txt b/news/patch_20020730_0_9_6d.txt
deleted file mode 100644
index 39db0ed..0000000
--- a/news/patch_20020730_0_9_6d.txt
+++ /dev/null
@@ -1,518 +0,0 @@
-Index: CHANGES
-===================================================================
-RCS file: /e/openssl/cvs/openssl/CHANGES,v
-retrieving revision 1.618.2.158
-diff -u -r1.618.2.158 CHANGES
---- CHANGES	2002/05/09 22:40:31	1.618.2.158
-+++ CHANGES	2002/07/30 09:14:15
-@@ -2,6 +2,35 @@
-  OpenSSL CHANGES
-  _______________
- 
-+ Changes in security patch
-+
-+Changes marked "(CHATS)" were sponsored by the Defense Advanced
-+Research Projects Agency (DARPA) and Air Force Research Laboratory,
-+Air Force Materiel Command, USAF, under agreement number
-+F30602-01-2-0537.
-+
-+  *) Add various sanity checks to asn1_get_length() to reject
-+     the ASN1 length bytes if they exceed sizeof(long), will appear
-+     negative or the content length exceeds the length of the
-+     supplied buffer. (CAN-2002-0659)
-+     [Steve Henson, Adi Stav <stav at mercury.co.il>, James Yonan <jim at ntlp.com>]
-+
-+  *) Assertions for various potential buffer overflows, not known to
-+     happen in practice.
-+     [Ben Laurie (CHATS)]
-+
-+  *) Various temporary buffers to hold ASCII versions of integers were
-+     too small for 64 bit platforms. (CAN-2002-0655)
-+     [Matthew Byng-Maddick <mbm at aldigital.co.uk> and Ben Laurie (CHATS)>
-+
-+  *) Remote buffer overflow in SSL3 protocol - an attacker could
-+     supply an oversized session ID to a client. (CAN-2002-0656)
-+     [Ben Laurie (CHATS)]
-+
-+  *) Remote buffer overflow in SSL2 protocol - an attacker could
-+     supply an oversized client master key. (CAN-2002-0656)
-+     [Ben Laurie (CHATS)]
-+
-  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
- 
-   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
-Index: crypto/cryptlib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.c,v
-retrieving revision 1.20.2.4
-diff -u -r1.20.2.4 cryptlib.c
---- crypto/cryptlib.c	2001/11/23 20:57:59	1.20.2.4
-+++ crypto/cryptlib.c	2002/07/30 09:14:15
-@@ -491,3 +491,11 @@
- #endif
- 
- #endif
-+
-+void OpenSSLDie(const char *file,int line,const char *assertion)
-+    {
-+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
-+	    file,line,assertion);
-+    abort();
-+    }
-+
-Index: crypto/cryptlib.h
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.h,v
-retrieving revision 1.8
-diff -u -r1.8 cryptlib.h
---- crypto/cryptlib.h	2000/05/02 12:35:04	1.8
-+++ crypto/cryptlib.h	2002/07/30 09:14:16
-@@ -89,6 +89,14 @@
- #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
- #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
- 
-+/* size of string represenations */
-+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
-+#define HEX_SIZE(type)         ((sizeof(type)*2)
-+
-+/* die if we have to */
-+void OpenSSLDie(const char *file,int line,const char *assertion);
-+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
-+
- #ifdef  __cplusplus
- }
- #endif
-Index: crypto/asn1/asn1_lib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/asn1/asn1_lib.c,v
-retrieving revision 1.19.2.1
-diff -u -r1.19.2.1 asn1_lib.c
---- crypto/asn1/asn1_lib.c	2001/03/30 13:42:32	1.19.2.1
-+++ crypto/asn1/asn1_lib.c	2002/08/02 00:00:00
-@@ -124,15 +124,13 @@
- 		(int)(omax+ *pp));
- 
- #endif
--#if 0
--	if ((p+ *plength) > (omax+ *pp))
-+	if (*plength > (omax - (p - *pp)))
- 		{
- 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
- 		/* Set this so that even if things are not long enough
- 		 * the values are set correctly */
- 		ret|=0x80;
- 		}
--#endif
- 	*pp=p;
- 	return(ret|inf);
- err:
-@@ -159,6 +157,8 @@
- 		i= *p&0x7f;
- 		if (*(p++) & 0x80)
- 			{
-+			if (i > sizeof(long))
-+				return 0;
- 			if (max-- == 0) return(0);
- 			while (i-- > 0)
- 				{
-@@ -170,6 +170,8 @@
- 		else
- 			ret=i;
- 		}
-+	if (ret < 0)
-+		return 0;
- 	*pp=p;
- 	*rl=ret;
- 	return(1);
-@@ -407,7 +409,7 @@
- 
- void asn1_add_error(unsigned char *address, int offset)
- 	{
--	char buf1[16],buf2[16];
-+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
- 
- 	sprintf(buf1,"%lu",(unsigned long)address);
- 	sprintf(buf2,"%d",offset);
-Index: crypto/conf/conf_def.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/conf/conf_def.c,v
-retrieving revision 1.3
-diff -u -r1.3 conf_def.c
---- crypto/conf/conf_def.c	2000/06/06 15:21:12	1.3
-+++ crypto/conf/conf_def.c	2002/07/30 09:14:18
-@@ -67,6 +67,7 @@
- #include "conf_def.h"
- #include <openssl/buffer.h>
- #include <openssl/err.h>
-+#include "cryptlib.h"
- 
- static char *eat_ws(CONF *conf, char *p);
- static char *eat_alpha_numeric(CONF *conf, char *p);
-@@ -180,12 +181,12 @@
- static int def_load(CONF *conf, BIO *in, long *line)
- 	{
- #define BUFSIZE	512
--	char btmp[16];
- 	int bufnum=0,i,ii;
- 	BUF_MEM *buff=NULL;
- 	char *s,*p,*end;
- 	int again,n;
- 	long eline=0;
-+	char btmp[DECIMAL_SIZE(eline)+1];
- 	CONF_VALUE *v=NULL,*tv;
- 	CONF_VALUE *sv=NULL;
- 	char *section=NULL,*buf;
-Index: crypto/objects/obj_dat.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/objects/obj_dat.c,v
-retrieving revision 1.16.2.2
-diff -u -r1.16.2.2 obj_dat.c
---- crypto/objects/obj_dat.c	2002/04/18 11:52:28	1.16.2.2
-+++ crypto/objects/obj_dat.c	2002/07/30 09:14:19
-@@ -428,7 +428,7 @@
- 	unsigned long l;
- 	unsigned char *p;
- 	const char *s;
--	char tbuf[32];
-+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
- 
- 	if (buf_len <= 0) return(0);
- 
-Index: ssl/s2_clnt.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s2_clnt.c,v
-retrieving revision 1.27.2.4
-diff -u -r1.27.2.4 s2_clnt.c
---- ssl/s2_clnt.c	2001/11/10 10:43:51	1.27.2.4
-+++ ssl/s2_clnt.c	2002/07/30 09:14:25
-@@ -116,6 +116,7 @@
- #include <openssl/buffer.h>
- #include <openssl/objects.h>
- #include <openssl/evp.h>
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl2_get_client_method(int ver);
- static int get_server_finished(SSL *s);
-@@ -517,6 +518,7 @@
- 		}
- 		
- 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
-+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
- 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
- 	return(1);
- 	}
-@@ -618,6 +620,7 @@
- 		/* make key_arg data */
- 		i=EVP_CIPHER_iv_length(c);
- 		sess->key_arg_length=i;
-+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
- 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
- 
- 		/* make a master key */
-@@ -625,6 +628,7 @@
- 		sess->master_key_length=i;
- 		if (i > 0)
- 			{
-+			die(i <= sizeof sess->master_key);
- 			if (RAND_bytes(sess->master_key,i) <= 0)
- 				{
- 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-@@ -668,6 +672,7 @@
- 		d+=enc;
- 		karg=sess->key_arg_length;	
- 		s2n(karg,p); /* key arg size */
-+		die(karg <= sizeof sess->key_arg);
- 		memcpy(d,sess->key_arg,(unsigned int)karg);
- 		d+=karg;
- 
-@@ -688,6 +693,7 @@
- 		{
- 		p=(unsigned char *)s->init_buf->data;
- 		*(p++)=SSL2_MT_CLIENT_FINISHED;
-+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
- 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
- 
- 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
-@@ -944,6 +950,8 @@
- 		{
- 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
- 			{
-+			die(s->session->session_id_length
-+			    <= sizeof s->session->session_id);
- 			if (memcmp(buf,s->session->session_id,
- 				(unsigned int)s->session->session_id_length) != 0)
- 				{
-Index: ssl/s2_lib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s2_lib.c,v
-retrieving revision 1.29.2.2
-diff -u -r1.29.2.2 s2_lib.c
---- ssl/s2_lib.c	2000/12/26 12:06:47	1.29.2.2
-+++ ssl/s2_lib.c	2002/07/30 09:14:25
-@@ -62,6 +62,7 @@
- #include <openssl/rsa.h>
- #include <openssl/objects.h>
- #include <openssl/md5.h>
-+#include "cryptlib.h"
- 
- static long ssl2_default_timeout(void );
- const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
-@@ -425,10 +426,14 @@
- #endif
- 
- 	km=s->s2->key_material;
-+ 	die(s->s2->key_material_length <= sizeof s->s2->key_material);
- 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
- 		{
- 		MD5_Init(&ctx);
- 
-+ 		die(s->session->master_key_length >= 0
-+ 		    && s->session->master_key_length
-+ 		    < sizeof s->session->master_key);
- 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
- 		MD5_Update(&ctx,&c,1);
- 		c++;
-@@ -463,6 +468,7 @@
- /*	state=s->rwstate;*/
- 	error=s->error;
- 	s->error=0;
-+	die(error >= 0 && error <= 3);
- 	i=ssl2_write(s,&(buf[3-error]),error);
- /*	if (i == error) s->rwstate=state; */
- 
-Index: ssl/s2_srvr.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s2_srvr.c,v
-retrieving revision 1.25.2.5
-diff -u -r1.25.2.5 s2_srvr.c
---- ssl/s2_srvr.c	2001/11/14 21:19:47	1.25.2.5
-+++ ssl/s2_srvr.c	2002/07/30 09:14:26
-@@ -116,6 +116,7 @@
- #include <openssl/rand.h>
- #include <openssl/objects.h>
- #include <openssl/evp.h>
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl2_get_server_method(int ver);
- static int get_client_master_key(SSL *s);
-@@ -417,11 +418,18 @@
- 		n2s(p,i); s->s2->tmp.clear=i;
- 		n2s(p,i); s->s2->tmp.enc=i;
- 		n2s(p,i); s->session->key_arg_length=i;
-+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
-+			{
-+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
-+				   SSL_R_KEY_ARG_TOO_LONG);
-+			return -1;
-+			}
- 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
- 		}
- 
- 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
- 	p=(unsigned char *)s->init_buf->data;
-+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
- 	keya=s->session->key_arg_length;
- 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
- 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-@@ -502,6 +510,7 @@
- #endif
- 
- 	if (is_export) i+=s->s2->tmp.clear;
-+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
- 	s->session->master_key_length=i;
- 	memcpy(s->session->master_key,p,(unsigned int)i);
- 	return(1);
-@@ -649,6 +658,7 @@
- 	p+=s->s2->tmp.session_id_length;
- 
- 	/* challenge */
-+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
- 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
- 	return(1);
- mem_err:
-@@ -800,6 +810,7 @@
- 		}
- 
- 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
-+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
- 	len = 1 + (unsigned long)s->s2->conn_id_length;
- 	n = (int)len - s->init_num;
- 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
-@@ -825,6 +836,7 @@
- 		{
- 		p=(unsigned char *)s->init_buf->data;
- 		*(p++)=SSL2_MT_SERVER_VERIFY;
-+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
- 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
- 		/* p+=s->s2->challenge_length; */
- 
-@@ -844,6 +856,8 @@
- 		p=(unsigned char *)s->init_buf->data;
- 		*(p++)=SSL2_MT_SERVER_FINISHED;
- 
-+		die(s->session->session_id_length
-+		    <= sizeof s->session->session_id);
- 		memcpy(p,s->session->session_id,
- 			(unsigned int)s->session->session_id_length);
- 		/* p+=s->session->session_id_length; */
-Index: ssl/s3_clnt.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
-retrieving revision 1.31.2.6
-diff -u -r1.31.2.6 s3_clnt.c
---- ssl/s3_clnt.c	2002/01/14 23:42:35	1.31.2.6
-+++ ssl/s3_clnt.c	2002/07/30 09:14:27
-@@ -117,6 +117,7 @@
- #include <openssl/sha.h>
- #include <openssl/evp.h>
- #include "ssl_locl.h"
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl3_get_client_method(int ver);
- static int ssl3_client_hello(SSL *s);
-@@ -545,6 +546,7 @@
- 		*(p++)=i;
- 		if (i != 0)
- 			{
-+			die(i <= sizeof s->session->session_id);
- 			memcpy(p,s->session->session_id,i);
- 			p+=i;
- 			}
-@@ -625,6 +627,14 @@
- 
- 	/* get the session-id */
- 	j= *(p++);
-+
-+       if(j > sizeof s->session->session_id)
-+               {
-+               al=SSL_AD_ILLEGAL_PARAMETER;
-+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-+               goto f_err;
-+               }
- 
- 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
- 		{
-Index: ssl/s3_srvr.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s3_srvr.c,v
-retrieving revision 1.49.2.14
-diff -u -r1.49.2.14 s3_srvr.c
---- ssl/s3_srvr.c	2002/04/13 22:49:26	1.49.2.14
-+++ ssl/s3_srvr.c	2002/07/30 09:14:28
-@@ -122,6 +122,7 @@
- #include <openssl/evp.h>
- #include <openssl/x509.h>
- #include "ssl_locl.h"
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl3_get_server_method(int ver);
- static int ssl3_get_client_hello(SSL *s);
-@@ -948,6 +949,7 @@
- 			s->session->session_id_length=0;
- 
- 		sl=s->session->session_id_length;
-+		die(sl <= sizeof s->session->session_id);
- 		*(p++)=sl;
- 		memcpy(p,s->session->session_id,sl);
- 		p+=sl;
-Index: ssl/ssl.h
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
-retrieving revision 1.85.2.12
-diff -u -r1.85.2.12 ssl.h
---- ssl/ssl.h	2002/01/14 23:42:42	1.85.2.12
-+++ ssl/ssl.h	2002/07/30 09:14:29
-@@ -1478,6 +1478,7 @@
- #define SSL_R_INVALID_COMMAND				 280
- #define SSL_R_INVALID_PURPOSE				 278
- #define SSL_R_INVALID_TRUST				 279
-+#define SSL_R_KEY_ARG_TOO_LONG				 1112
- #define SSL_R_LENGTH_MISMATCH				 159
- #define SSL_R_LENGTH_TOO_SHORT				 160
- #define SSL_R_LIBRARY_BUG				 274
-@@ -1546,6 +1547,7 @@
- #define SSL_R_SHORT_READ				 219
- #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
- #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
-+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
- #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
- #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
- #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
-Index: ssl/ssl_asn1.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl_asn1.c,v
-retrieving revision 1.8
-diff -u -r1.8 ssl_asn1.c
---- ssl/ssl_asn1.c	2000/06/01 22:19:19	1.8
-+++ ssl/ssl_asn1.c	2002/07/30 09:14:29
-@@ -62,6 +62,7 @@
- #include <openssl/objects.h>
- #include <openssl/x509.h>
- #include "ssl_locl.h"
-+#include "cryptlib.h"
- 
- typedef struct ssl_session_asn1_st
- 	{
-@@ -275,6 +276,7 @@
- 		os.length=i;
- 
- 	ret->session_id_length=os.length;
-+	die(os.length <= sizeof ret->session_id);
- 	memcpy(ret->session_id,os.data,os.length);
- 
- 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-Index: ssl/ssl_err.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl_err.c,v
-retrieving revision 1.28.2.6
-diff -u -r1.28.2.6 ssl_err.c
---- ssl/ssl_err.c	2001/11/10 01:15:29	1.28.2.6
-+++ ssl/ssl_err.c	2002/07/30 09:14:30
-@@ -1,6 +1,6 @@
- /* ssl/ssl_err.c */
- /* ====================================================================
-- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
-+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions
-@@ -275,6 +275,7 @@
- {SSL_R_INVALID_COMMAND                   ,"invalid command"},
- {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
- {SSL_R_INVALID_TRUST                     ,"invalid trust"},
-+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
- {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
- {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
- {SSL_R_LIBRARY_BUG                       ,"library bug"},
-@@ -343,6 +344,7 @@
- {SSL_R_SHORT_READ                        ,"short read"},
- {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
- {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
-+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
- {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
- {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
- {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
-Index: ssl/ssl_sess.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl_sess.c,v
-retrieving revision 1.30.2.2
-diff -u -r1.30.2.2 ssl_sess.c
---- ssl/ssl_sess.c	2002/02/10 12:52:57	1.30.2.2
-+++ ssl/ssl_sess.c	2002/07/30 09:14:30
-@@ -60,6 +60,7 @@
- #include <openssl/lhash.h>
- #include <openssl/rand.h>
- #include "ssl_locl.h"
-+#include "cryptlib.h"
- 
- static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
- static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
-@@ -199,6 +200,7 @@
- 		ss->session_id_length=0;
- 		}
- 
-+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
- 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
- 	ss->sid_ctx_length=s->sid_ctx_length;
- 	s->session=ss;
diff --git a/news/patch_20020730_0_9_7.txt b/news/patch_20020730_0_9_7.txt
deleted file mode 100644
index c61909a..0000000
--- a/news/patch_20020730_0_9_7.txt
+++ /dev/null
@@ -1,665 +0,0 @@
-Index: CHANGES
-===================================================================
-RCS file: /e/openssl/cvs/openssl/CHANGES,v
-retrieving revision 1.977.2.42
-diff -u -r1.977.2.42 CHANGES
---- CHANGES	2002/07/16 09:18:25	1.977.2.42
-+++ CHANGES	2002/07/30 09:54:48
-@@ -4,6 +4,38 @@
- 
-  Changes between 0.9.6e and 0.9.7  [XX xxx 2002]
- 
-+Changes marked "(CHATS)" were sponsored by the Defense Advanced
-+Research Projects Agency (DARPA) and Air Force Research Laboratory,
-+Air Force Materiel Command, USAF, under agreement number
-+F30602-01-2-0537.
-+
-+  *) Add various sanity checks to asn1_get_length() to reject
-+     the ASN1 length bytes if they exceed sizeof(long), will appear
-+     negative or the content length exceeds the length of the
-+     supplied buffer. (CAN-2002-0659)
-+     [Steve Henson, Adi Stav <stav at mercury.co.il>, James Yonan <jim at ntlp.com>]
-+
-+  *) Assertions for various potential buffer overflows, not known to
-+     happen in practice.
-+     [Ben Laurie (CHATS)]
-+
-+  *) Various temporary buffers to hold ASCII versions of integers were
-+     too small for 64 bit platforms. (CAN-2002-0655)
-+     [Matthew Byng-Maddick <mbm at aldigital.co.uk> and Ben Laurie (CHATS)>
-+
-+  *) Remote buffer overflow in SSL3 protocol - an attacker could
-+     supply an oversized master key in Kerberos-enabled versions.
-+     (CAN-2002-0657)
-+     [Ben Laurie (CHATS)]
-+
-+  *) Remote buffer overflow in SSL3 protocol - an attacker could
-+     supply an oversized session ID to a client. (CAN-2002-0656)
-+     [Ben Laurie (CHATS)]
-+
-+  *) Remote buffer overflow in SSL2 protocol - an attacker could
-+     supply an oversized client master key. (CAN-2002-0656)
-+     [Ben Laurie (CHATS)]
-+
-   *) Add appropriate support for separate platform-dependent build
-      directories.  The recommended way to make a platform-dependent
-      build directory is the following (tested on Linux), maybe with
-@@ -1654,6 +1686,12 @@
-      [Richard Levitte]
- 
-  Changes between 0.9.6d and 0.9.6e  [XX xxx XXXX]
-+
-+  *) Add various sanity checks to asn1_get_length() to reject
-+     the ASN1 length bytes if they exceed sizeof(long), will appear
-+     negative or the content length exceeds the length of the
-+     supplied buffer.
-+     [Steve Henson, Adi Stav <stav at mercury.co.il>, James Yonan <jim at ntlp.com>]
- 
-   *) Fix cipher selection routines: ciphers without encryption had no flags
-      for the cipher strength set and where therefore not handled correctly
-Index: crypto/cryptlib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.c,v
-retrieving revision 1.32
-diff -u -r1.32 cryptlib.c
---- crypto/cryptlib.c	2001/11/24 04:02:42	1.32
-+++ crypto/cryptlib.c	2002/07/30 09:54:50
-@@ -492,3 +492,11 @@
- #endif
- 
- #endif
-+
-+void OpenSSLDie(const char *file,int line,const char *assertion)
-+    {
-+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
-+	    file,line,assertion);
-+    abort();
-+    }
-+
-Index: crypto/cryptlib.h
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.h,v
-retrieving revision 1.10
-diff -u -r1.10 cryptlib.h
---- crypto/cryptlib.h	2001/02/22 14:44:54	1.10
-+++ crypto/cryptlib.h	2002/07/30 09:54:50
-@@ -89,6 +89,14 @@
- #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
- #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
- 
-+/* size of string represenations */
-+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
-+#define HEX_SIZE(type)         ((sizeof(type)*2)
-+
-+/* die if we have to */
-+void OpenSSLDie(const char *file,int line,const char *assertion);
-+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
-+
- #ifdef  __cplusplus
- }
- #endif
-Index: crypto/asn1/asn1_lib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/asn1/asn1_lib.c,v
-retrieving revision 1.20.2.1
-diff -u -r1.20.2.1 asn1_lib.c
---- crypto/asn1/asn1_lib.c	2002/06/13 17:38:46	1.20.2.1
-+++ crypto/asn1/asn1_lib.c	2002/08/02 00:00:00
-@@ -124,15 +124,13 @@
- 		(int)(omax+ *pp));
- 
- #endif
--#if 0
--	if ((p+ *plength) > (omax+ *pp))
-+	if (*plength > (omax - (p - *pp)))
- 		{
- 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
- 		/* Set this so that even if things are not long enough
- 		 * the values are set correctly */
- 		ret|=0x80;
- 		}
--#endif
- 	*pp=p;
- 	return(ret|inf);
- err:
-@@ -159,6 +157,8 @@
- 		i= *p&0x7f;
- 		if (*(p++) & 0x80)
- 			{
-+			if (i > sizeof(long))
-+				return 0;
- 			if (max-- == 0) return(0);
- 			while (i-- > 0)
- 				{
-@@ -170,6 +170,8 @@
- 		else
- 			ret=i;
- 		}
-+	if (ret < 0)
-+		return 0;
- 	*pp=p;
- 	*rl=ret;
- 	return(1);
-@@ -407,7 +409,7 @@
- 
- void asn1_add_error(unsigned char *address, int offset)
- 	{
--	char buf1[16],buf2[16];
-+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
- 
- 	sprintf(buf1,"%lu",(unsigned long)address);
- 	sprintf(buf2,"%d",offset);
-Index: crypto/conf/conf_def.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/conf/conf_def.c,v
-retrieving revision 1.12
-diff -u -r1.12 conf_def.c
---- crypto/conf/conf_def.c	2002/01/24 16:15:17	1.12
-+++ crypto/conf/conf_def.c	2002/07/30 09:54:51
-@@ -67,6 +67,7 @@
- #include "conf_def.h"
- #include <openssl/buffer.h>
- #include <openssl/err.h>
-+#include "cryptlib.h"
- 
- static char *eat_ws(CONF *conf, char *p);
- static char *eat_alpha_numeric(CONF *conf, char *p);
-@@ -208,12 +209,12 @@
- static int def_load_bio(CONF *conf, BIO *in, long *line)
- 	{
- #define BUFSIZE	512
--	char btmp[16];
- 	int bufnum=0,i,ii;
- 	BUF_MEM *buff=NULL;
- 	char *s,*p,*end;
- 	int again,n;
- 	long eline=0;
-+	char btmp[DECIMAL_SIZE(eline)+1];
- 	CONF_VALUE *v=NULL,*tv;
- 	CONF_VALUE *sv=NULL;
- 	char *section=NULL,*buf;
-Index: crypto/conf/conf_mod.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/conf/conf_mod.c,v
-retrieving revision 1.8.2.6
-diff -u -r1.8.2.6 conf_mod.c
---- crypto/conf/conf_mod.c	2002/05/08 15:13:24	1.8.2.6
-+++ crypto/conf/conf_mod.c	2002/07/30 09:54:52
-@@ -230,7 +230,7 @@
- 		{
- 		if (!(flags & CONF_MFLAGS_SILENT))
- 			{
--			char rcode[10];
-+			char rcode[DECIMAL_SIZE(ret)+1];
- 			CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
- 			sprintf(rcode, "%-8d", ret);
- 			ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
-Index: crypto/engine/hw_cswift.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/engine/hw_cswift.c,v
-retrieving revision 1.17.2.1
-diff -u -r1.17.2.1 hw_cswift.c
---- crypto/engine/hw_cswift.c	2002/06/21 02:48:52	1.17.2.1
-+++ crypto/engine/hw_cswift.c	2002/07/30 09:54:53
-@@ -501,7 +501,7 @@
- 		goto err;
- 	default:
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -518,7 +518,7 @@
- 	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP, &arg, 1,
- 		&res, 1)) != SW_OK)
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -608,7 +608,7 @@
- 		goto err;
- 	default:
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -625,7 +625,7 @@
- 	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP_CRT, &arg, 1,
- 		&res, 1)) != SW_OK)
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -740,7 +740,7 @@
- 		goto err;
- 	default:
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -758,7 +758,7 @@
- 		&res, 1);
- 	if(sw_status != SW_OK)
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -852,7 +852,7 @@
- 		goto err;
- 	default:
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-@@ -874,7 +874,7 @@
- 		&res, 1);
- 	if(sw_status != SW_OK)
- 		{
--		char tmpbuf[20];
-+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
- 		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_REQUEST_FAILED);
- 		sprintf(tmpbuf, "%ld", sw_status);
- 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
-Index: crypto/objects/obj_dat.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/objects/obj_dat.c,v
-retrieving revision 1.23.2.3
-diff -u -r1.23.2.3 obj_dat.c
---- crypto/objects/obj_dat.c	2002/05/30 16:49:44	1.23.2.3
-+++ crypto/objects/obj_dat.c	2002/07/30 09:54:53
-@@ -436,7 +436,7 @@
- 	unsigned long l;
- 	unsigned char *p;
- 	const char *s;
--	char tbuf[32];
-+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
- 
- 	if (buf_len <= 0) return(0);
- 
-Index: ssl/s2_clnt.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s2_clnt.c,v
-retrieving revision 1.37
-diff -u -r1.37 s2_clnt.c
---- ssl/s2_clnt.c	2002/01/12 15:56:10	1.37
-+++ ssl/s2_clnt.c	2002/07/30 09:55:01
-@@ -116,6 +116,7 @@
- #include <openssl/buffer.h>
- #include <openssl/objects.h>
- #include <openssl/evp.h>
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl2_get_client_method(int ver);
- static int get_server_finished(SSL *s);
-@@ -535,6 +536,7 @@
- 		}
- 		
- 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
-+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
- 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
- 	return(1);
- 	}
-@@ -636,6 +638,7 @@
- 		/* make key_arg data */
- 		i=EVP_CIPHER_iv_length(c);
- 		sess->key_arg_length=i;
-+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
- 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
- 
- 		/* make a master key */
-@@ -643,6 +646,7 @@
- 		sess->master_key_length=i;
- 		if (i > 0)
- 			{
-+			die(i <= sizeof sess->master_key);
- 			if (RAND_bytes(sess->master_key,i) <= 0)
- 				{
- 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-@@ -686,6 +690,7 @@
- 		d+=enc;
- 		karg=sess->key_arg_length;	
- 		s2n(karg,p); /* key arg size */
-+		die(karg <= sizeof sess->key_arg);
- 		memcpy(d,sess->key_arg,(unsigned int)karg);
- 		d+=karg;
- 
-@@ -706,6 +711,7 @@
- 		{
- 		p=(unsigned char *)s->init_buf->data;
- 		*(p++)=SSL2_MT_CLIENT_FINISHED;
-+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
- 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
- 
- 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
-@@ -978,6 +984,8 @@
- 		{
- 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
- 			{
-+			die(s->session->session_id_length
-+			    <= sizeof s->session->session_id);
- 			if (memcmp(buf,s->session->session_id,
- 				(unsigned int)s->session->session_id_length) != 0)
- 				{
-Index: ssl/s2_lib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s2_lib.c,v
-retrieving revision 1.39.2.1
-diff -u -r1.39.2.1 s2_lib.c
---- ssl/s2_lib.c	2002/07/10 06:40:18	1.39.2.1
-+++ ssl/s2_lib.c	2002/07/30 09:55:01
-@@ -63,6 +63,7 @@
- #include <openssl/objects.h>
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#include "cryptlib.h"
- 
- static long ssl2_default_timeout(void );
- const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
-@@ -428,10 +429,14 @@
- #endif
- 	EVP_MD_CTX_init(&ctx);
- 	km=s->s2->key_material;
-+	die(s->s2->key_material_length <= sizeof s->s2->key_material);
- 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
- 		{
- 		EVP_DigestInit_ex(&ctx,EVP_md5(), NULL);
- 
-+		die(s->session->master_key_length >= 0
-+		    && s->session->master_key_length
-+		    < sizeof s->session->master_key);
- 		EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
- 		EVP_DigestUpdate(&ctx,&c,1);
- 		c++;
-@@ -467,6 +472,7 @@
- /*	state=s->rwstate;*/
- 	error=s->error;
- 	s->error=0;
-+	die(error >= 0 && error <= 3);
- 	i=ssl2_write(s,&(buf[3-error]),error);
- /*	if (i == error) s->rwstate=state; */
- 
-Index: ssl/s2_srvr.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s2_srvr.c,v
-retrieving revision 1.36
-diff -u -r1.36 s2_srvr.c
---- ssl/s2_srvr.c	2002/01/12 15:56:11	1.36
-+++ ssl/s2_srvr.c	2002/07/30 09:55:02
-@@ -116,6 +116,7 @@
- #include <openssl/rand.h>
- #include <openssl/objects.h>
- #include <openssl/evp.h>
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl2_get_server_method(int ver);
- static int get_client_master_key(SSL *s);
-@@ -417,11 +418,18 @@
- 		n2s(p,i); s->s2->tmp.clear=i;
- 		n2s(p,i); s->s2->tmp.enc=i;
- 		n2s(p,i); s->session->key_arg_length=i;
-+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
-+			{
-+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
-+				   SSL_R_KEY_ARG_TOO_LONG);
-+			return -1;
-+			}
- 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
- 		}
- 
- 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
- 	p=(unsigned char *)s->init_buf->data;
-+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
- 	keya=s->session->key_arg_length;
- 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
- 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
-@@ -504,6 +512,7 @@
- #endif
- 
- 	if (is_export) i+=s->s2->tmp.clear;
-+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
- 	s->session->master_key_length=i;
- 	memcpy(s->session->master_key,p,(unsigned int)i);
- 	return(1);
-@@ -670,6 +679,7 @@
- 	p+=s->s2->tmp.session_id_length;
- 
- 	/* challenge */
-+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
- 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
- 	return(1);
- mem_err:
-@@ -826,6 +836,7 @@
- 		}
- 
- 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
-+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
- 	len = 1 + (unsigned long)s->s2->conn_id_length;
- 	n = (int)len - s->init_num;
- 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
-@@ -853,6 +864,7 @@
- 		{
- 		p=(unsigned char *)s->init_buf->data;
- 		*(p++)=SSL2_MT_SERVER_VERIFY;
-+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
- 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
- 		/* p+=s->s2->challenge_length; */
- 
-@@ -872,6 +884,8 @@
- 		p=(unsigned char *)s->init_buf->data;
- 		*(p++)=SSL2_MT_SERVER_FINISHED;
- 
-+		die(s->session->session_id_length
-+		    <= sizeof s->session->session_id);
- 		memcpy(p,s->session->session_id,
- 			(unsigned int)s->session->session_id_length);
- 		/* p+=s->session->session_id_length; */
-Index: ssl/s3_clnt.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
-retrieving revision 1.53.2.2
-diff -u -r1.53.2.2 s3_clnt.c
---- ssl/s3_clnt.c	2002/07/10 06:57:48	1.53.2.2
-+++ ssl/s3_clnt.c	2002/07/30 09:55:03
-@@ -117,6 +117,7 @@
- #include <openssl/objects.h>
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl3_get_client_method(int ver);
- static int ssl3_client_hello(SSL *s);
-@@ -545,6 +546,7 @@
- 		*(p++)=i;
- 		if (i != 0)
- 			{
-+			die(i <= sizeof s->session->session_id);
- 			memcpy(p,s->session->session_id,i);
- 			p+=i;
- 			}
-@@ -626,6 +628,14 @@
- 	/* get the session-id */
- 	j= *(p++);
- 
-+       if(j > sizeof s->session->session_id)
-+               {
-+               al=SSL_AD_ILLEGAL_PARAMETER;
-+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
-+               goto f_err;
-+               }
-+
- 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
- 		{
- 		/* SSLref returns 16 :-( */
-@@ -1588,6 +1598,7 @@
- 				SSL_MAX_MASTER_KEY_LENGTH);
- 			EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
- 			outl += padl;
-+			die(outl <= sizeof epms);
- 			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
- 
- 			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
-Index: ssl/s3_srvr.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/s3_srvr.c,v
-retrieving revision 1.85.2.5
-diff -u -r1.85.2.5 s3_srvr.c
---- ssl/s3_srvr.c	2002/07/10 06:57:50	1.85.2.5
-+++ ssl/s3_srvr.c	2002/07/30 13:36:36
-@@ -123,6 +123,7 @@
- #include <openssl/x509.h>
- #include <openssl/krb5_asn.h>
- #include <openssl/md5.h>
-+#include "cryptlib.h"
- 
- static SSL_METHOD *ssl3_get_server_method(int ver);
- static int ssl3_get_client_hello(SSL *s);
-@@ -964,6 +965,7 @@
- 			s->session->session_id_length=0;
- 
- 		sl=s->session->session_id_length;
-+		die(sl <= sizeof s->session->session_id);
- 		*(p++)=sl;
- 		memcpy(p,s->session->session_id,sl);
- 		p+=sl;
-@@ -1559,8 +1561,8 @@
- 		EVP_CIPHER		*enc = NULL;
- 		unsigned char		iv[EVP_MAX_IV_LENGTH];
- 		unsigned char		pms[SSL_MAX_MASTER_KEY_LENGTH
--						+ EVP_MAX_IV_LENGTH + 1];
--		int 			padl, outl = sizeof(pms);
-+                                               + EVP_MAX_BLOCK_LENGTH];
-+		int                     padl, outl;
- 		krb5_timestamp		authtime = 0;
- 		krb5_ticket_times	ttimes;
- 
-@@ -1582,6 +1584,16 @@
- 		enc_pms.length = i;
- 		enc_pms.data = (char *)p;
- 		p+=enc_pms.length;
-+
-+		/* Note that the length is checked again below,
-+		** after decryption
-+		*/
-+		if(enc_pms.length > sizeof pms)
-+			{
-+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-+			       SSL_R_DATA_LENGTH_TOO_LONG);
-+			goto err;
-+			}
- 
- 		if (n != enc_ticket.length + authenticator.length +
- 						enc_pms.length + 6)
-Index: ssl/ssl.h
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
-retrieving revision 1.126.2.7
-diff -u -r1.126.2.7 ssl.h
---- ssl/ssl.h	2002/07/04 08:50:31	1.126.2.7
-+++ ssl/ssl.h	2002/07/30 09:55:05
-@@ -1650,6 +1650,7 @@
- #define SSL_R_INVALID_COMMAND				 280
- #define SSL_R_INVALID_PURPOSE				 278
- #define SSL_R_INVALID_TRUST				 279
-+#define SSL_R_KEY_ARG_TOO_LONG				 1112
- #define SSL_R_KRB5					 1104
- #define SSL_R_KRB5_C_CC_PRINC				 1094
- #define SSL_R_KRB5_C_GET_CRED				 1095
-@@ -1729,6 +1730,7 @@
- #define SSL_R_SHORT_READ				 219
- #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
- #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
-+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
- #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
- #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
- #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
-Index: ssl/ssl_asn1.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl_asn1.c,v
-retrieving revision 1.9.2.2
-diff -u -r1.9.2.2 ssl_asn1.c
---- ssl/ssl_asn1.c	2002/07/10 06:57:51	1.9.2.2
-+++ ssl/ssl_asn1.c	2002/07/30 09:55:05
-@@ -62,6 +62,7 @@
- #include <openssl/asn1_mac.h>
- #include <openssl/objects.h>
- #include <openssl/x509.h>
-+#include "cryptlib.h"
- 
- typedef struct ssl_session_asn1_st
- 	{
-@@ -296,6 +297,7 @@
- 		os.length=i;
- 
- 	ret->session_id_length=os.length;
-+	die(os.length <= sizeof ret->session_id);
- 	memcpy(ret->session_id,os.data,os.length);
- 
- 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-Index: ssl/ssl_err.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl_err.c,v
-retrieving revision 1.41
-diff -u -r1.41 ssl_err.c
---- ssl/ssl_err.c	2001/11/10 01:16:28	1.41
-+++ ssl/ssl_err.c	2002/07/30 09:55:06
-@@ -1,6 +1,6 @@
- /* ssl/ssl_err.c */
- /* ====================================================================
-- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
-+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions
-@@ -275,6 +275,7 @@
- {SSL_R_INVALID_COMMAND                   ,"invalid command"},
- {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
- {SSL_R_INVALID_TRUST                     ,"invalid trust"},
-+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
- {SSL_R_KRB5                              ,"krb5"},
- {SSL_R_KRB5_C_CC_PRINC                   ,"krb5 client cc principal (no tkt?)"},
- {SSL_R_KRB5_C_GET_CRED                   ,"krb5 client get cred"},
-@@ -354,6 +355,7 @@
- {SSL_R_SHORT_READ                        ,"short read"},
- {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
- {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
-+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
- {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
- {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
- {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
-Index: ssl/ssl_sess.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/ssl/ssl_sess.c,v
-retrieving revision 1.40
-diff -u -r1.40 ssl_sess.c
---- ssl/ssl_sess.c	2002/02/10 12:46:41	1.40
-+++ ssl/ssl_sess.c	2002/07/30 09:55:06
-@@ -60,6 +60,7 @@
- #include <openssl/lhash.h>
- #include <openssl/rand.h>
- #include "ssl_locl.h"
-+#include "cryptlib.h"
- 
- static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
- static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
-@@ -250,6 +251,7 @@
- 		ss->session_id_length=0;
- 		}
- 
-+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
- 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
- 	ss->sid_ctx_length=s->sid_ctx_length;
- 	s->session=ss;
diff --git a/news/pgpkey.html b/news/pgpkey.html
new file mode 100644
index 0000000..4e15e38
--- /dev/null
+++ b/news/pgpkey.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>PGP Key</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    Mail sent to 
+	    <a href="mailto:openssl-security at openssl.org">openssl-security at openssl.org</a>
+	    can be encrypted with our team PGP key, below.
+	    The plain-text document of the key is available
+	    here:
+	    <a href="openssl-security.asc">openssl-security.asc</a>
+	    </p>
+	    <pre>
+	    <!--#include virtual="openssl-security.asc">
+	    </pre>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">News</a>
+	    : <a href="">PGP Key</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/news/secadv_20020730.txt b/news/secadv/20020730.txt
similarity index 100%
rename from news/secadv_20020730.txt
rename to news/secadv/20020730.txt
diff --git a/news/secadv_20030219.txt b/news/secadv/20030219.txt
similarity index 100%
rename from news/secadv_20030219.txt
rename to news/secadv/20030219.txt
diff --git a/news/secadv_20030317.txt b/news/secadv/20030317.txt
similarity index 100%
rename from news/secadv_20030317.txt
rename to news/secadv/20030317.txt
diff --git a/news/secadv_20030319.txt b/news/secadv/20030319.txt
similarity index 100%
rename from news/secadv_20030319.txt
rename to news/secadv/20030319.txt
diff --git a/news/secadv_20030930.txt b/news/secadv/20030930.txt
similarity index 100%
rename from news/secadv_20030930.txt
rename to news/secadv/20030930.txt
diff --git a/news/secadv_20031104.txt b/news/secadv/20031104.txt
similarity index 100%
rename from news/secadv_20031104.txt
rename to news/secadv/20031104.txt
diff --git a/news/secadv_20040317.txt b/news/secadv/20040317.txt
similarity index 100%
rename from news/secadv_20040317.txt
rename to news/secadv/20040317.txt
diff --git a/news/secadv_20051011.txt b/news/secadv/20051011.txt
similarity index 100%
rename from news/secadv_20051011.txt
rename to news/secadv/20051011.txt
diff --git a/news/secadv_20060905.txt b/news/secadv/20060905.txt
similarity index 100%
rename from news/secadv_20060905.txt
rename to news/secadv/20060905.txt
diff --git a/news/secadv_20060928.txt b/news/secadv/20060928.txt
similarity index 100%
rename from news/secadv_20060928.txt
rename to news/secadv/20060928.txt
diff --git a/news/secadv_20071012.txt b/news/secadv/20071012.txt
similarity index 100%
rename from news/secadv_20071012.txt
rename to news/secadv/20071012.txt
diff --git a/news/secadv_20071129.txt b/news/secadv/20071129.txt
similarity index 100%
rename from news/secadv_20071129.txt
rename to news/secadv/20071129.txt
diff --git a/news/secadv_20080528.txt b/news/secadv/20080528.txt
similarity index 100%
rename from news/secadv_20080528.txt
rename to news/secadv/20080528.txt
diff --git a/news/secadv_20090107.txt b/news/secadv/20090107.txt
similarity index 100%
rename from news/secadv_20090107.txt
rename to news/secadv/20090107.txt
diff --git a/news/secadv_20090325.txt b/news/secadv/20090325.txt
similarity index 100%
rename from news/secadv_20090325.txt
rename to news/secadv/20090325.txt
diff --git a/news/secadv_20091111.txt b/news/secadv/20091111.txt
similarity index 100%
rename from news/secadv_20091111.txt
rename to news/secadv/20091111.txt
diff --git a/news/secadv_20100324.txt b/news/secadv/20100324.txt
similarity index 100%
rename from news/secadv_20100324.txt
rename to news/secadv/20100324.txt
diff --git a/news/secadv_20100601.txt b/news/secadv/20100601.txt
similarity index 100%
rename from news/secadv_20100601.txt
rename to news/secadv/20100601.txt
diff --git a/news/secadv_20101116-2.txt b/news/secadv/20101116-2.txt
similarity index 100%
rename from news/secadv_20101116-2.txt
rename to news/secadv/20101116-2.txt
diff --git a/news/secadv_20101116.txt b/news/secadv/20101116.txt
similarity index 100%
rename from news/secadv_20101116.txt
rename to news/secadv/20101116.txt
diff --git a/news/secadv_20101202.txt b/news/secadv/20101202.txt
similarity index 100%
rename from news/secadv_20101202.txt
rename to news/secadv/20101202.txt
diff --git a/news/secadv_20110208.txt b/news/secadv/20110208.txt
similarity index 100%
rename from news/secadv_20110208.txt
rename to news/secadv/20110208.txt
diff --git a/news/secadv_20110906.txt b/news/secadv/20110906.txt
similarity index 100%
rename from news/secadv_20110906.txt
rename to news/secadv/20110906.txt
diff --git a/news/secadv_20120104.txt b/news/secadv/20120104.txt
similarity index 100%
rename from news/secadv_20120104.txt
rename to news/secadv/20120104.txt
diff --git a/news/secadv_20120118.txt b/news/secadv/20120118.txt
similarity index 100%
rename from news/secadv_20120118.txt
rename to news/secadv/20120118.txt
diff --git a/news/secadv_20120312.txt b/news/secadv/20120312.txt
similarity index 100%
rename from news/secadv_20120312.txt
rename to news/secadv/20120312.txt
diff --git a/news/secadv_20120419.txt b/news/secadv/20120419.txt
similarity index 100%
rename from news/secadv_20120419.txt
rename to news/secadv/20120419.txt
diff --git a/news/secadv_20120424.txt b/news/secadv/20120424.txt
similarity index 100%
rename from news/secadv_20120424.txt
rename to news/secadv/20120424.txt
diff --git a/news/secadv_20120510.txt b/news/secadv/20120510.txt
similarity index 100%
rename from news/secadv_20120510.txt
rename to news/secadv/20120510.txt
diff --git a/news/secadv_20130204.txt b/news/secadv/20130204.txt
similarity index 100%
rename from news/secadv_20130204.txt
rename to news/secadv/20130204.txt
diff --git a/news/secadv_20130205.txt b/news/secadv/20130205.txt
similarity index 100%
rename from news/secadv_20130205.txt
rename to news/secadv/20130205.txt
diff --git a/news/secadv_20140407.txt b/news/secadv/20140407.txt
similarity index 100%
rename from news/secadv_20140407.txt
rename to news/secadv/20140407.txt
diff --git a/news/secadv_20140605.txt b/news/secadv/20140605.txt
similarity index 100%
rename from news/secadv_20140605.txt
rename to news/secadv/20140605.txt
diff --git a/news/secadv_20140806.txt b/news/secadv/20140806.txt
similarity index 100%
rename from news/secadv_20140806.txt
rename to news/secadv/20140806.txt
diff --git a/news/secadv_20141015.txt b/news/secadv/20141015.txt
similarity index 100%
rename from news/secadv_20141015.txt
rename to news/secadv/20141015.txt
diff --git a/news/secadv_20150108.txt b/news/secadv/20150108.txt
similarity index 100%
rename from news/secadv_20150108.txt
rename to news/secadv/20150108.txt
diff --git a/news/secadv_20150319.txt b/news/secadv/20150319.txt
similarity index 100%
rename from news/secadv_20150319.txt
rename to news/secadv/20150319.txt
diff --git a/news/secadv_20150611.txt b/news/secadv/20150611.txt
similarity index 100%
rename from news/secadv_20150611.txt
rename to news/secadv/20150611.txt
diff --git a/news/secadv_20150709.txt b/news/secadv/20150709.txt
similarity index 100%
rename from news/secadv_20150709.txt
rename to news/secadv/20150709.txt
diff --git a/news/secadv_hack.txt b/news/secadv/hack.txt
similarity index 100%
rename from news/secadv_hack.txt
rename to news/secadv/hack.txt
diff --git a/news/secadv_prng.txt b/news/secadv/prng.txt
similarity index 100%
rename from news/secadv_prng.txt
rename to news/secadv/prng.txt
diff --git a/news/sidebar.inc b/news/sidebar.inc
new file mode 100644
index 0000000..704c645
--- /dev/null
+++ b/news/sidebar.inc
@@ -0,0 +1,18 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">News</a></h1>
+    <ul>
+      <li>
+	<a href="newslog.html">Newslog</a>
+      </li>
+      <li>
+	<a href="vulnerabilities">Vulnerabilities</a>
+      </li>
+      <li>
+	<a href="changelog.html">Changelog</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
diff --git a/news/state.wml b/news/state.wml
deleted file mode 100644
index 9ae6860..0000000
--- a/news/state.wml
+++ /dev/null
@@ -1,31 +0,0 @@
-
-#use wml::openssl area=news page=state 
-
-<title>News, Project State</title>
-
-<h1>Project State</h1>
-
-Here is a short summary of the current development and release state
-of the OpenSSL project as of July, 2015.
-The latest releases can always be found at
-<a href="https://www.openssl.org/source">https://www.openssl.org/source</a>.
-
-<ul>
-
-<li>On July 9, we released version <b>1.0.2d</b>.  This is the most
-recent security fixes for the current major release branch.
-We also released version <b>1.0.1p</b> which has the same fixes for
-that branch.
-<br>
-
-<li>In 2014, we declared <b>1.0.0</b> and <b>0.9.8</b> to be end of life, with
-all updates ending at the end of 2015. Until then, only security fixes will
-be released for those branches.
-<br>
-
-<li>Our next major release is <b>1.1.0</b>. It is currently in development.
-It is the master branch, available at
-<a href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</a> (as are all other release branches).
-<br>
-
-</ul>
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 9a41b1e..8dbb358 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -22,7 +22,7 @@
       enabling them to use a valid leaf certificate to act as a CA and
       "issue" an invalid certificate.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150709.txt"/>
+    <advisory url="/news/secadv/20150709.txt"/>
     <reported source="Adam Langley and David Benjamin (Google/BoringSSL)"/>
   </issue>
   <issue public="20150611">
@@ -81,7 +81,7 @@
       certificates.  This includes TLS clients and TLS servers with
       client authentication enabled.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150611.txt"/>
+    <advisory url="/news/secadv/20150611.txt"/>
     <reported source="Joseph Birr-Pixton"/>
   </issue>
 
@@ -171,7 +171,7 @@
       authentication enabled may be affected if they use custom verification
       callbacks.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150611.txt"/>
+    <advisory url="/news/secadv/20150611.txt"/>
     <reported source="Robert Swiecki (Google) and (independently) Hanno B?ck"/>
   </issue>
 
@@ -257,7 +257,7 @@
       structures from untrusted sources are affected. OpenSSL clients and
       servers are not affected.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150611.txt"/>
+    <advisory url="/news/secadv/20150611.txt"/>
     <reported source="Michal Zalewski (Google)"/>
   </issue>
 
@@ -341,7 +341,7 @@
       This can be used to perform denial of service against any system which
       verifies signedData messages using the CMS code.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150611.txt"/>
+    <advisory url="/news/secadv/20150611.txt"/>
     <reported source="Johannes Bauer"/>
   </issue>
 
@@ -423,7 +423,7 @@
       reuse a previous ticket then a race condition can occur potentially leading to
       a double free of the ticket data.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150611.txt"/>
+    <advisory url="/news/secadv/20150611.txt"/>
     <reported source="Emilia K?sper (OpenSSL)"/>
   </issue>
 
@@ -487,7 +487,7 @@
       free, resulting in a segmentation fault or potentially, memory
       corruption.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150611.txt"/>
+    <advisory url="/news/secadv/20150611.txt"/>
     <reported source="Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)"/>
   </issue>
   <issue public="20150319">
@@ -501,7 +501,7 @@ ClientHello sigalgs DoS.  If a client connects to an OpenSSL 1.0.2 server and re
 invalid signature algorithms extension a NULL pointer dereference will occur.
 This can be exploited in a DoS attack against the server.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source=" David Ramos (Stanford University)"/>
   </issue>
 
@@ -522,7 +522,7 @@ will only result in a failed connection. However if some other BIO is used then
 it is likely that a segmentation fault will be triggered, thus enabling a
 potential DoS attack.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Daniel Danner and Rainer Mueller"/>
   </issue>
 
@@ -540,7 +540,7 @@ fault. Errors processing the initial ClientHello can trigger this scenario. An
 example of such an error could be that a DTLS1.0 only client is attempting to
 connect to a DTLS1.2 only server.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Per Allansson"/>
   </issue>
 
@@ -594,7 +594,7 @@ certificate verification operation and exploited in a DoS attack. Any
 application which performs certificate verification is vulnerable including
 OpenSSL clients and servers which enable client authentication.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Stephen Henson (OpenSSL development team)"/>
   </issue>
 
@@ -614,7 +614,7 @@ certificate verification operation and exploited in a DoS attack. Any
 application which performs certificate verification is vulnerable including
 OpenSSL clients and servers which enable client authentication.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Brian Carpenter"/>
   </issue>
 
@@ -694,7 +694,7 @@ Reusing a structure in ASN.1 parsing may allow an attacker to cause
 memory corruption via an invalid write. Such reuse is and has been
 strongly discouraged and is believed to be rare.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Emilia K?sper (OpenSSL development team)"/>
   </issue>
 
@@ -777,7 +777,7 @@ Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
 otherwise parse PKCS#7 structures from untrusted sources are
 affected. OpenSSL clients and servers are not affected.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Michal Zalewski (Google)"/>
   </issue>
 
@@ -841,7 +841,7 @@ untrusted source could be affected (such as the PEM processing routines).
 Maliciously crafted base 64 data could trigger a segmenation fault or memory
 corruption. 
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Robert Dugal, also David Ramos, also Huzaifa Sidhpurwala (Red Hat)"/>
   </issue>
 
@@ -921,7 +921,7 @@ A malicious client can trigger an OPENSSL_assert in
 servers that both support SSLv2 and enable export cipher suites by sending
 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Sean Burford (Google) and Emilia K?sper (OpenSSL development team)"/>
   </issue>
 
@@ -937,7 +937,7 @@ If client auth is used then a server can seg fault in the event of a DHE
 ciphersuite being selected and a zero length ClientKeyExchange message being
 sent by the client. This could be exploited in a DoS attack.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Matt Caswell (OpenSSL development team)"/>
   </issue>
 
@@ -953,7 +953,7 @@ an unseeded PRNG. If the handshake succeeds then the client random that has been
 been generated from a PRNG with insufficient entropy and therefore the output
 may be predictable.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Matt Caswell (OpenSSL development team)"/>
   </issue>
 
@@ -1036,7 +1036,7 @@ or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
 for applications that receive EC private keys from untrusted
 sources. This scenario is considered rare.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="The BoringSSL project"/>
   </issue>
 
@@ -1115,7 +1115,7 @@ X509_to_X509_REQ NULL pointer deref.
 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
 the certificate key is invalid. This function is rarely used in practice.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150319.txt"/>
+    <advisory url="/news/secadv/20150319.txt"/>
     <reported source="Brian Carpenter"/>
   </issue>
 
@@ -1157,7 +1157,7 @@ the certificate key is invalid. This function is rarely used in practice.
       memory leak could be exploited by an attacker in a Denial of Service
       attack through memory exhaustion.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Chris Mueller"/>
   </issue>
 
@@ -1175,7 +1175,7 @@ the certificate key is invalid. This function is rarely used in practice.
       received the ssl method would be set to NULL which could later result in
       a NULL pointer dereference.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Frank Schmirler"/>
   </issue>
 
@@ -1245,7 +1245,7 @@ the certificate key is invalid. This function is rarely used in practice.
       ciphersuite using an ECDSA certificate if the server key exchange message
       is omitted. This effectively removes forward secrecy from the ciphersuite.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
   </issue>
 
@@ -1315,7 +1315,7 @@ the certificate key is invalid. This function is rarely used in practice.
       non-export RSA key exchange ciphersuite. A server could present a weak
       temporary key and downgrade the security of the session.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
   </issue>
 
@@ -1358,7 +1358,7 @@ the certificate key is invalid. This function is rarely used in practice.
       certificates containing DH keys: these are extremely rare and hardly ever
       encountered.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Karthikeyan Bhargavan of the PROSECCO team at INRIA"/>
   </issue>
 
@@ -1437,7 +1437,7 @@ the certificate key is invalid. This function is rarely used in practice.
       applications that rely on the uniqueness of the fingerprint (e.g.
       certificate blacklists) may be affected.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google"/>
   </issue>
 
@@ -1526,7 +1526,7 @@ the certificate key is invalid. This function is rarely used in practice.
       attacker cannot control when the bug triggers, or no private key material
       is involved.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20150108.txt"/>
+    <advisory url="/news/secadv/20150108.txt"/>
     <reported source="Pieter Wuille (Blockstream)"/>
   </issue>
 
@@ -1552,7 +1552,7 @@ the certificate key is invalid. This function is rarely used in practice.
       whether SRTP is used or configured. Implementations of OpenSSL that
       have been compiled with OPENSSL_NO_SRTP defined are not affected.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20141015.txt"/>
+    <advisory url="/news/secadv/20141015.txt"/>
     <reported source="LibreSSL project"/>
   </issue>
 
@@ -1614,7 +1614,7 @@ the certificate key is invalid. This function is rarely used in practice.
       tickets an attacker could exploit this issue in a Denial Of Service
       attack.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20141015.txt"/>
+    <advisory url="/news/secadv/20141015.txt"/>
   </issue>
   <issue public="20141015">
     <cve name=""/>  <!-- this is deliberate -->
@@ -1754,7 +1754,7 @@ the certificate key is invalid. This function is rarely used in practice.
       could accept and complete a SSL 3.0 handshake, and clients could be
       configured to send them.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20141015.txt"/>
+    <advisory url="/news/secadv/20141015.txt"/>
     <reported source="Akamai Technologies"/>
   </issue>
   <issue public="20140806">
@@ -1820,7 +1820,7 @@ X509_name_oneline, X509_name_print_ex, to leak some information from the
 stack. Applications may be affected if they echo pretty printing output to the
 attacker.  OpenSSL SSL/TLS clients and servers themselves are not affected.
     </description>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
     <reported source="Ivan Fratric (Google)"/>
   </issue>
 
@@ -1844,7 +1844,7 @@ could lead to a Denial of Service.
     <affects base="1.0.1" version="1.0.1h"/>
     <fixed base="1.0.1" version="1.0.1i" date="20140806">
     </fixed>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
     <reported source="Joonas Kuorilehto and Riku Hietam?ki (Codenomicon)"/>
   </issue>
 
@@ -1881,7 +1881,7 @@ to freed memory.</description>
     <fixed base="1.0.0" version="1.0.0n" date="20140806">
     </fixed>
     <reported source="Gabor Tyukasz (LogMeIn Inc)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20140806">
@@ -1935,7 +1935,7 @@ processing DTLS packets due to memory being freed twice. This could lead to a
 Denial of Service attack.
     </description>
     <reported source="Adam Langley and Wan-Teh Chang (Google)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20140806">
@@ -2002,7 +2002,7 @@ processing DTLS handshake messages. This could lead to a Denial of
 Service attack.
     </description>
     <reported source="Adam Langley (Google)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20140806">
@@ -2052,7 +2052,7 @@ By sending carefully crafted DTLS packets an attacker could cause OpenSSL to
 leak memory. This could lead to a Denial of Service attack.
     </description>
     <reported source="Adam Langley (Google)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20140806">
@@ -2120,7 +2120,7 @@ pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
 sending carefully crafted handshake messages.
     </description>
     <reported source="Felix Gr?bert (Google)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20140806">
@@ -2144,7 +2144,7 @@ downgrade to TLS 1.0 even if both the server and the client support a higher
 protocol version, by modifying the client's TLS records.
     </description>
     <reported source="David Benjamin and Adam Langley (Google)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20140806">
@@ -2167,7 +2167,7 @@ an internal buffer. Only applications which are explicitly set up for SRP
 use are affected.
     </description>
     <reported source="Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20140806.txt"/>
+    <advisory url="/news/secadv/20140806.txt"/>
   </issue>
 
   <issue public="20020730">
@@ -2178,7 +2178,7 @@ use are affected.
     <affects base="0.9.6" version="0.9.6c"/>
     <affects base="0.9.6" version="0.9.6d"/>
     <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
-    <advisory url="http://www.openssl.org/news/secadv_20020730.txt"/>
+    <advisory url="/news/secadv/20020730.txt"/>
     <reported source="OpenSSL Group (A.L. Digital)"/>
     <description>
 Inproper handling of ASCII representations of integers on
@@ -2195,7 +2195,7 @@ service or possibly execute arbitrary code.
     <affects base="0.9.6" version="0.9.6c"/>
     <affects base="0.9.6" version="0.9.6d"/>
     <fixed base="0.9.6" version="0.9.6e" date="20020730"/>
-    <advisory url="http://www.openssl.org/news/secadv_20020730.txt"/>
+    <advisory url="/news/secadv/20020730.txt"/>
     <reported source="OpenSSL Group (A.L. Digital)"/>
     <description>
 A buffer overflow allowed remote attackers to execute
@@ -2206,7 +2206,7 @@ large session ID in SSL3.
 
   <issue public="20020730">
     <cve name="2002-0657"/>
-    <advisory url="http://www.openssl.org/news/secadv_20020730.txt"/>
+    <advisory url="/news/secadv/20020730.txt"/>
     <reported source="OpenSSL Group (A.L. Digital)"/>
     <description>
 A buffer overflow when Kerberos is enabled allowed attackers
@@ -2256,7 +2256,7 @@ s2_srvr.c.
     <affects base="0.9.6" version="0.9.6h"/>
     <fixed base="0.9.7" version="0.9.7a" date="20030219"/>
     <fixed base="0.9.6" version="0.9.6i" date="20030219"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030219.txt"/>
+    <advisory url="/news/secadv/20030219.txt"/>
     <description>
 sl3_get_record in s3_pkt.c did not perform a MAC computation if an
 incorrect block cipher padding was used, causing an information leak
@@ -2283,7 +2283,7 @@ plaintext, aka the "Vaudenay timing attack."
     <affects base="0.9.7" version="0.9.7a"/>
     <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
     <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030319.txt"/>
+    <advisory url="/news/secadv/20030319.txt"/>
     <description>
 The SSL and TLS components allowed remote attackers to perform an
 unauthorized RSA private key operation via a modified Bleichenbacher
@@ -2308,7 +2308,7 @@ relationship between ciphertext and the associated plaintext, aka the
     <affects base="0.9.6" version="0.9.6i"/>
     <affects base="0.9.7" version="0.9.7"/>
     <affects base="0.9.7" version="0.9.7a"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030317.txt"/>
+    <advisory url="/news/secadv/20030317.txt"/>
     <fixed base="0.9.7" version="0.9.7b" date="20030410"/>
     <fixed base="0.9.6" version="0.9.6j" date="20030410"/>
     <description>
@@ -2338,7 +2338,7 @@ multiplication algorithms ("Karatsuba" and normal).
     <affects base="0.9.7" version="0.9.7b"/>
     <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
     <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030930.txt"/>
+    <advisory url="/news/secadv/20030930.txt"/>
     <reported source="NISCC"/>
     <description>
 An integer overflow could allow remote attackers to cause a denial of
@@ -2365,7 +2365,7 @@ values.
     <affects base="0.9.6" version="0.9.6j"/>
     <fixed base="0.9.6" version="0.9.6k" date="20030930"/>
     <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030930.txt"/>
+    <advisory url="/news/secadv/20030930.txt"/>
     <reported source="NISCC"/>
     <description>
 Incorrect tracking of the number of characters in certain
@@ -2381,7 +2381,7 @@ read past the end of a buffer when the long form is used.
     <affects base="0.9.7" version="0.9.7a"/>
     <affects base="0.9.7" version="0.9.7b"/>
     <fixed base="0.9.7" version="0.9.7c" date="20030930"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030930.txt"/>
+    <advisory url="/news/secadv/20030930.txt"/>
     <reported source="NISCC"/>
     <description>
 Certain ASN.1 encodings that were rejected as invalid by the parser could
@@ -2394,7 +2394,7 @@ corrupting the stack, leading to a crash.
     <cve name="2003-0851"/>
     <affects base="0.9.6" version="0.9.6k"/>
     <fixed base="0.9.6" version="0.9.6l" date="20031104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20031104.txt"/>
+    <advisory url="/news/secadv/20031104.txt"/>
     <reported source="Novell"/>
     <description> 
 A flaw in OpenSSL 0.9.6k (only) would cause certain ASN.1 sequences to
@@ -2425,7 +2425,7 @@ SSL/TLS enabled server which is configured to accept them.
     <affects base="0.9.7" version="0.9.7c"/>
     <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
     <fixed base="0.9.6" version="0.9.6m" date="20040317"/>
-    <advisory url="http://www.openssl.org/news/secadv_20040317.txt"/>
+    <advisory url="/news/secadv/20040317.txt"/>
     <reported source="OpenSSL group"/>
     <description> 
 The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the
@@ -2441,7 +2441,7 @@ OpenSSL library in such a way as to cause a crash.
     <affects base="0.9.6" version="0.9.6a"/>
     <affects base="0.9.6" version="0.9.6b"/>
     <affects base="0.9.6" version="0.9.6c"/>
-    <advisory url="http://www.openssl.org/news/secadv_20030317.txt"/>
+    <advisory url="/news/secadv/20030317.txt"/>
     <reported source="OpenSSL group"/>
     <description>
 The Codenomicon TLS Test Tool found that some unknown message types
@@ -2457,7 +2457,7 @@ of service (infinite loop).
     <affects base="0.9.7" version="0.9.7c"/>
     <fixed base="0.9.7" version="0.9.7d" date="20040317"/>
     <reported source="OpenSSL group (Stephen Henson)"/>
-    <advisory url="http://www.openssl.org/news/secadv_20040317.txt"/>
+    <advisory url="/news/secadv/20040317.txt"/>
     <description>
 A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites.
 A remote attacker could perform a carefully crafted SSL/TLS handshake
@@ -2530,7 +2530,7 @@ distribution.
     <fixed base="0.9.7" version="0.9.7h" date="20051011"/>
     <fixed base="0.9.8" version="0.9.8a" date="20051011"/>
 
-    <advisory url="http://www.openssl.org/news/secadv_20051011.txt"/>
+    <advisory url="/news/secadv/20051011.txt"/>
     <reported source="researcher"/>
 
     <description>
@@ -2573,7 +2573,7 @@ downgrade to SSL 2.0 even if both parties support better protocols.
     <fixed base="0.9.7" version="0.9.7k" date="20060905"/>
     <fixed base="0.9.8" version="0.9.8c" date="20060905"/>
 
-    <advisory url="http://www.openssl.org/news/secadv_20060905.txt"/>
+    <advisory url="/news/secadv/20060905.txt"/>
     <reported source="openssl"/>
 
     <description>
@@ -2605,7 +2605,7 @@ verified by OpenSSL.
     <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
     <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
 
-    <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
+    <advisory url="/news/secadv/20060928.txt"/>
     <reported source="openssl"/>
 
     <description>
@@ -2650,7 +2650,7 @@ consumes system memory
     <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
     <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
 
-    <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
+    <advisory url="/news/secadv/20060928.txt"/>
     <reported source="openssl"/>
 
     <description>
@@ -2695,7 +2695,7 @@ service attack.
     <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
     <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
 
-    <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
+    <advisory url="/news/secadv/20060928.txt"/>
     <reported source="openssl"/>
 
     <description>
@@ -2740,7 +2740,7 @@ application that uses this function and overrun a buffer.
     <fixed base="0.9.7" version="0.9.7l" date="20060928"/>
     <fixed base="0.9.8" version="0.9.8d" date="20060928"/>
 
-    <advisory url="http://www.openssl.org/news/secadv_20060928.txt"/>
+    <advisory url="/news/secadv/20060928.txt"/>
     <reported source="openssl"/>
 
     <description>
@@ -2759,7 +2759,7 @@ server, that server could cause the client to crash.
     <affects base="0.9.8" version="0.9.8d"/>
     <affects base="0.9.8" version="0.9.8e"/>
     <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
-    <advisory url="http://www.openssl.org/news/secadv_20071012.txt"/>
+    <advisory url="/news/secadv/20071012.txt"/>
     <reported source="Andy Polyakov"/>
 
     <description>
@@ -2779,7 +2779,7 @@ not been verified.
     <affects base="0.9.8" version="0.9.8d"/>
     <affects base="0.9.8" version="0.9.8e"/>
     <fixed base="0.9.8" version="0.9.8f" date="20071012"/>
-    <advisory url="http://www.openssl.org/news/secadv_20071012.txt"/>
+    <advisory url="/news/secadv/20071012.txt"/>
     <reported source="Moritz Jodeit"/>
 
     <description>
@@ -2793,7 +2793,7 @@ only when applications are compiled for debugging.
 
   <issue public="20071129">
     <cve name="2007-5502"/>
-    <advisory url="http://www.openssl.org/news/secadv_20071129.txt"/>
+    <advisory url="/news/secadv/20071129.txt"/>
     <reported source="Geoff Lowe"/>
 
     <description>
@@ -2810,7 +2810,7 @@ randomness.
     <affects base="0.9.8" version="0.9.8f"/>
     <affects base="0.9.8" version="0.9.8g"/>
     <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
-    <advisory url="http://www.openssl.org/news/secadv_20080528.txt"/>
+    <advisory url="/news/secadv/20080528.txt"/>
     <reported source="codenomicon"/>
     <description>
 Testing using the Codenomicon TLS test suite discovered a flaw in the
@@ -2826,7 +2826,7 @@ packet to a server application using OpenSSL and cause it to crash.
     <affects base="0.9.8" version="0.9.8f"/>
     <affects base="0.9.8" version="0.9.8g"/>
     <fixed base="0.9.8" version="0.9.8h" date="20080528"/>
-    <advisory url="http://www.openssl.org/news/secadv_20080528.txt"/>
+    <advisory url="/news/secadv/20080528.txt"/>
     <reported source="codenomicon"/>
     <description>
 Testing using the Codenomicon TLS test suite discovered a flaw if the
@@ -2850,7 +2850,7 @@ the client to crash.
     <affects base="0.9.8" version="0.9.8h"/>
     <affects base="0.9.8" version="0.9.8i"/>
     <fixed base="0.9.8" version="0.9.8j" date="20090107"/>
-    <advisory url="http://www.openssl.org/news/secadv_20090107.txt"/>
+    <advisory url="/news/secadv/20090107.txt"/>
     <reported source="google"/>
     <description>
 
@@ -2880,7 +2880,7 @@ vulnerable client, bypassing validation.
     <affects base="0.9.8" version="0.9.8i"/>
     <affects base="0.9.8" version="0.9.8j"/>
     <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
-    <advisory url="http://www.openssl.org/news/secadv_20090325.txt"/>
+    <advisory url="/news/secadv/20090325.txt"/>
     <description>
 The function ASN1_STRING_print_ex() when used to print a BMPString or
 UniversalString will crash with an invalid memory access if the
@@ -2896,7 +2896,7 @@ this bug, including SSL servers, clients and S/MIME software.
     <affects base="0.9.8" version="0.9.8i"/>
     <affects base="0.9.8" version="0.9.8j"/>
     <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
-    <advisory url="http://www.openssl.org/news/secadv_20090325.txt"/>
+    <advisory url="/news/secadv/20090325.txt"/>
     <reported source="Ivan Nestlerode, IBM"/>
     <description>
 The function CMS_verify() does not correctly handle an error condition
@@ -2921,7 +2921,7 @@ checked.
     <affects base="0.9.8" version="0.9.8j"/>
     <fixed base="0.9.8" version="0.9.8k" date="20090325"/>
     <reported source="Paolo Ganci"/>
-    <advisory url="http://www.openssl.org/news/secadv_20090325.txt"/>
+    <advisory url="/news/secadv/20090325.txt"/>
     <description>
 When a malformed ASN1 structure is received it's contents are freed up and
 zeroed and an error condition returned. On a small number of platforms where
@@ -2967,7 +2967,7 @@ A remote attacker could use this flaw to cause a DTLS server to crash
     <affects base="0.9.8" version="0.9.8k"/>
     <affects base="0.9.8" version="0.9.8l"/>
     <fixed base="0.9.8" version="0.9.8m" date="20100120"/>
-    <advisory url="http://www.openssl.org/news/secadv_20091111.txt"/>
+    <advisory url="/news/secadv/20091111.txt"/>
     <description>
 Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.
     </description>
@@ -3111,7 +3111,7 @@ cipher suites during the TLS handshake
     <affects base="0.9.8" version="0.9.8l"/>
     <affects base="0.9.8" version="0.9.8m"/>
     <fixed base="0.9.8" version="0.9.8n" date="20100324"/>
-    <advisory url="http://www.openssl.org/news/secadv_20100324.txt"/>
+    <advisory url="/news/secadv/20100324.txt"/>
     <reported source="Bodo Moeller and Adam Langley (Google)"/>
     <description>
 In TLS connections, certain incorrectly formatted records can cause an
@@ -3131,7 +3131,7 @@ OpenSSL client or server to crash due to a read attempt at NULL.
     <affects base="0.9.8" version="0.9.8n"/>
     <fixed base="0.9.8" version="0.9.8o" date="20100601"/>
     <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
-    <advisory url="http://www.openssl.org/news/secadv_20100601.txt"/>
+    <advisory url="/news/secadv/20100601.txt"/>
     <reported source="Ronald Moesbergen"/>
     <description>
 A flaw in the handling of CMS structures containing OriginatorInfo was found which 
@@ -3144,7 +3144,7 @@ disabled by default in OpenSSL 0.9.8 versions.
     <cve name="2010-1633"/>
     <affects base="1.0.0" version="1.0.0"/>
     <fixed base="1.0.0" version="1.0.0a" date="20100601"/>
-    <advisory url="http://www.openssl.org/news/secadv_20100601.txt"/>
+    <advisory url="/news/secadv/20100601.txt"/>
     <reported source="Peter-Michael Hager"/>
     <description>
 An invalid Return value check in pkey_rsa_verifyrecover was
@@ -3176,7 +3176,7 @@ an error code.  This could lead to an information leak.
     <affects base="1.0.0" version="1.0.0a"/>
     <fixed base="1.0.0" version="1.0.0b" date="20101116"/>
     <fixed base="0.9.8" version="0.9.8p" date="20101116"/>
-    <advisory url="http://www.openssl.org/news/secadv_20101116.txt"/>
+    <advisory url="/news/secadv/20101116.txt"/>
     <reported source="Rob Hulswit"/>
     <description>
 
@@ -3196,7 +3196,7 @@ affected.
     <affects base="1.0.0" version="1.0.0a"/>
     <affects base="1.0.0" version="1.0.0b"/>
     <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
-    <advisory url="http://www.openssl.org/news/secadv_20101202.txt"/>
+    <advisory url="/news/secadv/20101202.txt"/>
     <reported source="Sebastian Martini"/>
     <description>
 An error in OpenSSL's experimental J-PAKE implementation which could
@@ -3230,7 +3230,7 @@ J-PAKE to be experimental and is not compiled by default.
     <affects base="1.0.0" version="1.0.0b"/>
     <fixed base="1.0.0" version="1.0.0c" date="20101202"/>
     <fixed base="0.9.8" version="0.9.8q" date="20101202"/>
-    <advisory url="http://www.openssl.org/news/secadv_20101202.txt"/>
+    <advisory url="/news/secadv/20101202.txt"/>
     <reported source="Martin Rex"/>
     <description>
 A flaw in the OpenSSL SSL/TLS server code where an old bug workaround
@@ -3251,7 +3251,7 @@ applications enable this by using the SSL_OP_ALL option).
     <affects base="1.0.0" version="1.0.0c"/>
     <affects base="1.0.0" version="1.0.0d"/>
     <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
-    <advisory url="http://www.openssl.org/news/secadv_20110906.txt"/>
+    <advisory url="/news/secadv/20110906.txt"/>
     <reported source="Kaspar Brand"/>
     <description>
 Under certain circumstances OpenSSL's internal certificate
@@ -3290,7 +3290,7 @@ checking (such as Apache) are not affected.
     <affects base="1.0.0" version="1.0.0c"/>
     <affects base="1.0.0" version="1.0.0d"/>
     <fixed base="1.0.0" version="1.0.0e" date="20110906"/>
-    <advisory url="http://www.openssl.org/news/secadv_20110906.txt"/>
+    <advisory url="/news/secadv/20110906.txt"/>
     <reported source="Adam Langley"/>
     <description>
 OpenSSL server code for ephemeral ECDH ciphersuites is not
@@ -3331,7 +3331,7 @@ enabled in the configuration.
     <affects base="1.0.0" version="1.0.0e"/>
     <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
     <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
+    <advisory url="/news/secadv/20120104.txt"/>
     <reported source="Nadhem Alfardan and Kenny Paterson"/>
     <description>
 OpenSSL was susceptable an extension of the 
@@ -3364,7 +3364,7 @@ decryption processing.
     <affects base="0.9.8" version="0.9.8q"/>
     <affects base="0.9.8" version="0.9.8r"/>
     <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
+    <advisory url="/news/secadv/20120104.txt"/>
     <reported source="Ben Laurie"/>
     <description>
 If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy
@@ -3402,7 +3402,7 @@ unless this flag is set. Users of OpenSSL 1.0.0 are not affected
     <affects base="1.0.0" version="1.0.0e"/>
     <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
     <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
+    <advisory url="/news/secadv/20120104.txt"/>
     <reported source="Adam Langley"/>
     <description>
 OpenSSL failed to clear the bytes used as
@@ -3440,7 +3440,7 @@ the contents of memory in some circumstances.
     <affects base="1.0.0" version="1.0.0e"/>
     <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
     <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
+    <advisory url="/news/secadv/20120104.txt"/>
     <reported source="Andrew Chi"/>
     <description>
 RFC 3779 data can be included in certificates, and if it is malformed,
@@ -3479,7 +3479,7 @@ denial-of-service attack.  Builds of OpenSSL are only vulnerable if configured w
     <affects base="1.0.0" version="1.0.0e"/>
     <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
     <fixed base="0.9.8" version="0.9.8s" date="20120104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
+    <advisory url="/news/secadv/20120104.txt"/>
     <reported source="George Kadianakis"/>
     <description>
 Support for handshake restarts for server gated cryptograpy (SGC) can
@@ -3496,7 +3496,7 @@ be used in a denial-of-service attack.
     <affects base="1.0.0" version="1.0.0d"/>
     <affects base="1.0.0" version="1.0.0e"/>
     <fixed base="1.0.0" version="1.0.0f" date="20120104"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120104.txt"/>
+    <advisory url="/news/secadv/20120104.txt"/>
     <reported source="Andrey Kulikov"/>
     <description>
 A malicious TLS client can send an invalid set of GOST parameters
@@ -3512,7 +3512,7 @@ Only users of the OpenSSL GOST ENGINE are affected by this bug.
     <affects base="1.0.0" version="1.0.0f"/>
     <fixed base="1.0.0" version="1.0.0g" date="20120118"/>
     <fixed base="0.9.8" version="0.9.8t" date="20120118"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120118.txt"/>
+    <advisory url="/news/secadv/20120118.txt"/>
     <reported source="Antonio Martin"/>
     <description>
 A flaw in the fix to CVE-2011-4108 can be exploited in a denial of
@@ -3553,7 +3553,7 @@ service attack. Only DTLS applications are affected.
     <affects base="1.0.0" version="1.0.0g"/>
     <fixed base="1.0.0" version="1.0.0h" date="20120312"/>
     <fixed base="0.9.8" version="0.9.8u" date="20120312"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120312.txt"/>
+    <advisory url="/news/secadv/20120312.txt"/>
     <reported source="Ivan Nestlerode"/>
     <description>
 A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
@@ -3583,7 +3583,7 @@ SSL/TLS applications are not affected by this issue.
     <affects base="1.0.0" version="1.0.0c"/>
     <fixed base="1.0.0" version="1.0.0d" date="20110208"/>
     <fixed base="0.9.8" version="0.9.8r" date="20110208"/>
-    <advisory url="http://www.openssl.org/news/secadv_20110208.txt"/>
+    <advisory url="/news/secadv/20110208.txt"/>
     <reported source="Neel Mehta"/>
     <description>
 A buffer over-read flaw was discovered in the way OpenSSL parsed the
@@ -3597,7 +3597,7 @@ server using the affected OpenSSL functionality.
     <cve name="2012-2131"/>
     <affects base="0.9.8" version="0.9.8v"/>
     <fixed base="0.9.8" version="0.9.8w" date="20120424"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120424.txt"/>
+    <advisory url="/news/secadv/20120424.txt"/>
     <reported source="Red Hat"/>
     <description>
 It was discovered that the fix for CVE-2012-2110 released on 19 Apr
@@ -3644,7 +3644,7 @@ contain a patch sufficient to correct CVE-2012-2110.
     <fixed base="1.0.1" version="1.0.1a" date="20120419"/>
     <fixed base="1.0.0" version="1.0.0i" date="20120419"/>
     <fixed base="0.9.8" version="0.9.8v" date="20120419"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120419.txt"/>
+    <advisory url="/news/secadv/20120419.txt"/>
     <reported source="Tavis Ormandy"/>
     <description>
 Multiple numeric conversion errors, leading to a buffer overflow, were
@@ -3697,7 +3697,7 @@ potentially, execute arbitrary code.
     <fixed base="1.0.1" version="1.0.1c" date="20120510"/>
     <fixed base="1.0.0" version="1.0.0j" date="20120510"/>
     <fixed base="0.9.8" version="0.9.8x" date="20120510"/>
-    <advisory url="http://www.openssl.org/news/secadv_20120510.txt"/>
+    <advisory url="/news/secadv/20120510.txt"/>
     <reported source="Codenomicon"/>
     <description>
 An integer underflow flaw, leading to a buffer over-read, was found in
@@ -3753,7 +3753,7 @@ peer.
     <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
     <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
     <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
-    <advisory url="http://www.openssl.org/news/secadv_20130205.txt"/>
+    <advisory url="/news/secadv/20130205.txt"/>
     <reported source="Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London"/>
     <description>
 A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could
@@ -3769,7 +3769,7 @@ arising during MAC processing.
     <affects base="1.0.1" version="1.0.1b"/>
     <affects base="1.0.1" version="1.0.1c"/>
     <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
-    <advisory url="http://www.openssl.org/news/secadv_20130205.txt"/>
+    <advisory url="/news/secadv/20130205.txt"/>
     <reported source="Adam Langley and Wolfgang Ettlinger"/>
     <description>
 A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on
@@ -3821,7 +3821,7 @@ AES-NI supporting platforms can be exploited in a DoS attack.
     <fixed base="1.0.1" version="1.0.1d" date="20130205"/>
     <fixed base="1.0.0" version="1.0.0k" date="20130205"/>
     <fixed base="0.9.8" version="0.9.8y" date="20130205"/>
-    <advisory url="http://www.openssl.org/news/secadv_20130205.txt"/>
+    <advisory url="/news/secadv/20130205.txt"/>
     <reported source="Stephen Henson"/>
     <description>
 A flaw in the OpenSSL handling of OCSP response verification can be exploited in
@@ -3968,7 +3968,7 @@ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     <affects base="1.0.1" version="1.0.1f"/>
     <fixed base="1.0.1" version="1.0.1g" date="20140409">
     </fixed>
-    <advisory url="http://www.openssl.org/news/secadv_20140407.txt"/>
+    <advisory url="/news/secadv/20140407.txt"/>
     <reported source="Neel Mehta"/>
     <description>
 A missing bounds check in the handling of the TLS heartbeat extension can be
@@ -4037,7 +4037,7 @@ issue did not affect versions of OpenSSL prior to 1.0.1.
     by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
     modify traffic from the attacked client and server.
   </description>
-  <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
+  <advisory url="/news/secadv/20140605.txt"/>
   <reported source="KIKUCHI Masashi (Lepidum Co. Ltd.)"/>
 </issue>
 
@@ -4096,7 +4096,7 @@ issue did not affect versions of OpenSSL prior to 1.0.1.
   <fixed base="0.9.8" version="0.9.8za" date="20140605">
   </fixed>
   <description>By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.</description>
-  <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
+  <advisory url="/news/secadv/20140605.txt"/>
   <reported source="Imre Rad (Search-Lab Ltd.)"/>
 </issue>
 
@@ -4143,7 +4143,7 @@ issue did not affect versions of OpenSSL prior to 1.0.1.
   to an OpenSSL DTLS client or server. This is potentially exploitable to
   run arbitrary code on a vulnerable client or server.  Only applications using OpenSSL as a DTLS client or server affected.
   </description>
-  <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
+  <advisory url="/news/secadv/20140605.txt"/>
   <reported source="J?ri Aedla"/>
 </issue>
 
@@ -4177,7 +4177,7 @@ issue did not affect versions of OpenSSL prior to 1.0.1.
 cause a denial of service via a NULL pointer dereference.  This flaw
 only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
 enabled, which is not the default and not common.</description>
-  <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
+  <advisory url="/news/secadv/20140605.txt"/>
 </issue>
 
 <issue public="20140408">
@@ -4211,7 +4211,7 @@ attackers to inject data across sessions or cause a denial of service.
 This flaw only affects multithreaded applications using OpenSSL 1.0.0
 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
 default and not common.</description>
-  <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
+  <advisory url="/news/secadv/20140605.txt"/>
 </issue>
 
 <issue public="20140530">
@@ -4271,7 +4271,7 @@ default and not common.</description>
   <description>OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
   denial of service attack.</description>
   <reported source="Felix Gr?bert and Ivan Fratri? (Google)"/>
-  <advisory url="http://www.openssl.org/news/secadv_20140605.txt"/>
+  <advisory url="/news/secadv/20140605.txt"/>
 </issue>
 
 </security>
diff --git a/news/vulnerabilities.xsl b/news/vulnerabilities.xsl
deleted file mode 100644
index 375f3c6..0000000
--- a/news/vulnerabilities.xsl
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0"?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-  <xsl:output indent="yes" encoding="UTF-8" method="xml" omit-xml-declaration="yes"/>
-
-<xsl:include href="./vulnerabilitiesdates.xsl"/>
-
-<xsl:key name="unique-date" match="@public" use="substring(.,1,4)"/>
-<xsl:key name="unique-base" match="@base" use="."/>
-
-<xsl:template match="security">
-  <xsl:text>## Do not edit this file, instead edit vulnerabilities.xml
-## then create it using
-## xsltproc vulnerabilities.xsl vulnerabilities.xml 
-##
-
-</xsl:text>
-  <xsl:text>#use wml::openssl area=news page=vulnerabilities
-
-</xsl:text>
-<title>OpenSSL vulnerabilities</title>
-
-<h1>OpenSSL vulnerabilities</h1>
-
-<h2>Reporting a security vulnerability</h2>
-
-<p>If you think you have found a security vulnerability then please send
-  it to the OpenSSL team using the private security list
-  <a href="mailto:openssl-security at openssl.org">openssl-security at openssl.org</a>.
-  Encrypting your report is not necessary, but you can either use the
-  <a href="openssl-security.asc">team PGP key</a>. If you wish to
-  limit the initial disclosure, send it encrypted to specific team
-  members.</p>
-
-<p>Any mail sent to that address that is not about a security vulnerability will be ignored.  In general, bugs that are only present in the openssl
-  command-line utility are not considered security issues.</p>
-
-<h2>Notification of security vulnerabilities</h2>
-
-<p>Please read the <a href="../about/secpolicy.html">OpenSSL Security Policy</a>.</p>
-
-<p>To get notified when an OpenSSL update addresses a security vulnerability please subscribe to the
-<a href="https://www.openssl.org/support/community.html">openssl-announce mailing list</a></p>
-
-<h2>Security vulnerabilities and advisories</h2>
-
-<p>This section lists all security vulnerabilities fixed in released
-versions of OpenSSL since 0.9.6a was released on 5th April 2001.
-</p>
-<p>Note: OpenSSL 0.9.6 versions and 0.9.7 versions are no longer supported and will not 
-receive security updates</p>
-
-<xsl:for-each select="issue/@public[generate-id()=generate-id(key('unique-date',substring(.,1,4)))]">
-  		  <xsl:sort select="." order="descending"/>
-<xsl:variable name="year" select="substring(.,1,4)"/>
-<h2><xsl:value-of select="$year"/></h2>
-             <dl>
-                <xsl:apply-templates select="../../issue[substring(@public,1,4)=$year]">
-                  <xsl:sort select="./@public" order="descending"/>
-	        </xsl:apply-templates>
-             </dl>
-        </xsl:for-each>
-</xsl:template>
-
-<xsl:template match="issue">
-  <dt>
-  <xsl:apply-templates select="cve"/>
-  <xsl:if test="impact/@severity">
-    [<xsl:value-of select="impact/@severity"/> severity]
-  </xsl:if>
-<xsl:call-template name="dateformat">
-  <xsl:with-param name="date" select="@public"/>
-</xsl:call-template>
-<p/>
-</dt><dd>
-  <xsl:copy-of select="description"/>
-  <xsl:if test="advisory/@url">
-    <a href="{advisory/@url}">(original advisory)</a><xsl:text>. </xsl:text>
-  </xsl:if>
-  <xsl:if test="reported/@source">
-    Reported by <xsl:value-of select="reported/@source"/>.
-  </xsl:if>
-  </dd>
-  <p/>
-    <xsl:for-each select="fixed">
-      <dd>Fixed in OpenSSL  
-      <xsl:value-of select="@version"/>
-      <xsl:if test="git/@hash">
-	<xsl:text> </xsl:text><a href="https://github.com/openssl/openssl/commit/{git/@hash}">(git commit)</a><xsl:text> </xsl:text>
-      </xsl:if>
-      <xsl:variable name="mybase" select="@base"/>
-      <xsl:for-each select="../affects[@base=$mybase]|../maybeaffects[@base=$mybase]">
-        <xsl:sort select="@version" order="descending"/>
-            <xsl:if test="position() =1">
-              <xsl:text> (Affected </xsl:text>
-            </xsl:if>
-            <xsl:value-of select="@version"/>
-            <xsl:if test="name() = 'maybeaffects'">
-              <xsl:text>?</xsl:text>
-            </xsl:if>
-            <xsl:if test="position() != last()">
-              <xsl:text>, </xsl:text>
-            </xsl:if>
-            <xsl:if test="position() = last()">
-              <xsl:text>) </xsl:text>
-            </xsl:if>
-      </xsl:for-each>
-      </dd>
-    </xsl:for-each>
-  <p/>
-</xsl:template>
-
-<xsl:template match="cve">
-<xsl:if test="@name != ''">
-<b><a name="{@name}">
-<xsl:if test="@description = 'full'">
-The Common Vulnerabilities and Exposures project
-has assigned the name 
-</xsl:if>
-<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-{@name}">CVE-<xsl:value-of select="@name"/>: </a>
-<xsl:if test="@description = 'full'">
- to this issue.
-</xsl:if>
-</a></b>
-</xsl:if>
-</xsl:template>
-</xsl:stylesheet>
-
-
diff --git a/news/vulnerabilitiesdates.xsl b/news/vulnerabilitiesdates.xsl
deleted file mode 100644
index 80364c5..0000000
--- a/news/vulnerabilitiesdates.xsl
+++ /dev/null
@@ -1,54 +0,0 @@
-<?xml version="1.0"?>
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
-
-<xsl:template name="dateformat">
-
-  <xsl:param name="date" select="."/>
-
-  <xsl:variable name="day" select="number(substring($date,7,2))"/>
-  <xsl:variable name="month" select="number(substring($date,5,2))"/>
-  <xsl:variable name="year" select="number(substring($date,1,4))"/>
-  
-  <xsl:if test="$day &gt; 0"> 
-  <xsl:value-of select="$day" />
-  
-    <xsl:choose>
-      <xsl:when test="$day=1 or $day=21 or $day=31">st</xsl:when>
-      <xsl:when test="$day=2 or $day=22">nd</xsl:when>
-      <xsl:when test="$day=3 or $day=23">rd</xsl:when>
-      <xsl:otherwise>th</xsl:otherwise>
-    </xsl:choose>
-    
-    <xsl:text> </xsl:text>
-  </xsl:if>
-
-  <xsl:call-template name="whatmonth">
-  <xsl:with-param name="month" select="$month"/>
-  </xsl:call-template>
-  
-  <xsl:if test="$year&gt;0">
-    <xsl:text> </xsl:text>
-    <xsl:value-of select="$year"/>
-    </xsl:if>
-    
-</xsl:template>
-
-<xsl:template name="whatmonth">
-<xsl:param name="month" select="."/>
-  <xsl:choose>
-    <xsl:when test="$month=01">January</xsl:when>
-    <xsl:when test="$month=02">February</xsl:when>
-    <xsl:when test="$month=03">March</xsl:when>
-    <xsl:when test="$month=04">April</xsl:when>
-    <xsl:when test="$month=05">May</xsl:when>
-    <xsl:when test="$month=06">June</xsl:when>
-    <xsl:when test="$month=07">July</xsl:when>
-    <xsl:when test="$month=08">August</xsl:when>
-    <xsl:when test="$month=09">September</xsl:when>
-    <xsl:when test="$month=10">October</xsl:when>
-    <xsl:when test="$month=11">November</xsl:when>
-    <xsl:when test="$month=12">December</xsl:when>
-  </xsl:choose>
-</xsl:template>
-
-</xsl:stylesheet>
diff --git a/openssl.wml b/openssl.wml
deleted file mode 100644
index 2adc21b..0000000
--- a/openssl.wml
+++ /dev/null
@@ -1,603 +0,0 @@
-##
-##  openssl.wml -- WML Template for the www.openssl.org website
-##  Written by Ralf S. Engelschall <rse at engelschall.com>
-##
-##  Usage: #use wml::openssl area=<area_name> [page=<page_name>]
-##
-
-#use wml::std::tags
-#use wml::std::info
-#use wml::des::navbar
-#use wml::des::space
-
-##
-##  The Global Page Layout
-##
-
-#   start of page header
-[PAGE_HEAD:\
-<html>
-<head>
-
-#   insert information about the webpage
-<info style=comment domainname="openssl.org"
-      copyright="1998-2014 The OpenSSL Project, http://www.openssl.org/">
-<info style=meta domainname="openssl.org"
-      copyright="1998-2014 The OpenSSL Project, http://www.openssl.org/">
-
-#   insert overideable title container
-<title*>OpenSSL: {#PAGE_TITLE#}</title*>
-#   predefine it to show errors
-..PAGE_TITLE!>>Error: Undefined Title !!<<..
-#   define override tag
-<define-tag title endtag=required>
-..PAGE_TITLE>>%body<<..
-</define-tag>
-
-#   define a style-sheet for adjusting some HTML layouting things
-#   to conform to some typographically stronger conventions.
-<style type="text/css"><!--
-BODY      { position: absolute; left: 0px; top: 0px; background: #666699; }
-A         { text-decoration: none; font-weight: bold; }
-A:link    { text-decoration: none; font-weight: bold; color: #666699; }
-A:visited { text-decoration: none; font-weight: bold; color: #666699; }
-A:hover   { text-decoration: none; font-weight: bold; color: #666699; text-decoration: underline; }
-\#red { color: #cc3333; }
-\#sf  { font-family: arial,helvetica; font-variant: normal; font-style: normal; }
-\#sfl { font-weight: bold; font-family: arial,helvetica; font-size: 16pt; \
-        line-height: 16pt; font-variant: normal; font-style: normal; }
-H1    { font-weight: bold; font-size: 18pt; line-height: 18pt; \
-        font-family: arial,helvetica; font-variant: normal; font-style: normal; }
-H2    { font-weight: bold; font-size: 14pt; line-height: 14pt; \
-        font-family: arial,helvetica; font-variant: normal; font-style: normal; }
-H3    { font-weight: bold; font-size: 12pt; line-height: 12pt; \
-        font-family: arial,helvetica; font-variant: normal; font-style: normal; }
---></style>
-
-#   end of header and start of physical body
-#   (use additionally use colors here for older browsers)
-</head>
-<body link="#6666cc" alink="#6666cc" vlink="#6666cc" bgcolor="#666699" text="#000000"
-      marginheight=0 leftmargin=0 rightmargin=0 topmargin=0>
-
-#   now define the page layout by a nested table
-#   structure consisting of a 5x5 cell grid.
-<table width=100% cellspacing=0 cellpadding=0 border=0>
-  #   visually: the top line of the page
-  <tr>\
-    <td align=left width=100 bgcolor="#666699"><img src="$(IMG)/page-head-tl.jpg" alt="OpenSSL"></td>\
-    <td align=left colspan=2 width=600 bgcolor="#666699"><img src="$(IMG)/page-head-tm.jpg" alt=""></td>\
-    <td align=right width=20 bgcolor="#666699">&nbsp;&nbsp;&nbsp;</td>\
-    <td align=right width=50 bgcolor="#666699">&nbsp;</td>\
-  </tr>
-  #   visually: the top of the white body with the subnavbar
-  <tr>\
-    <td align=left width=100><img src="$(IMG)/page-head-bl.jpg"></td>\
-    <td align=left width=20><img src="$(IMG)/page-head-bm.jpg"></td>\
-    <td align=left width=100% bgcolor="#ffffff">\
-        {#PAGE_SUBNAVBAR#}\
-    </td>\
-    <td align=right width=20><img src="$(IMG)/page-corner-tr.gif"></td>\
-    <td align=right width=50 bgcolor="#666699">&nbsp;</td>\
-  </tr>
-  #   visually: the left main navigation bar and the white body
-  <tr>\
-    <td align=left valign=top width=100 bgcolor="#666699">{#PAGE_NAVBAR#}</td>\
-    <td align=left valign=top width=20  bgcolor="#ffffff">&nbsp;</td>\
-    <td align=left valign=top bgcolor="#ffffff">\
-        <br>
-        :PAGE_HEAD][PAGE_BODY:
-        {#PAGE_BODY#}
-        :PAGE_BODY][PAGE_FOOT:\
-    </td>\
-    <td align=right width=20 bgcolor="#ffffff">&nbsp;&nbsp;&nbsp;</td>\
-    <td align=right width=50 bgcolor="#666699">&nbsp;</td>\
-  </tr>
-  #   visually: the bottom of the white body
-  <tr>\
-    <td align=left valign=top width=100 bgcolor="#666699">&nbsp;</td>\
-    <td align=left width=20><img src="$(IMG)/page-corner-bl.gif"></td>\
-    <td align=left valign=top bgcolor="#ffffff">&nbsp;</td>\
-    <td align=right width=20><img src="$(IMG)/page-corner-br.gif"></td>\
-    <td align=right width=50 bgcolor="#666699">&nbsp;</td>\
-  </tr>
-  #   visually: the bottom of the page (only for esthetical
-  #   reasons, i.e. the page doesn't end with the white body)
-  <tr>\
-    <td colspan=5 bgcolor="#666699">&nbsp;</td>\
-  </tr>
-</table>
-
-#   the physical end of the body
-</body>
-</html>
-:PAGE_FOOT]
-
-##
-##  The main Navigation Bar [left, vertically]
-##
-
-#   define the navigation bar through a grammar
-<navbar:define name=navbar imgstar="n:s:s"
-               imgbase="$(IMG)" urlbase="$(ROOT)">
-  #   bar header
-  <navbar:header>
-  </navbar:header>
-  #   button prolog
-  <navbar:prolog>
-    <tr><td>
-  </navbar:prolog>
-  #   the buttons itself
-  <navbar:button id=title    url="."      txt="Home"        img=page-navbar-ti-*.jpg>
-  <navbar:button id=source   url=source/  txt="Download"       img=page-navbar-so-*.jpg>
-  <navbar:button id=about    url=about/   txt="About"        img=page-navbar-ab-*.jpg>
-  <navbar:button id=news     url=news/    txt="News"         img=page-navbar-ne-*.jpg>
-  <navbar:button id=FAQ      url=support/faq.html   txt="FAQ"          img=page-navbar-fq-*.jpg>
-  <navbar:button id=docs     url=docs/    txt="Documents"    img=page-navbar-do-*.jpg>
-  <navbar:button id=support  url=support/ txt="Support"      img=page-navbar-su-*.jpg>
-  #   button epilog
-  <navbar:epilog>
-    </td></tr>
-  </navbar:epilog>
-  #   bar footer
-  <navbar:footer>
-  </navbar:footer>
-</navbar:define>
-
-#   and then immediately render it into its layout location
-#   (Hint: The top and buttom images have to be part of the table
-#   structure because only this way we can put them 0pt to the
-#   buttons without a gap)
-..PAGE_NAVBAR>>\
-  <table cellspacing=0 cellpadding=0 border=0>\
-    <tr><td><img src="$(IMG)/page-navbar-top.jpg"></td></tr>
-    #   render it!
-    <navbar:render name=navbar select=$(area) $(page:+subselected)>
-    <tr><td><img src="$(IMG)/page-navbar-bot.jpg"><br><p></td></tr>
-  </table>
-<<..
-
-##
-##  The Sub Navigation Bar (SNB) [top, horizontally]
-##
-
-#   define the <snb>...</snb> container tag
-<define-tag snb endtag=required>
-  #   1. define the navigation bar through a grammar
-  <navbar:define name=snb urlbase="$(SNB_ROOT)"
-                 txtcol_normal="#666666" txtcol_select="#000000">
-    #   bar header
-    <navbar:header>\
-      <table cellspacing=0 cellpadding=0 border=0>
-        <tr>
-    </navbar:header>
-    #   button prolog (normal)
-    <navbar:prolog>\
-          <td><font face="Arial,Helvetica">&nbsp;
-    </navbar:prolog>
-    #   button prolog (selected)
-    <navbar:prolog type=S>\
-          <td bgcolor="#f0f0f0">&nbsp;<font face="Arial,Helvetica"><b>
-    </navbar:prolog>
-    #   ...here the <snb_button> tags will occur...
-    %body
-    #   button epilog (normal)
-    <navbar:epilog>\
-          </font>&nbsp;</td><td>|</td>
-    </navbar:epilog>
-    #   button epilog (selected)
-    <navbar:epilog type=S>\
-          </b></font>&nbsp;</td><td>|</td>
-    </navbar:epilog>
-    #   last button epilog (normal)
-    <navbar:epilog pos=last>\
-          </font>&nbsp;</td><td></td>
-    </navbar:epilog>
-    #   last button epilog (selected)
-    <navbar:epilog type=S pos=last>\
-          </b></font>&nbsp;</td><td></td>
-    </navbar:epilog>
-    #   bar footer
-    <navbar:footer>\
-        </tr>
-      </table>
-    </navbar:footer>
-  </navbar:define>
-  #   2. render the navigation bar and divert
-  #      divert it into it's final location
-  ..PAGE_SUBNAVBAR>>\
-  <navbar:render name=snb select="$(page)">\
-  <<..
-</define-tag>
-
-#   define the <snb_button> tag for the <snb> container
-#   (this is for consistency with the tag names)
-<define-tag snb_button>
-  <navbar:button %attributes>
-</define-tag>
-
-#   predefine the contents of the SNB location
-#   by diverting a whitespace character to it.
-#   This prevents the table to be folded.
-..PAGE_SUBNAVBAR!>>
-&nbsp;
-<<..
-
-#   and now the final WML trick: When the page=<page_name>
-#   attribute is specified for this template, we read in the SNB
-#   spec-file which now can use the <snb>..</snb> and
-#   <snb_button> tags to actually define and render a SNB. This
-#   is accomplished by doing some sort of a conditional #include. ;-)
-$(page:*# )$(page:+#include ")$(SNB_RC:-.wmlsnb)$(page:+")
-
-##
-##  Useful tags (for convenience purposes only)
-##
-
-#   define a <item> tag for <ul>/<ol> item similar to <li> but
-#   which is nice for URL lists like the Related area where
-#   we want a special layout.
-<define-tag item>
-<preserve name>
-<preserve url>
-<preserve aio>
-<preserve info>
-<set-var aio=*>
-<set-var %attributes>
-<li><imgdot width=1 height=18>\
-    <a href="<get-var url>"><font size=+1 face="Arial,Helvetica"><b><get-var name></b></font></a>
-    <ifeq "<get-var aio>" "" <img src="aio.gif" alt="[all-in-one]" align=absmiddle>>
-    <br>
-    <a href="<get-var url>"><font size=-1><get-var url></font></a><br>
-    <ifeq "<get-var info>" "" "" "<get-var info>">
-<restore info>
-<restore aio>
-<restore url>
-<restore name>
-</define-tag>
-
-#   define a <filelist> tag which can be used to create a file listing which
-#   is optically more compact than the stuff Apache's mod_autoindex creates.
-#   Especially the current version is marked red, too.
-<define-tag filelist>
-<pre>
-<b>   Bytes      Timestamp       Filename</b>
-<b>________ ____________________ ____________________________</b>
-<:
- at HI = ();
-open(FP, "<index.current");
-while (<FP>) {
-   s|\s*\n$||;
-   push(@HI, $_);
-}
-close(FP);
-sub ls {
-    my ($pat) = @_;
-    my (@F, @R, $f, @S, @T);
-    @F = sort { (stat($a))[9] <=> (stat($b))[9]; } (glob($pat));
-    @R = ();
-    foreach $f (@F) {
-        next if ($f =~ m|^index.*|);
-        if ('%1' ne '') {
-            if (! %1 $f) {
-                next;
-            }
-        }
-        @S = stat($f);
-        $f = "$f/" if (-d $f);
-        @T = localtime($S[9]);
-        my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
-                   'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
-             $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
-    }
-    return @R;
-}
- at L = &ls("%0");
-foreach $l (@L) {
-    next if ($l =~ m|^\s*$|);
-    $l =~ s|(\s+)(\S+[^/])(\s*\n)$|$1."<a href=\"$2\">$2</a>".$3|e;
-    $l =~ s|(\s+)(\S+/)(\s*\n)$|$1."<a href=\"$2\"><b>$2</b></a>".$3|e;
-    foreach $hi (@HI) {
-        $l =~ s|^(.*$hi.*)$|<font color="#cc3333">$1&nbsp;&nbsp;<b>[LATEST]</b></font>|;
-        $l =~ s|>($hi)<|><font color="#cc3333">$1</font><|;
-    }
-    print $l;
-}
-:>
-</pre>
-</define-tag>
-
-<define-tag rfilelist>
-<pre>
-<b>   Bytes      Timestamp       Filename</b>
-<b>________ ____________________ ____________________________</b>
-<:
- at HI = ();
-open(FP, "<index.current");
-while (<FP>) {
-   s|\s*\n$||;
-   s/#.*$//;
-   next if (/^\s*$/);
-   # If line is of form "last <regex>" look for last
-   # matching filename in the list.
-   # This means "last openssl-1*.tar.gz" will automatically
-   # mark the last version of OpenSSL as the latest without
-   # the need to manually update index.current on each release.
-   if (/^\s*last\s*(\S+)\s*$/) {
-	# Get list of all file, skip betas
-	my @list = sort grep(!/beta/, glob($1));
-	my $lastfile = pop @list;
-	push(@HI, $lastfile) if (-f $lastfile);
-   } elsif (-f $_) {
-   	push(@HI, $_);
-   }
-}
-close(FP);
-sub ls {
-    my ($pat) = @_;
-    my (@F, @R, $f, @S, @T);
-    @F = sort { (stat($b))[9] <=> (stat($a))[9]; } (glob($pat));
-    @R = ();
-    foreach $f (@F) {
-        next if ($f =~ m|^index.*|);
-        if ('%1' ne '') {
-            if (! %1 $f) {
-                next;
-            }
-        }
-        @S = stat($f);
-        $f = "$f/" if (-d $f);
-        @T = localtime($S[9]);
-        my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
-                   'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
-        push(@R, sprintf("%"."8d %"."s %"."2d %"."02d:%"."02d:%"."02d %"."d %"."s\n",
-             $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
-    }
-    return @R;
-}
- at L = &ls("%0");
-foreach $l (@L) {
-    next if ($l =~ m|^\s*$|);
-    if ($l =~ m|(\s+)(\S+[^/])(\s*\n)$|) {
-	my $h = $`.$1;
-	my $f = $2;
-	my $t = $3;
-	my $r = "<a href=\"$f\">$f</a>";
-	if (-f "$f.md5") { $r .= " (<a href=\"$f.md5\">MD5</a>)"; }
-	if (-f "$f.sha1") { $r .= " (<a href=\"$f.sha1\">SHA1</a>)"; }
-	if (-f "$f.sha256") { $r .= " (<a href=\"$f.sha256\">SHA256</a>)"; }
-	if (-f "$f.asc") { $r .= " (<a href=\"$f.asc\">PGP sign</a>)"; }
-	$l = $h.$r.$t;
-    }
-    $l =~ s|(\s+)(\S+/)(\s*\n)$|$1."<a href=\"$2\"><b>$2</b></a>".$3|e;
-    foreach $hi (@HI) {
-        $l =~ s|^(.*$hi.*)$|<font color="#cc3333">$1&nbsp;&nbsp;<b>[LATEST]</b></font>|;
-        $l =~ s|>($hi)<|><font color="#cc3333"><span class="latest">$1</span></font><|;
-    }
-    print $l;
-}
-:>
-</pre>
-</define-tag>
-
-<define-tag notes>
-<preserve minversion>
-<preserve maxversion>
-<preserve filename>
-<set-var %attributes>
-<:
-
-my $minversion = "<get-var minversion>";
-my $maxversion = "<get-var maxversion>";
-my $dirname = "<get-var dirname>";
-my $file;
-my $custompage = 0;
-
-if ($maxversion eq "") {
-	$minversion="<get-var WML_SRC_FILENAME>";
-	$minversion =~ s/^.*-(\d+\.\d+\.\d+)-.*$/$1/;
-	$maxversion = $minversion;
-} else {
-	$custompage = 1;
-}
-
-
-my $dir = defined $ENV{PODSHOME} ? "$ENV{PODSHOME}/../.." : "/var/cache/openssl/checkouts";
-if ($dirname ne "") {
-	$file = "${dir}/$dirname/NEWS";
-	$custompage = 1;
-} else {
-	$file = "${dir}/openssl-${minversion}-stable/NEWS";
-}
-# For testing
-$file = $ENV{NEWSTEST} if defined $ENV{NEWSTEST};
-if ($custompage == 0) {
-	my $brname = $minversion;
-	$brname =~ tr/./_/;
-	$brname = "OpenSSL_${brname}-stable";
-	print <<"END"
-<title>OpenSSL $minversion Release Notes.</title>
-<h1>OpenSSL $minversion Branch Release notes</h1>
-
-The major changes and known issues for the $minversion branch of the OpenSSL
-toolkit are summarised below. The contents reflect the current state of the
-<tt>NEWS</tt> file inside the git repository.
-<p>
-Additional details of changes can be found in the
-<a href="https://github.com/openssl/openssl/blob/$brname/CHANGES">
-change log.</a>.
-<p>
-The complete list of changes can be found in the
-<a href="https://github.com/openssl/openssl/commits/$brname">commit log</a>.
-<p>
-
-END
-}
-
-my $copy = 0;
-my $in_ul = 0;
-open(FP, "<$file") || die "Can't open $file";
-while (<FP>) {
-	if (/^\s*Major changes between.*(\d+\.\d+\.\d+)\D.*$/ ||
-		/^\s*Known issues in.*(\d+\.\d+\.\d+)\D.*$/) {
-		if ($1 ge $minversion && $1 le $maxversion) {
-			$copy = 1;
-			s|^(.*)$|<b>$1</b>|;
-			if ($in_ul) {
-				print "</ul>\n";
-				$in_ul = 0;
-			}
-		print;
-		next;
-		} elsif ($copy) {
-			last;
-		}
-	}
-	if ($copy) {
-		s/&/&amp;/g;
-		s/</&lt;/g;
-		s/>/&gt;/g;
-		if (s/^\s+o\s+/<li>/ && !$in_ul) {
-			print "<ul>\n";
-			$in_ul = 1;
-		}
-		s/CVE-(\d{4}-\d{4})/<a href=vulnerabilities.html#$1>CVE-$1<\/a>/g;
-	print;
-	}
-	
-}
-close(FP);
-print "</ul>";
-:>
-<restore minversion>
-<restore maxversion>
-<restore filename>
-</define-tag>
-
-#
-<define-tag newsflash>
-<preserve from>
-<preserve max>
-<preserve more>
-<set-var %attributes>
-<table width=550 cellspacing=0 cellpadding=1 border=0>
-<tr><td><font face="Arial,Helvetica"><b>Date</b></font></td> <td>&nbsp;&nbsp;&nbsp;<font face="Arial,Helvetica"><b>Newsflash</b></font></td></tr>
-<tr><td><hr noshade size=1></td> <td><hr noshade size=1></td></tr>
-<:
-    open(FP, "< <get-var from>") || die;
-    my $max = ("<get-var max>" eq '' ? 9999 : "<get-var max>");
-    @COL = (
-        '#ffffff',
-        '#f0f0f0',
-    );
-    $ncol = 1;
-    $n = 0;
-    while (<FP>) {
-        $ncol = ($ncol + 1) % 2;
-        $col  = $COL[$ncol];
-        s|="ROOT|="$(ROOT)|g;
-        if (m|^(.+?):(.+)|) {
-            print "<tr bgcolor=\"$col\">\n";
-            print "  <td align=right><font face=\"Arial,Helvetica\"><b>$1:</b></font></td> <td>&nbsp;&nbsp;$2</td>\n";
-            print "</tr>\n";
-        }
-        $n++;
-        last if ($n >= $max);
-    }
-    close(FP);
-:>
-<ifeq "<get-var more>" "" "" <group
-<tr>
-  <td>&nbsp;</td> <td align=right><a href="<get-var more>">more...</a></td>
-</tr>
->>
-</table>
-<restore more>
-<restore max>
-<restore from>
-</define-tag>
-
-#   define a <disclaimer> tag which displays the usual disclaimer stuff
-<define-tag disclaimer>
-<font face="Arial,Helvetica" size=-1>
-This software package uses strong cryptography, so even if it is created,
-maintained and distributed from liberal countries in Europe (where it is legal
-to do this), it falls under certain export/import and/or use restrictions in
-some other parts of the world.
-<p>
-PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
-SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL
-DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD.
-SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM
-THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE
-AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO
-ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS OF OPENSSL
-ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT
-IS YOUR RESPONSIBILITY.
-</font>
-<p>
-<font face="Arial,Helvetica" size=-1>
-CREDIT INFORMATION:
-This product includes cryptographic software written by Eric Young.
-This product includes software written by Tim Hudson (tjh at cryptsoft.com).
-</font>
-</define-tag>
-
-#  a tag displaying the used tools
-<define-tag website-tools>
-<font face="Arial,Helvetica" size=-1>
-Website designed by
-<a href="http://www.engelschall.com/">Ralf S. Engelschall</a>
-and generated with
-<a href="http://thewml.org/"><font color="#000000">
-Website META Language</font></a> (WML).<br>
-All markup code and graphics on this website
-are Copyright &copy; 1999-2014 <a href="http://www.openssl.org/">The OpenSSL Project</a>,
-All rights reserved.<br>
-This website is served by an
-<a href="http://www.apache.org/"><font color="#000000">Apache</font></a>/
-<a href="http://www.modssl.org/"><font color="#000000">mod_ssl</font></a>
-webserver environment.<br>
-</font>
-</define-tag>
-
-#  construct an absolute URL out of a relative URL
-#  (essential for the mirroring of the website!)
-<define-tag absolute>
-<:{
-    my ($cwd, $baseurl, $basedir, $subdir, $page, $url);
-
-    #   determine current working directory
-    $cwd = '<get-var WML_SRC_DIRNAME>';
-
-    #   determine base URL
-    $baseurl = '<get-var BASE_URL>' || 'file://';
-
-    #   determine base directory
-    $basedir = '<get-var BASE_DIR>' || '<get-var WML_SRC_DIRNAME>';
-    $basedir = &canonpath("$cwd/$basedir") if ($basedir !~ m|^/|);
-
-    #   determine subdir from base dir to current working dir
-    $subdir = &relpath($basedir, $cwd);
-
-    #   determine document
-    $page = '%0';
-
-    #   construct final URL
-    $url = "$baseurl/$subdir/$page";
-    $url = &canonurl($url);
-
-    #   replace this tag with the constructed URL
-    print $url;
-}:>
-</define-tag>
-
-##
-##  Finally, the layout is now rendered, so divert all
-##  following stuff (the code in the local file after the #use
-##  for this template!) into the white body area.
-##
-
-..PAGE_BODY>>
-
diff --git a/about/buglist.txt b/policies/buglist.txt
similarity index 100%
rename from about/buglist.txt
rename to policies/buglist.txt
diff --git a/policies/cla.html b/policies/cla.html
new file mode 100644
index 0000000..77ff892
--- /dev/null
+++ b/policies/cla.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Contributor Agreements</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    As we described in
+	    <a href="http://www.openssl.org/blog/blog/2015/08/01/cla/">a recent blog post</a>,
+	    we will soon require almost every
+	    contributor to have a signed Contributor License Agreement (CLA)
+	    on file.  We are following the practice of
+	    <a href="https://www.apache.org">the Apache Sofware Foundation</a>.
+	    You can see their CLA policy
+	    <a href="https://www.apache.org/licenses/#clas">here</a>.
+	  Or, you can just read the following paragraphs :)
+	  </p>
+
+	  <p>
+	  OpenSSL desires that all contributors of ideas, code, or
+	  documentation complete, sign, and submit (via postal mail, fax
+	  or email) an Individual CLA [<a href="openssl_icla.pdf">PDF</a>].
+	  The purpose of this agreement is to clearly define
+	  the terms under which intellectual property has been contributed
+	  to OpenSSL and thereby allow us to defend the project should
+	  there be a legal dispute regarding the software at some future
+	  time.</p>
+
+	  <p>
+	  The ICLA is not tied to any employer you may have, so we
+	  recommend you use a personal email address in the contact
+	  details, rather than a work address.
+	  </p>
+
+	  <p>
+	  For a corporation that has assigned employees to work on OpenSSL,
+	  a Corporate CLA [<a href="openssl_ccla.pdf">PDF</a>]
+	  is available for contributing intellectual property via
+	  the corporation, that may have been assigned as part of an
+	  employment agreement. Note that a Corporate CLA does not
+	  cover any individual contributions which are not owned by the
+	  corporation signing the CCLA.
+	  </p>
+
+	  <p>
+	  Your Full name will be published unless you provide an alternative
+	  Public name. For example if your full name is Andrew Bernard Charles
+	  Dickens, but you wish to be known as Andrew Dickens, please enter
+	  the latter as your Public name.  If you do not wish to have your
+	  name listed as a contributor, use <em>Anonymous</em>.
+	  We reserve the right to reject rude or obscene nick-names.
+	  The email address and other contact details are not published.
+	  </p>
+
+	</div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Policies</a>
+	    : <a href="">Contributor Agreements</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
+
diff --git a/policies/codingstyle.html b/policies/codingstyle.html
new file mode 100644
index 0000000..70a417e
--- /dev/null
+++ b/policies/codingstyle.html
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Coding Style</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    The plain-text document version of this document is available
+	    here:
+	    <a href="codingstyle.txt">codingstyle.txt</a>
+	    </p>
+	    <pre>
+	    <!--#include virtual="codingstyle.txt" -->
+	    </pre>
+	  </div>
+
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href="">Policies</a>
+	    : <a href="">Coding Style.</a><br/>
+	    <a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/about/codingstyle.txt b/policies/codingstyle.txt
similarity index 100%
rename from about/codingstyle.txt
rename to policies/codingstyle.txt
diff --git a/policies/index.html b/policies/index.html
new file mode 100644
index 0000000..811aea2
--- /dev/null
+++ b/policies/index.html
@@ -0,0 +1,65 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Policies</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    In this section we try to document as many of our
+	    policies and procedures as possible.
+	    We do this for two reasons:
+	    <ul>
+	      <li>
+	      First, we want to to make sure everyone knows how the project is
+	      run. For example, when we announce a forthcoming fix for a
+	      high-severity bug, the
+	      <a href="secpolicy.html">Security Policy</a> explains what
+	      that means.</li>
+	      <li>
+	      Second, it helps us be consistent. For example,
+	      the <a href="releasestrat.html">Release Strategy</a> defines the
+	      plan of record of when, and how long, various releases will be
+	      supported.</li>
+	    </ul>
+	    <p>
+	    Put another way, by being as transparent as possible,
+	    we hope to reduce the chance that people are surprised by
+	    what we do, and we hope to help maintain predictable
+	    behavior within the project.
+	    </p>
+	    <p>
+	    The <a href="roadmap.html">Roadmap</a> describes our overall
+	    goals and plans for OpenSSL. It is a living document and is
+	    expected to change over time. Objectives and dates should be
+	    considered aspirational.</p>
+	    <p>
+	    If you want to contribute code or fixes to the project,
+	    please read the <a href="codingstyle.html">Coding Style</a>
+	    page. For legal obligations of contributors, see the
+	    page on <a href="cla.html">Contributor Agreements</a>.
+	    </po>
+	  </div>
+
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href="">Policies</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/licenses/openssl_ccla.pdf b/policies/openssl_ccla.pdf
similarity index 100%
copy from licenses/openssl_ccla.pdf
copy to policies/openssl_ccla.pdf
diff --git a/licenses/openssl_icla.pdf b/policies/openssl_icla.pdf
similarity index 100%
copy from licenses/openssl_icla.pdf
copy to policies/openssl_icla.pdf
diff --git a/policies/releasestrat.html b/policies/releasestrat.html
new file mode 100644
index 0000000..1041334
--- /dev/null
+++ b/policies/releasestrat.html
@@ -0,0 +1,106 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+	<header>
+	  <h2>Release Strategy</h2>
+	  <h5>
+	    First issued 23rd December 2014<br/>
+	    Last modified 9th August 2015
+	  </h5>
+	</header>
+
+	<div class="entry-content">
+
+	  <p>
+	  As of release 1.0.0 the OpenSSL versioning scheme was improved
+	  to better meet developers' and vendors' expectations. Letter
+	  releases, such as 1.0.1a, exclusively contain bug and security
+	  fixes and no new features. Minor releases that change the
+	  last digit, e.g. 1.0.1 vs. 1.0.2, can and are likely to
+	  contain new features, but in a way that does not break binary
+	  compatibility. This means that an application compiled and
+	  dynamically linked with 1.0.0 does not need to be recompiled
+	  when the shared library is updated to 1.0.2. It should be
+	  noted that some features are transparent to the application
+	  such as the maximum negotiated TLS version and cipher suites,
+	  performance improvements and so on. There is no need to
+	  recompile applications to benefit from these features.</p>
+
+	  <p>Binary compatibility also allows other possibilities. For
+	  example, consider an application that wishes to utilize
+	  a new cipher provided in a specific 1.0.x release, but it
+	  is also desirable to maintain the application in a 1.0.0
+	  context.  Customarily this would be resolved at compile time
+	  resulting in two binary packages targeting different OpenSSL
+	  versions. However, depending on the feature, it might be
+	  possible to check for its availability at run-time, thus cutting
+	  down on the maintenance of multiple binary packages. Admittedly
+	  it takes a certain discipline and some extra coding, but we
+	  would like to encourage such practice. This is because we
+	  want to see later releases being adopted faster, because new
+	  features can improve security.</p>
+
+	  <p>With regards to current and future releases the OpenSSL
+	  project has adopted the following policy:</p>
+
+	  <ul>
+	    <li>Support for version 0.9.8 will cease on 2015-12-31. No
+	    further releases of 0.9.8 will be made after that
+	    date. Security fixes only will be applied to 0.9.8 until
+	    then.</li>
+	    <li>Support for version 1.0.0 will cease on 2015-12-31. No
+	    further releases of 1.0.0 will be made after that
+	    date. Security fixes only will be applied to 1.0.0 until
+	    then.</li>
+	  </ul>
+
+	  <p>We may designate a release as a Long Term Support (LTS)
+	  release. LTS releases will be supported for at least five years
+	  and we will specify one at least every four years. Non-LTS
+	  releases will be supported for at least two years.</p>
+
+	  <p>As implied by the above paragraphs, during the final year
+	  of support, we do not commit to anything other than security
+	  fixes. Before that, bug and security fixes will be applied
+	  as appropriate.</p>
+
+	  <ul>
+	    <li>Version 1.0.1 will be supported until 2016-12-31.</li>
+	    <li>Version 1.0.2 will be supported until 2019-12-31.</li>
+	  </ul>
+
+	  <p>At this time, we are not planning a 1.0.3 release.</p>
+
+	  <p>Version 1.1.0 will (moderately) break source compatibility
+	  (for example we will make most structures opaque etc). We
+	  expect a preview version to be available mid 2015, with an
+	  expected release by the end of 2015. Preview means that we
+	  are not planning or expecting major API changes between the
+	  preview release and the final release (but are not categorically
+	  precluding that possibility).</p>
+	</div>
+	<footer>
+	  You are here: <a href="/">Home</a>
+	  : <a href="/policies">Policies</a>
+	  : <a href="">Release Strategy</a>
+	  <br/><a href="/sitemap.txt">Sitemap</a>
+	</footer>
+      </article>
+    </div>
+    <!--#include virtual="sidebar.inc" -->
+  </div>
+</div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/policies/roadmap.html b/policies/roadmap.html
new file mode 100644
index 0000000..bf2ef63
--- /dev/null
+++ b/policies/roadmap.html
@@ -0,0 +1,421 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+	<header>
+	  <h2>Project Roadmap</h2>
+	  <h5>
+	    First issued 30th June 2014<br/>
+	    Last modified 8th August 2015
+	  </h5>
+	</header>
+
+	<div class="entry-content">
+	  <p>
+	  This document is intended to outline the OpenSSL project
+	  roadmap. It is a living document and is expected to change
+	  over time. Objectives and dates should be considered
+	  aspirational.</p>
+	  <p>
+	  The OpenSSL project is increasingly perceived as slow-moving
+	  and insular. This roadmap will attempt to address this by
+	  setting out some objectives for improvement, along with
+	  defined timescales.</p>
+
+	  <h3><a name='toc'>Table of Contents:</a></h3>
+
+	  <ol>
+	    <li><a href="#current">Current Issues</a></li>
+	    <li><a href="#objectives">Objectives</a></li>
+	    <li><a href="#forthcoming">Forthcoming Features</a></li>
+	    <li><a href="#update">Roadmap Update History</a></li>
+	  </ol></p>
+	  <p>&nbsp;</p>
+
+
+	  <h3><a name="current">Current Issues</a> <a href="#toc"><img src="/img/up.gif"/></a></h3>
+	  <p>
+	  The OpenSSL project is currently experiencing a number of issues.
+	  These are:</p>
+	  <ol>
+	    <li><em>RT Backlog</em><br/>
+	    Over a period of some considerable time open tickets have
+	    been building up in RT (our bug tracking system) to the
+	    point that now there are a very significant number of
+	    them. A large proportion of these issues have been open
+	    for years. Some of these have in fact been dealt with and
+	    should be closed, but this has not been recorded in the
+	    system. Most however have not been looked at.
+	    </li>
+	    <li><em>Incomplete/incorrect documentation</em><br/>
+	    Documentation of OpenSSL is patchy at best. Some areas are
+	    well documented, while many others suffer from incomplete
+	    or incorrect documentation. There are also many areas
+	    which have no documentation at all.
+	    </li>
+	    <li><em>Library complexity</em><br/>
+	    The OpenSSL libraries and applications are complex,
+	    both from a maintainer's perspective and from a user's
+	    perspective. The public API contains many things which
+	    should probably be internal. The code has been ported
+	    to a large number of platforms, many of which are no
+	    longer relevant to us today, and this complicates the
+	    codebase. Some parts of the code have been in place for
+	    a very long time, and are in need of a refresh. It is
+	    further complicated by the support for FIPS.
+	    This complexity causes maintenance problems, and
+	    can also be the source of obscure and difficult to spot
+	    security vulnerabilities. It can also make users' lives
+	    much more difficult especially when combined with (2)
+	    above.
+	    The current memory management code has
+	    also been a source of problems and vulnerabilities.
+	    </li>
+	    <li><em>Inconsistent coding style</em><br/>
+	    There have been numerous developers working on the codebase
+	    over many years. There are many different styles used within
+	    the code, which is confusing and makes maintenance more
+	    difficult than it should be. Even if strictly consistent,
+	    the current code layout is unusual and idiosyncratic and
+	    unlike any other open source software.
+	    </li>
+	    <li><em>Lack of code review</em><br/>
+	    We don't have a code review system and we don't mandate code
+	    reviews.
+	    </li>
+	    <li><em>No clear release plan</em><br/>
+	    Historically OpenSSL has made new feature releases on
+	    an infrequent basis and no forward plan of releases has
+	    been published. It is difficult for users to plan for new
+	    releases, and understand when new features might become
+	    available, or when support will end for a release. In
+	    addition a large number of stable releases are maintained
+	    by the OpenSSL development team - diverting effort away
+	    from the most up to date versions.
+	    </li>
+	    <li><em>No clear platform strategy</em><br/>
+	    Historically OpenSSL has supported a very wide range of
+	    platforms. Typically platform support has been added through
+	    &quot;ifdef&quot; conditional compilation on a per platform
+	    basis. This approach has led to a number of problems:
+	    <ul>
+	      <li>
+	      The code has become very cluttered and is difficult to
+	      effectively maintain</li>
+	      <li>
+	      There is support still in the code for a number of legacy
+	      platforms which are unlikely to be widely deployed today -
+	      if the code even still works on those platforms</li>
+	      <li>
+	      In practice the development team do not have access to many of
+	      the platforms that the codebase supports and testing typically
+	      takes place on a very limited set (usually Linux, FreeBSD and
+	      Windows)</li>
+	    </ul>
+	    <del>
+	      <li>
+	      <em>No published security strategy</em><br/>
+	      We do not have a well-known and published approach for how we
+	      appropriately inform all interested parties of security
+	      advisories.</li>
+	    </del>
+	  </ol>
+
+	  <p></p>
+
+	  <h3><a name="objectives">Objectives</a> <a href="#toc"><img src="/img/up.gif"/></a></h3>
+	  <p>
+	  Each of the issues identified above can be translated into
+	  high level objectives. Some of these objectives can be
+	  achieved more easily and quickly than others.</p>
+	  <p>
+	  <em>An important principle is that the priority and focus of
+	    effort will be on achieving these objectives over and above
+	    the delivery of new features.</em></p>
+
+	  <h4>RT Backlog</h4>
+	  <ol>
+	    <li>
+	    Manage all newly submitted RT tickets in a timely
+	    manner such as an initial response within four working
+	    days. (Timescale: Now)</li>
+	    <li>
+	    Reduce over time the existing RT backlog (Timescale:
+	    Ongoing). This may include the mass closure of very old
+	    tickets, such as those raised before the release of any
+	    currently supported version.
+	    <p><em>Update (8th September 2014)</em>:
+	    we have made a great deal of progress on the backlog.
+	    A <a href="ticket-activity.png">graph of ticket activity</a>
+	    is available, as is the <a href="buglist.txt">raw data</a>
+	    for every bug showing when it was open, and resolved. We
+	    will update these files periodically.</p></li>
+	  </ol>
+
+	  <h4>Incomplete/incorrect documentation</h4>
+	   <ol>
+	     <li>
+	     Provide complete documentation for all of the public
+	     API (excluding deprecated APIs) (Timescale: Within one year).
+	     </li>
+	     <li>Some parts of the API have historically been public but were
+	     not intended for public use, such as low level cipher and digest
+	     APIs. These parts may not be documented, and if they are will be
+	     marked as deprecated (Timescale: within nine months).</li>
+	     <li>This may include introducing a new documentation system.</li>
+	   </ol>
+
+	  <h4>Library complexity</h4>
+	  <ol>
+	    <li>
+	    Review and revise the public API with a view to reducing complexity
+	    (Timescale: Within one year)</li>
+	    <li>
+	    Document a platform strategy: see below (Timescale: Within three
+	    months)</li>
+	    <li>
+	    <del>Review and refactor the FIPS code to make it far less
+	    intrusive (Timescale: Within one year)</del>
+	    <br>Objective met (2015): The FIPS code has been removed from the
+	    master branch, and will be re-integrated more cleanly during
+	    a future validation.
+	    </li>
+	    <li>
+	    <del>Review and refactor the memory management code.
+	    (Timescale: Within six months)</del>
+	    <br>Objective met (2015): All use of dynamic memory allocation has
+	    been cleaned up and made consistent, and the internal memory
+	    pool has been removed.
+	    </li>
+	  </ol>
+
+	  <h4>Inconsistent coding style</h4>
+	  <ol>
+	    <li>
+	    Define a clear coding standard for the project. This will cover not
+	    only code layout but also items such as how to handle platform
+	    dependencies, unit testing and optional code. (Timescale: Within
+	    three months).</li>
+	    <li>
+	    <del>Format the entire codebase according to the agreed standard.
+	    (Timescale: Within three months of coding standard being
+	    defined).</del>
+	    <br>Objective met (2015): All release branches were
+	    reformatted using a script included in the release.
+	    </li>
+	    <li>
+	    Refactor code to follow other parts of the style guide. (Timescale:
+	    Within one year)</li>
+	  </ol>
+
+	  <h4>Code review</h4>
+	  <ol>
+	    <li>
+	    <del>
+	      Agree and implement a process such that all new commits
+	      should first be reviewed by a team member conversant
+	      with the relevant code and updated until the reviewer's
+	      issues are addressed. This is contingent on recruiting
+	      sufficient team members that reviewers are more-or-less
+	      always available. (Timescale: Within three months)
+	    </del>
+	    <br>Objective met (16th July 2014): All changes are first reviewed by 
+	    another team member prior to being committed to the public openssl 
+	    repository.
+	    </li>
+	    <li>
+	    <del>
+	      Agree on a code review system. (Timescale: Within six months)
+	    </del>
+	    <br>Objective met (2015): We use
+	    <a href="https://gitlab.com">GitLab</a>.
+	    </li>
+	  </ol>
+
+	  <h4>Audit</h4>
+	  <p>
+	  Externally audit the current code base. (Timescale: Dependent on
+	  external body)</p>
+	  <p>Update (14th October 2014):
+	  Auditors selected and funded; schedule being worked on.</p>
+
+	  <h4>Static/Dynamic Analysis</h4>
+	  <p>
+	  Regularly audit the code using appropriate analysis tools.
+	  (Timescale: Within six months)
+	  </p>
+
+	  <h4>Release Strategy</h4>
+	  <del>
+	  <p>
+	  We intend to develop a release strategy which will set out our plans
+	  for how frequently we plan to release, and when. It will also cover
+	  how long releases will be supported for, and when their EOL (End Of
+	  Life) will be. (Timescale: Within three months)</p>
+	  <p>
+	  There are a number of objectives that we would be seeking to address
+	  within the release strategy. Some of these objectives compete with
+	  each other, and so from necessity there will have to be compromises.
+	  The objectives are:
+	  <ol>
+	    <li>
+	    We need security fix releases with very low chance of breaking
+	    anything. This is largely met by prohibiting new features in stable
+	    branches (i.e. letter releases).</li>
+	    <li>
+	    If something is broken in a release a fixed version should be made
+	    available shortly afterwards (i.e. more letter releases more
+	    often)</li>
+	    <li>
+	    We need a way to get new binary compatible features into OpenSSL
+	    relatively quickly.</li>
+	    <li>
+	    We don't want to have to maintain too many branches. This is likely
+	    to include a timescale for the EOL of version 0.9.8</li>
+	    <li>
+	    We need a way to refactor code and make necessary binary
+	    incompatible changes, deprecating APIs etc.</li>
+	  </ol>
+	  </del>
+	  Objective met (2015): We have announced a
+	  <a href="releasestrat.html">release strategiy</a>
+	  which includes end-of-life and long-term support definitions.
+	  Also, our
+	  <a href="secpolicy.html">security policy</a> has relevant
+	  information.
+	  </p>
+
+	  <h4>Platform Strategy</h4>
+	  <p>
+	  Moving forward OpenSSL will adopt the following policy:</p>
+	  <ul>
+	    <li>
+	    There will be a defined set of primary platforms. The primary
+	    platforms will be Linux and FreeBSD. A primary platform is one where
+	    most development occurs.</li>
+	    <li>
+	    In addition there will be a list of secondary platforms which are
+	    supported by the development team.</li>
+	    <li>
+	    Platform specific code will be moved out of the main codebase
+	    (removing overuse of &quot;ifdef&quot;).</li>
+	    <li>
+	    Legacy platforms that are unlikely to have wide deployment will be
+	    removed from the code.</li>
+	    <li>
+	    Non-supported platforms requiring regular maintenance activities
+	    will eventually be removed from the code after first seeking
+	    community owners to support the platforms in platform specific
+	    repositories.</li>
+	  </ul>
+	  <p>
+	  Necessary criteria for a platform to be included in the secondary
+	  platform list includes:</p>
+	  <ul>
+	    <li>
+	    Currency, i.e. a platform is widely deployed and in current use</li>
+	    <li>
+	    Vendor support</li>
+	    <li>
+	    Available to the dev team, i.e. the dev team have access to a
+	    suitable environment in which to test builds and deal with tickets
+	    and issues</li>
+	    <li>
+	    Dev team ownership, i.e. at least one person on the team is willing
+	    to take some responsibility for a platform.</li>
+	  </ul>
+	  <p>
+	  In addition the secondary list will be as small as possible so as not
+	  to spread the development team too thinly.</p>
+	  <p>
+	  The secondary platforms are still to be defined but will be based on
+	  the above criteria. For each primary/secondary platform, we should
+	  have, at least, a continuous integration box and a dev machine we can
+	  access for test/debug. We will seek support from the platform vendors
+	  or the community to provide access to these platforms. The secondary
+	  platform list will change over time, but an initial list will be
+	  produced within three months.</p>
+	  <p>
+	  The Platform Strategy will be phased in over a period of time based
+	  on how quickly we can refactor the code.</p>
+
+	  <h4>Security Strategy</h4>
+	  <p>
+	  <del>
+	    We will be documenting a security strategy which will define our
+	    policy on how we make security fixes, and what (if any)
+	    pre-notification of forthcoming security releases will be provided
+	    (and to whom) (Timescale: Within two months)
+	  </del>
+	  <br>Objective met (7th September 2014): The OpenSSL security policy
+	  is available <a href="secpolicy.html">here</a>.
+	  </p>
+
+	  <h3><a name="forthcoming">Forthcoming Features</a> <a href="#toc"><img src="/img/up.gif"/></a></h3>
+	  <p>The primary focus of effort will be on achieving the
+	  objectives detailed above, however we are evaluating the following
+	  new features.</p>
+
+	  <ul>
+	    <li>IPv6 support</li>
+	    <li>AEAD updates (API review, Poly/ChaCha support, /dev/crypto
+	    operations coalescing)</li>
+	    <li>TLS 1.3.</li>
+	    <li>Certificate Transparency support</li>
+	    <li>Support for new ciphersuites e.g., CCM</li>
+	    <li>Extended SSL_CONF support</li>
+	    <li>DANE support</li>
+	    <li>Security levels (currently experimental in master)</li>
+	    <li>OCB</li>
+	    <li>FIPS code review and refactor</li>
+	    <li>Support for emerging platforms, e.g. ARMv8, POWER8</li>
+	    <li>Built-in multi-threaded support for two major threading
+	    "flavours," POSIX threads and Win32</li>
+	  </ul>
+	  <p></p>
+
+	  <h3><a name="update">Roadmap Update History</a> <a href="#toc"><img src="/img/up.gif"/></a></h3>
+	  <p>
+	  The following changes have been made since the roadmap was first 
+	  issued 30-June-2014.
+	  </p>
+	  <ul>
+	    <li>8-August-2015.
+	    Many updates, for what happened in 2015.</li>
+	    <li>14-October-2014.
+	    Updated audit; added TLS 1.3 and Certificate
+	    Transparency to features.</li>
+	    <li>8-September-2014.
+	    Updated status on the RT backlog objective.</li>
+	    <li>7-September-2014.
+	    Updated security policy section.</li>
+	    <li>16-July-2014.
+	    Updated code review section.</li>
+	    <li>1-July-2014.
+	    Noted RT is our bug tracking system.</li>
+	  </ul>
+	</div>
+	<footer>
+	  You are here: <a href="/">Home</a>
+	  : <a href="/policies"> Policies</a>
+	  : <a href="">Roadmap</a>.
+	  <br><a href="/sitemap.txt">Sitemap</a>
+	</footer>
+      </article>
+    </div>
+    <!--#include virtual="sidebar.inc" -->
+  </div>
+</div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
+
diff --git a/policies/secpolicy.html b/policies/secpolicy.html
new file mode 100644
index 0000000..832510d
--- /dev/null
+++ b/policies/secpolicy.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header>
+	    <h2>Security Policy</h2>
+	    <h5>
+	      Last modified 7th September 2014
+	    </h5>
+	</header>
+	  <div class="entry-content">
+
+	    <h2>Introduction</h2>
+
+	    <p>Recent flaws have captured the attention of the media
+	    and highlighted how much of the internet infrastructure is
+	    based on OpenSSL.  We've never published our policy on how
+	    we internally handle security issues; that process being
+	    based on experience and has evolved over the years.</p>
+
+	    <h2>Reporting security issues</h2>
+
+	    <p>
+	    We have an email address which can be used to notify
+	    us of possible security vulnerabilities.  A subset of
+	    OpenSSL team members receive this mail, and messages
+	    can be sent using PGP encryption.  Full details are at <a
+	    href="/news/vulnerabilities.html">https://www.openssl.org/news/vulnerabilities.html</a>
+	    </p>
+
+	    <p>
+	    When we are notified about an issue we engage resources
+	    within the OpenSSL team to investigate and prioritise it.
+	    We may also utilise resources from the employers of our team
+	    members, as well as others we have worked with before.
+	    </p>
+
+	    <h2>Background</h2>
+
+	    <p>
+	    Everyone would like to get advance notice of security issues
+	    in OpenSSL.  This is a complex topic and we need to set out
+	    some background with our findings:
+	    </p>
+	    <ul>
+	      <li>The more people you tell in advance the higher the
+	      likelihood that a leak will occur.  We have seen this
+	      happen before, both with OpenSSL and other projects.</li>
+
+	      <li>A huge number of products from an equally large number of
+	      organisations use OpenSSL. It's not just secure websites, you're
+	      just as likely to find OpenSSL inside your smart TV, car, or
+	      fridge.</li>
+
+	      <li>We strongly believe that the right to advance patches/info
+	      should not be based in any way on paid membership to some forum.
+	      You can not pay us to get security patches in advance.</li>
+
+	      <li>We can benefit from peer review of the patches and advisory.
+	      Keeping security issues private means they can't get the level
+	      of testing or scrutiny that they otherwise would.</li>
+
+	      <li>It is not acceptable for organisations to use advance notice
+	      in marketing as a competitive advantage.  For example "if you
+	      had bought our product/used our service you would have been
+	      protected a week ago".</li>
+
+	      <li>There are actually not a large number of serious
+	      vulnerabilities in OpenSSL which make it worth spending
+	      significant time keeping our own list of vendors we trust, or
+	      signing framework agreements, or dealing with changes, and
+	      policing the policy.  This is a significant amount of effort per
+	      issue that is better spent on other things.</li>
+
+	      <li>We have previously used third parties to handle notification
+	      for us including CPNI, oCERT, or CERT/CC, but none were
+	      suitable.</li>
+
+	      <li>It's in the best interests of the Internet as a whole to get
+	      fixes for OpenSSL security issues out quickly. OpenSSL embargoes
+	      should be measured in days and weeks, not months or years.</li>
+
+	      <li>Many sites affected by OpenSSL issues will be running a
+	      version of OpenSSL they got from some vendor (and likely bundled
+	      with an operating system).  The most effective way for these
+	      sites to get protected is to get an updated version from that
+	      vendor.  Sites who use their own OpenSSL compilations should be
+	      able to handle a quick patch and recompile once the issue is
+	      public.</li>
+	    </ul>
+
+	    <h2>Internal handling of security issues</h2>
+
+	    <p>This leads us to our policy for security issues notified
+	    to us or found by our team which are not yet public.</p>
+
+	    <p>"private" means kept within the OpenSSL development
+	    team.</p>
+
+	    <p>We will determine the risk of each issue being addressed.
+	    We will take into account our experience dealing with past
+	    issues, versions affected, common defaults, and use cases.
+	    We divide the issues into the following categories:</p>
+
+	    <ul>
+	      <li>
+	      <em>LOW Severity.</em>
+	      This includes issues such as those that only affect the
+	      openssl command line utility, unlikely configurations, or hard
+	      to exploit timing (side channel) attacks.  These will in general
+	      be fixed immediately in latest development versions, and may be
+	      backported to older versions that are still getting updates.  We
+	      will update the vulnerabilities page and note the issue CVE in
+	      the changelog and commit message, but they may not trigger new
+	      releases.</li>
+	      <li>
+	      <em>MODERATE Severity.</em>
+	      This includes issues like crashes in client applications,
+	      flaws in protocols that are less commonly used (such as DTLS),
+	      and local flaws.  These will in general be kept private until
+	      the next release, and that release will be scheduled so that it
+	      can roll up several such flaws at one time.</li>
+	      <li><em>HIGH Severity.</em>
+	      This includes issues affecting common configurations which are
+	      also likely to be exploitable.  Examples include a server DoS, a
+	      significant leak of server memory, and remote code execution.
+	      These issues will be kept private and will trigger a new release
+	      of all supported versions.  We will attempt to keep the time
+	      these issues are private to a minimum; our aim would be no
+	      longer than a month where this is something under our control,
+	      and significantly quicker if there is a significant risk or we
+	      are aware the issue is being exploited.</li>
+	    </ul>
+
+	    <p>During the investigation of issues we may work with individuals
+	    and organisations who are not on the development team.  We do this
+	    because past experience has shown that they can add value to our
+	    understanding of the issue and the ability to test patches.  In
+	    cases where protocols are affected this is the best way to
+	    mitigate the risk that a poorly reviewed update causes signficiant
+	    breakage, or to detect if issues are being exploited in the wild.
+	    We have a strict policy on what these organisations and
+	    individuals can do with the information and will review the need
+	    on a case by case basis.</p>
+
+	    <h2>Prenotification policy</h2>
+
+	    <p>Where we are planning an update that fixes security issues
+	    we will notify the openssl-announce list and update the home
+	    page to give our scheduled update release date and time and
+	    the severity of issues being fixed by the update.  No futher
+	    information about the issues will be given.  This is to aid
+	    organisations that need to ensure they have staff available
+	    to handle triaging our announcement and what it means to
+	    their organisation.</p>
+
+	    <p>For updates that include high severity issues we will
+	    also prenotify with more details and patches.  Our policy
+	    is to let the organisations that have a general purpose OS
+	    that uses OpenSSL have a few days notice in order to prepare
+	    packages for their users and feedback test results.</p>
+
+	    <p>We use the mailing list described at <a
+	    href="http://oss-security.openwall.org/wiki/mailing-lists/distros">http://oss-security.openwall.org/wiki/mailing-lists/distros</a>
+	    for this.  We may also include other organisations that
+	    would otherwise qualify for list membership.  We may
+	    withdraw notifying individual organisations from future
+	    prenotifications if they leak issues before they are public
+	    or over time do not add value (value can be added by providing
+	    feedback, corrections, test results, etc.)</p>
+
+	    <p>Finally, note that not all security issues are notified to
+	    us directly; some come from third parties such as companies
+	    that pay for vulnerabilities, some come from country CERTs.
+	    These intermediaries, or the researchers themselves, may
+	    follow a different style of notification. This is within their
+	    rights and outside of the control of the OpenSSL team.</p>
+
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Policies</a>
+	    : <a href="">Security Policy</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+  <!--#include virtual="/inc/footer.inc" -->
+  </body>
+  </html>
+
diff --git a/policies/sidebar.inc b/policies/sidebar.inc
new file mode 100644
index 0000000..8610c5f
--- /dev/null
+++ b/policies/sidebar.inc
@@ -0,0 +1,24 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Policies</a></h1>
+    <ul>
+      <li>
+	<a href="roadmap.html">Roadmap</a>
+      </li>
+      <li>
+	<a href="releasestrat.html">Release Strategy</a>
+      </li>
+      <li>
+	<a href="secpolicy.html">Security Policy</a>
+      </li>
+      <li>
+	<a href="codingstyle.html">Coding Style</a>
+      </li>
+      <li>
+        <a href="cla.html">Contributor Agreements</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
diff --git a/about/ticket-activity.png b/policies/ticket-activity.png
similarity index 100%
rename from about/ticket-activity.png
rename to policies/ticket-activity.png
diff --git a/run-changelog.pl b/run-changelog.pl
deleted file mode 100644
index c8dc392..0000000
--- a/run-changelog.pl
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/perl
-
-$|++;
-$page = '';
-$page .= $_ while (<STDIN>);
-
-$page =~ s|^.+?(Changes.+?\n+)|$1|s;
-$page =~ s|&|&amp\;|sg; # escape with useless backslash
-$page =~ s|<|&lt\;|sg;
-$page =~ s|>|&gt\;|sg;
-$page =~ s|(Changes between.+?)\n|<b>$1</b>\n|sg;
-
-print "<pre>$page</pre>";
-
-exit(0);
diff --git a/run-fundingfaq.pl b/run-fundingfaq.pl
deleted file mode 100755
index b380028..0000000
--- a/run-fundingfaq.pl
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/perl
-## read a FAQ file and pretty-print it as html
-
-$|++;
-# TOC
-$i=0; $l=""; $n=0;
-print "<ul>\n";
-print "<ol>\n";
-while (<STDIN>) {
-    escape($_);
-    last if /^=+$/;
-    next if /^\w*$/;
-    if (/^\[([^\[]+)\] (.*)/) {
-	$l=$1;
-	$n=0;
-	print "</ol>\n";
-	print "<li><a href=\"#$l\">$1</a> $2\n";
-	print "<ol>\n";
-    } elsif (/^\* (.*)/) {
-	$n++;
-	print "<li><a href=\"#$l$n\">$1</a>\n";
-    }
-}
-print "</ol>\n";
-print "</ul>\n\n";
-
-# Contents
-$l=""; $n=0; $pre=0; $snip=0;
-while (<STDIN>) {
-    next if /^=+$/;
-    if (/^----- snip:start -----/) {
-	print "<pre><listing>" unless $snip;
-	$snip=1;
-    }
-    if ($snip) {
-	escape($_);
-	print;
-    }
-    if ($snip && /^----- snip:end -----/) {
-	print "</listing></pre>";
-	$snip=0;
-	goto cont;
-    }
-    if ($snip) {
-	goto cont;
-    }
-    if (/<URL:/ and not /<URL:.*>/) {
-	chomp;
-	$_ .= <STDIN>;
-    }
-    s/<URL: *(.*?)>/\@\@\@$1\@\@\@/;
-    escape($_);
-    s|\s\*(\S+)\*\s| <i>$1</i> |;
-    s/\@\@\@(.+)\((\S+)\)\@\@\@/<a href=\"$2\">$1<\/a>/;
-    s/\@\@\@(.*?)\@\@\@/<a href=\"$1\">$1<\/a>/;
-    if (s/\((.?)\)/XX$1XX/g) {
-	while (/([A-Za-z_\.]*)XX(.?)XX/) {
-	    foreach $section ("apps", "ssl", "crypto") {
-		if (-f "../docs/$section/$1.html") {
-		    s|([A-Za-z_\.]*)XX(.?)XX|<a href=\"../docs/$section/$1.html\">$1($2)</a>|;
-		    goto found;
-		}
-	    }
-	    s/XX(.?)XX/($1)/;
-	  found:
-	}
-    }
-    if (/^\[([^\[]+)\] =+/) {
-	$l=$1;
-	$n=0;
-	print "<hr>\n";
-	print "<h2>[<a name=\"$l\">$1</a>]</h2>\n";
-    } elsif (/^\* (.*)/) {
-	$n++;
-	print "\n<h2><i><a name=\"$l$n\">$n. $1</a></i></h2>\n";
-    } elsif (/^$/) {
-	print "<p>";
-    } elsif (/^ /) {
-	print "<pre>" unless $pre;
-	$pre=1;
-	print;
-    } else {
-	print "</pre>\n" if $pre;
-	$pre=0;
-	print;
-    }
-  cont:
-}
-
-exit(0);
-
-sub escape
-{
-    s/\&/\&amp;/g;
-    s/\</\&lt;/g;
-    s/\>/\&gt;/g;
-}
diff --git a/sidebar.inc b/sidebar.inc
new file mode 100644
index 0000000..1b3d6b6
--- /dev/null
+++ b/sidebar.inc
@@ -0,0 +1,31 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Home</a></h1>
+    <ul>
+      <li>
+        <a href="source">Downloads: Source code</a>
+      </li>
+      <li>
+        <a href="docs">Docs: FAQ, FIPS, manpages, ...</a>
+      </li>
+      <li>
+        <a href="news">News: Latest information</a>
+      </li>
+      <li>
+        <a href="policies">Policies: How we operate</a>
+      </li>
+      <li>
+        <a href="community">Community: Blog, bugs, email, ...</a>
+      </li>
+      <li>
+        <a href="support">Support: Commercial support and contracting</a>
+      </li>
+      <li>
+        <a href="support/acks.html">Sponsor Acknowledgements</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
+
diff --git a/source/.gitignore b/source/.gitignore
deleted file mode 100644
index 24294ee..0000000
--- a/source/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-*.html
-*.gz
-*.gz.asc
-*.gz.md5
-*.gz.sha1
-*.tar.gz.sig
-*.patch
diff --git a/source/.wmlrc b/source/.wmlrc
deleted file mode 100644
index ab44064..0000000
--- a/source/.wmlrc
+++ /dev/null
@@ -1,10 +0,0 @@
-##
-##  .wmlrc -- Local RC file for WML
-##
-
-#   define where the URL root of the Sub Navigation Bar (SNB) 
-#   is located [SNB_ROOT] and where it's buttons are defined [SNB_RC]
--DSNB_ROOT~.
--DSNB_RC=.wmlsnb
--I.
-
diff --git a/source/.wmlsnb b/source/.wmlsnb
deleted file mode 100644
index e9cfd83..0000000
--- a/source/.wmlsnb
+++ /dev/null
@@ -1,12 +0,0 @@
-##
-##  .wmlsnb -- Sub Navigation Bar Specification for WML
-##
-
-<snb>
-  <snb_button id=tarballs txt="Tarballs"     url=".">
-  <snb_button id=license  txt="License"      url="license.html">
-  <snb_button id=rt       txt="Bugs"     url="/support/rt.html">
-  <snb_button id=repos    txt="Repository"   url="repos.html">
-  <snb_button id=mirror   txt="Mirror"       url="mirror.html">
-</snb>
-
diff --git a/source/gitrepo.html b/source/gitrepo.html
new file mode 100644
index 0000000..2077ae7
--- /dev/null
+++ b/source/gitrepo.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Git Repository</h2></header>
+
+	  <div class="entry-content">
+	    <p>The OpenSSL software is developed using a Git repository.
+	    Read-only access to the repository is available at
+	    git.openssl.org. We also maintain a downstream clone on GitHub, at
+	    <a
+	    href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</a>
+	  on GitHub.  This repository is updated with every commit and is
+	  accessible through a number of protocols.</p>
+
+	  <p>On the OpenSSL repository we only support the <em>git</em>
+	  protocol. Use the following command to clone the git repository
+	  including all available branches and tags:
+	  <code><pre>
+
+$ git clone git://git.openssl.org/openssl.git
+	  </pre></code>
+	</p>
+
+	<p>Access to the specific branches is possible via the standard branch
+	and checkout commands. See the discussion of branch naming below for
+	more information.</p>
+
+	<p>On Windows, once the repository is cloned, you  should ensure
+	that line endings are set correctly:</p>
+
+	<code><pre>
+
+$ cd openssl
+$ git config core.autocrlf false
+$ git config core.eol lf
+$ git checkout .
+	</pre></code>
+
+	<h3>Git branch names and tagging</h3>
+
+	<p>The <em>master</em> branch, also known as the development branch,
+	contains the latest bleeding edge code. There are also several
+	<em>stable</em> branches where stable releases come from. These take
+	the form <em>OpenSSL_x_y_z-stable</em> so for example the 1.0.0 stable
+	branch is <em>OpenSSL_1_0_0-stable</em>. When an actual release is
+	made it is tagged in the form <em>OpenSSL_x_y_zp</em> or a beta
+	<em>OpenSSL_x_y_xp-betan</em> though you should normally just download
+	the release tarball. Tags and branches are occasionally used for other
+	purposes such as testing experimental or unstable code before it is
+	merged into another branch.</p>
+
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Downloads</a>
+	    : <a href="">Git Repository</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/source/index.current b/source/index.current
deleted file mode 100644
index 7f0cb26..0000000
--- a/source/index.current
+++ /dev/null
@@ -1,2 +0,0 @@
-# Set latest tarball automatically
-last openssl-1*.tar.gz
diff --git a/source/index.html b/source/index.html
new file mode 100644
index 0000000..0a84ecf
--- /dev/null
+++ b/source/index.html
@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Downloads</h2></header>
+	  <div class="entry-content">
+	    <p>Our development is maintained in a
+	    <a href="gitrepo.html">git repository</a>, which is
+	    accessible over the network and cloned on GitHub.
+	    Please familiarize yourself with the
+	    <a href="license.html">license</a>.
+	    </p>
+
+	    <p>The table below lists the latest releases for every branch.
+	    The most recent previous releases can be found at
+	    <a href="ftp://ftp.openssl.org/source/">ftp://ftp.openssl.org/source/</a>
+	    and all releases can be found at
+	    <a href="old">/source/old</a>.
+	    A list of mirror sites can be found <a href="mirror.html">here</a>.
+	    </p>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
+	    <p>When building a release for the first time, please make sure
+	    to look at the README and INSTALL files in the distribution.
+	    If you have problems, look at the FAQ, which can also be
+	    found <a href="/news/faq.html">online</a>.</p>
+
+	    <p>
+	    Each day we make a snapshot of each development branch.
+	    They can be found at
+	    <a href="ftp://ftp.openssl.org/snapshot/">ftp://ftp.openssl.org/snapshot/</a>.
+	    These snapshots are provided for convenience only. When you really
+	    want to keep yourself up-to-date please clone the git repository
+	    instead.</p>
+
+	  <!--#include virtual="/inc/legalities.inc" -->
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Downloads</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/source/index.wml b/source/index.wml
deleted file mode 100644
index 59c571a..0000000
--- a/source/index.wml
+++ /dev/null
@@ -1,34 +0,0 @@
-
-#use wml::openssl area=source page=tarballs
-
-<title>Source, Tarballs</title>
-
-<h1>Tarballs</h1>
-
-<p>
-The table below lists the latest releases for every branch.
-Old releases can be found at
-<a href="old">https://www.openssl.org/source/old</a>.
-</p>
-
-<p>
-Alternatively, you can find all distribution tarballs in our FTP area,
-<a href="ftp://ftp.openssl.org/source/">ftp://ftp.openssl.org/source/</a>.
-A list of FTP mirror sites can be found <a href="mirror.html">here</a>.
-</p>
-
-<p>
-Development snapshots can be found at
-<a href="ftp://ftp.openssl.org/snapshot/">ftp://ftp.openssl.org/snapshot/</a>.
-
-<p>
-We also maintain a clone at GitHub,
-<a href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</a>.
-
-
-<p>
-<rfilelist "openssl-*.gz">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/license.html b/source/license.html
new file mode 100644
index 0000000..a2ce2e4
--- /dev/null
+++ b/source/license.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>License</h2></header>
+	  <div class="entry-content">
+	    <p>
+	    This is a copy of the current LICENSE file from
+	    the main repository.
+	    The plain-text document version of this document is available
+	    here:
+	    <a href="license.txt">license.txt</a>
+	    </p>
+	    <pre>
+	    <!--#include virtual="license.txt" -->
+	    </pre>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Downloads</a>
+	    : <a href="">License</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
diff --git a/source/license.wml b/source/license.wml
deleted file mode 100644
index 88143d9..0000000
--- a/source/license.wml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-#use wml::openssl area=source page=license
-
-<title>Source, License</title>
-
-<h1>License</h1>
-This is a copy of the current LICENSE file inside the CVS repository.
-<p>
-
-<pre>
-#include "license.inc"
-</pre>
diff --git a/source/mirror.html b/source/mirror.html
new file mode 100644
index 0000000..58e282b
--- /dev/null
+++ b/source/mirror.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Mirrors</h2></header>
+	  <div class="entry-content">
+	    <p>You can download the latest distribution files from the
+	    following FTP areas:</p>
+	    <table>
+	      <tr><td>Locale</td><td>URL</td></tr>
+
+	      <tr><td>DE</td><td><a
+		    href="ftp://ftp.openssl.org/source/">ftp://ftp.openssl.org/source/</a></td></tr>
+	      <tr><td>CH</td><td><a
+		    href="ftp://mirror.switch.ch/mirror/openssl/">ftp://mirror.switch.ch/mirror/openssl/</a></td></tr>
+	      <tr><td>CH</td><td><a
+		    href="http://mirror.switch.ch/ftp/mirror/openssl/">http://mirror.switch.ch/ftp/mirror/openssl/</a></td></tr>
+	      <tr><td>DE</td><td><a
+		    href="ftp://ftp.pca.dfn.de/pub/tools/net/openssl/">ftp://ftp.pca.dfn.de/pub/tools/net/openssl/</a></td></tr>
+	      <tr><td>NO</td><td><a
+		    href="ftp://sunsite.uio.no/pub/security/openssl/">ftp://sunsite.uio.no/pub/security/openssl/</a></td></tr>
+	      <tr><td>SE</td><td><a
+		    href="ftp://ftp.sunet.se/pub/security/tools/net/openssl/">ftp://ftp.sunet.se/pub/security/tools/net/openssl/</a></td></tr>
+	      <tr><td>AT</td><td><a
+		    href="ftp://gd.tuwien.ac.at/infosys/security/openssl/">ftp://gd.tuwien.ac.at/infosys/security/openssl/</a></td></tr>
+	      <tr><td>HU</td><td><a
+		    href="ftp://ftp.kfki.hu/pub/packages/security/openssl/">ftp://ftp.kfki.hu/pub/packages/security/openssl/</a></td></tr>
+	      <tr><td>PL</td><td><a
+		    href="ftp://guest.kuria.katowice.pl/pub/openssl/">ftp://guest.kuria.katowice.pl/pub/openssl/</a></td></tr>
+	      <tr><td>CZ</td><td><a
+		    href="ftp://ftp.fi.muni.cz/pub/openssl/">ftp://ftp.fi.muni.cz/pub/openssl/</a></td></tr>
+	      <tr><td>HR</td><td><a
+		    href="ftp://ftp.linux.hr/pub/openssl/">ftp://ftp.linux.hr/pub/openssl/</a></td></tr>
+	      <tr><td>DE</td><td><a
+		    href="http://openssl.initrd.net/">http://openssl.initrd.net/</a></td></tr>
+	      <tr><td>PL</td><td><a
+		    href="rsync://ftp.tpnet.pl/pub/security/openssl/">rsync://ftp.tpnet.pl/pub/security/openssl/</a></td></tr>
+	      <tr><td>CA</td><td><a
+		    href="http://openssl.skazkaforyou.com/">http://openssl.skazkaforyou.com/</a></td></tr>
+	      <tr><td>CA</td><td><a
+		    href="http://openssl.raffsoftware.com/">http://openssl.raffsoftware.com/</a></td></tr>
+	      <tr><td>DE</td><td><a
+		    href="http://artfiles.org/openssl.org/">http://artfiles.org/openssl.org/</a></td></tr>
+
+	  </table>
+
+	  <p>&nbsp;</p>
+	    <h3>No additional mirrors</h3>
+	    <p>We are not interested in taking on additional mirrors at the
+	    time.</p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Downloads</a>
+	    : <a href="">Mirrors</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/source/mirror.wml b/source/mirror.wml
deleted file mode 100644
index 4a1c52f..0000000
--- a/source/mirror.wml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-#use wml::openssl area=source page=mirror
-
-#use wml::std::box
-#use wml::fmt::verbatim
-#use wml::std::href
-
-<title>Source, FTP Mirrors</title>
-
-<h1>FTP Mirrors</h1>
-
-<h2>Available Mirrors</h2>
- 
-You can download the latest distribution files from the following FTP areas:
-
-#include 'mirror.inc'
-
-<h2>No additional mirrors</h2>
-
-We are not interested in taking on additional mirrors at the time.
diff --git a/source/old/0.9.x/index.html b/source/old/0.9.x/index.html
new file mode 100644
index 0000000..dc74bce
--- /dev/null
+++ b/source/old/0.9.x/index.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+        <header><h2>Old 0.9.x Releases</h2></header>
+        <div class="entry-content">
+          <p>Here are the old 0.9.x releases.</p>
+          <!--#include virtual="index.inc" -->
+        </div>
+        <footer>
+          You are here: <a href="/">Home</a>
+          : <a href=".">Source</a>
+          <br/><a href="/sitemap.txt">Sitemap</a>
+        </footer>
+      </article>
+
+
+    </div>
+    <!--NO NO #include virtual="sidebar.inc" -->
+  </div>
+  <!--#include virtual="/inc/legalities.inc" -->
+
+</div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/source/old/0.9.x/index.wml b/source/old/0.9.x/index.wml
deleted file mode 100644
index ebd4c81..0000000
--- a/source/old/0.9.x/index.wml
+++ /dev/null
@@ -1,16 +0,0 @@
-#use wml::openssl area=source page=old/0.9.x
-
-<title>Old 0.9.x Releases</title>
-
-<h1>Old 0.9.x Releases</h1>
-
-<p>
-The table below lists the outdated 0.9.x releases.
-</p>
-
-<p>
-<rfilelist "*.gz">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/old/1.0.0/index.html b/source/old/1.0.0/index.html
new file mode 100644
index 0000000..a040259
--- /dev/null
+++ b/source/old/1.0.0/index.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+        <header><h2>Old 1.0.0 Releases</h2></header>
+        <div class="entry-content">
+          <p>Here are the old 1.0.0 releases.</p>
+          <!--#include virtual="index.inc" -->
+        </div>
+        <footer>
+          You are here: <a href="/">Home</a>
+          : <a href=".">Source</a>
+          <br/><a href="/sitemap.txt">Sitemap</a>
+        </footer>
+      </article>
+
+
+    </div>
+    <!--NO NO #include virtual="sidebar.inc" -->
+  </div>
+  <!--#include virtual="/inc/legalities.inc" -->
+
+</div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/source/old/1.0.0/index.wml b/source/old/1.0.0/index.wml
deleted file mode 100644
index d3cb9b5..0000000
--- a/source/old/1.0.0/index.wml
+++ /dev/null
@@ -1,16 +0,0 @@
-#use wml::openssl area=source page=old/1.0.0
-
-<title>Old 1.0.0 Releases</title>
-
-<h1>Old 1.0.0 Releases</h1>
-
-<p>
-The table below lists the outdated 1.0.0 releases.
-</p>
-
-<p>
-<rfilelist "*.gz">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/old/1.0.1/index.html b/source/old/1.0.1/index.html
new file mode 100644
index 0000000..5028934
--- /dev/null
+++ b/source/old/1.0.1/index.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+        <header><h2>Old 1.0.1 Releases</h2></header>
+        <div class="entry-content">
+          <p>Here are the old 1.0.1 releases.</p>
+          <!--#include virtual="index.inc" -->
+        </div>
+        <footer>
+          You are here: <a href="/">Home</a>
+          : <a href=".">Source</a>
+          <br/><a href="/sitemap.txt">Sitemap</a>
+        </footer>
+      </article>
+
+
+    </div>
+    <!--NO NO #include virtual="sidebar.inc" -->
+  </div>
+  <!--#include virtual="/inc/legalities.inc" -->
+
+</div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/source/old/1.0.1/index.wml b/source/old/1.0.1/index.wml
deleted file mode 100644
index ba8b064..0000000
--- a/source/old/1.0.1/index.wml
+++ /dev/null
@@ -1,16 +0,0 @@
-#use wml::openssl area=source page=old/1.0.1
-
-<title>Old 1.0.1 Releases</title>
-
-<h1>Old 1.0.1 Releases</h1>
-
-<p>
-The table below lists the outdated 1.0.1 releases.
-</p>
-
-<p>
-<rfilelist "*.gz">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/old/1.0.2/index.html b/source/old/1.0.2/index.html
new file mode 100644
index 0000000..b238dcf
--- /dev/null
+++ b/source/old/1.0.2/index.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+        <header><h2>Old 1.0.2 Releases</h2></header>
+        <div class="entry-content">
+          <p>Here are the old 1.0.2 releases.</p>
+          <!--#include virtual="index.inc" -->
+        </div>
+        <footer>
+          You are here: <a href="/">Home</a>
+          : <a href=".">Source</a>
+          <br/><a href="/sitemap.txt">Sitemap</a>
+        </footer>
+      </article>
+
+
+    </div>
+    <!--NO NO #include virtual="sidebar.inc" -->
+  </div>
+  <!--#include virtual="/inc/legalities.inc" -->
+
+</div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/source/old/1.0.2/index.wml b/source/old/1.0.2/index.wml
deleted file mode 100644
index 1876079..0000000
--- a/source/old/1.0.2/index.wml
+++ /dev/null
@@ -1,16 +0,0 @@
-#use wml::openssl area=source page=old/1.0.2
-
-<title>Old 1.0.2 Releases</title>
-
-<h1>Old 1.0.2 Releases</h1>
-
-<p>
-The table below lists the outdated 1.0.2 releases.
-</p>
-
-<p>
-<rfilelist "*.gz">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/old/fips/index.html b/source/old/fips/index.html
new file mode 100644
index 0000000..1ade710
--- /dev/null
+++ b/source/old/fips/index.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+        <header><h2>Old XXX Releases</h2></header>
+        <div class="entry-content">
+          <p>Here are the old xxx releases.</p>
+          <!--#include virtual="index.inc" -->
+        </div>
+        <footer>
+          You are here: <a href="/">Home</a>
+          : <a href=".">Source</a>
+          <br/><a href="/sitemap.txt">Sitemap</a>
+        </footer>
+      </article>
+
+
+    </div>
+    <!--NO NO #include virtual="sidebar.inc" -->
+  </div>
+  <!--#include virtual="/inc/legalities.inc" -->
+
+</div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/source/old/fips/index.wml b/source/old/fips/index.wml
deleted file mode 100644
index 6df3f3e..0000000
--- a/source/old/fips/index.wml
+++ /dev/null
@@ -1,16 +0,0 @@
-#use wml::openssl area=source page=old/fips
-
-<title>Old FIPS Releases</title>
-
-<h1>Old FIPS Releases</h1>
-
-<p>
-The table below lists the outdated FIPS releases.
-</p>
-
-<p>
-<rfilelist "*.gz">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/old/index.html b/source/old/index.html
new file mode 100644
index 0000000..4d2b267
--- /dev/null
+++ b/source/old/index.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+        <header><h2>Old Releases</h2></header>
+        <div class="entry-content">
+          <p>Here are the old releases.</p>
+          <ul>
+            <li><a href="0.9.x">0.9.x</a></li>
+            <li><a href="1.0.0">1.0.0</a></li>
+            <li><a href="1.0.1">1.0.1</a></li>
+            <li><a href="1.0.2">1.0.2</a></li>
+            <li><a href="fips">fips</a></li>
+          </ul>
+        </div>
+        <footer>
+          You are here: <a href="/">Home</a>
+          : <a href=".">Source</a>
+          <br/><a href="/sitemap.txt">Sitemap</a>
+        </footer>
+      </article>
+
+
+    </div>
+    <!--NO NO #include virtual="sidebar.inc" -->
+  </div>
+  <!--#include virtual="/inc/legalities.inc" -->
+
+</div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/source/old/index.wml b/source/old/index.wml
deleted file mode 100644
index a8213de..0000000
--- a/source/old/index.wml
+++ /dev/null
@@ -1,17 +0,0 @@
-
-#use wml::openssl area=source page=old
-
-<title>Old Releases</title>
-
-<h1>Old Releases</h1>
-
-<p>
-The table below lists the different release branches.
-</p>
-
-<p>
-<rfilelist "*">
-
-<h2>Legalities</h2>
-
-<disclaimer>
diff --git a/source/repos.wml b/source/repos.wml
deleted file mode 100644
index 7b62ea0..0000000
--- a/source/repos.wml
+++ /dev/null
@@ -1,87 +0,0 @@
-
-#use wml::openssl area=source page=repos
-
-#use wml::std::box
-#use wml::fmt::verbatim
-#use wml::std::href
-
-<title>Source, Repository</title>
-
-<h1>Git repository</h1>
-
-The OpenSSL package is developed in a Git-based repository.
-It is available via Git mechanisms at git.openssl.org or at
-<a href="https://github.com/openssl/openssl">
-https://github.com/openssl/openssl</a> on GitHub.
-
-<h2>Fetching Git repository snapshot tarballs</h2>
-
-Tarballs containing snapshots of the latest git repository states can be found
-under <a
-href="ftp://ftp.openssl.org/snapshot/">ftp://ftp.openssl.org/snapshot/</a>.
-They are created on a daily basis. These snapshots are provided for
-convenience only. When you really want to keep yourself up-to-date please use
-the bandwidth-friendly git service to directly clone the git repository
-instead.
-
-<h2>Anonymous Git access</h2>
-
-Read only access to the respository is possible using the git protocol.
-Use the following command to clone the git repository including all
-available branches and tags:
-
-    <p>
-    <box bgcolor="#f0f0f0">
-    <b><verbatim>
-$ git clone git://git.openssl.org/openssl.git
-    </verbatim></b>
-    </box>
-    <p>
-
-Access to the specific branches is possible via standard git methods
-using the git branch and git checkout commands.
-See the discussion of branch naming below for more information.<br/><br/>
-
-On Windows, once the repository is cloned, you  should ensure that line endings
-are set correctly:
-
-    <p>
-    <box bgcolor="#f0f0f0">
-    <b><verbatim>
-$ cd openssl
-$ git config core.autocrlf false
-$ git config core.eol lf
-$ git checkout .
-    </verbatim></b>
-    </box>
-    <p>
-
-<h3>git mirror sites</h2>
-
-A mirror at github is updated every 15 minutes. Github provides access
-via additional protocols.
-
-<p>
-<href url="https://github.com/openssl/openssl">
-</p>
-
-<h3>Git branch names and tagging</h2>
-
-The <b>master</b> (also known as the development branch) contains the latest
-bleeding edge code. There are also several <i>stable</i> branches where stable
-releases come from. These take the form <b>OpenSSL_x_y_z-stable</b> so for
-example the 1.0.0 stable branch is <b>OpenSSL_1_0_0-stable</b>. When an
-actual release is made it is tagged in the form <b>OpenSSL_x_y_zp</b> or
-a beta <b>OpenSSL_x_y_xp-betan</b> though you should normally just download
-the release tarball. Tags and branches are occasionally used for other
-purposes such as testing experimental or unstable code before it is merged
-into another branch.
-
-<h1>CVS (Legacy) repository</h1>
-
-All of the development history has been converted to Git.
-The CVS source code repository is frozen and the final version is available
-at
-<p>
-<href url="http://cvs.openssl.org/">
-</p>
diff --git a/source/sidebar.inc b/source/sidebar.inc
new file mode 100644
index 0000000..4eab542
--- /dev/null
+++ b/source/sidebar.inc
@@ -0,0 +1,18 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Downloads</a></h1>
+    <ul>
+      <li>
+	<a href="gitrepo.html">Git Repository</a>
+      </li>
+      <li>
+	<a href="license.html">License</a>
+      </li>
+      <li>
+	<a href="mirror.html">Mirror Sites</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
diff --git a/support/.wmlrc b/support/.wmlrc
deleted file mode 100644
index ab44064..0000000
--- a/support/.wmlrc
+++ /dev/null
@@ -1,10 +0,0 @@
-##
-##  .wmlrc -- Local RC file for WML
-##
-
-#   define where the URL root of the Sub Navigation Bar (SNB) 
-#   is located [SNB_ROOT] and where it's buttons are defined [SNB_RC]
--DSNB_ROOT~.
--DSNB_RC=.wmlsnb
--I.
-
diff --git a/support/.wmlsnb b/support/.wmlsnb
deleted file mode 100644
index 1523827..0000000
--- a/support/.wmlsnb
+++ /dev/null
@@ -1,14 +0,0 @@
-##
-##  .wmlsnb -- Sub Navigation Bar Specification for WML
-##
-
-<snb>
-  <snb_button id=support      txt="Support"		url="index.html">
-  <snb_button id=community    txt="Join"         url="community.html">
-  <snb_button id=rt           txt="Bugs"     url="rt.html">
-  <snb_button id=donations    txt="Donations"		url="donations.html">
-  <snb_button id=funding      txt="Funding"		url="funding/contract.html">
-  <snb_button id=consulting   txt="Consulting"		url="consulting.html">
-  <snb_button id=acknowledgments   txt="Acknowledgments"	url="acknowledgments.html">
-</snb>
-
diff --git a/support/acknowledgments.wml b/support/acknowledgments.wml
deleted file mode 100644
index 151c2fe..0000000
--- a/support/acknowledgments.wml
+++ /dev/null
@@ -1,192 +0,0 @@
-
-#use wml::openssl area=support page=acknowledgments
-
-<title>Sponsorship and Patronage Acknowledgments</title>
-
-<h1>Sponsor Acknowledgments</h1>
-
-The OpenSSL project depends on volunteer efforts and financial support from the end user community.  That support
-comes in the form of
-<a href="donations.html">donations and paid sponsorships</font></a>,
-<a href="funding/contract.html">software support contracts</font></a>,
-<a href="consulting.html">paid consulting services</font></a>,
-and
-<a href="consulting.html">commissioned software development</font></a>.
-Since all these activities support the continued development and improvement of OpenSSL
-we consider all these clients and customers as sponsors of the OpenSSL project.
-<p>
-
-
-<br>
-We would like to identify and thank the following such sponsors for their past or current significant
-support of the OpenSSL project. Except as noted sponsors are listed within categories in order of overall contribution value:
-<br>
-
-<hr noshade size=1>
-Exceptional support:
-<br>
-<br>
-<br>
-<table>
-    <tr>
-    
-    <td>
-        <a href="http://www.linux-foundation.org/">
-        <img src="$(IMG)/lf-logo-med.png" align=center border=0>
-        </a>
-        <a href="http://www.linuxfoundation.org/programs/core-infrastructure-initiative">
-        <img src="$(IMG)/cii-logo-med.png" align=center border=0>
-        </a>
-        <br>
-        <br>
-        <br>
-        <br>
-        <a href="http://www.smartisan.com/">
-        <img src="$(IMG)/smartisan-logo-med.png" align=center border=0>
-        </a>
-        <br>
-        <br>
-    </td>
-
-    </tr>
-</table>
-<hr noshade size=1>
-Platinum sponsors (listed chronologically, left to right).  The sustainable funding provided by these sponsorships allows long term planning:
-<br>
-<br>
-<br>
-<table>
-    #<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-    <tr>
-    
-    <td>
-        <a href="http://company.nokia.com/en">
-        <img src="$(IMG)/nokia-logo-med.jpg" align=center border=0>
-        </a>
-        <a href="http://www.huawei.com/">
-        <img src="$(IMG)/huawei-logo-med.jpg" align=center border=0>
-        </a>
-        <a href="http://www.oracle.com/">
-        <img src="$(IMG)/oracle-logo-med.jpg" align=center border=0>
-        </a>
-        <br>
-        <br>
-    </td>
-
-    </tr>
-</table>
-
-
-<hr noshade size=1>
-Major sustaining support:
-<br>
-<br>
-<br>
-<table>
-    #<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-    <tr>
-
-    <td>
-        <a href="https://www.akamai.com/">
-        <img src="$(IMG)/akamai-logo-med.png" align=center border=0>
-        </a>
-        <br>
-        <br>
-    </td>
-
-    </tr>
-</table>
-
-
-<hr noshade size=1>
-Major support:
-<br>
-<br>
-<br>
-<table>
-#<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-    <tr>
-    
-    <td>
-        <a href="https://www.globalsign.com/">
-        <img src="$(IMG)/globalsign-logo-med.jpg" align=center border=0>
-        </a>
-        <br>
-        <br>
-        <br>
-        <br>
-        <a href="http://www.qualys.com/">
-        <img src="$(IMG)/qualsys-logo-med.jpg" align=center border=0>
-        </a>
-        <br>
-        <br>
-    </td>
-    
-    </tr>
-</table>
-
-<hr noshade size=1>
-Very significant support:
-<br>
-<br>
-<table>
-    <tr>
-    
-    <td>
-        <a href="http://www.opengear.com/">
-        <img src="$(IMG)/opengear-logo-med.jpg" align=center border=0>
-        </a>
-        <br>
-        <br>
-    </td>
-    
-    <br>
-    <br>
-
-    </tr>
-</table>
-
-<hr noshade size=1>
-Significant support:
-<br>
-<br>
-<table>
-    <tr>
-
-    <td> 
-        <a href="http://www.psw.net/">
-        <img src="$(IMG)/psw-logo.gif" alt="SSL-Zertifikate" align=center border=0>
-        </a>
-        <br>
-        <br>
-        <br>
-        <br>
-        <a href="https://miltonsecurity.com/">
-        <img src="$(IMG)/milton-logo-med.jpg" alt="Milton Security" align=center border=0>
-        </a>
-        <br>
-        <br>
-        <br>
-        <br>
-        <a href="http://acano.com/">
-        <img src="$(IMG)/acano-logo.jpg" align=center border=0>
-        </a>
-        <br>
-        <br>
-    </td>
-    
-    <br>
-    <br>
-
-    </tr>
-</table> 
-
-<hr size=1>
-
-<br>
-<br>
-Please note that we ask permission to identify sponsors and that some sponsors we consider eligible for
-inclusion here have requested to remain anonymous.
-<p>
-Additional sponsorship or financial support of any kind is always welcome; for more information please 
-contact the <a href="../about/openssl-contact.html">OpenSSL Software Foundation</a> 
diff --git a/support/acks.html b/support/acks.html
new file mode 100644
index 0000000..1368ee1
--- /dev/null
+++ b/support/acks.html
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+<div id="main">
+  <div id="content">
+    <div class="blog-index">
+      <article>
+	<header><h2>Sponsor Acknowledgements</h2></header>
+	<div class="entry-content">
+	  <p>The OpenSSL project depends on volunteer efforts and financial
+	  support from the end user community.  That support can comes
+	  in the form of donations, contracts, and volunteer contributions.
+	  Since all of these activities support the continued development
+	  and improvement of OpenSSL, we consider all of them to be
+	  sponsors of the OpenSSL project.</p>
+
+	  <p>We would like to identify and thank the following such sponsors
+	  for their past or current significant support of the OpenSSL
+	  project. Except as noted sponsors are listed within categories in
+	  order of overall contribution value. Please note that we ask
+	  permission to identify sponsors and that some sponsors we consider
+	  eligible for inclusion here have requested to remain anonymous.</p>
+
+	  <hr noshade size=1>
+	  <p>Exceptional support:</p>
+	  <a href="http://www.linux-foundation.org/"><img src="/img/lf-logo-med.png"></a>
+
+	  <a href="http://www.linuxfoundation.org/programs/core-infrastructure-initiative"><img src="/img/cii-logo-med.png"></a>
+	  <a href="http://www.smartisan.com/"><img src="/img/smartisan-logo-med.png"></a>
+
+	  <hr noshade size=1>
+	  <p>Platinum sponsors (listed chronologically).  The
+	  sustainable funding provided by these sponsorships allows long term
+	  planning:</p>
+	  <a href="http://company.nokia.com/en"><img src="/img/nokia-logo-med.jpg"></a>
+	  <a href="http://www.huawei.com/"><img src="/img/huawei-logo-med.jpg"></a>
+	  <a href="http://www.oracle.com/"><img src="/img/oracle-logo-med.jpg"></a>
+
+	  <hr noshade size=1>
+	  <p>Major sustaining support:</p>
+	  <a href="https://www.akamai.com/"><img src="/img/akamai-logo-med.png"></a>
+
+	  <hr noshade size=1>
+	  <p>Major support:</p>
+	  <a href="https://www.globalsign.com/"><img src="/img/globalsign-logo-med.jpg"></a>
+	  <a href="http://www.qualys.com/"><img src="/img/qualsys-logo-med.jpg"></a>
+
+	  <hr noshade size=1>
+	  <p>Very significant support:</p>
+	  <a href="http://www.opengear.com/"><img src="/img/opengear-logo-med.jpg"></a>
+
+	  <hr noshade size=1>
+	  <p>Significant support:</p>
+	  <a href="http://www.psw.net/"><img src="/img/psw-logo.gif" alt="SSL-Zertifikate"></a>
+	  <a href="https://miltonsecurity.com/"><img src="/img/milton-logo-med.jpg" alt="Milton Security"></a>
+	  <a href="http://acano.com/"><img src="/img/acano-logo.jpg"></a>
+
+	    </p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Support</a>
+	    : <a href="">Acknowledgements</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/support/community.wml b/support/community.wml
deleted file mode 100644
index c9dde79..0000000
--- a/support/community.wml
+++ /dev/null
@@ -1,91 +0,0 @@
-
-#use wml::openssl area=support page=community
-
-<title>Support, Mailing Lists</title>
-
-<h1>Mailing List Update</h1>
-
-We have moved all mailing lists over from to a new server and
-using <a href="http://www.gnu.org/software/mailman/">MailMan</a>.
-If you find any issues please contact postmaster at openssl.org.
-
-We will be installing better DNS names soon.
-
-<h2>Overview</h2>
-
-Here is an overview of the public mailing lists.
-Anyone can join.
-
-<p>
-<table cellspacing=0 cellpadding=2 border=0>
-<tr>
-   <td><b id=sf>List </b></td>
-   <td><b id=sf>Usage</b></td> 
-</tr>
-<tr>
-   <td><hr noshade size=1></td>
-   <td><hr noshade size=1></td>
-</tr>
-<tr>
-   <td>openssl-announce</td>
-   <td>Official Project Announcements; low-volume read-only.</td>
-</tr>
-   <td>openssl-commits</td>
-   <td>Commits to the source repository; read-only</td>
-</tr>
-<tr>
-   <td>openssl-dev</td>
-   <td>Discussions on development of the OpenSSL library.
-   This is not the place for application development questions!</td>
-</tr>
-<tr>
-   <td>openssl-users</td>
-   <td>Application Development, installing and configuring OpenSSL,
-   etc.</td>
-</tr>
-</table>
-
-<p>
-In addition, there is a list dedicated to the "discussion of the effort to
-improve unit/automated testing for OpenSSL." It is a Google group,
-available at
-<a href="https://groups.google.com/forum/#!forum/openssl-testing">
-https://groups.google.com/forum/#!forum/openssl-testing
-<a>
-
-<h2>Subscription</h2>
-
-To join any list, visit
-<a href="https://mta.openssl.org">https://mta.openssl.org</a>.
-
-<h2>Archive</h2>
-
-The mailing lists are automatically archived at the following locations:
-
-<ul>
-<li><b>openssl-announce</b>:<br>
-    - <a href="http://marc.info/?l=openssl-announce">
-      http://marc.info/?l=openssl-announce</a><br>
-    - <a href="http://www.mail-archive.com/openssl-announce at openssl.org/">
-      http://www.mail-archive.com/openssl-announce at openssl.org/</a><br>
-<li><b>openssl-users</b>:<br>
-    - <a href="http://marc.info/?l=openssl-users">
-      http://marc.info/?l=openssl-users</a><br>
-    - <a href="http://www.mail-archive.com/openssl-users at openssl.org/">
-      http://www.mail-archive.com/openssl-users at openssl.org/</a><br>
-    - <a href="http://groups.google.com/groups?group=mailing.openssl.users">
-      http://groups.google.com/groups?group=mailing.openssl.users</a><br>
-<li><b>openssl-dev</b>:<br>
-    - <a href="http://marc.info/?l=openssl-dev">
-      http://marc.info/?l=openssl-dev</a><br>
-    - <a href="http://www.mail-archive.com/openssl-dev at openssl.org/">
-      http://www.mail-archive.com/openssl-dev at openssl.org/</a><br>
-    - <a href="http://groups.google.com/groups?group=mailing.openssl.dev">
-      http://groups.google.com/groups?group=mailing.openssl.dev</a><br>
-<li><b>openssl-commits</b>:<br>
-    - <a href="http://marc.info/?l=openssl-cvs">
-      http://marc.info/?l=openssl-cvs</a><br>
-    - <a href="http://groups.google.com/groups?group=mailing.openssl.cvs">
-      http://groups.google.com/groups?group=mailing.openssl.cvs</a><br>
-</ul>
-
diff --git a/support/consulting.wml b/support/consulting.wml
deleted file mode 100644
index 12e773d..0000000
--- a/support/consulting.wml
+++ /dev/null
@@ -1,68 +0,0 @@
-
-#use wml::openssl area=support page=consulting
-
-<title>Consulting</title>
-<h1>Consulting</h1>
-
-Does your company use the OpenSSL toolkit and need some help porting it to a new platform? Do you
-need a new feature added?  Are you developing new cryptographic functionality for your product?
-<p>
-
-Even if you have experienced in-house software development personnel you may find that the OpenSSL
-team can provide cost-effective solutions to your OpenSSL related challenges.  No one knows OpenSSL
-like the people who write and maintain it and work with it every day.
-
-Also, the income they earn though their paid consulting work supports their unpaid work on OpenSSL,
-so by hiring OpenSSL team members you are not only solving your own problems but also helping to
-ensure the long term viability of the OpenSSL product.
-<p>
-While our passion is open source, part of that passion is seeing our software widely used.  We
-understand the requirements of commercial industry and will work under and respect appropriate
-non-disclosure agreements.
-<p>
-OpenSSL team members have recently performed or are currently performing the following work.
-Those sponsors willing to be identified are shown in parentheses:
-
-<p>
-<ul style=list-style-type:circle>
-  <li> RFC3850, RFC3851, RFC3852 and RFC3394: CMS support (2008)
-  <p>
-  <li> RFC3280 and PKITS compliance (Google, 2008)
-  <p>
-  <li> RFC4507bis: stateless session resumption (Google, 2007)
-  <p>
-  <li> CryptoAPI ENGINE support (2008)
-  <p>
-  <li> RFC3546: OCSP stapling (2007)
-  <p>
-  <li> Open source based FIPS 140-2 validation (Symantec and others, 2008-2010)
-  <p>
-  <li> Change letter for validation #1051 to support cross-compilation (Opengear, 2010)
-  <p>
-  <li> Change letter for validation #1051 to support newer 64 bit Windows (2010)
-</ul>
-
-We have extensive experience in obtaining FIPS 140-2 validations for OpenSSL based cryptographic
-modules.  We can assist you in utilising the open source based validated module (#1051), we
-can obtain a change letter modification to that validated module to suit your specific
-circumstances, or we can obtain a complete new validation with your company as the vendor of
-record.  We can provide a complete turnkey service handling all arrangements with the test labs
-and CMVP, or we can work with your existing test lab.
-
-If you are not familiar with the validation and change letter process give us a call; you
-may well find that the cost of obtaining FIPS 140-2 validation status for the OpenSSL based software
-you currently use is less than the cost of a license for a commercial equivalent.
-<p>
-All of our commercial work is performed under formal contracts with fully specified deliverables,
-conventional milestones and deadlines, progress reporting, and invoicing -- no PayPal payments to
-some unknown pseudonym.
-<p>
-Since we consider all sources of financial support to be OpenSSL sponsors and patrons, clients
-purchasing any of our commercial services will at their discretion be identified and credited in
-several formats such as our
-<a href=acknowledgments.html>acknowledgments</a> page, in the source distribution release notes, and
-in mailing list announcements.
-
-<p>
-For further information please contact our consulting organization, <a href="funding/support-contact.html">OpenSSL Software Services</a>.
-
diff --git a/support/contracts.html b/support/contracts.html
new file mode 100644
index 0000000..ea3e2f3
--- /dev/null
+++ b/support/contracts.html
@@ -0,0 +1,168 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+
+<body>
+<!--#include virtual="/inc/banner.inc" -->
+
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Support Contracts</h2></header>
+	  <div class="entry-content">
+	    <p>In addition to <a href="/community">community</a> support,
+	    <a href="/community/contacts.html">OpenSSL Software Services</a>
+	    offers three different type of support contract.  If you
+	    have specific requirements not addressed by any of these plans,
+	    or for more information, discuss custom arrangements.</p>
+
+	    <p>Please see the <a href="#definitions">list of definitions</a>
+	    at the bottom of the page for the definitions used below.</p>
+
+	    <dl>
+	      <dt><a href="#premium">Premium</a>
+	      Enterprise Level Support</dt>
+	      <dd>Designed for the large enterprise utilising OpenSSL
+	      extensively in product lines or critical infrastructure.</dd>
+	      <dt><a href="#vendor"><dt>Vendor</a> Support</dt>
+	      <dd>Designed for organisations requiring support of product
+	      lines using OpenSSL or for customised in-house versions of
+	      OpenSSL.</dd>
+	      <dt><a href="#basic"><dt>Basic</a> Support<dt>
+	      <dd>Basic technical support for application development shops or
+	      end users.</dd>
+	    </dl>
+	    <p>&nbsp;</p>
+
+	    <h3><a name="premium">Premium Level Support</a></h3>
+	    <p>US$50,000 annually</p>
+	    <ul>
+	      <li>All technical support requests handled directly by a Designated Responder
+	      <li>24x7x365 availability
+	      <li>Four Support Administrators
+	      <li>Unlimited Service Requests
+	      <li>Custom patch preparation and creation
+	      <li>OpenSSL FIPS Object Module support included
+	      <li>FIPS validation support
+	    </ul>
+	    <p>The premium support plan is designed for the large enterprise
+	    using OpenSSL as an essential component of multiple products or
+	    product lines or in support of in-house or commercially provided
+	    services. Many prospective Premium Level customers have already
+	    hired individual OpenSSL team members for specific tasks. The
+	    typical large enterprise customer has a capable in-house technical
+	    staff but still finds it cost-effective to engage the world class
+	    talent of OpenSSL authors and maintainers.  Customisation of
+	    OpenSSL by prospective Schedule A customers is common, as are
+	    "private label" FIPS 140-2 validations.</p>
+	    <p>Note we don't expect to sell very many of the premium support
+	    plans, but those few customers will receive careful attention for
+	    both immediate problems and long range strategic interests.</p>
+
+	    <h3><a name="vendor">Vendor Level Support</a></h3>
+	    <p>US$20,000 annually</p>
+	    <ul>
+	      <li>Institutional Response with escalation to Designated Responder as appropriate.
+	      <li>12x5 availability
+	      <li>Two Support Administrators
+	      <li>Limit of four Service Requests per month
+	      <li>Custom patch preparation
+	      <li>OpenSSL FIPS Object Module support included
+	      <li>FIPS validation support excluded
+	    </ul>
+	    <p>This plan is designed for the medium enterprise using OpenSSL
+	    for a single product or product line. The prospective Vendor Level
+	    Support customer has a proficient technical staff but no specific
+	    expertise in cryptography or OpenSSL. Technical support is
+	    provided for use of the unmodified OpenSSL FIPS Object Module, but
+	    not for validations of derivative software.</p>
+
+	    <h3><a name="basic">Basic Support</a></h3>
+	    <p>US$10,000 annually</p>
+	    <ul>
+	      <li>Institutional Response only
+	      <li>8x5 availability
+	      <li>One Support Administrator
+	      <li>Limit of one unique Service Request per month
+	      <li>OpenSSL FIPS Object Module support excluded
+	      <li>FIPS validation support excluded
+	    </ul>
+	    <p>This plan is designed for the medium to small enterprise
+	    relying on stock OpenSSL for significant products or services and
+	    lacking internal resources for effectively addressing all
+	    operational and application development issues.</p>
+
+	    <h3><a name="definitions">Support Terms</a></h3>
+	    <dl>
+	      <dt>Customer Contacts</dt>
+	      <dd>customer personnel familiar with the customer's software
+	      environment coordinating technical support correspondence
+	      between the customer and OSF personnel for a specific service
+	      request.  The Customer Contacts are the sole liaisons for such
+	      technical correspondence with the OSF.  It is recommended that
+	      the Customer Contacts be knowledgeable about the customer
+	      environment and use of the OpenSSL software and have an
+	      understanding of the problem for which support services are
+	      requested.</dd>
+
+	      <dt>Designated Responder</dt>
+	      <dd>All technical support is provided by OpenSSL team members or
+	      their close collaborators in the OpenSSL developer community.  A
+	      designated responder is an OpenSSL team member directly handling
+	      a support request and communicating directly with the Customer
+	      Contact.</dd>
+
+	      <dt>Institutional Response</dt>
+	      <dd>Technical support correspondence originating or reviewed by
+	      one or more OpenSSL team members but communicated indirectly by
+	      other OSF personnel.</dd>
+
+	      <dt>Patch Preparation</dt>
+	      <dd>The preparation of a patch changeset from existing changes
+	      committed to the OpenSSL source code repository.</dd>
+
+	      <dt>Patch Creation</dt>
+	      <dd>The coding of new source code modifications or additions not
+	      already committed to the OpenSSL source code repository.  The
+	      resolution of problems identified in the OpenSSL software itself
+	      will generally be resolved by committing the code modifications
+	      to the OpenSSL source code repository; such modifications
+	      automatically define a patch.  For support plan options custom
+	      software modifications may be performed that are specific to the
+	      customer environment.  Such custom modifications will not be
+	      committed to the publicly available source code repository and
+	      will be delivered to the customer as custom patches.</dd>
+
+	      <dt>Service Request</dt>
+	      <dd>A specific request for support initiated by a Support
+	      Administrator and assigned a service request number by the
+	      OSF.</dd>
+
+	      <dt>Support Administrator</dt>
+	      <dd>An individual designated by the customer to submit requests
+	      for technical support to the OSF.  The number of individuals
+	      that can be designated as support administrators varies with the
+	      support plan option.  The support administrator may be a
+	      Customer Contact in the context of a specific Service Request,
+	      or may designate a Customer Contact for Service Requests.</dd>
+
+	    </dl>
+
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Support</a>
+	    : <a href="">Contracts</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+
+</html>
diff --git a/support/donations-cn.wml b/support/donations-cn.html
similarity index 98%
rename from support/donations-cn.wml
rename to support/donations-cn.html
index eef9802..48b9c69 100644
--- a/support/donations-cn.wml
+++ b/support/donations-cn.html
@@ -15,7 +15,7 @@ We accept donations in any amount via PayPal and UnionPay:
 <input type="hidden" name="hosted_button_id" value="JFMKAASZ9XL2N">
 <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal payment">
 <img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
-<img alt="" border="0" src="UnionPay.jpg" align="center">
+<img alt="" border="0" src="/img/unionpay.jpg" align="center">
 </form>
 
 <br>
diff --git a/support/donations.html b/support/donations.html
new file mode 100644
index 0000000..1f8fc2d
--- /dev/null
+++ b/support/donations.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Donations</h2></header>
+	  <div class="entry-content">
+	    <p>Your donation to the OpenSSL team will support the ongoing
+	    development activities of the team members.</p>
+
+	    <p>Please note that the
+	    <a href="/community/contacts.html">OpenSSL Software Foundation</a>
+	    (OSF) is incorporated in the the state of Delaware, United States,
+	    as a non-profit corporation.  It does not qualify as a tax-exempt
+	    charitable organisation under Section 501(c)(3) of the U.S.
+	    Internal Revenue Code.  We looked into it and concluded that
+	    501(c)(3) status would require more of an investment in time and
+	    money than we can justify at present.  This means that, for
+	    individuals within the U.S., donations to the OSF are not
+	    tax-deductible.  Corporate donations can of course be written off
+	    as a business expense.</p>
+
+	    <p>In addition to direct financial contributions in the form of
+	    donations or sponsorship you may also support the OpenSSL project
+	    financially with the purchase of a
+	    <a href="contracts.html"> support contract</a>, or by hiring OSF
+	    for consulting services or custom software development.  We
+	    consider all sources of funding to be sponsors, because we use all
+	    such funding, whether donations or pay for services rendered, for
+	    the same purpose -- to improve and maintain the OpenSSL
+	    product.</p>
+
+	    <table>
+	      <tr><td>Level</td><td>Acknowledgement</td></tr>
+	      <tr><td>Platinum<br>$50,000/yr</td>
+		<td>Prominent logo placement on openssl.org<br>
+		  OpenSSL sponsor logo for your use<br>
+		  Acknowledgement on openssl.org<br>
+		  Acknowledgement in source distributions</td></tr>
+
+	      <tr><td>Gold<br>$20,000/yr</td>
+		<td>Logo placement on openssl.org<br>
+		  OpenSSL sponsor logo for your use<br>
+		  Acknowledgement on openssl.org<br>
+		  Acknowledgement in source distributions</td></tr>
+
+	      <tr><td>Silver<br>$10,000/yr</td>
+		<td>Acknowledgement on openssl.org<br>
+		  Acknowledgement in source distributions</td></tr>
+
+	      <tr><td>Contributing&nbsp;&nbsp;<br>$5,000/yr</td>
+		<td>Acknowledgement in source distributions</td></tr>
+	    </table>
+	    <p>&nbsp;</p>
+
+We also accept donations in any amount via credit card or PayPal:
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
+<input type="hidden" name="cmd" value="_s-xclick">
+<input type="hidden" name="hosted_button_id" value="JFMKAASZ9XL2N">
+<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal payment">
+<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
+</form>
+
+<p>
+<a href="donations-cn.html">
+??????????????????????????????
+</a>
+</p>
+
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Support</a>
+	    : <a href="">Donations</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/support/donations.wml b/support/donations.wml
deleted file mode 100644
index 33f0662..0000000
--- a/support/donations.wml
+++ /dev/null
@@ -1,106 +0,0 @@
-
-#use wml::openssl area=support page=donations
-
-<title>Donations</title>
-
-<h1>Donations and Sponsorship</h1>
-
-<p>Your donation to the OpenSSL team will support the ongoing development activities of the team members.
-</p>
-
-<p>Please note that the <a href="../about/openssl-contact.html">OpenSSL
-Software Foundation</a> (OSF) is incorporated in the the state of Delaware,
-United States, as a non-profit corporation.  It does not qualify as
-a tax-exempt charitable organisation under Section 501(c)(3) of the U.S. Internal
-Revenue Code.  We looked into it and concluded that 501(c)(3) status
-would require more of an investment in time and money than we can justify
-at present.  This means that, for individuals within the U.S., donations
-to the OSF are not tax-deductible.  Corporate donations can of course be
-written off as a business expense.  </p>
-
-<p>In addition to direct financial contributions in the form of donations or sponsorship you may also
-support the OpenSSL project financially with the purchase of a <a href="funding/contract.html"> support contract</a>,
-or by <a href="consulting.html">hiring us</a> for consulting services or custom software development.  We consider all
-sources of funding to be sponsors, because we use all such funding, whether donations or pay for services rendered, for the same purpose -- to improve and maintain the OpenSSL product.
-</p>
-
-<table>
-<tr><td><b id=sf>Sponsorship Level</b></td><td><b id=sf>Acknowledgement</b></td></tr>
-<tr><td><hr noshade size=1></td><td><hr noshade size=1></td></tr>
-<tr>
-
-<td>
-Platinum<br>
-$50,000/yr<br>
-<br>
-<br>
-<br>
-
-Gold<br>
-$20,000/yr<br>
-<br>
-<br>
-<br>
-
-Silver<br>
-$10,000/yr<br>
-<br>
-<br>
-
-Contributing Sponsor<br>
-$5,000/yr<br>
-<br>
-<br>
-</td>
-
-<td valign=top>
-Prominent logo placement on openssl.org<br>
-OpenSSL sponsor logo for your use<br>
-Acknowledgement on openssl.org<br>
-Acknowledgement in source distributions<br>
-<br>
-
-Logo placement on openssl.org<br>
-OpenSSL sponsor logo for your use<br>
-Acknowledgement on openssl.org<br>
-Acknowledgement in source distributions<br>
-<br>
-
-Acknowledgement on openssl.org<br>
-Acknowledgement in source distributions<br>
-<br>
-<br>
-
-Acknowledgement in source distributions<br>
-<br>
-<br>
-<br>
-</td>
-
-</tr>
-</table>
-
-We also accept donations in any amount via credit card or PayPal:
-<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
-<input type="hidden" name="cmd" value="_s-xclick">
-<input type="hidden" name="hosted_button_id" value="JFMKAASZ9XL2N">
-<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal payment">
-<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
-</form>
-
-<br>
-<br>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<a href="donations-cn.html">
-??????????????????????????????
-</a>
-<br>
-<br>
-
-<br>
-<br>
-(the Bitcoin option has been temporarily removed)<br>
-<br>
-<br>
-As noted above these donations are currently <em>not</em> tax-deductible!<br>
-For further information please contact the <a href="../about/openssl-contact.html">OpenSSL Software Foundation</a>.
diff --git a/support/faq.wml b/support/faq.wml
deleted file mode 100644
index 7520718..0000000
--- a/support/faq.wml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-#use wml::openssl area=support page=faq 
-
-<title>Support, Frequently Asked Questions</title>
-
-<h1>Frequently Asked Questions</h1>
-
-<!--#include virtual="/support/faq.inc" -->
diff --git a/support/funding/contract.wml b/support/funding/contract.wml
deleted file mode 100644
index d45b6b1..0000000
--- a/support/funding/contract.wml
+++ /dev/null
@@ -1,37 +0,0 @@
-
-#use wml::openssl area=support page=funding
-
-<title>Support Contracts</title>
-
-<h1>Support Contracts</h1>
-
-Technical support for OpenSSL has long been available through the online collaborative <a href="../community.html">community</a>
-of OpenSSL team members, other software developers familiar with OpenSSL and cryptography, and knowledgeable users.
-However, some commercial and government organisations have expressed a desire for a more formal technical support service.
-<p>
-In order to satisfy this demand the OpenSSL team has partnered with a new for-profit corporation formed for
-the purpose of offering formal paid software support contracts.  This new business entity, the OpenSSL Software Foundation (OSF),
-is incorporated in the United States and acts as the legal agent for the OpenSSL team members providing the technical
-support services.
-<p>
-For more details on this formal support contract offering please see the <a href="support-faq.html">support contract FAQ</a>.
-<p>
-At present four different type of support contract are offered.  If you have specific requirements not addressed
-by any of these plans please contact the <a href="support-contact.html">OSF</a> to discuss
-custom arrangements.
-<ul style=list-style-type:circle>
-<li><a href="support-premium.html"><font id=sfl>Premium</font></a> Enterprise Level Support<br>
-    Designed for the large enterprise utilising OpenSSL extensively in product lines or critical infrastructure.
-<p>
-<li><a href="support-vendor.html"><font id=sfl>Vendor</font></a> Support<br>
-    Designed for organisations requiring support of product lines using OpenSSL or for customised in-house versions of OpenSSL.
-<p>
-<li><a href="support-basic.html"><font id=sfl>Basic</font></a> Support<br>
-    Basic technical support for application development shops or end users.
-<p>
-<li><a href="support-incident.html"><font id=sfl>Incident Based</font></a> Support<br>
-    Per-incident support.
-<p>
-</ul>
-For further information please contact <a href="support-contact.html">OpenSSL Software Services</a>.
-
diff --git a/support/funding/support-basic.wml b/support/funding/support-basic.wml
deleted file mode 100644
index e9bc9be..0000000
--- a/support/funding/support-basic.wml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Basic Support Contract</title>
-
-<h1>Basic Level Support</h1>
-<p>
-US$10,000 annually
-<p>
-(<a href="support-definitions.html">definitions</a> of terms)
-<p>
-<ul>
-<li>Institutional Response only
-<li>8x5 availability
-<li>One Support Administrator
-<li>Limit of one unique Service Request per month
-<li>OpenSSL FIPS Object Module support excluded
-<li>FIPS validation support excluded
-</ul>
-<p>
-This plan is designed for the medium to small enterprise relying on stock OpenSSL for significant
-products or services and lacking internal resources for effectively addressing all operational and application development issues.
diff --git a/support/funding/support-contact.wml b/support/funding/support-contact.wml
deleted file mode 100644
index b66b75a..0000000
--- a/support/funding/support-contact.wml
+++ /dev/null
@@ -1,19 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Support Contract Contact Info</title>
-
-<h1>Support Contract Queries</h1>
-
-Direct queries concerning support contracts, donations or consulting services to:<br>
-<br>
-OpenSSL Software Services, Inc.<br>
-40 E Main St, Suite 744<br>
-Newark DE 19711<br>
-USA<br>
-+1 240-215-3103<br>
-<a href="mailto:info at opensslservices.com">info at opensslservices.com</a>
-<p>
-You will probably wind up talking to Steve Marquess who currently handles OpenSSL commercial contracting,  he is
-reachable directly at <a href="mailto:marquess at openssl.com">marquess at openssl.com</a> or
-the telephone number above. 
diff --git a/support/funding/support-definitions.wml b/support/funding/support-definitions.wml
deleted file mode 100644
index b8e8ccf..0000000
--- a/support/funding/support-definitions.wml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Support Contract Definitions</title>
-
-<h1>Definitions</h1>
-<p>
-Terms used in the description of the support contract options.
-<p>
-<ul>
-<li><font id=sf>Customer Contacts</font>: customer personnel familiar with the customer's software environment coordinating technical support correspondence between the customer and OSF personnel for a specific service request.  The Customer Contacts are the sole liaisons for such technical correspondence with the OSF.  It is recommended that the Customer Contacts be knowledgeable about the customer environment and use of the OpenSSL software and have an understanding of the problem for which support services are requested.
-<p>
-<li><font id=sf>Designated Responder</font>: All technical support is provided by OpenSSL team members or their close collaborators in the OpenSSL developer community.  A designated responder is an OpenSSL team member directly handling a support request and communicating directly with the Customer Contact.
-<p>
-<li><font id=sf>Institutional Response</font>:  Technical support correspondence originating or reviewed by one or more OpenSSL team members but communicated indirectly by other OSF personnel.
-<p>
-<li><font id=sf>Patch Preparation</font>:  The preparation of a patch changeset from existing changes committed to the OpenSSL source code repository.
-<p>
-<li><font id=sf>Patch Creation</font>:  The coding of new source code modifications or additions not already committed to the OpenSSL source code repository.  The resolution of problems identified in the OpenSSL software itself will generally be resolved by committing the code modifications to the OpenSSL source code repository; such modifications automatically define a patch.  For support plan options custom software modifications may be performed that are specific to the customer environment.  Such custom modifications will not be committed to the publicly available source code repository and will be delivered to the customer as custom patches.
-<p>
-<li><font id=sf>Service Request</font>: A specific request for support initiated by a Support Administrator and assigned a service request number by the OSF.
-<p>
-<li><font id=sf>Support Administrator</font>: An individual designated by the customer to submit requests for technical support to the OSF.  The number of individuals that can be designated as support administrators varies with the support plan option.  The support administrator may be a Customer Contact in the context of a specific Service Request, or may designate a Customer Contact for Service Requests.
-</ul>
diff --git a/support/funding/support-faq.txt b/support/funding/support-faq.txt
deleted file mode 100644
index 64b9e69..0000000
--- a/support/funding/support-faq.txt
+++ /dev/null
@@ -1,229 +0,0 @@
-OpenSSL Support Contracts  -  Frequently Asked Questions
---------------------------------------
-
-[General] General questions
-
-* How does this commercialisation impact the OpenSSL mission?
-* What is the target market?
-* Why pay for support when I can get it for free?
-* Can we just send a donation instead?
-* Why hasn't this been done before?
-
-[Plans] The support plans
-
-* What is covered by the support plans?
-* What if we need new features not covered by the support plan?
-* What about support for FIPS140 and the OpenSSL FIPS Object Module?
-* Why is there no per-incident support option?
-* Will subscribers have an inside track on vulnerability announcements?
-
-[Services] Consulting Services
-
-* What about other types of consulting services?
-* What is a "private label" validation?
-
-[Legal and Financial] Legal questions
-
-* Who or what exactly am I contracting with?
-* Where does the money for support contract subscriptions go?
-* Are the support plans listed on a GSA schedule?
-
-[Miscellaneous]
-
-* What if we need help with proprietary or sensitive information?
-* Why the separate domain name?
-
-===============================================================================
-
-[General] ========================================================================
-
-* How does this commercialisation impact the OpenSSL mission?
-
-It doesn't.  OpenSSL is not being commercialised and there will *not* be
-separate "paid" and "free" versions of the software.
-
-The OpenSSL mission of providing a high quality open source
-cryptographic library for use by anyone under a very business friendly license
-will not change.  The same OpenSSL team members will continue to improve and
-maintain the OpenSSL product for general use as always.
-
-The only commercial aspect that has been introduced is that corporate,
-institutional, and government users now have the option of purchasing
-commercial software support for the same open source product that is freely
-available to everyone.  These paid support subscriptions help support the OpenSSL
-team members actively working on the OpenSSL product and so indirectly benefit
-the entire user community.
-
-* What is the target market?
-
-We are primarily targeting the commercial vendors with a significant stake in
-the OpenSSL product who wish to have an assured level of support and to
-sponsor the continued development and maintenance of OpenSSL.  We anticipate
-that our typical customer will fit most of the follow criteria: 
-
-a) Is a medium to large software product or services vendor,
-b) Uses OpenSSL as an important component of those products or services,
-c) Has an interest in the future stability and development of OpenSSL,
-d) Has significant on-house technical expertise but recognises that
-specialised external support wold be cost-effective
-
-* Why pay for support when I can get it for free?
-
-Why indeed?  If you're satisfied with the extensive support available from the
-@@@collaborative community(../community.html)@@@ and the expertise, proficiency, and resource availability of your
-current technical staff then this service is not designed for you.
-
-This support contract option is designed for companies that do not have, or
-cannot spare, the in-house technical resources for utilising or customising
-OpenSSL, who want the assurance that appropriate technical assistance will
-be available when needed, and who may not want their technical queries and
-discussions seen by the entire world.
-
-* Can we just send a donation instead?
-
-Absolutely, @@@donations(../donations.html)@@@ are welcome and will help make
-OpenSSL a better product.  Please note that the OSF is not a qualified
-non-profit entity under the U.S. tax code and hence donations from individuals are not
-tax-deductible.  We looked into 501(c)(3) tax exemption; it costs more and
-takes a long time.  Since our primary purpose is to provide services to the
-commercial and government markets and not to solicit charitable
-contributions we have elected to defer pursuit of tax exempt status for now.
-
-* Why hasn't this been done before?
-
-Sloth and inertia, basically.  Although the demand for such a service has been
-apparent for some time it took a while to work out how to structure a solution
-that addressed the legal, financial, and operational issues.
-
-[Plans] =======================================================================
-
-* What is covered by the support plans?
-
-All of the support plans are designed to provide technical assistance with use
-of relatively recently released versions of the OpenSSL product for platforms
-supported by those versions.  Assistance with using the existing API,
-compile/link errors, runtime problem diagnosis, and portability issues for
-currently supported platforms would all be covered under the
-terms of the support contract.  Porting to completely new platforms,
-development of new functionality, or use of OpenSSL in a context clearly not
-anticipated at the time of release is not covered by the standard plans.
-
-Merging of bug or vulnerability fixes from a newer release or the development
-trunk to an older supported release will *generally* be covered (the exception
-being modifications involving significant interface incompatibilities).
-
-* What if we need new features not covered by the support plan?
-
-The incorporation of completely new functionality (new cryptographic
-algorithms, implementation of new RFCs, etc.) is not covered.  However, the
-OSF can quote a separate development task on a time-and-materials or hourly
-rate basis. 
-
-* What about support for FIPS140 and the OpenSSL FIPS Object Module?
-
-The OpenSSL FIPS Object Module validations are based on source code derived
-from the baseline OpenSSL product but are not synonymous with that product.
-FIPS 140-2 presents some unique challenges transcending the more purely
-technical issues of OpenSSL proper.  FPS 140-2 is also of interest to a
-relatively small subset of the user community.
-
-The standard support plans will cover operational problems with OpenSSL in "FIPS
-compatible" mode but do not cover building of the validated FIPS Object Module
-itself.  Support for the FIPS Object Module, including assistance with
-building a validated module for a specific platform (if possible) is available
-with the Premium plan or as a separate support plan that can be negotiated to
-suit your specific requirements.
-
-* Why is there no per-incident support option?
-
-We are a very low overhead organisation with no front office to handle a
-significant volume of new customer contacts.  All OSF personnel are
-primarily or exclusively dedicated to providing technical services; we could
-only support per-incident customers at the expense of the annual support plan
-subscribers.  At this point we don't have a feel for the potential demand for
-per-incident support and so can't justify the additional staffing such support
-may require.  We may reconsider this position at some point
-
-* Will subscribers have an inside track on vulnerability announcements?
-
-The OpenSSL team will not be deliberately withholding any information from the
-general open source community for the benefit of paid support plan
-subscribers.  We are not changing our mission!
-
-For some types of vulnerabilities the OpenSSL team will work on a fix before
-making any public announcement.  Support plan subscribers will not have any
-special access to the unannounced details of such vulnerabilities.  However,
-we will alert subscribers to the fact that a patch will be required as soon as
-we can do so, and will prepare appropriate patches in advance to the extent
-our knowledge of your specific situation permits.
-
-[Services] =======================================================================
-
-* What about other types of consulting services?
-
-OpenSSL team members have been providing consulting and custom software
-development services on an ad-hoc basis for many years.  In fact, it was the
-increasing demand for such services that led to the creation of the OpenSSL
-Software Foundation.  Consulting service contracts can be provided on a hourly rate
-for one or more OpenSSL team members, or we can prepare a fixed-price proposal
-for clearly defined deliverables.
-
-* What is a "private label" validation?
-
-Even though the OpenSSL FIPS Object Module FIPS 140-2 validations were designed for direct
-use by commercial software vendors, for various reasons some vendors prefer to obtain
-separate validations for their OpenSSL derived software.  That sounds wasteful, and it
-is, but in fact the majority of all level 1 FIPS 140-2 validated software products are
-based on OpenSSL.  Due to our extensive experience in such validations we can cost-effectively
-provide the documentation and CMVP test lab interaction for private label validations.
-
-[Legal and Financial] =======================================================================
-
-* Who or what exactly am I contracting with?
-
-There is no formal legal entity corresponding with the OpenSSL team itself,
-which is an informal collaborative association of individuals around the
-world.  We created a legal entity to represent the OpenSSL team members
-actively participating in the support contract initiative.  That entity, the
-OpenSSL Software Foundation (OSF) will execute the formal support contract
-agreements and handle the associated business functions.  The actual technical
-support will be provided by OpenSSL team members.
-
-* Where does the money for support contract subscriptions go?
-
-It all goes to the people directly providing the technical support services
-and to current active OpenSSL team members.  There is no investor or parent
-company syphoning off revenue for other purposes; the OpenSSL Software
-Foundation was created specifically to support the activities of the OpenSSL
-team.
-
-Even though not all OpenSSL team members will be directly participating in or directly
-benefiting from the support subscription business all have consented to the arrangement
-and all will have full access to the financial records (tax
-filings and bank statements) of the OSF.
-
-* Are the support plans listed on a GSA schedule?
-
-Sorry, no.  Frankly the paperwork requirements are too intimidating at this
-point, and the significant costs of meeting them would have to be passed on
-to all of our customers.  Perhaps someday.
-
-[Miscellaneous] =======================================================================
-
-* What if we need help with proprietary or sensitive information?
-
-We recognise that some vendors do not wish to reveal details of their software
-products or business plans.  We will respect non-disclosure restrictions
-provided such restrictions do not constrain our ability to write and maintain OpenSSL
-or other software.
-
-* Why the separate domain name?
-
-We're conducting business using the *opensslfoundation.com* domain name instead
-of the *openssl.org* domain name because we
-want to distinguish the new for-pay support and service activities from the
-traditional OpenSSL project which will continue as before.  We would like
-to have used the *openssl.com* domain name but it is taken by someone not
-associated with the OpenSSL team.
-
-===============================================================================
diff --git a/support/funding/support-faq.wml b/support/funding/support-faq.wml
deleted file mode 100644
index 88eab91..0000000
--- a/support/funding/support-faq.wml
+++ /dev/null
@@ -1,7 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Support Contract FAQ</title>
-<h1>Support Contract FAQ</h1>
-
-<!--#include virtual="/support/funding/support-faq.inc" -->
diff --git a/support/funding/support-incident.wml b/support/funding/support-incident.wml
deleted file mode 100644
index 24273f1..0000000
--- a/support/funding/support-incident.wml
+++ /dev/null
@@ -1,10 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Support Contract Contact Info</title>
-
-<h1>Support Contract Queries</h1>
-
-At this point in time we are not offering per-incident support services, only because we want to focus our potentially limited
-resources on annual support contract subscribers.  If you are interested in such support we'd still like to hear from you, and
-we may re-evaluate our position as we see what workload and resource commitments we encounter.
diff --git a/support/funding/support-premium.wml b/support/funding/support-premium.wml
deleted file mode 100644
index 156f338..0000000
--- a/support/funding/support-premium.wml
+++ /dev/null
@@ -1,30 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Premium Support Contract</title>
-
-<h1>Premium Level Support</h1>
-<p>
-US$50,000 annually
-<p>
-(<a href="support-definitions.html">definitions</a> of terms)
-<p>
-<ul>
-<li>All technical support requests handled directly by a Designated Responder
-<li>24x7x365 availability
-<li>Four Support Administrators
-<li>Unlimited Service Requests
-<li>Custom patch preparation and creation
-<li>OpenSSL FIPS Object Module support included
-<li>FIPS validation support
-</ul>
-<p>
-The premium support plan is designed for the large enterprise using OpenSSL as an essential component of
-multiple products or product lines or in support of in-house or commercially provided services.
-Many prospective Premium Level customers have already hired individual OpenSSL team members for specific tasks.
-The typical large enterprise customer has a capable in-house technical staff but still finds it cost-effective
-to engage the world class talent of OpenSSL authors and maintainers.  Customisation of OpenSSL by prospective
-Schedule A customers is common, as are &#8220;private label&#8221; FIPS 140-2 validations.
-<p>
-Note we don't expect to sell very many of the premium support plans, but those few customers will receive careful
-attention for both immediate problems and long range strategic interests.
diff --git a/support/funding/support-vendor.wml b/support/funding/support-vendor.wml
deleted file mode 100644
index fb04c9d..0000000
--- a/support/funding/support-vendor.wml
+++ /dev/null
@@ -1,24 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>Vendor Support Contract</title>
-
-<h1>Vendor Level Support</h1>
-<p>
-US$20,000 annually
-<p>
-(<a href="support-definitions.html">definitions</a> of terms)
-<p>
-<ul>
-<li>Institutional Response with escalation to Designated Responder as appropriate.
-<li>12x5 availability
-<li>Two Support Administrators
-<li>Limit of four Service Requests per month
-<li>Custom patch preparation
-<li>OpenSSL FIPS Object Module support included
-<li>FIPS validation support excluded
-</ul>
-<p>
-This plan is designed for the medium enterprise using OpenSSL for a single product or product line.
-The prospective Vendor Level Support customer has a proficient technical staff but no specific expertise in cryptography or OpenSSL.
-Technical support is provided for use of the unmodified OpenSSL FIPS Object Module, but not for validations of derivative software.
diff --git a/support/funding/wishlist.wml b/support/funding/wishlist.wml
deleted file mode 100644
index a363400..0000000
--- a/support/funding/wishlist.wml
+++ /dev/null
@@ -1,20 +0,0 @@
-
-#use wml::openssl area=funding page=index
-
-<title>New Development Wish List</title>
-
-<h1>Wish List</h1>
-<p>
-Most of the OpenSSL team have full time day jobs and so are precluded from tackling some ambitious improvements
-that would otherwise attract their attention.  If and when we have the manpower available
-some of the new initiatives to improve OpenSSL that will be addressed are:
-<p>
-<ul>
-<li>Support for TLS v1.1 and 1.2.
-<p>
-<li>New algorithm schemes PSS and OAEP.
-<p>
-<li>Streaming ASN1 decode including CMS support.
-<p>
-<li>A new FIPS Object Module API that will be OpenSSL version independent and built from a separate source tarball.
-</ul>
diff --git a/support/index.html b/support/index.html
new file mode 100644
index 0000000..837f4a3
--- /dev/null
+++ b/support/index.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Commercial Support</h2></header>
+	  <div class="entry-content">
+	    <p>OpenSSL is a a collaborative effort of a worldwide
+	    <a href="/community">community</a> of volunteers. We are always
+	    grateful to receive support for the project.</p>
+
+	    <p>In addition to joining the community, you can make a
+	    direct <a href="donations.html">donation</a>
+	    to the project. Your contribution will help fund members of our
+	    development team.  Significant sponsors have a say in the future
+	    direction of OpenSSL as well as acknowledgements and logo
+	    placements.  We would like to take this opportunity to
+	    <a href="acks.html">acknowledge</a> those who have provided
+	    financial support.</p>
+
+	    <p>We provide commercial
+	    <a href="contracts.html">support contracts</a>
+	    of various types.
+	    Some members of the development team are also available
+	    for custom OpenSSL-related developent work. Please contact
+	    <a href="/community/contacts.html">OpenSSL Software Services</a>
+	    for more information.</p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Support</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
diff --git a/support/index.wml b/support/index.wml
deleted file mode 100644
index d3ec74d..0000000
--- a/support/index.wml
+++ /dev/null
@@ -1,28 +0,0 @@
-
-#use wml::openssl area=support page=index
-
-<title>Supporting OpenSSL</title>
-
-<h1>OpenSSL Support</h1>
-
-OpenSSL is a a collaborative effort of a worldwide community of volunteers. We are always happy to receive support for the project in many forms as long as the core mission of providing a high quality software product to all commercial and non-commercial users is not compromised.
-In addition to routine maintenance and development your support could help tackle projects on our <a href="funding/wishlist.html">wish list</a>.
-<p>
-You can contribute to the OpenSSL project in any of the following ways:
-
-<p>
-<ul>
-<li><a href="community.html"><font id=sfl>Join</font></a> the online community via public mailing lists<br>
-    Participate in the online community of developers, testers, and contributing end users working to make OpenSSL a better product.
-<p>
-<li><a href="donations.html"><font id=sfl>Donate</font></a> to the OpenSSL project<br>
-    Your donation will help add new capabilities to OpenSSL.  Significant sponsors have a say in the future direction of OpenSSL as well as acknowledgements and logo placements.
-<p>
-<li><a href="funding/contract.html"><font id=sfl>Fund</font></a> the OpenSSL project via a support contract<br>
-    Obtain the protection of formal support contract coverage for your commercial or government enterprise and support ongoing OpenSSL development.
-<p>
-<li><a href="consulting.html"><font id=sfl>Hire</font></a> individual OpenSSL team members<br>
-    Some OpenSSL team members are available for custom consultancy contract work.
-<p>
-</ul>
-
diff --git a/support/majordomo.wml b/support/majordomo.wml
deleted file mode 100644
index cec470f..0000000
--- a/support/majordomo.wml
+++ /dev/null
@@ -1,8 +0,0 @@
-#!wml -oPAGE_HEADuPAGE_BODY:majordomo.head.html -oPAGE_FOOT:majordomo.foot.html
-
-#use wml::openssl area=support page=lists
-
-<title>Support, Mailing Lists</title>
-
-<h1>OpenSSL Mailing Lists</h1>
-
diff --git a/support/other.wml b/support/other.wml
deleted file mode 100644
index 00210fe..0000000
--- a/support/other.wml
+++ /dev/null
@@ -1,36 +0,0 @@
-
-#use wml::openssl area=related page=commercial
-
-<title>Related, Commercial</title>
-
-<h1>Other OpenSSL Realted Commercial Services</h1>
-
-These are commercial offers with respect to OpenSSL, e.g. people/organizations
-offering support.
-
-<p>
-
-<b>Disclaimer:</b>
-The offers listed below are not necessarily related to the OpenSSL
-team. Neither the sorting nor the pure fact of being listed does
-in any way provide a statement about the quality of the offering.
-
-<p>
-
-If you want yourself or your company to be listed here, please send a
-message to
-<a href="mailto:openssl-info at openssl.org">openssl-info at openssl.org</a>.
-The message needs to include the company name, and information string
-and a URL.
-
-<ul>
-    <item name="Linux4biz"
-          info="Linux4biz  specialises in all aspects of apache and openssl deployment, support and security."
-          url="http://www.linux4biz.net/">
-    <item name="Secure Endpoints Inc."
-	  info="Expert consulting and software development services, OpenSSL and more"
-	  url="http://www.secure-endpoints.com/">
-    <item name="dmp|cda"
-	  info="Websolutions including OpenSSL and more"
-	  url="http://www.dmpcda.de/">
-</ul>
diff --git a/support/rt.wml b/support/rt.wml
deleted file mode 100644
index c3a705c..0000000
--- a/support/rt.wml
+++ /dev/null
@@ -1,55 +0,0 @@
-
-#use wml::openssl area=support page=rt
-
-<title>Support, Request Tracker</title>
-
-<h1>OpenSSL Request Tracker</h1>
-
-We have set up a request tracker at
-<a href="http://rt.openssl.org/">http://rt.openssl.org/</a>
-offering read-only access using the account <tt>guest</tt> with the
-password <tt>guest</tt>.
-
-The username and password can also be specified in the URL, as can a link
-to a specific bug.  For example:
-<a href="http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1">
-http://rt.openssl.org/Ticket/Display.html?user=guest&amp;pass=guest&amp;id=1</a>
-
-<h2>List of Bugs/Requests</h2>
-
-Please see the
-<a href="http://rt.openssl.org/NoAuth/Buglist.html">list</a>
-of new or open bugs and requests.
-
-<h2>Sending a Request</h2>
-
-To create a new bug or enhancement request, send email to
-<a href="mailto:rt at openssl.org">rt at openssl.org</a>, clearly indicating
-the type of request (bug report, patch, contribution, enhancement request,
-...) the operating system and version of OpenSSL affected.
-If you have a patch or diff, please send it as an attachment, and not
-inline in the message body.
-
-The easiest way to respond to an existing request is to reply to the relevant
-message in <tt>openssl-dev at openssl.org</tt>. To help avoid duplicate copies,
-edit the recipient list so that only
-<tt>rt at openssl.org</tt> is listed and remove any quoted material.
-You can also create a new email by having the subject line start with a
-special prefix.
-For example to reply to ID #9999
-you'd send a message to <tt>rt at openssl.org</tt> including <tt>[openssl.org #9999]</tt> in the subject.
-
-<h2>Gateways</h2>
-
-Incoming requests are added to the request tracker. The request tracker
-automatically forwards incoming requests to the
-<tt>openssl-dev at openssl.org</tt>
-mailing list for information of the community and public discussion.
-Replies sent to <tt>rt at openssl.org</tt> keeping the ticket in the
-subject line unchanged will be recorded and added to the ticket by the
-request tracker, then forwarded to <tt>openssl-dev at openssl.org</tt>.
-
-<h2>Request Tracker Software</h2>
-
-The request tracker is using the RT software, available from
-<a href="http://www.bestpractical.com/rt/">http://www.bestpractical.com/rt/</a>.
diff --git a/support/sidebar.inc b/support/sidebar.inc
new file mode 100644
index 0000000..c3ac2b8
--- /dev/null
+++ b/support/sidebar.inc
@@ -0,0 +1,18 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Commercial Support</a></h1>
+    <ul>
+      <li>
+	  <a href="donations.html">Donations</a>
+      </li>
+      <li>
+	  <a href="acks.html">Acknowledgements</a>
+      </li>
+      <li>
+	  <a href="contracts.html">Support Contracts</a>
+      </li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->
diff --git a/template-file.html b/template-file.html
new file mode 100644
index 0000000..298c5a0
--- /dev/null
+++ b/template-file.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>XXX name</h2></header>
+	  <div class="entry-content">
+	    <p>
+
+	    </p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">XXX-subdirname</a>
+	    <!--
+	    : <a href="">xxx topic name</a>
+	    -->
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>

From rsalz at openssl.org  Sat Aug 15 17:25:46 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 17:25:46 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439659546.478285.17154.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a7b78d1e638f196112945cab8f86ad29594c4ea6 (commit)
      from  e42ef50e5b67be76e0a2e0b14d3ec85fdc88d7ec (commit)


- Log -----------------------------------------------------------------
commit a7b78d1e638f196112945cab8f86ad29594c4ea6
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 13:25:30 2015 -0400

    Fix source/old indices

-----------------------------------------------------------------------

Summary of changes:
 Makefile                    | 2 +-
 source/old/0.9.x/index.html | 5 +++--
 source/old/1.0.0/index.html | 5 +++--
 source/old/1.0.1/index.html | 5 +++--
 source/old/1.0.2/index.html | 5 +++--
 source/old/fips/index.html  | 5 +++--
 source/old/index.html       | 5 +++--
 source/sidebar.inc          | 3 +++
 8 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/Makefile b/Makefile
index 1e0ddaa..dc5711b 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,7 @@ SIMPLE = newsflash.inc sitemap.txt \
 	 news/vulnerabilities.inc \
 	 source/license.txt \
 	 source/index.inc
-SRCLISTS = source/old/index.inc \
+SRCLISTS = \
 	   source/old/0.9.x/index.inc \
 	   source/old/1.0.0/index.inc \
 	   source/old/1.0.1/index.inc \
diff --git a/source/old/0.9.x/index.html b/source/old/0.9.x/index.html
index dc74bce..07b991f 100644
--- a/source/old/0.9.x/index.html
+++ b/source/old/0.9.x/index.html
@@ -15,15 +15,16 @@
         <footer>
           You are here: <a href="/">Home</a>
           : <a href=".">Source</a>
+          : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
+        <!--#include virtual="/inc/legalities.inc" -->
       </article>
 
 
     </div>
-    <!--NO NO #include virtual="sidebar.inc" -->
+    <!--#include virtual="../../sidebar.inc" -->
   </div>
-  <!--#include virtual="/inc/legalities.inc" -->
 
 </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/source/old/1.0.0/index.html b/source/old/1.0.0/index.html
index a040259..2fae25b 100644
--- a/source/old/1.0.0/index.html
+++ b/source/old/1.0.0/index.html
@@ -12,18 +12,19 @@
           <p>Here are the old 1.0.0 releases.</p>
           <!--#include virtual="index.inc" -->
         </div>
+        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href=".">Source</a>
+          : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
 
 
     </div>
-    <!--NO NO #include virtual="sidebar.inc" -->
+    <!--#include virtual="../../sidebar.inc" -->
   </div>
-  <!--#include virtual="/inc/legalities.inc" -->
 
 </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/source/old/1.0.1/index.html b/source/old/1.0.1/index.html
index 5028934..eb2121d 100644
--- a/source/old/1.0.1/index.html
+++ b/source/old/1.0.1/index.html
@@ -12,18 +12,19 @@
           <p>Here are the old 1.0.1 releases.</p>
           <!--#include virtual="index.inc" -->
         </div>
+        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href=".">Source</a>
+          : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
 
 
     </div>
-    <!--NO NO #include virtual="sidebar.inc" -->
+    <!--#include virtual="../../sidebar.inc" -->
   </div>
-  <!--#include virtual="/inc/legalities.inc" -->
 
 </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/source/old/1.0.2/index.html b/source/old/1.0.2/index.html
index b238dcf..8ed017a 100644
--- a/source/old/1.0.2/index.html
+++ b/source/old/1.0.2/index.html
@@ -12,18 +12,19 @@
           <p>Here are the old 1.0.2 releases.</p>
           <!--#include virtual="index.inc" -->
         </div>
+        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href=".">Source</a>
+          : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
 
 
     </div>
-    <!--NO NO #include virtual="sidebar.inc" -->
+    <!--#include virtual="../../sidebar.inc" -->
   </div>
-  <!--#include virtual="/inc/legalities.inc" -->
 
 </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/source/old/fips/index.html b/source/old/fips/index.html
index 1ade710..80385d7 100644
--- a/source/old/fips/index.html
+++ b/source/old/fips/index.html
@@ -12,18 +12,19 @@
           <p>Here are the old xxx releases.</p>
           <!--#include virtual="index.inc" -->
         </div>
+        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href=".">Source</a>
+          : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
 
 
     </div>
-    <!--NO NO #include virtual="sidebar.inc" -->
+    <!--#include virtual="../../sidebar.inc" -->
   </div>
-  <!--#include virtual="/inc/legalities.inc" -->
 
 </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/source/old/index.html b/source/old/index.html
index 4d2b267..9e5b4e5 100644
--- a/source/old/index.html
+++ b/source/old/index.html
@@ -18,18 +18,19 @@
             <li><a href="fips">fips</a></li>
           </ul>
         </div>
+        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href=".">Source</a>
+          : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
 
 
     </div>
-    <!--NO NO #include virtual="sidebar.inc" -->
+    <!--#include virtual="../sidebar.inc" -->
   </div>
-  <!--#include virtual="/inc/legalities.inc" -->
 
 </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/source/sidebar.inc b/source/sidebar.inc
index 4eab542..7b631e5 100644
--- a/source/sidebar.inc
+++ b/source/sidebar.inc
@@ -10,6 +10,9 @@
 	<a href="license.html">License</a>
       </li>
       <li>
+        <a href="old">Old Releases</a>
+      </li>
+      <li>
 	<a href="mirror.html">Mirror Sites</a>
       </li>
     </ul>

From rsalz at openssl.org  Sat Aug 15 17:30:07 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 17:30:07 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439659807.484342.17923.nullmailer@dev.openssl.org>

The branch master has been updated
       via  703a70aaedec96c63d13bcea884f04cee4a58b97 (commit)
      from  a7b78d1e638f196112945cab8f86ad29594c4ea6 (commit)


- Log -----------------------------------------------------------------
commit 703a70aaedec96c63d13bcea884f04cee4a58b97
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 13:30:04 2015 -0400

    ignore source/old/ tgz files

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.gitignore b/.gitignore
index 4e9329d..e0646bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,9 @@ source/*.gz.md5
 source/*.gz.sha1
 source/*.tar.gz.sig
 source/*.patch
+source/old/x/*.tar.gz*
+source/old/0.9.x/*.tar.gz*
+source/old/1.0.0/*.tar.gz*
+source/old/1.0.1/*.tar.gz*
+source/old/1.0.2/*.tar.gz*
+source/old/fips/*.tar.gz*

From rsalz at openssl.org  Sat Aug 15 17:33:06 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 17:33:06 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439659986.339306.18654.nullmailer@dev.openssl.org>

The branch master has been updated
       via  907dca8062c2e3b9d2e1242258ee7de822c87447 (commit)
      from  703a70aaedec96c63d13bcea884f04cee4a58b97 (commit)


- Log -----------------------------------------------------------------
commit 907dca8062c2e3b9d2e1242258ee7de822c87447
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 13:33:03 2015 -0400

    More ignore fixes, from dynamic content

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index e0646bc..f4c749a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,25 +1,16 @@
 *.swp
+*.inc
 sitemap.txt
-docs/faq.inc
 docs/faq.txt
-docs/fips.inc
-news/changelog.inc
 news/changelog.txt
-news/newsflash.inc
 news/vulnerabilities.html
-news/vulnerabilities.inc
-newsflash.inc
-source/index.inc
 source/license.txt
 docs/HOWTO/*.txt
-source/*.gz
-source/*.gz.asc
-source/*.gz.md5
-source/*.gz.sha1
-source/*.tar.gz.sig
+source/*.gz*
 source/*.patch
 source/old/x/*.tar.gz*
 source/old/0.9.x/*.tar.gz*
+source/old/0.9.x/*.patch
 source/old/1.0.0/*.tar.gz*
 source/old/1.0.1/*.tar.gz*
 source/old/1.0.2/*.tar.gz*

From rsalz at openssl.org  Sat Aug 15 17:44:24 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 17:44:24 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439660664.588838.20616.nullmailer@dev.openssl.org>

The branch master has been updated
       via  03e725858a77a8d76452903516c2529fd30c6f40 (commit)
      from  907dca8062c2e3b9d2e1242258ee7de822c87447 (commit)


- Log -----------------------------------------------------------------
commit 03e725858a77a8d76452903516c2529fd30c6f40
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 13:44:20 2015 -0400

    Fix most of relupd target

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 11 ++++-------
 Makefile   | 23 ++++++++++++++++++-----
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index f4c749a..f448120 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 *.swp
 *.inc
+blog
 sitemap.txt
 docs/faq.txt
 news/changelog.txt
@@ -8,10 +9,6 @@ source/license.txt
 docs/HOWTO/*.txt
 source/*.gz*
 source/*.patch
-source/old/x/*.tar.gz*
-source/old/0.9.x/*.tar.gz*
-source/old/0.9.x/*.patch
-source/old/1.0.0/*.tar.gz*
-source/old/1.0.1/*.tar.gz*
-source/old/1.0.2/*.tar.gz*
-source/old/fips/*.tar.gz*
+source/old/*/*.tar.gz*
+source/old/*/*.patch
+source/old/*/*.txt.asc
diff --git a/Makefile b/Makefile
index dc5711b..1028456 100644
--- a/Makefile
+++ b/Makefile
@@ -3,8 +3,10 @@
 
 ##  Snapshot directory
 SNAP = /var/cache/openssl/checkouts/openssl
+## Where releases are found.
 RELEASEDIR = /var/www/openssl/source
 
+
 # All simple generated files.
 SIMPLE = newsflash.inc sitemap.txt \
 	 docs/faq.txt docs/faq.inc docs/fips.inc \
@@ -22,17 +24,28 @@ SRCLISTS = \
 
 all: $(SIMPLE) $(SRCLISTS)
 
-# Legacy targets
-simple: all
-generated: all
-manpages: all
-rebuild: all
 relupd: all
+	if [ "`id -un`" != openssl ]; then \
+	    echo "You must run this as 'openssl'" ; \
+	    echo "     sudo -u openssl -H make"; \
+	    exit 1; \
+	fi
+	cd $(SNAP)/.. ; for dir in openssl* ; do \
+	    echo Updating $$dir ; ( cd $$dir ; git pull $(QUIET) ) ; \
+	done
+	git pull $(QUIET)
+	$(MAKE)
 
 # To be fixed.
 hack-source_htaccess:
 	exit 1;
 
+# Legacy targets
+simple: all
+generated: all
+manpages: all
+rebuild: all
+
 clean:
 	rm -f $(SIMPLE)
 

From rsalz at openssl.org  Sat Aug 15 17:55:50 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 17:55:50 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439661350.776274.22147.nullmailer@dev.openssl.org>

The branch master has been updated
       via  c4ec6409d5d46ef41047d2085814534c7ad53e54 (commit)
      from  03e725858a77a8d76452903516c2529fd30c6f40 (commit)


- Log -----------------------------------------------------------------
commit c4ec6409d5d46ef41047d2085814534c7ad53e54
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 13:55:10 2015 -0400

    Remove HOWTO (for now?), old URL patching.

-----------------------------------------------------------------------

Summary of changes:
 docs/.htaccess       |  4 ++++
 docs/HOWTO/index.wml | 17 -----------------
 source/sidebar.inc   |  9 +++++----
 3 files changed, 9 insertions(+), 21 deletions(-)
 create mode 100644 docs/.htaccess
 delete mode 100644 docs/HOWTO/index.wml

diff --git a/docs/.htaccess b/docs/.htaccess
new file mode 100644
index 0000000..fa6d11a
--- /dev/null
+++ b/docs/.htaccess
@@ -0,0 +1,4 @@
+RewriteEngine on
+RewriteBase /docs
+RewriteRule fips fips.html [L,R=302,NC]
+RewriteRule fips/* fips.html [L,R=302,NC]
diff --git a/docs/HOWTO/index.wml b/docs/HOWTO/index.wml
deleted file mode 100644
index b1c5336..0000000
--- a/docs/HOWTO/index.wml
+++ /dev/null
@@ -1,17 +0,0 @@
-
-#use wml::openssl area=documents page=HOWTO
-
-<title>Documents, HOWTO's</title>
-
-<h1>HOWTO's</h1>
-
-Here you can find a number of howto's.  These howto's are also part of the
-OpenSSL distribution, in <tt>doc/HOWTO/</tt>.
-
-<p>
-<filelist *.txt>
-
-<h2>Legalities</h2>
-
-<disclaimer>
-
diff --git a/source/sidebar.inc b/source/sidebar.inc
index 7b631e5..96eafc9 100644
--- a/source/sidebar.inc
+++ b/source/sidebar.inc
@@ -1,16 +1,17 @@
 <!-- sidebar.inc -->
+<!-- This needs full paths since the subdirs include this navbar. -->
 <aside class="sidebar">
   <section>
-    <h1><a href=".">Downloads</a></h1>
+    <h1><a href="/source">Downloads</a></h1>
     <ul>
       <li>
-	<a href="gitrepo.html">Git Repository</a>
+	<a href="/source/gitrepo.html">Git Repository</a>
       </li>
       <li>
-	<a href="license.html">License</a>
+	<a href="/source/license.html">License</a>
       </li>
       <li>
-        <a href="old">Old Releases</a>
+        <a href="/source/old">Old Releases</a>
       </li>
       <li>
 	<a href="mirror.html">Mirror Sites</a>

From rsalz at openssl.org  Sat Aug 15 18:09:02 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 18:09:02 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439662142.862722.23836.nullmailer@dev.openssl.org>

The branch master has been updated
       via  173047539a218cb383c451ec64f14fb9179f311d (commit)
      from  c4ec6409d5d46ef41047d2085814534c7ad53e54 (commit)


- Log -----------------------------------------------------------------
commit 173047539a218cb383c451ec64f14fb9179f311d
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 14:08:50 2015 -0400

    More work on old release URL's

-----------------------------------------------------------------------

Summary of changes:
 Makefile                    |  2 +-
 docs/.htaccess              |  6 ++++--
 source/old/0.9.x/index.html | 10 +++++++++-
 source/old/1.0.0/index.html | 10 +++++++++-
 source/old/1.0.1/index.html | 10 +++++++++-
 source/old/1.0.2/index.html | 10 +++++++++-
 source/old/fips/index.html  | 10 +++++++++-
 7 files changed, 50 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index 1028456..19d203c 100644
--- a/Makefile
+++ b/Makefile
@@ -90,7 +90,7 @@ source/index.inc:
 
 source/old/0.9.x/index.inc:
 	@rm -f $@
-	./bin/mk-filelist source/old/0.9.8 '' '*.gz' >$@
+	./bin/mk-filelist source/old/0.9.x '' '*.gz' >$@
 source/old/1.0.0/index.inc:
 	@rm -f $@
 	./bin/mk-filelist source/old/1.0.0 '' '*.gz' >$@
diff --git a/docs/.htaccess b/docs/.htaccess
index fa6d11a..39c9d22 100644
--- a/docs/.htaccess
+++ b/docs/.htaccess
@@ -1,4 +1,6 @@
 RewriteEngine on
 RewriteBase /docs
-RewriteRule fips fips.html [L,R=302,NC]
-RewriteRule fips/* fips.html [L,R=302,NC]
+RewriteRule fips/ fips.html [L,R=302,NC]
+RewriteRule fips/fipsnotes.html fips.html [L,R=302,NC]
+RewriteRule docs/fips/fipsvalidation.html fips.html [L,R=302,NC]
+RewriteRule docs/fips/index.html fips.html [L,R=302,NC]
diff --git a/source/old/0.9.x/index.html b/source/old/0.9.x/index.html
index 07b991f..aa1e633 100644
--- a/source/old/0.9.x/index.html
+++ b/source/old/0.9.x/index.html
@@ -10,7 +10,15 @@
         <header><h2>Old 0.9.x Releases</h2></header>
         <div class="entry-content">
           <p>Here are the old 0.9.x releases.</p>
-          <!--#include virtual="index.inc" -->
+          <table>
+            <tr>
+              <td>KBytes&nbsp;</td>
+              <td>Date&nbsp;&nbsp;</td>
+              <td>File&nbsp;</td>
+            </tr>
+            <!--#include virtual="index.inc" -->
+          </table>
+          <p>&nbsp;</p>
         </div>
         <footer>
           You are here: <a href="/">Home</a>
diff --git a/source/old/1.0.0/index.html b/source/old/1.0.0/index.html
index 2fae25b..efbb214 100644
--- a/source/old/1.0.0/index.html
+++ b/source/old/1.0.0/index.html
@@ -10,7 +10,15 @@
         <header><h2>Old 1.0.0 Releases</h2></header>
         <div class="entry-content">
           <p>Here are the old 1.0.0 releases.</p>
-          <!--#include virtual="index.inc" -->
+          <table>
+            <tr>
+              <td>KBytes&nbsp;</td>
+              <td>Date&nbsp;&nbsp;</td>
+              <td>File&nbsp;</td>
+            </tr>
+            <!--#include virtual="index.inc" -->
+          </table>
+          <p>&nbsp;</p>
         </div>
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
diff --git a/source/old/1.0.1/index.html b/source/old/1.0.1/index.html
index eb2121d..cf46c10 100644
--- a/source/old/1.0.1/index.html
+++ b/source/old/1.0.1/index.html
@@ -10,7 +10,15 @@
         <header><h2>Old 1.0.1 Releases</h2></header>
         <div class="entry-content">
           <p>Here are the old 1.0.1 releases.</p>
-          <!--#include virtual="index.inc" -->
+          <table>
+            <tr>
+              <td>KBytes&nbsp;</td>
+              <td>Date&nbsp;&nbsp;</td>
+              <td>File&nbsp;</td>
+            </tr>
+            <!--#include virtual="index.inc" -->
+          </table>
+          <p>&nbsp;</p>
         </div>
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
diff --git a/source/old/1.0.2/index.html b/source/old/1.0.2/index.html
index 8ed017a..9934b85 100644
--- a/source/old/1.0.2/index.html
+++ b/source/old/1.0.2/index.html
@@ -10,7 +10,15 @@
         <header><h2>Old 1.0.2 Releases</h2></header>
         <div class="entry-content">
           <p>Here are the old 1.0.2 releases.</p>
-          <!--#include virtual="index.inc" -->
+          <table>
+            <tr>
+              <td>KBytes&nbsp;</td>
+              <td>Date&nbsp;&nbsp;</td>
+              <td>File&nbsp;</td>
+            </tr>
+            <!--#include virtual="index.inc" -->
+          </table>
+          <p>&nbsp;</p>
         </div>
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
diff --git a/source/old/fips/index.html b/source/old/fips/index.html
index 80385d7..933374a 100644
--- a/source/old/fips/index.html
+++ b/source/old/fips/index.html
@@ -10,7 +10,15 @@
         <header><h2>Old XXX Releases</h2></header>
         <div class="entry-content">
           <p>Here are the old xxx releases.</p>
-          <!--#include virtual="index.inc" -->
+          <table>
+            <tr>
+              <td>KBytes&nbsp;</td>
+              <td>Date&nbsp;&nbsp;</td>
+              <td>File&nbsp;</td>
+            </tr>
+            <!--#include virtual="index.inc" -->
+          </table>
+          <p>&nbsp;</p>
         </div>
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>

From rsalz at openssl.org  Sat Aug 15 18:19:44 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 18:19:44 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439662784.513286.24928.nullmailer@dev.openssl.org>

The branch master has been updated
       via  89738db3a78e48c58284fa9f69abcbbf56a1b4cc (commit)
      from  173047539a218cb383c451ec64f14fb9179f311d (commit)


- Log -----------------------------------------------------------------
commit 89738db3a78e48c58284fa9f69abcbbf56a1b4cc
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 14:19:14 2015 -0400

    mv some files, fix some links.

-----------------------------------------------------------------------

Summary of changes:
 Makefile                               | 2 +-
 getnames.pl => bin/getnames.pl         | 0
 run-pod2html.sh => bin/run-pod2html.sh | 0
 community/sidebar.inc                  | 2 +-
 docs/fips.html                         | 2 +-
 policies/cla.html                      | 2 +-
 source/old/fips/index.html             | 4 ++--
 7 files changed, 6 insertions(+), 6 deletions(-)
 rename getnames.pl => bin/getnames.pl (100%)
 rename run-pod2html.sh => bin/run-pod2html.sh (100%)

diff --git a/Makefile b/Makefile
index 19d203c..23d0275 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ manpages: all
 rebuild: all
 
 clean:
-	rm -f $(SIMPLE)
+	rm -f $(SIMPLE) $(SRCLISTS)
 
 newsflash.inc: news/newsflash.inc
 	@rm -f $@
diff --git a/getnames.pl b/bin/getnames.pl
similarity index 100%
rename from getnames.pl
rename to bin/getnames.pl
diff --git a/run-pod2html.sh b/bin/run-pod2html.sh
similarity index 100%
rename from run-pod2html.sh
rename to bin/run-pod2html.sh
diff --git a/community/sidebar.inc b/community/sidebar.inc
index 4cbbebb..7017277 100644
--- a/community/sidebar.inc
+++ b/community/sidebar.inc
@@ -19,7 +19,7 @@
           <a href="http://wiki.openssl.org">Wiki</a>
       </li>
       <li>
-          <a href="http://www.openssl.org/blog">Blog</a>
+          <a href="/blog">Blog</a>
       </li>
       <li>
 	  <a href="binaries.html">Binaries</a>
diff --git a/docs/fips.html b/docs/fips.html
index 61b4378..a942515 100644
--- a/docs/fips.html
+++ b/docs/fips.html
@@ -33,7 +33,7 @@
 	    includes the largest number of formally tested platforms for any
 	    validated module.</p>
 
-	    The <a href="http://www.openssl.org/source/openssl-fips-2.0.1.tar.gz">source code</a> and
+	    The <a href="/source/openssl-fips-2.0.1.tar.gz">source code</a> and
 	    <a href="fips/UserGuide-2.0.pdf">User Guide</a> are available.
 	    Here is the complete set of files:</p>
 
diff --git a/policies/cla.html b/policies/cla.html
index 77ff892..a13319c 100644
--- a/policies/cla.html
+++ b/policies/cla.html
@@ -13,7 +13,7 @@
 	  <div class="entry-content">
 	    <p>
 	    As we described in
-	    <a href="http://www.openssl.org/blog/blog/2015/08/01/cla/">a recent blog post</a>,
+	    <a href="/blog/blog/2015/08/01/cla/">a blog post</a>,
 	    we will soon require almost every
 	    contributor to have a signed Contributor License Agreement (CLA)
 	    on file.  We are following the practice of
diff --git a/source/old/fips/index.html b/source/old/fips/index.html
index 933374a..a5058b2 100644
--- a/source/old/fips/index.html
+++ b/source/old/fips/index.html
@@ -7,9 +7,9 @@
   <div id="content">
     <div class="blog-index">
       <article>
-        <header><h2>Old XXX Releases</h2></header>
+        <header><h2>Old FIPS Releases</h2></header>
         <div class="entry-content">
-          <p>Here are the old xxx releases.</p>
+          <p>Here are the old FIPS releases.</p>
           <table>
             <tr>
               <td>KBytes&nbsp;</td>

From rsalz at openssl.org  Sat Aug 15 18:34:06 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 18:34:06 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439663646.691898.26864.nullmailer@dev.openssl.org>

The branch master has been updated
       via  b4ff83c2d59972634c1fb5cec296e8b4b4217c55 (commit)
      from  89738db3a78e48c58284fa9f69abcbbf56a1b4cc (commit)


- Log -----------------------------------------------------------------
commit b4ff83c2d59972634c1fb5cec296e8b4b4217c55
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 14:33:52 2015 -0400

    CLA PDF's moved

-----------------------------------------------------------------------

Summary of changes:
 .htaccess                 |   3 +++
 bin/mk-sitemap            |   4 +++-
 licenses/openssl_ccla.pdf | Bin 37962 -> 0 bytes
 licenses/openssl_icla.pdf | Bin 37290 -> 0 bytes
 4 files changed, 6 insertions(+), 1 deletion(-)
 delete mode 100644 licenses/openssl_ccla.pdf
 delete mode 100644 licenses/openssl_icla.pdf

diff --git a/.htaccess b/.htaccess
index ac417dd..62a857a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -4,6 +4,9 @@ RewriteEngine on
 
 Options +ExecCGI +FollowSymLinks
 
+RewriteRule licenses/openssl_ccla.pdf policies/openssl_ccla.pdf
+RewriteRule licenses/openssl_icla.pdf policies/openssl_icla.pdf
+
 <Files *.md5>
 ForceType application/binary
 </Files>
diff --git a/bin/mk-sitemap b/bin/mk-sitemap
index d53d3cb..ee76444 100755
--- a/bin/mk-sitemap
+++ b/bin/mk-sitemap
@@ -9,6 +9,8 @@ dodir()
     my @files = ();
     my @dirs = ();
 
+    return if $dir eq 'source/old' || $dir eq 'docs/fips';
+
     foreach my $entry ( glob($dir . "/*")) {
 	if (-f $entry ) {
 	    next unless $entry =~ m/.*\.(html|pdf|txt|png)$/;
@@ -26,7 +28,7 @@ dodir()
 
     foreach my $entry ( @dirs) {
 	$entry =~ s@^\.\/@@;
-	next if $entry =~ m/.git|inc|img|bin/;
+	next if $entry =~ m/.git|inc|img|bin|blog/;
 	next if $entry =~ m/secadv/;
 	my $simple = $entry;
 	$simple =~ s at .*/@@;
diff --git a/licenses/openssl_ccla.pdf b/licenses/openssl_ccla.pdf
deleted file mode 100644
index 031ed4c..0000000
Binary files a/licenses/openssl_ccla.pdf and /dev/null differ
diff --git a/licenses/openssl_icla.pdf b/licenses/openssl_icla.pdf
deleted file mode 100644
index 798b231..0000000
Binary files a/licenses/openssl_icla.pdf and /dev/null differ

From rsalz at openssl.org  Sat Aug 15 18:41:16 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 18:41:16 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439664076.965014.27759.nullmailer@dev.openssl.org>

The branch master has been updated
       via  177bf95046063c83c2e0fca944acde7da178824d (commit)
      from  b4ff83c2d59972634c1fb5cec296e8b4b4217c55 (commit)


- Log -----------------------------------------------------------------
commit 177bf95046063c83c2e0fca944acde7da178824d
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 14:41:13 2015 -0400

    Remove old images, broken link, mv OCB license

-----------------------------------------------------------------------

Summary of changes:
 images/misc-new.gif                                | Bin 111 -> 0 bytes
 images/misc-space.imgdot-1x1-transp-ffffff.gif     | Bin 43 -> 0 bytes
 images/misc-space.imgdot-1x1-transp.gif            | Bin 43 -> 0 bytes
 images/smartisan-logo-med.jpg                      | Bin 6744 -> 0 bytes
 {images => img}/symantec-logo-large.jpg            | Bin
 news/secadv/20130204.txt                           |   1 -
 {docs/misc => source}/OCB-patent-grant-OpenSSL.pdf | Bin
 source/sidebar.inc                                 |  10 ++++++++--
 8 files changed, 8 insertions(+), 3 deletions(-)
 delete mode 100644 images/misc-new.gif
 delete mode 100644 images/misc-space.imgdot-1x1-transp-ffffff.gif
 delete mode 100644 images/misc-space.imgdot-1x1-transp.gif
 delete mode 100644 images/smartisan-logo-med.jpg
 rename {images => img}/symantec-logo-large.jpg (100%)
 delete mode 120000 news/secadv/20130204.txt
 rename {docs/misc => source}/OCB-patent-grant-OpenSSL.pdf (100%)

diff --git a/images/misc-new.gif b/images/misc-new.gif
deleted file mode 100644
index ede003b..0000000
Binary files a/images/misc-new.gif and /dev/null differ
diff --git a/images/misc-space.imgdot-1x1-transp-ffffff.gif b/images/misc-space.imgdot-1x1-transp-ffffff.gif
deleted file mode 100644
index 35d42e8..0000000
Binary files a/images/misc-space.imgdot-1x1-transp-ffffff.gif and /dev/null differ
diff --git a/images/misc-space.imgdot-1x1-transp.gif b/images/misc-space.imgdot-1x1-transp.gif
deleted file mode 100644
index 5bfd67a..0000000
Binary files a/images/misc-space.imgdot-1x1-transp.gif and /dev/null differ
diff --git a/images/smartisan-logo-med.jpg b/images/smartisan-logo-med.jpg
deleted file mode 100644
index aea6e25..0000000
Binary files a/images/smartisan-logo-med.jpg and /dev/null differ
diff --git a/images/symantec-logo-large.jpg b/img/symantec-logo-large.jpg
similarity index 100%
rename from images/symantec-logo-large.jpg
rename to img/symantec-logo-large.jpg
diff --git a/news/secadv/20130204.txt b/news/secadv/20130204.txt
deleted file mode 120000
index 05a9e9e..0000000
--- a/news/secadv/20130204.txt
+++ /dev/null
@@ -1 +0,0 @@
-secadv_20130205.txt
\ No newline at end of file
diff --git a/docs/misc/OCB-patent-grant-OpenSSL.pdf b/source/OCB-patent-grant-OpenSSL.pdf
similarity index 100%
rename from docs/misc/OCB-patent-grant-OpenSSL.pdf
rename to source/OCB-patent-grant-OpenSSL.pdf
diff --git a/source/sidebar.inc b/source/sidebar.inc
index 96eafc9..6862589 100644
--- a/source/sidebar.inc
+++ b/source/sidebar.inc
@@ -1,7 +1,10 @@
 <!-- sidebar.inc -->
-<!-- This needs full paths since the subdirs include this navbar. -->
 <aside class="sidebar">
   <section>
+    <!-- What I tell you three times is true: -->
+    <!--  THIS NEEDS FULL PATHS SINCE THE SUBDIRS INCLUDE THIS NAVBAR. -->
+    <!--   THIS NEEDS FULL PATHS SINCE THE SUBDIRS INCLUDE THIS NAVBAR. -->
+    <!--    THIS NEEDS FULL PATHS SINCE THE SUBDIRS INCLUDE THIS NAVBAR. -->
     <h1><a href="/source">Downloads</a></h1>
     <ul>
       <li>
@@ -11,10 +14,13 @@
 	<a href="/source/license.html">License</a>
       </li>
       <li>
+        <a href="/source/OCB-patent-grant-OpenSSL.pdf">OCB License</a>
+      </li>
+      <li>
         <a href="/source/old">Old Releases</a>
       </li>
       <li>
-	<a href="mirror.html">Mirror Sites</a>
+	<a href="/source/mirror.html">Mirror Sites</a>
       </li>
     </ul>
   </section>

From rsalz at openssl.org  Sat Aug 15 19:27:59 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sat, 15 Aug 2015 19:27:59 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439666879.883803.32404.nullmailer@dev.openssl.org>

The branch master has been updated
       via  39107644a019885ccdef15ae1033550d45e5e932 (commit)
      from  177bf95046063c83c2e0fca944acde7da178824d (commit)


- Log -----------------------------------------------------------------
commit 39107644a019885ccdef15ae1033550d45e5e932
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 15:26:02 2015 -0400

    Create "latest" links
    
    And the last of WML is gone gone gone!

-----------------------------------------------------------------------

Summary of changes:
 .gitignore           |  2 +-
 Makefile             |  9 +++++----
 bin/mk-latest        | 48 ++++++++++++++++++++++++++++++++++++++++++++++
 source/.htaccess.wml | 54 ----------------------------------------------------
 4 files changed, 54 insertions(+), 59 deletions(-)
 create mode 100755 bin/mk-latest
 delete mode 100644 source/.htaccess.wml

diff --git a/.gitignore b/.gitignore
index f448120..2c89231 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,7 @@ docs/faq.txt
 news/changelog.txt
 news/vulnerabilities.html
 source/license.txt
-docs/HOWTO/*.txt
+source/.htaccess
 source/*.gz*
 source/*.patch
 source/old/*/*.tar.gz*
diff --git a/Makefile b/Makefile
index 23d0275..ab069ec 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ SIMPLE = newsflash.inc sitemap.txt \
 	 news/changelog.inc news/changelog.txt \
 	 news/newsflash.inc \
 	 news/vulnerabilities.inc \
+	 source/.htaccess \
 	 source/license.txt \
 	 source/index.inc
 SRCLISTS = \
@@ -36,11 +37,8 @@ relupd: all
 	git pull $(QUIET)
 	$(MAKE)
 
-# To be fixed.
-hack-source_htaccess:
-	exit 1;
-
 # Legacy targets
+hack-source_htaccess: all
 simple: all
 generated: all
 manpages: all
@@ -81,6 +79,9 @@ docs/fips.inc:
 	@rm -f $@
 	./bin/mk-filelist docs/fips fips/ '*' >$@
 
+source/.htaccess:
+	@rm -f @?
+	./bin/mk-latest >$@
 source/license.txt: $(SNAP)/LICENSE
 	@rm -f $@
 	cp $? $@
diff --git a/bin/mk-latest b/bin/mk-latest
new file mode 100755
index 0000000..519c353
--- /dev/null
+++ b/bin/mk-latest
@@ -0,0 +1,48 @@
+#! /usr/bin/perl -w
+use strict;
+
+my @tarballs =
+	sort grep /openssl-\d+\.\d+\.\d+[a-z]*\.tar\.gz$/, glob("openssl-*.tar.gz");
+my %series = ();
+foreach(@tarballs) {
+	my ($version, $serie) = /^openssl-((\d+\.\d+\.\d+)[a-z]*)\./;
+	$series{$serie} = $_;
+}
+my $latest = $series{ (reverse sort keys %series)[0] };
+
+print "RewriteEngine on\n";
+print "RewriteBase /source\n";
+print "# First, rewrite all the 'latest' URLs\n";
+print "RewriteRule ^latest.tar.gz\$ $latest [L,R=302,NC]\n";
+
+foreach (sort keys %series) {
+	my $rule = "openssl-$_-latest.tar.gz";
+	#don't bother: $rule =~ s|\.|\\.|g;
+	my $target = $series{$_};
+	print "RewriteRule ^$rule\$ $target [L,R=302,NC]\n";
+}
+
+print <<\EOF
+
+# Old distro's are in subdirs.
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule (openssl-0\.9\.8.*) old/0.9.x/$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule openssl-(1\.0\.0.*) old/1.0.0/openssl-$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule openssl-(1\.0\.1.*) old/1.0.1/openssl-$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule openssl-(1\.0\.2.*) old/1.0.1/openssl-$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule openssl-(fips.*)  old/fips/openssl-$1 [L]
+
+<Files *.gz.asc>
+    RemoveEncoding .gz
+</Files>
+<Files *.gz.md5>
+    RemoveEncoding .gz
+</Files>
+<Files *.gz.sha1>
+    RemoveEncoding .gz
+</Files>
+EOF
diff --git a/source/.htaccess.wml b/source/.htaccess.wml
deleted file mode 100644
index 23ccfd7..0000000
--- a/source/.htaccess.wml
+++ /dev/null
@@ -1,54 +0,0 @@
-<protect>##
-##  .htaccess -- Apache per-dir config
-##
-
-RewriteEngine on
-
-RewriteBase /source
-
-# First, rewrite all the 'latest' URLs</protect>
-<:{
-    my @tarballs =
-        sort grep /openssl-\d+\.\d+\.\d+[a-z]*\.tar\.gz$/, glob("openssl-*.tar.gz");
-    my %series = ();
-    foreach(@tarballs) {
-        my ($version, $serie) = /^openssl-((\d+\.\d+\.\d+)[a-z]*)\./;
-	$series{$serie} = $_;
-    }
-
-    my $latest = $series{ (reverse sort keys %series)[0] };
-    print "RewriteRule ^latest\\.tar\\.gz\$ $latest [L,R=302,NC]\n";
-
-    foreach (sort keys %series) {
-        my $rule = "openssl-$_-latest.tar.gz"; $rule =~ s|\.|\\.|g;
-	my $target = $series{$_};
-        print "RewriteRule ^$rule\$ $target [L,R=302,NC]\n";
-    }
-}:>
-<protect>
-# Old distro's are in subdirs.
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule (openssl-0\.9\.8.*) old/0.9.x/$1 [L]
-
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule openssl-(1\.0\.0.*) old/1.0.0/openssl-$1 [L]
-
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule openssl-(1\.0\.1.*) old/1.0.1/openssl-$1 [L]
-
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule openssl-(1\.0\.2.*) old/1.0.1/openssl-$1 [L]
-
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule openssl-(fips.*)  old/fips/openssl-$1 [L]
-
-<Files *.gz.asc>
-    RemoveEncoding .gz
-</Files>
-<Files *.gz.md5>
-    RemoveEncoding .gz
-</Files>
-<Files *.gz.sha1>
-    RemoveEncoding .gz
-</Files>
-</protect>

From rsalz at openssl.org  Sun Aug 16 01:25:16 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 01:25:16 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439688316.143930.20300.nullmailer@dev.openssl.org>

The branch master has been updated
       via  4e03b7d918207bb1f9a80295b3cc70986dfc1f05 (commit)
      from  39107644a019885ccdef15ae1033550d45e5e932 (commit)


- Log -----------------------------------------------------------------
commit 4e03b7d918207bb1f9a80295b3cc70986dfc1f05
Author: Rich Salz <rsalz at akamai.com>
Date:   Sat Aug 15 21:25:06 2015 -0400

    fix mk-latest

-----------------------------------------------------------------------

Summary of changes:
 Makefile      |  2 +-
 bin/mk-latest | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index ab069ec..4f48bd5 100644
--- a/Makefile
+++ b/Makefile
@@ -81,7 +81,7 @@ docs/fips.inc:
 
 source/.htaccess:
 	@rm -f @?
-	./bin/mk-latest >$@
+	./bin/mk-latest source >$@
 source/license.txt: $(SNAP)/LICENSE
 	@rm -f $@
 	cp $? $@
diff --git a/bin/mk-latest b/bin/mk-latest
index 519c353..14f586f 100755
--- a/bin/mk-latest
+++ b/bin/mk-latest
@@ -1,8 +1,16 @@
 #! /usr/bin/perl -w
 use strict;
 
+die "Missing args\n" if $#ARGV < 0;
+my $SRCDIR = $ARGV[0]; shift;
+
+chdir $SRCDIR || die "Can't chdir $SRCDIR, $!";
+
 my @tarballs =
-	sort grep /openssl-\d+\.\d+\.\d+[a-z]*\.tar\.gz$/, glob("openssl-*.tar.gz");
+       sort grep /openssl-\d+\.\d+\.\d+[a-z]*\.tar\.gz$/,
+               glob("openssl-*.tar.gz");
+die "No tgz files found in $SRCDIR?\n" if $#tarballs < 1;
+
 my %series = ();
 foreach(@tarballs) {
 	my ($version, $serie) = /^openssl-((\d+\.\d+\.\d+)[a-z]*)\./;

From rsalz at openssl.org  Sun Aug 16 12:53:01 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 12:53:01 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439729581.487394.29166.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6fe0c6a6e3676dea5bd1012ff55ef6abe036bf14 (commit)
      from  4e03b7d918207bb1f9a80295b3cc70986dfc1f05 (commit)


- Log -----------------------------------------------------------------
commit 6fe0c6a6e3676dea5bd1012ff55ef6abe036bf14
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 08:52:57 2015 -0400

    mised vulnerabilities.html

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                 |  1 -
 docs/faq.html => news/vulnerabilities.html | 10 +++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
 copy docs/faq.html => news/vulnerabilities.html (75%)

diff --git a/.gitignore b/.gitignore
index 2c89231..0d1f8ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,6 @@ blog
 sitemap.txt
 docs/faq.txt
 news/changelog.txt
-news/vulnerabilities.html
 source/license.txt
 source/.htaccess
 source/*.gz*
diff --git a/docs/faq.html b/news/vulnerabilities.html
similarity index 75%
copy from docs/faq.html
copy to news/vulnerabilities.html
index 0f8a061..c06d973 100644
--- a/docs/faq.html
+++ b/news/vulnerabilities.html
@@ -9,14 +9,17 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Frequently Asked Questions</h2></header>
+	  <header><h2>Vulnerabilities<h2></header>
 	  <div class="entry-content">
-	    <!--#include virtual="faq.inc" -->
+	    <p>
+	    </p>
+            <!--#include virtual="vulnerabilities.inc" -->
+	    </p>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href=".">News</a>
-	    : <a href="">Frequently Asked Questions</a>
+            : <a href="">Vulnerabilities</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
@@ -29,3 +32,4 @@
 </body>
 
 </html>
+

From rsalz at openssl.org  Sun Aug 16 12:54:00 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 12:54:00 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439729640.516432.29521.nullmailer@dev.openssl.org>

The branch master has been updated
       via  aa56dff910fe52dbd12cd6ae5852df4be6d23553 (commit)
      from  6fe0c6a6e3676dea5bd1012ff55ef6abe036bf14 (commit)


- Log -----------------------------------------------------------------
commit aa56dff910fe52dbd12cd6ae5852df4be6d23553
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 08:53:57 2015 -0400

    more fix

-----------------------------------------------------------------------

Summary of changes:
 news/sidebar.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/news/sidebar.inc b/news/sidebar.inc
index 704c645..006efa3 100644
--- a/news/sidebar.inc
+++ b/news/sidebar.inc
@@ -7,7 +7,7 @@
 	<a href="newslog.html">Newslog</a>
       </li>
       <li>
-	<a href="vulnerabilities">Vulnerabilities</a>
+	<a href="vulnerabilities.html">Vulnerabilities</a>
       </li>
       <li>
 	<a href="changelog.html">Changelog</a>

From rsalz at openssl.org  Sun Aug 16 13:00:25 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 13:00:25 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439730025.111218.30290.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2bd0d83f0cb5308a534f3b7c2a74416b0832748f (commit)
      from  aa56dff910fe52dbd12cd6ae5852df4be6d23553 (commit)


- Log -----------------------------------------------------------------
commit 2bd0d83f0cb5308a534f3b7c2a74416b0832748f
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 09:00:22 2015 -0400

    more text for vulnerabilities.html

-----------------------------------------------------------------------

Summary of changes:
 news/vulnerabilities.html | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/news/vulnerabilities.html b/news/vulnerabilities.html
index c06d973..fa66b41 100644
--- a/news/vulnerabilities.html
+++ b/news/vulnerabilities.html
@@ -12,6 +12,17 @@
 	  <header><h2>Vulnerabilities<h2></header>
 	  <div class="entry-content">
 	    <p>
+            If you think you have found a security bug in OpenSSL,
+            please send mail to <a
+              href="mailto:openssl-security at openssl.org">openssl-security at openssl.org</a>.
+            If you want to encrypt the mail, you can use our
+            team's <a href="pgpkey.html">PGP Key</a>.  Or you can
+            send mail to one or more individual <a
+              href="/community/team.html">Team Members</a>,
+            encrypted or plaintext.
+            We will work with you to assess and fix the flaw,
+            as discussed in our
+            <a href="/policies/secpolicy.html">Security Policy</a>.
 	    </p>
             <!--#include virtual="vulnerabilities.inc" -->
 	    </p>

From rsalz at openssl.org  Sun Aug 16 16:46:17 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 16:46:17 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439743577.567893.13691.nullmailer@dev.openssl.org>

The branch master has been updated
       via  0a14e9257e037fbafcb0cbdaf0e6894900b9400e (commit)
      from  2bd0d83f0cb5308a534f3b7c2a74416b0832748f (commit)


- Log -----------------------------------------------------------------
commit 0a14e9257e037fbafcb0cbdaf0e6894900b9400e
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 12:46:13 2015 -0400

    fix links in newsflash

-----------------------------------------------------------------------

Summary of changes:
 Makefile           |  1 +
 news/newsflash.txt | 74 +++++++++++++++++++++++++++---------------------------
 2 files changed, 38 insertions(+), 37 deletions(-)

diff --git a/Makefile b/Makefile
index 4f48bd5..252ed02 100644
--- a/Makefile
+++ b/Makefile
@@ -62,6 +62,7 @@ news/changelog.txt: $(SNAP)/CHANGES
 	cp $? $@
 news/newsflash.inc: news/newsflash.txt
 	sed <$? >$@ \
+	    -e '/^#/d' \
 	    -e 's@^@<tr><td class="d">@' \
 	    -e 's@: @</td><td class="t">@' \
 	    -e 's@$$@</td></tr>@'
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 42e39b2..8822cb9 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -1,17 +1,17 @@
 Date: Item
-09-Jul-2015: <a href="secadv/20150709.txt">Security Advisory</a>: one security fix
+09-Jul-2015: <a href="/news/secadv/20150709.txt">Security Advisory</a>: one security fix
 09-Jul-2015: OpenSSL 1.0.2d is now available, including bug and security fixes
 09-Jul-2015: OpenSSL 1.0.1p is now available, including bug and security fixes
 06-Jul-2015: OpenSSL 1.0.2d and 1.0.1p <a href="https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html">security releases due 9th July 2015</a>
 12-Jun-2015: New releases to resolve ABI compatibility problems:
 12-Jun-2015: OpenSSL 1.0.2c is now available, including bug fixes
 12-Jun-2015: OpenSSL 1.0.1o is now available, including bug fixes
-11-Jun-2015: <a href="secadv/20150611.txt">Security Advisory</a>: five security fixes
+11-Jun-2015: <a href="/news/secadv/20150611.txt">Security Advisory</a>: five security fixes
 11-Jun-2015: OpenSSL 1.0.2b is now available, including bug and security fixes
 11-Jun-2015: OpenSSL 1.0.1n is now available, including bug and security fixes
 11-Jun-2015: OpenSSL 1.0.0s is now available, including bug and security fixes
 11-Jun-2015: OpenSSL 0.9.8zg is now available, including bug and security fixes
-19-Mar-2015: <a href="secadv/20150319.txt">Security Advisory</a>: twelve security fixes
+19-Mar-2015: <a href="/news/secadv/20150319.txt">Security Advisory</a>: twelve security fixes
 19-Mar-2015: OpenSSL 1.0.2a is now available, including bug and security fixes
 19-Mar-2015: OpenSSL 1.0.1m is now available, including bug and security fixes
 19-Mar-2015: OpenSSL 1.0.0r is now available, including bug and security fixes
@@ -21,107 +21,107 @@ Date: Item
 15-Jan-2015: OpenSSL 1.0.1l is now available, including bug fixes
 15-Jan-2015: OpenSSL 1.0.0q is now available, including bug fixes
 15-Jan-2015: OpenSSL 0.9.8ze is now available, including bug fixes
-08-Jan-2015: <a href="secadv/20150108.txt">Security Advisory</a>: eight security fixes
+08-Jan-2015: <a href="/news/secadv/20150108.txt">Security Advisory</a>: eight security fixes
 08-Jan-2015: OpenSSL 1.0.1k is now available, including bug and security fixes
 08-Jan-2015: OpenSSL 1.0.0p is now available, including bug and security fixes
 08-Jan-2015: OpenSSL 0.9.8zd is now available, including bug and security fixes
-15-Oct-2014: <a href="secadv/20141015.txt">Security Advisory</a>: four security fixes
+15-Oct-2014: <a href="/news/secadv/20141015.txt">Security Advisory</a>: four security fixes
 15-Oct-2014: OpenSSL 1.0.1j is now available, including bug and security fixes
 15-Oct-2014: OpenSSL 1.0.0o is now available, including bug and security fixes
 15-Oct-2014: OpenSSL 0.9.8zc is now available, including bug and security fixes
 25-Sep-2014: Beta 3 of OpenSSL 1.0.2 is now available, please test it now
-06-Aug-2014: <a href="secadv/20140806.txt">Security Advisory</a>: nine security fixes
+06-Aug-2014: <a href="/news/secadv/20140806.txt">Security Advisory</a>: nine security fixes
 06-Aug-2014: OpenSSL 1.0.1i is now available, including bug and security fixes
 06-Aug-2014: OpenSSL 1.0.0n is now available, including bug and security fixes
 06-Aug-2014: OpenSSL 0.9.8zb is now available, including bug and security fixes
 22-Jul-2014: Beta 2 of OpenSSL 1.0.2 is now available, please test it now
 30-Jun-2014: Project roadmap released
 24-Jun-2014: Team status changes including six new development team members
-05-Jun-2014: <a href="secadv/20140605.txt">Security Advisory</a>: seven security fixes
+05-Jun-2014: <a href="/news/secadv/20140605.txt">Security Advisory</a>: seven security fixes
 05-Jun-2014: OpenSSL 1.0.1h is now available, including bug and security fixes
 05-Jun-2014: OpenSSL 1.0.0m is now available, including bug and security fixes
 05-Jun-2014: OpenSSL 0.9.8za is now available, including bug and security fixes
 23-Apr-2014: Team status changes including new team member: Steve Marquess
-07-Apr-2014: <a href="secadv/20140407.txt">Security Advisory</a>: Heartbeat overflow issue.
+07-Apr-2014: <a href="/news/secadv/20140407.txt">Security Advisory</a>: Heartbeat overflow issue.
 07-Apr-2014: OpenSSL 1.0.1g is now available, including bug and security fixes
 24-Feb-2014: Beta 1 of OpenSSL 1.0.2 is now available, please test it now
 06-Jan-2014: OpenSSL 1.0.0l is now available, including bug and security fixes
 06-Jan-2014: OpenSSL 1.0.1f is now available, including bug and security fixes
-03-Jan-2014: UPDATE: site defacement <a href="secadv/hack.txt">final details.</a>
+03-Jan-2014: UPDATE: site defacement <a href="/news/secadv/hack.txt">final details.</a>
 11-Feb-2013: OpenSSL 1.0.1e is now available, including bug fixes
-05-Feb-2013: <a href="secadv/20130205.txt">Security Advisory</a>: three security fixes
+05-Feb-2013: <a href="/news/secadv/20130205.txt">Security Advisory</a>: three security fixes
 05-Feb-2013: OpenSSL 1.0.1d is now available, including bug and security fixes
 05-Feb-2013: OpenSSL 1.0.0k is now available, including security fixes
 05-Feb-2013: OpenSSL 0.9.8y is now available, including security fixes
-10-May-2012: <a href="secadv/20120510.txt">Security Advisory</a>: TLS/DTLS DoS issue
+10-May-2012: <a href="/news/secadv/20120510.txt">Security Advisory</a>: TLS/DTLS DoS issue
 10-May-2012: OpenSSL 1.0.1c is now available, including bug and security fixes
 10-May-2012: OpenSSL 1.0.0j is now available, including security fixes
 10-May-2012: OpenSSL 0.9.8x is now available, including security fixes
 26-Apr-2012: OpenSSL 1.0.1b is now available, including important bug fixes
 25-Apr-2012: Notice: OpenSSL 1.0.1a compilation problems with non x86 platforms
 24-Apr-2012: OpenSSL 0.9.8w is now available, including security fixes
-24-Apr-2012: <a href="secadv/20120424.txt">Security Advisory</a>: ASN1 incomplete fix for OpenSSL 0.9.8
+24-Apr-2012: <a href="/news/secadv/20120424.txt">Security Advisory</a>: ASN1 incomplete fix for OpenSSL 0.9.8
 19-Apr-2012: OpenSSL 1.0.1a is now available, including important bug and security fixes
 19-Apr-2012: OpenSSL 1.0.0i is now available, including important bug and security fixes
 19-Apr-2012: OpenSSL 0.9.8v is now available, including important bug and security fixes
-19-Apr-2012: <a href="secadv/20120419.txt">Security Advisory</a>: ASN1 overflow vulnerability
+19-Apr-2012: <a href="/news/secadv/20120419.txt">Security Advisory</a>: ASN1 overflow vulnerability
 14-Mar-2012: OpenSSL 1.0.1 is now available, including new features
-12-Mar-2012: <a href="secadv/20120312.txt">Security Advisory</a>: PKCS7/CMS MMA issue
+12-Mar-2012: <a href="/news/secadv/20120312.txt">Security Advisory</a>: PKCS7/CMS MMA issue
 12-Mar-2012: OpenSSL 0.9.8u is now available, including important bug and security fixes
 12-Mar-2012: OpenSSL 1.0.0h is now available, including important bug and security fixes
 23-Feb-2012: Beta 3 of OpenSSL 1.0.1 is now available, please test it now
 19-Jan-2012: Beta 2 of OpenSSL 1.0.1 is now available, please test it now
-18-Jan-2012: <a href="secadv/20120118.txt">Security Advisory</a>: DTLS DoS issue
+18-Jan-2012: <a href="/news/secadv/20120118.txt">Security Advisory</a>: DTLS DoS issue
 18-Jan-2012: OpenSSL 1.0.0g is now available, including important bug and security fixes
 18-Jan-2012: OpenSSL 0.9.8t is now available, including important bug and security fixes
-04-Jan-2012: <a href="secadv/20120104.txt">Security Advisory</a>: six security fixes
+04-Jan-2012: <a href="/news/secadv/20120104.txt">Security Advisory</a>: six security fixes
 04-Jan-2012: OpenSSL 0.9.8s is now available, including important bug and security fixes
 04-Jan-2012: OpenSSL 1.0.0f is now available, including important bug and security fixes
 03-Jan-2012: Beta 1 of OpenSSL 1.0.1 is now available, please test it now
 06-Sep-2011: OpenSSL 1.0.0e is now available, including important bug and security fixes
-06-Sep-2011: <a href="secadv/20110906.txt">Security Advisory</a>: two security fixes
-08-Feb-2011: <a href="secadv/20110208.txt">Security Advisory</a>: OCSP stapling vulnerability
+06-Sep-2011: <a href="/news/secadv/20110906.txt">Security Advisory</a>: two security fixes
+08-Feb-2011: <a href="/news/secadv/20110208.txt">Security Advisory</a>: OCSP stapling vulnerability
 08-Feb-2011: OpenSSL 1.0.0d is now available, including important bug and security fixes
 08-Feb-2011: OpenSSL 0.9.8r is now available, including important bug and security fixes
 09-Dec-2010: OpenSSL FIPS 140-2 module 1.2.2 is now available.
-02-Dec-2010: <a href="secadv/20101202.txt">Security Advisory</a>: ciphersuite downgrade fix
+02-Dec-2010: <a href="/news/secadv/20101202.txt">Security Advisory</a>: ciphersuite downgrade fix
 02-Dec-2010: OpenSSL 1.0.0c is now available, including important bug and security fixes
 02-Dec-2010: OpenSSL 0.9.8q is now available, including important bug and security fixes
 16-Nov-2010: OpenSSL 1.0.0b is now available, including important bug and security fixes
 16-Nov-2010: OpenSSL 0.9.8p is now available, including important bug and security fixes
-16-Nov-2010: <a href="secadv/20101116.txt">Security Advisory</a>: buffer overrun fix
+16-Nov-2010: <a href="/news/secadv/20101116.txt">Security Advisory</a>: buffer overrun fix
 01-Jun-2010: OpenSSL 0.9.8o is now available, including important bug and security fixes
 01-Jun-2010: OpenSSL 1.0.0a is now available, including important bug and security fixes
-01-Jun-2010: <a href="secadv/20100601.txt">Security Advisory</a>: two security fixes
+01-Jun-2010: <a href="/news/secadv/20100601.txt">Security Advisory</a>: two security fixes
 29-Mar-2010: OpenSSL 1.0.0 is now available, a major release
-24-Mar-2010: <a href="secadv/20100324.txt">Security Advisory</a>: "Record of death" security fix
+24-Mar-2010: <a href="/news/secadv/20100324.txt">Security Advisory</a>: "Record of death" security fix
 24-Mar-2010: OpenSSL 0.9.8n is now available, including important bug and security fixes
 25-Feb-2010: OpenSSL 0.9.8m is now available, including important bug and security fixes
 24-Jun-2009: Commercial support for OpenSSL is now available
 25-Mar-2009: OpenSSL 0.9.8k is now available, including important bug fixes
-25-Mar-2009: <a href="secadv/20090325.txt">Security Advisory</a>: Three moderate severity security issues
+25-Mar-2009: <a href="/news/secadv/20090325.txt">Security Advisory</a>: Three moderate severity security issues
 07-Jan-2009: OpenSSL 0.9.8j is now available, including important bug fixes
-07-Jan-2009: <a href="secadv/20090107.txt">Security Advisory</a>: incorrect checks for malformed signatures
+07-Jan-2009: <a href="/news/secadv/20090107.txt">Security Advisory</a>: incorrect checks for malformed signatures
 18-Nov-2008: OpenSSL FIPS 140-2 module 1.2 is now available
 15-Sep-2008: OpenSSL 0.9.8i is now available, including important bug fixes
-28-May-2008: <a href="secadv/20080528.txt">Security Advisory</a>: Two moderate severity security issues
+28-May-2008: <a href="/news/secadv/20080528.txt">Security Advisory</a>: Two moderate severity security issues
 28-May-2008: OpenSSL 0.9.8h is now available, including security and bug fixes
-29-Nov-2007: <a href="secadv/20071129.txt">Security Advisory</a>: FIPS 1.1.1 module PRNG security issue
+29-Nov-2007: <a href="/news/secadv/20071129.txt">Security Advisory</a>: FIPS 1.1.1 module PRNG security issue
 19-Oct-2007: OpenSSL 0.9.8g is now available, including bug fixes
-12-Oct-2007: <a href="secadv/20071012.txt">Security Advisory</a>: Various security issues
+12-Oct-2007: <a href="/news/secadv/20071012.txt">Security Advisory</a>: Various security issues
 11-Oct-2007: OpenSSL 0.9.8f is now available, including security and bug fixes
 23-Feb-2007: OpenSSL 0.9.8e is now available, including important bugfixes
 23-Feb-2007: OpenSSL 0.9.7m is now available, including important bugfixes
-28-Sep-2006: <a href="secadv/20060928.txt">Security Advisory</a>: Various security issues
+28-Sep-2006: <a href="/news/secadv/20060928.txt">Security Advisory</a>: Various security issues
 28-Sep-2006: OpenSSL 0.9.8d is now available, including security fixes
 28-Sep-2006: OpenSSL 0.9.7l is now available, including security fixes
-05-Sep-2006: <a href="secadv/20060905.txt">Security Advisory</a>: RSA Signature Forgery
+05-Sep-2006: <a href="/news/secadv/20060905.txt">Security Advisory</a>: RSA Signature Forgery
 05-Sep-2006: OpenSSL 0.9.8c is now available, including security fix
 05-Sep-2006: OpenSSL 0.9.7k is now available, including security fix
 04-May-2006: OpenSSL 0.9.8b is now available, including important bugfixes
 04-May-2006: OpenSSL 0.9.7j is now available, including important bugfixes
 15-oct-2005: OpenSSL 0.9.7i is now available, contains compatibility fix	
-11-oct-2005: <a href="secadv/20051011.txt">Security Advisory</a>: Potential SSL 2.0 rollback
+11-oct-2005: <a href="/news/secadv/20051011.txt">Security Advisory</a>: Potential SSL 2.0 rollback
 11-oct-2005: OpenSSL 0.9.8a is now available, including security fix
 11-oct-2005: OpenSSL 0.9.7h is now available, including security fix
 05-jul-2005: OpenSSL 0.9.8 is now available, a major release
@@ -134,26 +134,26 @@ Date: Item
 11-apr-2005: OpenSSL 0.9.7g is now available, including important bugfixes
 22-mar-2005: OpenSSL 0.9.7f is now available, including important bugfixes
 25-oct-2004: OpenSSL 0.9.7e is now available, including important bugfixes
-17-mar-2004: <a href="secadv/20040317.txt">Security Advisory</a>: Denial of Service flaws in 0.9.6l and 0.9.7c
+17-mar-2004: <a href="/news/secadv/20040317.txt">Security Advisory</a>: Denial of Service flaws in 0.9.6l and 0.9.7c
 17-mar-2004: OpenSSL 0.9.7d is now available, including important bugfixes
 17-mar-2004: OpenSSL 0.9.6m is now available, including security fix
 17-mar-2004: OpenSSL 0.9.6m [engine] is now available, including security fix
 04-nov-2003: OpenSSL 0.9.6l is now available, including security fix
 04-nov-2003: OpenSSL 0.9.6l [engine] is now available, including security fix
-04-nov-2003: <a href="secadv/20031104.txt">Security Advisory</a>: Denial of Service in ASN.1 parsing in 0.9.6k.
+04-nov-2003: <a href="/news/secadv/20031104.txt">Security Advisory</a>: Denial of Service in ASN.1 parsing in 0.9.6k.
 30-sep-2003: OpenSSL 0.9.7c is now available, including important bugfixes
 30-sep-2003: OpenSSL 0.9.6k is now available, including important bugfixes
 30-sep-2003: OpenSSL 0.9.6k [engine] is now available, including important bugfixes
-30-sep-2003: <a href="secadv/20030930.txt">Security Advisory</a>: Vulnerabilities in ASN.1 parsing.
+30-sep-2003: <a href="/news/secadv/20030930.txt">Security Advisory</a>: Vulnerabilities in ASN.1 parsing.
 10-apr-2003: OpenSSL 0.9.7b is now available, including important bugfixes
 10-apr-2003: OpenSSL 0.9.6j is now available, including important bugfixes
 10-apr-2003: OpenSSL 0.9.6j [engine] is now available, including important bugfixes
-19-Mar-2003: <a href="secadv/20030319.txt">Security Advisory</a>: Klima-Pokorny-Rosa attack.
-17-Mar-2003: <a href="secadv/20030317.txt">Security Advisory</a>: timing attacks, RSA blinding.
+19-Mar-2003: <a href="/news/secadv/20030319.txt">Security Advisory</a>: Klima-Pokorny-Rosa attack.
+17-Mar-2003: <a href="/news/secadv/20030317.txt">Security Advisory</a>: timing attacks, RSA blinding.
 19-feb-2003: OpenSSL 0.9.7a is now available, including important bugfixes
 19-feb-2003: OpenSSL 0.9.6i is now available, including important bugfixes
 19-feb-2003: OpenSSL 0.9.6i [engine] is now available, including important bugfixes
-19-feb-2003: <a href="secadv/20030219.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6i and 0.9.7a
+19-feb-2003: <a href="/news/secadv/20030219.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6i and 0.9.7a
 31-Dec-2002: OpenSSL 0.9.7 is now available, a major release
 17-dec-2002: Beta 6 of OpenSSL 0.9.7 is now available, please test it now
 5-dec-2002: Beta 5 of OpenSSL 0.9.7 is now available, please test it now
@@ -166,7 +166,7 @@ Date: Item
 8-aug-2002: OpenSSL 0.9.6f [engine] is now available, including important bugfixes
 30-Jul-2002: OpenSSL 0.9.6e is now available, including important bugfixes
 30-Jul-2002: OpenSSL 0.9.6e [engine] is now available, including important bugfixes
-30-Jul-2002: <a href="secadv/20020730.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6e
+30-Jul-2002: <a href="/news/secadv/20020730.txt">Security Advisory</a>: Vulnerabilities in OpenSSL versions before 0.9.6e
 30-Jul-2002: Beta 3 of OpenSSL 0.9.7 is now available, please test it now
 16-jun-2002: Beta 2 of OpenSSL 0.9.7 is now available, please test it now
 01-jun-2002: Beta 1 of OpenSSL 0.9.7 is now available, please test it now

From rsalz at openssl.org  Sun Aug 16 16:49:28 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 16:49:28 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439743768.317846.14209.nullmailer@dev.openssl.org>

The branch master has been updated
       via  14c6e2f5ad348a67bc450e058c94624aadb958f8 (commit)
      from  0a14e9257e037fbafcb0cbdaf0e6894900b9400e (commit)


- Log -----------------------------------------------------------------
commit 14c6e2f5ad348a67bc450e058c94624aadb958f8
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 12:49:25 2015 -0400

    add comments

-----------------------------------------------------------------------

Summary of changes:
 news/newsflash.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 8822cb9..44b973c 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -1,3 +1,8 @@
+# Lines beginning with a poundsign are comments and are deleted
+# Only the first five lines appear on the main page; edit Makefile
+# to change that.
+# Format is two fields, colon-separated; the first line is the column
+# headings.  URL paths must all be absolute.
 Date: Item
 09-Jul-2015: <a href="/news/secadv/20150709.txt">Security Advisory</a>: one security fix
 09-Jul-2015: OpenSSL 1.0.2d is now available, including bug and security fixes

From rsalz at openssl.org  Sun Aug 16 19:18:11 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 19:18:11 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439752691.353740.22020.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6ba10736ce435609246d709976f98a541e99410b (commit)
      from  14c6e2f5ad348a67bc450e058c94624aadb958f8 (commit)


- Log -----------------------------------------------------------------
commit 6ba10736ce435609246d709976f98a541e99410b
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 15:18:06 2015 -0400

    fix faq link (alliteration almost)

-----------------------------------------------------------------------

Summary of changes:
 source/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source/index.html b/source/index.html
index 0a84ecf..e8eb2f6 100644
--- a/source/index.html
+++ b/source/index.html
@@ -39,7 +39,7 @@
 	    <p>When building a release for the first time, please make sure
 	    to look at the README and INSTALL files in the distribution.
 	    If you have problems, look at the FAQ, which can also be
-	    found <a href="/news/faq.html">online</a>.</p>
+	    found <a href="/docs/faq.html">online</a>.</p>
 
 	    <p>
 	    Each day we make a snapshot of each development branch.

From rsalz at openssl.org  Sun Aug 16 19:19:25 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 19:19:25 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439752765.116748.22380.nullmailer@dev.openssl.org>

The branch master has been updated
       via  17b3fa42983e2b44f86c33515610c9ecf02fa012 (commit)
      from  6ba10736ce435609246d709976f98a541e99410b (commit)


- Log -----------------------------------------------------------------
commit 17b3fa42983e2b44f86c33515610c9ecf02fa012
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 15:19:22 2015 -0400

    space missing before OSF name

-----------------------------------------------------------------------

Summary of changes:
 community/contacts.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/community/contacts.html b/community/contacts.html
index a18948b..7a6af0c 100644
--- a/community/contacts.html
+++ b/community/contacts.html
@@ -29,7 +29,7 @@
 	  he wants to give any support or not, regardless of who makes the
 	  request.</p>
 
-	  <p>The<em>OpenSSL Software Foundation</em> represents the OpenSSL
+	  <p>The <em>OpenSSL Software Foundation</em> represents the OpenSSL
 	  project in most capacities including contributor license
 	  agreements, managing donations, and so on.
 

From rsalz at openssl.org  Sun Aug 16 21:50:08 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 21:50:08 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439761808.707646.29753.nullmailer@dev.openssl.org>

The branch master has been updated
       via  5cc4b6c2f0ed2347339c8f862f75f0d0985b1968 (commit)
      from  17b3fa42983e2b44f86c33515610c9ecf02fa012 (commit)


- Log -----------------------------------------------------------------
commit 5cc4b6c2f0ed2347339c8f862f75f0d0985b1968
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 17:50:05 2015 -0400

    remove spurious h1 header

-----------------------------------------------------------------------

Summary of changes:
 community/contacts.html | 1 -
 1 file changed, 1 deletion(-)

diff --git a/community/contacts.html b/community/contacts.html
index 7a6af0c..8a8ddcd 100644
--- a/community/contacts.html
+++ b/community/contacts.html
@@ -1,4 +1,3 @@
-<h1>About the OpenSSL Project</h1>
 <!DOCTYPE html>
 <html lang="en">
 <!--#include virtual="/inc/head.inc" -->

From rsalz at openssl.org  Sun Aug 16 22:48:12 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 22:48:12 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439765292.979647.890.nullmailer@dev.openssl.org>

The branch master has been updated
       via  18230e5da090636496156e5516d3e35590aed979 (commit)
      from  5cc4b6c2f0ed2347339c8f862f75f0d0985b1968 (commit)


- Log -----------------------------------------------------------------
commit 18230e5da090636496156e5516d3e35590aed979
Author: Viktor Szakats <vszakats at users.noreply.github.com>
Date:   Mon Aug 17 00:45:26 2015 +0200

    community/index: use https URLs

-----------------------------------------------------------------------

Summary of changes:
 community/index.html | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/community/index.html b/community/index.html
index 091bff5..9129cf4 100644
--- a/community/index.html
+++ b/community/index.html
@@ -25,7 +25,7 @@
 	    <p>
 	    We maintain several <a href="mailinglists.html">mailing lists</a>.
 	    Anyone can join, but you must be a member of a list to post to it.
-	    We have a <a href="http://wiki.openssl.org">public wiki</a>,
+	    We have a <a href="https://wiki.openssl.org">public wiki</a>,
 	    and anyone can request an account and start adding content.
 	    We have a <a href="/blog">team blog</a>, where members of
 	    the development team will occasionally post.
@@ -43,12 +43,12 @@
 	    for information on how to report it.</p>
 
 	    <p>We have set up a request tracker at
-	    <a href="http://rt.openssl.org">http://rt.openssl.org</a>,
+	    <a href="https://rt.openssl.org">http://rt.openssl.org</a>,
 	    with read-only access using <em>guest</em> as the name
 	    and password.
 	    Requests can be viewed on-line by using the following URL,
 	    replacing <em>NNNN</em> with the request number:
-	    http://rt.openssl.org/Ticket/Display.html?user=guest&amp;pass=guest&amp;id=<em>NNNN</em>
+	    https://rt.openssl.org/Ticket/Display.html?user=guest&amp;pass=guest&amp;id=<em>NNNN</em>
 	    </p>
 
 	    <p>To report a bug or make an enhancement request, send email
@@ -88,4 +88,3 @@
 </body>
 
 </html>
-

From rsalz at openssl.org  Sun Aug 16 23:00:03 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:00:03 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439766003.200963.2339.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a845a6aabc995d32f3337666ac13f731d9a1bbaf (commit)
      from  18230e5da090636496156e5516d3e35590aed979 (commit)


- Log -----------------------------------------------------------------
commit a845a6aabc995d32f3337666ac13f731d9a1bbaf
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 18:58:58 2015 -0400

    Part of MR1002
    
    Removing FAQ from the releasesm need to put it into the website.
    Eventually we should just edit the HTML directly, but for now
    just keep the text version around.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore   |    1 -
 Makefile     |    5 +-
 docs/faq.txt | 1091 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 1092 insertions(+), 5 deletions(-)
 create mode 100644 docs/faq.txt

diff --git a/.gitignore b/.gitignore
index 0d1f8ae..e9f8260 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 *.inc
 blog
 sitemap.txt
-docs/faq.txt
 news/changelog.txt
 source/license.txt
 source/.htaccess
diff --git a/Makefile b/Makefile
index 252ed02..2b2942d 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ RELEASEDIR = /var/www/openssl/source
 
 # All simple generated files.
 SIMPLE = newsflash.inc sitemap.txt \
-	 docs/faq.txt docs/faq.inc docs/fips.inc \
+	 docs/faq.inc docs/fips.inc \
 	 news/changelog.inc news/changelog.txt \
 	 news/newsflash.inc \
 	 news/vulnerabilities.inc \
@@ -70,9 +70,6 @@ news/vulnerabilities.inc: bin/vulnerabilities.xsl news/vulnerabilities.xml
 	@rm -f $@
 	xsltproc bin/vulnerabilities.xsl news/vulnerabilities.xml >$@
 
-docs/faq.txt: $(SNAP)/FAQ
-	@rm -f $@
-	cp $? $@
 docs/faq.inc: docs/faq.txt
 	@rm -f $@
 	./bin/mk-faq <$? >$@
diff --git a/docs/faq.txt b/docs/faq.txt
new file mode 100644
index 0000000..0ff792b
--- /dev/null
+++ b/docs/faq.txt
@@ -0,0 +1,1091 @@
+OpenSSL  -  Frequently Asked Questions
+--------------------------------------
+
+[MISC] Miscellaneous questions
+
+* Which is the current version of OpenSSL?
+* Where is the documentation?
+* How can I contact the OpenSSL developers?
+* Where can I get a compiled version of OpenSSL?
+* Why aren't tools like 'autoconf' and 'libtool' used?
+* What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?
+* How does the versioning scheme work?
+
+[LEGAL] Legal questions
+
+* Do I need patent licenses to use OpenSSL?
+* Can I use OpenSSL with GPL software? 
+
+[USER] Questions on using the OpenSSL applications
+
+* Why do I get a "PRNG not seeded" error message?
+* Why do I get an "unable to write 'random state'" error message?
+* How do I create certificates or certificate requests?
+* Why can't I create certificate requests?
+* Why does <SSL program> fail with a certificate verify error?
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+* How can I create DSA certificates?
+* Why can't I make an SSL connection using a DSA certificate?
+* How can I remove the passphrase on a private key?
+* Why can't I use OpenSSL certificates with SSL client authentication?
+* Why does my browser give a warning about a mismatched hostname?
+* How do I install a CA certificate into a browser?
+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
+* Why does OpenSSL set the authority key identifier extension incorrectly?
+* How can I set up a bundle of commercial root CA certificates?
+* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
+
+[BUILD] Questions about building and testing OpenSSL
+
+* Why does the linker complain about undefined symbols?
+* Why does the OpenSSL test fail with "bc: command not found"?
+* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+* Why does the OpenSSL test fail with "bc: stack empty"?
+* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
+* Why does the OpenSSL compilation fail with "ar: command not found"?
+* Why does the OpenSSL compilation fail on Win32 with VC++?
+* What is special about OpenSSL on Redhat?
+* Why does the OpenSSL compilation fail on MacOS X?
+* Why does the OpenSSL test suite fail on MacOS X?
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+* Why does compiler fail to compile sha512.c?
+* Test suite still fails, what to do?
+* I think I've found a bug, what should I do?
+* I'm SURE I've found a bug, how do I report it?
+* I've found a security issue, how do I report it?
+
+[PROG] Questions about programming with OpenSSL
+
+* Is OpenSSL thread-safe?
+* I've compiled a program under Windows and it crashes: why?
+* How do I read or write a DER encoded buffer using the ASN1 functions?
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
+* I've called <some function> and it fails, why?
+* I just get a load of numbers for the error output, what do they mean?
+* Why do I get errors about unknown algorithms?
+* Why can't the OpenSSH configure script detect OpenSSL?
+* Can I use OpenSSL's SSL library with non-blocking I/O?
+* Why doesn't my server application receive a client certificate?
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+* I think I've detected a memory leak, is this a bug?
+* Why does Valgrind complain about the use of uninitialized data?
+* Why doesn't a memory BIO work when a file does?
+* Where are the declarations and implementations of d2i_X509() etc?
+* When debugging I observe SIGILL during OpenSSL initialization: why?
+
+===============================================================================
+
+[MISC] ========================================================================
+
+* Which is the current version of OpenSSL?
+
+The current version is available from <URL: http://www.openssl.org>.
+
+In addition to the current stable release, you can also access daily
+snapshots of the OpenSSL development version at <URL:
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
+
+
+* Where is the documentation?
+
+OpenSSL is a library that provides cryptographic functionality to
+applications such as secure web servers.  Be sure to read the
+documentation of the application you want to use.  The INSTALL file
+explains how to install this library.
+
+OpenSSL includes a command line utility that can be used to perform a
+variety of cryptographic functions.  It is described in the openssl(1)
+manpage.  Documentation for developers is currently being written. Many
+manual pages are available; overviews over libcrypto and
+libssl are given in the crypto(3) and ssl(3) manpages.
+
+The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
+different directory if you specified one as described in INSTALL).
+In addition, you can read the most current versions at
+<URL: http://www.openssl.org/docs/>. Note that the online documents refer
+to the very latest development versions of OpenSSL and may include features
+not present in released versions. If in doubt refer to the documentation
+that came with the version of OpenSSL you are using. The pod format
+documentation is included in each OpenSSL distribution under the docs
+directory.
+
+There is some documentation about certificate extensions and PKCS#12
+in doc/openssl.txt
+
+The original SSLeay documentation is included in OpenSSL as
+doc/ssleay.txt.  It may be useful when none of the other resources
+help, but please note that it reflects the obsolete version SSLeay
+0.6.6.
+
+
+* How can I contact the OpenSSL developers?
+
+The README file describes how to submit bug reports and patches to
+OpenSSL.  Information on the OpenSSL mailing lists is available from
+<URL: http://www.openssl.org>.
+
+
+* Where can I get a compiled version of OpenSSL?
+
+You can finder pointers to binary distributions in
+<URL: http://www.openssl.org/about/binaries.html> .
+
+Some applications that use OpenSSL are distributed in binary form.
+When using such an application, you don't need to install OpenSSL
+yourself; the application will include the required parts (e.g. DLLs).
+
+If you want to build OpenSSL on a Windows system and you don't have
+a C compiler, read the "Mingw32" section of INSTALL.W32 for information
+on how to obtain and install the free GNU C compiler.
+
+A number of Linux and *BSD distributions include OpenSSL.
+
+
+* Why aren't tools like 'autoconf' and 'libtool' used?
+
+autoconf will probably be used in future OpenSSL versions. If it was
+less Unix-centric, it might have been used much earlier.
+
+* What is an 'engine' version?
+
+With version 0.9.6 OpenSSL was extended to interface to external crypto
+hardware. This was realized in a special release '0.9.6-engine'. With
+version 0.9.7 the changes were merged into the main development line,
+so that the special release is no longer necessary.
+
+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server, see a
+list of keys at <URL: http://www.openssl.org/about/>). Then
+just do:
+
+   pgp TARBALL.asc
+
+* How does the versioning scheme work?
+
+After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
+releases (e.g. 1.0.1a) can only contain bug and security fixes and no
+new features. Minor releases change the last number (e.g. 1.0.2) and 
+can contain new features that retain binary compatibility. Changes to
+the middle number are considered major releases and neither source nor
+binary compatibility is guaranteed.
+
+Therefore the answer to the common question "when will feature X be
+backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
+in the next minor release.
+
+* What happens when the letter release reaches z?
+
+It was decided after the release of OpenSSL 0.9.8y the next version should
+be 0.9.8za then 0.9.8zb and so on.
+
+
+[LEGAL] =======================================================================
+
+* Do I need patent licenses to use OpenSSL?
+
+For information on intellectual property rights, please consult a lawyer.
+The OpenSSL team does not offer legal advice.
+
+You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
+ ./config no-idea no-mdc2 no-rc5
+
+
+* Can I use OpenSSL with GPL software?
+
+On many systems including the major Linux and BSD distributions, yes (the
+GPL does not place restrictions on using libraries that are part of the
+normal operating system distribution).
+
+On other systems, the situation is less clear. Some GPL software copyright
+holders claim that you infringe on their rights if you use OpenSSL with
+their software on operating systems that don't normally include OpenSSL.
+
+If you develop open source software that uses OpenSSL, you may find it
+useful to choose an other license than the GPL, or state explicitly that
+"This program is released under the GPL with the additional exemption that
+compiling, linking, and/or using OpenSSL is allowed."  If you are using
+GPL software developed by others, you may want to ask the copyright holder
+for permission to use their software with OpenSSL.
+
+
+[USER] ========================================================================
+
+* Why do I get a "PRNG not seeded" error message?
+
+Cryptographic software needs a source of unpredictable data to work
+correctly.  Many open source operating systems provide a "randomness
+device" (/dev/urandom or /dev/random) that serves this purpose.
+All OpenSSL versions try to use /dev/urandom by default; starting with
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
+available.
+
+On other systems, applications have to call the RAND_add() or
+RAND_seed() function with appropriate data before generating keys or
+performing public key encryption. (These functions initialize the
+pseudo-random number generator, PRNG.)  Some broken applications do
+not do this.  As of version 0.9.5, the OpenSSL functions that need
+randomness report an error if the random number generator has not been
+seeded with at least 128 bits of randomness.  If this error occurs and
+is not discussed in the documentation of the application you are
+using, please contact the author of that application; it is likely
+that it never worked correctly.  OpenSSL 0.9.5 and later make the
+error visible by refusing to perform potentially insecure encryption.
+
+If you are using Solaris 8, you can add /dev/urandom and /dev/random
+devices by installing patch 112438 (Sparc) or 112439 (x86), which are
+available via the Patchfinder at <URL: http://sunsolve.sun.com>
+(Solaris 9 includes these devices by default). For /dev/random support
+for earlier Solaris versions, see Sun's statement at
+<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
+(the SUNWski package is available in patch 105710).
+
+On systems without /dev/urandom and /dev/random, it is a good idea to
+use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
+details.  Starting with version 0.9.7, OpenSSL will automatically look
+for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
+/etc/entropy.
+
+Most components of the openssl command line utility automatically try
+to seed the random number generator from a file.  The name of the
+default seeding file is determined as follows: If environment variable
+RANDFILE is set, then it names the seeding file.  Otherwise if
+environment variable HOME is set, then the seeding file is $HOME/.rnd.
+If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
+use file .rnd in the current directory while OpenSSL 0.9.6a uses no
+default seeding file at all.  OpenSSL 0.9.6b and later will behave
+similarly to 0.9.6a, but will use a default of "C:\" for HOME on
+Windows systems if the environment variable has not been set.
+
+If the default seeding file does not exist or is too short, the "PRNG
+not seeded" error message may occur.
+
+The openssl command line utility will write back a new state to the
+default seeding file (and create this file if necessary) unless
+there was no sufficient seeding.
+
+Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
+Use the "-rand" option of the OpenSSL command line tools instead.
+The $RANDFILE environment variable and $HOME/.rnd are only used by the
+OpenSSL command line tools. Applications using the OpenSSL library
+provide their own configuration options to specify the entropy source,
+please check out the documentation coming the with application.
+
+
+* Why do I get an "unable to write 'random state'" error message?
+
+
+Sometimes the openssl command line utility does not abort with
+a "PRNG not seeded" error message, but complains that it is
+"unable to write 'random state'".  This message refers to the
+default seeding file (see previous answer).  A possible reason
+is that no default filename is known because neither RANDFILE
+nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
+current directory in this case, but this has changed with 0.9.6a.)
+
+
+* How do I create certificates or certificate requests?
+
+Check out the CA.pl(1) manual page. This provides a simple wrapper round
+the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
+out the manual pages for the individual utilities and the certificate
+extensions documentation (in ca(1), req(1), x509v3_config(5) )
+
+
+* Why can't I create certificate requests?
+
+You typically get the error:
+
+	unable to find 'distinguished_name' in config
+	problems making Certificate Request
+
+This is because it can't find the configuration file. Check out the
+DIAGNOSTICS section of req(1) for more information.
+
+
+* Why does <SSL program> fail with a certificate verify error?
+
+This problem is usually indicated by log messages saying something like
+"unable to get local issuer certificate" or "self signed certificate".
+When a certificate is verified its root CA must be "trusted" by OpenSSL
+this typically means that the CA certificate must be placed in a directory
+or file and the relevant program configured to read it. The OpenSSL program
+'verify' behaves in a similar way and issues similar error messages: check
+the verify(1) program manual page for more information.
+
+
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+
+This is almost certainly because you are using an old "export grade" browser
+which only supports weak encryption. Upgrade your browser to support 128 bit
+ciphers.
+
+
+* How can I create DSA certificates?
+
+Check the CA.pl(1) manual page for a DSA certificate example.
+
+
+* Why can't I make an SSL connection to a server using a DSA certificate?
+
+Typically you'll see a message saying there are no shared ciphers when
+the same setup works fine with an RSA certificate. There are two possible
+causes. The client may not support connections to DSA servers most web
+browsers (including Netscape and MSIE) only support connections to servers
+supporting RSA cipher suites. The other cause is that a set of DH parameters
+has not been supplied to the server. DH parameters can be created with the
+dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
+check the source to s_server in apps/s_server.c for an example.
+
+
+* How can I remove the passphrase on a private key?
+
+Firstly you should be really *really* sure you want to do this. Leaving
+a private key unencrypted is a major security risk. If you decide that
+you do have to do this check the EXAMPLES sections of the rsa(1) and
+dsa(1) manual pages.
+
+
+* Why can't I use OpenSSL certificates with SSL client authentication?
+
+What will typically happen is that when a server requests authentication
+it will either not include your certificate or tell you that you have
+no client certificates (Netscape) or present you with an empty list box
+(MSIE). The reason for this is that when a server requests a client
+certificate it includes a list of CAs names which it will accept. Browsers
+will only let you select certificates from the list on the grounds that
+there is little point presenting a certificate which the server will
+reject.
+
+The solution is to add the relevant CA certificate to your servers "trusted
+CA list". How you do this depends on the server software in uses. You can
+print out the servers list of acceptable CAs using the OpenSSL s_client tool:
+
+openssl s_client -connect www.some.host:443 -prexit
+
+If your server only requests certificates on certain URLs then you may need
+to manually issue an HTTP GET command to get the list when s_client connects:
+
+GET /some/page/needing/a/certificate.html
+
+If your CA does not appear in the list then this confirms the problem.
+
+
+* Why does my browser give a warning about a mismatched hostname?
+
+Browsers expect the server's hostname to match the value in the commonName
+(CN) field of the certificate. If it does not then you get a warning.
+
+
+* How do I install a CA certificate into a browser?
+
+The usual way is to send the DER encoded certificate to the browser as
+MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
+link. On MSIE certain extensions such as .der or .cacert may also work, or you
+can import the certificate using the certificate import wizard.
+
+You can convert a certificate to DER form using the command:
+
+openssl x509 -in ca.pem -outform DER -out ca.der
+
+Occasionally someone suggests using a command such as:
+
+openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
+
+DO NOT DO THIS! This command will give away your CAs private key and
+reduces its security to zero: allowing anyone to forge certificates in
+whatever name they choose.
+
+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+
+The ways to print out the oneline format of the DN (Distinguished Name) have
+been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
+interface, the "-nameopt" option could be introduded. See the manual
+page of the "openssl x509" command line tool for details. The old behaviour
+has however been left as default for the sake of compatibility.
+
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
+
+The term "128 bit certificate" is a highly misleading marketing term. It does
+*not* refer to the size of the public key in the certificate! A certificate
+containing a 128 bit RSA key would have negligible security.
+
+There were various other names such as "magic certificates", "SGC
+certificates", "step up certificates" etc.
+
+You can't generally create such a certificate using OpenSSL but there is no
+need to any more. Nowadays web browsers using unrestricted strong encryption
+are generally available.
+
+When there were tight restrictions on the export of strong encryption
+software from the US only weak encryption algorithms could be freely exported
+(initially 40 bit and then 56 bit). It was widely recognised that this was
+inadequate. A relaxation of the rules allowed the use of strong encryption but
+only to an authorised server.
+
+Two slightly different techniques were developed to support this, one used by
+Netscape was called "step up", the other used by MSIE was called "Server Gated
+Cryptography" (SGC). When a browser initially connected to a server it would
+check to see if the certificate contained certain extensions and was issued by
+an authorised authority. If these test succeeded it would reconnect using
+strong encryption.
+
+Only certain (initially one) certificate authorities could issue the
+certificates and they generally cost more than ordinary certificates.
+
+Although OpenSSL can create certificates containing the appropriate extensions
+the certificate would not come from a permitted authority and so would not
+be recognized.
+
+The export laws were later changed to allow almost unrestricted use of strong
+encryption so these certificates are now obsolete.
+
+
+* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
+
+It doesn't: this extension is often the cause of confusion.
+
+Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
+certificate C contains AKID.
+
+The purpose of this extension is to identify the authority certificate B. This
+can be done either by including the subject key identifier of B or its issuer
+name and serial number.
+
+In this latter case because it is identifying certifcate B it must contain the
+issuer name and serial number of B.
+
+It is often wrongly assumed that it should contain the subject name of B. If it
+did this would be redundant information because it would duplicate the issuer
+name of C.
+
+
+* How can I set up a bundle of commercial root CA certificates?
+
+The OpenSSL software is shipped without any root CA certificate as the
+OpenSSL project does not have any policy on including or excluding
+any specific CA and does not intend to set up such a policy. Deciding
+about which CAs to support is up to application developers or
+administrators.
+
+Other projects do have other policies so you can for example extract the CA
+bundle used by Mozilla and/or modssl as described in this article:
+
+  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
+
+
+* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
+
+OpenSSL 1.0.1 is the first release to support TLS 1.2, among other things,
+this increases the size of the default ClientHello message to more than
+255 bytes in length. Some software cannot handle this and hangs. For more
+details and workarounds see:
+
+  <URL: http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
+
+
+[BUILD] =======================================================================
+
+* Why does the linker complain about undefined symbols?
+
+Maybe the compilation was interrupted, and make doesn't notice that
+something is missing.  Run "make clean; make".
+
+If you used ./Configure instead of ./config, make sure that you
+selected the right target.  File formats may differ slightly between
+OS versions (for example sparcv8/sparcv9, or a.out/elf).
+
+In case you get errors about the following symbols, use the config
+option "no-asm", as described in INSTALL:
+
+ BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
+ CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
+ RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
+ bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
+ bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
+ des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
+ des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
+
+If none of these helps, you may want to try using the current snapshot.
+If the problem persists, please submit a bug report.
+
+
+* Why does the OpenSSL test fail with "bc: command not found"?
+
+You didn't install "bc", the Unix calculator.  If you want to run the
+tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
+
+
+* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+
+On some SCO installations or versions, bc has a bug that gets triggered
+when you run the test suite (using "make test").  The message returned is
+"bc: 1 not implemented".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
+for download instructions) can be safely used, for example.
+
+
+* Why does the OpenSSL test fail with "bc: stack empty"?
+
+On some DG/ux versions, bc seems to have a too small stack for calculations
+that the OpenSSL bntest throws at it.  This gets triggered when you run the
+test suite (using "make test").  The message returned is "bc: stack empty".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
+for download instructions) can be safely used, for example.
+
+
+* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
+
+On some Alpha installations running Tru64 Unix and Compaq C, the compilation
+of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
+memory to continue compilation.'  As far as the tests have shown, this may be
+a compiler bug.  What happens is that it eats up a lot of resident memory
+to build something, probably a table.  The problem is clearly in the
+optimization code, because if one eliminates optimization completely (-O0),
+the compilation goes through (and the compiler consumes about 2MB of resident
+memory instead of 240MB or whatever one's limit is currently).
+
+There are three options to solve this problem:
+
+1. set your current data segment size soft limit higher.  Experience shows
+that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
+this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
+kbytes to set the limit to.
+
+2. If you have a hard limit that is lower than what you need and you can't
+get it changed, you can compile all of OpenSSL with -O0 as optimization
+level.  This is however not a very nice thing to do for those who expect to
+get the best result from OpenSSL.  A bit more complicated solution is the
+following:
+
+----- snip:start -----
+  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
+       sed -e 's/ -O[0-9] / -O0 /'`"
+  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
+  make
+----- snip:end -----
+
+This will only compile sha_dgst.c with -O0, the rest with the optimization
+level chosen by the configuration process.  When the above is done, do the
+test and installation and you're set.
+
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
+should not be used and is not used in SSL/TLS nor any other recognized
+protocol in either case.
+
+
+* Why does the OpenSSL compilation fail with "ar: command not found"?
+
+Getting this message is quite usual on Solaris 2, because Sun has hidden
+away 'ar' and other development commands in directories that aren't in
+$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
+quickest way to fix this is to do the following (it assumes you use sh
+or any sh-compatible shell):
+
+----- snip:start -----
+  PATH=${PATH}:/usr/ccs/bin; export PATH
+----- snip:end -----
+
+and then redo the compilation.  What you should really do is make sure
+'/usr/ccs/bin' is permanently in your $PATH, for example through your
+'.profile' (again, assuming you use a sh-compatible shell).
+
+
+* Why does the OpenSSL compilation fail on Win32 with VC++?
+
+Sometimes, you may get reports from VC++ command line (cl) that it
+can't find standard include files like stdio.h and other weirdnesses.
+One possible cause is that the environment isn't correctly set up.
+To solve that problem for VC++ versions up to 6, one should run
+VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
+installation directory (somewhere under 'Program Files').  For VC++
+version 7 (and up?), which is also called VS.NET, the file is called
+VSVARS32.BAT instead.
+This needs to be done prior to running NMAKE, and the changes are only
+valid for the current DOS session.
+
+
+* What is special about OpenSSL on Redhat?
+
+Red Hat Linux (release 7.0 and later) include a preinstalled limited
+version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and
+MDC2 in this version. The same may apply to other Linux distributions.
+Users may therefore wish to install more or all of the features left out.
+
+To do this you MUST ensure that you do not overwrite the openssl that is in
+/usr/bin on your Red Hat machine. Several packages depend on this file,
+including sendmail and ssh. /usr/local/bin is a good alternative choice. The
+libraries that come with Red Hat 7.0 onwards have different names and so are
+not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
+/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
+/lib/libcrypto.so.2 respectively).
+
+Please note that we have been advised by Red Hat attempting to recompile the
+openssl rpm with all the cryptography enabled will not work. All other
+packages depend on the original Red Hat supplied openssl package. It is also
+worth noting that due to the way Red Hat supplies its packages, updates to
+openssl on each distribution never change the package version, only the
+build number. For example, on Red Hat 7.1, the latest openssl package has
+version number 0.9.6 and build number 9 even though it contains all the
+relevant updates in packages up to and including 0.9.6b.
+
+A possible way around this is to persuade Red Hat to produce a non-US
+version of Red Hat Linux.
+
+
+* Why does the OpenSSL compilation fail on MacOS X?
+
+If the failure happens when trying to build the "openssl" binary, with
+a large number of undefined symbols, it's very probable that you have
+OpenSSL 0.9.6b delivered with the operating system (you can find out by
+running '/usr/bin/openssl version') and that you were trying to build
+OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
+MacOS X has a misfeature that's quite difficult to go around.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
+
+* Why does the OpenSSL test suite fail on MacOS X?
+
+If the failure happens when running 'make test' and the RC4 test fails,
+it's very probable that you have OpenSSL 0.9.6b delivered with the
+operating system (you can find out by running '/usr/bin/openssl version')
+and that you were trying to build OpenSSL 0.9.6d.  The problem is that
+the loader ('ld') in MacOS X has a misfeature that's quite difficult to
+go around and has linked the programs "openssl" and the test programs
+with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
+libraries you just built.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+
+Failure in BN_sqr test is most likely caused by a failure to configure the
+toolkit for current platform or lack of support for the platform in question.
+Run './config -t' and './apps/openssl version -p'. Do these platform
+identifiers match? If they don't, then you most likely failed to run
+./config and you're hereby advised to do so before filing a bug report.
+If ./config itself fails to run, then it's most likely problem with your
+local environment and you should turn to your system administrator (or
+similar). If identifiers match (and/or no alternative identifier is
+suggested by ./config script), then the platform is unsupported. There might
+or might not be a workaround. Most notably on SPARC64 platforms with GNU
+C compiler you should be able to produce a working build by running
+'./config -m32'. I understand that -m32 might not be what you want/need,
+but the build should be operational. For further details turn to
+<openssl-dev at openssl.org>.
+
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+
+As of 0.9.7 assembler routines were overhauled for position independence
+of the machine code, which is essential for shared library support. For
+some reason OpenBSD is equipped with an out-of-date GNU assembler which
+finds the new code offensive. To work around the problem, configure with
+no-asm (and sacrifice a great deal of performance) or patch your assembler
+according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
+For your convenience a pre-compiled replacement binary is provided at
+<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
+Reportedly elder *BSD a.out platforms also suffer from this problem and
+remedy should be same. Provided binary is statically linked and should be
+working across wider range of *BSD branches, not just OpenBSD.
+
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+
+If the test program in question fails withs SIGILL, Illegal Instruction
+exception, then you more than likely to run SSE2-capable CPU, such as
+Intel P4, under control of kernel which does not support SSE2
+instruction extensions. See accompanying INSTALL file and
+OPENSSL_ia32cap(3) documentation page for further information.
+
+* Why does compiler fail to compile sha512.c?
+
+OpenSSL SHA-512 implementation depends on compiler support for 64-bit
+integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
+couple] lack support for this and therefore are incapable of compiling
+the module in question. The recommendation is to disable SHA-512 by
+adding no-sha512 to ./config [or ./Configure] command line. Another
+possible alternative might be to switch to GCC.
+
+* Test suite still fails, what to do?
+
+Another common reason for test failures is bugs in the toolchain
+or run-time environment.  Known cases of this are documented in the
+PROBLEMS file, please review it before you beat the drum. Even if you
+don't find anything in that file, please do consider the possibility
+of a compiler bug. Compiler bugs often appear in rather bizarre ways,
+they never make sense, and tend to emerge when you least expect
+them. One thing to try is to reduce the level of optimization (such
+as by editing the CFLAG variable line in the top-level Makefile),
+and then recompile and re-run the test.
+
+* I think I've found a bug, what should I do?
+
+If you are a new user then it is quite likely you haven't found a bug and
+something is happening you aren't familiar with. Check this FAQ, the associated
+documentation and the mailing lists for similar queries. If you are still
+unsure whether it is a bug or not submit a query to the openssl-users mailing
+list.
+
+If you think you have found a bug based on the output of static analysis tools
+then please manually check the issue is genuine. Such tools can produce a
+LOT of false positives.
+
+
+* I'm SURE I've found a bug, how do I report it?
+
+To avoid duplicated reports check the mailing lists and release notes for the
+relevant version of OpenSSL to see if the problem has been reported already.
+
+Bug reports with no security implications should be sent to the request
+tracker. This can be done by mailing the report to <rt at openssl.org> (or its
+alias <openssl-bugs at openssl.org>), please note that messages sent to the
+request tracker also appear in the public openssl-dev mailing list.
+
+The report should be in plain text. Any patches should be sent as
+plain text attachments because some mailers corrupt patches sent inline.
+If your issue affects multiple versions of OpenSSL check any patches apply
+cleanly and, if possible include patches to each affected version.
+
+The report should be given a meaningful subject line briefly summarising the
+issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
+
+By sending reports to the request tracker the bug can then be given a priority
+and assigned to the appropriate maintainer. The history of discussions can be
+accessed and if the issue has been addressed or a reason why not. If patches
+are only sent to openssl-dev they can be mislaid if a team member has to
+wade through months of old messages to review the discussion.
+
+See also <URL: http://www.openssl.org/support/rt.html>
+
+
+* I've found a security issue, how do I report it?
+
+If you think your bug has security implications then please send it to
+openssl-security at openssl.org if you don't get a prompt reply at least 
+acknowledging receipt then resend or mail it directly to one of the
+more active team members (e.g. Steve). If you wish to use PGP to send
+in a report please use one or more of the keys of the team members listed
+at <URL: http://www.openssl.org/about/>
+
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues. 
+
+[PROG] ========================================================================
+
+* Is OpenSSL thread-safe?
+
+Provided an application sets up the thread callback functions, the
+answer is yes. There are limitations; for example, an SSL connection
+cannot be used concurrently by multiple threads.  This is true for
+most OpenSSL objects.
+
+To do this, your application must call CRYPTO_set_locking_callback()
+and one of the CRYPTO_THREADID_set...() API's.  See the OpenSSL threads
+manpage for details and "note on multi-threading" in the INSTALL file in
+the source distribution.
+
+* I've compiled a program under Windows and it crashes: why?
+
+This is usually because you've missed the comment in INSTALL.W32.
+Your application must link against the same version of the Win32
+C-Runtime against which your openssl libraries were linked.  The
+default version for OpenSSL is /MD - "Multithreaded DLL".
+
+If you are using Microsoft Visual C++'s IDE (Visual Studio), in
+many cases, your new project most likely defaulted to "Debug
+Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
+program will crash, typically on the first BIO related read or write
+operation.
+
+For each of the six possible link stage configurations within Win32,
+your application must link  against the same by which OpenSSL was
+built.  If you are using MS Visual C++ (Studio) this can be changed
+by:
+
+ 1. Select Settings... from the Project Menu.
+ 2. Select the C/C++ Tab.
+ 3. Select "Code Generation from the "Category" drop down list box
+ 4. Select the Appropriate library (see table below) from the "Use
+    run-time library" drop down list box.  Perform this step for both
+    your debug and release versions of your application (look at the
+    top left of the settings panel to change between the two)
+
+    Single Threaded           /ML        -  MS VC++ often defaults to
+                                            this for the release
+                                            version of a new project.
+    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
+                                            this for the debug version
+                                            of a new project.
+    Multithreaded             /MT
+    Debug Multithreaded       /MTd
+    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
+    Debug Multithreaded DLL   /MDd
+
+Note that debug and release libraries are NOT interchangeable.  If you
+built OpenSSL with /MD your application must use /MD and cannot use /MDd.
+
+As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
+.DLLs compiled with some specific run-time option [we insist on the
+default /MD] can be deployed with application compiled with different
+option or even different compiler. But there is a catch! Instead of
+re-compiling OpenSSL toolkit, as you would have to with prior versions,
+you have to compile small C snippet with compiler and/or options of
+your choice. The snippet gets installed as
+<install-root>/include/openssl/applink.c and should be either added to
+your application project or simply #include-d in one [and only one]
+of your application source files. Failure to link this shim module
+into your application manifests itself as fatal "no OPENSSL_Applink"
+run-time error. An explicit reminder is due that in this situation
+[mixing compiler options] it is as important to add CRYPTO_malloc_init
+prior first call to OpenSSL.
+
+* How do I read or write a DER encoded buffer using the ASN1 functions?
+
+You have two options. You can either use a memory BIO in conjunction
+with the i2d_*_bio() or d2i_*_bio() functions or you can use the
+i2d_*(), d2i_*() functions directly. Since these are often the
+cause of grief here are some code fragments using PKCS7 as an example:
+
+----- snip:start -----
+ unsigned char *buf, *p;
+ int len = i2d_PKCS7(p7, NULL);
+
+ buf = OPENSSL_malloc(len); /* error checking omitted */
+ p = buf;
+ i2d_PKCS7(p7, &p);
+----- snip:end -----
+
+At this point buf contains the len bytes of the DER encoding of
+p7.
+
+The opposite assumes we already have len bytes in buf:
+
+----- snip:start -----
+ unsigned char *p = buf;
+
+ p7 = d2i_PKCS7(NULL, &p, len);
+----- snip:end -----
+
+At this point p7 contains a valid PKCS7 structure or NULL if an error
+occurred. If an error occurred ERR_print_errors(bio) should give more
+information.
+
+The reason for the temporary variable 'p' is that the ASN1 functions
+increment the passed pointer so it is ready to read or write the next
+structure. This is often a cause of problems: without the temporary
+variable the buffer pointer is changed to point just after the data
+that has been read or written. This may well be uninitialized data
+and attempts to free the buffer will have unpredictable results
+because it no longer points to the same address.
+
+Memory allocation and encoding can also be combined in a single
+operation by the ASN1 routines:
+
+----- snip:start -----
+ unsigned char *buf = NULL;
+ int len = i2d_PKCS7(p7, &buf);
+
+ if (len < 0) {
+     /* Error */
+ }
+ /* Do some things with 'buf' */
+ /* Finished with buf: free it */
+ OPENSSL_free(buf);
+----- snip:end -----
+
+In this special case the "buf" parameter is *not* incremented, it points
+to the start of the encoding.
+
+
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+
+The short answer is yes, because DER is a special case of BER and OpenSSL
+ASN1 decoders can process BER.
+
+The longer answer is that ASN1 structures can be encoded in a number of
+different ways. One set of ways is the Basic Encoding Rules (BER) with various
+permissible encodings. A restriction of BER is the Distinguished Encoding
+Rules (DER): these uniquely specify how a given structure is encoded.
+
+Therefore, because DER is a special case of BER, DER is an acceptable encoding
+for BER.
+
+
+* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
+
+This usually happens when you try compiling something using the PKCS#12
+macros with a C++ compiler. There is hardly ever any need to use the
+PKCS#12 macros in a program, it is much easier to parse and create
+PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
+documented in doc/openssl.txt and with examples in demos/pkcs12. The
+'pkcs12' application has to use the macros because it prints out 
+debugging information.
+
+
+* I've called <some function> and it fails, why?
+
+Before submitting a report or asking in one of the mailing lists, you
+should try to determine the cause. In particular, you should call
+ERR_print_errors() or ERR_print_errors_fp() after the failed call
+and see if the message helps. Note that the problem may occur earlier
+than you think -- you should check for errors after every call where
+it is possible, otherwise the actual problem may be hidden because
+some OpenSSL functions clear the error state.
+
+
+* I just get a load of numbers for the error output, what do they mean?
+
+The actual format is described in the ERR_print_errors() manual page.
+You should call the function ERR_load_crypto_strings() before hand and
+the message will be output in text form. If you can't do this (for example
+it is a pre-compiled binary) you can use the errstr utility on the error
+code itself (the hex digits after the second colon).
+
+
+* Why do I get errors about unknown algorithms?
+
+The cause is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information. This
+can cause several problems such as being unable to read in an encrypted
+PEM file, unable to decrypt a PKCS#12 file or signature failure when
+verifying certificates.
+
+* Why can't the OpenSSH configure script detect OpenSSL?
+
+Several reasons for problems with the automatic detection exist.
+OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
+Sometimes the distribution has installed an older version in the system
+locations that is detected instead of a new one installed. The OpenSSL
+library might have been compiled for another CPU or another mode (32/64 bits).
+Permissions might be wrong.
+
+The general answer is to check the config.log file generated when running
+the OpenSSH configure script. It should contain the detailed information
+on why the OpenSSL library was not detected or considered incompatible.
+
+
+* Can I use OpenSSL's SSL library with non-blocking I/O?
+
+Yes; make sure to read the SSL_get_error(3) manual page!
+
+A pitfall to avoid: Don't assume that SSL_read() will just read from
+the underlying transport or that SSL_write() will just write to it --
+it is also possible that SSL_write() cannot do any useful work until
+there is data to read, or that SSL_read() cannot do anything until it
+is possible to send data.  One reason for this is that the peer may
+request a new TLS/SSL handshake at any time during the protocol,
+requiring a bi-directional message exchange; both SSL_read() and
+SSL_write() will try to continue any pending handshake.
+
+
+* Why doesn't my server application receive a client certificate?
+
+Due to the TLS protocol definition, a client will only send a certificate,
+if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
+SSL_CTX_set_verify() function to enable the use of client certificates.
+
+
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+
+For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
+versions, uniqueIdentifier was incorrectly used for X.509 certificates.
+The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
+Change your code to use the new name when compiling against OpenSSL 0.9.7.
+
+
+* I think I've detected a memory leak, is this a bug?
+
+In most cases the cause of an apparent memory leak is an OpenSSL internal table
+that is allocated when an application starts up. Since such tables do not grow
+in size over time they are harmless.
+
+These internal tables can be freed up when an application closes using various
+functions.  Currently these include following:
+
+Thread-local cleanup functions:
+
+  ERR_remove_state()
+
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+
+  ENGINE_cleanup() and CONF_modules_unload()
+
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+
+  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
+
+
+* Why does Valgrind complain about the use of uninitialized data?
+
+When OpenSSL's PRNG routines are called to generate random numbers the supplied
+buffer contents are mixed into the entropy pool: so it technically does not
+matter whether the buffer is initialized at this point or not.  Valgrind (and
+other test tools) will complain about this. When using Valgrind, make sure the
+OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
+to get rid of these warnings.
+
+
+* Why doesn't a memory BIO work when a file does?
+
+This can occur in several cases for example reading an S/MIME email message.
+The reason is that a memory BIO can do one of two things when all the data
+has been read from it.
+
+The default behaviour is to indicate that no more data is available and that
+the call should be retried, this is to allow the application to fill up the BIO
+again if necessary.
+
+Alternatively it can indicate that no more data is available and that EOF has
+been reached.
+
+If a memory BIO is to behave in the same way as a file this second behaviour
+is needed. This must be done by calling:
+
+   BIO_set_mem_eof_return(bio, 0);
+
+See the manual pages for more details.
+
+
+* Where are the declarations and implementations of d2i_X509() etc?
+
+These are defined and implemented by macros of the form:
+
+
+ DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
+
+The implementation passes an ASN1 "template" defining the structure into an
+ASN1 interpreter using generalised functions such as ASN1_item_d2i().
+
+* When debugging I observe SIGILL during OpenSSL initialization: why?
+
+OpenSSL adapts to processor it executes on and for this reason has to
+query its capabilities. Unfortunately on some processors the only way
+to achieve this for non-privileged code is to attempt instructions
+that can cause Illegal Instruction exceptions. The initialization
+procedure is coded to handle these exceptions to manipulate corresponding
+bits in capabilities vector. This normally appears transparent, except
+when you execute it under debugger, which stops prior delivering signal
+to handler. Simply resuming execution does the trick, but when debugging
+a lot it might feel counterproductive. Two options. Either set explicit
+capability environment variable in order to bypass the capability query
+(see corresponding crypto/*cap.c for details). Or configure debugger not
+to stop upon SIGILL exception, e.g. in gdb case add 'handle SIGILL nostop'
+to your .gdbinit.
+
+===============================================================================

From rsalz at openssl.org  Sun Aug 16 23:02:45 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:02:45 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439766165.813807.3112.nullmailer@dev.openssl.org>

The branch master has been updated
       via  4f46473a86c9e3741203b22d4d401a3763583494 (commit)
      from  ac1123320145f731fb04a4cc3df1fbd9c3d5e513 (commit)


- Log -----------------------------------------------------------------
commit 4f46473a86c9e3741203b22d4d401a3763583494
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 18:38:24 2015 -0400

    Move FAQ to the web.
    
    Best hope of keeping current.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 FAQ | 1093 +------------------------------------------------------------------
 1 file changed, 2 insertions(+), 1091 deletions(-)

diff --git a/FAQ b/FAQ
index 0ff792b..22c5cf7 100644
--- a/FAQ
+++ b/FAQ
@@ -1,1091 +1,2 @@
-OpenSSL  -  Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software? 
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-* When debugging I observe SIGILL during OpenSSL initialization: why?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers.  Be sure to read the
-documentation of the application you want to use.  The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt.  It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/about/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
-   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
-   pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and 
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-* What happens when the letter release reaches z?
-
-It was decided after the release of OpenSSL 0.9.8y the next version should
-be 0.9.8za then 0.9.8zb and so on.
-
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-For information on intellectual property rights, please consult a lawyer.
-The OpenSSL team does not offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed."  If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly.  Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.)  Some broken applications do
-not do this.  As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness.  If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly.  OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details.  Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
-Most components of the openssl command line utility automatically try
-to seed the random number generator from a file.  The name of the
-default seeding file is determined as follows: If environment variable
-RANDFILE is set, then it names the seeding file.  Otherwise if
-environment variable HOME is set, then the seeding file is $HOME/.rnd.
-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
-use file .rnd in the current directory while OpenSSL 0.9.6a uses no
-default seeding file at all.  OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:\" for HOME on
-Windows systems if the environment variable has not been set.
-
-If the default seeding file does not exist or is too short, the "PRNG
-not seeded" error message may occur.
-
-The openssl command line utility will write back a new state to the
-default seeding file (and create this file if necessary) unless
-there was no sufficient seeding.
-
-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
-Use the "-rand" option of the OpenSSL command line tools instead.
-The $RANDFILE environment variable and $HOME/.rnd are only used by the
-OpenSSL command line tools. Applications using the OpenSSL library
-provide their own configuration options to specify the entropy source,
-please check out the documentation coming the with application.
-
-
-* Why do I get an "unable to write 'random state'" error message?
-
-
-Sometimes the openssl command line utility does not abort with
-a "PRNG not seeded" error message, but complains that it is
-"unable to write 'random state'".  This message refers to the
-default seeding file (see previous answer).  A possible reason
-is that no default filename is known because neither RANDFILE
-nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
-current directory in this case, but this has changed with 0.9.6a.)
-
-
-* How do I create certificates or certificate requests?
-
-Check out the CA.pl(1) manual page. This provides a simple wrapper round
-the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
-out the manual pages for the individual utilities and the certificate
-extensions documentation (in ca(1), req(1), x509v3_config(5) )
-
-
-* Why can't I create certificate requests?
-
-You typically get the error:
-
-	unable to find 'distinguished_name' in config
-	problems making Certificate Request
-
-This is because it can't find the configuration file. Check out the
-DIAGNOSTICS section of req(1) for more information.
-
-
-* Why does <SSL program> fail with a certificate verify error?
-
-This problem is usually indicated by log messages saying something like
-"unable to get local issuer certificate" or "self signed certificate".
-When a certificate is verified its root CA must be "trusted" by OpenSSL
-this typically means that the CA certificate must be placed in a directory
-or file and the relevant program configured to read it. The OpenSSL program
-'verify' behaves in a similar way and issues similar error messages: check
-the verify(1) program manual page for more information.
-
-
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-
-This is almost certainly because you are using an old "export grade" browser
-which only supports weak encryption. Upgrade your browser to support 128 bit
-ciphers.
-
-
-* How can I create DSA certificates?
-
-Check the CA.pl(1) manual page for a DSA certificate example.
-
-
-* Why can't I make an SSL connection to a server using a DSA certificate?
-
-Typically you'll see a message saying there are no shared ciphers when
-the same setup works fine with an RSA certificate. There are two possible
-causes. The client may not support connections to DSA servers most web
-browsers (including Netscape and MSIE) only support connections to servers
-supporting RSA cipher suites. The other cause is that a set of DH parameters
-has not been supplied to the server. DH parameters can be created with the
-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
-check the source to s_server in apps/s_server.c for an example.
-
-
-* How can I remove the passphrase on a private key?
-
-Firstly you should be really *really* sure you want to do this. Leaving
-a private key unencrypted is a major security risk. If you decide that
-you do have to do this check the EXAMPLES sections of the rsa(1) and
-dsa(1) manual pages.
-
-
-* Why can't I use OpenSSL certificates with SSL client authentication?
-
-What will typically happen is that when a server requests authentication
-it will either not include your certificate or tell you that you have
-no client certificates (Netscape) or present you with an empty list box
-(MSIE). The reason for this is that when a server requests a client
-certificate it includes a list of CAs names which it will accept. Browsers
-will only let you select certificates from the list on the grounds that
-there is little point presenting a certificate which the server will
-reject.
-
-The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server software in uses. You can
-print out the servers list of acceptable CAs using the OpenSSL s_client tool:
-
-openssl s_client -connect www.some.host:443 -prexit
-
-If your server only requests certificates on certain URLs then you may need
-to manually issue an HTTP GET command to get the list when s_client connects:
-
-GET /some/page/needing/a/certificate.html
-
-If your CA does not appear in the list then this confirms the problem.
-
-
-* Why does my browser give a warning about a mismatched hostname?
-
-Browsers expect the server's hostname to match the value in the commonName
-(CN) field of the certificate. If it does not then you get a warning.
-
-
-* How do I install a CA certificate into a browser?
-
-The usual way is to send the DER encoded certificate to the browser as
-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
-link. On MSIE certain extensions such as .der or .cacert may also work, or you
-can import the certificate using the certificate import wizard.
-
-You can convert a certificate to DER form using the command:
-
-openssl x509 -in ca.pem -outform DER -out ca.der
-
-Occasionally someone suggests using a command such as:
-
-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
-
-DO NOT DO THIS! This command will give away your CAs private key and
-reduces its security to zero: allowing anyone to forge certificates in
-whatever name they choose.
-
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-
-The ways to print out the oneline format of the DN (Distinguished Name) have
-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
-interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" command line tool for details. The old behaviour
-has however been left as default for the sake of compatibility.
-
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-
-The term "128 bit certificate" is a highly misleading marketing term. It does
-*not* refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-
-Two slightly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
-
-
-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
-
-It doesn't: this extension is often the cause of confusion.
-
-Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
-certificate C contains AKID.
-
-The purpose of this extension is to identify the authority certificate B. This
-can be done either by including the subject key identifier of B or its issuer
-name and serial number.
-
-In this latter case because it is identifying certifcate B it must contain the
-issuer name and serial number of B.
-
-It is often wrongly assumed that it should contain the subject name of B. If it
-did this would be redundant information because it would duplicate the issuer
-name of C.
-
-
-* How can I set up a bundle of commercial root CA certificates?
-
-The OpenSSL software is shipped without any root CA certificate as the
-OpenSSL project does not have any policy on including or excluding
-any specific CA and does not intend to set up such a policy. Deciding
-about which CAs to support is up to application developers or
-administrators.
-
-Other projects do have other policies so you can for example extract the CA
-bundle used by Mozilla and/or modssl as described in this article:
-
-  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
-
-
-* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
-
-OpenSSL 1.0.1 is the first release to support TLS 1.2, among other things,
-this increases the size of the default ClientHello message to more than
-255 bytes in length. Some software cannot handle this and hangs. For more
-details and workarounds see:
-
-  <URL: http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
-
-
-[BUILD] =======================================================================
-
-* Why does the linker complain about undefined symbols?
-
-Maybe the compilation was interrupted, and make doesn't notice that
-something is missing.  Run "make clean; make".
-
-If you used ./Configure instead of ./config, make sure that you
-selected the right target.  File formats may differ slightly between
-OS versions (for example sparcv8/sparcv9, or a.out/elf).
-
-In case you get errors about the following symbols, use the config
-option "no-asm", as described in INSTALL:
-
- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
-
-If none of these helps, you may want to try using the current snapshot.
-If the problem persists, please submit a bug report.
-
-
-* Why does the OpenSSL test fail with "bc: command not found"?
-
-You didn't install "bc", the Unix calculator.  If you want to run the
-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
-
-
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-
-On some SCO installations or versions, bc has a bug that gets triggered
-when you run the test suite (using "make test").  The message returned is
-"bc: 1 not implemented".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL test fail with "bc: stack empty"?
-
-On some DG/ux versions, bc seems to have a too small stack for calculations
-that the OpenSSL bntest throws at it.  This gets triggered when you run the
-test suite (using "make test").  The message returned is "bc: stack empty".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-
-On some Alpha installations running Tru64 Unix and Compaq C, the compilation
-of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
-memory to continue compilation.'  As far as the tests have shown, this may be
-a compiler bug.  What happens is that it eats up a lot of resident memory
-to build something, probably a table.  The problem is clearly in the
-optimization code, because if one eliminates optimization completely (-O0),
-the compilation goes through (and the compiler consumes about 2MB of resident
-memory instead of 240MB or whatever one's limit is currently).
-
-There are three options to solve this problem:
-
-1. set your current data segment size soft limit higher.  Experience shows
-that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
-kbytes to set the limit to.
-
-2. If you have a hard limit that is lower than what you need and you can't
-get it changed, you can compile all of OpenSSL with -O0 as optimization
-level.  This is however not a very nice thing to do for those who expect to
-get the best result from OpenSSL.  A bit more complicated solution is the
-following:
-
------ snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
-       sed -e 's/ -O[0-9] / -O0 /'`"
-  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
-  make
------ snip:end -----
-
-This will only compile sha_dgst.c with -O0, the rest with the optimization
-level chosen by the configuration process.  When the above is done, do the
-test and installation and you're set.
-
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
-should not be used and is not used in SSL/TLS nor any other recognized
-protocol in either case.
-
-
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-
-Getting this message is quite usual on Solaris 2, because Sun has hidden
-away 'ar' and other development commands in directories that aren't in
-$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
-quickest way to fix this is to do the following (it assumes you use sh
-or any sh-compatible shell):
-
------ snip:start -----
-  PATH=${PATH}:/usr/ccs/bin; export PATH
------ snip:end -----
-
-and then redo the compilation.  What you should really do is make sure
-'/usr/ccs/bin' is permanently in your $PATH, for example through your
-'.profile' (again, assuming you use a sh-compatible shell).
-
-
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-
-Sometimes, you may get reports from VC++ command line (cl) that it
-can't find standard include files like stdio.h and other weirdnesses.
-One possible cause is that the environment isn't correctly set up.
-To solve that problem for VC++ versions up to 6, one should run
-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-installation directory (somewhere under 'Program Files').  For VC++
-version 7 (and up?), which is also called VS.NET, the file is called
-VSVARS32.BAT instead.
-This needs to be done prior to running NMAKE, and the changes are only
-valid for the current DOS session.
-
-
-* What is special about OpenSSL on Redhat?
-
-Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and
-MDC2 in this version. The same may apply to other Linux distributions.
-Users may therefore wish to install more or all of the features left out.
-
-To do this you MUST ensure that you do not overwrite the openssl that is in
-/usr/bin on your Red Hat machine. Several packages depend on this file,
-including sendmail and ssh. /usr/local/bin is a good alternative choice. The
-libraries that come with Red Hat 7.0 onwards have different names and so are
-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
-/lib/libcrypto.so.2 respectively).
-
-Please note that we have been advised by Red Hat attempting to recompile the
-openssl rpm with all the cryptography enabled will not work. All other
-packages depend on the original Red Hat supplied openssl package. It is also
-worth noting that due to the way Red Hat supplies its packages, updates to
-openssl on each distribution never change the package version, only the
-build number. For example, on Red Hat 7.1, the latest openssl package has
-version number 0.9.6 and build number 9 even though it contains all the
-relevant updates in packages up to and including 0.9.6b.
-
-A possible way around this is to persuade Red Hat to produce a non-US
-version of Red Hat Linux.
-
-
-* Why does the OpenSSL compilation fail on MacOS X?
-
-If the failure happens when trying to build the "openssl" binary, with
-a large number of undefined symbols, it's very probable that you have
-OpenSSL 0.9.6b delivered with the operating system (you can find out by
-running '/usr/bin/openssl version') and that you were trying to build
-OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
-MacOS X has a misfeature that's quite difficult to go around.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-
-* Why does the OpenSSL test suite fail on MacOS X?
-
-If the failure happens when running 'make test' and the RC4 test fails,
-it's very probable that you have OpenSSL 0.9.6b delivered with the
-operating system (you can find out by running '/usr/bin/openssl version')
-and that you were trying to build OpenSSL 0.9.6d.  The problem is that
-the loader ('ld') in MacOS X has a misfeature that's quite difficult to
-go around and has linked the programs "openssl" and the test programs
-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
-libraries you just built.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-
-Failure in BN_sqr test is most likely caused by a failure to configure the
-toolkit for current platform or lack of support for the platform in question.
-Run './config -t' and './apps/openssl version -p'. Do these platform
-identifiers match? If they don't, then you most likely failed to run
-./config and you're hereby advised to do so before filing a bug report.
-If ./config itself fails to run, then it's most likely problem with your
-local environment and you should turn to your system administrator (or
-similar). If identifiers match (and/or no alternative identifier is
-suggested by ./config script), then the platform is unsupported. There might
-or might not be a workaround. Most notably on SPARC64 platforms with GNU
-C compiler you should be able to produce a working build by running
-'./config -m32'. I understand that -m32 might not be what you want/need,
-but the build should be operational. For further details turn to
-<openssl-dev at openssl.org>.
-
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-
-As of 0.9.7 assembler routines were overhauled for position independence
-of the machine code, which is essential for shared library support. For
-some reason OpenBSD is equipped with an out-of-date GNU assembler which
-finds the new code offensive. To work around the problem, configure with
-no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
-For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
-Reportedly elder *BSD a.out platforms also suffer from this problem and
-remedy should be same. Provided binary is statically linked and should be
-working across wider range of *BSD branches, not just OpenBSD.
-
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-
-If the test program in question fails withs SIGILL, Illegal Instruction
-exception, then you more than likely to run SSE2-capable CPU, such as
-Intel P4, under control of kernel which does not support SSE2
-instruction extensions. See accompanying INSTALL file and
-OPENSSL_ia32cap(3) documentation page for further information.
-
-* Why does compiler fail to compile sha512.c?
-
-OpenSSL SHA-512 implementation depends on compiler support for 64-bit
-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
-couple] lack support for this and therefore are incapable of compiling
-the module in question. The recommendation is to disable SHA-512 by
-adding no-sha512 to ./config [or ./Configure] command line. Another
-possible alternative might be to switch to GCC.
-
-* Test suite still fails, what to do?
-
-Another common reason for test failures is bugs in the toolchain
-or run-time environment.  Known cases of this are documented in the
-PROBLEMS file, please review it before you beat the drum. Even if you
-don't find anything in that file, please do consider the possibility
-of a compiler bug. Compiler bugs often appear in rather bizarre ways,
-they never make sense, and tend to emerge when you least expect
-them. One thing to try is to reduce the level of optimization (such
-as by editing the CFLAG variable line in the top-level Makefile),
-and then recompile and re-run the test.
-
-* I think I've found a bug, what should I do?
-
-If you are a new user then it is quite likely you haven't found a bug and
-something is happening you aren't familiar with. Check this FAQ, the associated
-documentation and the mailing lists for similar queries. If you are still
-unsure whether it is a bug or not submit a query to the openssl-users mailing
-list.
-
-If you think you have found a bug based on the output of static analysis tools
-then please manually check the issue is genuine. Such tools can produce a
-LOT of false positives.
-
-
-* I'm SURE I've found a bug, how do I report it?
-
-To avoid duplicated reports check the mailing lists and release notes for the
-relevant version of OpenSSL to see if the problem has been reported already.
-
-Bug reports with no security implications should be sent to the request
-tracker. This can be done by mailing the report to <rt at openssl.org> (or its
-alias <openssl-bugs at openssl.org>), please note that messages sent to the
-request tracker also appear in the public openssl-dev mailing list.
-
-The report should be in plain text. Any patches should be sent as
-plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patches apply
-cleanly and, if possible include patches to each affected version.
-
-The report should be given a meaningful subject line briefly summarising the
-issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
-
-By sending reports to the request tracker the bug can then be given a priority
-and assigned to the appropriate maintainer. The history of discussions can be
-accessed and if the issue has been addressed or a reason why not. If patches
-are only sent to openssl-dev they can be mislaid if a team member has to
-wade through months of old messages to review the discussion.
-
-See also <URL: http://www.openssl.org/support/rt.html>
-
-
-* I've found a security issue, how do I report it?
-
-If you think your bug has security implications then please send it to
-openssl-security at openssl.org if you don't get a prompt reply at least 
-acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve). If you wish to use PGP to send
-in a report please use one or more of the keys of the team members listed
-at <URL: http://www.openssl.org/about/>
-
-Note that bugs only present in the openssl utility are not in general
-considered to be security issues. 
-
-[PROG] ========================================================================
-
-* Is OpenSSL thread-safe?
-
-Provided an application sets up the thread callback functions, the
-answer is yes. There are limitations; for example, an SSL connection
-cannot be used concurrently by multiple threads.  This is true for
-most OpenSSL objects.
-
-To do this, your application must call CRYPTO_set_locking_callback()
-and one of the CRYPTO_THREADID_set...() API's.  See the OpenSSL threads
-manpage for details and "note on multi-threading" in the INSTALL file in
-the source distribution.
-
-* I've compiled a program under Windows and it crashes: why?
-
-This is usually because you've missed the comment in INSTALL.W32.
-Your application must link against the same version of the Win32
-C-Runtime against which your openssl libraries were linked.  The
-default version for OpenSSL is /MD - "Multithreaded DLL".
-
-If you are using Microsoft Visual C++'s IDE (Visual Studio), in
-many cases, your new project most likely defaulted to "Debug
-Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
-program will crash, typically on the first BIO related read or write
-operation.
-
-For each of the six possible link stage configurations within Win32,
-your application must link  against the same by which OpenSSL was
-built.  If you are using MS Visual C++ (Studio) this can be changed
-by:
-
- 1. Select Settings... from the Project Menu.
- 2. Select the C/C++ Tab.
- 3. Select "Code Generation from the "Category" drop down list box
- 4. Select the Appropriate library (see table below) from the "Use
-    run-time library" drop down list box.  Perform this step for both
-    your debug and release versions of your application (look at the
-    top left of the settings panel to change between the two)
-
-    Single Threaded           /ML        -  MS VC++ often defaults to
-                                            this for the release
-                                            version of a new project.
-    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
-                                            this for the debug version
-                                            of a new project.
-    Multithreaded             /MT
-    Debug Multithreaded       /MTd
-    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
-    Debug Multithreaded DLL   /MDd
-
-Note that debug and release libraries are NOT interchangeable.  If you
-built OpenSSL with /MD your application must use /MD and cannot use /MDd.
-
-As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
-.DLLs compiled with some specific run-time option [we insist on the
-default /MD] can be deployed with application compiled with different
-option or even different compiler. But there is a catch! Instead of
-re-compiling OpenSSL toolkit, as you would have to with prior versions,
-you have to compile small C snippet with compiler and/or options of
-your choice. The snippet gets installed as
-<install-root>/include/openssl/applink.c and should be either added to
-your application project or simply #include-d in one [and only one]
-of your application source files. Failure to link this shim module
-into your application manifests itself as fatal "no OPENSSL_Applink"
-run-time error. An explicit reminder is due that in this situation
-[mixing compiler options] it is as important to add CRYPTO_malloc_init
-prior first call to OpenSSL.
-
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-
-You have two options. You can either use a memory BIO in conjunction
-with the i2d_*_bio() or d2i_*_bio() functions or you can use the
-i2d_*(), d2i_*() functions directly. Since these are often the
-cause of grief here are some code fragments using PKCS7 as an example:
-
------ snip:start -----
- unsigned char *buf, *p;
- int len = i2d_PKCS7(p7, NULL);
-
- buf = OPENSSL_malloc(len); /* error checking omitted */
- p = buf;
- i2d_PKCS7(p7, &p);
------ snip:end -----
-
-At this point buf contains the len bytes of the DER encoding of
-p7.
-
-The opposite assumes we already have len bytes in buf:
-
------ snip:start -----
- unsigned char *p = buf;
-
- p7 = d2i_PKCS7(NULL, &p, len);
------ snip:end -----
-
-At this point p7 contains a valid PKCS7 structure or NULL if an error
-occurred. If an error occurred ERR_print_errors(bio) should give more
-information.
-
-The reason for the temporary variable 'p' is that the ASN1 functions
-increment the passed pointer so it is ready to read or write the next
-structure. This is often a cause of problems: without the temporary
-variable the buffer pointer is changed to point just after the data
-that has been read or written. This may well be uninitialized data
-and attempts to free the buffer will have unpredictable results
-because it no longer points to the same address.
-
-Memory allocation and encoding can also be combined in a single
-operation by the ASN1 routines:
-
------ snip:start -----
- unsigned char *buf = NULL;
- int len = i2d_PKCS7(p7, &buf);
-
- if (len < 0) {
-     /* Error */
- }
- /* Do some things with 'buf' */
- /* Finished with buf: free it */
- OPENSSL_free(buf);
------ snip:end -----
-
-In this special case the "buf" parameter is *not* incremented, it points
-to the start of the encoding.
-
-
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-
-The short answer is yes, because DER is a special case of BER and OpenSSL
-ASN1 decoders can process BER.
-
-The longer answer is that ASN1 structures can be encoded in a number of
-different ways. One set of ways is the Basic Encoding Rules (BER) with various
-permissible encodings. A restriction of BER is the Distinguished Encoding
-Rules (DER): these uniquely specify how a given structure is encoded.
-
-Therefore, because DER is a special case of BER, DER is an acceptable encoding
-for BER.
-
-
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-
-This usually happens when you try compiling something using the PKCS#12
-macros with a C++ compiler. There is hardly ever any need to use the
-PKCS#12 macros in a program, it is much easier to parse and create
-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
-documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out 
-debugging information.
-
-
-* I've called <some function> and it fails, why?
-
-Before submitting a report or asking in one of the mailing lists, you
-should try to determine the cause. In particular, you should call
-ERR_print_errors() or ERR_print_errors_fp() after the failed call
-and see if the message helps. Note that the problem may occur earlier
-than you think -- you should check for errors after every call where
-it is possible, otherwise the actual problem may be hidden because
-some OpenSSL functions clear the error state.
-
-
-* I just get a load of numbers for the error output, what do they mean?
-
-The actual format is described in the ERR_print_errors() manual page.
-You should call the function ERR_load_crypto_strings() before hand and
-the message will be output in text form. If you can't do this (for example
-it is a pre-compiled binary) you can use the errstr utility on the error
-code itself (the hex digits after the second colon).
-
-
-* Why do I get errors about unknown algorithms?
-
-The cause is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information. This
-can cause several problems such as being unable to read in an encrypted
-PEM file, unable to decrypt a PKCS#12 file or signature failure when
-verifying certificates.
-
-* Why can't the OpenSSH configure script detect OpenSSL?
-
-Several reasons for problems with the automatic detection exist.
-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
-Sometimes the distribution has installed an older version in the system
-locations that is detected instead of a new one installed. The OpenSSL
-library might have been compiled for another CPU or another mode (32/64 bits).
-Permissions might be wrong.
-
-The general answer is to check the config.log file generated when running
-the OpenSSH configure script. It should contain the detailed information
-on why the OpenSSL library was not detected or considered incompatible.
-
-
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-
-Yes; make sure to read the SSL_get_error(3) manual page!
-
-A pitfall to avoid: Don't assume that SSL_read() will just read from
-the underlying transport or that SSL_write() will just write to it --
-it is also possible that SSL_write() cannot do any useful work until
-there is data to read, or that SSL_read() cannot do anything until it
-is possible to send data.  One reason for this is that the peer may
-request a new TLS/SSL handshake at any time during the protocol,
-requiring a bi-directional message exchange; both SSL_read() and
-SSL_write() will try to continue any pending handshake.
-
-
-* Why doesn't my server application receive a client certificate?
-
-Due to the TLS protocol definition, a client will only send a certificate,
-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
-SSL_CTX_set_verify() function to enable the use of client certificates.
-
-
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-
-For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
-versions, uniqueIdentifier was incorrectly used for X.509 certificates.
-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
-Change your code to use the new name when compiling against OpenSSL 0.9.7.
-
-
-* I think I've detected a memory leak, is this a bug?
-
-In most cases the cause of an apparent memory leak is an OpenSSL internal table
-that is allocated when an application starts up. Since such tables do not grow
-in size over time they are harmless.
-
-These internal tables can be freed up when an application closes using various
-functions.  Currently these include following:
-
-Thread-local cleanup functions:
-
-  ERR_remove_state()
-
-Application-global cleanup functions that are aware of usage (and therefore
-thread-safe):
-
-  ENGINE_cleanup() and CONF_modules_unload()
-
-"Brutal" (thread-unsafe) Application-global cleanup functions:
-
-  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-
-
-* Why does Valgrind complain about the use of uninitialized data?
-
-When OpenSSL's PRNG routines are called to generate random numbers the supplied
-buffer contents are mixed into the entropy pool: so it technically does not
-matter whether the buffer is initialized at this point or not.  Valgrind (and
-other test tools) will complain about this. When using Valgrind, make sure the
-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
-to get rid of these warnings.
-
-
-* Why doesn't a memory BIO work when a file does?
-
-This can occur in several cases for example reading an S/MIME email message.
-The reason is that a memory BIO can do one of two things when all the data
-has been read from it.
-
-The default behaviour is to indicate that no more data is available and that
-the call should be retried, this is to allow the application to fill up the BIO
-again if necessary.
-
-Alternatively it can indicate that no more data is available and that EOF has
-been reached.
-
-If a memory BIO is to behave in the same way as a file this second behaviour
-is needed. This must be done by calling:
-
-   BIO_set_mem_eof_return(bio, 0);
-
-See the manual pages for more details.
-
-
-* Where are the declarations and implementations of d2i_X509() etc?
-
-These are defined and implemented by macros of the form:
-
-
- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
-
-The implementation passes an ASN1 "template" defining the structure into an
-ASN1 interpreter using generalised functions such as ASN1_item_d2i().
-
-* When debugging I observe SIGILL during OpenSSL initialization: why?
-
-OpenSSL adapts to processor it executes on and for this reason has to
-query its capabilities. Unfortunately on some processors the only way
-to achieve this for non-privileged code is to attempt instructions
-that can cause Illegal Instruction exceptions. The initialization
-procedure is coded to handle these exceptions to manipulate corresponding
-bits in capabilities vector. This normally appears transparent, except
-when you execute it under debugger, which stops prior delivering signal
-to handler. Simply resuming execution does the trick, but when debugging
-a lot it might feel counterproductive. Two options. Either set explicit
-capability environment variable in order to bypass the capability query
-(see corresponding crypto/*cap.c for details). Or configure debugger not
-to stop upon SIGILL exception, e.g. in gdb case add 'handle SIGILL nostop'
-to your .gdbinit.
-
-===============================================================================
+The FAQ is now maintained on the web:
+        https://www.openssl.org/docs/faq.html

From rsalz at openssl.org  Sun Aug 16 23:03:34 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:03:34 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439766214.718835.4139.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  40356e4914154fdcc02bce8943348148e20c4a0f (commit)
      from  3d23b2c255e194ebb9dabd198d263028b475d012 (commit)


- Log -----------------------------------------------------------------
commit 40356e4914154fdcc02bce8943348148e20c4a0f
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 18:38:24 2015 -0400

    Move FAQ to the web.
    
    Best hope of keeping current.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 4f46473a86c9e3741203b22d4d401a3763583494)

-----------------------------------------------------------------------

Summary of changes:
 FAQ | 1055 +------------------------------------------------------------------
 1 file changed, 2 insertions(+), 1053 deletions(-)

diff --git a/FAQ b/FAQ
index 3be8310..22c5cf7 100644
--- a/FAQ
+++ b/FAQ
@@ -1,1053 +1,2 @@
-OpenSSL  -  Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software? 
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1a was released on Apr 19th, 2012.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers.  Be sure to read the
-documentation of the application you want to use.  The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt.  It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
-   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
-   pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and 
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-* What happens when the letter release reaches z?
-
-It was decided after the release of OpenSSL 0.9.8y the next version should
-be 0.9.8za then 0.9.8zb and so on.
-
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-For information on intellectual property rights, please consult a lawyer.
-The OpenSSL team does not offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed."  If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly.  Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.)  Some broken applications do
-not do this.  As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness.  If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly.  OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details.  Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
-Most components of the openssl command line utility automatically try
-to seed the random number generator from a file.  The name of the
-default seeding file is determined as follows: If environment variable
-RANDFILE is set, then it names the seeding file.  Otherwise if
-environment variable HOME is set, then the seeding file is $HOME/.rnd.
-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
-use file .rnd in the current directory while OpenSSL 0.9.6a uses no
-default seeding file at all.  OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:\" for HOME on
-Windows systems if the environment variable has not been set.
-
-If the default seeding file does not exist or is too short, the "PRNG
-not seeded" error message may occur.
-
-The openssl command line utility will write back a new state to the
-default seeding file (and create this file if necessary) unless
-there was no sufficient seeding.
-
-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
-Use the "-rand" option of the OpenSSL command line tools instead.
-The $RANDFILE environment variable and $HOME/.rnd are only used by the
-OpenSSL command line tools. Applications using the OpenSSL library
-provide their own configuration options to specify the entropy source,
-please check out the documentation coming the with application.
-
-
-* Why do I get an "unable to write 'random state'" error message?
-
-
-Sometimes the openssl command line utility does not abort with
-a "PRNG not seeded" error message, but complains that it is
-"unable to write 'random state'".  This message refers to the
-default seeding file (see previous answer).  A possible reason
-is that no default filename is known because neither RANDFILE
-nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
-current directory in this case, but this has changed with 0.9.6a.)
-
-
-* How do I create certificates or certificate requests?
-
-Check out the CA.pl(1) manual page. This provides a simple wrapper round
-the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
-out the manual pages for the individual utilities and the certificate
-extensions documentation (in ca(1), req(1), x509v3_config(5) )
-
-
-* Why can't I create certificate requests?
-
-You typically get the error:
-
-	unable to find 'distinguished_name' in config
-	problems making Certificate Request
-
-This is because it can't find the configuration file. Check out the
-DIAGNOSTICS section of req(1) for more information.
-
-
-* Why does <SSL program> fail with a certificate verify error?
-
-This problem is usually indicated by log messages saying something like
-"unable to get local issuer certificate" or "self signed certificate".
-When a certificate is verified its root CA must be "trusted" by OpenSSL
-this typically means that the CA certificate must be placed in a directory
-or file and the relevant program configured to read it. The OpenSSL program
-'verify' behaves in a similar way and issues similar error messages: check
-the verify(1) program manual page for more information.
-
-
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-
-This is almost certainly because you are using an old "export grade" browser
-which only supports weak encryption. Upgrade your browser to support 128 bit
-ciphers.
-
-
-* How can I create DSA certificates?
-
-Check the CA.pl(1) manual page for a DSA certificate example.
-
-
-* Why can't I make an SSL connection to a server using a DSA certificate?
-
-Typically you'll see a message saying there are no shared ciphers when
-the same setup works fine with an RSA certificate. There are two possible
-causes. The client may not support connections to DSA servers most web
-browsers (including Netscape and MSIE) only support connections to servers
-supporting RSA cipher suites. The other cause is that a set of DH parameters
-has not been supplied to the server. DH parameters can be created with the
-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
-check the source to s_server in apps/s_server.c for an example.
-
-
-* How can I remove the passphrase on a private key?
-
-Firstly you should be really *really* sure you want to do this. Leaving
-a private key unencrypted is a major security risk. If you decide that
-you do have to do this check the EXAMPLES sections of the rsa(1) and
-dsa(1) manual pages.
-
-
-* Why can't I use OpenSSL certificates with SSL client authentication?
-
-What will typically happen is that when a server requests authentication
-it will either not include your certificate or tell you that you have
-no client certificates (Netscape) or present you with an empty list box
-(MSIE). The reason for this is that when a server requests a client
-certificate it includes a list of CAs names which it will accept. Browsers
-will only let you select certificates from the list on the grounds that
-there is little point presenting a certificate which the server will
-reject.
-
-The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server software in uses. You can
-print out the servers list of acceptable CAs using the OpenSSL s_client tool:
-
-openssl s_client -connect www.some.host:443 -prexit
-
-If your server only requests certificates on certain URLs then you may need
-to manually issue an HTTP GET command to get the list when s_client connects:
-
-GET /some/page/needing/a/certificate.html
-
-If your CA does not appear in the list then this confirms the problem.
-
-
-* Why does my browser give a warning about a mismatched hostname?
-
-Browsers expect the server's hostname to match the value in the commonName
-(CN) field of the certificate. If it does not then you get a warning.
-
-
-* How do I install a CA certificate into a browser?
-
-The usual way is to send the DER encoded certificate to the browser as
-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
-link. On MSIE certain extensions such as .der or .cacert may also work, or you
-can import the certificate using the certificate import wizard.
-
-You can convert a certificate to DER form using the command:
-
-openssl x509 -in ca.pem -outform DER -out ca.der
-
-Occasionally someone suggests using a command such as:
-
-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
-
-DO NOT DO THIS! This command will give away your CAs private key and
-reduces its security to zero: allowing anyone to forge certificates in
-whatever name they choose.
-
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-
-The ways to print out the oneline format of the DN (Distinguished Name) have
-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
-interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" commandline tool for details. The old behaviour
-has however been left as default for the sake of compatibility.
-
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-
-The term "128 bit certificate" is a highly misleading marketing term. It does
-*not* refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-
-Two slighly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
-
-
-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
-
-It doesn't: this extension is often the cause of confusion.
-
-Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
-certificate C contains AKID.
-
-The purpose of this extension is to identify the authority certificate B. This
-can be done either by including the subject key identifier of B or its issuer
-name and serial number.
-
-In this latter case because it is identifying certifcate B it must contain the
-issuer name and serial number of B.
-
-It is often wrongly assumed that it should contain the subject name of B. If it
-did this would be redundant information because it would duplicate the issuer
-name of C.
-
-
-* How can I set up a bundle of commercial root CA certificates?
-
-The OpenSSL software is shipped without any root CA certificate as the
-OpenSSL project does not have any policy on including or excluding
-any specific CA and does not intend to set up such a policy. Deciding
-about which CAs to support is up to application developers or
-administrators.
-
-Other projects do have other policies so you can for example extract the CA
-bundle used by Mozilla and/or modssl as described in this article:
-
-  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
-
-
-[BUILD] =======================================================================
-
-* Why does the linker complain about undefined symbols?
-
-Maybe the compilation was interrupted, and make doesn't notice that
-something is missing.  Run "make clean; make".
-
-If you used ./Configure instead of ./config, make sure that you
-selected the right target.  File formats may differ slightly between
-OS versions (for example sparcv8/sparcv9, or a.out/elf).
-
-In case you get errors about the following symbols, use the config
-option "no-asm", as described in INSTALL:
-
- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
-
-If none of these helps, you may want to try using the current snapshot.
-If the problem persists, please submit a bug report.
-
-
-* Why does the OpenSSL test fail with "bc: command not found"?
-
-You didn't install "bc", the Unix calculator.  If you want to run the
-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
-
-
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-
-On some SCO installations or versions, bc has a bug that gets triggered
-when you run the test suite (using "make test").  The message returned is
-"bc: 1 not implemented".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL test fail with "bc: stack empty"?
-
-On some DG/ux versions, bc seems to have a too small stack for calculations
-that the OpenSSL bntest throws at it.  This gets triggered when you run the
-test suite (using "make test").  The message returned is "bc: stack empty".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-
-On some Alpha installations running Tru64 Unix and Compaq C, the compilation
-of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
-memory to continue compilation.'  As far as the tests have shown, this may be
-a compiler bug.  What happens is that it eats up a lot of resident memory
-to build something, probably a table.  The problem is clearly in the
-optimization code, because if one eliminates optimization completely (-O0),
-the compilation goes through (and the compiler consumes about 2MB of resident
-memory instead of 240MB or whatever one's limit is currently).
-
-There are three options to solve this problem:
-
-1. set your current data segment size soft limit higher.  Experience shows
-that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
-kbytes to set the limit to.
-
-2. If you have a hard limit that is lower than what you need and you can't
-get it changed, you can compile all of OpenSSL with -O0 as optimization
-level.  This is however not a very nice thing to do for those who expect to
-get the best result from OpenSSL.  A bit more complicated solution is the
-following:
-
------ snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
-       sed -e 's/ -O[0-9] / -O0 /'`"
-  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
-  make
------ snip:end -----
-
-This will only compile sha_dgst.c with -O0, the rest with the optimization
-level chosen by the configuration process.  When the above is done, do the
-test and installation and you're set.
-
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
-should not be used and is not used in SSL/TLS nor any other recognized
-protocol in either case.
-
-
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-
-Getting this message is quite usual on Solaris 2, because Sun has hidden
-away 'ar' and other development commands in directories that aren't in
-$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
-quickest way to fix this is to do the following (it assumes you use sh
-or any sh-compatible shell):
-
------ snip:start -----
-  PATH=${PATH}:/usr/ccs/bin; export PATH
------ snip:end -----
-
-and then redo the compilation.  What you should really do is make sure
-'/usr/ccs/bin' is permanently in your $PATH, for example through your
-'.profile' (again, assuming you use a sh-compatible shell).
-
-
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-
-Sometimes, you may get reports from VC++ command line (cl) that it
-can't find standard include files like stdio.h and other weirdnesses.
-One possible cause is that the environment isn't correctly set up.
-To solve that problem for VC++ versions up to 6, one should run
-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-installation directory (somewhere under 'Program Files').  For VC++
-version 7 (and up?), which is also called VS.NET, the file is called
-VSVARS32.BAT instead.
-This needs to be done prior to running NMAKE, and the changes are only
-valid for the current DOS session.
-
-
-* What is special about OpenSSL on Redhat?
-
-Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and
-MDC2 in this version. The same may apply to other Linux distributions.
-Users may therefore wish to install more or all of the features left out.
-
-To do this you MUST ensure that you do not overwrite the openssl that is in
-/usr/bin on your Red Hat machine. Several packages depend on this file,
-including sendmail and ssh. /usr/local/bin is a good alternative choice. The
-libraries that come with Red Hat 7.0 onwards have different names and so are
-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
-/lib/libcrypto.so.2 respectively).
-
-Please note that we have been advised by Red Hat attempting to recompile the
-openssl rpm with all the cryptography enabled will not work. All other
-packages depend on the original Red Hat supplied openssl package. It is also
-worth noting that due to the way Red Hat supplies its packages, updates to
-openssl on each distribution never change the package version, only the
-build number. For example, on Red Hat 7.1, the latest openssl package has
-version number 0.9.6 and build number 9 even though it contains all the
-relevant updates in packages up to and including 0.9.6b.
-
-A possible way around this is to persuade Red Hat to produce a non-US
-version of Red Hat Linux.
-
-
-* Why does the OpenSSL compilation fail on MacOS X?
-
-If the failure happens when trying to build the "openssl" binary, with
-a large number of undefined symbols, it's very probable that you have
-OpenSSL 0.9.6b delivered with the operating system (you can find out by
-running '/usr/bin/openssl version') and that you were trying to build
-OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
-MacOS X has a misfeature that's quite difficult to go around.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-
-* Why does the OpenSSL test suite fail on MacOS X?
-
-If the failure happens when running 'make test' and the RC4 test fails,
-it's very probable that you have OpenSSL 0.9.6b delivered with the
-operating system (you can find out by running '/usr/bin/openssl version')
-and that you were trying to build OpenSSL 0.9.6d.  The problem is that
-the loader ('ld') in MacOS X has a misfeature that's quite difficult to
-go around and has linked the programs "openssl" and the test programs
-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
-libraries you just built.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-
-Failure in BN_sqr test is most likely caused by a failure to configure the
-toolkit for current platform or lack of support for the platform in question.
-Run './config -t' and './apps/openssl version -p'. Do these platform
-identifiers match? If they don't, then you most likely failed to run
-./config and you're hereby advised to do so before filing a bug report.
-If ./config itself fails to run, then it's most likely problem with your
-local environment and you should turn to your system administrator (or
-similar). If identifiers match (and/or no alternative identifier is
-suggested by ./config script), then the platform is unsupported. There might
-or might not be a workaround. Most notably on SPARC64 platforms with GNU
-C compiler you should be able to produce a working build by running
-'./config -m32'. I understand that -m32 might not be what you want/need,
-but the build should be operational. For further details turn to
-<openssl-dev at openssl.org>.
-
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-
-As of 0.9.7 assembler routines were overhauled for position independence
-of the machine code, which is essential for shared library support. For
-some reason OpenBSD is equipped with an out-of-date GNU assembler which
-finds the new code offensive. To work around the problem, configure with
-no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
-For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
-Reportedly elder *BSD a.out platforms also suffer from this problem and
-remedy should be same. Provided binary is statically linked and should be
-working across wider range of *BSD branches, not just OpenBSD.
-
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-
-If the test program in question fails withs SIGILL, Illegal Instruction
-exception, then you more than likely to run SSE2-capable CPU, such as
-Intel P4, under control of kernel which does not support SSE2
-instruction extentions. See accompanying INSTALL file and
-OPENSSL_ia32cap(3) documentation page for further information.
-
-* Why does compiler fail to compile sha512.c?
-
-OpenSSL SHA-512 implementation depends on compiler support for 64-bit
-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
-couple] lack support for this and therefore are incapable of compiling
-the module in question. The recommendation is to disable SHA-512 by
-adding no-sha512 to ./config [or ./Configure] command line. Another
-possible alternative might be to switch to GCC.
-
-* Test suite still fails, what to do?
-
-Another common reason for failure to complete some particular test is
-simply bad code generated by a buggy component in toolchain or deficiency
-in run-time environment. There are few cases documented in PROBLEMS file,
-consult it for possible workaround before you beat the drum. Even if you
-don't find solution or even mention there, do reserve for possibility of
-a compiler bug. Compiler bugs might appear in rather bizarre ways, they
-never make sense, and tend to emerge when you least expect them. In order
-to identify one, drop optimization level, e.g. by editing CFLAG line in
-top-level Makefile, recompile and re-run the test.
-
-* I think I've found a bug, what should I do?
-
-If you are a new user then it is quite likely you haven't found a bug and
-something is happening you aren't familiar with. Check this FAQ, the associated
-documentation and the mailing lists for similar queries. If you are still
-unsure whether it is a bug or not submit a query to the openssl-users mailing
-list.
-
-
-* I'm SURE I've found a bug, how do I report it?
-
-Bug reports with no security implications should be sent to the request
-tracker. This can be done by mailing the report to <rt at openssl.org> (or its
-alias <openssl-bugs at openssl.org>), please note that messages sent to the
-request tracker also appear in the public openssl-dev mailing list.
-
-The report should be in plain text. Any patches should be sent as
-plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patches apply
-cleanly and, if possible include patches to each affected version.
-
-The report should be given a meaningful subject line briefly summarising the
-issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
-
-By sending reports to the request tracker the bug can then be given a priority
-and assigned to the appropriate maintainer. The history of discussions can be
-accessed and if the issue has been addressed or a reason why not. If patches
-are only sent to openssl-dev they can be mislaid if a team member has to
-wade through months of old messages to review the discussion.
-
-See also <URL: http://www.openssl.org/support/rt.html>
-
-
-* I've found a security issue, how do I report it?
-
-If you think your bug has security implications then please send it to
-openssl-security at openssl.org if you don't get a prompt reply at least 
-acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve).
-
-Note that bugs only present in the openssl utility are not in general
-considered to be security issues. 
-
-[PROG] ========================================================================
-
-* Is OpenSSL thread-safe?
-
-Yes (with limitations: an SSL connection may not concurrently be used
-by multiple threads).  On Windows and many Unix systems, OpenSSL
-automatically uses the multi-threaded versions of the standard
-libraries.  If your platform is not one of these, consult the INSTALL
-file.
-
-Multi-threaded applications must provide two callback functions to
-OpenSSL by calling CRYPTO_set_locking_callback() and
-CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
-and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
-and friends. This is described in the threads(3) manpage.
-
-* I've compiled a program under Windows and it crashes: why?
-
-This is usually because you've missed the comment in INSTALL.W32.
-Your application must link against the same version of the Win32
-C-Runtime against which your openssl libraries were linked.  The
-default version for OpenSSL is /MD - "Multithreaded DLL".
-
-If you are using Microsoft Visual C++'s IDE (Visual Studio), in
-many cases, your new project most likely defaulted to "Debug
-Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
-program will crash, typically on the first BIO related read or write
-operation.
-
-For each of the six possible link stage configurations within Win32,
-your application must link  against the same by which OpenSSL was
-built.  If you are using MS Visual C++ (Studio) this can be changed
-by:
-
- 1. Select Settings... from the Project Menu.
- 2. Select the C/C++ Tab.
- 3. Select "Code Generation from the "Category" drop down list box
- 4. Select the Appropriate library (see table below) from the "Use
-    run-time library" drop down list box.  Perform this step for both
-    your debug and release versions of your application (look at the
-    top left of the settings panel to change between the two)
-
-    Single Threaded           /ML        -  MS VC++ often defaults to
-                                            this for the release
-                                            version of a new project.
-    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
-                                            this for the debug version
-                                            of a new project.
-    Multithreaded             /MT
-    Debug Multithreaded       /MTd
-    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
-    Debug Multithreaded DLL   /MDd
-
-Note that debug and release libraries are NOT interchangeable.  If you
-built OpenSSL with /MD your application must use /MD and cannot use /MDd.
-
-As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
-.DLLs compiled with some specific run-time option [we insist on the
-default /MD] can be deployed with application compiled with different
-option or even different compiler. But there is a catch! Instead of
-re-compiling OpenSSL toolkit, as you would have to with prior versions,
-you have to compile small C snippet with compiler and/or options of
-your choice. The snippet gets installed as
-<install-root>/include/openssl/applink.c and should be either added to
-your application project or simply #include-d in one [and only one]
-of your application source files. Failure to link this shim module
-into your application manifests itself as fatal "no OPENSSL_Applink"
-run-time error. An explicit reminder is due that in this situation
-[mixing compiler options] it is as important to add CRYPTO_malloc_init
-prior first call to OpenSSL.
-
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-
-You have two options. You can either use a memory BIO in conjunction
-with the i2d_*_bio() or d2i_*_bio() functions or you can use the
-i2d_*(), d2i_*() functions directly. Since these are often the
-cause of grief here are some code fragments using PKCS7 as an example:
-
- unsigned char *buf, *p;
- int len;
-
- len = i2d_PKCS7(p7, NULL);
- buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
- p = buf;
- i2d_PKCS7(p7, &p);
-
-At this point buf contains the len bytes of the DER encoding of
-p7.
-
-The opposite assumes we already have len bytes in buf:
-
- unsigned char *p;
- p = buf;
- p7 = d2i_PKCS7(NULL, &p, len);
-
-At this point p7 contains a valid PKCS7 structure or NULL if an error
-occurred. If an error occurred ERR_print_errors(bio) should give more
-information.
-
-The reason for the temporary variable 'p' is that the ASN1 functions
-increment the passed pointer so it is ready to read or write the next
-structure. This is often a cause of problems: without the temporary
-variable the buffer pointer is changed to point just after the data
-that has been read or written. This may well be uninitialized data
-and attempts to free the buffer will have unpredictable results
-because it no longer points to the same address.
-
-Memory allocation and encoding can also be combined in a single
-operation by the ASN1 routines:
-
- unsigned char *buf = NULL;	/* mandatory */
- int len;
- len = i2d_PKCS7(p7, &buf);
- if (len < 0)
-	/* Error */
- /* Do some things with 'buf' */
- /* Finished with buf: free it */
- OPENSSL_free(buf);
-
-In this special case the "buf" parameter is *not* incremented, it points
-to the start of the encoding.
-
-
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-
-The short answer is yes, because DER is a special case of BER and OpenSSL
-ASN1 decoders can process BER.
-
-The longer answer is that ASN1 structures can be encoded in a number of
-different ways. One set of ways is the Basic Encoding Rules (BER) with various
-permissible encodings. A restriction of BER is the Distinguished Encoding
-Rules (DER): these uniquely specify how a given structure is encoded.
-
-Therefore, because DER is a special case of BER, DER is an acceptable encoding
-for BER.
-
-
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-
-This usually happens when you try compiling something using the PKCS#12
-macros with a C++ compiler. There is hardly ever any need to use the
-PKCS#12 macros in a program, it is much easier to parse and create
-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
-documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out 
-debugging information.
-
-
-* I've called <some function> and it fails, why?
-
-Before submitting a report or asking in one of the mailing lists, you
-should try to determine the cause. In particular, you should call
-ERR_print_errors() or ERR_print_errors_fp() after the failed call
-and see if the message helps. Note that the problem may occur earlier
-than you think -- you should check for errors after every call where
-it is possible, otherwise the actual problem may be hidden because
-some OpenSSL functions clear the error state.
-
-
-* I just get a load of numbers for the error output, what do they mean?
-
-The actual format is described in the ERR_print_errors() manual page.
-You should call the function ERR_load_crypto_strings() before hand and
-the message will be output in text form. If you can't do this (for example
-it is a pre-compiled binary) you can use the errstr utility on the error
-code itself (the hex digits after the second colon).
-
-
-* Why do I get errors about unknown algorithms?
-
-The cause is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information. This
-can cause several problems such as being unable to read in an encrypted
-PEM file, unable to decrypt a PKCS#12 file or signature failure when
-verifying certificates.
-
-* Why can't the OpenSSH configure script detect OpenSSL?
-
-Several reasons for problems with the automatic detection exist.
-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
-Sometimes the distribution has installed an older version in the system
-locations that is detected instead of a new one installed. The OpenSSL
-library might have been compiled for another CPU or another mode (32/64 bits).
-Permissions might be wrong.
-
-The general answer is to check the config.log file generated when running
-the OpenSSH configure script. It should contain the detailed information
-on why the OpenSSL library was not detected or considered incompatible.
-
-
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-
-Yes; make sure to read the SSL_get_error(3) manual page!
-
-A pitfall to avoid: Don't assume that SSL_read() will just read from
-the underlying transport or that SSL_write() will just write to it --
-it is also possible that SSL_write() cannot do any useful work until
-there is data to read, or that SSL_read() cannot do anything until it
-is possible to send data.  One reason for this is that the peer may
-request a new TLS/SSL handshake at any time during the protocol,
-requiring a bi-directional message exchange; both SSL_read() and
-SSL_write() will try to continue any pending handshake.
-
-
-* Why doesn't my server application receive a client certificate?
-
-Due to the TLS protocol definition, a client will only send a certificate,
-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
-SSL_CTX_set_verify() function to enable the use of client certificates.
-
-
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-
-For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
-versions, uniqueIdentifier was incorrectly used for X.509 certificates.
-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
-Change your code to use the new name when compiling against OpenSSL 0.9.7.
-
-
-* I think I've detected a memory leak, is this a bug?
-
-In most cases the cause of an apparent memory leak is an OpenSSL internal table
-that is allocated when an application starts up. Since such tables do not grow
-in size over time they are harmless.
-
-These internal tables can be freed up when an application closes using various
-functions.  Currently these include following:
-
-Thread-local cleanup functions:
-
-  ERR_remove_state()
-
-Application-global cleanup functions that are aware of usage (and therefore
-thread-safe):
-
-  ENGINE_cleanup() and CONF_modules_unload()
-
-"Brutal" (thread-unsafe) Application-global cleanup functions:
-
-  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-
-
-* Why does Valgrind complain about the use of uninitialized data?
-
-When OpenSSL's PRNG routines are called to generate random numbers the supplied
-buffer contents are mixed into the entropy pool: so it technically does not
-matter whether the buffer is initialized at this point or not.  Valgrind (and
-other test tools) will complain about this. When using Valgrind, make sure the
-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
-to get rid of these warnings.
-
-
-* Why doesn't a memory BIO work when a file does?
-
-This can occur in several cases for example reading an S/MIME email message.
-The reason is that a memory BIO can do one of two things when all the data
-has been read from it.
-
-The default behaviour is to indicate that no more data is available and that
-the call should be retried, this is to allow the application to fill up the BIO
-again if necessary.
-
-Alternatively it can indicate that no more data is available and that EOF has
-been reached.
-
-If a memory BIO is to behave in the same way as a file this second behaviour
-is needed. This must be done by calling:
-
-   BIO_set_mem_eof_return(bio, 0);
-
-See the manual pages for more details.
-
-
-* Where are the declarations and implementations of d2i_X509() etc?
-
-These are defined and implemented by macros of the form:
-
-
- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
-
-The implementation passes an ASN1 "template" defining the structure into an
-ASN1 interpreter using generalised functions such as ASN1_item_d2i().
-
-
-===============================================================================
+The FAQ is now maintained on the web:
+        https://www.openssl.org/docs/faq.html

From rsalz at openssl.org  Sun Aug 16 23:04:07 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:04:07 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1439766247.723101.4400.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  98e75c0b699eb4a1b68ed3f1ab44ec0cc4a7555d (commit)
      from  2cf51451f3a94be3fdf7d281b122eb74d72a839e (commit)


- Log -----------------------------------------------------------------
commit 98e75c0b699eb4a1b68ed3f1ab44ec0cc4a7555d
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 18:38:24 2015 -0400

    Move FAQ to the web.
    
    Best hope of keeping current.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 4f46473a86c9e3741203b22d4d401a3763583494)

-----------------------------------------------------------------------

Summary of changes:
 FAQ | 1041 +------------------------------------------------------------------
 1 file changed, 2 insertions(+), 1039 deletions(-)

diff --git a/FAQ b/FAQ
index f8ea604..22c5cf7 100644
--- a/FAQ
+++ b/FAQ
@@ -1,1039 +1,2 @@
-OpenSSL  -  Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software? 
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1e was released on Feb 11th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers.  Be sure to read the
-documentation of the application you want to use.  The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt.  It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
-   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
-   pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and 
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-The patents section of the README file lists patents that may apply to
-you if you want to use OpenSSL.  For information on intellectual
-property rights, please consult a lawyer.  The OpenSSL team does not
-offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed."  If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly.  Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.)  Some broken applications do
-not do this.  As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness.  If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly.  OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details.  Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
-Most components of the openssl command line utility automatically try
-to seed the random number generator from a file.  The name of the
-default seeding file is determined as follows: If environment variable
-RANDFILE is set, then it names the seeding file.  Otherwise if
-environment variable HOME is set, then the seeding file is $HOME/.rnd.
-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
-use file .rnd in the current directory while OpenSSL 0.9.6a uses no
-default seeding file at all.  OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:\" for HOME on
-Windows systems if the environment variable has not been set.
-
-If the default seeding file does not exist or is too short, the "PRNG
-not seeded" error message may occur.
-
-The openssl command line utility will write back a new state to the
-default seeding file (and create this file if necessary) unless
-there was no sufficient seeding.
-
-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
-Use the "-rand" option of the OpenSSL command line tools instead.
-The $RANDFILE environment variable and $HOME/.rnd are only used by the
-OpenSSL command line tools. Applications using the OpenSSL library
-provide their own configuration options to specify the entropy source,
-please check out the documentation coming the with application.
-
-
-* Why do I get an "unable to write 'random state'" error message?
-
-
-Sometimes the openssl command line utility does not abort with
-a "PRNG not seeded" error message, but complains that it is
-"unable to write 'random state'".  This message refers to the
-default seeding file (see previous answer).  A possible reason
-is that no default filename is known because neither RANDFILE
-nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
-current directory in this case, but this has changed with 0.9.6a.)
-
-
-* How do I create certificates or certificate requests?
-
-Check out the CA.pl(1) manual page. This provides a simple wrapper round
-the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
-out the manual pages for the individual utilities and the certificate
-extensions documentation (in ca(1), req(1), x509v3_config(5) )
-
-
-* Why can't I create certificate requests?
-
-You typically get the error:
-
-	unable to find 'distinguished_name' in config
-	problems making Certificate Request
-
-This is because it can't find the configuration file. Check out the
-DIAGNOSTICS section of req(1) for more information.
-
-
-* Why does <SSL program> fail with a certificate verify error?
-
-This problem is usually indicated by log messages saying something like
-"unable to get local issuer certificate" or "self signed certificate".
-When a certificate is verified its root CA must be "trusted" by OpenSSL
-this typically means that the CA certificate must be placed in a directory
-or file and the relevant program configured to read it. The OpenSSL program
-'verify' behaves in a similar way and issues similar error messages: check
-the verify(1) program manual page for more information.
-
-
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-
-This is almost certainly because you are using an old "export grade" browser
-which only supports weak encryption. Upgrade your browser to support 128 bit
-ciphers.
-
-
-* How can I create DSA certificates?
-
-Check the CA.pl(1) manual page for a DSA certificate example.
-
-
-* Why can't I make an SSL connection to a server using a DSA certificate?
-
-Typically you'll see a message saying there are no shared ciphers when
-the same setup works fine with an RSA certificate. There are two possible
-causes. The client may not support connections to DSA servers most web
-browsers (including Netscape and MSIE) only support connections to servers
-supporting RSA cipher suites. The other cause is that a set of DH parameters
-has not been supplied to the server. DH parameters can be created with the
-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
-check the source to s_server in apps/s_server.c for an example.
-
-
-* How can I remove the passphrase on a private key?
-
-Firstly you should be really *really* sure you want to do this. Leaving
-a private key unencrypted is a major security risk. If you decide that
-you do have to do this check the EXAMPLES sections of the rsa(1) and
-dsa(1) manual pages.
-
-
-* Why can't I use OpenSSL certificates with SSL client authentication?
-
-What will typically happen is that when a server requests authentication
-it will either not include your certificate or tell you that you have
-no client certificates (Netscape) or present you with an empty list box
-(MSIE). The reason for this is that when a server requests a client
-certificate it includes a list of CAs names which it will accept. Browsers
-will only let you select certificates from the list on the grounds that
-there is little point presenting a certificate which the server will
-reject.
-
-The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server software in uses. You can
-print out the servers list of acceptable CAs using the OpenSSL s_client tool:
-
-openssl s_client -connect www.some.host:443 -prexit
-
-If your server only requests certificates on certain URLs then you may need
-to manually issue an HTTP GET command to get the list when s_client connects:
-
-GET /some/page/needing/a/certificate.html
-
-If your CA does not appear in the list then this confirms the problem.
-
-
-* Why does my browser give a warning about a mismatched hostname?
-
-Browsers expect the server's hostname to match the value in the commonName
-(CN) field of the certificate. If it does not then you get a warning.
-
-
-* How do I install a CA certificate into a browser?
-
-The usual way is to send the DER encoded certificate to the browser as
-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
-link. On MSIE certain extensions such as .der or .cacert may also work, or you
-can import the certificate using the certificate import wizard.
-
-You can convert a certificate to DER form using the command:
-
-openssl x509 -in ca.pem -outform DER -out ca.der
-
-Occasionally someone suggests using a command such as:
-
-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
-
-DO NOT DO THIS! This command will give away your CAs private key and
-reduces its security to zero: allowing anyone to forge certificates in
-whatever name they choose.
-
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-
-The ways to print out the oneline format of the DN (Distinguished Name) have
-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
-interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" commandline tool for details. The old behaviour
-has however been left as default for the sake of compatibility.
-
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-
-The term "128 bit certificate" is a highly misleading marketing term. It does
-*not* refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-
-Two slighly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
-
-
-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
-
-It doesn't: this extension is often the cause of confusion.
-
-Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
-certificate C contains AKID.
-
-The purpose of this extension is to identify the authority certificate B. This
-can be done either by including the subject key identifier of B or its issuer
-name and serial number.
-
-In this latter case because it is identifying certifcate B it must contain the
-issuer name and serial number of B.
-
-It is often wrongly assumed that it should contain the subject name of B. If it
-did this would be redundant information because it would duplicate the issuer
-name of C.
-
-
-* How can I set up a bundle of commercial root CA certificates?
-
-The OpenSSL software is shipped without any root CA certificate as the
-OpenSSL project does not have any policy on including or excluding
-any specific CA and does not intend to set up such a policy. Deciding
-about which CAs to support is up to application developers or
-administrators.
-
-Other projects do have other policies so you can for example extract the CA
-bundle used by Mozilla and/or modssl as described in this article:
-
-  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
-
-
-[BUILD] =======================================================================
-
-* Why does the linker complain about undefined symbols?
-
-Maybe the compilation was interrupted, and make doesn't notice that
-something is missing.  Run "make clean; make".
-
-If you used ./Configure instead of ./config, make sure that you
-selected the right target.  File formats may differ slightly between
-OS versions (for example sparcv8/sparcv9, or a.out/elf).
-
-In case you get errors about the following symbols, use the config
-option "no-asm", as described in INSTALL:
-
- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
-
-If none of these helps, you may want to try using the current snapshot.
-If the problem persists, please submit a bug report.
-
-
-* Why does the OpenSSL test fail with "bc: command not found"?
-
-You didn't install "bc", the Unix calculator.  If you want to run the
-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
-
-
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-
-On some SCO installations or versions, bc has a bug that gets triggered
-when you run the test suite (using "make test").  The message returned is
-"bc: 1 not implemented".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL test fail with "bc: stack empty"?
-
-On some DG/ux versions, bc seems to have a too small stack for calculations
-that the OpenSSL bntest throws at it.  This gets triggered when you run the
-test suite (using "make test").  The message returned is "bc: stack empty".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-
-On some Alpha installations running Tru64 Unix and Compaq C, the compilation
-of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
-memory to continue compilation.'  As far as the tests have shown, this may be
-a compiler bug.  What happens is that it eats up a lot of resident memory
-to build something, probably a table.  The problem is clearly in the
-optimization code, because if one eliminates optimization completely (-O0),
-the compilation goes through (and the compiler consumes about 2MB of resident
-memory instead of 240MB or whatever one's limit is currently).
-
-There are three options to solve this problem:
-
-1. set your current data segment size soft limit higher.  Experience shows
-that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
-kbytes to set the limit to.
-
-2. If you have a hard limit that is lower than what you need and you can't
-get it changed, you can compile all of OpenSSL with -O0 as optimization
-level.  This is however not a very nice thing to do for those who expect to
-get the best result from OpenSSL.  A bit more complicated solution is the
-following:
-
------ snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
-       sed -e 's/ -O[0-9] / -O0 /'`"
-  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
-  make
------ snip:end -----
-
-This will only compile sha_dgst.c with -O0, the rest with the optimization
-level chosen by the configuration process.  When the above is done, do the
-test and installation and you're set.
-
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
-should not be used and is not used in SSL/TLS nor any other recognized
-protocol in either case.
-
-
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-
-Getting this message is quite usual on Solaris 2, because Sun has hidden
-away 'ar' and other development commands in directories that aren't in
-$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
-quickest way to fix this is to do the following (it assumes you use sh
-or any sh-compatible shell):
-
------ snip:start -----
-  PATH=${PATH}:/usr/ccs/bin; export PATH
------ snip:end -----
-
-and then redo the compilation.  What you should really do is make sure
-'/usr/ccs/bin' is permanently in your $PATH, for example through your
-'.profile' (again, assuming you use a sh-compatible shell).
-
-
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-
-Sometimes, you may get reports from VC++ command line (cl) that it
-can't find standard include files like stdio.h and other weirdnesses.
-One possible cause is that the environment isn't correctly set up.
-To solve that problem for VC++ versions up to 6, one should run
-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-installation directory (somewhere under 'Program Files').  For VC++
-version 7 (and up?), which is also called VS.NET, the file is called
-VSVARS32.BAT instead.
-This needs to be done prior to running NMAKE, and the changes are only
-valid for the current DOS session.
-
-
-* What is special about OpenSSL on Redhat?
-
-Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
-is disabled in this version. The same may apply to other Linux distributions.
-Users may therefore wish to install more or all of the features left out.
-
-To do this you MUST ensure that you do not overwrite the openssl that is in
-/usr/bin on your Red Hat machine. Several packages depend on this file,
-including sendmail and ssh. /usr/local/bin is a good alternative choice. The
-libraries that come with Red Hat 7.0 onwards have different names and so are
-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
-/lib/libcrypto.so.2 respectively).
-
-Please note that we have been advised by Red Hat attempting to recompile the
-openssl rpm with all the cryptography enabled will not work. All other
-packages depend on the original Red Hat supplied openssl package. It is also
-worth noting that due to the way Red Hat supplies its packages, updates to
-openssl on each distribution never change the package version, only the
-build number. For example, on Red Hat 7.1, the latest openssl package has
-version number 0.9.6 and build number 9 even though it contains all the
-relevant updates in packages up to and including 0.9.6b.
-
-A possible way around this is to persuade Red Hat to produce a non-US
-version of Red Hat Linux.
-
-FYI: Patent numbers and expiry dates of US patents:
-MDC-2: 4,908,861 13/03/2007
-IDEA:  5,214,703 25/05/2010
-RC5:   5,724,428 03/03/2015
-
-
-* Why does the OpenSSL compilation fail on MacOS X?
-
-If the failure happens when trying to build the "openssl" binary, with
-a large number of undefined symbols, it's very probable that you have
-OpenSSL 0.9.6b delivered with the operating system (you can find out by
-running '/usr/bin/openssl version') and that you were trying to build
-OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
-MacOS X has a misfeature that's quite difficult to go around.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-
-* Why does the OpenSSL test suite fail on MacOS X?
-
-If the failure happens when running 'make test' and the RC4 test fails,
-it's very probable that you have OpenSSL 0.9.6b delivered with the
-operating system (you can find out by running '/usr/bin/openssl version')
-and that you were trying to build OpenSSL 0.9.6d.  The problem is that
-the loader ('ld') in MacOS X has a misfeature that's quite difficult to
-go around and has linked the programs "openssl" and the test programs
-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
-libraries you just built.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-
-Failure in BN_sqr test is most likely caused by a failure to configure the
-toolkit for current platform or lack of support for the platform in question.
-Run './config -t' and './apps/openssl version -p'. Do these platform
-identifiers match? If they don't, then you most likely failed to run
-./config and you're hereby advised to do so before filing a bug report.
-If ./config itself fails to run, then it's most likely problem with your
-local environment and you should turn to your system administrator (or
-similar). If identifiers match (and/or no alternative identifier is
-suggested by ./config script), then the platform is unsupported. There might
-or might not be a workaround. Most notably on SPARC64 platforms with GNU
-C compiler you should be able to produce a working build by running
-'./config -m32'. I understand that -m32 might not be what you want/need,
-but the build should be operational. For further details turn to
-<openssl-dev at openssl.org>.
-
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-
-As of 0.9.7 assembler routines were overhauled for position independence
-of the machine code, which is essential for shared library support. For
-some reason OpenBSD is equipped with an out-of-date GNU assembler which
-finds the new code offensive. To work around the problem, configure with
-no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
-For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
-Reportedly elder *BSD a.out platforms also suffer from this problem and
-remedy should be same. Provided binary is statically linked and should be
-working across wider range of *BSD branches, not just OpenBSD.
-
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-
-If the test program in question fails withs SIGILL, Illegal Instruction
-exception, then you more than likely to run SSE2-capable CPU, such as
-Intel P4, under control of kernel which does not support SSE2
-instruction extentions. See accompanying INSTALL file and
-OPENSSL_ia32cap(3) documentation page for further information.
-
-* Why does compiler fail to compile sha512.c?
-
-OpenSSL SHA-512 implementation depends on compiler support for 64-bit
-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
-couple] lack support for this and therefore are incapable of compiling
-the module in question. The recommendation is to disable SHA-512 by
-adding no-sha512 to ./config [or ./Configure] command line. Another
-possible alternative might be to switch to GCC.
-
-* Test suite still fails, what to do?
-
-Another common reason for failure to complete some particular test is
-simply bad code generated by a buggy component in toolchain or deficiency
-in run-time environment. There are few cases documented in PROBLEMS file,
-consult it for possible workaround before you beat the drum. Even if you
-don't find solution or even mention there, do reserve for possibility of
-a compiler bug. Compiler bugs might appear in rather bizarre ways, they
-never make sense, and tend to emerge when you least expect them. In order
-to identify one, drop optimization level, e.g. by editing CFLAG line in
-top-level Makefile, recompile and re-run the test.
-
-* I think I've found a bug, what should I do?
-
-If you are a new user then it is quite likely you haven't found a bug and
-something is happening you aren't familiar with. Check this FAQ, the associated
-documentation and the mailing lists for similar queries. If you are still
-unsure whether it is a bug or not submit a query to the openssl-users mailing
-list.
-
-
-* I'm SURE I've found a bug, how do I report it?
-
-Bug reports with no security implications should be sent to the request
-tracker. This can be done by mailing the report to <rt at openssl.org> (or its
-alias <openssl-bugs at openssl.org>), please note that messages sent to the
-request tracker also appear in the public openssl-dev mailing list.
-
-The report should be in plain text. Any patches should be sent as
-plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patches apply
-cleanly and, if possible include patches to each affected version.
-
-The report should be given a meaningful subject line briefly summarising the
-issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
-
-By sending reports to the request tracker the bug can then be given a priority
-and assigned to the appropriate maintainer. The history of discussions can be
-accessed and if the issue has been addressed or a reason why not. If patches
-are only sent to openssl-dev they can be mislaid if a team member has to
-wade through months of old messages to review the discussion.
-
-See also <URL: http://www.openssl.org/support/rt.html>
-
-
-* I've found a security issue, how do I report it?
-
-If you think your bug has security implications then please send it to
-openssl-security at openssl.org if you don't get a prompt reply at least 
-acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve).
-
-Note that bugs only present in the openssl utility are not in general
-considered to be security issues. 
-
-[PROG] ========================================================================
-
-* Is OpenSSL thread-safe?
-
-Yes (with limitations: an SSL connection may not concurrently be used
-by multiple threads).  On Windows and many Unix systems, OpenSSL
-automatically uses the multi-threaded versions of the standard
-libraries.  If your platform is not one of these, consult the INSTALL
-file.
-
-Multi-threaded applications must provide two callback functions to
-OpenSSL by calling CRYPTO_set_locking_callback() and
-CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
-and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
-and friends. This is described in the threads(3) manpage.
-
-* I've compiled a program under Windows and it crashes: why?
-
-This is usually because you've missed the comment in INSTALL.W32.
-Your application must link against the same version of the Win32
-C-Runtime against which your openssl libraries were linked.  The
-default version for OpenSSL is /MD - "Multithreaded DLL".
-
-If you are using Microsoft Visual C++'s IDE (Visual Studio), in
-many cases, your new project most likely defaulted to "Debug
-Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
-program will crash, typically on the first BIO related read or write
-operation.
-
-For each of the six possible link stage configurations within Win32,
-your application must link  against the same by which OpenSSL was
-built.  If you are using MS Visual C++ (Studio) this can be changed
-by:
-
- 1. Select Settings... from the Project Menu.
- 2. Select the C/C++ Tab.
- 3. Select "Code Generation from the "Category" drop down list box
- 4. Select the Appropriate library (see table below) from the "Use
-    run-time library" drop down list box.  Perform this step for both
-    your debug and release versions of your application (look at the
-    top left of the settings panel to change between the two)
-
-    Single Threaded           /ML        -  MS VC++ often defaults to
-                                            this for the release
-                                            version of a new project.
-    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
-                                            this for the debug version
-                                            of a new project.
-    Multithreaded             /MT
-    Debug Multithreaded       /MTd
-    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
-    Debug Multithreaded DLL   /MDd
-
-Note that debug and release libraries are NOT interchangeable.  If you
-built OpenSSL with /MD your application must use /MD and cannot use /MDd.
-
-As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
-.DLLs compiled with some specific run-time option [we insist on the
-default /MD] can be deployed with application compiled with different
-option or even different compiler. But there is a catch! Instead of
-re-compiling OpenSSL toolkit, as you would have to with prior versions,
-you have to compile small C snippet with compiler and/or options of
-your choice. The snippet gets installed as
-<install-root>/include/openssl/applink.c and should be either added to
-your application project or simply #include-d in one [and only one]
-of your application source files. Failure to link this shim module
-into your application manifests itself as fatal "no OPENSSL_Applink"
-run-time error. An explicit reminder is due that in this situation
-[mixing compiler options] it is as important to add CRYPTO_malloc_init
-prior first call to OpenSSL.
-
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-
-You have two options. You can either use a memory BIO in conjunction
-with the i2d_*_bio() or d2i_*_bio() functions or you can use the
-i2d_*(), d2i_*() functions directly. Since these are often the
-cause of grief here are some code fragments using PKCS7 as an example:
-
- unsigned char *buf, *p;
- int len;
-
- len = i2d_PKCS7(p7, NULL);
- buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
- p = buf;
- i2d_PKCS7(p7, &p);
-
-At this point buf contains the len bytes of the DER encoding of
-p7.
-
-The opposite assumes we already have len bytes in buf:
-
- unsigned char *p;
- p = buf;
- p7 = d2i_PKCS7(NULL, &p, len);
-
-At this point p7 contains a valid PKCS7 structure of NULL if an error
-occurred. If an error occurred ERR_print_errors(bio) should give more
-information.
-
-The reason for the temporary variable 'p' is that the ASN1 functions
-increment the passed pointer so it is ready to read or write the next
-structure. This is often a cause of problems: without the temporary
-variable the buffer pointer is changed to point just after the data
-that has been read or written. This may well be uninitialized data
-and attempts to free the buffer will have unpredictable results
-because it no longer points to the same address.
-
-
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-
-The short answer is yes, because DER is a special case of BER and OpenSSL
-ASN1 decoders can process BER.
-
-The longer answer is that ASN1 structures can be encoded in a number of
-different ways. One set of ways is the Basic Encoding Rules (BER) with various
-permissible encodings. A restriction of BER is the Distinguished Encoding
-Rules (DER): these uniquely specify how a given structure is encoded.
-
-Therefore, because DER is a special case of BER, DER is an acceptable encoding
-for BER.
-
-
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-
-This usually happens when you try compiling something using the PKCS#12
-macros with a C++ compiler. There is hardly ever any need to use the
-PKCS#12 macros in a program, it is much easier to parse and create
-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
-documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out 
-debugging information.
-
-
-* I've called <some function> and it fails, why?
-
-Before submitting a report or asking in one of the mailing lists, you
-should try to determine the cause. In particular, you should call
-ERR_print_errors() or ERR_print_errors_fp() after the failed call
-and see if the message helps. Note that the problem may occur earlier
-than you think -- you should check for errors after every call where
-it is possible, otherwise the actual problem may be hidden because
-some OpenSSL functions clear the error state.
-
-
-* I just get a load of numbers for the error output, what do they mean?
-
-The actual format is described in the ERR_print_errors() manual page.
-You should call the function ERR_load_crypto_strings() before hand and
-the message will be output in text form. If you can't do this (for example
-it is a pre-compiled binary) you can use the errstr utility on the error
-code itself (the hex digits after the second colon).
-
-
-* Why do I get errors about unknown algorithms?
-
-The cause is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information. This
-can cause several problems such as being unable to read in an encrypted
-PEM file, unable to decrypt a PKCS#12 file or signature failure when
-verifying certificates.
-
-* Why can't the OpenSSH configure script detect OpenSSL?
-
-Several reasons for problems with the automatic detection exist.
-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
-Sometimes the distribution has installed an older version in the system
-locations that is detected instead of a new one installed. The OpenSSL
-library might have been compiled for another CPU or another mode (32/64 bits).
-Permissions might be wrong.
-
-The general answer is to check the config.log file generated when running
-the OpenSSH configure script. It should contain the detailed information
-on why the OpenSSL library was not detected or considered incompatible.
-
-
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-
-Yes; make sure to read the SSL_get_error(3) manual page!
-
-A pitfall to avoid: Don't assume that SSL_read() will just read from
-the underlying transport or that SSL_write() will just write to it --
-it is also possible that SSL_write() cannot do any useful work until
-there is data to read, or that SSL_read() cannot do anything until it
-is possible to send data.  One reason for this is that the peer may
-request a new TLS/SSL handshake at any time during the protocol,
-requiring a bi-directional message exchange; both SSL_read() and
-SSL_write() will try to continue any pending handshake.
-
-
-* Why doesn't my server application receive a client certificate?
-
-Due to the TLS protocol definition, a client will only send a certificate,
-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
-SSL_CTX_set_verify() function to enable the use of client certificates.
-
-
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-
-For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
-versions, uniqueIdentifier was incorrectly used for X.509 certificates.
-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
-Change your code to use the new name when compiling against OpenSSL 0.9.7.
-
-
-* I think I've detected a memory leak, is this a bug?
-
-In most cases the cause of an apparent memory leak is an OpenSSL internal table
-that is allocated when an application starts up. Since such tables do not grow
-in size over time they are harmless.
-
-These internal tables can be freed up when an application closes using various
-functions.  Currently these include following:
-
-Thread-local cleanup functions:
-
-  ERR_remove_state()
-
-Application-global cleanup functions that are aware of usage (and therefore
-thread-safe):
-
-  ENGINE_cleanup() and CONF_modules_unload()
-
-"Brutal" (thread-unsafe) Application-global cleanup functions:
-
-  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-
-
-* Why does Valgrind complain about the use of uninitialized data?
-
-When OpenSSL's PRNG routines are called to generate random numbers the supplied
-buffer contents are mixed into the entropy pool: so it technically does not
-matter whether the buffer is initialized at this point or not.  Valgrind (and
-other test tools) will complain about this. When using Valgrind, make sure the
-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
-to get rid of these warnings.
-
-
-* Why doesn't a memory BIO work when a file does?
-
-This can occur in several cases for example reading an S/MIME email message.
-The reason is that a memory BIO can do one of two things when all the data
-has been read from it.
-
-The default behaviour is to indicate that no more data is available and that
-the call should be retried, this is to allow the application to fill up the BIO
-again if necessary.
-
-Alternatively it can indicate that no more data is available and that EOF has
-been reached.
-
-If a memory BIO is to behave in the same way as a file this second behaviour
-is needed. This must be done by calling:
-
-   BIO_set_mem_eof_return(bio, 0);
-
-See the manual pages for more details.
-
-
-* Where are the declarations and implementations of d2i_X509() etc?
-
-These are defined and implemented by macros of the form:
-
-
- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
-
-The implementation passes an ASN1 "template" defining the structure into an
-ASN1 interpreter using generalised functions such as ASN1_item_d2i().
-
-
-===============================================================================
+The FAQ is now maintained on the web:
+        https://www.openssl.org/docs/faq.html

From rsalz at openssl.org  Sun Aug 16 23:04:38 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:04:38 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_0-stable update
Message-ID: <1439766278.737444.4643.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_0-stable has been updated
       via  9604f87590f3f1925f895b1934846cb7c7dd5eba (commit)
      from  519bd5013446d511d8d55e6770d1cc2641238da3 (commit)


- Log -----------------------------------------------------------------
commit 9604f87590f3f1925f895b1934846cb7c7dd5eba
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 18:38:24 2015 -0400

    Move FAQ to the web.
    
    Best hope of keeping current.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 4f46473a86c9e3741203b22d4d401a3763583494)

-----------------------------------------------------------------------

Summary of changes:
 FAQ | 1041 +------------------------------------------------------------------
 1 file changed, 2 insertions(+), 1039 deletions(-)

diff --git a/FAQ b/FAQ
index 7336694..22c5cf7 100644
--- a/FAQ
+++ b/FAQ
@@ -1,1039 +1,2 @@
-OpenSSL  -  Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software? 
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1c was released on Feb 5th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers.  Be sure to read the
-documentation of the application you want to use.  The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt.  It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
-   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
-   pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and 
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-The patents section of the README file lists patents that may apply to
-you if you want to use OpenSSL.  For information on intellectual
-property rights, please consult a lawyer.  The OpenSSL team does not
-offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed."  If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly.  Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.)  Some broken applications do
-not do this.  As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness.  If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly.  OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details.  Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
-Most components of the openssl command line utility automatically try
-to seed the random number generator from a file.  The name of the
-default seeding file is determined as follows: If environment variable
-RANDFILE is set, then it names the seeding file.  Otherwise if
-environment variable HOME is set, then the seeding file is $HOME/.rnd.
-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
-use file .rnd in the current directory while OpenSSL 0.9.6a uses no
-default seeding file at all.  OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:\" for HOME on
-Windows systems if the environment variable has not been set.
-
-If the default seeding file does not exist or is too short, the "PRNG
-not seeded" error message may occur.
-
-The openssl command line utility will write back a new state to the
-default seeding file (and create this file if necessary) unless
-there was no sufficient seeding.
-
-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
-Use the "-rand" option of the OpenSSL command line tools instead.
-The $RANDFILE environment variable and $HOME/.rnd are only used by the
-OpenSSL command line tools. Applications using the OpenSSL library
-provide their own configuration options to specify the entropy source,
-please check out the documentation coming the with application.
-
-
-* Why do I get an "unable to write 'random state'" error message?
-
-
-Sometimes the openssl command line utility does not abort with
-a "PRNG not seeded" error message, but complains that it is
-"unable to write 'random state'".  This message refers to the
-default seeding file (see previous answer).  A possible reason
-is that no default filename is known because neither RANDFILE
-nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
-current directory in this case, but this has changed with 0.9.6a.)
-
-
-* How do I create certificates or certificate requests?
-
-Check out the CA.pl(1) manual page. This provides a simple wrapper round
-the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
-out the manual pages for the individual utilities and the certificate
-extensions documentation (in ca(1), req(1), x509v3_config(5) )
-
-
-* Why can't I create certificate requests?
-
-You typically get the error:
-
-	unable to find 'distinguished_name' in config
-	problems making Certificate Request
-
-This is because it can't find the configuration file. Check out the
-DIAGNOSTICS section of req(1) for more information.
-
-
-* Why does <SSL program> fail with a certificate verify error?
-
-This problem is usually indicated by log messages saying something like
-"unable to get local issuer certificate" or "self signed certificate".
-When a certificate is verified its root CA must be "trusted" by OpenSSL
-this typically means that the CA certificate must be placed in a directory
-or file and the relevant program configured to read it. The OpenSSL program
-'verify' behaves in a similar way and issues similar error messages: check
-the verify(1) program manual page for more information.
-
-
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-
-This is almost certainly because you are using an old "export grade" browser
-which only supports weak encryption. Upgrade your browser to support 128 bit
-ciphers.
-
-
-* How can I create DSA certificates?
-
-Check the CA.pl(1) manual page for a DSA certificate example.
-
-
-* Why can't I make an SSL connection to a server using a DSA certificate?
-
-Typically you'll see a message saying there are no shared ciphers when
-the same setup works fine with an RSA certificate. There are two possible
-causes. The client may not support connections to DSA servers most web
-browsers (including Netscape and MSIE) only support connections to servers
-supporting RSA cipher suites. The other cause is that a set of DH parameters
-has not been supplied to the server. DH parameters can be created with the
-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
-check the source to s_server in apps/s_server.c for an example.
-
-
-* How can I remove the passphrase on a private key?
-
-Firstly you should be really *really* sure you want to do this. Leaving
-a private key unencrypted is a major security risk. If you decide that
-you do have to do this check the EXAMPLES sections of the rsa(1) and
-dsa(1) manual pages.
-
-
-* Why can't I use OpenSSL certificates with SSL client authentication?
-
-What will typically happen is that when a server requests authentication
-it will either not include your certificate or tell you that you have
-no client certificates (Netscape) or present you with an empty list box
-(MSIE). The reason for this is that when a server requests a client
-certificate it includes a list of CAs names which it will accept. Browsers
-will only let you select certificates from the list on the grounds that
-there is little point presenting a certificate which the server will
-reject.
-
-The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server software in uses. You can
-print out the servers list of acceptable CAs using the OpenSSL s_client tool:
-
-openssl s_client -connect www.some.host:443 -prexit
-
-If your server only requests certificates on certain URLs then you may need
-to manually issue an HTTP GET command to get the list when s_client connects:
-
-GET /some/page/needing/a/certificate.html
-
-If your CA does not appear in the list then this confirms the problem.
-
-
-* Why does my browser give a warning about a mismatched hostname?
-
-Browsers expect the server's hostname to match the value in the commonName
-(CN) field of the certificate. If it does not then you get a warning.
-
-
-* How do I install a CA certificate into a browser?
-
-The usual way is to send the DER encoded certificate to the browser as
-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
-link. On MSIE certain extensions such as .der or .cacert may also work, or you
-can import the certificate using the certificate import wizard.
-
-You can convert a certificate to DER form using the command:
-
-openssl x509 -in ca.pem -outform DER -out ca.der
-
-Occasionally someone suggests using a command such as:
-
-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
-
-DO NOT DO THIS! This command will give away your CAs private key and
-reduces its security to zero: allowing anyone to forge certificates in
-whatever name they choose.
-
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-
-The ways to print out the oneline format of the DN (Distinguished Name) have
-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
-interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" commandline tool for details. The old behaviour
-has however been left as default for the sake of compatibility.
-
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-
-The term "128 bit certificate" is a highly misleading marketing term. It does
-*not* refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-
-Two slighly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
-
-
-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
-
-It doesn't: this extension is often the cause of confusion.
-
-Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
-certificate C contains AKID.
-
-The purpose of this extension is to identify the authority certificate B. This
-can be done either by including the subject key identifier of B or its issuer
-name and serial number.
-
-In this latter case because it is identifying certifcate B it must contain the
-issuer name and serial number of B.
-
-It is often wrongly assumed that it should contain the subject name of B. If it
-did this would be redundant information because it would duplicate the issuer
-name of C.
-
-
-* How can I set up a bundle of commercial root CA certificates?
-
-The OpenSSL software is shipped without any root CA certificate as the
-OpenSSL project does not have any policy on including or excluding
-any specific CA and does not intend to set up such a policy. Deciding
-about which CAs to support is up to application developers or
-administrators.
-
-Other projects do have other policies so you can for example extract the CA
-bundle used by Mozilla and/or modssl as described in this article:
-
-  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
-
-
-[BUILD] =======================================================================
-
-* Why does the linker complain about undefined symbols?
-
-Maybe the compilation was interrupted, and make doesn't notice that
-something is missing.  Run "make clean; make".
-
-If you used ./Configure instead of ./config, make sure that you
-selected the right target.  File formats may differ slightly between
-OS versions (for example sparcv8/sparcv9, or a.out/elf).
-
-In case you get errors about the following symbols, use the config
-option "no-asm", as described in INSTALL:
-
- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
-
-If none of these helps, you may want to try using the current snapshot.
-If the problem persists, please submit a bug report.
-
-
-* Why does the OpenSSL test fail with "bc: command not found"?
-
-You didn't install "bc", the Unix calculator.  If you want to run the
-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
-
-
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-
-On some SCO installations or versions, bc has a bug that gets triggered
-when you run the test suite (using "make test").  The message returned is
-"bc: 1 not implemented".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL test fail with "bc: stack empty"?
-
-On some DG/ux versions, bc seems to have a too small stack for calculations
-that the OpenSSL bntest throws at it.  This gets triggered when you run the
-test suite (using "make test").  The message returned is "bc: stack empty".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-
-On some Alpha installations running Tru64 Unix and Compaq C, the compilation
-of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
-memory to continue compilation.'  As far as the tests have shown, this may be
-a compiler bug.  What happens is that it eats up a lot of resident memory
-to build something, probably a table.  The problem is clearly in the
-optimization code, because if one eliminates optimization completely (-O0),
-the compilation goes through (and the compiler consumes about 2MB of resident
-memory instead of 240MB or whatever one's limit is currently).
-
-There are three options to solve this problem:
-
-1. set your current data segment size soft limit higher.  Experience shows
-that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
-kbytes to set the limit to.
-
-2. If you have a hard limit that is lower than what you need and you can't
-get it changed, you can compile all of OpenSSL with -O0 as optimization
-level.  This is however not a very nice thing to do for those who expect to
-get the best result from OpenSSL.  A bit more complicated solution is the
-following:
-
------ snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
-       sed -e 's/ -O[0-9] / -O0 /'`"
-  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
-  make
------ snip:end -----
-
-This will only compile sha_dgst.c with -O0, the rest with the optimization
-level chosen by the configuration process.  When the above is done, do the
-test and installation and you're set.
-
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
-should not be used and is not used in SSL/TLS nor any other recognized
-protocol in either case.
-
-
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-
-Getting this message is quite usual on Solaris 2, because Sun has hidden
-away 'ar' and other development commands in directories that aren't in
-$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
-quickest way to fix this is to do the following (it assumes you use sh
-or any sh-compatible shell):
-
------ snip:start -----
-  PATH=${PATH}:/usr/ccs/bin; export PATH
------ snip:end -----
-
-and then redo the compilation.  What you should really do is make sure
-'/usr/ccs/bin' is permanently in your $PATH, for example through your
-'.profile' (again, assuming you use a sh-compatible shell).
-
-
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-
-Sometimes, you may get reports from VC++ command line (cl) that it
-can't find standard include files like stdio.h and other weirdnesses.
-One possible cause is that the environment isn't correctly set up.
-To solve that problem for VC++ versions up to 6, one should run
-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-installation directory (somewhere under 'Program Files').  For VC++
-version 7 (and up?), which is also called VS.NET, the file is called
-VSVARS32.BAT instead.
-This needs to be done prior to running NMAKE, and the changes are only
-valid for the current DOS session.
-
-
-* What is special about OpenSSL on Redhat?
-
-Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
-is disabled in this version. The same may apply to other Linux distributions.
-Users may therefore wish to install more or all of the features left out.
-
-To do this you MUST ensure that you do not overwrite the openssl that is in
-/usr/bin on your Red Hat machine. Several packages depend on this file,
-including sendmail and ssh. /usr/local/bin is a good alternative choice. The
-libraries that come with Red Hat 7.0 onwards have different names and so are
-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
-/lib/libcrypto.so.2 respectively).
-
-Please note that we have been advised by Red Hat attempting to recompile the
-openssl rpm with all the cryptography enabled will not work. All other
-packages depend on the original Red Hat supplied openssl package. It is also
-worth noting that due to the way Red Hat supplies its packages, updates to
-openssl on each distribution never change the package version, only the
-build number. For example, on Red Hat 7.1, the latest openssl package has
-version number 0.9.6 and build number 9 even though it contains all the
-relevant updates in packages up to and including 0.9.6b.
-
-A possible way around this is to persuade Red Hat to produce a non-US
-version of Red Hat Linux.
-
-FYI: Patent numbers and expiry dates of US patents:
-MDC-2: 4,908,861 13/03/2007
-IDEA:  5,214,703 25/05/2010
-RC5:   5,724,428 03/03/2015
-
-
-* Why does the OpenSSL compilation fail on MacOS X?
-
-If the failure happens when trying to build the "openssl" binary, with
-a large number of undefined symbols, it's very probable that you have
-OpenSSL 0.9.6b delivered with the operating system (you can find out by
-running '/usr/bin/openssl version') and that you were trying to build
-OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
-MacOS X has a misfeature that's quite difficult to go around.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-
-* Why does the OpenSSL test suite fail on MacOS X?
-
-If the failure happens when running 'make test' and the RC4 test fails,
-it's very probable that you have OpenSSL 0.9.6b delivered with the
-operating system (you can find out by running '/usr/bin/openssl version')
-and that you were trying to build OpenSSL 0.9.6d.  The problem is that
-the loader ('ld') in MacOS X has a misfeature that's quite difficult to
-go around and has linked the programs "openssl" and the test programs
-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
-libraries you just built.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-
-Failure in BN_sqr test is most likely caused by a failure to configure the
-toolkit for current platform or lack of support for the platform in question.
-Run './config -t' and './apps/openssl version -p'. Do these platform
-identifiers match? If they don't, then you most likely failed to run
-./config and you're hereby advised to do so before filing a bug report.
-If ./config itself fails to run, then it's most likely problem with your
-local environment and you should turn to your system administrator (or
-similar). If identifiers match (and/or no alternative identifier is
-suggested by ./config script), then the platform is unsupported. There might
-or might not be a workaround. Most notably on SPARC64 platforms with GNU
-C compiler you should be able to produce a working build by running
-'./config -m32'. I understand that -m32 might not be what you want/need,
-but the build should be operational. For further details turn to
-<openssl-dev at openssl.org>.
-
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-
-As of 0.9.7 assembler routines were overhauled for position independence
-of the machine code, which is essential for shared library support. For
-some reason OpenBSD is equipped with an out-of-date GNU assembler which
-finds the new code offensive. To work around the problem, configure with
-no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
-For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
-Reportedly elder *BSD a.out platforms also suffer from this problem and
-remedy should be same. Provided binary is statically linked and should be
-working across wider range of *BSD branches, not just OpenBSD.
-
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-
-If the test program in question fails withs SIGILL, Illegal Instruction
-exception, then you more than likely to run SSE2-capable CPU, such as
-Intel P4, under control of kernel which does not support SSE2
-instruction extentions. See accompanying INSTALL file and
-OPENSSL_ia32cap(3) documentation page for further information.
-
-* Why does compiler fail to compile sha512.c?
-
-OpenSSL SHA-512 implementation depends on compiler support for 64-bit
-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
-couple] lack support for this and therefore are incapable of compiling
-the module in question. The recommendation is to disable SHA-512 by
-adding no-sha512 to ./config [or ./Configure] command line. Another
-possible alternative might be to switch to GCC.
-
-* Test suite still fails, what to do?
-
-Another common reason for failure to complete some particular test is
-simply bad code generated by a buggy component in toolchain or deficiency
-in run-time environment. There are few cases documented in PROBLEMS file,
-consult it for possible workaround before you beat the drum. Even if you
-don't find solution or even mention there, do reserve for possibility of
-a compiler bug. Compiler bugs might appear in rather bizarre ways, they
-never make sense, and tend to emerge when you least expect them. In order
-to identify one, drop optimization level, e.g. by editing CFLAG line in
-top-level Makefile, recompile and re-run the test.
-
-* I think I've found a bug, what should I do?
-
-If you are a new user then it is quite likely you haven't found a bug and
-something is happening you aren't familiar with. Check this FAQ, the associated
-documentation and the mailing lists for similar queries. If you are still
-unsure whether it is a bug or not submit a query to the openssl-users mailing
-list.
-
-
-* I'm SURE I've found a bug, how do I report it?
-
-Bug reports with no security implications should be sent to the request
-tracker. This can be done by mailing the report to <rt at openssl.org> (or its
-alias <openssl-bugs at openssl.org>), please note that messages sent to the
-request tracker also appear in the public openssl-dev mailing list.
-
-The report should be in plain text. Any patches should be sent as
-plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patches apply
-cleanly and, if possible include patches to each affected version.
-
-The report should be given a meaningful subject line briefly summarising the
-issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
-
-By sending reports to the request tracker the bug can then be given a priority
-and assigned to the appropriate maintainer. The history of discussions can be
-accessed and if the issue has been addressed or a reason why not. If patches
-are only sent to openssl-dev they can be mislaid if a team member has to
-wade through months of old messages to review the discussion.
-
-See also <URL: http://www.openssl.org/support/rt.html>
-
-
-* I've found a security issue, how do I report it?
-
-If you think your bug has security implications then please send it to
-openssl-security at openssl.org if you don't get a prompt reply at least 
-acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve).
-
-Note that bugs only present in the openssl utility are not in general
-considered to be security issues. 
-
-[PROG] ========================================================================
-
-* Is OpenSSL thread-safe?
-
-Yes (with limitations: an SSL connection may not concurrently be used
-by multiple threads).  On Windows and many Unix systems, OpenSSL
-automatically uses the multi-threaded versions of the standard
-libraries.  If your platform is not one of these, consult the INSTALL
-file.
-
-Multi-threaded applications must provide two callback functions to
-OpenSSL by calling CRYPTO_set_locking_callback() and
-CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
-and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
-and friends. This is described in the threads(3) manpage.
-
-* I've compiled a program under Windows and it crashes: why?
-
-This is usually because you've missed the comment in INSTALL.W32.
-Your application must link against the same version of the Win32
-C-Runtime against which your openssl libraries were linked.  The
-default version for OpenSSL is /MD - "Multithreaded DLL".
-
-If you are using Microsoft Visual C++'s IDE (Visual Studio), in
-many cases, your new project most likely defaulted to "Debug
-Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
-program will crash, typically on the first BIO related read or write
-operation.
-
-For each of the six possible link stage configurations within Win32,
-your application must link  against the same by which OpenSSL was
-built.  If you are using MS Visual C++ (Studio) this can be changed
-by:
-
- 1. Select Settings... from the Project Menu.
- 2. Select the C/C++ Tab.
- 3. Select "Code Generation from the "Category" drop down list box
- 4. Select the Appropriate library (see table below) from the "Use
-    run-time library" drop down list box.  Perform this step for both
-    your debug and release versions of your application (look at the
-    top left of the settings panel to change between the two)
-
-    Single Threaded           /ML        -  MS VC++ often defaults to
-                                            this for the release
-                                            version of a new project.
-    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
-                                            this for the debug version
-                                            of a new project.
-    Multithreaded             /MT
-    Debug Multithreaded       /MTd
-    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
-    Debug Multithreaded DLL   /MDd
-
-Note that debug and release libraries are NOT interchangeable.  If you
-built OpenSSL with /MD your application must use /MD and cannot use /MDd.
-
-As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
-.DLLs compiled with some specific run-time option [we insist on the
-default /MD] can be deployed with application compiled with different
-option or even different compiler. But there is a catch! Instead of
-re-compiling OpenSSL toolkit, as you would have to with prior versions,
-you have to compile small C snippet with compiler and/or options of
-your choice. The snippet gets installed as
-<install-root>/include/openssl/applink.c and should be either added to
-your application project or simply #include-d in one [and only one]
-of your application source files. Failure to link this shim module
-into your application manifests itself as fatal "no OPENSSL_Applink"
-run-time error. An explicit reminder is due that in this situation
-[mixing compiler options] it is as important to add CRYPTO_malloc_init
-prior first call to OpenSSL.
-
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-
-You have two options. You can either use a memory BIO in conjunction
-with the i2d_*_bio() or d2i_*_bio() functions or you can use the
-i2d_*(), d2i_*() functions directly. Since these are often the
-cause of grief here are some code fragments using PKCS7 as an example:
-
- unsigned char *buf, *p;
- int len;
-
- len = i2d_PKCS7(p7, NULL);
- buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
- p = buf;
- i2d_PKCS7(p7, &p);
-
-At this point buf contains the len bytes of the DER encoding of
-p7.
-
-The opposite assumes we already have len bytes in buf:
-
- unsigned char *p;
- p = buf;
- p7 = d2i_PKCS7(NULL, &p, len);
-
-At this point p7 contains a valid PKCS7 structure of NULL if an error
-occurred. If an error occurred ERR_print_errors(bio) should give more
-information.
-
-The reason for the temporary variable 'p' is that the ASN1 functions
-increment the passed pointer so it is ready to read or write the next
-structure. This is often a cause of problems: without the temporary
-variable the buffer pointer is changed to point just after the data
-that has been read or written. This may well be uninitialized data
-and attempts to free the buffer will have unpredictable results
-because it no longer points to the same address.
-
-
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-
-The short answer is yes, because DER is a special case of BER and OpenSSL
-ASN1 decoders can process BER.
-
-The longer answer is that ASN1 structures can be encoded in a number of
-different ways. One set of ways is the Basic Encoding Rules (BER) with various
-permissible encodings. A restriction of BER is the Distinguished Encoding
-Rules (DER): these uniquely specify how a given structure is encoded.
-
-Therefore, because DER is a special case of BER, DER is an acceptable encoding
-for BER.
-
-
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-
-This usually happens when you try compiling something using the PKCS#12
-macros with a C++ compiler. There is hardly ever any need to use the
-PKCS#12 macros in a program, it is much easier to parse and create
-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
-documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out 
-debugging information.
-
-
-* I've called <some function> and it fails, why?
-
-Before submitting a report or asking in one of the mailing lists, you
-should try to determine the cause. In particular, you should call
-ERR_print_errors() or ERR_print_errors_fp() after the failed call
-and see if the message helps. Note that the problem may occur earlier
-than you think -- you should check for errors after every call where
-it is possible, otherwise the actual problem may be hidden because
-some OpenSSL functions clear the error state.
-
-
-* I just get a load of numbers for the error output, what do they mean?
-
-The actual format is described in the ERR_print_errors() manual page.
-You should call the function ERR_load_crypto_strings() before hand and
-the message will be output in text form. If you can't do this (for example
-it is a pre-compiled binary) you can use the errstr utility on the error
-code itself (the hex digits after the second colon).
-
-
-* Why do I get errors about unknown algorithms?
-
-The cause is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information. This
-can cause several problems such as being unable to read in an encrypted
-PEM file, unable to decrypt a PKCS#12 file or signature failure when
-verifying certificates.
-
-* Why can't the OpenSSH configure script detect OpenSSL?
-
-Several reasons for problems with the automatic detection exist.
-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
-Sometimes the distribution has installed an older version in the system
-locations that is detected instead of a new one installed. The OpenSSL
-library might have been compiled for another CPU or another mode (32/64 bits).
-Permissions might be wrong.
-
-The general answer is to check the config.log file generated when running
-the OpenSSH configure script. It should contain the detailed information
-on why the OpenSSL library was not detected or considered incompatible.
-
-
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-
-Yes; make sure to read the SSL_get_error(3) manual page!
-
-A pitfall to avoid: Don't assume that SSL_read() will just read from
-the underlying transport or that SSL_write() will just write to it --
-it is also possible that SSL_write() cannot do any useful work until
-there is data to read, or that SSL_read() cannot do anything until it
-is possible to send data.  One reason for this is that the peer may
-request a new TLS/SSL handshake at any time during the protocol,
-requiring a bi-directional message exchange; both SSL_read() and
-SSL_write() will try to continue any pending handshake.
-
-
-* Why doesn't my server application receive a client certificate?
-
-Due to the TLS protocol definition, a client will only send a certificate,
-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
-SSL_CTX_set_verify() function to enable the use of client certificates.
-
-
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-
-For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
-versions, uniqueIdentifier was incorrectly used for X.509 certificates.
-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
-Change your code to use the new name when compiling against OpenSSL 0.9.7.
-
-
-* I think I've detected a memory leak, is this a bug?
-
-In most cases the cause of an apparent memory leak is an OpenSSL internal table
-that is allocated when an application starts up. Since such tables do not grow
-in size over time they are harmless.
-
-These internal tables can be freed up when an application closes using various
-functions.  Currently these include following:
-
-Thread-local cleanup functions:
-
-  ERR_remove_state()
-
-Application-global cleanup functions that are aware of usage (and therefore
-thread-safe):
-
-  ENGINE_cleanup() and CONF_modules_unload()
-
-"Brutal" (thread-unsafe) Application-global cleanup functions:
-
-  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-
-
-* Why does Valgrind complain about the use of uninitialized data?
-
-When OpenSSL's PRNG routines are called to generate random numbers the supplied
-buffer contents are mixed into the entropy pool: so it technically does not
-matter whether the buffer is initialized at this point or not.  Valgrind (and
-other test tools) will complain about this. When using Valgrind, make sure the
-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
-to get rid of these warnings.
-
-
-* Why doesn't a memory BIO work when a file does?
-
-This can occur in several cases for example reading an S/MIME email message.
-The reason is that a memory BIO can do one of two things when all the data
-has been read from it.
-
-The default behaviour is to indicate that no more data is available and that
-the call should be retried, this is to allow the application to fill up the BIO
-again if necessary.
-
-Alternatively it can indicate that no more data is available and that EOF has
-been reached.
-
-If a memory BIO is to behave in the same way as a file this second behaviour
-is needed. This must be done by calling:
-
-   BIO_set_mem_eof_return(bio, 0);
-
-See the manual pages for more details.
-
-
-* Where are the declarations and implementations of d2i_X509() etc?
-
-These are defined and implemented by macros of the form:
-
-
- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
-
-The implementation passes an ASN1 "template" defining the structure into an
-ASN1 interpreter using generalised functions such as ASN1_item_d2i().
-
-
-===============================================================================
+The FAQ is now maintained on the web:
+        https://www.openssl.org/docs/faq.html

From rsalz at openssl.org  Sun Aug 16 23:05:01 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:05:01 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_0_9_8-stable update
Message-ID: <1439766301.308148.4908.nullmailer@dev.openssl.org>

The branch OpenSSL_0_9_8-stable has been updated
       via  ab69c5a3795e09fa0d655ec696ba86ae70a362d7 (commit)
      from  a95168889f5e9fc67aa946b95510cb712761d841 (commit)


- Log -----------------------------------------------------------------
commit ab69c5a3795e09fa0d655ec696ba86ae70a362d7
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 18:38:24 2015 -0400

    Move FAQ to the web.
    
    Best hope of keeping current.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 4f46473a86c9e3741203b22d4d401a3763583494)

-----------------------------------------------------------------------

Summary of changes:
 FAQ | 1041 +------------------------------------------------------------------
 1 file changed, 2 insertions(+), 1039 deletions(-)

diff --git a/FAQ b/FAQ
index 7217250..22c5cf7 100644
--- a/FAQ
+++ b/FAQ
@@ -1,1039 +1,2 @@
-OpenSSL  -  Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software? 
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1d was released on Feb 5th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers.  Be sure to read the
-documentation of the application you want to use.  The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt.  It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
-   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
-   pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and 
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-The patents section of the README file lists patents that may apply to
-you if you want to use OpenSSL.  For information on intellectual
-property rights, please consult a lawyer.  The OpenSSL team does not
-offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed."  If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly.  Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.)  Some broken applications do
-not do this.  As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness.  If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly.  OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details.  Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
-Most components of the openssl command line utility automatically try
-to seed the random number generator from a file.  The name of the
-default seeding file is determined as follows: If environment variable
-RANDFILE is set, then it names the seeding file.  Otherwise if
-environment variable HOME is set, then the seeding file is $HOME/.rnd.
-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
-use file .rnd in the current directory while OpenSSL 0.9.6a uses no
-default seeding file at all.  OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:\" for HOME on
-Windows systems if the environment variable has not been set.
-
-If the default seeding file does not exist or is too short, the "PRNG
-not seeded" error message may occur.
-
-The openssl command line utility will write back a new state to the
-default seeding file (and create this file if necessary) unless
-there was no sufficient seeding.
-
-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
-Use the "-rand" option of the OpenSSL command line tools instead.
-The $RANDFILE environment variable and $HOME/.rnd are only used by the
-OpenSSL command line tools. Applications using the OpenSSL library
-provide their own configuration options to specify the entropy source,
-please check out the documentation coming the with application.
-
-
-* Why do I get an "unable to write 'random state'" error message?
-
-
-Sometimes the openssl command line utility does not abort with
-a "PRNG not seeded" error message, but complains that it is
-"unable to write 'random state'".  This message refers to the
-default seeding file (see previous answer).  A possible reason
-is that no default filename is known because neither RANDFILE
-nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
-current directory in this case, but this has changed with 0.9.6a.)
-
-
-* How do I create certificates or certificate requests?
-
-Check out the CA.pl(1) manual page. This provides a simple wrapper round
-the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
-out the manual pages for the individual utilities and the certificate
-extensions documentation (in ca(1), req(1), x509v3_config(5) )
-
-
-* Why can't I create certificate requests?
-
-You typically get the error:
-
-	unable to find 'distinguished_name' in config
-	problems making Certificate Request
-
-This is because it can't find the configuration file. Check out the
-DIAGNOSTICS section of req(1) for more information.
-
-
-* Why does <SSL program> fail with a certificate verify error?
-
-This problem is usually indicated by log messages saying something like
-"unable to get local issuer certificate" or "self signed certificate".
-When a certificate is verified its root CA must be "trusted" by OpenSSL
-this typically means that the CA certificate must be placed in a directory
-or file and the relevant program configured to read it. The OpenSSL program
-'verify' behaves in a similar way and issues similar error messages: check
-the verify(1) program manual page for more information.
-
-
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-
-This is almost certainly because you are using an old "export grade" browser
-which only supports weak encryption. Upgrade your browser to support 128 bit
-ciphers.
-
-
-* How can I create DSA certificates?
-
-Check the CA.pl(1) manual page for a DSA certificate example.
-
-
-* Why can't I make an SSL connection to a server using a DSA certificate?
-
-Typically you'll see a message saying there are no shared ciphers when
-the same setup works fine with an RSA certificate. There are two possible
-causes. The client may not support connections to DSA servers most web
-browsers (including Netscape and MSIE) only support connections to servers
-supporting RSA cipher suites. The other cause is that a set of DH parameters
-has not been supplied to the server. DH parameters can be created with the
-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
-check the source to s_server in apps/s_server.c for an example.
-
-
-* How can I remove the passphrase on a private key?
-
-Firstly you should be really *really* sure you want to do this. Leaving
-a private key unencrypted is a major security risk. If you decide that
-you do have to do this check the EXAMPLES sections of the rsa(1) and
-dsa(1) manual pages.
-
-
-* Why can't I use OpenSSL certificates with SSL client authentication?
-
-What will typically happen is that when a server requests authentication
-it will either not include your certificate or tell you that you have
-no client certificates (Netscape) or present you with an empty list box
-(MSIE). The reason for this is that when a server requests a client
-certificate it includes a list of CAs names which it will accept. Browsers
-will only let you select certificates from the list on the grounds that
-there is little point presenting a certificate which the server will
-reject.
-
-The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server software in uses. You can
-print out the servers list of acceptable CAs using the OpenSSL s_client tool:
-
-openssl s_client -connect www.some.host:443 -prexit
-
-If your server only requests certificates on certain URLs then you may need
-to manually issue an HTTP GET command to get the list when s_client connects:
-
-GET /some/page/needing/a/certificate.html
-
-If your CA does not appear in the list then this confirms the problem.
-
-
-* Why does my browser give a warning about a mismatched hostname?
-
-Browsers expect the server's hostname to match the value in the commonName
-(CN) field of the certificate. If it does not then you get a warning.
-
-
-* How do I install a CA certificate into a browser?
-
-The usual way is to send the DER encoded certificate to the browser as
-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
-link. On MSIE certain extensions such as .der or .cacert may also work, or you
-can import the certificate using the certificate import wizard.
-
-You can convert a certificate to DER form using the command:
-
-openssl x509 -in ca.pem -outform DER -out ca.der
-
-Occasionally someone suggests using a command such as:
-
-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
-
-DO NOT DO THIS! This command will give away your CAs private key and
-reduces its security to zero: allowing anyone to forge certificates in
-whatever name they choose.
-
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-
-The ways to print out the oneline format of the DN (Distinguished Name) have
-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
-interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" commandline tool for details. The old behaviour
-has however been left as default for the sake of compatibility.
-
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-
-The term "128 bit certificate" is a highly misleading marketing term. It does
-*not* refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-
-Two slighly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
-
-
-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
-
-It doesn't: this extension is often the cause of confusion.
-
-Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
-certificate C contains AKID.
-
-The purpose of this extension is to identify the authority certificate B. This
-can be done either by including the subject key identifier of B or its issuer
-name and serial number.
-
-In this latter case because it is identifying certifcate B it must contain the
-issuer name and serial number of B.
-
-It is often wrongly assumed that it should contain the subject name of B. If it
-did this would be redundant information because it would duplicate the issuer
-name of C.
-
-
-* How can I set up a bundle of commercial root CA certificates?
-
-The OpenSSL software is shipped without any root CA certificate as the
-OpenSSL project does not have any policy on including or excluding
-any specific CA and does not intend to set up such a policy. Deciding
-about which CAs to support is up to application developers or
-administrators.
-
-Other projects do have other policies so you can for example extract the CA
-bundle used by Mozilla and/or modssl as described in this article:
-
-  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
-
-
-[BUILD] =======================================================================
-
-* Why does the linker complain about undefined symbols?
-
-Maybe the compilation was interrupted, and make doesn't notice that
-something is missing.  Run "make clean; make".
-
-If you used ./Configure instead of ./config, make sure that you
-selected the right target.  File formats may differ slightly between
-OS versions (for example sparcv8/sparcv9, or a.out/elf).
-
-In case you get errors about the following symbols, use the config
-option "no-asm", as described in INSTALL:
-
- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
-
-If none of these helps, you may want to try using the current snapshot.
-If the problem persists, please submit a bug report.
-
-
-* Why does the OpenSSL test fail with "bc: command not found"?
-
-You didn't install "bc", the Unix calculator.  If you want to run the
-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
-
-
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-
-On some SCO installations or versions, bc has a bug that gets triggered
-when you run the test suite (using "make test").  The message returned is
-"bc: 1 not implemented".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL test fail with "bc: stack empty"?
-
-On some DG/ux versions, bc seems to have a too small stack for calculations
-that the OpenSSL bntest throws at it.  This gets triggered when you run the
-test suite (using "make test").  The message returned is "bc: stack empty".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-
-On some Alpha installations running Tru64 Unix and Compaq C, the compilation
-of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
-memory to continue compilation.'  As far as the tests have shown, this may be
-a compiler bug.  What happens is that it eats up a lot of resident memory
-to build something, probably a table.  The problem is clearly in the
-optimization code, because if one eliminates optimization completely (-O0),
-the compilation goes through (and the compiler consumes about 2MB of resident
-memory instead of 240MB or whatever one's limit is currently).
-
-There are three options to solve this problem:
-
-1. set your current data segment size soft limit higher.  Experience shows
-that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
-kbytes to set the limit to.
-
-2. If you have a hard limit that is lower than what you need and you can't
-get it changed, you can compile all of OpenSSL with -O0 as optimization
-level.  This is however not a very nice thing to do for those who expect to
-get the best result from OpenSSL.  A bit more complicated solution is the
-following:
-
------ snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
-       sed -e 's/ -O[0-9] / -O0 /'`"
-  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
-  make
------ snip:end -----
-
-This will only compile sha_dgst.c with -O0, the rest with the optimization
-level chosen by the configuration process.  When the above is done, do the
-test and installation and you're set.
-
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
-should not be used and is not used in SSL/TLS nor any other recognized
-protocol in either case.
-
-
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-
-Getting this message is quite usual on Solaris 2, because Sun has hidden
-away 'ar' and other development commands in directories that aren't in
-$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
-quickest way to fix this is to do the following (it assumes you use sh
-or any sh-compatible shell):
-
------ snip:start -----
-  PATH=${PATH}:/usr/ccs/bin; export PATH
------ snip:end -----
-
-and then redo the compilation.  What you should really do is make sure
-'/usr/ccs/bin' is permanently in your $PATH, for example through your
-'.profile' (again, assuming you use a sh-compatible shell).
-
-
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-
-Sometimes, you may get reports from VC++ command line (cl) that it
-can't find standard include files like stdio.h and other weirdnesses.
-One possible cause is that the environment isn't correctly set up.
-To solve that problem for VC++ versions up to 6, one should run
-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-installation directory (somewhere under 'Program Files').  For VC++
-version 7 (and up?), which is also called VS.NET, the file is called
-VSVARS32.BAT instead.
-This needs to be done prior to running NMAKE, and the changes are only
-valid for the current DOS session.
-
-
-* What is special about OpenSSL on Redhat?
-
-Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
-is disabled in this version. The same may apply to other Linux distributions.
-Users may therefore wish to install more or all of the features left out.
-
-To do this you MUST ensure that you do not overwrite the openssl that is in
-/usr/bin on your Red Hat machine. Several packages depend on this file,
-including sendmail and ssh. /usr/local/bin is a good alternative choice. The
-libraries that come with Red Hat 7.0 onwards have different names and so are
-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
-/lib/libcrypto.so.2 respectively).
-
-Please note that we have been advised by Red Hat attempting to recompile the
-openssl rpm with all the cryptography enabled will not work. All other
-packages depend on the original Red Hat supplied openssl package. It is also
-worth noting that due to the way Red Hat supplies its packages, updates to
-openssl on each distribution never change the package version, only the
-build number. For example, on Red Hat 7.1, the latest openssl package has
-version number 0.9.6 and build number 9 even though it contains all the
-relevant updates in packages up to and including 0.9.6b.
-
-A possible way around this is to persuade Red Hat to produce a non-US
-version of Red Hat Linux.
-
-FYI: Patent numbers and expiry dates of US patents:
-MDC-2: 4,908,861 13/03/2007
-IDEA:  5,214,703 25/05/2010
-RC5:   5,724,428 03/03/2015
-
-
-* Why does the OpenSSL compilation fail on MacOS X?
-
-If the failure happens when trying to build the "openssl" binary, with
-a large number of undefined symbols, it's very probable that you have
-OpenSSL 0.9.6b delivered with the operating system (you can find out by
-running '/usr/bin/openssl version') and that you were trying to build
-OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
-MacOS X has a misfeature that's quite difficult to go around.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-
-* Why does the OpenSSL test suite fail on MacOS X?
-
-If the failure happens when running 'make test' and the RC4 test fails,
-it's very probable that you have OpenSSL 0.9.6b delivered with the
-operating system (you can find out by running '/usr/bin/openssl version')
-and that you were trying to build OpenSSL 0.9.6d.  The problem is that
-the loader ('ld') in MacOS X has a misfeature that's quite difficult to
-go around and has linked the programs "openssl" and the test programs
-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
-libraries you just built.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-
-Failure in BN_sqr test is most likely caused by a failure to configure the
-toolkit for current platform or lack of support for the platform in question.
-Run './config -t' and './apps/openssl version -p'. Do these platform
-identifiers match? If they don't, then you most likely failed to run
-./config and you're hereby advised to do so before filing a bug report.
-If ./config itself fails to run, then it's most likely problem with your
-local environment and you should turn to your system administrator (or
-similar). If identifiers match (and/or no alternative identifier is
-suggested by ./config script), then the platform is unsupported. There might
-or might not be a workaround. Most notably on SPARC64 platforms with GNU
-C compiler you should be able to produce a working build by running
-'./config -m32'. I understand that -m32 might not be what you want/need,
-but the build should be operational. For further details turn to
-<openssl-dev at openssl.org>.
-
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-
-As of 0.9.7 assembler routines were overhauled for position independence
-of the machine code, which is essential for shared library support. For
-some reason OpenBSD is equipped with an out-of-date GNU assembler which
-finds the new code offensive. To work around the problem, configure with
-no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
-For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
-Reportedly elder *BSD a.out platforms also suffer from this problem and
-remedy should be same. Provided binary is statically linked and should be
-working across wider range of *BSD branches, not just OpenBSD.
-
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-
-If the test program in question fails withs SIGILL, Illegal Instruction
-exception, then you more than likely to run SSE2-capable CPU, such as
-Intel P4, under control of kernel which does not support SSE2
-instruction extentions. See accompanying INSTALL file and
-OPENSSL_ia32cap(3) documentation page for further information.
-
-* Why does compiler fail to compile sha512.c?
-
-OpenSSL SHA-512 implementation depends on compiler support for 64-bit
-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
-couple] lack support for this and therefore are incapable of compiling
-the module in question. The recommendation is to disable SHA-512 by
-adding no-sha512 to ./config [or ./Configure] command line. Another
-possible alternative might be to switch to GCC.
-
-* Test suite still fails, what to do?
-
-Another common reason for failure to complete some particular test is
-simply bad code generated by a buggy component in toolchain or deficiency
-in run-time environment. There are few cases documented in PROBLEMS file,
-consult it for possible workaround before you beat the drum. Even if you
-don't find solution or even mention there, do reserve for possibility of
-a compiler bug. Compiler bugs might appear in rather bizarre ways, they
-never make sense, and tend to emerge when you least expect them. In order
-to identify one, drop optimization level, e.g. by editing CFLAG line in
-top-level Makefile, recompile and re-run the test.
-
-* I think I've found a bug, what should I do?
-
-If you are a new user then it is quite likely you haven't found a bug and
-something is happening you aren't familiar with. Check this FAQ, the associated
-documentation and the mailing lists for similar queries. If you are still
-unsure whether it is a bug or not submit a query to the openssl-users mailing
-list.
-
-
-* I'm SURE I've found a bug, how do I report it?
-
-Bug reports with no security implications should be sent to the request
-tracker. This can be done by mailing the report to <rt at openssl.org> (or its
-alias <openssl-bugs at openssl.org>), please note that messages sent to the
-request tracker also appear in the public openssl-dev mailing list.
-
-The report should be in plain text. Any patches should be sent as
-plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patches apply
-cleanly and, if possible include patches to each affected version.
-
-The report should be given a meaningful subject line briefly summarising the
-issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
-
-By sending reports to the request tracker the bug can then be given a priority
-and assigned to the appropriate maintainer. The history of discussions can be
-accessed and if the issue has been addressed or a reason why not. If patches
-are only sent to openssl-dev they can be mislaid if a team member has to
-wade through months of old messages to review the discussion.
-
-See also <URL: http://www.openssl.org/support/rt.html>
-
-
-* I've found a security issue, how do I report it?
-
-If you think your bug has security implications then please send it to
-openssl-security at openssl.org if you don't get a prompt reply at least 
-acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve).
-
-Note that bugs only present in the openssl utility are not in general
-considered to be security issues. 
-
-[PROG] ========================================================================
-
-* Is OpenSSL thread-safe?
-
-Yes (with limitations: an SSL connection may not concurrently be used
-by multiple threads).  On Windows and many Unix systems, OpenSSL
-automatically uses the multi-threaded versions of the standard
-libraries.  If your platform is not one of these, consult the INSTALL
-file.
-
-Multi-threaded applications must provide two callback functions to
-OpenSSL by calling CRYPTO_set_locking_callback() and
-CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
-and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
-and friends. This is described in the threads(3) manpage.
-
-* I've compiled a program under Windows and it crashes: why?
-
-This is usually because you've missed the comment in INSTALL.W32.
-Your application must link against the same version of the Win32
-C-Runtime against which your openssl libraries were linked.  The
-default version for OpenSSL is /MD - "Multithreaded DLL".
-
-If you are using Microsoft Visual C++'s IDE (Visual Studio), in
-many cases, your new project most likely defaulted to "Debug
-Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
-program will crash, typically on the first BIO related read or write
-operation.
-
-For each of the six possible link stage configurations within Win32,
-your application must link  against the same by which OpenSSL was
-built.  If you are using MS Visual C++ (Studio) this can be changed
-by:
-
- 1. Select Settings... from the Project Menu.
- 2. Select the C/C++ Tab.
- 3. Select "Code Generation from the "Category" drop down list box
- 4. Select the Appropriate library (see table below) from the "Use
-    run-time library" drop down list box.  Perform this step for both
-    your debug and release versions of your application (look at the
-    top left of the settings panel to change between the two)
-
-    Single Threaded           /ML        -  MS VC++ often defaults to
-                                            this for the release
-                                            version of a new project.
-    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
-                                            this for the debug version
-                                            of a new project.
-    Multithreaded             /MT
-    Debug Multithreaded       /MTd
-    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
-    Debug Multithreaded DLL   /MDd
-
-Note that debug and release libraries are NOT interchangeable.  If you
-built OpenSSL with /MD your application must use /MD and cannot use /MDd.
-
-As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
-.DLLs compiled with some specific run-time option [we insist on the
-default /MD] can be deployed with application compiled with different
-option or even different compiler. But there is a catch! Instead of
-re-compiling OpenSSL toolkit, as you would have to with prior versions,
-you have to compile small C snippet with compiler and/or options of
-your choice. The snippet gets installed as
-<install-root>/include/openssl/applink.c and should be either added to
-your application project or simply #include-d in one [and only one]
-of your application source files. Failure to link this shim module
-into your application manifests itself as fatal "no OPENSSL_Applink"
-run-time error. An explicit reminder is due that in this situation
-[mixing compiler options] it is as important to add CRYPTO_malloc_init
-prior first call to OpenSSL.
-
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-
-You have two options. You can either use a memory BIO in conjunction
-with the i2d_*_bio() or d2i_*_bio() functions or you can use the
-i2d_*(), d2i_*() functions directly. Since these are often the
-cause of grief here are some code fragments using PKCS7 as an example:
-
- unsigned char *buf, *p;
- int len;
-
- len = i2d_PKCS7(p7, NULL);
- buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
- p = buf;
- i2d_PKCS7(p7, &p);
-
-At this point buf contains the len bytes of the DER encoding of
-p7.
-
-The opposite assumes we already have len bytes in buf:
-
- unsigned char *p;
- p = buf;
- p7 = d2i_PKCS7(NULL, &p, len);
-
-At this point p7 contains a valid PKCS7 structure of NULL if an error
-occurred. If an error occurred ERR_print_errors(bio) should give more
-information.
-
-The reason for the temporary variable 'p' is that the ASN1 functions
-increment the passed pointer so it is ready to read or write the next
-structure. This is often a cause of problems: without the temporary
-variable the buffer pointer is changed to point just after the data
-that has been read or written. This may well be uninitialized data
-and attempts to free the buffer will have unpredictable results
-because it no longer points to the same address.
-
-
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-
-The short answer is yes, because DER is a special case of BER and OpenSSL
-ASN1 decoders can process BER.
-
-The longer answer is that ASN1 structures can be encoded in a number of
-different ways. One set of ways is the Basic Encoding Rules (BER) with various
-permissible encodings. A restriction of BER is the Distinguished Encoding
-Rules (DER): these uniquely specify how a given structure is encoded.
-
-Therefore, because DER is a special case of BER, DER is an acceptable encoding
-for BER.
-
-
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-
-This usually happens when you try compiling something using the PKCS#12
-macros with a C++ compiler. There is hardly ever any need to use the
-PKCS#12 macros in a program, it is much easier to parse and create
-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
-documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out 
-debugging information.
-
-
-* I've called <some function> and it fails, why?
-
-Before submitting a report or asking in one of the mailing lists, you
-should try to determine the cause. In particular, you should call
-ERR_print_errors() or ERR_print_errors_fp() after the failed call
-and see if the message helps. Note that the problem may occur earlier
-than you think -- you should check for errors after every call where
-it is possible, otherwise the actual problem may be hidden because
-some OpenSSL functions clear the error state.
-
-
-* I just get a load of numbers for the error output, what do they mean?
-
-The actual format is described in the ERR_print_errors() manual page.
-You should call the function ERR_load_crypto_strings() before hand and
-the message will be output in text form. If you can't do this (for example
-it is a pre-compiled binary) you can use the errstr utility on the error
-code itself (the hex digits after the second colon).
-
-
-* Why do I get errors about unknown algorithms?
-
-The cause is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information. This
-can cause several problems such as being unable to read in an encrypted
-PEM file, unable to decrypt a PKCS#12 file or signature failure when
-verifying certificates.
-
-* Why can't the OpenSSH configure script detect OpenSSL?
-
-Several reasons for problems with the automatic detection exist.
-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
-Sometimes the distribution has installed an older version in the system
-locations that is detected instead of a new one installed. The OpenSSL
-library might have been compiled for another CPU or another mode (32/64 bits).
-Permissions might be wrong.
-
-The general answer is to check the config.log file generated when running
-the OpenSSH configure script. It should contain the detailed information
-on why the OpenSSL library was not detected or considered incompatible.
-
-
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-
-Yes; make sure to read the SSL_get_error(3) manual page!
-
-A pitfall to avoid: Don't assume that SSL_read() will just read from
-the underlying transport or that SSL_write() will just write to it --
-it is also possible that SSL_write() cannot do any useful work until
-there is data to read, or that SSL_read() cannot do anything until it
-is possible to send data.  One reason for this is that the peer may
-request a new TLS/SSL handshake at any time during the protocol,
-requiring a bi-directional message exchange; both SSL_read() and
-SSL_write() will try to continue any pending handshake.
-
-
-* Why doesn't my server application receive a client certificate?
-
-Due to the TLS protocol definition, a client will only send a certificate,
-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
-SSL_CTX_set_verify() function to enable the use of client certificates.
-
-
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-
-For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
-versions, uniqueIdentifier was incorrectly used for X.509 certificates.
-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
-Change your code to use the new name when compiling against OpenSSL 0.9.7.
-
-
-* I think I've detected a memory leak, is this a bug?
-
-In most cases the cause of an apparent memory leak is an OpenSSL internal table
-that is allocated when an application starts up. Since such tables do not grow
-in size over time they are harmless.
-
-These internal tables can be freed up when an application closes using various
-functions.  Currently these include following:
-
-Thread-local cleanup functions:
-
-  ERR_remove_state()
-
-Application-global cleanup functions that are aware of usage (and therefore
-thread-safe):
-
-  ENGINE_cleanup() and CONF_modules_unload()
-
-"Brutal" (thread-unsafe) Application-global cleanup functions:
-
-  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-
-
-* Why does Valgrind complain about the use of uninitialized data?
-
-When OpenSSL's PRNG routines are called to generate random numbers the supplied
-buffer contents are mixed into the entropy pool: so it technically does not
-matter whether the buffer is initialized at this point or not.  Valgrind (and
-other test tools) will complain about this. When using Valgrind, make sure the
-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
-to get rid of these warnings.
-
-
-* Why doesn't a memory BIO work when a file does?
-
-This can occur in several cases for example reading an S/MIME email message.
-The reason is that a memory BIO can do one of two things when all the data
-has been read from it.
-
-The default behaviour is to indicate that no more data is available and that
-the call should be retried, this is to allow the application to fill up the BIO
-again if necessary.
-
-Alternatively it can indicate that no more data is available and that EOF has
-been reached.
-
-If a memory BIO is to behave in the same way as a file this second behaviour
-is needed. This must be done by calling:
-
-   BIO_set_mem_eof_return(bio, 0);
-
-See the manual pages for more details.
-
-
-* Where are the declarations and implementations of d2i_X509() etc?
-
-These are defined and implemented by macros of the form:
-
-
- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
-
-The implementation passes an ASN1 "template" defining the structure into an
-ASN1 interpreter using generalised functions such as ASN1_item_d2i().
-
-
-===============================================================================
+The FAQ is now maintained on the web:
+        https://www.openssl.org/docs/faq.html

From rsalz at openssl.org  Sun Aug 16 23:36:19 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 16 Aug 2015 23:36:19 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439768179.980537.7937.nullmailer@dev.openssl.org>

The branch master has been updated
       via  1fe9edb17942f938e6035129ede62a5a27866bd3 (commit)
       via  0fe00acd768dbc5785677d0ef375bf4580a7f9d5 (commit)
      from  a845a6aabc995d32f3337666ac13f731d9a1bbaf (commit)


- Log -----------------------------------------------------------------
commit 1fe9edb17942f938e6035129ede62a5a27866bd3
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 19:36:03 2015 -0400

    Fix FAQ links for new website

commit 0fe00acd768dbc5785677d0ef375bf4580a7f9d5
Author: Viktor Szakats <vszakats at users.noreply.github.com>
Date:   Mon Aug 17 01:20:51 2015 +0200

    use https URLs where available
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>

-----------------------------------------------------------------------

Summary of changes:
 bin/vulnerabilities.xsl     |  2 +-
 community/binaries.html     |  4 ++--
 community/index.html        |  2 +-
 community/mailinglists.html | 22 +++++++++++-----------
 community/sidebar.inc       |  2 +-
 community/thanks.html       |  2 +-
 docs/faq.txt                | 20 ++++++++++----------
 docs/fips/privatelabel.html |  6 +++---
 docs/fipsvalidation.html    | 12 ++++++------
 inc/head.inc                |  2 +-
 news/secadv/20130205.txt    |  2 +-
 policies/codingstyle.txt    |  2 +-
 source/mirror.html          |  2 +-
 source/mirror.inc           | 31 -------------------------------
 support/acks.html           |  6 +++---
 support/donations-cn.html   |  2 +-
 16 files changed, 44 insertions(+), 75 deletions(-)
 delete mode 100644 source/mirror.inc

diff --git a/bin/vulnerabilities.xsl b/bin/vulnerabilities.xsl
index 83971a6..8c7b915 100644
--- a/bin/vulnerabilities.xsl
+++ b/bin/vulnerabilities.xsl
@@ -130,7 +130,7 @@
 	    The Common Vulnerabilities and Exposures project
 	    has assigned the name 
 	  </xsl:if>
-	  <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-{@name}">CVE-<xsl:value-of select="@name"/> </a>
+	  <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-{@name}">CVE-<xsl:value-of select="@name"/> </a>
 	  <xsl:if test="@description = 'full'">
 	    to this issue.
 	  </xsl:if>
diff --git a/community/binaries.html b/community/binaries.html
index 7774af5..0842413 100644
--- a/community/binaries.html
+++ b/community/binaries.html
@@ -29,7 +29,7 @@
 	      <dd>Works with MSVC++, Builder 3/4/5, and MinGW.  Comes in form
 	      of self-install executables.
 	      <a
-		href="http://www.slproweb.com/products/Win32OpenSSL.html">http://www.slproweb.com/products/Win32OpenSSL.html</a>
+		href="https://slproweb.com/products/Win32OpenSSL.html">https://slproweb.com/products/Win32OpenSSL.html</a>
 	      </dd>
 
 	      <dt>OpenSSL for Windows</dt>
@@ -37,7 +37,7 @@
 	      dependencies to the Microsoft Visual Studio Runtime DLLs, except
 	      for the system provided msvcrt.dll.
 	      <a
-		href="http://indy.fulgan.com/SSL/">http://indy.fulgan.com/SSL/</a>
+		href="https://indy.fulgan.com/SSL/">https://indy.fulgan.com/SSL/</a>
 	      </dd>
 
 	      <dt>OpenSSL for Solaris</dt>
diff --git a/community/index.html b/community/index.html
index 9129cf4..b15110e 100644
--- a/community/index.html
+++ b/community/index.html
@@ -43,7 +43,7 @@
 	    for information on how to report it.</p>
 
 	    <p>We have set up a request tracker at
-	    <a href="https://rt.openssl.org">http://rt.openssl.org</a>,
+	    <a href="https://rt.openssl.org">https://rt.openssl.org</a>,
 	    with read-only access using <em>guest</em> as the name
 	    and password.
 	    Requests can be viewed on-line by using the following URL,
diff --git a/community/mailinglists.html b/community/mailinglists.html
index 5ca5d4c..a9197e8 100644
--- a/community/mailinglists.html
+++ b/community/mailinglists.html
@@ -13,7 +13,7 @@
 	  <div class="entry-content">
 	    <p>
 	    Here is are the
-	    <a href="http://mta.openssl.org/">mailing lists</a> we run.
+	    <a href="https://mta.openssl.org/">mailing lists</a> we run.
 	    You must be a member of the list to post to it.
 	    </p>
 
@@ -54,31 +54,31 @@
 	      <tr><td>List</td><td>Archives</td></tr>
 	      <tr><td>openssl-announce</td><td>
 		  <a
-		    href="http://marc.info/?l=openssl-announce">http://marc.info/?l=openssl-announce</a><br>
+		    href="https://marc.info/?l=openssl-announce">https://marc.info/?l=openssl-announce</a><br>
 		  <a
-		    href="http://www.mail-archive.com/openssl-announce at openssl.org/">http://www.mail-archive.com/openssl-announce at openssl.org/</a>
+		    href="https://www.mail-archive.com/openssl-announce at openssl.org/">https://www.mail-archive.com/openssl-announce at openssl.org/</a>
 	      </td></tr>
 	      <tr><td>openssl-users</td><td>
 		  <a
-		    href="http://marc.info/?l=openssl-users">http://marc.info/?l=openssl-users</a><br>
+		    href="https://marc.info/?l=openssl-users">https://marc.info/?l=openssl-users</a><br>
 		  <a
-		    href="http://www.mail-archive.com/openssl-users at openssl.org/">http://www.mail-archive.com/openssl-users at openssl.org/</a><br>
+		    href="https://www.mail-archive.com/openssl-users at openssl.org/">https://www.mail-archive.com/openssl-users at openssl.org/</a><br>
 		  <a
-		    href="http://groups.google.com/groups?group=mailing.openssl.users">http://groups.google.com/groups?group=mailing.openssl.users</a><br>
+		    href="https://groups.google.com/groups?group=mailing.openssl.users">https://groups.google.com/groups?group=mailing.openssl.users</a><br>
 	      </td></tr>
 	      <tr><td>openssl-dev</td><td>
 		  <a
-		    href="http://marc.info/?l=openssl-dev">http://marc.info/?l=openssl-dev</a><br>
+		    href="https://marc.info/?l=openssl-dev">https://marc.info/?l=openssl-dev</a><br>
 		  <a
-		    href="http://www.mail-archive.com/openssl-dev at openssl.org/">http://www.mail-archive.com/openssl-dev at openssl.org/</a><br>
+		    href="https://www.mail-archive.com/openssl-dev at openssl.org/">https://www.mail-archive.com/openssl-dev at openssl.org/</a><br>
 		  <a
-		    href="http://groups.google.com/groups?group=mailing.openssl.dev">http://groups.google.com/groups?group=mailing.openssl.dev</a>
+		    href="https://groups.google.com/groups?group=mailing.openssl.dev">https://groups.google.com/groups?group=mailing.openssl.dev</a>
 	      </td></tr>
 	      <tr><td>openssl-commits</td><td>
 		  <a
-		    href="http://marc.info/?l=openssl-cvs">http://marc.info/?l=openssl-cvs</a>
+		    href="https://marc.info/?l=openssl-cvs">https://marc.info/?l=openssl-cvs</a>
 		  <a
-		    href="http://groups.google.com/groups?group=mailing.openssl.cvs">http://groups.google.com/groups?group=mailing.openssl.cvs</a>
+		    href="https://groups.google.com/groups?group=mailing.openssl.cvs">https://groups.google.com/groups?group=mailing.openssl.cvs</a>
 		</table>
 	      </div>
 	  <footer>
diff --git a/community/sidebar.inc b/community/sidebar.inc
index 7017277..f975066 100644
--- a/community/sidebar.inc
+++ b/community/sidebar.inc
@@ -16,7 +16,7 @@
           <a href="mailinglists.html">Mailing Lists</a>
       </li>
       <li>
-          <a href="http://wiki.openssl.org">Wiki</a>
+          <a href="https://wiki.openssl.org">Wiki</a>
       </li>
       <li>
           <a href="/blog">Blog</a>
diff --git a/community/thanks.html b/community/thanks.html
index 8433046..5e2ba3b 100644
--- a/community/thanks.html
+++ b/community/thanks.html
@@ -50,7 +50,7 @@
 
 	      <li>Thanks to the IT Support Group of the Department of
 	      Information Technology and Electrical Engineering at the
-	      <a href="http://www.ethz.ch/">Swiss Federal Institute of Technology Zurich</a>
+	      <a href="https://www.ethz.ch/">Swiss Federal Institute of Technology Zurich</a>
 	      (ETHZ) for providing the hardware and network resources
 	      from 1998 to 2002.
 	      </li>
diff --git a/docs/faq.txt b/docs/faq.txt
index 0ff792b..0197da3 100644
--- a/docs/faq.txt
+++ b/docs/faq.txt
@@ -84,7 +84,7 @@ OpenSSL  -  Frequently Asked Questions
 
 * Which is the current version of OpenSSL?
 
-The current version is available from <URL: http://www.openssl.org>.
+The current version is available from <URL: https://www.openssl.org>.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -107,7 +107,7 @@ libssl are given in the crypto(3) and ssl(3) manpages.
 The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
 different directory if you specified one as described in INSTALL).
 In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
+<URL: https://www.openssl.org/docs/>. Note that the online documents refer
 to the very latest development versions of OpenSSL and may include features
 not present in released versions. If in doubt refer to the documentation
 that came with the version of OpenSSL you are using. The pod format
@@ -127,13 +127,13 @@ help, but please note that it reflects the obsolete version SSLeay
 
 The README file describes how to submit bug reports and patches to
 OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
+<URL: https://www.openssl.org/community/mailinglists.html>.
 
 
 * Where can I get a compiled version of OpenSSL?
 
 You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/about/binaries.html> .
+<URL: https://www.openssl.org/community/binaries.html> .
 
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL
@@ -167,7 +167,7 @@ Use MD5 to check that a tarball from a mirror site is identical:
 
 You can check authenticity using pgp or gpg. You need the OpenSSL team
 member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
+list of keys at <URL: https://www.openssl.org/community/team.html>). Then
 just do:
 
    pgp TARBALL.asc
@@ -492,7 +492,7 @@ this increases the size of the default ClientHello message to more than
 255 bytes in length. Some software cannot handle this and hangs. For more
 details and workarounds see:
 
-  <URL: http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
+  <URL: https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
 
 
 [BUILD] =======================================================================
@@ -697,9 +697,9 @@ of the machine code, which is essential for shared library support. For
 some reason OpenBSD is equipped with an out-of-date GNU assembler which
 finds the new code offensive. To work around the problem, configure with
 no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
+according to <URL: https://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
 For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
+<URL: https://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
 Reportedly elder *BSD a.out platforms also suffer from this problem and
 remedy should be same. Provided binary is statically linked and should be
 working across wider range of *BSD branches, not just OpenBSD.
@@ -770,7 +770,7 @@ accessed and if the issue has been addressed or a reason why not. If patches
 are only sent to openssl-dev they can be mislaid if a team member has to
 wade through months of old messages to review the discussion.
 
-See also <URL: http://www.openssl.org/support/rt.html>
+See also <URL: https://www.openssl.org/community>
 
 
 * I've found a security issue, how do I report it?
@@ -780,7 +780,7 @@ openssl-security at openssl.org if you don't get a prompt reply at least
 acknowledging receipt then resend or mail it directly to one of the
 more active team members (e.g. Steve). If you wish to use PGP to send
 in a report please use one or more of the keys of the team members listed
-at <URL: http://www.openssl.org/about/>
+at <URL: https://www.openssl.org/community/team.html>
 
 Note that bugs only present in the openssl utility are not in general
 considered to be security issues. 
diff --git a/docs/fips/privatelabel.html b/docs/fips/privatelabel.html
index 00a9740..ab13f0b 100644
--- a/docs/fips/privatelabel.html
+++ b/docs/fips/privatelabel.html
@@ -24,7 +24,7 @@
 	    money required to pursue new validations. As of 2015 we are no
 	    longer performing any private label validations. The addition of
 	    new platforms to the existing #1747 or <a
-	      href="http://openssl.com/fips/ransom.html">comparable</a>
+	      href="https://openssl.com/fips/ransom.html">comparable</a>
 	    validations is still possible and those validation actions are still
 	    being performed.</p>
 
@@ -68,7 +68,7 @@
 
 	    <p>We will handle all interaction with the accredited testing lab
 	    and the <a
-	      href="http://csrc.nist.gov/groups/STM/cmvp/index.html">CMVP</a>.
+	      href="https://csrc.nist.gov/groups/STM/cmvp/index.html">CMVP</a>.
 	    You sign one contract with the OSF with half of the price due as a
 	    down payment and the remainder due only when your certificate is <a
 	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">posted</a>
@@ -120,7 +120,7 @@
 
 	    <hr>
 	    <p>Interested? Contact
-	    <a href="http://openssl.com/fips">OpenSSL Software Services</a>.
+	    <a href="https://openssl.com/fips">OpenSSL Software Services</a>.
 	    </p>
 
 	  </div>
diff --git a/docs/fipsvalidation.html b/docs/fipsvalidation.html
index 534c87b..f978210 100644
--- a/docs/fipsvalidation.html
+++ b/docs/fipsvalidation.html
@@ -27,7 +27,7 @@
 	    Due to new requirements introduced in 2013 the current v2.0 Module
 	    is no longer suitable as a reference for private label
 	    validations; see the <a
-	    href="http://www.openssl.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
+	    href="https://www.openssl.com/fips/ig95.html">I.G. 9.5 FAQ</a>.
 	    Due to earlier changes in the FIPS 140-2 validation requirements
 	    the v1.2 Module is no longer be a suitable model for private label
 	    validations in its current form past the year 2010; see the NIST <a
@@ -63,12 +63,12 @@
 
 	    <hr>
 	    <img src="/img/pkware-logo-med.jpg">
-	    <a href="http://www.pkware.com/">PKWARE, Inc.</a>, platform sponsor
+	    <a href="https://www.pkware.com/">PKWARE, Inc.</a>, platform sponsor
 	    (HPUX 11i on Itanium 32, 64 bit with asm optimisation)
 
 	    <hr>
             <img src="/img/cerberus-logo-med.jpg">
-	    <a href="http://www.cerberusftp.com/">Cerberus, LLC</a>, general sponsor
+	    <a href="https://www.cerberusftp.com/">Cerberus, LLC</a>, general sponsor
 	    <hr>
 	    <img src="/img/DHS-logo-med.jpg">
 	    <a href="http://www.cyber.st.dhs.gov/host.html">DHS Science and Technology Directorate-sponsored Homeland Open Security Technology (HOST) program</a>,
@@ -76,7 +76,7 @@
 
 	    <hr>
 	    <img src="/img/innominate-logo-med.jpg">
-	    <a href="http://www.innominate.com/">Innominate Security Technologies AG</a>,
+	    <a href="https://www.innominate.com/">Innominate Security Technologies AG</a>,
 	    platform sponsor (Linux on Freescale MPC8313)
 
 	    <hr>
@@ -86,14 +86,14 @@
 
 	    <hr>
 	    <img src="/img/citrix-logo-med.jpg">
-	    <a href="http://www.citrix.com/">Citrix Systems, Inc.</a>,
+	    <a href="https://www.citrix.com/">Citrix Systems, Inc.</a>,
 	    platform sponsor (multiple platforms)
 
 	    <hr>
 
 	    <p>If you have an interest in sponsoring any changes or additions
 	    to this validation please contact <a
-	      href="http://openssl.com/fips">OpenSSL Validation Services</a>.</p>
+	      href="https://openssl.com/fips">OpenSSL Validation Services</a>.</p>
 	    <p>Some commercial software vendors ask us "what do we gain from
 	    sponsoring a validation that our competition can also use?".  Our
 	    answer is "nothing, if you think in terms of obstructing your
diff --git a/inc/head.inc b/inc/head.inc
index 9367a7f..e13a700 100644
--- a/inc/head.inc
+++ b/inc/head.inc
@@ -20,6 +20,6 @@
   <link href="//fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
 
   <!--[if lt IE 9]>
-    <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
+    <script src="https://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
   <![endif]-->
 <!-- end -->
diff --git a/news/secadv/20130205.txt b/news/secadv/20130205.txt
index e7a46ae..4d4a610 100644
--- a/news/secadv/20130205.txt
+++ b/news/secadv/20130205.txt
@@ -59,5 +59,5 @@ References
 URL for this Security Advisory:
 http://www.openssl.org/news/secadv_20130204.txt
 Wikipedia AES-NI description:
-http://en.wikipedia.org/wiki/AES-NI
+https://en.wikipedia.org/wiki/AES-NI
 
diff --git a/policies/codingstyle.txt b/policies/codingstyle.txt
index 1b22575..ada3cbc 100644
--- a/policies/codingstyle.txt
+++ b/policies/codingstyle.txt
@@ -569,7 +569,7 @@ ISBN 0-201-61586-X.
 URL: http://cm.bell-labs.com/cm/cs/tpop/
 
 GNU manuals - where in compliance with K&R and this text - for cpp, gcc,
-gcc internals and indent, all available from http://www.gnu.org/manual/
+gcc internals and indent, all available from https://www.gnu.org/manual/
 
 WG14 is the international standardization working group for the programming
 language C, URL: http://www.open-std.org/JTC1/SC22/WG14/
diff --git a/source/mirror.html b/source/mirror.html
index 58e282b..04680d5 100644
--- a/source/mirror.html
+++ b/source/mirror.html
@@ -45,7 +45,7 @@
 	      <tr><td>CA</td><td><a
 		    href="http://openssl.skazkaforyou.com/">http://openssl.skazkaforyou.com/</a></td></tr>
 	      <tr><td>CA</td><td><a
-		    href="http://openssl.raffsoftware.com/">http://openssl.raffsoftware.com/</a></td></tr>
+		    href="https://openssl.raffsoftware.com/">https://openssl.raffsoftware.com/</a></td></tr>
 	      <tr><td>DE</td><td><a
 		    href="http://artfiles.org/openssl.org/">http://artfiles.org/openssl.org/</a></td></tr>
 
diff --git a/source/mirror.inc b/source/mirror.inc
deleted file mode 100644
index 4e8c7bf..0000000
--- a/source/mirror.inc
+++ /dev/null
@@ -1,31 +0,0 @@
-
-<ul type=square>
-<define-tag mirror>
-<preserve url>
-<preserve loc>
-<set-var %attributes>
-<li><a href="<get-var url>" rel="nofollow"><get-var url></a>
-    &nbsp;&nbsp;[<get-var loc>]
-<restore loc>
-<restore url>
-</define-tag>
-
-<mirror url="ftp://ftp.openssl.org/source/" loc="DE"> 
-<mirror url="ftp://mirror.switch.ch/mirror/openssl/" loc="CH">
-<mirror url="http://mirror.switch.ch/ftp/mirror/openssl/" loc="CH">
-<mirror url="ftp://ftp.pca.dfn.de/pub/tools/net/openssl/" loc="DE">
-<mirror url="ftp://sunsite.uio.no/pub/security/openssl/" loc="NO">
-<mirror url="ftp://ftp.sunet.se/pub/security/tools/net/openssl/" loc="SE">
-<mirror url="ftp://gd.tuwien.ac.at/infosys/security/openssl/" loc="AT">
-<mirror url="ftp://ftp.kfki.hu/pub/packages/security/openssl/" loc="HU">
-<mirror url="ftp://guest.kuria.katowice.pl/pub/openssl/" loc="PL">
-<mirror url="ftp://ftp.fi.muni.cz/pub/openssl/" loc="CZ">
-<mirror url="ftp://ftp.linux.hr/pub/openssl/" loc="HR">
-<mirror url="http://openssl.initrd.net/" loc="DE">
-<mirror url="rsync://ftp.tpnet.pl/pub/security/openssl/" loc="PL">
-<mirror url="http://openssl.skazkaforyou.com/" loc="CA">
-<mirror url="http://openssl.raffsoftware.com/" loc="CA">
-<mirror url="http://artfiles.org/openssl.org/" loc="DE"> 
-
-</ul>
-
diff --git a/support/acks.html b/support/acks.html
index 1368ee1..d8eb88e 100644
--- a/support/acks.html
+++ b/support/acks.html
@@ -36,7 +36,7 @@
 	  planning:</p>
 	  <a href="http://company.nokia.com/en"><img src="/img/nokia-logo-med.jpg"></a>
 	  <a href="http://www.huawei.com/"><img src="/img/huawei-logo-med.jpg"></a>
-	  <a href="http://www.oracle.com/"><img src="/img/oracle-logo-med.jpg"></a>
+	  <a href="https://www.oracle.com/"><img src="/img/oracle-logo-med.jpg"></a>
 
 	  <hr noshade size=1>
 	  <p>Major sustaining support:</p>
@@ -45,7 +45,7 @@
 	  <hr noshade size=1>
 	  <p>Major support:</p>
 	  <a href="https://www.globalsign.com/"><img src="/img/globalsign-logo-med.jpg"></a>
-	  <a href="http://www.qualys.com/"><img src="/img/qualsys-logo-med.jpg"></a>
+	  <a href="https://www.qualys.com/"><img src="/img/qualsys-logo-med.jpg"></a>
 
 	  <hr noshade size=1>
 	  <p>Very significant support:</p>
@@ -53,7 +53,7 @@
 
 	  <hr noshade size=1>
 	  <p>Significant support:</p>
-	  <a href="http://www.psw.net/"><img src="/img/psw-logo.gif" alt="SSL-Zertifikate"></a>
+	  <a href="https://www.psw.net/"><img src="/img/psw-logo.gif" alt="SSL-Zertifikate"></a>
 	  <a href="https://miltonsecurity.com/"><img src="/img/milton-logo-med.jpg" alt="Milton Security"></a>
 	  <a href="http://acano.com/"><img src="/img/acano-logo.jpg"></a>
 
diff --git a/support/donations-cn.html b/support/donations-cn.html
index 48b9c69..eefe8a9 100644
--- a/support/donations-cn.html
+++ b/support/donations-cn.html
@@ -45,7 +45,7 @@ Paypal??
 2. ??????????Paypal??????????????????Paypal??????????????????????????????????????? ?paypal at opensslfoundation.org??????????????????? 
 <br>
 3. ???Paypal???????????
-<a href="http://openssl.org/support/donations.html">
+<a href="https://openssl.org/support/donations.html">
 ?????
 </a>
 ??????2????????

From rsalz at openssl.org  Mon Aug 17 01:09:00 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 01:09:00 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439773740.175788.15388.nullmailer@dev.openssl.org>

The branch master has been updated
       via  eb647452eb73be491521980f45582c63f7194521 (commit)
      from  4f46473a86c9e3741203b22d4d401a3763583494 (commit)


- Log -----------------------------------------------------------------
commit eb647452eb73be491521980f45582c63f7194521
Author: Rich Salz <rsalz at openssl.org>
Date:   Sun Aug 16 21:08:25 2015 -0400

    GH345: Remove stderr output
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/app_rand.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/apps/app_rand.c b/apps/app_rand.c
index 906144b..4ee8475 100644
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -121,10 +121,7 @@ int app_RAND_load_file(const char *file, int dont_warn)
     char buffer[200];
 
 #ifdef OPENSSL_SYS_WINDOWS
-    BIO_printf(bio_err, "Loading 'screen' into random state -");
-    BIO_flush(bio_err);
     RAND_screen();
-    BIO_printf(bio_err, " done\n");
 #endif
 
     if (file == NULL)

From rsalz at openssl.org  Mon Aug 17 01:10:18 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 01:10:18 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439773818.734731.16255.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  6786c70ec112ac11b31ff19bb9e52a70ba0b5220 (commit)
      from  40356e4914154fdcc02bce8943348148e20c4a0f (commit)


- Log -----------------------------------------------------------------
commit 6786c70ec112ac11b31ff19bb9e52a70ba0b5220
Author: Rich Salz <rsalz at openssl.org>
Date:   Sun Aug 16 21:09:45 2015 -0400

    GH345: Remove stderr output
    
    Manually-cherry-picked since master varied a lot.
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/app_rand.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/apps/app_rand.c b/apps/app_rand.c
index 595fc78..7f40bba 100644
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -124,10 +124,7 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
     char buffer[200];
 
 #ifdef OPENSSL_SYS_WINDOWS
-    BIO_printf(bio_e, "Loading 'screen' into random state -");
-    BIO_flush(bio_e);
     RAND_screen();
-    BIO_printf(bio_e, " done\n");
 #endif
 
     if (file == NULL)

From rsalz at openssl.org  Mon Aug 17 01:39:00 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 01:39:00 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439775540.777402.18759.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a5f867abcf46517d10e2219a5d9b38498b32a837 (commit)
      from  1fe9edb17942f938e6035129ede62a5a27866bd3 (commit)


- Log -----------------------------------------------------------------
commit a5f867abcf46517d10e2219a5d9b38498b32a837
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 16 21:38:56 2015 -0400

    fix comment terminator

-----------------------------------------------------------------------

Summary of changes:
 news/pgpkey.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/news/pgpkey.html b/news/pgpkey.html
index 4e15e38..b89628f 100644
--- a/news/pgpkey.html
+++ b/news/pgpkey.html
@@ -18,7 +18,7 @@
 	    <a href="openssl-security.asc">openssl-security.asc</a>
 	    </p>
 	    <pre>
-	    <!--#include virtual="openssl-security.asc">
+	    <!--#include virtual="openssl-security.asc" -->
 	    </pre>
 	  </div>
 	  <footer>

From rsalz at openssl.org  Mon Aug 17 12:12:23 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 12:12:23 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439813543.892438.11115.nullmailer@dev.openssl.org>

The branch master has been updated
       via  493fe41bd59abe4aa72112e6708bc443f752dde3 (commit)
      from  a5f867abcf46517d10e2219a5d9b38498b32a837 (commit)


- Log -----------------------------------------------------------------
commit 493fe41bd59abe4aa72112e6708bc443f752dde3
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 08:12:16 2015 -0400

    alphabetize; remove openssl.org

-----------------------------------------------------------------------

Summary of changes:
 source/mirror.html | 41 +++++++++++++++++++----------------------
 1 file changed, 19 insertions(+), 22 deletions(-)

diff --git a/source/mirror.html b/source/mirror.html
index 04680d5..0f223ad 100644
--- a/source/mirror.html
+++ b/source/mirror.html
@@ -16,44 +16,41 @@
 	    <table>
 	      <tr><td>Locale</td><td>URL</td></tr>
 
-	      <tr><td>DE</td><td><a
-		    href="ftp://ftp.openssl.org/source/">ftp://ftp.openssl.org/source/</a></td></tr>
+	      <tr><td>AT</td><td><a
+		    href="ftp://gd.tuwien.ac.at/infosys/security/openssl/">ftp://gd.tuwien.ac.at/infosys/security/openssl/</a></td></tr>
+	      <tr><td>CA</td><td><a
+		    href="http://openssl.skazkaforyou.com/">http://openssl.skazkaforyou.com/</a></td></tr>
+	      <tr><td>CA</td><td><a
+		    href="https://openssl.raffsoftware.com/">https://openssl.raffsoftware.com/</a></td></tr>
 	      <tr><td>CH</td><td><a
 		    href="ftp://mirror.switch.ch/mirror/openssl/">ftp://mirror.switch.ch/mirror/openssl/</a></td></tr>
 	      <tr><td>CH</td><td><a
 		    href="http://mirror.switch.ch/ftp/mirror/openssl/">http://mirror.switch.ch/ftp/mirror/openssl/</a></td></tr>
+	      <tr><td>CZ</td><td><a
+		    href="ftp://ftp.fi.muni.cz/pub/openssl/">ftp://ftp.fi.muni.cz/pub/openssl/</a></td></tr>
 	      <tr><td>DE</td><td><a
 		    href="ftp://ftp.pca.dfn.de/pub/tools/net/openssl/">ftp://ftp.pca.dfn.de/pub/tools/net/openssl/</a></td></tr>
-	      <tr><td>NO</td><td><a
-		    href="ftp://sunsite.uio.no/pub/security/openssl/">ftp://sunsite.uio.no/pub/security/openssl/</a></td></tr>
-	      <tr><td>SE</td><td><a
-		    href="ftp://ftp.sunet.se/pub/security/tools/net/openssl/">ftp://ftp.sunet.se/pub/security/tools/net/openssl/</a></td></tr>
-	      <tr><td>AT</td><td><a
-		    href="ftp://gd.tuwien.ac.at/infosys/security/openssl/">ftp://gd.tuwien.ac.at/infosys/security/openssl/</a></td></tr>
+	      <tr><td>DE</td><td><a
+		    href="http://artfiles.org/openssl.org/">http://artfiles.org/openssl.org/</a></td></tr>
+	      <tr><td>DE</td><td><a
+		    href="http://openssl.initrd.net/">http://openssl.initrd.net/</a></td></tr>
+	      <tr><td>HR</td><td><a
+		    href="ftp://ftp.linux.hr/pub/openssl/">ftp://ftp.linux.hr/pub/openssl/</a></td></tr>
 	      <tr><td>HU</td><td><a
 		    href="ftp://ftp.kfki.hu/pub/packages/security/openssl/">ftp://ftp.kfki.hu/pub/packages/security/openssl/</a></td></tr>
+	      <tr><td>NO</td><td><a
+		    href="ftp://sunsite.uio.no/pub/security/openssl/">ftp://sunsite.uio.no/pub/security/openssl/</a></td></tr>
 	      <tr><td>PL</td><td><a
 		    href="ftp://guest.kuria.katowice.pl/pub/openssl/">ftp://guest.kuria.katowice.pl/pub/openssl/</a></td></tr>
-	      <tr><td>CZ</td><td><a
-		    href="ftp://ftp.fi.muni.cz/pub/openssl/">ftp://ftp.fi.muni.cz/pub/openssl/</a></td></tr>
-	      <tr><td>HR</td><td><a
-		    href="ftp://ftp.linux.hr/pub/openssl/">ftp://ftp.linux.hr/pub/openssl/</a></td></tr>
-	      <tr><td>DE</td><td><a
-		    href="http://openssl.initrd.net/">http://openssl.initrd.net/</a></td></tr>
 	      <tr><td>PL</td><td><a
 		    href="rsync://ftp.tpnet.pl/pub/security/openssl/">rsync://ftp.tpnet.pl/pub/security/openssl/</a></td></tr>
-	      <tr><td>CA</td><td><a
-		    href="http://openssl.skazkaforyou.com/">http://openssl.skazkaforyou.com/</a></td></tr>
-	      <tr><td>CA</td><td><a
-		    href="https://openssl.raffsoftware.com/">https://openssl.raffsoftware.com/</a></td></tr>
-	      <tr><td>DE</td><td><a
-		    href="http://artfiles.org/openssl.org/">http://artfiles.org/openssl.org/</a></td></tr>
+	      <tr><td>SE</td><td><a
+		    href="ftp://ftp.sunet.se/pub/security/tools/net/openssl/">ftp://ftp.sunet.se/pub/security/tools/net/openssl/</a></td></tr>
 
 	  </table>
 
 	  <p>&nbsp;</p>
-	    <h3>No additional mirrors</h3>
-	    <p>We are not interested in taking on additional mirrors at the
+          <p>We are not interested in adding additional mirrors at the
 	    time.</p>
 	  </div>
 	  <footer>

From tjh at openssl.org  Mon Aug 17 12:28:06 2015
From: tjh at openssl.org (Tim Hudson)
Date: Mon, 17 Aug 2015 12:28:06 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439814486.024240.13270.nullmailer@dev.openssl.org>

The branch master has been updated
       via  dfba17b4f3b2f87b50f2251a608d1911bfd202bc (commit)
       via  686e344918229cae90562384c01606ba88ed51ba (commit)
      from  eb647452eb73be491521980f45582c63f7194521 (commit)


- Log -----------------------------------------------------------------
commit dfba17b4f3b2f87b50f2251a608d1911bfd202bc
Author: Tim Hudson <tjh at openssl.org>
Date:   Mon Aug 17 22:20:06 2015 +1000

    Restore previous behaviour of only running one algorithm when -evp alg is used.
    
    Submitted by: Eric Young <eay at pobox.com>
    Reviewed-by: Ben Laurie <ben at openssl.org>

commit 686e344918229cae90562384c01606ba88ed51ba
Author: Tim Hudson <tjh at openssl.org>
Date:   Mon Aug 17 22:16:39 2015 +1000

    restore usage of -elapsed that was disabled in the ifdef reorg
    
    Reviewed-by: Ben Laurie <ben at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/speed.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index ca93d2c..b4722f1 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -364,10 +364,8 @@ OPTIONS speed_options[] = {
     {"mr", OPT_MR, '-', "Produce machine readable output"},
     {"mb", OPT_MB, '-'},
     {"misalign", OPT_MISALIGN, 'n', "Amount to mis-align buffers"},
-#if defined(TIMES) || defined(USE_TOD)
     {"elapsed", OPT_ELAPSED, '-',
      "Measure time in real time instead of CPU user time"},
-#endif
 #ifndef NO_FORK
     {"multi", OPT_MULTI, 'p', "Run benchmarks in parallel"},
 #endif
@@ -755,9 +753,6 @@ int speed_main(int argc, char **argv)
     long ecdh_c[EC_NUM][2];
     int ecdh_doit[EC_NUM];
 #endif
-#ifndef TIMES
-    usertime = -1;
-#endif
 
     memset(results, 0, sizeof(results));
 #ifndef OPENSSL_NO_DSA
@@ -949,7 +944,7 @@ int speed_main(int argc, char **argv)
 #endif
 
     /* No parameters; turn on everything. */
-    if (argc == 0) {
+    if ((argc == 0) && !doit[D_EVP]) {
         for (i = 0; i < ALGOR_NUM; i++)
             if (i != D_EVP)
                 doit[i] = 1;

From matt at openssl.org  Mon Aug 17 14:37:46 2015
From: matt at openssl.org (Matt Caswell)
Date: Mon, 17 Aug 2015 14:37:46 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439822266.816794.27291.nullmailer@dev.openssl.org>

The branch master has been updated
       via  31001f813172f73e4a27300ef39fc45e2b372a38 (commit)
      from  dfba17b4f3b2f87b50f2251a608d1911bfd202bc (commit)


- Log -----------------------------------------------------------------
commit 31001f813172f73e4a27300ef39fc45e2b372a38
Author: Dmitry Belyavsky <beldmit at gmail.com>
Date:   Mon Aug 17 11:22:52 2015 +0100

    Add new GOST OIDs
    
    Add new OIDs for latest GOST updates
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/objects/obj_dat.h    | 216 +++++++++++++++++++++++++++++++++++++++++++-
 crypto/objects/obj_mac.num  |  35 +++++++
 crypto/objects/obj_xref.h   |   6 ++
 crypto/objects/obj_xref.txt |   2 +
 crypto/objects/objects.txt  |  51 +++++++++++
 include/openssl/obj_mac.h   | 155 +++++++++++++++++++++++++++++++
 6 files changed, 460 insertions(+), 5 deletions(-)

diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 1ccbced..6210784 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -62,12 +62,12 @@
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 974
-#define NUM_SN 967
-#define NUM_LN 967
-#define NUM_OBJ 903
+#define NUM_NID 1009
+#define NUM_SN 1002
+#define NUM_LN 1002
+#define NUM_OBJ 936
 
-static const unsigned char lvalues[6364]={
+static const unsigned char lvalues[6604]={
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  0] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  6] OBJ_pkcs */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 13] OBJ_md2 */
@@ -965,6 +965,39 @@ static const unsigned char lvalues[6364]={
 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x31,     /* [6338] OBJ_camellia_256_ctr */
 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x32,     /* [6346] OBJ_camellia_256_cmac */
 0x2B,0x06,0x01,0x04,0x01,0xDA,0x47,0x04,0x0B,/* [6354] OBJ_id_scrypt */
+0x2A,0x85,0x03,0x07,0x01,                    /* [6363] OBJ_id_tc26 */
+0x2A,0x85,0x03,0x07,0x01,0x01,               /* [6368] OBJ_id_tc26_algorithms */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x01,          /* [6374] OBJ_id_tc26_sign */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x01,     /* [6381] OBJ_id_GostR3410_2012_256 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x02,     /* [6389] OBJ_id_GostR3410_2012_512 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x02,          /* [6397] OBJ_id_tc26_digest */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x02,     /* [6404] OBJ_id_GostR3411_2012_256 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x03,     /* [6412] OBJ_id_GostR3411_2012_512 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x03,          /* [6420] OBJ_id_tc26_signwithdigest */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x03,0x02,     /* [6427] OBJ_id_tc26_signwithdigest_gost3410_2012_256 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x03,0x03,     /* [6435] OBJ_id_tc26_signwithdigest_gost3410_2012_512 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x04,          /* [6443] OBJ_id_tc26_mac */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01,     /* [6450] OBJ_id_tc26_hmac_gost_3411_2012_256 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02,     /* [6458] OBJ_id_tc26_hmac_gost_3411_2012_512 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x05,          /* [6466] OBJ_id_tc26_cipher */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x06,          /* [6473] OBJ_id_tc26_agreement */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x06,0x01,     /* [6480] OBJ_id_tc26_agreement_gost_3410_2012_256 */
+0x2A,0x85,0x03,0x07,0x01,0x01,0x06,0x02,     /* [6488] OBJ_id_tc26_agreement_gost_3410_2012_512 */
+0x2A,0x85,0x03,0x07,0x01,0x02,               /* [6496] OBJ_id_tc26_constants */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x01,          /* [6502] OBJ_id_tc26_sign_constants */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,     /* [6509] OBJ_id_tc26_gost_3410_2012_512_constants */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x00,/* [6517] OBJ_id_tc26_gost_3410_2012_512_paramSetTest */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01,/* [6526] OBJ_id_tc26_gost_3410_2012_512_paramSetA */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02,/* [6535] OBJ_id_tc26_gost_3410_2012_512_paramSetB */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x02,          /* [6544] OBJ_id_tc26_digest_constants */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x05,          /* [6551] OBJ_id_tc26_cipher_constants */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,     /* [6558] OBJ_id_tc26_gost_28147_constants */
+0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,0x01,/* [6566] OBJ_id_tc26_gost_28147_param_Z */
+0x2A,0x85,0x03,0x03,0x81,0x03,0x01,0x01,     /* [6575] OBJ_INN */
+0x2A,0x85,0x03,0x64,0x01,                    /* [6583] OBJ_OGRN */
+0x2A,0x85,0x03,0x64,0x03,                    /* [6588] OBJ_SNILS */
+0x2A,0x85,0x03,0x64,0x6F,                    /* [6593] OBJ_subjectSignTool */
+0x2A,0x85,0x03,0x64,0x70,                    /* [6598] OBJ_issuerSignTool */
 };
 
 static const ASN1_OBJECT nid_objs[NUM_NID]={
@@ -2555,6 +2588,76 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
 {"CAMELLIA-256-CMAC","camellia-256-cmac",NID_camellia_256_cmac,8,
 	&(lvalues[6346]),0},
 {"id-scrypt","id-scrypt",NID_id_scrypt,9,&(lvalues[6354]),0},
+{"id-tc26","id-tc26",NID_id_tc26,5,&(lvalues[6363]),0},
+{"gost89-cnt-12","gost89-cnt-12",NID_gost89_cnt_12,0,NULL,0},
+{"gost-mac-12","gost-mac-12",NID_gost_mac_12,0,NULL,0},
+{"id-tc26-algorithms","id-tc26-algorithms",NID_id_tc26_algorithms,6,
+	&(lvalues[6368]),0},
+{"id-tc26-sign","id-tc26-sign",NID_id_tc26_sign,7,&(lvalues[6374]),0},
+{"gost2012_256","GOST R 34.10-2012 with 256 bit modulus",
+	NID_id_GostR3410_2012_256,8,&(lvalues[6381]),0},
+{"gost2012_512","GOST R 34.10-2012 with 512 bit modulus",
+	NID_id_GostR3410_2012_512,8,&(lvalues[6389]),0},
+{"id-tc26-digest","id-tc26-digest",NID_id_tc26_digest,7,
+	&(lvalues[6397]),0},
+{"md_gost12_256","GOST R 34.11-2012 with 256 bit hash",
+	NID_id_GostR3411_2012_256,8,&(lvalues[6404]),0},
+{"md_gost12_512","GOST R 34.11-2012 with 512 bit hash",
+	NID_id_GostR3411_2012_512,8,&(lvalues[6412]),0},
+{"id-tc26-signwithdigest","id-tc26-signwithdigest",
+	NID_id_tc26_signwithdigest,7,&(lvalues[6420]),0},
+{"id-tc26-signwithdigest-gost3410-2012-256",
+	"GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)",
+	NID_id_tc26_signwithdigest_gost3410_2012_256,8,&(lvalues[6427]),0},
+{"id-tc26-signwithdigest-gost3410-2012-512",
+	"GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)",
+	NID_id_tc26_signwithdigest_gost3410_2012_512,8,&(lvalues[6435]),0},
+{"id-tc26-mac","id-tc26-mac",NID_id_tc26_mac,7,&(lvalues[6443]),0},
+{"id-tc26-hmac-gost-3411-2012-256","HMAC GOST 34.11-2012 256 bit",
+	NID_id_tc26_hmac_gost_3411_2012_256,8,&(lvalues[6450]),0},
+{"id-tc26-hmac-gost-3411-2012-512","HMAC GOST 34.11-2012 512 bit",
+	NID_id_tc26_hmac_gost_3411_2012_512,8,&(lvalues[6458]),0},
+{"id-tc26-cipher","id-tc26-cipher",NID_id_tc26_cipher,7,
+	&(lvalues[6466]),0},
+{"id-tc26-agreement","id-tc26-agreement",NID_id_tc26_agreement,7,
+	&(lvalues[6473]),0},
+{"id-tc26-agreement-gost-3410-2012-256",
+	"id-tc26-agreement-gost-3410-2012-256",
+	NID_id_tc26_agreement_gost_3410_2012_256,8,&(lvalues[6480]),0},
+{"id-tc26-agreement-gost-3410-2012-512",
+	"id-tc26-agreement-gost-3410-2012-512",
+	NID_id_tc26_agreement_gost_3410_2012_512,8,&(lvalues[6488]),0},
+{"id-tc26-constants","id-tc26-constants",NID_id_tc26_constants,6,
+	&(lvalues[6496]),0},
+{"id-tc26-sign-constants","id-tc26-sign-constants",
+	NID_id_tc26_sign_constants,7,&(lvalues[6502]),0},
+{"id-tc26-gost-3410-2012-512-constants",
+	"id-tc26-gost-3410-2012-512-constants",
+	NID_id_tc26_gost_3410_2012_512_constants,8,&(lvalues[6509]),0},
+{"id-tc26-gost-3410-2012-512-paramSetTest",
+	"GOST R 34.10-2012 (512 bit) testing parameter set",
+	NID_id_tc26_gost_3410_2012_512_paramSetTest,9,&(lvalues[6517]),0},
+{"id-tc26-gost-3410-2012-512-paramSetA",
+	"GOST R 34.10-2012 (512 bit) ParamSet A",
+	NID_id_tc26_gost_3410_2012_512_paramSetA,9,&(lvalues[6526]),0},
+{"id-tc26-gost-3410-2012-512-paramSetB",
+	"GOST R 34.10-2012 (512 bit) ParamSet B",
+	NID_id_tc26_gost_3410_2012_512_paramSetB,9,&(lvalues[6535]),0},
+{"id-tc26-digest-constants","id-tc26-digest-constants",
+	NID_id_tc26_digest_constants,7,&(lvalues[6544]),0},
+{"id-tc26-cipher-constants","id-tc26-cipher-constants",
+	NID_id_tc26_cipher_constants,7,&(lvalues[6551]),0},
+{"id-tc26-gost-28147-constants","id-tc26-gost-28147-constants",
+	NID_id_tc26_gost_28147_constants,8,&(lvalues[6558]),0},
+{"id-tc26-gost-28147-param-Z","GOST 28147-89 TC26 parameter set",
+	NID_id_tc26_gost_28147_param_Z,9,&(lvalues[6566]),0},
+{"INN","INN",NID_INN,8,&(lvalues[6575]),0},
+{"OGRN","OGRN",NID_OGRN,5,&(lvalues[6583]),0},
+{"SNILS","SNILS",NID_SNILS,5,&(lvalues[6588]),0},
+{"subjectSignTool","Signing Tool of Subject",NID_subjectSignTool,5,
+	&(lvalues[6593]),0},
+{"issuerSignTool","Signing Tool of Issuer",NID_issuerSignTool,5,
+	&(lvalues[6598]),0},
 };
 
 static const unsigned int sn_objs[NUM_SN]={
@@ -2670,6 +2773,7 @@ static const unsigned int sn_objs[NUM_SN]={
 35,	/* "IDEA-CFB" */
 36,	/* "IDEA-ECB" */
 46,	/* "IDEA-OFB" */
+1004,	/* "INN" */
 181,	/* "ISO" */
 183,	/* "ISO-US" */
 645,	/* "ITU-T" */
@@ -2691,6 +2795,7 @@ static const unsigned int sn_objs[NUM_SN]={
 17,	/* "O" */
 178,	/* "OCSP" */
 180,	/* "OCSPSigning" */
+1005,	/* "OGRN" */
 379,	/* "ORG" */
 18,	/* "OU" */
 749,	/* "Oakley-EC2N-3" */
@@ -2755,6 +2860,7 @@ static const unsigned int sn_objs[NUM_SN]={
 188,	/* "SMIME" */
 167,	/* "SMIME-CAPS" */
 100,	/* "SN" */
+1006,	/* "SNILS" */
 16,	/* "ST" */
 143,	/* "SXNetID" */
 458,	/* "UID" */
@@ -2913,10 +3019,14 @@ static const unsigned int sn_objs[NUM_SN]={
 156,	/* "friendlyName" */
 509,	/* "generationQualifier" */
 815,	/* "gost-mac" */
+976,	/* "gost-mac-12" */
 811,	/* "gost2001" */
 851,	/* "gost2001cc" */
+979,	/* "gost2012_256" */
+980,	/* "gost2012_512" */
 813,	/* "gost89" */
 814,	/* "gost89-cnt" */
+975,	/* "gost89-cnt-12" */
 812,	/* "gost94" */
 850,	/* "gost94cc" */
 797,	/* "hmacWithMD5" */
@@ -3171,6 +3281,30 @@ static const unsigned int sn_objs[NUM_SN]={
 194,	/* "id-smime-spq" */
 250,	/* "id-smime-spq-ets-sqt-unotice" */
 249,	/* "id-smime-spq-ets-sqt-uri" */
+974,	/* "id-tc26" */
+991,	/* "id-tc26-agreement" */
+992,	/* "id-tc26-agreement-gost-3410-2012-256" */
+993,	/* "id-tc26-agreement-gost-3410-2012-512" */
+977,	/* "id-tc26-algorithms" */
+990,	/* "id-tc26-cipher" */
+1001,	/* "id-tc26-cipher-constants" */
+994,	/* "id-tc26-constants" */
+981,	/* "id-tc26-digest" */
+1000,	/* "id-tc26-digest-constants" */
+1002,	/* "id-tc26-gost-28147-constants" */
+1003,	/* "id-tc26-gost-28147-param-Z" */
+996,	/* "id-tc26-gost-3410-2012-512-constants" */
+998,	/* "id-tc26-gost-3410-2012-512-paramSetA" */
+999,	/* "id-tc26-gost-3410-2012-512-paramSetB" */
+997,	/* "id-tc26-gost-3410-2012-512-paramSetTest" */
+988,	/* "id-tc26-hmac-gost-3411-2012-256" */
+989,	/* "id-tc26-hmac-gost-3411-2012-512" */
+987,	/* "id-tc26-mac" */
+978,	/* "id-tc26-sign" */
+995,	/* "id-tc26-sign-constants" */
+984,	/* "id-tc26-signwithdigest" */
+985,	/* "id-tc26-signwithdigest-gost3410-2012-256" */
+986,	/* "id-tc26-signwithdigest-gost3410-2012-512" */
 676,	/* "identified-organization" */
 461,	/* "info" */
 748,	/* "inhibitAnyPolicy" */
@@ -3182,6 +3316,7 @@ static const unsigned int sn_objs[NUM_SN]={
 295,	/* "ipsecTunnel" */
 296,	/* "ipsecUser" */
 86,	/* "issuerAltName" */
+1008,	/* "issuerSignTool" */
 770,	/* "issuingDistributionPoint" */
 492,	/* "janetMailbox" */
 957,	/* "jurisdictionC" */
@@ -3196,6 +3331,8 @@ static const unsigned int sn_objs[NUM_SN]={
 460,	/* "mail" */
 493,	/* "mailPreferenceOption" */
 467,	/* "manager" */
+982,	/* "md_gost12_256" */
+983,	/* "md_gost12_512" */
 809,	/* "md_gost94" */
 875,	/* "member" */
 182,	/* "member-body" */
@@ -3484,6 +3621,7 @@ static const unsigned int sn_objs[NUM_SN]={
 769,	/* "subjectDirectoryAttributes" */
 398,	/* "subjectInfoAccess" */
 82,	/* "subjectKeyIdentifier" */
+1007,	/* "subjectSignTool" */
 498,	/* "subtreeMaximumQuality" */
 497,	/* "subtreeMinimumQuality" */
 890,	/* "supportedAlgorithms" */
@@ -3554,12 +3692,22 @@ static const unsigned int ln_objs[NUM_LN]={
 813,	/* "GOST 28147-89" */
 849,	/* "GOST 28147-89 Cryptocom ParamSet" */
 815,	/* "GOST 28147-89 MAC" */
+1003,	/* "GOST 28147-89 TC26 parameter set" */
 851,	/* "GOST 34.10-2001 Cryptocom" */
 850,	/* "GOST 34.10-94 Cryptocom" */
 811,	/* "GOST R 34.10-2001" */
 817,	/* "GOST R 34.10-2001 DH" */
+998,	/* "GOST R 34.10-2012 (512 bit) ParamSet A" */
+999,	/* "GOST R 34.10-2012 (512 bit) ParamSet B" */
+997,	/* "GOST R 34.10-2012 (512 bit) testing parameter set" */
+979,	/* "GOST R 34.10-2012 with 256 bit modulus" */
+980,	/* "GOST R 34.10-2012 with 512 bit modulus" */
+985,	/* "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)" */
+986,	/* "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)" */
 812,	/* "GOST R 34.10-94" */
 818,	/* "GOST R 34.10-94 DH" */
+982,	/* "GOST R 34.11-2012 with 256 bit hash" */
+983,	/* "GOST R 34.11-2012 with 512 bit hash" */
 809,	/* "GOST R 34.11-94" */
 816,	/* "GOST R 34.11-94 PRF" */
 807,	/* "GOST R 34.11-94 with GOST R 34.10-2001" */
@@ -3567,12 +3715,15 @@ static const unsigned int ln_objs[NUM_LN]={
 808,	/* "GOST R 34.11-94 with GOST R 34.10-94" */
 852,	/* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */
 854,	/* "GOST R 3410-2001 Parameter Set Cryptocom" */
+988,	/* "HMAC GOST 34.11-2012 256 bit" */
+989,	/* "HMAC GOST 34.11-2012 512 bit" */
 810,	/* "HMAC GOST 34.11-94" */
 432,	/* "Hold Instruction Call Issuer" */
 430,	/* "Hold Instruction Code" */
 431,	/* "Hold Instruction None" */
 433,	/* "Hold Instruction Reject" */
 634,	/* "ICC or token signature" */
+1004,	/* "INN" */
 294,	/* "IPSec End System" */
 295,	/* "IPSec Tunnel" */
 296,	/* "IPSec User" */
@@ -3617,6 +3768,7 @@ static const unsigned int ln_objs[NUM_LN]={
 366,	/* "OCSP Nonce" */
 371,	/* "OCSP Service Locator" */
 180,	/* "OCSP Signing" */
+1005,	/* "OGRN" */
 161,	/* "PBES2" */
 69,	/* "PBKDF2" */
 162,	/* "PBMAC1" */
@@ -3630,10 +3782,13 @@ static const unsigned int ln_objs[NUM_LN]={
  2,	/* "RSA Data Security, Inc. PKCS" */
 188,	/* "S/MIME" */
 167,	/* "S/MIME Capabilities" */
+1006,	/* "SNILS" */
 387,	/* "SNMPv2" */
 512,	/* "Secure Electronic Transactions" */
 386,	/* "Security" */
 394,	/* "Selected Attribute Types" */
+1008,	/* "Signing Tool of Issuer" */
+1007,	/* "Signing Tool of Subject" */
 143,	/* "Strong Extranet ID" */
 398,	/* "Subject Information Access" */
 130,	/* "TLS Web Client Authentication" */
@@ -3897,7 +4052,9 @@ static const unsigned int ln_objs[NUM_LN]={
 509,	/* "generationQualifier" */
 601,	/* "generic cryptogram" */
 99,	/* "givenName" */
+976,	/* "gost-mac-12" */
 814,	/* "gost89-cnt" */
+975,	/* "gost89-cnt-12" */
 855,	/* "hmac" */
 780,	/* "hmac-md5" */
 781,	/* "hmac-sha1" */
@@ -4126,6 +4283,22 @@ static const unsigned int ln_objs[NUM_LN]={
 194,	/* "id-smime-spq" */
 250,	/* "id-smime-spq-ets-sqt-unotice" */
 249,	/* "id-smime-spq-ets-sqt-uri" */
+974,	/* "id-tc26" */
+991,	/* "id-tc26-agreement" */
+992,	/* "id-tc26-agreement-gost-3410-2012-256" */
+993,	/* "id-tc26-agreement-gost-3410-2012-512" */
+977,	/* "id-tc26-algorithms" */
+990,	/* "id-tc26-cipher" */
+1001,	/* "id-tc26-cipher-constants" */
+994,	/* "id-tc26-constants" */
+981,	/* "id-tc26-digest" */
+1000,	/* "id-tc26-digest-constants" */
+1002,	/* "id-tc26-gost-28147-constants" */
+996,	/* "id-tc26-gost-3410-2012-512-constants" */
+987,	/* "id-tc26-mac" */
+978,	/* "id-tc26-sign" */
+995,	/* "id-tc26-sign-constants" */
+984,	/* "id-tc26-signwithdigest" */
 34,	/* "idea-cbc" */
 35,	/* "idea-cfb" */
 36,	/* "idea-ecb" */
@@ -4734,6 +4907,11 @@ static const unsigned int obj_objs[NUM_OBJ]={
 639,	/* OBJ_set_brand_JCB                2 23 42 8 35 */
 805,	/* OBJ_cryptopro                    1 2 643 2 2 */
 806,	/* OBJ_cryptocom                    1 2 643 2 9 */
+974,	/* OBJ_id_tc26                      1 2 643 7 1 */
+1005,	/* OBJ_OGRN                         1 2 643 100 1 */
+1006,	/* OBJ_SNILS                        1 2 643 100 3 */
+1007,	/* OBJ_subjectSignTool              1 2 643 100 111 */
+1008,	/* OBJ_issuerSignTool               1 2 643 100 112 */
 184,	/* OBJ_X9_57                        1 2 840 10040 */
 405,	/* OBJ_ansi_X9_62                   1 2 840 10045 */
 389,	/* OBJ_Enterprises                  1 3 6 1 4 1 */
@@ -4817,6 +4995,8 @@ static const unsigned int obj_objs[NUM_OBJ]={
 816,	/* OBJ_id_GostR3411_94_prf          1 2 643 2 2 23 */
 817,	/* OBJ_id_GostR3410_2001DH          1 2 643 2 2 98 */
 818,	/* OBJ_id_GostR3410_94DH            1 2 643 2 2 99 */
+977,	/* OBJ_id_tc26_algorithms           1 2 643 7 1 1 */
+994,	/* OBJ_id_tc26_constants            1 2 643 7 1 2 */
  1,	/* OBJ_rsadsi                       1 2 840 113549 */
 185,	/* OBJ_X9cm                         1 2 840 10040 4 */
 127,	/* OBJ_id_pkix                      1 3 6 1 5 5 7 */
@@ -4867,6 +5047,15 @@ static const unsigned int obj_objs[NUM_OBJ]={
 842,	/* OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet 1 2 643 2 2 35 3 */
 843,	/* OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet 1 2 643 2 2 36 0 */
 844,	/* OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet 1 2 643 2 2 36 1 */
+978,	/* OBJ_id_tc26_sign                 1 2 643 7 1 1 1 */
+981,	/* OBJ_id_tc26_digest               1 2 643 7 1 1 2 */
+984,	/* OBJ_id_tc26_signwithdigest       1 2 643 7 1 1 3 */
+987,	/* OBJ_id_tc26_mac                  1 2 643 7 1 1 4 */
+990,	/* OBJ_id_tc26_cipher               1 2 643 7 1 1 5 */
+991,	/* OBJ_id_tc26_agreement            1 2 643 7 1 1 6 */
+995,	/* OBJ_id_tc26_sign_constants       1 2 643 7 1 2 1 */
+1000,	/* OBJ_id_tc26_digest_constants     1 2 643 7 1 2 2 */
+1001,	/* OBJ_id_tc26_cipher_constants     1 2 643 7 1 2 5 */
  2,	/* OBJ_pkcs                         1 2 840 113549 1 */
 431,	/* OBJ_hold_instruction_none        1 2 840 10040 2 1 */
 432,	/* OBJ_hold_instruction_call_issuer 1 2 840 10040 2 2 */
@@ -4930,6 +5119,19 @@ static const unsigned int obj_objs[NUM_OBJ]={
 851,	/* OBJ_id_GostR3410_2001_cc         1 2 643 2 9 1 5 4 */
 849,	/* OBJ_id_Gost28147_89_cc           1 2 643 2 9 1 6 1 */
 854,	/* OBJ_id_GostR3410_2001_ParamSet_cc 1 2 643 2 9 1 8 1 */
+1004,	/* OBJ_INN                          1 2 643 3 131 1 1 */
+979,	/* OBJ_id_GostR3410_2012_256        1 2 643 7 1 1 1 1 */
+980,	/* OBJ_id_GostR3410_2012_512        1 2 643 7 1 1 1 2 */
+982,	/* OBJ_id_GostR3411_2012_256        1 2 643 7 1 1 2 2 */
+983,	/* OBJ_id_GostR3411_2012_512        1 2 643 7 1 1 2 3 */
+985,	/* OBJ_id_tc26_signwithdigest_gost3410_2012_256 1 2 643 7 1 1 3 2 */
+986,	/* OBJ_id_tc26_signwithdigest_gost3410_2012_512 1 2 643 7 1 1 3 3 */
+988,	/* OBJ_id_tc26_hmac_gost_3411_2012_256 1 2 643 7 1 1 4 1 */
+989,	/* OBJ_id_tc26_hmac_gost_3411_2012_512 1 2 643 7 1 1 4 2 */
+992,	/* OBJ_id_tc26_agreement_gost_3410_2012_256 1 2 643 7 1 1 6 1 */
+993,	/* OBJ_id_tc26_agreement_gost_3410_2012_512 1 2 643 7 1 1 6 2 */
+996,	/* OBJ_id_tc26_gost_3410_2012_512_constants 1 2 643 7 1 2 1 2 */
+1002,	/* OBJ_id_tc26_gost_28147_constants 1 2 643 7 1 2 5 1 */
 186,	/* OBJ_pkcs1                        1 2 840 113549 1 1 */
 27,	/* OBJ_pkcs3                        1 2 840 113549 1 3 */
 187,	/* OBJ_pkcs5                        1 2 840 113549 1 5 */
@@ -5097,6 +5299,10 @@ static const unsigned int obj_objs[NUM_OBJ]={
 439,	/* OBJ_pilotAttributeSyntax         0 9 2342 19200300 100 3 */
 440,	/* OBJ_pilotObjectClass             0 9 2342 19200300 100 4 */
 441,	/* OBJ_pilotGroups                  0 9 2342 19200300 100 10 */
+997,	/* OBJ_id_tc26_gost_3410_2012_512_paramSetTest 1 2 643 7 1 2 1 2 0 */
+998,	/* OBJ_id_tc26_gost_3410_2012_512_paramSetA 1 2 643 7 1 2 1 2 1 */
+999,	/* OBJ_id_tc26_gost_3410_2012_512_paramSetB 1 2 643 7 1 2 1 2 2 */
+1003,	/* OBJ_id_tc26_gost_28147_param_Z   1 2 643 7 1 2 5 1 1 */
 108,	/* OBJ_cast5_cbc                    1 2 840 113533 7 66 10 */
 112,	/* OBJ_pbeWithMD5AndCast5_CBC       1 2 840 113533 7 66 12 */
 782,	/* OBJ_id_PasswordBasedMAC          1 2 840 113533 7 66 13 */
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index af57c68..e813b62 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -971,3 +971,38 @@ camellia_256_ccm		970
 camellia_256_ctr		971
 camellia_256_cmac		972
 id_scrypt		973
+id_tc26		974
+gost89_cnt_12		975
+gost_mac_12		976
+id_tc26_algorithms		977
+id_tc26_sign		978
+id_GostR3410_2012_256		979
+id_GostR3410_2012_512		980
+id_tc26_digest		981
+id_GostR3411_2012_256		982
+id_GostR3411_2012_512		983
+id_tc26_signwithdigest		984
+id_tc26_signwithdigest_gost3410_2012_256		985
+id_tc26_signwithdigest_gost3410_2012_512		986
+id_tc26_mac		987
+id_tc26_hmac_gost_3411_2012_256		988
+id_tc26_hmac_gost_3411_2012_512		989
+id_tc26_cipher		990
+id_tc26_agreement		991
+id_tc26_agreement_gost_3410_2012_256		992
+id_tc26_agreement_gost_3410_2012_512		993
+id_tc26_constants		994
+id_tc26_sign_constants		995
+id_tc26_gost_3410_2012_512_constants		996
+id_tc26_gost_3410_2012_512_paramSetTest		997
+id_tc26_gost_3410_2012_512_paramSetA		998
+id_tc26_gost_3410_2012_512_paramSetB		999
+id_tc26_digest_constants		1000
+id_tc26_cipher_constants		1001
+id_tc26_gost_28147_constants		1002
+id_tc26_gost_28147_param_Z		1003
+INN		1004
+OGRN		1005
+SNILS		1006
+subjectSignTool		1007
+issuerSignTool		1008
diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
index e453e99..c07adee 100644
--- a/crypto/objects/obj_xref.h
+++ b/crypto/objects/obj_xref.h
@@ -56,6 +56,10 @@ static const nid_triple sigoid_srt[] = {
      NID_dh_cofactor_kdf},
     {NID_dhSinglePass_cofactorDH_sha512kdf_scheme, NID_sha512,
      NID_dh_cofactor_kdf},
+    {NID_id_tc26_signwithdigest_gost3410_2012_256, NID_id_GostR3411_2012_256,
+     NID_id_GostR3410_2012_256},
+    {NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_GostR3411_2012_512,
+     NID_id_GostR3410_2012_512},
 };
 
 static const nid_triple *const sigoid_srt_xref[] = {
@@ -96,4 +100,6 @@ static const nid_triple *const sigoid_srt_xref[] = {
     &sigoid_srt[26],
     &sigoid_srt[27],
     &sigoid_srt[28],
+    &sigoid_srt[40],
+    &sigoid_srt[41],
 };
diff --git a/crypto/objects/obj_xref.txt b/crypto/objects/obj_xref.txt
index 19c9422..981103b 100644
--- a/crypto/objects/obj_xref.txt
+++ b/crypto/objects/obj_xref.txt
@@ -44,6 +44,8 @@ id_GostR3411_94_with_GostR3410_2001	id_GostR3411_94 id_GostR3410_2001
 id_GostR3411_94_with_GostR3410_94	id_GostR3411_94 id_GostR3410_94
 id_GostR3411_94_with_GostR3410_94_cc	id_GostR3411_94 id_GostR3410_94_cc
 id_GostR3411_94_with_GostR3410_2001_cc	id_GostR3411_94 id_GostR3410_2001_cc
+id_tc26_signwithdigest_gost3410_2012_256 id_GostR3411_2012_256 id_GostR3410_2012_256
+id_tc26_signwithdigest_gost3410_2012_512 id_GostR3411_2012_512 id_GostR3410_2012_512
 # ECDH KDFs and their corresponding message digests and schemes
 dhSinglePass_stdDH_sha1kdf_scheme		sha1	dh_std_kdf
 dhSinglePass_stdDH_sha224kdf_scheme		sha224	dh_std_kdf
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 655f405..06928c6 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -1156,6 +1156,7 @@ iso 0 10118 3 0 55	: whirlpool
 
 member-body 643 2 2	: cryptopro
 member-body 643 2 9	: cryptocom
+member-body 643 7 1	: id-tc26
 
 cryptopro 3		: id-GostR3411-94-with-GostR3410-2001 : GOST R 34.11-94 with GOST R 34.10-2001
 cryptopro 4		: id-GostR3411-94-with-GostR3410-94 : GOST R 34.11-94 with GOST R 34.10-94
@@ -1169,8 +1170,10 @@ cryptopro 20		: gost94	: GOST R 34.10-94
 !Cname id-Gost28147-89
 cryptopro 21		: gost89 		: GOST 28147-89
 			: gost89-cnt
+			: gost89-cnt-12
 !Cname id-Gost28147-89-MAC
 cryptopro 22		: gost-mac	: GOST 28147-89 MAC
+			: gost-mac-12
 !Cname id-GostR3411-94-prf
 cryptopro 23		: prf-gostr3411-94	: GOST R 34.11-94 PRF
 cryptopro 98		: id-GostR3410-2001DH	: GOST R 34.10-2001 DH
@@ -1229,6 +1232,54 @@ cryptocom 1 3 4		: id-GostR3411-94-with-GostR3410-2001-cc : GOST R 34.11-94 with
 
 cryptocom 1 8 1		: id-GostR3410-2001-ParamSet-cc : GOST R 3410-2001 Parameter Set Cryptocom
 
+# TC26 GOST OIDs
+
+id-tc26 1 		: id-tc26-algorithms
+id-tc26-algorithms 1	: id-tc26-sign
+!Cname id-GostR3410-2012-256
+id-tc26-sign 1		: gost2012_256: GOST R 34.10-2012 with 256 bit modulus
+!Cname id-GostR3410-2012-512
+id-tc26-sign 2		: gost2012_512: GOST R 34.10-2012 with 512 bit modulus
+
+id-tc26-algorithms 2	: id-tc26-digest
+!Cname id-GostR3411-2012-256
+id-tc26-digest 2	: md_gost12_256: GOST R 34.11-2012 with 256 bit hash
+!Cname id-GostR3411-2012-512
+id-tc26-digest 3	: md_gost12_512: GOST R 34.11-2012 with 512 bit hash
+
+id-tc26-algorithms 3	: id-tc26-signwithdigest
+id-tc26-signwithdigest 2: id-tc26-signwithdigest-gost3410-2012-256: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
+id-tc26-signwithdigest 3: id-tc26-signwithdigest-gost3410-2012-512: GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)
+
+id-tc26-algorithms 4	: id-tc26-mac
+id-tc26-mac 1		: id-tc26-hmac-gost-3411-2012-256 : HMAC GOST 34.11-2012 256 bit
+id-tc26-mac 2		: id-tc26-hmac-gost-3411-2012-512 : HMAC GOST 34.11-2012 512 bit
+
+id-tc26-algorithms 5	: id-tc26-cipher
+
+id-tc26-algorithms 6	: id-tc26-agreement
+id-tc26-agreement 1	: id-tc26-agreement-gost-3410-2012-256
+id-tc26-agreement 2	: id-tc26-agreement-gost-3410-2012-512
+
+id-tc26 2 		: id-tc26-constants
+
+id-tc26-constants 1	: id-tc26-sign-constants
+id-tc26-sign-constants 2: id-tc26-gost-3410-2012-512-constants
+id-tc26-gost-3410-2012-512-constants 0	: id-tc26-gost-3410-2012-512-paramSetTest: GOST R 34.10-2012 (512 bit) testing parameter set
+id-tc26-gost-3410-2012-512-constants 1	: id-tc26-gost-3410-2012-512-paramSetA: GOST R 34.10-2012 (512 bit) ParamSet A
+id-tc26-gost-3410-2012-512-constants 2	: id-tc26-gost-3410-2012-512-paramSetB: GOST R 34.10-2012 (512 bit) ParamSet B
+
+id-tc26-constants 2     : id-tc26-digest-constants
+id-tc26-constants 5     : id-tc26-cipher-constants
+id-tc26-cipher-constants 1	: id-tc26-gost-28147-constants
+id-tc26-gost-28147-constants 1	: id-tc26-gost-28147-param-Z : GOST 28147-89 TC26 parameter set
+
+member-body 643 3 131 1 1	: INN	: INN
+member-body 643 100 1		: OGRN	: OGRN
+member-body 643 100 3		: SNILS	: SNILS
+member-body 643 100 111	: subjectSignTool	: Signing Tool of Subject
+member-body 643 100 112	: issuerSignTool	: Signing Tool of Issuer
+
 # Definitions for Camellia cipher - CBC MODE
 
 1 2 392 200011 61 1 1 1 2 : CAMELLIA-128-CBC		: camellia-128-cbc
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index 0e6a99e..fdf5b62 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -3690,6 +3690,10 @@
 #define NID_cryptocom           806
 #define OBJ_cryptocom           OBJ_member_body,643L,2L,9L
 
+#define SN_id_tc26              "id-tc26"
+#define NID_id_tc26             974
+#define OBJ_id_tc26             OBJ_member_body,643L,7L,1L
+
 #define SN_id_GostR3411_94_with_GostR3410_2001          "id-GostR3411-94-with-GostR3410-2001"
 #define LN_id_GostR3411_94_with_GostR3410_2001          "GOST R 34.11-94 with GOST R 34.10-2001"
 #define NID_id_GostR3411_94_with_GostR3410_2001         807
@@ -3728,11 +3732,17 @@
 #define SN_gost89_cnt           "gost89-cnt"
 #define NID_gost89_cnt          814
 
+#define SN_gost89_cnt_12                "gost89-cnt-12"
+#define NID_gost89_cnt_12               975
+
 #define SN_id_Gost28147_89_MAC          "gost-mac"
 #define LN_id_Gost28147_89_MAC          "GOST 28147-89 MAC"
 #define NID_id_Gost28147_89_MAC         815
 #define OBJ_id_Gost28147_89_MAC         OBJ_cryptopro,22L
 
+#define SN_gost_mac_12          "gost-mac-12"
+#define NID_gost_mac_12         976
+
 #define SN_id_GostR3411_94_prf          "prf-gostr3411-94"
 #define LN_id_GostR3411_94_prf          "GOST R 34.11-94 PRF"
 #define NID_id_GostR3411_94_prf         816
@@ -3898,6 +3908,151 @@
 #define NID_id_GostR3410_2001_ParamSet_cc               854
 #define OBJ_id_GostR3410_2001_ParamSet_cc               OBJ_cryptocom,1L,8L,1L
 
+#define SN_id_tc26_algorithms           "id-tc26-algorithms"
+#define NID_id_tc26_algorithms          977
+#define OBJ_id_tc26_algorithms          OBJ_id_tc26,1L
+
+#define SN_id_tc26_sign         "id-tc26-sign"
+#define NID_id_tc26_sign                978
+#define OBJ_id_tc26_sign                OBJ_id_tc26_algorithms,1L
+
+#define SN_id_GostR3410_2012_256                "gost2012_256"
+#define LN_id_GostR3410_2012_256                "GOST R 34.10-2012 with 256 bit modulus"
+#define NID_id_GostR3410_2012_256               979
+#define OBJ_id_GostR3410_2012_256               OBJ_id_tc26_sign,1L
+
+#define SN_id_GostR3410_2012_512                "gost2012_512"
+#define LN_id_GostR3410_2012_512                "GOST R 34.10-2012 with 512 bit modulus"
+#define NID_id_GostR3410_2012_512               980
+#define OBJ_id_GostR3410_2012_512               OBJ_id_tc26_sign,2L
+
+#define SN_id_tc26_digest               "id-tc26-digest"
+#define NID_id_tc26_digest              981
+#define OBJ_id_tc26_digest              OBJ_id_tc26_algorithms,2L
+
+#define SN_id_GostR3411_2012_256                "md_gost12_256"
+#define LN_id_GostR3411_2012_256                "GOST R 34.11-2012 with 256 bit hash"
+#define NID_id_GostR3411_2012_256               982
+#define OBJ_id_GostR3411_2012_256               OBJ_id_tc26_digest,2L
+
+#define SN_id_GostR3411_2012_512                "md_gost12_512"
+#define LN_id_GostR3411_2012_512                "GOST R 34.11-2012 with 512 bit hash"
+#define NID_id_GostR3411_2012_512               983
+#define OBJ_id_GostR3411_2012_512               OBJ_id_tc26_digest,3L
+
+#define SN_id_tc26_signwithdigest               "id-tc26-signwithdigest"
+#define NID_id_tc26_signwithdigest              984
+#define OBJ_id_tc26_signwithdigest              OBJ_id_tc26_algorithms,3L
+
+#define SN_id_tc26_signwithdigest_gost3410_2012_256             "id-tc26-signwithdigest-gost3410-2012-256"
+#define LN_id_tc26_signwithdigest_gost3410_2012_256             "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)"
+#define NID_id_tc26_signwithdigest_gost3410_2012_256            985
+#define OBJ_id_tc26_signwithdigest_gost3410_2012_256            OBJ_id_tc26_signwithdigest,2L
+
+#define SN_id_tc26_signwithdigest_gost3410_2012_512             "id-tc26-signwithdigest-gost3410-2012-512"
+#define LN_id_tc26_signwithdigest_gost3410_2012_512             "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)"
+#define NID_id_tc26_signwithdigest_gost3410_2012_512            986
+#define OBJ_id_tc26_signwithdigest_gost3410_2012_512            OBJ_id_tc26_signwithdigest,3L
+
+#define SN_id_tc26_mac          "id-tc26-mac"
+#define NID_id_tc26_mac         987
+#define OBJ_id_tc26_mac         OBJ_id_tc26_algorithms,4L
+
+#define SN_id_tc26_hmac_gost_3411_2012_256              "id-tc26-hmac-gost-3411-2012-256"
+#define LN_id_tc26_hmac_gost_3411_2012_256              "HMAC GOST 34.11-2012 256 bit"
+#define NID_id_tc26_hmac_gost_3411_2012_256             988
+#define OBJ_id_tc26_hmac_gost_3411_2012_256             OBJ_id_tc26_mac,1L
+
+#define SN_id_tc26_hmac_gost_3411_2012_512              "id-tc26-hmac-gost-3411-2012-512"
+#define LN_id_tc26_hmac_gost_3411_2012_512              "HMAC GOST 34.11-2012 512 bit"
+#define NID_id_tc26_hmac_gost_3411_2012_512             989
+#define OBJ_id_tc26_hmac_gost_3411_2012_512             OBJ_id_tc26_mac,2L
+
+#define SN_id_tc26_cipher               "id-tc26-cipher"
+#define NID_id_tc26_cipher              990
+#define OBJ_id_tc26_cipher              OBJ_id_tc26_algorithms,5L
+
+#define SN_id_tc26_agreement            "id-tc26-agreement"
+#define NID_id_tc26_agreement           991
+#define OBJ_id_tc26_agreement           OBJ_id_tc26_algorithms,6L
+
+#define SN_id_tc26_agreement_gost_3410_2012_256         "id-tc26-agreement-gost-3410-2012-256"
+#define NID_id_tc26_agreement_gost_3410_2012_256                992
+#define OBJ_id_tc26_agreement_gost_3410_2012_256                OBJ_id_tc26_agreement,1L
+
+#define SN_id_tc26_agreement_gost_3410_2012_512         "id-tc26-agreement-gost-3410-2012-512"
+#define NID_id_tc26_agreement_gost_3410_2012_512                993
+#define OBJ_id_tc26_agreement_gost_3410_2012_512                OBJ_id_tc26_agreement,2L
+
+#define SN_id_tc26_constants            "id-tc26-constants"
+#define NID_id_tc26_constants           994
+#define OBJ_id_tc26_constants           OBJ_id_tc26,2L
+
+#define SN_id_tc26_sign_constants               "id-tc26-sign-constants"
+#define NID_id_tc26_sign_constants              995
+#define OBJ_id_tc26_sign_constants              OBJ_id_tc26_constants,1L
+
+#define SN_id_tc26_gost_3410_2012_512_constants         "id-tc26-gost-3410-2012-512-constants"
+#define NID_id_tc26_gost_3410_2012_512_constants                996
+#define OBJ_id_tc26_gost_3410_2012_512_constants                OBJ_id_tc26_sign_constants,2L
+
+#define SN_id_tc26_gost_3410_2012_512_paramSetTest              "id-tc26-gost-3410-2012-512-paramSetTest"
+#define LN_id_tc26_gost_3410_2012_512_paramSetTest              "GOST R 34.10-2012 (512 bit) testing parameter set"
+#define NID_id_tc26_gost_3410_2012_512_paramSetTest             997
+#define OBJ_id_tc26_gost_3410_2012_512_paramSetTest             OBJ_id_tc26_gost_3410_2012_512_constants,0L
+
+#define SN_id_tc26_gost_3410_2012_512_paramSetA         "id-tc26-gost-3410-2012-512-paramSetA"
+#define LN_id_tc26_gost_3410_2012_512_paramSetA         "GOST R 34.10-2012 (512 bit) ParamSet A"
+#define NID_id_tc26_gost_3410_2012_512_paramSetA                998
+#define OBJ_id_tc26_gost_3410_2012_512_paramSetA                OBJ_id_tc26_gost_3410_2012_512_constants,1L
+
+#define SN_id_tc26_gost_3410_2012_512_paramSetB         "id-tc26-gost-3410-2012-512-paramSetB"
+#define LN_id_tc26_gost_3410_2012_512_paramSetB         "GOST R 34.10-2012 (512 bit) ParamSet B"
+#define NID_id_tc26_gost_3410_2012_512_paramSetB                999
+#define OBJ_id_tc26_gost_3410_2012_512_paramSetB                OBJ_id_tc26_gost_3410_2012_512_constants,2L
+
+#define SN_id_tc26_digest_constants             "id-tc26-digest-constants"
+#define NID_id_tc26_digest_constants            1000
+#define OBJ_id_tc26_digest_constants            OBJ_id_tc26_constants,2L
+
+#define SN_id_tc26_cipher_constants             "id-tc26-cipher-constants"
+#define NID_id_tc26_cipher_constants            1001
+#define OBJ_id_tc26_cipher_constants            OBJ_id_tc26_constants,5L
+
+#define SN_id_tc26_gost_28147_constants         "id-tc26-gost-28147-constants"
+#define NID_id_tc26_gost_28147_constants                1002
+#define OBJ_id_tc26_gost_28147_constants                OBJ_id_tc26_cipher_constants,1L
+
+#define SN_id_tc26_gost_28147_param_Z           "id-tc26-gost-28147-param-Z"
+#define LN_id_tc26_gost_28147_param_Z           "GOST 28147-89 TC26 parameter set"
+#define NID_id_tc26_gost_28147_param_Z          1003
+#define OBJ_id_tc26_gost_28147_param_Z          OBJ_id_tc26_gost_28147_constants,1L
+
+#define SN_INN          "INN"
+#define LN_INN          "INN"
+#define NID_INN         1004
+#define OBJ_INN         OBJ_member_body,643L,3L,131L,1L,1L
+
+#define SN_OGRN         "OGRN"
+#define LN_OGRN         "OGRN"
+#define NID_OGRN                1005
+#define OBJ_OGRN                OBJ_member_body,643L,100L,1L
+
+#define SN_SNILS                "SNILS"
+#define LN_SNILS                "SNILS"
+#define NID_SNILS               1006
+#define OBJ_SNILS               OBJ_member_body,643L,100L,3L
+
+#define SN_subjectSignTool              "subjectSignTool"
+#define LN_subjectSignTool              "Signing Tool of Subject"
+#define NID_subjectSignTool             1007
+#define OBJ_subjectSignTool             OBJ_member_body,643L,100L,111L
+
+#define SN_issuerSignTool               "issuerSignTool"
+#define LN_issuerSignTool               "Signing Tool of Issuer"
+#define NID_issuerSignTool              1008
+#define OBJ_issuerSignTool              OBJ_member_body,643L,100L,112L
+
 #define SN_camellia_128_cbc             "CAMELLIA-128-CBC"
 #define LN_camellia_128_cbc             "camellia-128-cbc"
 #define NID_camellia_128_cbc            751

From rsalz at openssl.org  Mon Aug 17 15:52:38 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 15:52:38 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439826758.405751.3291.nullmailer@dev.openssl.org>

The branch master has been updated
       via  95690a5c283c96369fa5eb1db874ff9141eb8fce (commit)
      from  493fe41bd59abe4aa72112e6708bc443f752dde3 (commit)


- Log -----------------------------------------------------------------
commit 95690a5c283c96369fa5eb1db874ff9141eb8fce
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 11:51:58 2015 -0400

    Fix breadcrumbs and over-eager .htaccess

-----------------------------------------------------------------------

Summary of changes:
 docs/.htaccess              | 8 +++-----
 docs/faq.html               | 2 +-
 source/old/0.9.x/index.html | 7 ++++---
 source/old/1.0.0/index.html | 5 +++--
 source/old/1.0.1/index.html | 5 +++--
 source/old/1.0.2/index.html | 5 +++--
 source/old/fips/index.html  | 5 +++--
 source/old/index.html       | 2 +-
 8 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/docs/.htaccess b/docs/.htaccess
index 39c9d22..756b70a 100644
--- a/docs/.htaccess
+++ b/docs/.htaccess
@@ -1,6 +1,4 @@
 RewriteEngine on
-RewriteBase /docs
-RewriteRule fips/ fips.html [L,R=302,NC]
-RewriteRule fips/fipsnotes.html fips.html [L,R=302,NC]
-RewriteRule docs/fips/fipsvalidation.html fips.html [L,R=302,NC]
-RewriteRule docs/fips/index.html fips.html [L,R=302,NC]
+RewriteRule /docs/fips/fipsnotes.html fips.html [L,R=302,NC]
+RewriteRule /docs/fips/fipsvalidation.html fips.html [L,R=302,NC]
+RewriteRule /docs/fips/index.html fips.html [L,R=302,NC]
diff --git a/docs/faq.html b/docs/faq.html
index 0f8a061..6f4be47 100644
--- a/docs/faq.html
+++ b/docs/faq.html
@@ -15,7 +15,7 @@
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
-	    : <a href=".">News</a>
+	    : <a href=".">Documentation</a>
 	    : <a href="">Frequently Asked Questions</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/source/old/0.9.x/index.html b/source/old/0.9.x/index.html
index aa1e633..6d13cf6 100644
--- a/source/old/0.9.x/index.html
+++ b/source/old/0.9.x/index.html
@@ -20,10 +20,12 @@
           </table>
           <p>&nbsp;</p>
         </div>
+        <!--#include virtual="../../sidebar.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
-          : <a href=".">Source</a>
-          : <a href="">Old Releases</a>
+          : <a href="/source">Downloads</a>
+          : <a href="/source/old">Old Releases</a>
+          : <a href="">0.9.x</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
         <!--#include virtual="/inc/legalities.inc" -->
@@ -31,7 +33,6 @@
 
 
     </div>
-    <!--#include virtual="../../sidebar.inc" -->
   </div>
 
 </div>
diff --git a/source/old/1.0.0/index.html b/source/old/1.0.0/index.html
index efbb214..4cdfc1a 100644
--- a/source/old/1.0.0/index.html
+++ b/source/old/1.0.0/index.html
@@ -23,8 +23,9 @@
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
-          : <a href=".">Source</a>
-          : <a href="">Old Releases</a>
+          : <a href="/source">Downloads</a>
+          : <a href="/source/old">Old Releases</a>
+          : <a href="">1.0.0</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
diff --git a/source/old/1.0.1/index.html b/source/old/1.0.1/index.html
index cf46c10..b90c9ce 100644
--- a/source/old/1.0.1/index.html
+++ b/source/old/1.0.1/index.html
@@ -23,8 +23,9 @@
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
-          : <a href=".">Source</a>
-          : <a href="">Old Releases</a>
+          : <a href="/source">Downloads</a>
+          : <a href="/source/old">Old Releases</a>
+          : <a href="">1.0.1</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
diff --git a/source/old/1.0.2/index.html b/source/old/1.0.2/index.html
index 9934b85..e07fea5 100644
--- a/source/old/1.0.2/index.html
+++ b/source/old/1.0.2/index.html
@@ -23,8 +23,9 @@
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
-          : <a href=".">Source</a>
-          : <a href="">Old Releases</a>
+          : <a href="/source">Downloads</a>
+          : <a href="/source/old">Old Releases</a>
+          : <a href="">1.0.2</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
diff --git a/source/old/fips/index.html b/source/old/fips/index.html
index a5058b2..a04d6a6 100644
--- a/source/old/fips/index.html
+++ b/source/old/fips/index.html
@@ -23,8 +23,9 @@
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
-          : <a href=".">Source</a>
-          : <a href="">Old Releases</a>
+          : <a href="/source">Downloads</a>
+          : <a href="/source/old">Old Releases</a>
+          : <a href="">fips</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
       </article>
diff --git a/source/old/index.html b/source/old/index.html
index 9e5b4e5..8d4e1c8 100644
--- a/source/old/index.html
+++ b/source/old/index.html
@@ -21,7 +21,7 @@
         <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
-          : <a href=".">Source</a>
+          : <a href=".">Downloads</a>
           : <a href="">Old Releases</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>

From rsalz at openssl.org  Mon Aug 17 15:54:59 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 15:54:59 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439826899.860195.3889.nullmailer@dev.openssl.org>

The branch master has been updated
       via  482ff77fec76d1610466d8b36bf2d37a9fd0349a (commit)
      from  95690a5c283c96369fa5eb1db874ff9141eb8fce (commit)


- Log -----------------------------------------------------------------
commit 482ff77fec76d1610466d8b36bf2d37a9fd0349a
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 11:54:54 2015 -0400

    move #include to right place

-----------------------------------------------------------------------

Summary of changes:
 source/old/0.9.x/index.html | 6 ++----
 source/old/1.0.0/index.html | 2 +-
 source/old/1.0.1/index.html | 2 +-
 source/old/1.0.2/index.html | 2 +-
 source/old/fips/index.html  | 2 +-
 5 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/source/old/0.9.x/index.html b/source/old/0.9.x/index.html
index 6d13cf6..f66199b 100644
--- a/source/old/0.9.x/index.html
+++ b/source/old/0.9.x/index.html
@@ -19,8 +19,8 @@
             <!--#include virtual="index.inc" -->
           </table>
           <p>&nbsp;</p>
+          <!--#include virtual="/inc/legalities.inc" -->
         </div>
-        <!--#include virtual="../../sidebar.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href="/source">Downloads</a>
@@ -28,11 +28,9 @@
           : <a href="">0.9.x</a>
           <br/><a href="/sitemap.txt">Sitemap</a>
         </footer>
-        <!--#include virtual="/inc/legalities.inc" -->
       </article>
-
-
     </div>
+    <!--#include virtual="../../sidebar.inc" -->
   </div>
 
 </div>
diff --git a/source/old/1.0.0/index.html b/source/old/1.0.0/index.html
index 4cdfc1a..125ef28 100644
--- a/source/old/1.0.0/index.html
+++ b/source/old/1.0.0/index.html
@@ -19,8 +19,8 @@
             <!--#include virtual="index.inc" -->
           </table>
           <p>&nbsp;</p>
+          <!--#include virtual="/inc/legalities.inc" -->
         </div>
-        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href="/source">Downloads</a>
diff --git a/source/old/1.0.1/index.html b/source/old/1.0.1/index.html
index b90c9ce..627193c 100644
--- a/source/old/1.0.1/index.html
+++ b/source/old/1.0.1/index.html
@@ -19,8 +19,8 @@
             <!--#include virtual="index.inc" -->
           </table>
           <p>&nbsp;</p>
+          <!--#include virtual="/inc/legalities.inc" -->
         </div>
-        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href="/source">Downloads</a>
diff --git a/source/old/1.0.2/index.html b/source/old/1.0.2/index.html
index e07fea5..930d2bf 100644
--- a/source/old/1.0.2/index.html
+++ b/source/old/1.0.2/index.html
@@ -19,8 +19,8 @@
             <!--#include virtual="index.inc" -->
           </table>
           <p>&nbsp;</p>
+          <!--#include virtual="/inc/legalities.inc" -->
         </div>
-        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href="/source">Downloads</a>
diff --git a/source/old/fips/index.html b/source/old/fips/index.html
index a04d6a6..4842af3 100644
--- a/source/old/fips/index.html
+++ b/source/old/fips/index.html
@@ -19,8 +19,8 @@
             <!--#include virtual="index.inc" -->
           </table>
           <p>&nbsp;</p>
+          <!--#include virtual="/inc/legalities.inc" -->
         </div>
-        <!--#include virtual="/inc/legalities.inc" -->
         <footer>
           You are here: <a href="/">Home</a>
           : <a href="/source">Downloads</a>

From levitte at openssl.org  Mon Aug 17 16:22:04 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 17 Aug 2015 16:22:04 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1439828524.610183.7397.nullmailer@dev.openssl.org>

The branch master has been updated
       via  3da9505dc02b0594633c73a11343f54bb5dbf536 (commit)
      from  31001f813172f73e4a27300ef39fc45e2b372a38 (commit)


- Log -----------------------------------------------------------------
commit 3da9505dc02b0594633c73a11343f54bb5dbf536
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 17 18:10:16 2015 +0200

    Add new types to indent.pro
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 util/indent.pro | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/util/indent.pro b/util/indent.pro
index 2a51225..4d1bd45 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -725,3 +725,9 @@
 -T int16_t
 -T uint8_t
 -T int8_t
+-T STRINT_PAIR
+-T felem
+-T felem_bytearray
+-T SH_LIST
+-T PACKET
+-T RECORD_LAYER

From levitte at openssl.org  Mon Aug 17 16:24:54 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 17 Aug 2015 16:24:54 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1439828694.096661.8519.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  b012b497eaac76da42ef6741d50c3c17ec8ed732 (commit)
      from  6786c70ec112ac11b31ff19bb9e52a70ba0b5220 (commit)


- Log -----------------------------------------------------------------
commit b012b497eaac76da42ef6741d50c3c17ec8ed732
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 17 18:10:16 2015 +0200

    Add new types to indent.pro
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 3da9505dc02b0594633c73a11343f54bb5dbf536)

-----------------------------------------------------------------------

Summary of changes:
 util/indent.pro | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/util/indent.pro b/util/indent.pro
index e871431..4dcda5d 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -749,3 +749,19 @@
 -T ssl_trace_tbl
 -T _stdcall
 -T tls12_lookup
+-T OPTIONS
+-T OPT_PAIR
+-T uint64_t
+-T int64_t
+-T uint32_t
+-T int32_t
+-T uint16_t
+-T int16_t
+-T uint8_t
+-T int8_t
+-T STRINT_PAIR
+-T felem
+-T felem_bytearray
+-T SH_LIST
+-T PACKET
+-T RECORD_LAYER

From levitte at openssl.org  Mon Aug 17 16:25:37 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 17 Aug 2015 16:25:37 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1439828737.737488.8773.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  2507c8cfb3664cfd9bf94e597e83afb4646451de (commit)
      from  98e75c0b699eb4a1b68ed3f1ab44ec0cc4a7555d (commit)


- Log -----------------------------------------------------------------
commit 2507c8cfb3664cfd9bf94e597e83afb4646451de
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 17 18:10:16 2015 +0200

    Add new types to indent.pro
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 3da9505dc02b0594633c73a11343f54bb5dbf536)

-----------------------------------------------------------------------

Summary of changes:
 util/indent.pro | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/util/indent.pro b/util/indent.pro
index e871431..4dcda5d 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -749,3 +749,19 @@
 -T ssl_trace_tbl
 -T _stdcall
 -T tls12_lookup
+-T OPTIONS
+-T OPT_PAIR
+-T uint64_t
+-T int64_t
+-T uint32_t
+-T int32_t
+-T uint16_t
+-T int16_t
+-T uint8_t
+-T int8_t
+-T STRINT_PAIR
+-T felem
+-T felem_bytearray
+-T SH_LIST
+-T PACKET
+-T RECORD_LAYER

From rsalz at openssl.org  Mon Aug 17 16:52:39 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 16:52:39 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439830359.659549.11517.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a98bd690c360dcb61e000dd9c0d3a43bc5c39ac5 (commit)
      from  482ff77fec76d1610466d8b36bf2d37a9fd0349a (commit)


- Log -----------------------------------------------------------------
commit a98bd690c360dcb61e000dd9c0d3a43bc5c39ac5
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 12:52:35 2015 -0400

    update version fro 2.0.1 to 2.0.9

-----------------------------------------------------------------------

Summary of changes:
 docs/fips.html           | 8 +++++---
 docs/fipsvalidation.html | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/docs/fips.html b/docs/fips.html
index a942515..ecf4157 100644
--- a/docs/fips.html
+++ b/docs/fips.html
@@ -22,7 +22,7 @@
 
 
 	    <p>The most recent open source based validation of a cryptographic
-	    module (Module) compatible with the OpenSSL libraries is v2.0.1,
+	    module (Module) compatible with the OpenSSL libraries is v2.0.9,
 	    FIPS 140-2 certificate <a
 	    href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
 	    This Module is documented in the
@@ -33,8 +33,10 @@
 	    includes the largest number of formally tested platforms for any
 	    validated module.</p>
 
-	    The <a href="/source/openssl-fips-2.0.1.tar.gz">source code</a> and
-	    <a href="fips/UserGuide-2.0.pdf">User Guide</a> are available.
+	    The <a href="/source/openssl-fips-2.0.9.tar.gz">source code</a>,
+	    <a href="fips/UserGuide-2.0.pdf">User Guide</a>, and
+            <a href="fips/SecurityPolicy-2.0.9.pdf">Secure Policy</a>
+            are available.
 	    Here is the complete set of files:</p>
 
 
diff --git a/docs/fipsvalidation.html b/docs/fipsvalidation.html
index f978210..32155da 100644
--- a/docs/fipsvalidation.html
+++ b/docs/fipsvalidation.html
@@ -11,7 +11,7 @@
 
 	  <div class="entry-content">
 	    <p>The most recent open source based validation of a cryptographic
-	    module (Module) compatible with the OpenSSL libraries is v2.0.1,
+	    module (Module) compatible with the OpenSSL libraries is v2.0.9,
 	    FIPS 140-2 certificate <a
 	    href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
 	    This Module is documented in the

From rsalz at openssl.org  Mon Aug 17 17:03:28 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 17:03:28 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439831008.702118.12741.nullmailer@dev.openssl.org>

The branch master has been updated
       via  51bd993076419bff35c388606e25d3996f65e225 (commit)
      from  a98bd690c360dcb61e000dd9c0d3a43bc5c39ac5 (commit)


- Log -----------------------------------------------------------------
commit 51bd993076419bff35c388606e25d3996f65e225
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 13:03:25 2015 -0400

    fix typo

-----------------------------------------------------------------------

Summary of changes:
 docs/fips.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/fips.html b/docs/fips.html
index ecf4157..84be232 100644
--- a/docs/fips.html
+++ b/docs/fips.html
@@ -35,7 +35,7 @@
 
 	    The <a href="/source/openssl-fips-2.0.9.tar.gz">source code</a>,
 	    <a href="fips/UserGuide-2.0.pdf">User Guide</a>, and
-            <a href="fips/SecurityPolicy-2.0.9.pdf">Secure Policy</a>
+            <a href="fips/SecurityPolicy-2.0.9.pdf">Security Policy</a>
             are available.
 	    Here is the complete set of files:</p>
 

From rsalz at openssl.org  Mon Aug 17 23:15:02 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 17 Aug 2015 23:15:02 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439853302.050241.16289.nullmailer@dev.openssl.org>

The branch master has been updated
       via  992df581a4be334caea668d039fa17840b8fa12b (commit)
      from  51bd993076419bff35c388606e25d3996f65e225 (commit)


- Log -----------------------------------------------------------------
commit 992df581a4be334caea668d039fa17840b8fa12b
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 19:14:58 2015 -0400

    fix some URL formatting

-----------------------------------------------------------------------

Summary of changes:
 docs/faq.txt | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/docs/faq.txt b/docs/faq.txt
index 0197da3..f4356a7 100644
--- a/docs/faq.txt
+++ b/docs/faq.txt
@@ -481,8 +481,7 @@ administrators.
 
 Other projects do have other policies so you can for example extract the CA
 bundle used by Mozilla and/or modssl as described in this article:
-
-  <URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
+<URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
 
 
 * Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
@@ -491,8 +490,7 @@ OpenSSL 1.0.1 is the first release to support TLS 1.2, among other things,
 this increases the size of the default ClientHello message to more than
 255 bytes in length. Some software cannot handle this and hangs. For more
 details and workarounds see:
-
-  <URL: https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
+<URL: https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771>
 
 
 [BUILD] =======================================================================

From rsalz at openssl.org  Tue Aug 18 01:53:11 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 01:53:11 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439862791.620276.1382.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ecb4761f1005798aae0dbeb33159649bc66c6b5d (commit)
      from  992df581a4be334caea668d039fa17840b8fa12b (commit)


- Log -----------------------------------------------------------------
commit ecb4761f1005798aae0dbeb33159649bc66c6b5d
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 21:52:20 2015 -0400

    skelton for manpages hierarchy

-----------------------------------------------------------------------

Summary of changes:
 docs/manpages.html  | 44 ++++++++++++++++++++++++++++++++++++++++++++
 docs/mp-098.html    | 39 +++++++++++++++++++++++++++++++++++++++
 docs/mp-100.html    | 39 +++++++++++++++++++++++++++++++++++++++
 docs/mp-101.html    | 39 +++++++++++++++++++++++++++++++++++++++
 docs/mp-102.html    | 39 +++++++++++++++++++++++++++++++++++++++
 docs/mp-master.html | 39 +++++++++++++++++++++++++++++++++++++++
 docs/sidebar.inc    |  3 +++
 7 files changed, 242 insertions(+)
 create mode 100644 docs/manpages.html
 create mode 100644 docs/mp-098.html
 create mode 100644 docs/mp-100.html
 create mode 100644 docs/mp-101.html
 create mode 100644 docs/mp-102.html
 create mode 100644 docs/mp-master.html

diff --git a/docs/manpages.html b/docs/manpages.html
new file mode 100644
index 0000000..3e7f2ff
--- /dev/null
+++ b/docs/manpages.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Manpages</h2></header>
+	  <div class="entry-content">
+            <p>
+            <strong>
+              <hr>
+              STILL A WORK IN PROGRESS.  NOT FINISHED!
+              <hr>
+            </strong>
+            </p>
+	    <p>
+            The manual pages for all releases are available online:
+	    </p>
+            <ul>
+              <li><a href="mp-master.html">Master</a></li>
+              <li><a href="mp-102.html">1.0.2</a></li>
+              <li><a href="mp-101.html">1.0.1</a></li>
+              <li><a href="mp-100.html">1.0.0</a></li>
+              <li><a href="mp-098.html">0.9.8</a></li>
+            </ul>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="">Manpages</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+
diff --git a/docs/mp-098.html b/docs/mp-098.html
new file mode 100644
index 0000000..17d9a7e
--- /dev/null
+++ b/docs/mp-098.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Manpages for 0.9.8</h2></header>
+	  <div class="entry-content">
+	    <p>
+            The manual pages for the 0.9.8 branch are
+            available here.
+            The OpenSSL documentation is divided into three
+            parts:
+	    </p>
+            <ul>
+              <li><a href="0.9.8/apps/openssl.html">The openssl command</a></li>
+              <li><a href="0.9.8/ssl/ssl.html">The ssl library</a></li>
+              <li><a href="0.9.8/crypto/crypto.html">The crypto library</a></li>
+            </ul>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="manpages">Manpages</a>
+	    : <a href="">0.9.8</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+
diff --git a/docs/mp-100.html b/docs/mp-100.html
new file mode 100644
index 0000000..c08ec5b
--- /dev/null
+++ b/docs/mp-100.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Manpages for 1.0.0</h2></header>
+	  <div class="entry-content">
+	    <p>
+            The manual pages for the 1.0.0 branch are
+            available here.
+            The OpenSSL documentation is divided into three
+            parts:
+	    </p>
+            <ul>
+              <li><a href="1.0.0/apps/openssl.html">The openssl command</a></li>
+              <li><a href="1.0.0/ssl/ssl.html">The ssl library</a></li>
+              <li><a href="1.0.0/crypto/crypto.html">The crypto library</a></li>
+            </ul>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="manpages">Manpages</a>
+	    : <a href="">1.0.0</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+
diff --git a/docs/mp-101.html b/docs/mp-101.html
new file mode 100644
index 0000000..0cffdc8
--- /dev/null
+++ b/docs/mp-101.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Manpages for 1.0.1</h2></header>
+	  <div class="entry-content">
+	    <p>
+            The manual pages for the 1.0.1 branch are
+            available here.
+            The OpenSSL documentation is divided into three
+            parts:
+	    </p>
+            <ul>
+              <li><a href="1.0.1/apps/openssl.html">The openssl command</a></li>
+              <li><a href="1.0.1/ssl/ssl.html">The ssl library</a></li>
+              <li><a href="1.0.1/crypto/crypto.html">The crypto library</a></li>
+            </ul>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="manpages">Manpages</a>
+	    : <a href="">1.0.1</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+
diff --git a/docs/mp-102.html b/docs/mp-102.html
new file mode 100644
index 0000000..4193430
--- /dev/null
+++ b/docs/mp-102.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <div class="entry-content">
+	    <p>
+            The manual pages for the 1.0.2 branch are
+            available here.
+            The OpenSSL documentation is divided into three
+            parts:
+	    </p>
+            <ul>
+              <li><a href="1.0.2/apps/openssl.html">The openssl command</a></li>
+              <li><a href="1.0.2/ssl/ssl.html">The ssl library</a></li>
+              <li><a href="1.0.2/crypto/crypto.html">The crypto library</a></li>
+            </ul>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="manpages">Manpages</a>
+	    : <a href="">1.0.2</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+
diff --git a/docs/mp-master.html b/docs/mp-master.html
new file mode 100644
index 0000000..d4c923a
--- /dev/null
+++ b/docs/mp-master.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>Manpages for master</h2></header>
+	  <div class="entry-content">
+	    <p>
+            The manual pages for the master branch are
+            available here.
+            The OpenSSL documentation is divided into three
+            parts:
+	    </p>
+            <ul>
+              <li><a href="master/apps/openssl.html">The openssl command</a></li>
+              <li><a href="master/ssl/ssl.html">The ssl library</a></li>
+              <li><a href="master/crypto/crypto.html">The crypto library</a></li>
+            </ul>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+	    : <a href=".">Documentation</a>
+	    : <a href="manpages">Manpages</a>
+	    : <a href="">master</a>
+	    <br/><a href="/sitemap.txt">Sitemap</a>
+	  </footer>
+	</article>
+      </div>
+      <!--#include virtual="sidebar.inc" -->
+    </div>
+  </div>
+<!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+
diff --git a/docs/sidebar.inc b/docs/sidebar.inc
index 13d62a7..a603a43 100644
--- a/docs/sidebar.inc
+++ b/docs/sidebar.inc
@@ -7,6 +7,9 @@
 	<a href="faq.html">FAQ</a>
       </li>
       <li>
+	<a href="manpages.html">Manpages</a>
+      </li>
+      <li>
         <a href="fips.html">FIPS-140 Validation</a>
       </li>
     </ul>

From rsalz at openssl.org  Tue Aug 18 02:15:35 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 02:15:35 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439864135.384646.4170.nullmailer@dev.openssl.org>

The branch master has been updated
       via  754b4f4d892bbaaf333bb5a0be2078e80b5927d2 (commit)
      from  ecb4761f1005798aae0dbeb33159649bc66c6b5d (commit)


- Log -----------------------------------------------------------------
commit 754b4f4d892bbaaf333bb5a0be2078e80b5927d2
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 22:15:31 2015 -0400

    fix prose to match sidebar ordering

-----------------------------------------------------------------------

Summary of changes:
 docs/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/index.html b/docs/index.html
index 72e3f1e..df2a681 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -19,6 +19,9 @@
 	    <a href="fips.html">FIPS-140 validation</a> is also
 	    available.</p>
 
+	    <p>Online versions of the manpages are not yet available,
+	    but will be shortly.</p>
+
 	    <p>Ivan Risti&#x0107;, the creator of
 	    <a href="https://ssllabs.com">https://ssllabs.com</a>,
 	    has a free download of his <em>OpenSSL Cookbook</em>
@@ -29,9 +32,6 @@
 	      href="https://www.feistyduck.com/books/openssl-cookbook/">https://www.feistyduck.com/books/openssl-cookbook/</a>.
 	    It is highly recommended.
 	    </p>
-
-	    <p>Online versions of the manpages are not yet available,
-	    but will be shortly.</p>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>

From rsalz at openssl.org  Tue Aug 18 14:46:39 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 14:46:39 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439909199.779031.6455.nullmailer@dev.openssl.org>

The branch master has been updated
       via  513aa39c856bcd2f1248451222056ac0b420e900 (commit)
      from  754b4f4d892bbaaf333bb5a0be2078e80b5927d2 (commit)


- Log -----------------------------------------------------------------
commit 513aa39c856bcd2f1248451222056ac0b420e900
Author: Viktor Szakats <vszakats at users.noreply.github.com>
Date:   Tue Aug 18 15:05:36 2015 +0200

    FAQ: use https URLs
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>

-----------------------------------------------------------------------

Summary of changes:
 docs/faq.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/faq.txt b/docs/faq.txt
index f4356a7..85b8092 100644
--- a/docs/faq.txt
+++ b/docs/faq.txt
@@ -481,7 +481,7 @@ administrators.
 
 Other projects do have other policies so you can for example extract the CA
 bundle used by Mozilla and/or modssl as described in this article:
-<URL: http://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
+<URL: https://www.mail-archive.com/modssl-users at modssl.org/msg16980.html>
 
 
 * Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?
@@ -532,7 +532,7 @@ when you run the test suite (using "make test").  The message returned is
 "bc: 1 not implemented".
 
 The best way to deal with this is to find another implementation of bc
-and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>
+and compile/install it.  GNU bc (see <URL: https://www.gnu.org/software/software.html>
 for download instructions) can be safely used, for example.
 
 

From rsalz at openssl.org  Tue Aug 18 19:11:44 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 19:11:44 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439925104.224919.18118.nullmailer@dev.openssl.org>

The branch master has been updated
       via  518b232a5a318b65897e3352b4ad21c6fc4d9448 (commit)
      from  513aa39c856bcd2f1248451222056ac0b420e900 (commit)


- Log -----------------------------------------------------------------
commit 518b232a5a318b65897e3352b4ad21c6fc4d9448
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 18 15:11:30 2015 -0400

    create per-branch subdirs.

-----------------------------------------------------------------------

Summary of changes:
 docs/{mp-098.html => man098/index.html}       | 10 +++++-----
 docs/{mp-100.html => man100/index.html}       | 10 +++++-----
 docs/{mp-101.html => man101/index.html}       | 10 +++++-----
 docs/{mp-102.html => man102/index.html}       | 10 +++++-----
 docs/{mp-master.html => manmaster/index.html} | 10 +++++-----
 docs/manpages.html                            | 10 +++++-----
 6 files changed, 30 insertions(+), 30 deletions(-)
 rename docs/{mp-098.html => man098/index.html} (72%)
 rename docs/{mp-100.html => man100/index.html} (72%)
 rename docs/{mp-101.html => man101/index.html} (72%)
 rename docs/{mp-102.html => man102/index.html} (72%)
 rename docs/{mp-master.html => manmaster/index.html} (71%)

diff --git a/docs/mp-098.html b/docs/man098/index.html
similarity index 72%
rename from docs/mp-098.html
rename to docs/man098/index.html
index 17d9a7e..5395471 100644
--- a/docs/mp-098.html
+++ b/docs/man098/index.html
@@ -16,15 +16,15 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="0.9.8/apps/openssl.html">The openssl command</a></li>
-              <li><a href="0.9.8/ssl/ssl.html">The ssl library</a></li>
-              <li><a href="0.9.8/crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps/openssl.html">The openssl command</a></li>
+              <li><a href="ssl/ssl.html">The ssl library</a></li>
+              <li><a href="crypto/crypto.html">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
-	    : <a href=".">Documentation</a>
-	    : <a href="manpages">Manpages</a>
+	    : <a href="/docs">Documentation</a>
+	    : <a href="/docsmanpages.html">Manpages</a>
 	    : <a href="">0.9.8</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/docs/mp-100.html b/docs/man100/index.html
similarity index 72%
rename from docs/mp-100.html
rename to docs/man100/index.html
index c08ec5b..52cd523 100644
--- a/docs/mp-100.html
+++ b/docs/man100/index.html
@@ -16,15 +16,15 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="1.0.0/apps/openssl.html">The openssl command</a></li>
-              <li><a href="1.0.0/ssl/ssl.html">The ssl library</a></li>
-              <li><a href="1.0.0/crypto/crypto.html">The crypto library</a></li>
+              <li><a href="/apps/openssl.html">The openssl command</a></li>
+              <li><a href="/ssl/ssl.html">The ssl library</a></li>
+              <li><a href="/crypto/crypto.html">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
-	    : <a href=".">Documentation</a>
-	    : <a href="manpages">Manpages</a>
+	    : <a href="/docs">Documentation</a>
+	    : <a href="/docs/manpages.html">Manpages</a>
 	    : <a href="">1.0.0</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/docs/mp-101.html b/docs/man101/index.html
similarity index 72%
rename from docs/mp-101.html
rename to docs/man101/index.html
index 0cffdc8..0e1ebe6 100644
--- a/docs/mp-101.html
+++ b/docs/man101/index.html
@@ -16,15 +16,15 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="1.0.1/apps/openssl.html">The openssl command</a></li>
-              <li><a href="1.0.1/ssl/ssl.html">The ssl library</a></li>
-              <li><a href="1.0.1/crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps/openssl.html">The openssl command</a></li>
+              <li><a href="ssl/ssl.html">The ssl library</a></li>
+              <li><a href="crypto/crypto.html">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
-	    : <a href=".">Documentation</a>
-	    : <a href="manpages">Manpages</a>
+	    : <a href="/docs">Documentation</a>
+	    : <a href="/docs/manpages.html">Manpages</a>
 	    : <a href="">1.0.1</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/docs/mp-102.html b/docs/man102/index.html
similarity index 72%
rename from docs/mp-102.html
rename to docs/man102/index.html
index 4193430..ff4b6f7 100644
--- a/docs/mp-102.html
+++ b/docs/man102/index.html
@@ -16,15 +16,15 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="1.0.2/apps/openssl.html">The openssl command</a></li>
-              <li><a href="1.0.2/ssl/ssl.html">The ssl library</a></li>
-              <li><a href="1.0.2/crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps/openssl.html">The openssl command</a></li>
+              <li><a href="ssl/ssl.html">The ssl library</a></li>
+              <li><a href="crypto/crypto.html">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
-	    : <a href=".">Documentation</a>
-	    : <a href="manpages">Manpages</a>
+	    : <a href="/docs">Documentation</a>
+	    : <a href="/docs/manpages.html">Manpages</a>
 	    : <a href="">1.0.2</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/docs/mp-master.html b/docs/manmaster/index.html
similarity index 71%
rename from docs/mp-master.html
rename to docs/manmaster/index.html
index d4c923a..25750c3 100644
--- a/docs/mp-master.html
+++ b/docs/manmaster/index.html
@@ -16,15 +16,15 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="master/apps/openssl.html">The openssl command</a></li>
-              <li><a href="master/ssl/ssl.html">The ssl library</a></li>
-              <li><a href="master/crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps/openssl.html">The openssl command</a></li>
+              <li><a href="ssl/ssl.html">The ssl library</a></li>
+              <li><a href="crypto/crypto.html">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
-	    : <a href=".">Documentation</a>
-	    : <a href="manpages">Manpages</a>
+	    : <a href="/docs">Documentation</a>
+	    : <a href="/docs/manpages.html">Manpages</a>
 	    : <a href="">master</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/docs/manpages.html b/docs/manpages.html
index 3e7f2ff..ccf1568 100644
--- a/docs/manpages.html
+++ b/docs/manpages.html
@@ -20,11 +20,11 @@
             The manual pages for all releases are available online:
 	    </p>
             <ul>
-              <li><a href="mp-master.html">Master</a></li>
-              <li><a href="mp-102.html">1.0.2</a></li>
-              <li><a href="mp-101.html">1.0.1</a></li>
-              <li><a href="mp-100.html">1.0.0</a></li>
-              <li><a href="mp-098.html">0.9.8</a></li>
+              <li><a href="manmaster">Master</a></li>
+              <li><a href="man102">1.0.2</a></li>
+              <li><a href="man101">1.0.1</a></li>
+              <li><a href="man100">1.0.0</a></li>
+              <li><a href="man098">0.9.8</a></li>
             </ul>
 	  </div>
 	  <footer>

From rsalz at openssl.org  Tue Aug 18 19:19:38 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 19:19:38 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439925578.083086.30423.nullmailer@dev.openssl.org>

The branch master has been updated
       via  06c02c5ca3ea1dd8b6bf9b4bfb1d7c9cde317378 (commit)
      from  518b232a5a318b65897e3352b4ad21c6fc4d9448 (commit)


- Log -----------------------------------------------------------------
commit 06c02c5ca3ea1dd8b6bf9b4bfb1d7c9cde317378
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 18 15:19:35 2015 -0400

    add manpage sidebar

-----------------------------------------------------------------------

Summary of changes:
 docs/man098/index.html    |  2 +-
 docs/man100/index.html    |  2 +-
 docs/man101/index.html    |  2 +-
 docs/man102/index.html    |  2 +-
 docs/manmaster/index.html |  2 +-
 inc/mansidebar.inc        | 14 ++++++++++++++
 6 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 inc/mansidebar.inc

diff --git a/docs/man098/index.html b/docs/man098/index.html
index 5395471..6e3a215 100644
--- a/docs/man098/index.html
+++ b/docs/man098/index.html
@@ -30,7 +30,7 @@
 	  </footer>
 	</article>
       </div>
-      <!--#include virtual="sidebar.inc" -->
+      <!--#include virtual="/inc/mansidebar.inc" -->
     </div>
   </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/docs/man100/index.html b/docs/man100/index.html
index 52cd523..6ff5644 100644
--- a/docs/man100/index.html
+++ b/docs/man100/index.html
@@ -30,7 +30,7 @@
 	  </footer>
 	</article>
       </div>
-      <!--#include virtual="sidebar.inc" -->
+      <!--#include virtual="/inc/mansidebar.inc" -->
     </div>
   </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/docs/man101/index.html b/docs/man101/index.html
index 0e1ebe6..ff6bf0e 100644
--- a/docs/man101/index.html
+++ b/docs/man101/index.html
@@ -30,7 +30,7 @@
 	  </footer>
 	</article>
       </div>
-      <!--#include virtual="sidebar.inc" -->
+      <!--#include virtual="/inc/mansidebar.inc" -->
     </div>
   </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/docs/man102/index.html b/docs/man102/index.html
index ff4b6f7..23b15b3 100644
--- a/docs/man102/index.html
+++ b/docs/man102/index.html
@@ -30,7 +30,7 @@
 	  </footer>
 	</article>
       </div>
-      <!--#include virtual="sidebar.inc" -->
+      <!--#include virtual="/inc/mansidebar.inc" -->
     </div>
   </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/docs/manmaster/index.html b/docs/manmaster/index.html
index 25750c3..1c5348e 100644
--- a/docs/manmaster/index.html
+++ b/docs/manmaster/index.html
@@ -30,7 +30,7 @@
 	  </footer>
 	</article>
       </div>
-      <!--#include virtual="sidebar.inc" -->
+      <!--#include virtual="/inc/mansidebar.inc" -->
     </div>
   </div>
 <!--#include virtual="/inc/footer.inc" -->
diff --git a/inc/mansidebar.inc b/inc/mansidebar.inc
new file mode 100644
index 0000000..8536082
--- /dev/null
+++ b/inc/mansidebar.inc
@@ -0,0 +1,14 @@
+<!-- sidebar.inc -->
+<aside class="sidebar">
+  <section>
+    <h1><a href=".">Manpages</a></h1>
+    <ul>
+      <li><a href="manmaster">Master</a></li>
+      <li><a href="man102">1.0.2</a></li>
+      <li><a href="man101">1.0.1</a></li>
+      <li><a href="man100">1.0.0</a></li>
+      <li><a href="man098">0.9.8</a></li>
+    </ul>
+  </section>
+</aside>
+<!-- end -->

From rsalz at openssl.org  Tue Aug 18 19:20:22 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 19:20:22 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439925622.607971.31860.nullmailer@dev.openssl.org>

The branch master has been updated
       via  3310befa6cadcb277da97e7cb56bcc6abaa0cae2 (commit)
      from  06c02c5ca3ea1dd8b6bf9b4bfb1d7c9cde317378 (commit)


- Log -----------------------------------------------------------------
commit 3310befa6cadcb277da97e7cb56bcc6abaa0cae2
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 18 15:20:19 2015 -0400

    fix sidebar.

-----------------------------------------------------------------------

Summary of changes:
 inc/mansidebar.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/inc/mansidebar.inc b/inc/mansidebar.inc
index 8536082..e5769b4 100644
--- a/inc/mansidebar.inc
+++ b/inc/mansidebar.inc
@@ -3,11 +3,11 @@
   <section>
     <h1><a href=".">Manpages</a></h1>
     <ul>
-      <li><a href="manmaster">Master</a></li>
-      <li><a href="man102">1.0.2</a></li>
-      <li><a href="man101">1.0.1</a></li>
-      <li><a href="man100">1.0.0</a></li>
-      <li><a href="man098">0.9.8</a></li>
+      <li><a href="/docs/manmaster">Master</a></li>
+      <li><a href="/docs/man102">1.0.2</a></li>
+      <li><a href="/docs/man101">1.0.1</a></li>
+      <li><a href="/docs/man100">1.0.0</a></li>
+      <li><a href="/docs/man098">0.9.8</a></li>
     </ul>
   </section>
 </aside>

From rsalz at openssl.org  Tue Aug 18 19:28:17 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 18 Aug 2015 19:28:17 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439926097.487101.11482.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ed1682d91272eadb55306f525f84660e8bf19458 (commit)
      from  3310befa6cadcb277da97e7cb56bcc6abaa0cae2 (commit)


- Log -----------------------------------------------------------------
commit ed1682d91272eadb55306f525f84660e8bf19458
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 18 15:28:14 2015 -0400

    rename man subdirs

-----------------------------------------------------------------------

Summary of changes:
 docs/{man098 => man0.9.8}/index.html |  0
 docs/{man100 => man1.0.0}/index.html |  0
 docs/{man101 => man1.0.1}/index.html |  0
 docs/{man102 => man1.0.2}/index.html |  0
 docs/manpages.html                   |  8 ++++----
 inc/mansidebar.inc                   | 10 +++++-----
 6 files changed, 9 insertions(+), 9 deletions(-)
 rename docs/{man098 => man0.9.8}/index.html (100%)
 rename docs/{man100 => man1.0.0}/index.html (100%)
 rename docs/{man101 => man1.0.1}/index.html (100%)
 rename docs/{man102 => man1.0.2}/index.html (100%)

diff --git a/docs/man098/index.html b/docs/man0.9.8/index.html
similarity index 100%
rename from docs/man098/index.html
rename to docs/man0.9.8/index.html
diff --git a/docs/man100/index.html b/docs/man1.0.0/index.html
similarity index 100%
rename from docs/man100/index.html
rename to docs/man1.0.0/index.html
diff --git a/docs/man101/index.html b/docs/man1.0.1/index.html
similarity index 100%
rename from docs/man101/index.html
rename to docs/man1.0.1/index.html
diff --git a/docs/man102/index.html b/docs/man1.0.2/index.html
similarity index 100%
rename from docs/man102/index.html
rename to docs/man1.0.2/index.html
diff --git a/docs/manpages.html b/docs/manpages.html
index ccf1568..f07f8b7 100644
--- a/docs/manpages.html
+++ b/docs/manpages.html
@@ -21,10 +21,10 @@
 	    </p>
             <ul>
               <li><a href="manmaster">Master</a></li>
-              <li><a href="man102">1.0.2</a></li>
-              <li><a href="man101">1.0.1</a></li>
-              <li><a href="man100">1.0.0</a></li>
-              <li><a href="man098">0.9.8</a></li>
+              <li><a href="man1.0.2">1.0.2</a></li>
+              <li><a href="man1.0.1">1.0.1</a></li>
+              <li><a href="man1.0.0">1.0.0</a></li>
+              <li><a href="man0.9.8">0.9.8</a></li>
             </ul>
 	  </div>
 	  <footer>
diff --git a/inc/mansidebar.inc b/inc/mansidebar.inc
index e5769b4..e005f65 100644
--- a/inc/mansidebar.inc
+++ b/inc/mansidebar.inc
@@ -1,13 +1,13 @@
 <!-- sidebar.inc -->
 <aside class="sidebar">
   <section>
-    <h1><a href=".">Manpages</a></h1>
+    <h1><a href="/docs/manpages.html">Manpages</a></h1>
     <ul>
       <li><a href="/docs/manmaster">Master</a></li>
-      <li><a href="/docs/man102">1.0.2</a></li>
-      <li><a href="/docs/man101">1.0.1</a></li>
-      <li><a href="/docs/man100">1.0.0</a></li>
-      <li><a href="/docs/man098">0.9.8</a></li>
+      <li><a href="/docs/man1.0.2">1.0.2</a></li>
+      <li><a href="/docs/man1.0.1">1.0.1</a></li>
+      <li><a href="/docs/man1.0.0">1.0.0</a></li>
+      <li><a href="/docs/man0.9.8">0.9.8</a></li>
     </ul>
   </section>
 </aside>

From rsalz at openssl.org  Wed Aug 19 01:51:20 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 01:51:20 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439949080.496643.2693.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2649223c44ae1865687ba9b67911778d1cc84516 (commit)
      from  ed1682d91272eadb55306f525f84660e8bf19458 (commit)


- Log -----------------------------------------------------------------
commit 2649223c44ae1865687ba9b67911778d1cc84516
Author: Rich Salz <rsalz at akamai.com>
Date:   Tue Aug 18 21:51:16 2015 -0400

    fix rewrite rule for old fips files

-----------------------------------------------------------------------

Summary of changes:
 docs/.htaccess |  6 ++--
 manpage.css    | 96 ----------------------------------------------------------
 2 files changed, 3 insertions(+), 99 deletions(-)
 delete mode 100644 manpage.css

diff --git a/docs/.htaccess b/docs/.htaccess
index 756b70a..499430b 100644
--- a/docs/.htaccess
+++ b/docs/.htaccess
@@ -1,4 +1,4 @@
 RewriteEngine on
-RewriteRule /docs/fips/fipsnotes.html fips.html [L,R=302,NC]
-RewriteRule /docs/fips/fipsvalidation.html fips.html [L,R=302,NC]
-RewriteRule /docs/fips/index.html fips.html [L,R=302,NC]
+RewriteRule fips/fipsnotes.html /docs/fipsnotes.html [L,R=302,NC]
+RewriteRule fips/fipsvalidation.html /docs/fipsvalidation.html [L,R=302,NC]
+RewriteRule fips/index.html /docs/fips/fips.html [L,R=302,NC]
diff --git a/manpage.css b/manpage.css
deleted file mode 100644
index 1fc97bc..0000000
--- a/manpage.css
+++ /dev/null
@@ -1,96 +0,0 @@
-BODY {
-	background: white;
-	color: black;
-	font-family: arial,sans-serif;
-	margin: 0;
-	padding: 1ex;
-}
-TABLE {
-	border-collapse: collapse;
-	border-spacing: 0;
-	border-width: 0;
-	color: inherit;
-}
-IMG { border: 0; }
-FORM { margin: 0; }
-input { margin: 2px; }
-A.fred {
-	text-decoration: none;
-}
-A:link, A:visited {
-	background: transparent;
-	color: #006699;
-}
-TD {
-	margin: 0;
-	padding: 0;
-}
-DIV {
-	border-width: 0;
-}
-DT {
-	margin-top: 1em;
-}
-TH {
-	background: #bbbbbb;
-	color: inherit;
-	padding: 0.4ex 1ex;
-	text-align: left;
-}
-TH A:link, TH A:visited {
-	background: transparent;
-	color: black;
-}
-A.m:link, A.m:visited {
-	background: #006699;
-	color: white;
-	font: bold 10pt Arial,Helvetica,sans-serif;
-	text-decoration: none;
-}
-A.o:link, A.o:visited {
-	background: #006699;
-	color: #ccffcc;
-	font: bold 10pt Arial,Helvetica,sans-serif;
-	text-decoration: none;
-}
-A.o:hover {
-	background: transparent;
-	color: #ff6600;
-	text-decoration: underline;
-}
-A.m:hover {
-	background: transparent;
-	color: #ff6600;
-	text-decoration: underline;
-}
-table.dlsip     {
-	background: #dddddd;
-	border: 0.4ex solid #dddddd;
-}
-.pod PRE     {
-	background: #eeeeee;
-	border: 1px solid #888888;
-	color: black;
-	padding-top: 1em;
-	white-space: pre;
-}
-.pod H1      {
-	background: transparent;
-	color: #006699;
-	font-size: large;
-}
-.pod H2      {
-	background: transparent;
-	color: #006699;
-	font-size: medium;
-}
-.pod IMG     {
-	vertical-align: top;
-}
-.pod .toc A  {
-	text-decoration: none;
-}
-.pod .toc LI {
-	line-height: 1.2em;
-	list-style-type: none;
-}

From levitte at openssl.org  Wed Aug 19 08:31:04 2015
From: levitte at openssl.org (Richard Levitte)
Date: Wed, 19 Aug 2015 08:31:04 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439973064.535288.19158.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f537b5075db25abbb78adc7192bec14bf0c5adcb (commit)
      from  2649223c44ae1865687ba9b67911778d1cc84516 (commit)


- Log -----------------------------------------------------------------
commit f537b5075db25abbb78adc7192bec14bf0c5adcb
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Aug 19 10:30:44 2015 +0200

    Add missing img/noise.png

-----------------------------------------------------------------------

Summary of changes:
 img/noise.png | Bin 0 -> 17742 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 img/noise.png

diff --git a/img/noise.png b/img/noise.png
new file mode 100644
index 0000000..432e05b
Binary files /dev/null and b/img/noise.png differ

From rsalz at openssl.org  Wed Aug 19 14:34:31 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 14:34:31 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439994871.483029.5156.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e60328d87d7ed3ebf918ef15dc9d5033518ad110 (commit)
      from  f537b5075db25abbb78adc7192bec14bf0c5adcb (commit)


- Log -----------------------------------------------------------------
commit e60328d87d7ed3ebf918ef15dc9d5033518ad110
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 10:34:24 2015 -0400

    fix missing closing tag

-----------------------------------------------------------------------

Summary of changes:
 docs/fipsnotes.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/fipsnotes.html b/docs/fipsnotes.html
index 56bcc55..7d66084 100644
--- a/docs/fipsnotes.html
+++ b/docs/fipsnotes.html
@@ -58,7 +58,7 @@
 	    above summary does not adequately address.  You have been
 	    warned!</p>
 
-	    <h2><a name="privatelable">The "Private Label" Validation</></h2>
+	    <h2><a name="privatelable">The "Private Label" Validation</a></h2>
 
 	    <p>We refer to validations based directly on the OpenSSL FIPS
 	    Object Module as "private label" validations.  These are also

From rsalz at openssl.org  Wed Aug 19 15:00:26 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 15:00:26 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1439996426.718436.12714.nullmailer@dev.openssl.org>

The branch master has been updated
       via  08e91ab70c9dbf61204aaf92251e1259bf67225c (commit)
      from  e60328d87d7ed3ebf918ef15dc9d5033518ad110 (commit)


- Log -----------------------------------------------------------------
commit 08e91ab70c9dbf61204aaf92251e1259bf67225c
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 11:00:08 2015 -0400

    Support for all manpage versions

-----------------------------------------------------------------------

Summary of changes:
 .gitignore    | 3 +++
 bin/mk-latest | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/.gitignore b/.gitignore
index e9f8260..f78f20a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,6 @@ source/*.patch
 source/old/*/*.tar.gz*
 source/old/*/*.patch
 source/old/*/*.txt.asc
+docs/*/apps
+docs/*/crypto
+docs/*/ssl
diff --git a/bin/mk-latest b/bin/mk-latest
index 14f586f..e7c05b2 100755
--- a/bin/mk-latest
+++ b/bin/mk-latest
@@ -43,6 +43,12 @@ RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule openssl-(1\.0\.2.*) old/1.0.1/openssl-$1 [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule openssl-(fips.*)  old/fips/openssl-$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule apps(.*)  manmaster/apps/$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule crypto(.*)  manmaster/crypto/$1 [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ssl(.*)  manmaster/ssl/$1 [L]
 
 <Files *.gz.asc>
     RemoveEncoding .gz

From rsalz at openssl.org  Wed Aug 19 16:40:16 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 16:40:16 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440002416.745437.1080.nullmailer@dev.openssl.org>

The branch master has been updated
       via  c4cd68f249965cf0578c19e489b486105a1d040b (commit)
      from  08e91ab70c9dbf61204aaf92251e1259bf67225c (commit)


- Log -----------------------------------------------------------------
commit c4cd68f249965cf0578c19e489b486105a1d040b
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 12:38:24 2015 -0400

    Add manpage scripts

-----------------------------------------------------------------------

Summary of changes:
 Makefile            |  16 +++--
 bin/getnames.pl     |  30 ---------
 bin/mk-manpages     | 180 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 bin/run-pod2html.sh |  45 -------------
 4 files changed, 192 insertions(+), 79 deletions(-)
 delete mode 100644 bin/getnames.pl
 create mode 100755 bin/mk-manpages
 delete mode 100755 bin/run-pod2html.sh

diff --git a/Makefile b/Makefile
index 2b2942d..2421530 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,10 @@
 ##
 ## Build procedure for www.openssl.org
 
+##  Checkouts.
+CHECKOUTS = /var/cache/openssl/checkouts/openssl
 ##  Snapshot directory
-SNAP = /var/cache/openssl/checkouts/openssl
+SNAP = $(CHECKOUST)/openssl
 ## Where releases are found.
 RELEASEDIR = /var/www/openssl/source
 
@@ -31,17 +33,23 @@ relupd: all
 	    echo "     sudo -u openssl -H make"; \
 	    exit 1; \
 	fi
-	cd $(SNAP)/.. ; for dir in openssl* ; do \
+	cd $(CHECKOUTS) ; for dir in openssl* ; do \
 	    echo Updating $$dir ; ( cd $$dir ; git pull $(QUIET) ) ; \
 	done
 	git pull $(QUIET)
-	$(MAKE)
+	$(MAKE) all manpages
+
+manpages:
+	./bin/mk-manpages $(CHECKOUTS)/master master doc
+	#./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.2-stable 1.0.2 doc
+	#./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.1-stable 1.0.1 doc
+	#./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.0-stable 1.0.0 doc
+	#./bin/mk-manpages $(CHECKOUTS)/openssl-0.9.8-stable 0.9.8 doc
 
 # Legacy targets
 hack-source_htaccess: all
 simple: all
 generated: all
-manpages: all
 rebuild: all
 
 clean:
diff --git a/bin/getnames.pl b/bin/getnames.pl
deleted file mode 100644
index 58ee6d0..0000000
--- a/bin/getnames.pl
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/perl
-
-my $func = $ARGV[0];
-$func =~ s/\.pod//;
-$func =~ s at .*/@@;
-
-open(FH, $ARGV[0]) || die "Can't open $ARGV[1], $!";
-$/ = "";			# Eat a paragraph at once.
-while (<FH>) {
-    chop;
-    s/\n/ /gm;
-    if (/^=head1 /) {
-	$name = 0;
-    } elsif ($name) {
-	if (/ - /) {
-	    s/ - .*//;
-	    s/,\s+/,/g;
-	    s/\s+,/,/g;
-	    s/^\s+//g;
-	    s/\s+$//g;
-	    s/\s/_/g;
-	    push @words, split ',';
-	}
-    }
-    if (/^=head1 *NAME *$/) {
-	$name = 1;
-    }
-}
-
-print join("\n", grep { $_ ne $func } @words),"\n";
diff --git a/bin/mk-manpages b/bin/mk-manpages
new file mode 100755
index 0000000..506ab57
--- /dev/null
+++ b/bin/mk-manpages
@@ -0,0 +1,180 @@
+#! /usr/bin/perl -w
+
+use strict;
+use Pod::Html;
+use Pod::Simple::XHTML;
+
+my @releases = ( 'master', '1.0.2', '1.0.1', '1.0.1', '0.9.8');
+my %relmap = map { $_ => 1 } @releases;
+my @sections = ( 'apps', 'crypto', 'ssl' );
+
+# Remove all files from a manpage subtree, and leave only
+# the index and the section subdirs.
+sub
+cleanup()
+{
+    my ( $wwwdir, $release ) = @_;
+    my $dir = "$wwwdir/man$release";
+    die "No $dir/index.html" unless -f "$dir/index.html";
+    foreach my $sect ( @sections ) {
+	mkdir "$dir/$sect" unless -d "$dir/$sect";
+	foreach my $f ( glob("$dir/$sect/*") ) {
+	    unlink $f || warn "Can't unlink $f, $!";
+	}
+    }
+}
+
+
+## Generate a manpage.
+sub
+genhtml()
+{
+    my ( $release, $section, $filename, $title, $file ) = @_;
+    my $header = <<EOFH;
+<!DOCTYPE html>
+<html lang="en">
+<!--#include virtual="/inc/head.inc" -->
+<body>
+  <!--#include virtual="/inc/banner.inc" -->
+  <div id="main">
+    <div id="content">
+      <div class="blog-index">
+	<article>
+	  <header><h2>$title</h2></header>
+	  <div class="entry-content">
+	    <p>
+
+EOFH
+    my $sidebar = <<EOS;
+<aside class="sidebar">
+  <section>
+    <h1><a href="/docs/manpages.html">All Versions</a></h1>
+    <ul>
+EOS
+    foreach my $v ( @releases ) {
+	if ( $release eq $v ) {
+	    $sidebar .= 
+"<li><a href=\"/docs/man$v/$section/$file.html\"><em>this branch</em></a></li>
+";
+	} else {
+	    $sidebar .=
+"<li><a href=\"/docs/man$v/$section/$file.html\">$v</a></li>\n";
+	}
+    }
+    $sidebar .= <<EOS;
+    </ul>
+  </section>
+</aside>
+EOS
+    my $footer = <<EOFT;
+	    </p>
+	  </div>
+	  <footer>
+	    You are here: <a href="/">Home</a>
+            : <a href="/docs">Docs</a>
+            : <a href="/docs/manpages.html">Manpages</a>
+            : <a href="/docs/man$release">$release</a>
+	    : <a href="/docs/man$release/$section">$section</a>
+	    : <a href="/docs/man$release/$section/$file.html">$file</a>
+            <br/><a href="/sitemap.txt">Sitemap</a>
+          </footer>
+	</article>
+      </div>
+      $sidebar
+    </div>
+  </div>
+  <!--#include virtual="/inc/footer.inc" -->
+</body>
+</html>
+EOFT
+
+    open(my $fh, $filename) || die "Can't open $filename, $!";
+    my $infile = do { local $/; <$fh>; };
+    # L<asdf...|qwer...> ==> L<qwer>
+    $infile =~ s/L<[^|>]*\|([^>]+)>/L<$1>/g;
+    # L<asdf(x)> --> L<asdf>
+    $infile =~ s/L<([^>]+)\(\d\)>/L<$1>/g;
+
+    my $out;
+    my $pod = Pod::Simple::XHTML->new;
+    $pod->html_h_level(3);
+# $pod->index(1);
+    $pod->perldoc_url_prefix("https://www.openssl.org/docs/man$release/$section/");
+    $pod->perldoc_url_postfix(".html");
+    $pod->html_header($header);
+    $pod->html_footer($footer);
+# $pod->force_title("TILETITLETITLE");
+# $pod->backlink(1);
+    $pod->output_string(\$out);
+    $pod->parse_string_document($infile);
+    return $out;
+}
+
+# Return all the OTHER names in a manpage.
+sub
+getnames()
+{
+    my ( $infile, $basename ) = @_;
+    my @words = ();
+    open(my $fh, "<", $infile) || die "Can't open $infile, $!";
+    {
+	local $/ = "";
+	my $found = 0;
+	while ( <$fh> ) {
+	    chop;
+	    s/\n/ /gm;
+	    if (/^=head1 /) {
+		$found = 0;
+	    } elsif ( $found ) {
+		if (/ - /) {
+		    s/ - .*//;
+		    s/,\s+/,/g;
+		    s/\s+,/,/g;
+		    s/^\s+//g;
+		    s/\s+$//g;
+		    s/\s/_/g;
+		    push @words, split ',';
+		}
+	    }
+	    if (/^=head1\s*NAME\s*$/) {
+		$found = 1;
+	    }
+	}
+    }
+    return grep { $_ ne $basename } @words;
+}
+
+die "Mssing args\n" if $#ARGV < 2;
+
+# Verify source dir.
+my $SRCDIR = shift || die "Source dir missing";
+die "No source directory $SRCDIR" unless -d $SRCDIR;
+foreach my $sect ( @sections ) {
+    my $dir = "$SRCDIR/doc/$sect";
+    die "No directory $dir" unless -d $dir;
+}
+# Verify release.
+my $RELEASE = shift || die "RELEASE missing";
+die "Unknown release $RELEASE" unless defined $relmap{$RELEASE};
+# Cleanup and verify the destination.
+my $WWWDIR = shift || die "Destination missing";
+die "No destination directory $WWWDIR" unless -d $WWWDIR;
+&cleanup($WWWDIR, $RELEASE);
+
+foreach my $sect ( @sections  ) {
+    foreach my $filename ( glob("$SRCDIR/doc/$sect/*.pod") ) {
+	my $basename = $filename;
+	$basename =~ s at .*/@@;
+	$basename =~ s at .pod@@;
+	my $out = &genhtml ($RELEASE, $sect, $filename, "???", $basename);
+	my $outfile = "$WWWDIR/man$RELEASE/$sect/$basename.html";
+	open(my $fh, ">", $outfile) || die "Can't open $outfile, $!";
+	print $fh $out || die "Can't print $outfile, $!";
+	close($fh) || die "Can't close $outfile, $!";
+	my @altnames = &getnames($filename, $basename);
+	foreach my $alt ( @altnames ) {
+	    my $target = "$WWWDIR/man$RELEASE/$sect/$alt.html";
+	    link $outfile, $target || die "Can't link $outfile,$target, $!";
+	}
+    }
+}
diff --git a/bin/run-pod2html.sh b/bin/run-pod2html.sh
deleted file mode 100755
index 0f96a4f..0000000
--- a/bin/run-pod2html.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#! /bin/sh
-SRC=$1
-DEST=docs
-HERE=`/bin/pwd`
-
-# Somewhere between perl version 5.15 and 5.18, pod2html stopped extracting the
-# title from the pod file's NAME section.  When that's the case, we need to do
-# that work ourselves and give pod2html the extracted title with --title.  --title
-# isn't available in earlier perl verions, so we need to test the behaviour to
-# decide how to act.
-#
-extract_title=false
-pod2html_testtext="=cut
-
-=head1 NAME
-
-foo - bar
-
-=head1 SYNOPSIS
-"
-if echo "$pod2html_testtext" | pod2html | grep -q '^<title></title>$'; then
-    extract_title=true
-fi
-#
-# Test done.
-
-for SUB in apps crypto ssl; do
-    DIR=$DEST/$SUB
-    rm -rf $DIR
-    mkdir -p $DIR
-    for IN in $SRC/$SUB/*.pod; do
-	FN=`basename $IN .pod`
-	title_arg=''
-	if $extract_title; then
-	    title_arg="--title=`cat $IN | sed -e '1,/^=head1 NAME/d' -e '/^=/,$d' -e '/^\s*$/d'`"
-	fi
-	cat $IN \
-	| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
-	| pod2html --podroot=$SRC --css=/manpage.css --htmlroot=/docs --podpath=$SUB:apps:crypto:ssl "$title_arg" \
-	| sed -r 's/<!DOCTYPE.*//g' > $DIR/$FN.html
-	for L in `perl $HERE/getnames.pl $IN` ; do
-	    ln $DIR/$FN.html $DIR/$L.html || echo FAIL $DIR/$FN.html $DIR/$L.html
-	done
-    done
-done

From rsalz at openssl.org  Wed Aug 19 18:28:47 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 18:28:47 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440008927.432652.29695.nullmailer@dev.openssl.org>

The branch master has been updated
       via  3eb55384519ee3290b5182b525ea632be1004890 (commit)
      from  c4cd68f249965cf0578c19e489b486105a1d040b (commit)


- Log -----------------------------------------------------------------
commit 3eb55384519ee3290b5182b525ea632be1004890
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 14:28:38 2015 -0400

    making manpages work

-----------------------------------------------------------------------

Summary of changes:
 Makefile           | 20 +++++++++++---------
 bin/mk-latest      |  6 ------
 bin/mk-manpages    |  7 +++++--
 docs/.htaccess     |  6 ++++++
 docs/manpages.html |  7 -------
 5 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/Makefile b/Makefile
index 2421530..10cb6d1 100644
--- a/Makefile
+++ b/Makefile
@@ -2,9 +2,9 @@
 ## Build procedure for www.openssl.org
 
 ##  Checkouts.
-CHECKOUTS = /var/cache/openssl/checkouts/openssl
+CHECKOUTS = /var/cache/openssl/checkouts
 ##  Snapshot directory
-SNAP = $(CHECKOUST)/openssl
+SNAP = $(CHECKOUTS)/openssl
 ## Where releases are found.
 RELEASEDIR = /var/www/openssl/source
 
@@ -25,7 +25,7 @@ SRCLISTS = \
 	   source/old/1.0.2/index.inc \
 	   source/old/fips/index.inc \
 
-all: $(SIMPLE) $(SRCLISTS)
+all: $(SIMPLE) $(SRCLISTS) manmaster
 
 relupd: all
 	if [ "`id -un`" != openssl ]; then \
@@ -39,12 +39,14 @@ relupd: all
 	git pull $(QUIET)
 	$(MAKE) all manpages
 
-manpages:
-	./bin/mk-manpages $(CHECKOUTS)/master master doc
-	#./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.2-stable 1.0.2 doc
-	#./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.1-stable 1.0.1 doc
-	#./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.0-stable 1.0.0 doc
-	#./bin/mk-manpages $(CHECKOUTS)/openssl-0.9.8-stable 0.9.8 doc
+manpages: manmaster
+	./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.2-stable 1.0.2 docs
+	./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.1-stable 1.0.1 docs
+	./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.0-stable 1.0.0 docs
+	./bin/mk-manpages $(CHECKOUTS)/openssl-0.9.8-stable 0.9.8 docs
+
+manmaster:
+	./bin/mk-manpages $(CHECKOUTS)/openssl master docs
 
 # Legacy targets
 hack-source_htaccess: all
diff --git a/bin/mk-latest b/bin/mk-latest
index e7c05b2..14f586f 100755
--- a/bin/mk-latest
+++ b/bin/mk-latest
@@ -43,12 +43,6 @@ RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule openssl-(1\.0\.2.*) old/1.0.1/openssl-$1 [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule openssl-(fips.*)  old/fips/openssl-$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule apps(.*)  manmaster/apps/$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule crypto(.*)  manmaster/crypto/$1 [L]
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ssl(.*)  manmaster/ssl/$1 [L]
 
 <Files *.gz.asc>
     RemoveEncoding .gz
diff --git a/bin/mk-manpages b/bin/mk-manpages
index 506ab57..bf3519a 100755
--- a/bin/mk-manpages
+++ b/bin/mk-manpages
@@ -48,7 +48,7 @@ EOFH
     my $sidebar = <<EOS;
 <aside class="sidebar">
   <section>
-    <h1><a href="/docs/manpages.html">All Versions</a></h1>
+    <h1><a href="/docs/manpages.html">Other Versions</a></h1>
     <ul>
 EOS
     foreach my $v ( @releases ) {
@@ -101,6 +101,8 @@ EOFT
 # $pod->index(1);
     $pod->perldoc_url_prefix("https://www.openssl.org/docs/man$release/$section/");
     $pod->perldoc_url_postfix(".html");
+    $pod->man_url_prefix("https://www.openssl.org/docs/man$release/$section/");
+    $pod->man_url_postfix(".html");
     $pod->html_header($header);
     $pod->html_footer($footer);
 # $pod->force_title("TILETITLETITLE");
@@ -166,7 +168,8 @@ foreach my $sect ( @sections  ) {
 	my $basename = $filename;
 	$basename =~ s at .*/@@;
 	$basename =~ s at .pod@@;
-	my $out = &genhtml ($RELEASE, $sect, $filename, "???", $basename);
+	my $title = $basename;
+	my $out = &genhtml($RELEASE, $sect, $filename, $title, $basename);
 	my $outfile = "$WWWDIR/man$RELEASE/$sect/$basename.html";
 	open(my $fh, ">", $outfile) || die "Can't open $outfile, $!";
 	print $fh $out || die "Can't print $outfile, $!";
diff --git a/docs/.htaccess b/docs/.htaccess
index 499430b..03e477b 100644
--- a/docs/.htaccess
+++ b/docs/.htaccess
@@ -2,3 +2,9 @@ RewriteEngine on
 RewriteRule fips/fipsnotes.html /docs/fipsnotes.html [L,R=302,NC]
 RewriteRule fips/fipsvalidation.html /docs/fipsvalidation.html [L,R=302,NC]
 RewriteRule fips/index.html /docs/fips/fips.html [L,R=302,NC]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule apps/(.*)  /docs/manmaster/apps/$1 [L,R=302,NC]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule crypto/(.*)  /docs/manmaster/crypto/$1 [L,R=302,NC]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule ssl/(.*)  /docs/manmaster/ssl/$1 [L,R=302,NC]
diff --git a/docs/manpages.html b/docs/manpages.html
index f07f8b7..e7fe326 100644
--- a/docs/manpages.html
+++ b/docs/manpages.html
@@ -9,13 +9,6 @@
 	<article>
 	  <header><h2>Manpages</h2></header>
 	  <div class="entry-content">
-            <p>
-            <strong>
-              <hr>
-              STILL A WORK IN PROGRESS.  NOT FINISHED!
-              <hr>
-            </strong>
-            </p>
 	    <p>
             The manual pages for all releases are available online:
 	    </p>

From rsalz at openssl.org  Wed Aug 19 18:39:03 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 18:39:03 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440009543.211084.12316.nullmailer@dev.openssl.org>

The branch master has been updated
       via  66ed6af5c2ef7a461f25adca7e017ade11fa3ae7 (commit)
      from  3eb55384519ee3290b5182b525ea632be1004890 (commit)


- Log -----------------------------------------------------------------
commit 66ed6af5c2ef7a461f25adca7e017ade11fa3ae7
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 14:38:55 2015 -0400

    fix navbar

-----------------------------------------------------------------------

Summary of changes:
 bin/mk-manpages | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/bin/mk-manpages b/bin/mk-manpages
index bf3519a..432689c 100755
--- a/bin/mk-manpages
+++ b/bin/mk-manpages
@@ -48,18 +48,16 @@ EOFH
     my $sidebar = <<EOS;
 <aside class="sidebar">
   <section>
-    <h1><a href="/docs/manpages.html">Other Versions</a></h1>
+    <h1><a href="/docs/manpages.html">$release manpages</a></h1>
     <ul>
+      <li><a href="../apps/openssl.html">The openssl command</a></li>
+      <li><a href="../ssl/ssl.html">The ssl library</a></li>
+      <li><a href="../crypto/crypto.html">The crypto library</a></li>
 EOS
     foreach my $v ( @releases ) {
-	if ( $release eq $v ) {
-	    $sidebar .= 
-"<li><a href=\"/docs/man$v/$section/$file.html\"><em>this branch</em></a></li>
-";
-	} else {
-	    $sidebar .=
-"<li><a href=\"/docs/man$v/$section/$file.html\">$v</a></li>\n";
-	}
+        $sidebar .=
+"<li><a href=\"/docs/man$v/$section/$file.html\">$v version</a></li>\n"
+            if $release ne $v;
     }
     $sidebar .= <<EOS;
     </ul>

From rsalz at openssl.org  Wed Aug 19 18:42:35 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 18:42:35 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440009755.274946.17410.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2e398641f4438e1696c64ff787b2411d9fc9d781 (commit)
      from  66ed6af5c2ef7a461f25adca7e017ade11fa3ae7 (commit)


- Log -----------------------------------------------------------------
commit 2e398641f4438e1696c64ff787b2411d9fc9d781
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 14:42:33 2015 -0400

    fix typo

-----------------------------------------------------------------------

Summary of changes:
 bin/mk-manpages | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/mk-manpages b/bin/mk-manpages
index 432689c..4a0f228 100755
--- a/bin/mk-manpages
+++ b/bin/mk-manpages
@@ -4,7 +4,7 @@ use strict;
 use Pod::Html;
 use Pod::Simple::XHTML;
 
-my @releases = ( 'master', '1.0.2', '1.0.1', '1.0.1', '0.9.8');
+my @releases = ( 'master', '1.0.2', '1.0.1', '1.0.0', '0.9.8');
 my %relmap = map { $_ => 1 } @releases;
 my @sections = ( 'apps', 'crypto', 'ssl' );
 

From rsalz at openssl.org  Wed Aug 19 18:48:20 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 18:48:20 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440010100.492430.26799.nullmailer@dev.openssl.org>

The branch master has been updated
       via  700c222a599884f5a0026d06f4c8d4bc21411a29 (commit)
      from  2e398641f4438e1696c64ff787b2411d9fc9d781 (commit)


- Log -----------------------------------------------------------------
commit 700c222a599884f5a0026d06f4c8d4bc21411a29
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 14:48:17 2015 -0400

    add a hack /1/ rewrite rule

-----------------------------------------------------------------------

Summary of changes:
 docs/.htaccess | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/.htaccess b/docs/.htaccess
index 03e477b..6db9398 100644
--- a/docs/.htaccess
+++ b/docs/.htaccess
@@ -3,6 +3,8 @@ RewriteRule fips/fipsnotes.html /docs/fipsnotes.html [L,R=302,NC]
 RewriteRule fips/fipsvalidation.html /docs/fipsvalidation.html [L,R=302,NC]
 RewriteRule fips/index.html /docs/fips/fips.html [L,R=302,NC]
 RewriteCond %{REQUEST_FILENAME} !-f
+RewriteRule manmaster/apps/1/(.*)  /docs/manmaster/apps/$1 [L,R=302,NC]
+RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule apps/(.*)  /docs/manmaster/apps/$1 [L,R=302,NC]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule crypto/(.*)  /docs/manmaster/crypto/$1 [L,R=302,NC]

From rsalz at openssl.org  Wed Aug 19 20:29:49 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 19 Aug 2015 20:29:49 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440016189.215236.14126.nullmailer@dev.openssl.org>

The branch master has been updated
       via  62b7ae141caea8915c19a6250d9278b45edbf539 (commit)
      from  700c222a599884f5a0026d06f4c8d4bc21411a29 (commit)


- Log -----------------------------------------------------------------
commit 62b7ae141caea8915c19a6250d9278b45edbf539
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 16:29:44 2015 -0400

    manpages actually are now working

-----------------------------------------------------------------------

Summary of changes:
 docs/index.html | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/index.html b/docs/index.html
index df2a681..9755c6a 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -19,6 +19,10 @@
 	    <a href="fips.html">FIPS-140 validation</a> is also
 	    available.</p>
 
+            <p>The <a href="manpages.html">manual pages</a> for all
+            releases are available.  There are still problems with some
+            of the links; thanks for your understanding.</p>
+
 	    <p>Online versions of the manpages are not yet available,
 	    but will be shortly.</p>
 

From rsalz at openssl.org  Thu Aug 20 03:12:42 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 03:12:42 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440040362.031020.23206.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ee72f9113a9330c6782bf50c922c1f882d143531 (commit)
      from  62b7ae141caea8915c19a6250d9278b45edbf539 (commit)


- Log -----------------------------------------------------------------
commit ee72f9113a9330c6782bf50c922c1f882d143531
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 23:12:38 2015 -0400

    Don't add man* subdir contents to sitemap

-----------------------------------------------------------------------

Summary of changes:
 bin/mk-sitemap | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bin/mk-sitemap b/bin/mk-sitemap
index ee76444..b362ff1 100755
--- a/bin/mk-sitemap
+++ b/bin/mk-sitemap
@@ -33,6 +33,7 @@ dodir()
 	my $simple = $entry;
 	$simple =~ s at .*/@@;
 	print "\n", "\t" x $level, $simple, "/\n";
+        next if $entry =~ m/man0.9.8|man1.0..|manmaster/;
 	&dodir($entry, $level + 1);
     }
 }

From rsalz at openssl.org  Thu Aug 20 03:14:45 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 03:14:45 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440040485.531239.26035.nullmailer@dev.openssl.org>

The branch master has been updated
       via  45a87b54c521e492834f4eb702679bd2c60f4ef0 (commit)
      from  ee72f9113a9330c6782bf50c922c1f882d143531 (commit)


- Log -----------------------------------------------------------------
commit 45a87b54c521e492834f4eb702679bd2c60f4ef0
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 19 23:14:42 2015 -0400

    remove old "not yet" text

-----------------------------------------------------------------------

Summary of changes:
 docs/index.html | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/docs/index.html b/docs/index.html
index 9755c6a..d60f577 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -23,9 +23,6 @@
             releases are available.  There are still problems with some
             of the links; thanks for your understanding.</p>
 
-	    <p>Online versions of the manpages are not yet available,
-	    but will be shortly.</p>
-
 	    <p>Ivan Risti&#x0107;, the creator of
 	    <a href="https://ssllabs.com">https://ssllabs.com</a>,
 	    has a free download of his <em>OpenSSL Cookbook</em>

From rsalz at openssl.org  Thu Aug 20 18:55:17 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 18:55:17 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440096917.399324.31288.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a96a5660270a185aafd2c081602d88ad3767f7dc (commit)
      from  45a87b54c521e492834f4eb702679bd2c60f4ef0 (commit)


- Log -----------------------------------------------------------------
commit a96a5660270a185aafd2c081602d88ad3767f7dc
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 20 14:54:14 2015 -0400

    add auto-index to apps,crypto,ssl
    
    Make a top-level index page for each of the apps/crypto/ssl
    subdirs of a manpage tree.  Make it point to the overall intro
    doc (e.g., openssl.html for apps, etc) and include a full file list
    as well.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                     | 25 +++++++++++++++-------
 Makefile                                       | 16 +++++++++-----
 bin/mk-manpages                                |  5 ++++-
 docs/.htaccess                                 |  6 +++---
 docs/{man1.0.2 => man0.9.8/apps}/index.html    | 28 +++++++++++++++----------
 docs/{man1.0.2 => man0.9.8/crypto}/index.html  | 29 +++++++++++++++-----------
 docs/man0.9.8/index.html                       |  8 +++----
 docs/{man1.0.2 => man0.9.8/ssl}/index.html     | 28 +++++++++++++++----------
 docs/{man1.0.2 => man1.0.0/apps}/index.html    | 28 +++++++++++++++----------
 docs/{man1.0.2 => man1.0.0/crypto}/index.html  | 29 +++++++++++++++-----------
 docs/man1.0.0/index.html                       |  6 +++---
 docs/{man1.0.2 => man1.0.0/ssl}/index.html     | 28 +++++++++++++++----------
 docs/{man1.0.2 => man1.0.1/apps}/index.html    | 28 +++++++++++++++----------
 docs/{man1.0.2 => man1.0.1/crypto}/index.html  | 29 +++++++++++++++-----------
 docs/man1.0.1/index.html                       |  6 +++---
 docs/{man1.0.2 => man1.0.1/ssl}/index.html     | 28 +++++++++++++++----------
 docs/man1.0.2/{ => apps}/index.html            | 28 +++++++++++++++----------
 docs/man1.0.2/{ => crypto}/index.html          | 29 +++++++++++++++-----------
 docs/man1.0.2/index.html                       |  6 +++---
 docs/man1.0.2/{ => ssl}/index.html             | 28 +++++++++++++++----------
 docs/{man1.0.2 => manmaster/apps}/index.html   | 28 +++++++++++++++----------
 docs/{man1.0.2 => manmaster/crypto}/index.html | 29 +++++++++++++++-----------
 docs/manmaster/index.html                      |  6 +++---
 docs/{man1.0.2 => manmaster/ssl}/index.html    | 28 +++++++++++++++----------
 docs/manpages.html                             |  2 +-
 inc/mansidebar.inc                             |  2 +-
 26 files changed, 309 insertions(+), 204 deletions(-)
 copy docs/{man1.0.2 => man0.9.8/apps}/index.html (56%)
 copy docs/{man1.0.2 => man0.9.8/crypto}/index.html (56%)
 copy docs/{man1.0.2 => man0.9.8/ssl}/index.html (56%)
 copy docs/{man1.0.2 => man1.0.0/apps}/index.html (56%)
 copy docs/{man1.0.2 => man1.0.0/crypto}/index.html (56%)
 copy docs/{man1.0.2 => man1.0.0/ssl}/index.html (56%)
 copy docs/{man1.0.2 => man1.0.1/apps}/index.html (56%)
 copy docs/{man1.0.2 => man1.0.1/crypto}/index.html (56%)
 copy docs/{man1.0.2 => man1.0.1/ssl}/index.html (56%)
 copy docs/man1.0.2/{ => apps}/index.html (56%)
 copy docs/man1.0.2/{ => crypto}/index.html (56%)
 copy docs/man1.0.2/{ => ssl}/index.html (56%)
 copy docs/{man1.0.2 => manmaster/apps}/index.html (56%)
 copy docs/{man1.0.2 => manmaster/crypto}/index.html (56%)
 copy docs/{man1.0.2 => manmaster/ssl}/index.html (56%)

diff --git a/.gitignore b/.gitignore
index f78f20a..583aaa9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,15 +1,26 @@
 *.swp
-*.inc
 blog
 sitemap.txt
+docs/*/apps/*
+!docs/*/apps/index.html
+docs/*/crypto/*
+!docs/*/crypto/index.html
+docs/*/ssl/*
+!docs/*/ssl/index.html
+docs/faq.inc
+docs/fips.inc
+mk-manpages.pl
+news/changelog.inc
 news/changelog.txt
-source/license.txt
-source/.htaccess
+news/newsflash.inc
+news/vulnerabilities.inc
+newsflash.inc
 source/*.gz*
 source/*.patch
-source/old/*/*.tar.gz*
+source/.htaccess
+source/index.inc
+source/license.txt
 source/old/*/*.patch
+source/old/*/*.tar.gz*
 source/old/*/*.txt.asc
-docs/*/apps
-docs/*/crypto
-docs/*/ssl
+source/old/*/index.inc
diff --git a/Makefile b/Makefile
index 10cb6d1..d5708e4 100644
--- a/Makefile
+++ b/Makefile
@@ -39,14 +39,20 @@ relupd: all
 	git pull $(QUIET)
 	$(MAKE) all manpages
 
+define makemanpges
+	./bin/mk-manpages $(1) $(2) docs
+	./bin/mk-filelist docs/man$(2)/apps '' '*.html' >docs/man$(2)/apps/index.inc
+	./bin/mk-filelist docs/man$(2)/crypto '' '*.html' >docs/man$(2)/crypto/index.inc
+	./bin/mk-filelist docs/man$(2)/ssl '' '*.html' >docs/man$(2)/ssl/index.inc
+endef
 manpages: manmaster
-	./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.2-stable 1.0.2 docs
-	./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.1-stable 1.0.1 docs
-	./bin/mk-manpages $(CHECKOUTS)/openssl-1.0.0-stable 1.0.0 docs
-	./bin/mk-manpages $(CHECKOUTS)/openssl-0.9.8-stable 0.9.8 docs
+	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.2-stable 1.0.2)
+	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.1-stable 1.0.1)
+	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.0-stable 1.0.0)
+	$(call makemanpages,$(CHECKOUTS)/openssl-0.9.8-stable 0.9.8)
 
 manmaster:
-	./bin/mk-manpages $(CHECKOUTS)/openssl master docs
+	$(call makemanpges,$(CHECKOUTS)/openssl,master)
 
 # Legacy targets
 hack-source_htaccess: all
diff --git a/bin/mk-manpages b/bin/mk-manpages
index 4a0f228..eb6f65a 100755
--- a/bin/mk-manpages
+++ b/bin/mk-manpages
@@ -18,8 +18,11 @@ cleanup()
     die "No $dir/index.html" unless -f "$dir/index.html";
     foreach my $sect ( @sections ) {
 	mkdir "$dir/$sect" unless -d "$dir/$sect";
+	my $idx1 = "$dir/$sect/index.html";
+	my $idx2 = "$dir/$sect/index.inc";
 	foreach my $f ( glob("$dir/$sect/*") ) {
-	    unlink $f || warn "Can't unlink $f, $!";
+	    unlink $f || warn "Can't unlink $f, $!"
+		unless $f eq $idx1 || $f eq $idx2;
 	}
     }
 }
diff --git a/docs/.htaccess b/docs/.htaccess
index 6db9398..b6710c3 100644
--- a/docs/.htaccess
+++ b/docs/.htaccess
@@ -5,8 +5,8 @@ RewriteRule fips/index.html /docs/fips/fips.html [L,R=302,NC]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule manmaster/apps/1/(.*)  /docs/manmaster/apps/$1 [L,R=302,NC]
 RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule apps/(.*)  /docs/manmaster/apps/$1 [L,R=302,NC]
+RewriteRule apps/(..*)  /docs/manmaster/apps/$1 [L,R=302,NC]
 RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule crypto/(.*)  /docs/manmaster/crypto/$1 [L,R=302,NC]
+RewriteRule crypto/(..*)  /docs/manmaster/crypto/$1 [L,R=302,NC]
 RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ssl/(.*)  /docs/manmaster/ssl/$1 [L,R=302,NC]
+RewriteRule ssl/(..*)  /docs/manmaster/ssl/$1 [L,R=302,NC]
diff --git a/docs/man1.0.2/index.html b/docs/man0.9.8/apps/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man0.9.8/apps/index.html
index 23b15b3..0532205 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man0.9.8/apps/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>commands</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="openssl.html">openssl</a> manpage provides a
+	    general overview of all the commands.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man0.9.8">master</a>
+	    : <a href="/docs/man0.9.8/apps">commands</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man0.9.8/crypto/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man0.9.8/crypto/index.html
index 23b15b3..0ffdd83 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man0.9.8/crypto/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>crypto library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="crypto.html">crypto</a> manpage provides a
+	    general overview of the crypto library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man0.9.8">master</a>
+	    : <a href="/docs/man0.9.8/crypto">crypto</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
@@ -36,4 +42,3 @@
 <!--#include virtual="/inc/footer.inc" -->
 </body>
 </html>
-
diff --git a/docs/man0.9.8/index.html b/docs/man0.9.8/index.html
index 6e3a215..88b6fdb 100644
--- a/docs/man0.9.8/index.html
+++ b/docs/man0.9.8/index.html
@@ -16,15 +16,15 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps">The commands</a></li>
+              <li><a href="ssl">The ssl library</a></li>
+              <li><a href="crypto">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
-	    : <a href="/docsmanpages.html">Manpages</a>
+	    : <a href="/docs/manpages.html">Manpages</a>
 	    : <a href="">0.9.8</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
diff --git a/docs/man1.0.2/index.html b/docs/man0.9.8/ssl/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man0.9.8/ssl/index.html
index 23b15b3..a27e08e 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man0.9.8/ssl/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>ssl library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="ssl.html">ssl</a> manpage provides a
+	    general overview of the ssl library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man0.9.8">master</a>
+	    : <a href="/docs/man0.9.8/ssl">ssl</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.0/apps/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.0/apps/index.html
index 23b15b3..b449ff6 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.0/apps/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>commands</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="openssl.html">openssl</a> manpage provides a
+	    general overview of all the commands.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.0">master</a>
+	    : <a href="/docs/man1.0.0/apps">commands</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.0/crypto/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.0/crypto/index.html
index 23b15b3..7d387df 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.0/crypto/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>crypto library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="crypto.html">crypto</a> manpage provides a
+	    general overview of the crypto library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.0">master</a>
+	    : <a href="/docs/man1.0.0/crypto">crypto</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
@@ -36,4 +42,3 @@
 <!--#include virtual="/inc/footer.inc" -->
 </body>
 </html>
-
diff --git a/docs/man1.0.0/index.html b/docs/man1.0.0/index.html
index 6ff5644..0b84607 100644
--- a/docs/man1.0.0/index.html
+++ b/docs/man1.0.0/index.html
@@ -16,9 +16,9 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="/apps/openssl.html">The openssl command</a></li>
-              <li><a href="/ssl/ssl.html">The ssl library</a></li>
-              <li><a href="/crypto/crypto.html">The crypto library</a></li>
+              <li><a href="/apps">The commands</a></li>
+              <li><a href="/ssl">The ssl library</a></li>
+              <li><a href="/crypto">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.0/ssl/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.0/ssl/index.html
index 23b15b3..32ec28a 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.0/ssl/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>ssl library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="ssl.html">ssl</a> manpage provides a
+	    general overview of the ssl library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.0">master</a>
+	    : <a href="/docs/man1.0.0/ssl">ssl</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.1/apps/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.1/apps/index.html
index 23b15b3..17c5e92 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.1/apps/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>commands</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="openssl.html">openssl</a> manpage provides a
+	    general overview of all the commands.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.1">master</a>
+	    : <a href="/docs/man1.0.1/apps">commands</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.1/crypto/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.1/crypto/index.html
index 23b15b3..d25091b 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.1/crypto/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>crypto library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="crypto.html">crypto</a> manpage provides a
+	    general overview of the crypto library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.1">master</a>
+	    : <a href="/docs/man1.0.1/crypto">crypto</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
@@ -36,4 +42,3 @@
 <!--#include virtual="/inc/footer.inc" -->
 </body>
 </html>
-
diff --git a/docs/man1.0.1/index.html b/docs/man1.0.1/index.html
index ff6bf0e..580c87f 100644
--- a/docs/man1.0.1/index.html
+++ b/docs/man1.0.1/index.html
@@ -16,9 +16,9 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps">The commands</a></li>
+              <li><a href="ssl">The ssl library</a></li>
+              <li><a href="crypto">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.1/ssl/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.1/ssl/index.html
index 23b15b3..afc66b7 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.1/ssl/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>ssl library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="ssl.html">ssl</a> manpage provides a
+	    general overview of the ssl library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.1">master</a>
+	    : <a href="/docs/man1.0.1/ssl">ssl</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.2/apps/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.2/apps/index.html
index 23b15b3..21b3d91 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.2/apps/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>commands</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="openssl.html">openssl</a> manpage provides a
+	    general overview of all the commands.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.2">master</a>
+	    : <a href="/docs/man1.0.2/apps">commands</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.2/crypto/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.2/crypto/index.html
index 23b15b3..faf5b1c 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.2/crypto/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>crypto library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="crypto.html">crypto</a> manpage provides a
+	    general overview of the crypto library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.2">master</a>
+	    : <a href="/docs/man1.0.2/crypto">crypto</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
@@ -36,4 +42,3 @@
 <!--#include virtual="/inc/footer.inc" -->
 </body>
 </html>
-
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.2/index.html
index 23b15b3..34b0fdb 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.2/index.html
@@ -16,9 +16,9 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps">The commands</a></li>
+              <li><a href="ssl">The ssl library</a></li>
+              <li><a href="crypto">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
diff --git a/docs/man1.0.2/index.html b/docs/man1.0.2/ssl/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/man1.0.2/ssl/index.html
index 23b15b3..e0c0864 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/man1.0.2/ssl/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>ssl library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="ssl.html">ssl</a> manpage provides a
+	    general overview of the ssl library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/man1.0.2">master</a>
+	    : <a href="/docs/man1.0.2/ssl">ssl</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/manmaster/apps/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/manmaster/apps/index.html
index 23b15b3..afda6dd 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/manmaster/apps/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>commands</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="openssl.html">openssl</a> manpage provides a
+	    general overview of all the commands.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/manmaster">master</a>
+	    : <a href="/docs/manmaster/apps">commands</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/man1.0.2/index.html b/docs/manmaster/crypto/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/manmaster/crypto/index.html
index 23b15b3..74414a0 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/manmaster/crypto/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>crypto library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="crypto.html">crypto</a> manpage provides a
+	    general overview of the crypto library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/manmaster">master</a>
+	    : <a href="/docs/manmaster/crypto">crypto</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
@@ -36,4 +42,3 @@
 <!--#include virtual="/inc/footer.inc" -->
 </body>
 </html>
-
diff --git a/docs/manmaster/index.html b/docs/manmaster/index.html
index 1c5348e..b9d39b8 100644
--- a/docs/manmaster/index.html
+++ b/docs/manmaster/index.html
@@ -16,9 +16,9 @@
             parts:
 	    </p>
             <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
+              <li><a href="apps">The commands</a></li>
+              <li><a href="ssl">The ssl library</a></li>
+              <li><a href="crypto">The crypto library</a></li>
             </ul>
 	  </div>
 	  <footer>
diff --git a/docs/man1.0.2/index.html b/docs/manmaster/ssl/index.html
similarity index 56%
copy from docs/man1.0.2/index.html
copy to docs/manmaster/ssl/index.html
index 23b15b3..1001761 100644
--- a/docs/man1.0.2/index.html
+++ b/docs/manmaster/ssl/index.html
@@ -7,25 +7,31 @@
     <div id="content">
       <div class="blog-index">
 	<article>
-	  <header><h2>Manpages for 1.0.2</h2></header>
+	  <header><h2>ssl library</h2></header>
 	  <div class="entry-content">
 	    <p>
-            The manual pages for the 1.0.2 branch are
-            available here.
-            The OpenSSL documentation is divided into three
-            parts:
+	    The <a href="ssl.html">ssl</a> manpage provides a
+	    general overview of the ssl library.
+	    The detailed list is here:
 	    </p>
-            <ul>
-              <li><a href="apps/openssl.html">The openssl command</a></li>
-              <li><a href="ssl/ssl.html">The ssl library</a></li>
-              <li><a href="crypto/crypto.html">The crypto library</a></li>
-            </ul>
+
+	    <table>
+	      <tr>
+		<td>KBytes&nbsp;</td>
+		<td>Date&nbsp;&nbsp;</td>
+		<td>File&nbsp;</td>
+	      </tr>
+	      <!--#include virtual="index.inc" -->
+	    </table>
+	    <p>&nbsp;</p>
+
 	  </div>
 	  <footer>
 	    You are here: <a href="/">Home</a>
 	    : <a href="/docs">Documentation</a>
 	    : <a href="/docs/manpages.html">Manpages</a>
-	    : <a href="">1.0.2</a>
+	    : <a href="/docs/manmaster">master</a>
+	    : <a href="/docs/manmaster/ssl">ssl</a>
 	    <br/><a href="/sitemap.txt">Sitemap</a>
 	  </footer>
 	</article>
diff --git a/docs/manpages.html b/docs/manpages.html
index e7fe326..5bb3ef1 100644
--- a/docs/manpages.html
+++ b/docs/manpages.html
@@ -13,7 +13,7 @@
             The manual pages for all releases are available online:
 	    </p>
             <ul>
-              <li><a href="manmaster">Master</a></li>
+              <li><a href="manmaster">master</a></li>
               <li><a href="man1.0.2">1.0.2</a></li>
               <li><a href="man1.0.1">1.0.1</a></li>
               <li><a href="man1.0.0">1.0.0</a></li>
diff --git a/inc/mansidebar.inc b/inc/mansidebar.inc
index e005f65..22de745 100644
--- a/inc/mansidebar.inc
+++ b/inc/mansidebar.inc
@@ -3,7 +3,7 @@
   <section>
     <h1><a href="/docs/manpages.html">Manpages</a></h1>
     <ul>
-      <li><a href="/docs/manmaster">Master</a></li>
+      <li><a href="/docs/manmaster">master</a></li>
       <li><a href="/docs/man1.0.2">1.0.2</a></li>
       <li><a href="/docs/man1.0.1">1.0.1</a></li>
       <li><a href="/docs/man1.0.0">1.0.0</a></li>

From rsalz at openssl.org  Thu Aug 20 19:06:05 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 19:06:05 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440097565.165927.3604.nullmailer@dev.openssl.org>

The branch master has been updated
       via  acec1b53ccf96e4b819fde6d25f09e9c84689422 (commit)
      from  a96a5660270a185aafd2c081602d88ad3767f7dc (commit)


- Log -----------------------------------------------------------------
commit acec1b53ccf96e4b819fde6d25f09e9c84689422
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 20 15:06:02 2015 -0400

    fix typo

-----------------------------------------------------------------------

Summary of changes:
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index d5708e4..ecd6ba0 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ relupd: all
 	git pull $(QUIET)
 	$(MAKE) all manpages
 
-define makemanpges
+define makemanpeges
 	./bin/mk-manpages $(1) $(2) docs
 	./bin/mk-filelist docs/man$(2)/apps '' '*.html' >docs/man$(2)/apps/index.inc
 	./bin/mk-filelist docs/man$(2)/crypto '' '*.html' >docs/man$(2)/crypto/index.inc
@@ -52,7 +52,7 @@ manpages: manmaster
 	$(call makemanpages,$(CHECKOUTS)/openssl-0.9.8-stable 0.9.8)
 
 manmaster:
-	$(call makemanpges,$(CHECKOUTS)/openssl,master)
+	$(call makemanpeges,$(CHECKOUTS)/openssl,master)
 
 # Legacy targets
 hack-source_htaccess: all

From rsalz at openssl.org  Thu Aug 20 19:06:52 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 19:06:52 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440097612.143416.3944.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a11df28b8a42e5999b4991b76d0a40c12ee8d995 (commit)
      from  acec1b53ccf96e4b819fde6d25f09e9c84689422 (commit)


- Log -----------------------------------------------------------------
commit a11df28b8a42e5999b4991b76d0a40c12ee8d995
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 20 15:06:50 2015 -0400

    refix typo :(

-----------------------------------------------------------------------

Summary of changes:
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index ecd6ba0..7a0ab98 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ relupd: all
 	git pull $(QUIET)
 	$(MAKE) all manpages
 
-define makemanpeges
+define makemanpages
 	./bin/mk-manpages $(1) $(2) docs
 	./bin/mk-filelist docs/man$(2)/apps '' '*.html' >docs/man$(2)/apps/index.inc
 	./bin/mk-filelist docs/man$(2)/crypto '' '*.html' >docs/man$(2)/crypto/index.inc
@@ -52,7 +52,7 @@ manpages: manmaster
 	$(call makemanpages,$(CHECKOUTS)/openssl-0.9.8-stable 0.9.8)
 
 manmaster:
-	$(call makemanpeges,$(CHECKOUTS)/openssl,master)
+	$(call makemanpages,$(CHECKOUTS)/openssl,master)
 
 # Legacy targets
 hack-source_htaccess: all

From rsalz at openssl.org  Thu Aug 20 19:09:15 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 19:09:15 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440097755.736563.4570.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f44641eeb0aad6a3313a2240723537bb20b13244 (commit)
      from  a11df28b8a42e5999b4991b76d0a40c12ee8d995 (commit)


- Log -----------------------------------------------------------------
commit f44641eeb0aad6a3313a2240723537bb20b13244
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 20 15:09:13 2015 -0400

    yatf (yet another typo fix)

-----------------------------------------------------------------------

Summary of changes:
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 7a0ab98..276efc3 100644
--- a/Makefile
+++ b/Makefile
@@ -46,10 +46,10 @@ define makemanpages
 	./bin/mk-filelist docs/man$(2)/ssl '' '*.html' >docs/man$(2)/ssl/index.inc
 endef
 manpages: manmaster
-	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.2-stable 1.0.2)
-	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.1-stable 1.0.1)
-	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.0-stable 1.0.0)
-	$(call makemanpages,$(CHECKOUTS)/openssl-0.9.8-stable 0.9.8)
+	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.2-stable,1.0.2)
+	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.1-stable,1.0.1)
+	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.0-stable,1.0.0)
+	$(call makemanpages,$(CHECKOUTS)/openssl-0.9.8-stable,0.9.8)
 
 manmaster:
 	$(call makemanpages,$(CHECKOUTS)/openssl,master)

From rsalz at openssl.org  Thu Aug 20 19:17:22 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 20 Aug 2015 19:17:22 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440098242.276484.5658.nullmailer@dev.openssl.org>

The branch master has been updated
       via  64db0cd34882209d6a5dca1db75d6a56ff3d4bee (commit)
      from  f44641eeb0aad6a3313a2240723537bb20b13244 (commit)


- Log -----------------------------------------------------------------
commit 64db0cd34882209d6a5dca1db75d6a56ff3d4bee
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 20 15:17:20 2015 -0400

    add alpha-sort for manpages

-----------------------------------------------------------------------

Summary of changes:
 Makefile        |  6 +++---
 bin/mk-filelist | 10 +++++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 276efc3..40921b5 100644
--- a/Makefile
+++ b/Makefile
@@ -41,9 +41,9 @@ relupd: all
 
 define makemanpages
 	./bin/mk-manpages $(1) $(2) docs
-	./bin/mk-filelist docs/man$(2)/apps '' '*.html' >docs/man$(2)/apps/index.inc
-	./bin/mk-filelist docs/man$(2)/crypto '' '*.html' >docs/man$(2)/crypto/index.inc
-	./bin/mk-filelist docs/man$(2)/ssl '' '*.html' >docs/man$(2)/ssl/index.inc
+	./bin/mk-filelist -a docs/man$(2)/apps '' '*.html' >docs/man$(2)/apps/index.inc
+	./bin/mk-filelist -a docs/man$(2)/crypto '' '*.html' >docs/man$(2)/crypto/index.inc
+	./bin/mk-filelist -a docs/man$(2)/ssl '' '*.html' >docs/man$(2)/ssl/index.inc
 endef
 manpages: manmaster
 	$(call makemanpages,$(CHECKOUTS)/openssl-1.0.2-stable,1.0.2)
diff --git a/bin/mk-filelist b/bin/mk-filelist
index e6b6088..b39e5da 100755
--- a/bin/mk-filelist
+++ b/bin/mk-filelist
@@ -2,6 +2,12 @@
 use strict;
 
 die "Missing args\n" if $#ARGV < 2;
+my $timebased = 1;
+if ($ARGV[0] eq '-a') {
+    $timebased = 0;
+    shift;
+}
+
 my $SRCDIR = $ARGV[0]; shift;
 my $URLBASE = $ARGV[0]; shift;
 my $GLOB = join(' ', @ARGV);
@@ -11,7 +17,9 @@ my @months = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
 
 sub ls {
     my ($pat) = @_;
-    my @F = sort { (stat($b))[9] <=> (stat($a))[9]; } (glob($pat));
+    my @F = $timebased
+                ? sort { (stat($b))[9] <=> (stat($a))[9]; } (glob($pat))
+                : sort (glob($pat));
     my @R = ();
     foreach my $f (@F) {
         next if ($f =~ m|^index.*|);

From rsalz at openssl.org  Fri Aug 21 02:08:18 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 21 Aug 2015 02:08:18 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440122898.942375.29808.nullmailer@dev.openssl.org>

The branch master has been updated
       via  24f4b18875a9bb7d5761947cccd2256b866a1600 (commit)
      from  64db0cd34882209d6a5dca1db75d6a56ff3d4bee (commit)


- Log -----------------------------------------------------------------
commit 24f4b18875a9bb7d5761947cccd2256b866a1600
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 20 22:08:14 2015 -0400

    alpha order for release list

-----------------------------------------------------------------------

Summary of changes:
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 40921b5..d986f42 100644
--- a/Makefile
+++ b/Makefile
@@ -101,7 +101,7 @@ source/license.txt: $(SNAP)/LICENSE
 	cp $? $@
 source/index.inc:
 	@rm -f $@
-	./bin/mk-filelist $(RELEASEDIR) '' 'openssl-*.tar.gz' >$@
+	./bin/mk-filelist -a $(RELEASEDIR) '' 'openssl-*.tar.gz' >$@
 
 source/old/0.9.x/index.inc:
 	@rm -f $@

From rsalz at openssl.org  Fri Aug 21 19:07:25 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 21 Aug 2015 19:07:25 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440184045.415255.27348.nullmailer@dev.openssl.org>

The branch master has been updated
       via  cd8935dc250abcc389ce1228fd73020346022392 (commit)
      from  24f4b18875a9bb7d5761947cccd2256b866a1600 (commit)


- Log -----------------------------------------------------------------
commit cd8935dc250abcc389ce1228fd73020346022392
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Aug 21 15:07:22 2015 -0400

    simplify

-----------------------------------------------------------------------

Summary of changes:
 bin/mk-changelog | 50 ++++++++++++++++++--------------------------------
 1 file changed, 18 insertions(+), 32 deletions(-)

diff --git a/bin/mk-changelog b/bin/mk-changelog
index 60135c9..18902d5 100755
--- a/bin/mk-changelog
+++ b/bin/mk-changelog
@@ -1,48 +1,34 @@
 #! /usr/bin/perl -w
 use strict;
 
-# Read whole input.
-my $page;
-{
-    local $/;
-    $page .= <STDIN>;
-}
-
-# HTML entities.
-$page =~ s|&|&amp;|sg;
-$page =~ s|<|&lt;|sg;
-$page =~ s|>|&gt;|sg;
-
-# Make sub-headings.
-$page =~ s|^.+?(Changes.+?\n+)|$1|s;
-$page =~ s|(Changes between.+?)\n|</pre>\n<h3>$1</h3>\n<pre>\n|sg;
-
-# Wrap it, and remove empty <pre></pre>
-$page = '<pre>' . $page . '</pre>';
-$page =~ s|<pre></pre>||g;
-
-# Make a TOC
 my $ctr = 0;
 my $toc;
 my $out;
 my $top = '  <a href="#toc"><img src="/img/up.gif"/></a>';
-for (split /^/, $page) {
-    if ( /<h3>/ ) {
-	my $name = $_;
-	$name =~ s|<h3>(.*)</h3>|$1|;
-	chop ($name);
-	$out .= '<h3><a name="x' . $ctr . '">' . $name . "</a>$top</h3>\n";
-	$toc .= '<li><a href="#x' . $ctr . '">' . $name . "</a></li>\n";
+my $skipping = 1;
+
+while ( <STDIN> ) {
+    chop;
+    # HTML entities.
+    s|&|&amp;|sg;
+    s|<|&lt;|sg;
+    s|>|&gt;|sg;
+    if ( /^( Changes between.*)/ ) {
+        $out .= "</pre>\n" unless $skipping;
+        $skipping = 0;
+	$out .= "<h3><a name=\"x$ctr\">$1</a>$top</h3>\n<pre>\n";
+	$toc .= "  <li><a href=\"#x$ctr\">$1</a></li>\n";
 	$ctr++;
-    } else {
-	$out .= $_;
+    } elsif ( ! $skipping ) {
+        $out .= $_ . "\n";
     }
 }
+$out .= "</pre>\n";
 
 print "<h3><a name='toc'>Table of contents</a></h3>\n";
-print "<ul>";
+print "<ul>\n";
 print $toc;
-print "</ul>";
+print "</ul>\n";
 print $out;
 
 exit(0);

From rsalz at openssl.org  Fri Aug 21 19:12:15 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 21 Aug 2015 19:12:15 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440184335.459032.2509.nullmailer@dev.openssl.org>

The branch master has been updated
       via  9b86974e0c705ea321ddbc9a9d8562c894809e5b (commit)
      from  3da9505dc02b0594633c73a11343f54bb5dbf536 (commit)


- Log -----------------------------------------------------------------
commit 9b86974e0c705ea321ddbc9a9d8562c894809e5b
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 17 15:21:33 2015 -0400

    Fix L<> content in manpages
    
    L<foo|foo> is sub-optimal  If the xref is the same as the title,
    which is what we do, then you only need L<foo>.  This fixes all
    1457 occurrences in 349 files.  Approximately.  (And pod used to
    need both.)
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/CA.pl.pod                             |   6 +-
 doc/apps/asn1parse.pod                         |   4 +-
 doc/apps/c_rehash.pod                          |   6 +-
 doc/apps/ca.pod                                |  12 +-
 doc/apps/ciphers.pod                           |   2 +-
 doc/apps/cms.pod                               |   8 +-
 doc/apps/config.pod                            |   2 +-
 doc/apps/crl.pod                               |   4 +-
 doc/apps/crl2pkcs7.pod                         |   2 +-
 doc/apps/dgst.pod                              |   4 +-
 doc/apps/dhparam.pod                           |   4 +-
 doc/apps/dsa.pod                               |   8 +-
 doc/apps/dsaparam.pod                          |   6 +-
 doc/apps/ec.pod                                |   6 +-
 doc/apps/ecparam.pod                           |   4 +-
 doc/apps/enc.pod                               |   2 +-
 doc/apps/errstr.pod                            |   6 +-
 doc/apps/gendsa.pod                            |   6 +-
 doc/apps/genpkey.pod                           |   2 +-
 doc/apps/genrsa.pod                            |   6 +-
 doc/apps/openssl.pod                           |  26 ++--
 doc/apps/pkcs12.pod                            |  12 +-
 doc/apps/pkcs7.pod                             |   2 +-
 doc/apps/pkcs8.pod                             |   8 +-
 doc/apps/pkey.pod                              |   8 +-
 doc/apps/pkeyparam.pod                         |   4 +-
 doc/apps/pkeyutl.pod                           |   6 +-
 doc/apps/rand.pod                              |   4 +-
 doc/apps/req.pod                               |  20 +--
 doc/apps/rsa.pod                               |   8 +-
 doc/apps/rsautl.pod                            |   2 +-
 doc/apps/s_client.pod                          |   8 +-
 doc/apps/s_server.pod                          |   8 +-
 doc/apps/s_time.pod                            |  14 +-
 doc/apps/sess_id.pod                           |   2 +-
 doc/apps/smime.pod                             |   6 +-
 doc/apps/spkac.pod                             |   4 +-
 doc/apps/ts.pod                                |  32 ++---
 doc/apps/tsget.pod                             |   2 +-
 doc/apps/verify.pod                            |   2 +-
 doc/apps/x509.pod                              |  10 +-
 doc/apps/x509v3_config.pod                     |   8 +-
 doc/crypto/ASN1_INTEGER_get_int64.pod          |   2 +-
 doc/crypto/ASN1_OBJECT_new.pod                 |   4 +-
 doc/crypto/ASN1_STRING_length.pod              |   2 +-
 doc/crypto/ASN1_STRING_new.pod                 |   2 +-
 doc/crypto/ASN1_STRING_print_ex.pod            |   4 +-
 doc/crypto/ASN1_generate_nconf.pod             |   4 +-
 doc/crypto/BIO_f_buffer.pod                    |  10 +-
 doc/crypto/BIO_f_ssl.pod                       |   2 +-
 doc/crypto/BIO_new_CMS.pod                     |   4 +-
 doc/crypto/BIO_read.pod                        |   6 +-
 doc/crypto/BIO_s_accept.pod                    |   2 +-
 doc/crypto/BIO_s_bio.pod                       |   4 +-
 doc/crypto/BIO_s_fd.pod                        |  12 +-
 doc/crypto/BIO_s_file.pod                      |  12 +-
 doc/crypto/BN_BLINDING_new.pod                 |   2 +-
 doc/crypto/BN_CTX_new.pod                      |  10 +-
 doc/crypto/BN_CTX_start.pod                    |   6 +-
 doc/crypto/BN_add.pod                          |  14 +-
 doc/crypto/BN_add_word.pod                     |   4 +-
 doc/crypto/BN_bn2bin.pod                       |   8 +-
 doc/crypto/BN_cmp.pod                          |   2 +-
 doc/crypto/BN_copy.pod                         |   4 +-
 doc/crypto/BN_generate_prime.pod               |   4 +-
 doc/crypto/BN_mod_inverse.pod                  |   4 +-
 doc/crypto/BN_mod_mul_montgomery.pod           |   8 +-
 doc/crypto/BN_mod_mul_reciprocal.pod           |   8 +-
 doc/crypto/BN_new.pod                          |   4 +-
 doc/crypto/BN_num_bytes.pod                    |   4 +-
 doc/crypto/BN_rand.pod                         |   6 +-
 doc/crypto/BN_set_bit.pod                      |   4 +-
 doc/crypto/BN_swap.pod                         |   2 +-
 doc/crypto/BN_zero.pod                         |   2 +-
 doc/crypto/CMS_add0_cert.pod                   |   6 +-
 doc/crypto/CMS_add1_recipient_cert.pod         |   4 +-
 doc/crypto/CMS_add1_signer.pod                 |   4 +-
 doc/crypto/CMS_compress.pod                    |   2 +-
 doc/crypto/CMS_decrypt.pod                     |   2 +-
 doc/crypto/CMS_encrypt.pod                     |   2 +-
 doc/crypto/CMS_final.pod                       |   4 +-
 doc/crypto/CMS_get0_RecipientInfos.pod         |   4 +-
 doc/crypto/CMS_get0_SignerInfos.pod            |   4 +-
 doc/crypto/CMS_get0_type.pod                   |   2 +-
 doc/crypto/CMS_get1_ReceiptRequest.pod         |   6 +-
 doc/crypto/CMS_sign.pod                        |   2 +-
 doc/crypto/CMS_sign_receipt.pod                |   6 +-
 doc/crypto/CMS_uncompress.pod                  |   2 +-
 doc/crypto/CMS_verify.pod                      |   4 +-
 doc/crypto/CMS_verify_receipt.pod              |   8 +-
 doc/crypto/CONF_modules_free.pod               |   4 +-
 doc/crypto/CONF_modules_load_file.pod          |   4 +-
 doc/crypto/CRYPTO_secure_malloc.pod            |   4 +-
 doc/crypto/CRYPTO_set_ex_data.pod              |   8 +-
 doc/crypto/DH_generate_key.pod                 |   4 +-
 doc/crypto/DH_generate_parameters.pod          |  10 +-
 doc/crypto/DH_get_ex_new_index.pod             |   2 +-
 doc/crypto/DH_new.pod                          |   8 +-
 doc/crypto/DH_set_method.pod                   |   4 +-
 doc/crypto/DH_size.pod                         |   4 +-
 doc/crypto/DSA_SIG_new.pod                     |   6 +-
 doc/crypto/DSA_do_sign.pod                     |  10 +-
 doc/crypto/DSA_dup_DH.pod                      |   4 +-
 doc/crypto/DSA_generate_key.pod                |   6 +-
 doc/crypto/DSA_generate_parameters.pod         |  10 +-
 doc/crypto/DSA_get_ex_new_index.pod            |   2 +-
 doc/crypto/DSA_new.pod                         |   8 +-
 doc/crypto/DSA_set_method.pod                  |   4 +-
 doc/crypto/DSA_sign.pod                        |   6 +-
 doc/crypto/DSA_size.pod                        |   2 +-
 doc/crypto/EC_GFp_simple_method.pod            |  14 +-
 doc/crypto/EC_GROUP_copy.pod                   |   8 +-
 doc/crypto/EC_GROUP_new.pod                    |   8 +-
 doc/crypto/EC_KEY_new.pod                      |  18 +--
 doc/crypto/EC_POINT_add.pod                    |   8 +-
 doc/crypto/EC_POINT_new.pod                    |   6 +-
 doc/crypto/ERR_GET_LIB.pod                     |   2 +-
 doc/crypto/ERR_clear_error.pod                 |   2 +-
 doc/crypto/ERR_error_string.pod                |  14 +-
 doc/crypto/ERR_get_error.pod                   |   8 +-
 doc/crypto/ERR_load_crypto_strings.pod         |   2 +-
 doc/crypto/ERR_load_strings.pod                |   2 +-
 doc/crypto/ERR_print_errors.pod                |   8 +-
 doc/crypto/ERR_put_error.pod                   |   4 +-
 doc/crypto/ERR_remove_state.pod                |   2 +-
 doc/crypto/ERR_set_mark.pod                    |   2 +-
 doc/crypto/EVP_BytesToKey.pod                  |   6 +-
 doc/crypto/EVP_DigestInit.pod                  |   4 +-
 doc/crypto/EVP_DigestSignInit.pod              |  12 +-
 doc/crypto/EVP_DigestVerifyInit.pod            |  12 +-
 doc/crypto/EVP_EncryptInit.pod                 |   2 +-
 doc/crypto/EVP_OpenInit.pod                    |   8 +-
 doc/crypto/EVP_PKEY_CTX_ctrl.pod               |  16 +--
 doc/crypto/EVP_PKEY_CTX_new.pod                |   2 +-
 doc/crypto/EVP_PKEY_cmp.pod                    |   4 +-
 doc/crypto/EVP_PKEY_decrypt.pod                |  12 +-
 doc/crypto/EVP_PKEY_derive.pod                 |  12 +-
 doc/crypto/EVP_PKEY_encrypt.pod                |  20 +--
 doc/crypto/EVP_PKEY_get_default_digest.pod     |   8 +-
 doc/crypto/EVP_PKEY_keygen.pod                 |  14 +-
 doc/crypto/EVP_PKEY_new.pod                    |   4 +-
 doc/crypto/EVP_PKEY_print_private.pod          |   4 +-
 doc/crypto/EVP_PKEY_set1_RSA.pod               |   2 +-
 doc/crypto/EVP_PKEY_sign.pod                   |  20 +--
 doc/crypto/EVP_PKEY_verify.pod                 |  12 +-
 doc/crypto/EVP_PKEY_verify_recover.pod         |  12 +-
 doc/crypto/EVP_SealInit.pod                    |   8 +-
 doc/crypto/EVP_SignInit.pod                    |  14 +-
 doc/crypto/EVP_VerifyInit.pod                  |  16 +--
 doc/crypto/OBJ_nid2obj.pod                     |   2 +-
 doc/crypto/OCSP_REQUEST_new.pod                |  12 +-
 doc/crypto/OCSP_cert_to_id.pod                 |  12 +-
 doc/crypto/OCSP_request_add1_nonce.pod         |  12 +-
 doc/crypto/OCSP_response_find_status.pod       |  12 +-
 doc/crypto/OCSP_response_status.pod            |  12 +-
 doc/crypto/OCSP_sendreq_new.pod                |  12 +-
 doc/crypto/OPENSSL_VERSION_NUMBER.pod          |   2 +-
 doc/crypto/OPENSSL_config.pod                  |   6 +-
 doc/crypto/OPENSSL_load_builtin_modules.pod    |   2 +-
 doc/crypto/OpenSSL_add_all_algorithms.pod      |   4 +-
 doc/crypto/PEM_write_bio_CMS_stream.pod        |  10 +-
 doc/crypto/PEM_write_bio_PKCS7_stream.pod      |  10 +-
 doc/crypto/PKCS12_create.pod                   |   2 +-
 doc/crypto/PKCS12_parse.pod                    |   4 +-
 doc/crypto/PKCS5_PBKDF2_HMAC.pod               |   4 +-
 doc/crypto/PKCS7_decrypt.pod                   |   2 +-
 doc/crypto/PKCS7_encrypt.pod                   |   2 +-
 doc/crypto/PKCS7_sign.pod                      |   2 +-
 doc/crypto/PKCS7_sign_add_signer.pod           |   4 +-
 doc/crypto/PKCS7_verify.pod                    |   4 +-
 doc/crypto/RAND_add.pod                        |   8 +-
 doc/crypto/RAND_bytes.pod                      |   6 +-
 doc/crypto/RAND_cleanup.pod                    |   2 +-
 doc/crypto/RAND_egd.pod                        |  10 +-
 doc/crypto/RAND_load_file.pod                  |   2 +-
 doc/crypto/RAND_set_rand_method.pod            |   2 +-
 doc/crypto/RSA_blinding_on.pod                 |   2 +-
 doc/crypto/RSA_check_key.pod                   |  10 +-
 doc/crypto/RSA_generate_key.pod                |  12 +-
 doc/crypto/RSA_get_ex_new_index.pod            |   4 +-
 doc/crypto/RSA_new.pod                         |   8 +-
 doc/crypto/RSA_padding_add_PKCS1_type_1.pod    |   8 +-
 doc/crypto/RSA_print.pod                       |   2 +-
 doc/crypto/RSA_private_encrypt.pod             |   8 +-
 doc/crypto/RSA_public_encrypt.pod              |   6 +-
 doc/crypto/RSA_set_method.pod                  |   4 +-
 doc/crypto/RSA_sign.pod                        |  12 +-
 doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod      |   8 +-
 doc/crypto/RSA_size.pod                        |   2 +-
 doc/crypto/SMIME_read_CMS.pod                  |   8 +-
 doc/crypto/SMIME_read_PKCS7.pod                |   8 +-
 doc/crypto/SMIME_write_CMS.pod                 |   6 +-
 doc/crypto/SMIME_write_PKCS7.pod               |   6 +-
 doc/crypto/SSLeay_version.pod                  |   2 +-
 doc/crypto/X509_NAME_ENTRY_get_object.pod      |   4 +-
 doc/crypto/X509_NAME_add_entry_by_txt.pod      |   2 +-
 doc/crypto/X509_NAME_get_index_by_NID.pod      |   2 +-
 doc/crypto/X509_NAME_print_ex.pod              |   4 +-
 doc/crypto/X509_STORE_CTX_get_error.pod        |   2 +-
 doc/crypto/X509_STORE_CTX_get_ex_new_index.pod |   2 +-
 doc/crypto/X509_STORE_CTX_new.pod              |   4 +-
 doc/crypto/X509_STORE_CTX_set_verify_cb.pod    |   6 +-
 doc/crypto/X509_STORE_set_verify_cb_func.pod   |   4 +-
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod     |   8 +-
 doc/crypto/X509_check_host.pod                 |  12 +-
 doc/crypto/X509_new.pod                        |   4 +-
 doc/crypto/X509_verify_cert.pod                |   4 +-
 doc/crypto/bio.pod                             |  28 ++--
 doc/crypto/blowfish.pod                        |   8 +-
 doc/crypto/bn.pod                              |  36 +++---
 doc/crypto/bn_internal.pod                     |   4 +-
 doc/crypto/buffer.pod                          |   2 +-
 doc/crypto/crypto.pod                          |  30 ++---
 doc/crypto/d2i_ASN1_OBJECT.pod                 |   4 +-
 doc/crypto/d2i_CMS_ContentInfo.pod             |   4 +-
 doc/crypto/d2i_DHparams.pod                    |   4 +-
 doc/crypto/d2i_DSAPublicKey.pod                |   4 +-
 doc/crypto/d2i_ECPKParameters.pod              |   8 +-
 doc/crypto/d2i_ECPrivateKey.pod                |  20 +--
 doc/crypto/d2i_PKCS8PrivateKey.pod             |   8 +-
 doc/crypto/d2i_RSAPublicKey.pod                |   4 +-
 doc/crypto/d2i_X509.pod                        |   8 +-
 doc/crypto/d2i_X509_ALGOR.pod                  |   4 +-
 doc/crypto/d2i_X509_CRL.pod                    |   4 +-
 doc/crypto/d2i_X509_NAME.pod                   |   4 +-
 doc/crypto/d2i_X509_REQ.pod                    |   4 +-
 doc/crypto/d2i_X509_SIG.pod                    |   4 +-
 doc/crypto/des.pod                             |  12 +-
 doc/crypto/des_modes.pod                       |   4 +-
 doc/crypto/dh.pod                              |  16 +--
 doc/crypto/dsa.pod                             |  26 ++--
 doc/crypto/ec.pod                              |  20 +--
 doc/crypto/ecdsa.pod                           |   4 +-
 doc/crypto/engine.pod                          |   2 +-
 doc/crypto/err.pod                             |  32 ++---
 doc/crypto/evp.pod                             |  72 +++++------
 doc/crypto/hmac.pod                            |   2 +-
 doc/crypto/i2d_CMS_bio_stream.pod              |  10 +-
 doc/crypto/i2d_PKCS7_bio_stream.pod            |  10 +-
 doc/crypto/lh_stats.pod                        |   2 +-
 doc/crypto/lhash.pod                           |   2 +-
 doc/crypto/md5.pod                             |   4 +-
 doc/crypto/mdc2.pod                            |   4 +-
 doc/crypto/rand.pod                            |  18 +--
 doc/crypto/rc4.pod                             |   4 +-
 doc/crypto/ripemd.pod                          |   4 +-
 doc/crypto/rsa.pod                             |  24 ++--
 doc/crypto/sha.pod                             |   4 +-
 doc/crypto/threads.pod                         |   2 +-
 doc/crypto/ui.pod                              |   4 +-
 doc/crypto/x509.pod                            |  26 ++--
 doc/ssl/SSL_CIPHER_get_name.pod                |   4 +-
 doc/ssl/SSL_COMP_add_compression_method.pod    |   2 +-
 doc/ssl/SSL_CONF_CTX_new.pod                   |  10 +-
 doc/ssl/SSL_CONF_CTX_set1_prefix.pod           |  10 +-
 doc/ssl/SSL_CONF_CTX_set_flags.pod             |  10 +-
 doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod           |  10 +-
 doc/ssl/SSL_CONF_cmd.pod                       |  10 +-
 doc/ssl/SSL_CONF_cmd_argv.pod                  |  10 +-
 doc/ssl/SSL_CTX_add1_chain_cert.pod            |   2 +-
 doc/ssl/SSL_CTX_add_extra_chain_cert.pod       |  30 ++---
 doc/ssl/SSL_CTX_add_session.pod                |  10 +-
 doc/ssl/SSL_CTX_ctrl.pod                       |   2 +-
 doc/ssl/SSL_CTX_flush_sessions.pod             |  12 +-
 doc/ssl/SSL_CTX_free.pod                       |   4 +-
 doc/ssl/SSL_CTX_get0_param.pod                 |   2 +-
 doc/ssl/SSL_CTX_get_ex_new_index.pod           |  10 +-
 doc/ssl/SSL_CTX_get_verify_mode.pod            |   2 +-
 doc/ssl/SSL_CTX_load_verify_locations.pod      |  18 +--
 doc/ssl/SSL_CTX_new.pod                        |   4 +-
 doc/ssl/SSL_CTX_sess_number.pod                |   8 +-
 doc/ssl/SSL_CTX_sess_set_cache_size.pod        |  10 +-
 doc/ssl/SSL_CTX_sess_set_get_cb.pod            |  20 +--
 doc/ssl/SSL_CTX_sessions.pod                   |  12 +-
 doc/ssl/SSL_CTX_set1_curves.pod                |   2 +-
 doc/ssl/SSL_CTX_set1_sigalgs.pod               |   4 +-
 doc/ssl/SSL_CTX_set1_verify_cert_store.pod     |  26 ++--
 doc/ssl/SSL_CTX_set_cert_cb.pod                |  10 +-
 doc/ssl/SSL_CTX_set_cert_store.pod             |  12 +-
 doc/ssl/SSL_CTX_set_cert_verify_callback.pod   |  12 +-
 doc/ssl/SSL_CTX_set_cipher_list.pod            |  18 +--
 doc/ssl/SSL_CTX_set_client_CA_list.pod         |  12 +-
 doc/ssl/SSL_CTX_set_client_cert_cb.pod         |  20 +--
 doc/ssl/SSL_CTX_set_default_passwd_cb.pod      |   4 +-
 doc/ssl/SSL_CTX_set_generate_session_id.pod    |   2 +-
 doc/ssl/SSL_CTX_set_info_callback.pod          |   8 +-
 doc/ssl/SSL_CTX_set_max_cert_list.pod          |   8 +-
 doc/ssl/SSL_CTX_set_mode.pod                   |   4 +-
 doc/ssl/SSL_CTX_set_msg_callback.pod           |   4 +-
 doc/ssl/SSL_CTX_set_options.pod                |  14 +-
 doc/ssl/SSL_CTX_set_quiet_shutdown.pod         |  20 +--
 doc/ssl/SSL_CTX_set_read_ahead.pod             |   2 +-
 doc/ssl/SSL_CTX_set_session_cache_mode.pod     |  28 ++--
 doc/ssl/SSL_CTX_set_session_id_context.pod     |   2 +-
 doc/ssl/SSL_CTX_set_ssl_version.pod            |  14 +-
 doc/ssl/SSL_CTX_set_timeout.pod                |  18 +--
 doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod   |  12 +-
 doc/ssl/SSL_CTX_set_tmp_dh_callback.pod        |  12 +-
 doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod       |  10 +-
 doc/ssl/SSL_CTX_set_verify.pod                 |  28 ++--
 doc/ssl/SSL_CTX_use_certificate.pod            |  26 ++--
 doc/ssl/SSL_SESSION_free.pod                   |  16 +--
 doc/ssl/SSL_SESSION_get_ex_new_index.pod       |  10 +-
 doc/ssl/SSL_SESSION_get_time.pod               |   8 +-
 doc/ssl/SSL_SESSION_has_ticket.pod             |   8 +-
 doc/ssl/SSL_accept.pod                         |  10 +-
 doc/ssl/SSL_alert_type_string.pod              |   2 +-
 doc/ssl/SSL_check_chain.pod                    |   4 +-
 doc/ssl/SSL_clear.pod                          |  24 ++--
 doc/ssl/SSL_connect.pod                        |  10 +-
 doc/ssl/SSL_do_handshake.pod                   |  10 +-
 doc/ssl/SSL_free.pod                           |  10 +-
 doc/ssl/SSL_get_SSL_CTX.pod                    |   4 +-
 doc/ssl/SSL_get_ciphers.pod                    |   6 +-
 doc/ssl/SSL_get_client_CA_list.pod             |  10 +-
 doc/ssl/SSL_get_client_random.pod              |   6 +-
 doc/ssl/SSL_get_current_cipher.pod             |   4 +-
 doc/ssl/SSL_get_default_timeout.pod            |  12 +-
 doc/ssl/SSL_get_error.pod                      |   2 +-
 doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod |   6 +-
 doc/ssl/SSL_get_ex_new_index.pod               |  14 +-
 doc/ssl/SSL_get_extms_support.pod              |   2 +-
 doc/ssl/SSL_get_fd.pod                         |   2 +-
 doc/ssl/SSL_get_peer_cert_chain.pod            |   4 +-
 doc/ssl/SSL_get_peer_certificate.pod           |   8 +-
 doc/ssl/SSL_get_rbio.pod                       |   2 +-
 doc/ssl/SSL_get_session.pod                    |  14 +-
 doc/ssl/SSL_get_shared_sigalgs.pod             |   4 +-
 doc/ssl/SSL_get_verify_result.pod              |  10 +-
 doc/ssl/SSL_get_version.pod                    |   2 +-
 doc/ssl/SSL_library_init.pod                   |   4 +-
 doc/ssl/SSL_load_client_CA_file.pod            |   6 +-
 doc/ssl/SSL_new.pod                            |   8 +-
 doc/ssl/SSL_pending.pod                        |   8 +-
 doc/ssl/SSL_read.pod                           |  32 ++---
 doc/ssl/SSL_rstate_string.pod                  |   2 +-
 doc/ssl/SSL_session_reused.pod                 |   4 +-
 doc/ssl/SSL_set_bio.pod                        |   6 +-
 doc/ssl/SSL_set_connect_state.pod              |  20 +--
 doc/ssl/SSL_set_fd.pod                         |   6 +-
 doc/ssl/SSL_set_session.pod                    |  10 +-
 doc/ssl/SSL_set_shutdown.pod                   |  12 +-
 doc/ssl/SSL_set_verify_result.pod              |   8 +-
 doc/ssl/SSL_shutdown.pod                       |  20 +--
 doc/ssl/SSL_state_string.pod                   |   2 +-
 doc/ssl/SSL_want.pod                           |  16 +--
 doc/ssl/SSL_write.pod                          |  24 ++--
 doc/ssl/d2i_SSL_SESSION.pod                    |   8 +-
 doc/ssl/ssl.pod                                | 170 ++++++++++++-------------
 349 files changed, 1468 insertions(+), 1468 deletions(-)

diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod
index 92ae288..35a40aa 100644
--- a/doc/apps/CA.pl.pod
+++ b/doc/apps/CA.pl.pod
@@ -128,7 +128,7 @@ the request and finally create a PKCS#12 file containing it.
 =head1 DSA CERTIFICATES
 
 Although the B<CA.pl> creates RSA CAs and requests it is still possible to
-use it with DSA certificates and requests using the L<req(1)|req(1)> command
+use it with DSA certificates and requests using the L<req(1)> command
 directly. The following example shows the steps that would typically be taken.
 
 Create some DSA parameters:
@@ -184,7 +184,7 @@ configuration file, not just its directory.
 
 =head1 SEE ALSO
 
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<req(1)|req(1)>, L<pkcs12(1)|pkcs12(1)>,
-L<config(5)|config(5)>
+L<x509(1)>, L<ca(1)>, L<req(1)>, L<pkcs12(1)>,
+L<config(5)>
 
 =cut
diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod
index b44fb9f..afe94b0 100644
--- a/doc/apps/asn1parse.pod
+++ b/doc/apps/asn1parse.pod
@@ -83,7 +83,7 @@ option can be used multiple times to "drill down" into a nested structure.
 =item B<-genstr string>, B<-genconf file>
 
 generate encoded data based on B<string>, B<file> or both using
-L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format. If B<file> only is
+L<ASN1_generate_nconf(3)> format. If B<file> only is
 present then the string is obtained from the default section using the name
 B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
 though it came from a file, the contents can thus be examined and written to a
@@ -189,6 +189,6 @@ ASN.1 types is not well handled (if at all).
 
 =head1 SEE ALSO
 
-L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>
+L<ASN1_generate_nconf(3)>
 
 =cut
diff --git a/doc/apps/c_rehash.pod b/doc/apps/c_rehash.pod
index c3d98b6..e0a3d19 100644
--- a/doc/apps/c_rehash.pod
+++ b/doc/apps/c_rehash.pod
@@ -109,6 +109,6 @@ Ignored if directories are listed on the command line.
 
 =head1 SEE ALSO
 
-L<openssl(1)|openssl(1)>,
-L<crl(1)|crl(1)>.
-L<x509(1)|x509(1)>.
+L<openssl(1)>,
+L<crl(1)>.
+L<x509(1)>.
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 1d18070..be0153a 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -141,7 +141,7 @@ self-signed certificate.
 =item B<-passin arg>
 
 the key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-verbose>
 
@@ -214,7 +214,7 @@ to be added when a certificate is issued (defaults to B<x509_extensions>
 unless the B<-extfile> option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
 is present (even if it is empty), then a V3 certificate is created. See the:w
-L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+L<x509v3_config(5)> manual page for details of the
 extension section format.
 
 =item B<-extfile file>
@@ -319,7 +319,7 @@ created, if the CRL extension section is present (even if it is
 empty) then a V2 CRL is created. The CRL extensions specified are
 CRL extensions and B<not> CRL entry extensions.  It should be noted
 that some software (for example Netscape) can't handle V2 CRLs. See
-L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+L<x509v3_config(5)> manual page for details of the
 extension section format.
 
 =back
@@ -380,7 +380,7 @@ CA private key. Mandatory.
 =item B<RANDFILE>
 
 a file used to read and write random number seed information, or
-an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+an EGD socket (see L<RAND_egd(3)>).
 
 =item B<default_days>
 
@@ -690,7 +690,7 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
 
 =head1 SEE ALSO
 
-L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
-L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)> 
+L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
+L<config(5)>, L<x509v3_config(5)> 
 
 =cut
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 3f146e8..64f122f 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -721,7 +721,7 @@ Set security level to 2 and display all ciphers consistent with level 2:
 
 =head1 SEE ALSO
 
-L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ssl(3)|ssl(3)>
+L<s_client(1)>, L<s_server(1)>, L<ssl(3)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index 9001371..6b4beb4 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -434,12 +434,12 @@ or to modify default parameters for ECDH.
 =item B<-passin arg>
 
 the private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -465,7 +465,7 @@ B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set various certificate chain validation options. See the
-L<B<verify>|verify(1)> manual page for details.
+L<verify(1)> manual page for details.
 
 =back
 
@@ -515,7 +515,7 @@ tried whether they succeed or not and if no recipients match the message
 is "decrypted" using a random key which will typically output garbage. 
 The B<-debug_decrypt> option can be used to disable the MMA attack protection
 and return an error if no recipient can be found: this option should be used
-with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>).
+with caution. For a fuller description see L<CMS_decrypt(3)>).
 
 =head1 EXIT CODES
 
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index e125915..22bb6c5 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -345,6 +345,6 @@ file.
 
 =head1 SEE ALSO
 
-L<x509(1)|x509(1)>, L<req(1)|req(1)>, L<ca(1)|ca(1)>
+L<x509(1)>, L<req(1)>, L<ca(1)>
 
 =cut
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index 044a9da..7dccbcc 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -57,7 +57,7 @@ print out the CRL in text form.
 =item B<-nameopt option>
 
 option which determines how the subject or issuer names are displayed. See
-the description of B<-nameopt> in L<x509(1)|x509(1)>.
+the description of B<-nameopt> in L<x509(1)>.
 
 =item B<-noout>
 
@@ -123,6 +123,6 @@ and files too.
 
 =head1 SEE ALSO
 
-L<crl2pkcs7(1)|crl2pkcs7(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
+L<crl2pkcs7(1)>, L<ca(1)>, L<x509(1)>
 
 =cut
diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod
index 3797bc0..1a6e362 100644
--- a/doc/apps/crl2pkcs7.pod
+++ b/doc/apps/crl2pkcs7.pod
@@ -86,6 +86,6 @@ install user certificates and CAs in MSIE using the Xenroll control.
 
 =head1 SEE ALSO
 
-L<pkcs7(1)|pkcs7(1)>
+L<pkcs7(1)>
 
 =cut
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 236e1b7..8c416f2 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -101,7 +101,7 @@ Names and values of these options are algorithm-specific.
 =item B<-passin arg>
 
 the private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-verify filename>
 
@@ -152,7 +152,7 @@ for example exactly 32 chars for gost-mac.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others. 
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod
index 1cd4c76..8bb196d 100644
--- a/doc/apps/dhparam.pod
+++ b/doc/apps/dhparam.pod
@@ -79,7 +79,7 @@ default generator 2.
 =item B<-rand> I<file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -139,7 +139,7 @@ There should be a way to generate and manipulate DH keys.
 
 =head1 SEE ALSO
 
-L<dsaparam(1)|dsaparam(1)>
+L<dsaparam(1)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod
index 8bf6cc9..4331cc3 100644
--- a/doc/apps/dsa.pod
+++ b/doc/apps/dsa.pod
@@ -66,7 +66,7 @@ prompted for.
 =item B<-passin arg>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
@@ -78,7 +78,7 @@ filename.
 =item B<-passout arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
@@ -158,7 +158,7 @@ To just output the public part of a private key:
 
 =head1 SEE ALSO
 
-L<dsaparam(1)|dsaparam(1)>, L<gendsa(1)|gendsa(1)>, L<rsa(1)|rsa(1)>,
-L<genrsa(1)|genrsa(1)>
+L<dsaparam(1)>, L<gendsa(1)>, L<rsa(1)>,
+L<genrsa(1)>
 
 =cut
diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod
index ba5ec4d..1933857 100644
--- a/doc/apps/dsaparam.pod
+++ b/doc/apps/dsaparam.pod
@@ -72,7 +72,7 @@ parameters.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -104,7 +104,7 @@ DSA parameters is often used to generate several distinct keys.
 
 =head1 SEE ALSO
 
-L<gendsa(1)|gendsa(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<rsa(1)|rsa(1)>
+L<gendsa(1)>, L<dsa(1)>, L<genrsa(1)>,
+L<rsa(1)>
 
 =cut
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod
index 5c7b45d..ebc49ea 100644
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -60,7 +60,7 @@ prompted for.
 =item B<-passin arg>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
@@ -72,7 +72,7 @@ filename.
 =item B<-passout arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-des|-des3|-idea>
 
@@ -177,7 +177,7 @@ To change the point conversion form to B<compressed>:
 
 =head1 SEE ALSO
 
-L<ecparam(1)|ecparam(1)>, L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>
+L<ecparam(1)>, L<dsa(1)>, L<rsa(1)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index 88e9d1e..bfb155a 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -114,7 +114,7 @@ This option will generate a EC private key using the specified parameters.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -166,7 +166,7 @@ To print out the EC parameters to standard output:
 
 =head1 SEE ALSO
 
-L<ec(1)|ec(1)>, L<dsaparam(1)|dsaparam(1)>
+L<ec(1)>, L<dsaparam(1)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 8f4ef99..1d25cf3 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -53,7 +53,7 @@ the output filename, standard output by default.
 =item B<-pass arg>
 
 the password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-salt>
 
diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod
index b3c6ccf..02bd3dc 100644
--- a/doc/apps/errstr.pod
+++ b/doc/apps/errstr.pod
@@ -31,9 +31,9 @@ to produce the error message:
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+L<err(3)>,
+L<ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)>
 
 
 =cut
diff --git a/doc/apps/gendsa.pod b/doc/apps/gendsa.pod
index d9f56be..9a8278f 100644
--- a/doc/apps/gendsa.pod
+++ b/doc/apps/gendsa.pod
@@ -39,7 +39,7 @@ If none of these options is specified no encryption is used.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -66,7 +66,7 @@ much quicker that RSA key generation for example.
 
 =head1 SEE ALSO
 
-L<dsaparam(1)|dsaparam(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<rsa(1)|rsa(1)>
+L<dsaparam(1)>, L<dsa(1)>, L<genrsa(1)>,
+L<rsa(1)>
 
 =cut
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 0bce0b5..d574caa 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -38,7 +38,7 @@ This specifies the output format DER or PEM.
 =item B<-pass arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-cipher>
 
diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index cb03d09..c27f773 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -46,7 +46,7 @@ used.
 =item B<-passout arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
@@ -62,7 +62,7 @@ the public exponent to use, either 65537 or 3. The default is 65537.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -102,7 +102,7 @@ be much larger (typically 1024 bits).
 
 =head1 SEE ALSO
 
-L<gendsa(1)|gendsa(1)>
+L<gendsa(1)>
 
 =cut
 
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod
index 3e651b8..d996eda 100644
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -396,19 +396,19 @@ read the password from standard input.
 
 =head1 SEE ALSO
 
-L<asn1parse(1)|asn1parse(1)>, L<ca(1)|ca(1)>, L<config(5)|config(5)>,
-L<crl(1)|crl(1)>, L<crl2pkcs7(1)|crl2pkcs7(1)>, L<dgst(1)|dgst(1)>,
-L<dhparam(1)|dhparam(1)>, L<dsa(1)|dsa(1)>, L<dsaparam(1)|dsaparam(1)>,
-L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>, L<genpkey(1)|genpkey(1)>,
-L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
-L<passwd(1)|passwd(1)>,
-L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
-L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
-L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
-L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
-L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
-L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)>
+L<asn1parse(1)>, L<ca(1)>, L<config(5)>,
+L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
+L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
+L<enc(1)>, L<gendsa(1)>, L<genpkey(1)>,
+L<genrsa(1)>, L<nseq(1)>, L<openssl(1)>,
+L<passwd(1)>,
+L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
+L<rand(1)>, L<req(1)>, L<rsa(1)>,
+L<rsautl(1)>, L<s_client(1)>,
+L<s_server(1)>, L<s_time(1)>,
+L<smime(1)>, L<spkac(1)>,
+L<verify(1)>, L<version(1)>, L<x509(1)>,
+L<crypto(3)>, L<ssl(3)>, L<x509v3_config(5)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index 7449848..f956c8e 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -71,13 +71,13 @@ default.  They are all written in PEM format.
 
 the PKCS#12 file (i.e. input file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)|openssl(1)>.
+L<openssl(1)>.
 
 =item B<-passout arg>
 
 pass phrase source to encrypt any outputted private keys with. For more
 information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
-in L<openssl(1)|openssl(1)>.
+in L<openssl(1)>.
 
 =item B<-password arg>
 
@@ -192,13 +192,13 @@ displays them.
 
 the PKCS#12 file (i.e. output file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)|openssl(1)>.
+L<openssl(1)>.
 
 =item B<-passin password>
 
 pass phrase source to decrypt any input private keys with. For more information
 about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-L<openssl(1)|openssl(1)>.
+L<openssl(1)>.
 
 =item B<-chain>
 
@@ -266,7 +266,7 @@ don't attempt to provide the MAC integrity.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -364,5 +364,5 @@ file from the keys and certificates using a newer version of OpenSSL. For exampl
 
 =head1 SEE ALSO
 
-L<pkcs8(1)|pkcs8(1)>
+L<pkcs8(1)>
 
diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod
index acfb810..024175e 100644
--- a/doc/apps/pkcs7.pod
+++ b/doc/apps/pkcs7.pod
@@ -100,6 +100,6 @@ cannot currently parse, for example, the new CMS as described in RFC2630.
 
 =head1 SEE ALSO
 
-L<crl2pkcs7(1)|crl2pkcs7(1)>
+L<crl2pkcs7(1)>
 
 =cut
diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod
index 433e55c..ed8c4ad 100644
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -67,7 +67,7 @@ prompted for.
 =item B<-passin arg>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
@@ -79,7 +79,7 @@ filename.
 =item B<-passout arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-iter count>
 
@@ -276,8 +276,8 @@ the old format at present.
 
 =head1 SEE ALSO
 
-L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)> 
+L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
+L<gendsa(1)> 
 
 =head1 HISTORY
 
diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod
index 4851223..68f9409 100644
--- a/doc/apps/pkey.pod
+++ b/doc/apps/pkey.pod
@@ -49,7 +49,7 @@ prompted for.
 =item B<-passin arg>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
@@ -61,7 +61,7 @@ filename.
 =item B<-passout password>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-cipher>
 
@@ -129,7 +129,7 @@ To just output the public part of a private key:
 
 =head1 SEE ALSO
 
-L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)> 
+L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>,
+L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> 
 
 =cut
diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod
index 154f672..acfe9f9 100644
--- a/doc/apps/pkeyparam.pod
+++ b/doc/apps/pkeyparam.pod
@@ -63,7 +63,7 @@ PEM format is supported because the key type is determined by the PEM headers.
 
 =head1 SEE ALSO
 
-L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)> 
+L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>,
+L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> 
 
 =cut
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod
index 1f7596d..b437635 100644
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -59,7 +59,7 @@ the key format PEM, DER or ENGINE.
 =item B<-passin arg>
 
 the input key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 
 =item B<-peerkey file>
@@ -218,5 +218,5 @@ Derive a shared secret value:
 
 =head1 SEE ALSO
 
-L<genpkey(1)|genpkey(1)>, L<pkey(1)|pkey(1)>, L<rsautl(1)|rsautl(1)>
-L<dgst(1)|dgst(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>
+L<genpkey(1)>, L<pkey(1)>, L<rsautl(1)>
+L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
diff --git a/doc/apps/rand.pod b/doc/apps/rand.pod
index d1d213e..3679e6b 100644
--- a/doc/apps/rand.pod
+++ b/doc/apps/rand.pod
@@ -32,7 +32,7 @@ Write to I<file> instead of standard output.
 
 =item B<-rand> I<file(s)>
 
-Use specified file or files or EGD socket (see L<RAND_egd(3)|RAND_egd(3)>)
+Use specified file or files or EGD socket (see L<RAND_egd(3)>)
 for seeding the random number generator.
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -50,6 +50,6 @@ Show the output as a hex string.
 
 =head1 SEE ALSO
 
-L<RAND_bytes(3)|RAND_bytes(3)>
+L<RAND_bytes(3)>
 
 =cut
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 2ce2bca..ae884a2 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -79,7 +79,7 @@ options (B<-new> and B<-newkey>) are not specified.
 =item B<-passin arg>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
@@ -89,7 +89,7 @@ default.
 =item B<-passout arg>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-text>
 
@@ -137,7 +137,7 @@ characters may be escaped by \ (backslash), no spaces are skipped.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -270,14 +270,14 @@ configuration file, must be valid UTF8 strings.
 option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
-set multiple options. See the L<x509(1)|x509(1)> manual page for details.
+set multiple options. See the L<x509(1)> manual page for details.
 
 =item B<-reqopt>
 
 customise the output format used with B<-text>. The B<option> argument can be
 a single option or multiple options separated by commas. 
 
-See discussion of the  B<-certopt> parameter in the L<B<x509>|x509(1)>
+See discussion of the  B<-certopt> parameter in the L<x509(1)>
 command.
 
 
@@ -374,7 +374,7 @@ and long names are the same when this option is used.
 =item B<RANDFILE>
 
 This specifies a filename in which random number seed information is
-placed and read from, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+placed and read from, or an EGD socket (see L<RAND_egd(3)>).
 It is used for private key generation.
 
 =item B<encrypt_key>
@@ -408,7 +408,7 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
 this specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
 by the B<-reqexts> command line switch. See the 
-L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+L<x509v3_config(5)> manual page for details of the
 extension section format.
 
 =item B<x509_extensions>
@@ -670,8 +670,8 @@ address in subjectAltName should be input by the user.
 
 =head1 SEE ALSO
 
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>,
-L<x509v3_config(5)|x509v3_config(5)> 
+L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
+L<gendsa(1)>, L<config(5)>,
+L<x509v3_config(5)> 
 
 =cut
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod
index 734c602..427c6c6 100644
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -68,7 +68,7 @@ prompted for.
 =item B<-passin arg>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
 
@@ -80,7 +80,7 @@ filename.
 =item B<-passout password>
 
 the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
@@ -197,7 +197,7 @@ without having to manually edit them.
 
 =head1 SEE ALSO
 
-L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)> 
+L<pkcs8(1)>, L<dsa(1)>, L<genrsa(1)>,
+L<gendsa(1)> 
 
 =cut
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index 1a498c2..bc87674 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -180,4 +180,4 @@ which it can be seen agrees with the recovered value above.
 
 =head1 SEE ALSO
 
-L<dgst(1)|dgst(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>
+L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index e91b9f1..04982e6 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -132,7 +132,7 @@ The private format to use: DER or PEM. PEM is the default.
 =item B<-pass arg>
 
 the private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-verify depth>
 
@@ -167,7 +167,7 @@ B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set various certificate chain validation options. See the
-L<B<verify>|verify(1)> manual page for details.
+L<verify(1)> manual page for details.
 
 =item B<-reconnect>
 
@@ -325,7 +325,7 @@ for all available algorithms.
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -417,7 +417,7 @@ information whenever a session is renegotiated.
 
 =head1 SEE ALSO
 
-L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+L<sess_id(1)>, L<s_server(1)>, L<ciphers(1)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index b2c2907..567df2c 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -139,7 +139,7 @@ The private format to use: DER or PEM. PEM is the default.
 =item B<-pass arg>
 
 the private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-dcert filename>, B<-dkey keyname>
 
@@ -222,7 +222,7 @@ B<-no_alt_chains>, B<-use_deltas>, B<-verify_depth>, B<-verify_email>,
 B<-verify_hostname>, B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set different peer certificate verification options.
-See the L<B<verify>|verify(1)> manual page for details.
+See the L<verify(1)> manual page for details.
 
 =item B<-verify_return_error>
 
@@ -356,7 +356,7 @@ IDs (eg. with a certain prefix).
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -474,7 +474,7 @@ unknown cipher suites a client says it supports.
 
 =head1 SEE ALSO
 
-L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
+L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index b8dad09..50ac0e0 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -97,7 +97,7 @@ these options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
 servers and permit them to use SSL v3 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
-the L<s_client(1)|s_client(1)> program and may not connect to all servers.
+the L<s_client(1)> program and may not connect to all servers.
 
 Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
@@ -113,7 +113,7 @@ option enables various workarounds.
 this allows the cipher list sent by the client to be modified. Although
 the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client.
-See the L<ciphers(1)|ciphers(1)> command for more information.
+See the L<ciphers(1)> command for more information.
 
 =item B<-time length>
 
@@ -131,7 +131,7 @@ To connect to an SSL HTTP server and get the default page the command
  openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
 
 would typically be used (https uses port 443). 'commoncipher' is a cipher to
-which both client and server can agree, see the L<ciphers(1)|ciphers(1)> command
+which both client and server can agree, see the L<ciphers(1)> command
 for details.
 
 If the handshake fails then there are several possible causes, if it is
@@ -144,10 +144,10 @@ A frequent problem when attempting to get client certificates working
 is that a web client complains it has no certificates or gives an empty
 list to choose from. This is normally because the server is not sending
 the clients certificate authority in its "acceptable CA list" when it
-requests a certificate. By using L<s_client(1)|s_client(1)> the CA list can be
+requests a certificate. By using L<s_client(1)> the CA list can be
 viewed and checked. However some servers only request client authentication
 after a specific URL is requested. To obtain the list in this case it
-is necessary to use the B<-prexit> option of L<s_client(1)|s_client(1)> and
+is necessary to use the B<-prexit> option of L<s_client(1)> and
 send an HTTP request for an appropriate page.
 
 If a certificate is specified on the command line using the B<-cert>
@@ -158,7 +158,7 @@ on the command line is no guarantee that the certificate works.
 =head1 BUGS
 
 Because this program does not have all the options of the
-L<s_client(1)|s_client(1)> program to turn protocols on and off, you may not be
+L<s_client(1)> program to turn protocols on and off, you may not be
 able to measure the performance of all protocols with all servers.
 
 The B<-verify> option should really exit if the server verification
@@ -166,6 +166,6 @@ fails.
 
 =head1 SEE ALSO
 
-L<s_client(1)|s_client(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+L<s_client(1)>, L<s_server(1)>, L<ciphers(1)>
 
 =cut
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index a8b0ef0..3914057 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -143,6 +143,6 @@ The cipher and start time should be printed out in human readable form.
 
 =head1 SEE ALSO
 
-L<ciphers(1)|ciphers(1)>, L<s_server(1)|s_server(1)>
+L<ciphers(1)>, L<s_server(1)>
 
 =cut
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 31a85fb..e9fbfda 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -266,12 +266,12 @@ multiple times to specify successive keys.
 =item B<-passin arg>
 
 the private key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
-generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
 all others.
@@ -297,7 +297,7 @@ B<-use_deltas>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
 B<-verify_ip>, B<-verify_name>, B<-x509_strict>
 
 Set various options of certificate chain verification. See
-L<B<verify>|verify(1)> manual page for details.
+L<verify(1)> manual page for details.
 
 =back
 
diff --git a/doc/apps/spkac.pod b/doc/apps/spkac.pod
index 97fb80e..553fd2d 100644
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -48,7 +48,7 @@ present.
 =item B<-passin password>
 
 the input file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-challenge string>
 
@@ -128,6 +128,6 @@ to be used in a "replay attack".
 
 =head1 SEE ALSO
 
-L<ca(1)|ca(1)>
+L<ca(1)>
 
 =cut
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index 5aab465..ff086d8 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -200,7 +200,7 @@ The name of the file containing a DER encoded time stamp request. (Optional)
 =item B<-passin> password_src
 
 Specifies the password source for the private key of the TSA. See
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)|openssl(1)>. (Optional)
+B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. (Optional)
 
 =item B<-signer> tsa_cert.pem
 
@@ -312,7 +312,7 @@ of a time stamp response (TimeStampResp). (Optional)
 =item B<-CApath> trusted_cert_path
 
 The name of the directory containing the trusted CA certificates of the
-client. See the similar option of L<verify(1)|verify(1)> for additional
+client. See the similar option of L<verify(1)> for additional
 details. Either this option or B<-CAfile> must be specified. (Optional)
 
 
@@ -320,7 +320,7 @@ details. Either this option or B<-CAfile> must be specified. (Optional)
 
 The name of the file containing a set of trusted self-signed CA
 certificates in PEM format. See the similar option of
-L<verify(1)|verify(1)> for additional details. Either this option
+L<verify(1)> for additional details. Either this option
 or B<-CApath> must be specified.
 (Optional)
 
@@ -337,7 +337,7 @@ all intermediate CA certificates unless the response includes them.
 =head1 CONFIGURATION FILE OPTIONS
 
 The B<-query> and B<-reply> commands make use of a configuration file
-defined by the B<OPENSSL_CONF> environment variable. See L<config(5)|config(5)>
+defined by the B<OPENSSL_CONF> environment variable. See L<config(5)>
 for a general description of the syntax of the config file. The
 B<-query> command uses only the symbolic OID names section
 and it can work without it. However, the B<-reply> command needs the
@@ -356,15 +356,15 @@ section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
-See L<ca(1)|ca(1)> for description. (Optional)
+See L<ca(1)> for description. (Optional)
 
 =item B<oid_section>
 
-See L<ca(1)|ca(1)> for description. (Optional)
+See L<ca(1)> for description. (Optional)
 
 =item B<RANDFILE>
 
-See L<ca(1)|ca(1)> for description. (Optional)
+See L<ca(1)> for description. (Optional)
 
 =item B<serial>
 
@@ -493,8 +493,8 @@ Before generating a response a signing certificate must be created for
 the TSA that contains the B<timeStamping> critical extended key usage extension
 without any other key usage extensions. You can add the
 'extendedKeyUsage = critical,timeStamping' line to the user certificate section
-of the config file to generate a proper certificate. See L<req(1)|req(1)>,
-L<ca(1)|ca(1)>, L<x509(1)|x509(1)> for instructions. The examples
+of the config file to generate a proper certificate. See L<req(1)>,
+L<ca(1)>, L<x509(1)> for instructions. The examples
 below assume that cacert.pem contains the certificate of the CA,
 tsacert.pem is the signing certificate issued by cacert.pem and
 tsakey.pem is the private key of the TSA.
@@ -559,14 +559,14 @@ Zoltan Glozik <zglozik at opentsa.org>. Known issues:
 =over 4
 
 =item * No support for time stamps over SMTP, though it is quite easy
-to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)>
-and L<perl(1)|perl(1)>. HTTP server support is provided in the form of
+to implement an automatic e-mail based TSA with L<procmail(1)>
+and L<perl(1)>. HTTP server support is provided in the form of
 a separate apache module. HTTP client support is provided by
-L<tsget(1)|tsget(1)>. Pure TCP/IP protocol is not supported.
+L<tsget(1)>. Pure TCP/IP protocol is not supported.
 
 =item * The file containing the last serial number of the TSA is not
 locked when being read or written. This is a problem if more than one
-instance of L<openssl(1)|openssl(1)> is trying to create a time stamp
+instance of L<openssl(1)> is trying to create a time stamp
 response at the same time. This is not an issue when using the apache
 server module, it does proper locking.
 
@@ -587,8 +587,8 @@ Zoltan Glozik <zglozik at opentsa.org>, OpenTSA project (http://www.opentsa.org)
 
 =head1 SEE ALSO
 
-L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>,
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
-L<config(5)|config(5)>
+L<tsget(1)>, L<openssl(1)>, L<req(1)>,
+L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
+L<config(5)>
 
 =cut
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod
index 56db985..3452c63 100644
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -188,7 +188,7 @@ Zoltan Glozik <zglozik at opentsa.org>, OpenTSA project (http://www.opentsa.org)
 
 =head1 SEE ALSO
 
-L<openssl(1)|openssl(1)>, L<ts(1)|ts(1)>, L<curl(1)|curl(1)>, 
+L<openssl(1)>, L<ts(1)>, L<curl(1)>, 
 B<RFC 3161>
 
 =cut
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index b1253da..f7364f3 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -498,7 +498,7 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
 
 =head1 SEE ALSO
 
-L<x509(1)|x509(1)>
+L<x509(1)>
 
 =head1 HISTORY
 
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index a0127fe..0c6aaef 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -330,7 +330,7 @@ the request.
 =item B<-passin arg>
 
 the key password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-clrext>
 
@@ -416,7 +416,7 @@ the section to add certificate extensions from. If this option is not
 specified then the extensions should either be contained in the unnamed
 (default) section or the default section should contain a variable called
 "extensions" which contains the section to use. See the
-L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
+L<x509v3_config(5)> manual page for details of the
 extension section format.
 
 =item B<-force_pubkey key>
@@ -872,9 +872,9 @@ OpenSSL 0.9.5 and later.
 
 =head1 SEE ALSO
 
-L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>,
-L<x509v3_config(5)|x509v3_config(5)> 
+L<req(1)>, L<ca(1)>, L<genrsa(1)>,
+L<gendsa(1)>, L<verify(1)>,
+L<x509v3_config(5)> 
 
 =head1 HISTORY
 
diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
index d1e6788..297cbaa 100644
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -176,7 +176,7 @@ prefacing the name with a B<+> character.
 
 otherName can include arbitrary data associated with an OID: the value
 should be the OID followed by a semicolon and the content in standard
-L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format.
+L<ASN1_generate_nconf(3)> format.
 
 Examples:
 
@@ -439,7 +439,7 @@ the data is formatted correctly for the given extension type.
 There are two ways to encode arbitrary extensions.
 
 The first way is to use the word ASN1 followed by the extension content
-using the same syntax as L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>.
+using the same syntax as L<ASN1_generate_nconf(3)>.
 For example:
 
  1.2.3.4=critical,ASN1:UTF8String:Some random data
@@ -520,8 +520,8 @@ for arbitrary extensions was added in OpenSSL 0.9.8
 
 =head1 SEE ALSO
 
-L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>,
-L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>
+L<req(1)>, L<ca(1)>, L<x509(1)>,
+L<ASN1_generate_nconf(3)>
 
 
 =cut
diff --git a/doc/crypto/ASN1_INTEGER_get_int64.pod b/doc/crypto/ASN1_INTEGER_get_int64.pod
index 8911afd..a9e38f8 100644
--- a/doc/crypto/ASN1_INTEGER_get_int64.pod
+++ b/doc/crypto/ASN1_INTEGER_get_int64.pod
@@ -111,7 +111,7 @@ of NULL if an error occurs. They can fail if the pased type is incorrect
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ASN1_OBJECT_new.pod b/doc/crypto/ASN1_OBJECT_new.pod
index 36fc571..4bdfe02 100644
--- a/doc/crypto/ASN1_OBJECT_new.pod
+++ b/doc/crypto/ASN1_OBJECT_new.pod
@@ -30,14 +30,14 @@ such as OBJ_nid2obj() are used instead.
 =head1 RETURN VALUES
 
 If the allocation fails, ASN1_OBJECT_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+code that can be obtained by L<ERR_get_error(3)>.
 Otherwise it returns a pointer to the newly allocated structure.
 
 ASN1_OBJECT_free() returns no value.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_ASN1_OBJECT(3)|d2i_ASN1_OBJECT(3)>
+L<ERR_get_error(3)>, L<d2i_ASN1_OBJECT(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ASN1_STRING_length.pod b/doc/crypto/ASN1_STRING_length.pod
index 6fb9c94..4c9ad0a 100644
--- a/doc/crypto/ASN1_STRING_length.pod
+++ b/doc/crypto/ASN1_STRING_length.pod
@@ -76,7 +76,7 @@ when calling ASN1_STRING_set().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ASN1_STRING_new.pod b/doc/crypto/ASN1_STRING_new.pod
index 6c0b303..76e983a 100644
--- a/doc/crypto/ASN1_STRING_new.pod
+++ b/doc/crypto/ASN1_STRING_new.pod
@@ -38,7 +38,7 @@ ASN1_STRING_free() does not return a value.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ASN1_STRING_print_ex.pod b/doc/crypto/ASN1_STRING_print_ex.pod
index 19c82ff..2be7f7c 100644
--- a/doc/crypto/ASN1_STRING_print_ex.pod
+++ b/doc/crypto/ASN1_STRING_print_ex.pod
@@ -86,8 +86,8 @@ equivalent to:
 
 =head1 SEE ALSO
 
-L<X509_NAME_print_ex(3)|X509_NAME_print_ex(3)>,
-L<ASN1_tag2str(3)|ASN1_tag2str(3)>
+L<X509_NAME_print_ex(3)>,
+L<ASN1_tag2str(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ASN1_generate_nconf.pod b/doc/crypto/ASN1_generate_nconf.pod
index 5dc1091..8c845ac 100644
--- a/doc/crypto/ASN1_generate_nconf.pod
+++ b/doc/crypto/ASN1_generate_nconf.pod
@@ -252,11 +252,11 @@ structure:
 ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
 data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
 
-The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes that can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BIO_f_buffer.pod b/doc/crypto/BIO_f_buffer.pod
index 4b525ef..d07c419 100644
--- a/doc/crypto/BIO_f_buffer.pod
+++ b/doc/crypto/BIO_f_buffer.pod
@@ -66,8 +66,8 @@ there was an error.
 
 =head1 SEE ALSO
 
-L<BIO(3)|BIO(3)>,
-L<BIO_reset(3)|BIO_reset(3)>,
-L<BIO_flush(3)|BIO_flush(3)>,
-L<BIO_pop(3)|BIO_pop(3)>,
-L<BIO_ctrl(3)|BIO_ctrl(3)>.
+L<BIO(3)>,
+L<BIO_reset(3)>,
+L<BIO_flush(3)>,
+L<BIO_pop(3)>,
+L<BIO_ctrl(3)>.
diff --git a/doc/crypto/BIO_f_ssl.pod b/doc/crypto/BIO_f_ssl.pod
index a0531b0..00b29bd 100644
--- a/doc/crypto/BIO_f_ssl.pod
+++ b/doc/crypto/BIO_f_ssl.pod
@@ -132,7 +132,7 @@ TBA
 
 This SSL/TLS client example, attempts to retrieve a page from an
 SSL/TLS web server. The I/O routines are identical to those of the
-unencrypted example in L<BIO_s_connect(3)|BIO_s_connect(3)>.
+unencrypted example in L<BIO_s_connect(3)>.
 
  BIO *sbio, *out;
  int len;
diff --git a/doc/crypto/BIO_new_CMS.pod b/doc/crypto/BIO_new_CMS.pod
index 9e3a4b7..0069b8d 100644
--- a/doc/crypto/BIO_new_CMS.pod
+++ b/doc/crypto/BIO_new_CMS.pod
@@ -56,8 +56,8 @@ occurred. The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_encrypt(3)|CMS_encrypt(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_encrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BIO_read.pod b/doc/crypto/BIO_read.pod
index b345281..960ea45 100644
--- a/doc/crypto/BIO_read.pod
+++ b/doc/crypto/BIO_read.pod
@@ -52,15 +52,15 @@ I/O structure and may block as a result. Instead select() (or equivalent)
 should be combined with non blocking I/O so successive reads will request
 a retry instead of blocking.
 
-See L<BIO_should_retry(3)|BIO_should_retry(3)> for details of how to
+See L<BIO_should_retry(3)> for details of how to
 determine the cause of a retry and other I/O issues.
 
 If the BIO_gets() function is not supported by a BIO then it possible to
-work around this by adding a buffering BIO L<BIO_f_buffer(3)|BIO_f_buffer(3)>
+work around this by adding a buffering BIO L<BIO_f_buffer(3)>
 to the chain.
 
 =head1 SEE ALSO
 
-L<BIO_should_retry(3)|BIO_should_retry(3)>
+L<BIO_should_retry(3)>
 
 TBA
diff --git a/doc/crypto/BIO_s_accept.pod b/doc/crypto/BIO_s_accept.pod
index 45b73df..8a23d42 100644
--- a/doc/crypto/BIO_s_accept.pod
+++ b/doc/crypto/BIO_s_accept.pod
@@ -54,7 +54,7 @@ connection and reset the BIO into a state where it awaits another
 incoming connection.
 
 BIO_get_fd() and BIO_set_fd() can be called to retrieve or set
-the accept socket. See L<BIO_s_fd(3)|BIO_s_fd(3)>
+the accept socket. See L<BIO_s_fd(3)>
 
 BIO_set_accept_port() uses the string B<name> to set the accept
 port. The port is represented as a string of the form "host:port",
diff --git a/doc/crypto/BIO_s_bio.pod b/doc/crypto/BIO_s_bio.pod
index 0f15990..998796b 100644
--- a/doc/crypto/BIO_s_bio.pod
+++ b/doc/crypto/BIO_s_bio.pod
@@ -176,7 +176,7 @@ the peer might be waiting for the data before being able to continue.
 
 =head1 SEE ALSO
 
-L<SSL_set_bio(3)|SSL_set_bio(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
-L<BIO_should_retry(3)|BIO_should_retry(3)>, L<BIO_read(3)|BIO_read(3)>
+L<SSL_set_bio(3)>, L<ssl(3)>, L<bio(3)>,
+L<BIO_should_retry(3)>, L<BIO_read(3)>
 
 =cut
diff --git a/doc/crypto/BIO_s_fd.pod b/doc/crypto/BIO_s_fd.pod
index b1de1d1..2f6b033 100644
--- a/doc/crypto/BIO_s_fd.pod
+++ b/doc/crypto/BIO_s_fd.pod
@@ -48,7 +48,7 @@ BIO_new_fd() returns a file descriptor BIO using B<fd> and B<close_flag>.
 The behaviour of BIO_read() and BIO_write() depends on the behavior of the
 platforms read() and write() calls on the descriptor. If the underlying 
 file descriptor is in a non blocking mode then the BIO will behave in the
-manner described in the L<BIO_read(3)|BIO_read(3)> and L<BIO_should_retry(3)|BIO_should_retry(3)>
+manner described in the L<BIO_read(3)> and L<BIO_should_retry(3)>
 manual pages.
 
 File descriptor BIOs should not be used for socket I/O. Use socket BIOs
@@ -82,8 +82,8 @@ This is a file descriptor BIO version of "Hello World":
 
 =head1 SEE ALSO
 
-L<BIO_seek(3)|BIO_seek(3)>, L<BIO_tell(3)|BIO_tell(3)>,
-L<BIO_reset(3)|BIO_reset(3)>, L<BIO_read(3)|BIO_read(3)>,
-L<BIO_write(3)|BIO_write(3)>, L<BIO_puts(3)|BIO_puts(3)>,
-L<BIO_gets(3)|BIO_gets(3)>, L<BIO_printf(3)|BIO_printf(3)>,
-L<BIO_set_close(3)|BIO_set_close(3)>, L<BIO_get_close(3)|BIO_get_close(3)>
+L<BIO_seek(3)>, L<BIO_tell(3)>,
+L<BIO_reset(3)>, L<BIO_read(3)>,
+L<BIO_write(3)>, L<BIO_puts(3)>,
+L<BIO_gets(3)>, L<BIO_printf(3)>,
+L<BIO_set_close(3)>, L<BIO_get_close(3)>
diff --git a/doc/crypto/BIO_s_file.pod b/doc/crypto/BIO_s_file.pod
index 188aea3..5adc569 100644
--- a/doc/crypto/BIO_s_file.pod
+++ b/doc/crypto/BIO_s_file.pod
@@ -140,9 +140,9 @@ occurred this differs from other types of BIO which will typically return
 
 =head1 SEE ALSO
 
-L<BIO_seek(3)|BIO_seek(3)>, L<BIO_tell(3)|BIO_tell(3)>,
-L<BIO_reset(3)|BIO_reset(3)>, L<BIO_flush(3)|BIO_flush(3)>,
-L<BIO_read(3)|BIO_read(3)>,
-L<BIO_write(3)|BIO_write(3)>, L<BIO_puts(3)|BIO_puts(3)>,
-L<BIO_gets(3)|BIO_gets(3)>, L<BIO_printf(3)|BIO_printf(3)>,
-L<BIO_set_close(3)|BIO_set_close(3)>, L<BIO_get_close(3)|BIO_get_close(3)>
+L<BIO_seek(3)>, L<BIO_tell(3)>,
+L<BIO_reset(3)>, L<BIO_flush(3)>,
+L<BIO_read(3)>,
+L<BIO_write(3)>, L<BIO_puts(3)>,
+L<BIO_gets(3)>, L<BIO_printf(3)>,
+L<BIO_set_close(3)>, L<BIO_get_close(3)>
diff --git a/doc/crypto/BN_BLINDING_new.pod b/doc/crypto/BN_BLINDING_new.pod
index f8102ba..65c6eab 100644
--- a/doc/crypto/BN_BLINDING_new.pod
+++ b/doc/crypto/BN_BLINDING_new.pod
@@ -98,7 +98,7 @@ parameters or NULL on error.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>
+L<bn(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_CTX_new.pod b/doc/crypto/BN_CTX_new.pod
index 958e551..005c9f8 100644
--- a/doc/crypto/BN_CTX_new.pod
+++ b/doc/crypto/BN_CTX_new.pod
@@ -28,8 +28,8 @@ B<BIGNUM>s.
 
 BN_CTX_free() frees the components of the B<BN_CTX>, and if it was
 created by BN_CTX_new(), also the structure itself.
-If L<BN_CTX_start(3)|BN_CTX_start(3)> has been used on the B<BN_CTX>,
-L<BN_CTX_end(3)|BN_CTX_end(3)> must be called before the B<BN_CTX>
+If L<BN_CTX_start(3)> has been used on the B<BN_CTX>,
+L<BN_CTX_end(3)> must be called before the B<BN_CTX>
 may be freed by BN_CTX_free().
 If B<c> is NULL, nothing is done.
 
@@ -38,7 +38,7 @@ If B<c> is NULL, nothing is done.
 BN_CTX_new() and BN_CTX_secure_new() return a pointer to the B<BN_CTX>.
 If the allocation fails,
 they return B<NULL> and sets an error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)>.
 
 BN_CTX_free() has no return values.
 
@@ -57,8 +57,8 @@ replace use of BN_CTX_init with BN_CTX_new instead:
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
-L<BN_CTX_start(3)|BN_CTX_start(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_add(3)>,
+L<BN_CTX_start(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_CTX_start.pod b/doc/crypto/BN_CTX_start.pod
index dfcefe1..57ddff6 100644
--- a/doc/crypto/BN_CTX_start.pod
+++ b/doc/crypto/BN_CTX_start.pod
@@ -17,7 +17,7 @@ BN_CTX_start, BN_CTX_get, BN_CTX_end - use temporary BIGNUM variables
 =head1 DESCRIPTION
 
 These functions are used to obtain temporary B<BIGNUM> variables from
-a B<BN_CTX> (which can been created by using L<BN_CTX_new(3)|BN_CTX_new(3)>)
+a B<BN_CTX> (which can been created by using L<BN_CTX_new(3)>)
 in order to save the overhead of repeatedly creating and
 freeing B<BIGNUM>s in functions that are called from inside a loop.
 
@@ -38,12 +38,12 @@ BN_CTX_get() returns a pointer to the B<BIGNUM>, or B<NULL> on error.
 Once BN_CTX_get() has failed, the subsequent calls will return B<NULL>
 as well, so it is sufficient to check the return value of the last
 BN_CTX_get() call. In case of an error, an error code is set, which
-can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+can be obtained by L<ERR_get_error(3)>.
 
 
 =head1 SEE ALSO
 
-L<BN_CTX_new(3)|BN_CTX_new(3)>
+L<BN_CTX_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_add.pod b/doc/crypto/BN_add.pod
index 88c7a79..38eeb3c 100644
--- a/doc/crypto/BN_add.pod
+++ b/doc/crypto/BN_add.pod
@@ -52,7 +52,7 @@ BN_sub() subtracts I<b> from I<a> and places the result in I<r> (C<r=a-b>).
 
 BN_mul() multiplies I<a> and I<b> and places the result in I<r> (C<r=a*b>).
 I<r> may be the same B<BIGNUM> as I<a> or I<b>.
-For multiplication by powers of 2, use L<BN_lshift(3)|BN_lshift(3)>.
+For multiplication by powers of 2, use L<BN_lshift(3)>.
 
 BN_sqr() takes the square of I<a> and places the result in I<r>
 (C<r=a^2>). I<r> and I<a> may be the same B<BIGNUM>.
@@ -80,8 +80,8 @@ BN_mod_mul() multiplies I<a> by I<b> and finds the non-negative
 remainder respective to modulus I<m> (C<r=(a*b) mod m>). I<r> may be
 the same B<BIGNUM> as I<a> or I<b>. For more efficient algorithms for
 repeated computations using the same modulus, see
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> and
-L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>.
+L<BN_mod_mul_montgomery(3)> and
+L<BN_mod_mul_reciprocal(3)>.
 
 BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
 result in I<r>.
@@ -98,7 +98,7 @@ places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or
 I<b>.
 
 For all functions, I<ctx> is a previously allocated B<BN_CTX> used for
-temporary variables; see L<BN_CTX_new(3)|BN_CTX_new(3)>.
+temporary variables; see L<BN_CTX_new(3)>.
 
 Unless noted otherwise, the result B<BIGNUM> must be different from
 the arguments.
@@ -107,12 +107,12 @@ the arguments.
 
 For all functions, 1 is returned for success, 0 on error. The return
 value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
-L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_CTX_new(3)>,
+L<BN_add_word(3)>, L<BN_set_bit(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_add_word.pod b/doc/crypto/BN_add_word.pod
index 70667d2..4f472ad 100644
--- a/doc/crypto/BN_add_word.pod
+++ b/doc/crypto/BN_add_word.pod
@@ -40,14 +40,14 @@ For BN_div_word() and BN_mod_word(), B<w> must not be 0.
 =head1 RETURN VALUES
 
 BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
-on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+on error. The error codes can be obtained by L<ERR_get_error(3)>.
 
 BN_mod_word() and BN_div_word() return B<a>%B<w> on success and
 B<(BN_ULONG)-1> if an error occurred.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_add(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod
index a4b17ca..dbcd11f 100644
--- a/doc/crypto/BN_bn2bin.pod
+++ b/doc/crypto/BN_bn2bin.pod
@@ -76,13 +76,13 @@ BN_print_fp() and BN_print() return 1 on success, 0 on write errors.
 BN_bn2mpi() returns the length of the representation. BN_mpi2bn()
 returns the B<BIGNUM>, and NULL on error.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_zero(3)|BN_zero(3)>,
-L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>,
-L<BN_num_bytes(3)|BN_num_bytes(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_zero(3)>,
+L<ASN1_INTEGER_to_BN(3)>,
+L<BN_num_bytes(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_cmp.pod b/doc/crypto/BN_cmp.pod
index 23e9ed0..6a9e341 100644
--- a/doc/crypto/BN_cmp.pod
+++ b/doc/crypto/BN_cmp.pod
@@ -37,7 +37,7 @@ the condition is true, 0 otherwise.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>
+L<bn(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_copy.pod b/doc/crypto/BN_copy.pod
index 388dd7d..834440f 100644
--- a/doc/crypto/BN_copy.pod
+++ b/doc/crypto/BN_copy.pod
@@ -21,11 +21,11 @@ containing the value B<from>.
 
 BN_copy() returns B<to> on success, NULL on error. BN_dup() returns
 the new B<BIGNUM>, and NULL on error. The error codes can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)>.
+by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+L<bn(3)>, L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod
index 858eb0f..316d12f 100644
--- a/doc/crypto/BN_generate_prime.pod
+++ b/doc/crypto/BN_generate_prime.pod
@@ -154,7 +154,7 @@ structure.
 
 Callback functions should return 1 on success or 0 on error.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 REMOVED FUNCTIONALITY
 
@@ -173,7 +173,7 @@ Instead applications should create a BN_GENCB structure using BN_GENCB_new:
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<rand(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_mod_inverse.pod b/doc/crypto/BN_mod_inverse.pod
index 3ea3975..97bb378 100644
--- a/doc/crypto/BN_mod_inverse.pod
+++ b/doc/crypto/BN_mod_inverse.pod
@@ -23,11 +23,11 @@ variables. B<r> may be the same B<BIGNUM> as B<a> or B<n>.
 =head1 RETURN VALUES
 
 BN_mod_inverse() returns the B<BIGNUM> containing the inverse, and
-NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+NULL on error. The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_add(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_mod_mul_montgomery.pod b/doc/crypto/BN_mod_mul_montgomery.pod
index d637e17..9a18a09 100644
--- a/doc/crypto/BN_mod_mul_montgomery.pod
+++ b/doc/crypto/BN_mod_mul_montgomery.pod
@@ -28,7 +28,7 @@ BN_from_montgomery, BN_to_montgomery - Montgomery multiplication
 =head1 DESCRIPTION
 
 These functions implement Montgomery multiplication. They are used
-automatically when L<BN_mod_exp(3)|BN_mod_exp(3)> is called with suitable input,
+automatically when L<BN_mod_exp(3)> is called with suitable input,
 but they may be useful when several operations are to be performed
 using the same modulus.
 
@@ -62,7 +62,7 @@ on error.
 BN_MONT_CTX_free() has no return value.
 
 For the other functions, 1 is returned for success, 0 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 WARNING
 
@@ -91,8 +91,8 @@ BN_MONT_CTX_new:
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
-L<BN_CTX_new(3)|BN_CTX_new(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_add(3)>,
+L<BN_CTX_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_mod_mul_reciprocal.pod b/doc/crypto/BN_mod_mul_reciprocal.pod
index 7a7d503..20357dc 100644
--- a/doc/crypto/BN_mod_mul_reciprocal.pod
+++ b/doc/crypto/BN_mod_mul_reciprocal.pod
@@ -24,7 +24,7 @@ reciprocal
 =head1 DESCRIPTION
 
 BN_mod_mul_reciprocal() can be used to perform an efficient
-L<BN_mod_mul(3)|BN_mod_mul(3)> operation when the operation will be performed
+L<BN_mod_mul(3)> operation when the operation will be performed
 repeatedly with the same modulus. It computes B<r>=(B<a>*B<b>)%B<m>
 using B<recp>=1/B<m>, which is set as described below.  B<ctx> is a
 previously allocated B<BN_CTX> used for temporary variables.
@@ -54,7 +54,7 @@ on error.
 BN_RECP_CTX_init() and BN_RECP_CTX_free() have no return values.
 
 For the other functions, 1 is returned for success, 0 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 REMOVED FUNCTIONALITY
 
@@ -78,8 +78,8 @@ instead:
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>,
-L<BN_CTX_new(3)|BN_CTX_new(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<BN_add(3)>,
+L<BN_CTX_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_new.pod b/doc/crypto/BN_new.pod
index fa157d3..f5b5100 100644
--- a/doc/crypto/BN_new.pod
+++ b/doc/crypto/BN_new.pod
@@ -33,7 +33,7 @@ If B<a> is NULL, nothing is done.
 
 BN_new() returns a pointer to the B<BIGNUM>. If the allocation fails,
 it returns B<NULL> and sets an error code that can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)>.
+by L<ERR_get_error(3)>.
 
 BN_clear(), BN_free() and BN_clear_free() have no return values.
 
@@ -57,7 +57,7 @@ Applications should replace use of BN_init with BN_new instead:
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+L<bn(3)>, L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_num_bytes.pod b/doc/crypto/BN_num_bytes.pod
index a6a2e3f..54f200b 100644
--- a/doc/crypto/BN_num_bytes.pod
+++ b/doc/crypto/BN_num_bytes.pod
@@ -46,8 +46,8 @@ more probability).
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<DH_size(3)|DH_size(3)>, L<DSA_size(3)|DSA_size(3)>,
-L<RSA_size(3)|RSA_size(3)>
+L<bn(3)>, L<DH_size(3)>, L<DSA_size(3)>,
+L<RSA_size(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod
index b3aec96..0676063 100644
--- a/doc/crypto/BN_rand.pod
+++ b/doc/crypto/BN_rand.pod
@@ -42,12 +42,12 @@ The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
 =head1 RETURN VALUES
 
 The functions return 1 on success, 0 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
+L<bn(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<RAND_add(3)>, L<RAND_bytes(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_set_bit.pod b/doc/crypto/BN_set_bit.pod
index a32cca2..20c24f0 100644
--- a/doc/crypto/BN_set_bit.pod
+++ b/doc/crypto/BN_set_bit.pod
@@ -51,11 +51,11 @@ For the shift functions, B<r> and B<a> may be the same variable.
 BN_is_bit_set() returns 1 if the bit is set, 0 otherwise.
 
 All other functions return 1 for success, 0 on error. The error codes
-can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>, L<BN_add(3)|BN_add(3)>
+L<bn(3)>, L<BN_num_bytes(3)>, L<BN_add(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_swap.pod b/doc/crypto/BN_swap.pod
index 79efaa1..8e764e3 100644
--- a/doc/crypto/BN_swap.pod
+++ b/doc/crypto/BN_swap.pod
@@ -14,7 +14,7 @@ BN_swap - exchange BIGNUMs
 
 BN_swap() exchanges the values of I<a> and I<b>.
 
-L<bn(3)|bn(3)>
+L<bn(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/BN_zero.pod b/doc/crypto/BN_zero.pod
index b555ec3..6b0c639 100644
--- a/doc/crypto/BN_zero.pod
+++ b/doc/crypto/BN_zero.pod
@@ -45,7 +45,7 @@ unsigned long but this value is also returned on error.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+L<bn(3)>, L<BN_bn2bin(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_add0_cert.pod b/doc/crypto/CMS_add0_cert.pod
index 8678ca1..ec12801 100644
--- a/doc/crypto/CMS_add0_cert.pod
+++ b/doc/crypto/CMS_add0_cert.pod
@@ -54,9 +54,9 @@ in practice is if the B<cms> type is invalid.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_encrypt(3)|CMS_encrypt(3)>
+L<ERR_get_error(3)>,
+L<CMS_sign(3)>,
+L<CMS_encrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_add1_recipient_cert.pod b/doc/crypto/CMS_add1_recipient_cert.pod
index d7d8e25..4f94703 100644
--- a/doc/crypto/CMS_add1_recipient_cert.pod
+++ b/doc/crypto/CMS_add1_recipient_cert.pod
@@ -51,8 +51,8 @@ occurs.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<CMS_final(3)|CMS_final(3)>,
+L<ERR_get_error(3)>, L<CMS_decrypt(3)>,
+L<CMS_final(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_add1_signer.pod b/doc/crypto/CMS_add1_signer.pod
index a055b82..2bcac66 100644
--- a/doc/crypto/CMS_add1_signer.pod
+++ b/doc/crypto/CMS_add1_signer.pod
@@ -91,8 +91,8 @@ structure just added or NULL if an error occurs.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_final(3)|CMS_final(3)>,
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_final(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_compress.pod b/doc/crypto/CMS_compress.pod
index 0a07152..583b1ec 100644
--- a/doc/crypto/CMS_compress.pod
+++ b/doc/crypto/CMS_compress.pod
@@ -63,7 +63,7 @@ occurred. The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_uncompress(3)|CMS_uncompress(3)>
+L<ERR_get_error(3)>, L<CMS_uncompress(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_decrypt.pod b/doc/crypto/CMS_decrypt.pod
index 3fa9212..99e4811 100644
--- a/doc/crypto/CMS_decrypt.pod
+++ b/doc/crypto/CMS_decrypt.pod
@@ -70,7 +70,7 @@ mentioned in CMS_verify() also applies to CMS_decrypt().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
+L<ERR_get_error(3)>, L<CMS_encrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_encrypt.pod b/doc/crypto/CMS_encrypt.pod
index 1ee5b27..4750942 100644
--- a/doc/crypto/CMS_encrypt.pod
+++ b/doc/crypto/CMS_encrypt.pod
@@ -86,7 +86,7 @@ occurred. The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_decrypt(3)|CMS_decrypt(3)>
+L<ERR_get_error(3)>, L<CMS_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_final.pod b/doc/crypto/CMS_final.pod
index 36cf96b..227ca83 100644
--- a/doc/crypto/CMS_final.pod
+++ b/doc/crypto/CMS_final.pod
@@ -31,8 +31,8 @@ CMS_final() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_encrypt(3)|CMS_encrypt(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_encrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_get0_RecipientInfos.pod b/doc/crypto/CMS_get0_RecipientInfos.pod
index fe49772..cc14af7 100644
--- a/doc/crypto/CMS_get0_RecipientInfos.pod
+++ b/doc/crypto/CMS_get0_RecipientInfos.pod
@@ -107,11 +107,11 @@ CMS_RecipientInfo_encrypt() return 1 for success or 0 if an error occurs.
 CMS_RecipientInfo_ktri_cert_cmp() and CMS_RecipientInfo_kekri_cmp() return 0
 for a successful comparison and non zero otherwise.
 
-Any error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+Any error can be obtained from L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_decrypt(3)|CMS_decrypt(3)>
+L<ERR_get_error(3)>, L<CMS_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_get0_SignerInfos.pod b/doc/crypto/CMS_get0_SignerInfos.pod
index b46c0e0..531c338 100644
--- a/doc/crypto/CMS_get0_SignerInfos.pod
+++ b/doc/crypto/CMS_get0_SignerInfos.pod
@@ -68,11 +68,11 @@ zero otherwise.
 
 CMS_SignerInfo_set1_signer_cert() does not return a value.
 
-Any error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+Any error can be obtained from L<ERR_get_error(3)>
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_verify(3)|CMS_verify(3)>
+L<ERR_get_error(3)>, L<CMS_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_get0_type.pod b/doc/crypto/CMS_get0_type.pod
index 3ed92bd..75ef40a 100644
--- a/doc/crypto/CMS_get0_type.pod
+++ b/doc/crypto/CMS_get0_type.pod
@@ -67,7 +67,7 @@ error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_get1_ReceiptRequest.pod b/doc/crypto/CMS_get1_ReceiptRequest.pod
index f546376..f94baac 100644
--- a/doc/crypto/CMS_get1_ReceiptRequest.pod
+++ b/doc/crypto/CMS_get1_ReceiptRequest.pod
@@ -56,9 +56,9 @@ it is present but malformed.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_sign_receipt(3)|CMS_sign_receipt(3)>, L<CMS_verify(3)|CMS_verify(3)>
-L<CMS_verify_receipt(3)|CMS_verify_receipt(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_sign_receipt(3)>, L<CMS_verify(3)>
+L<CMS_verify_receipt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_sign.pod b/doc/crypto/CMS_sign.pod
index 2cc72de..e05f854 100644
--- a/doc/crypto/CMS_sign.pod
+++ b/doc/crypto/CMS_sign.pod
@@ -109,7 +109,7 @@ occurred. The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_verify(3)|CMS_verify(3)>
+L<ERR_get_error(3)>, L<CMS_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_sign_receipt.pod b/doc/crypto/CMS_sign_receipt.pod
index cae1f83..2083c88 100644
--- a/doc/crypto/CMS_sign_receipt.pod
+++ b/doc/crypto/CMS_sign_receipt.pod
@@ -34,9 +34,9 @@ an error occurred.  The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<CMS_verify_receipt(3)|CMS_verify_receipt(3)>,
-L<CMS_sign(3)|CMS_sign(3)>
+L<ERR_get_error(3)>,
+L<CMS_verify_receipt(3)>,
+L<CMS_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_uncompress.pod b/doc/crypto/CMS_uncompress.pod
index c6056b0..c6943ac 100644
--- a/doc/crypto/CMS_uncompress.pod
+++ b/doc/crypto/CMS_uncompress.pod
@@ -45,7 +45,7 @@ mentioned in CMS_verify() also applies to CMS_decompress().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_compress(3)|CMS_compress(3)>
+L<ERR_get_error(3)>, L<CMS_compress(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_verify.pod b/doc/crypto/CMS_verify.pod
index 7a2c1ee..47ca32b 100644
--- a/doc/crypto/CMS_verify.pod
+++ b/doc/crypto/CMS_verify.pod
@@ -104,7 +104,7 @@ occurred.
 
 CMS_get0_signers() returns all signers or NULL if an error occurred.
 
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+The error can be obtained from L<ERR_get_error(3)>
 
 =head1 BUGS
 
@@ -117,7 +117,7 @@ be held in memory if it is not detached.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CMS_verify_receipt.pod b/doc/crypto/CMS_verify_receipt.pod
index 9283e0e..1dcc3b8 100644
--- a/doc/crypto/CMS_verify_receipt.pod
+++ b/doc/crypto/CMS_verify_receipt.pod
@@ -32,13 +32,13 @@ supported since they do not make sense in the context of signed receipts.
 CMS_verify_receipt() returns 1 for a successful verification and zero if an
 error occurred.
 
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+The error can be obtained from L<ERR_get_error(3)>
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<CMS_sign_receipt(3)|CMS_sign_receipt(3)>,
-L<CMS_verify(3)|CMS_verify(3)>,
+L<ERR_get_error(3)>,
+L<CMS_sign_receipt(3)>,
+L<CMS_verify(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CONF_modules_free.pod b/doc/crypto/CONF_modules_free.pod
index 347020c..866bd3f 100644
--- a/doc/crypto/CONF_modules_free.pod
+++ b/doc/crypto/CONF_modules_free.pod
@@ -36,8 +36,8 @@ None of the functions return a value.
 
 =head1 SEE ALSO
 
-L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>
+L<conf(5)>, L<OPENSSL_config(3)>,
+L<CONF_modules_load_file(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CONF_modules_load_file.pod b/doc/crypto/CONF_modules_load_file.pod
index 731911a..e9930fe 100644
--- a/doc/crypto/CONF_modules_load_file.pod
+++ b/doc/crypto/CONF_modules_load_file.pod
@@ -127,8 +127,8 @@ return value of the failing module (this will always be zero or negative).
 
 =head1 SEE ALSO
 
-L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_free(3)|CONF_free(3)>, L<err(3)|err(3)>
+L<conf(5)>, L<OPENSSL_config(3)>,
+L<CONF_free(3)>, L<err(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CRYPTO_secure_malloc.pod b/doc/crypto/CRYPTO_secure_malloc.pod
index a3b416e..5d233db 100644
--- a/doc/crypto/CRYPTO_secure_malloc.pod
+++ b/doc/crypto/CRYPTO_secure_malloc.pod
@@ -80,8 +80,8 @@ return no values.
 
 =head1 SEE ALSO
 
-L<BN_new(3)|BN_new(3)>,
-L<bn_internal(3)|bn_internal(3)>
+L<BN_new(3)>,
+L<bn_internal(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/CRYPTO_set_ex_data.pod b/doc/crypto/CRYPTO_set_ex_data.pod
index 7409c02..8b6c3de 100644
--- a/doc/crypto/CRYPTO_set_ex_data.pod
+++ b/doc/crypto/CRYPTO_set_ex_data.pod
@@ -38,13 +38,13 @@ B<CRYPTO_get_ex_data()> returns the application data or 0 on failure. 0 may also
 be valid application data but currently it can only fail if given an invalid B<idx>
 parameter.
 
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+On failure an error code can be obtained from L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
-L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>
+L<RSA_get_ex_new_index(3)>,
+L<DSA_get_ex_new_index(3)>,
+L<DH_get_ex_new_index(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DH_generate_key.pod b/doc/crypto/DH_generate_key.pod
index 81f09fd..d787704 100644
--- a/doc/crypto/DH_generate_key.pod
+++ b/doc/crypto/DH_generate_key.pod
@@ -36,11 +36,11 @@ DH_generate_key() returns 1 on success, 0 otherwise.
 DH_compute_key() returns the size of the shared secret on success, -1
 on error.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)>
+L<dh(3)>, L<ERR_get_error(3)>, L<rand(3)>, L<DH_size(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod
index 7f81a04..ebbb184 100644
--- a/doc/crypto/DH_generate_parameters.pod
+++ b/doc/crypto/DH_generate_parameters.pod
@@ -31,9 +31,9 @@ B<generator> is a small number E<gt> 1, typically 2 or 5.
 
 A callback function may be used to provide feedback about the progress
 of the key generation. If B<cb> is not B<NULL>, it will be
-called as described in L<BN_generate_prime(3)|BN_generate_prime(3)> while a random prime
+called as described in L<BN_generate_prime(3)> while a random prime
 number is generated, and when a prime has been found, B<BN_GENCB_call(cb, 3, 0)>
-is called. See L<BN_generate_prime(3)|BN_generate_prime(3)> for information on
+is called. See L<BN_generate_prime(3)> for information on
 the BN_GENCB_call() function.
 
 DH_check() validates Diffie-Hellman parameters. It checks that B<p> is
@@ -51,7 +51,7 @@ performed, 0 otherwise.
 DH_generate_parameters() (deprecated) returns a pointer to the DH structure, or
 NULL if the parameter generation fails.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 NOTES
 
@@ -68,8 +68,8 @@ a usable generator.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DH_free(3)|DH_free(3)>
+L<dh(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DH_free(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DH_get_ex_new_index.pod b/doc/crypto/DH_get_ex_new_index.pod
index fa5eab2..1871463 100644
--- a/doc/crypto/DH_get_ex_new_index.pod
+++ b/doc/crypto/DH_get_ex_new_index.pod
@@ -26,7 +26,7 @@ as described in L<RSA_get_ex_new_index(3)>.
 
 =head1 SEE ALSO
 
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dh(3)|dh(3)>
+L<RSA_get_ex_new_index(3)>, L<dh(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DH_new.pod b/doc/crypto/DH_new.pod
index 6245e4a..2d9fecd 100644
--- a/doc/crypto/DH_new.pod
+++ b/doc/crypto/DH_new.pod
@@ -23,16 +23,16 @@ If B<dh> is NULL nothing is done.
 =head1 RETURN VALUES
 
 If the allocation fails, DH_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+code that can be obtained by L<ERR_get_error(3)>. Otherwise it returns
 a pointer to the newly allocated structure.
 
 DH_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
-L<DH_generate_key(3)|DH_generate_key(3)>
+L<dh(3)>, L<ERR_get_error(3)>,
+L<DH_generate_parameters(3)>,
+L<DH_generate_key(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DH_set_method.pod b/doc/crypto/DH_set_method.pod
index d5cdc3b..8b80f5c 100644
--- a/doc/crypto/DH_set_method.pod
+++ b/doc/crypto/DH_set_method.pod
@@ -94,7 +94,7 @@ the method for B<dh> (including unloading the ENGINE handle if the previous
 method was supplied by an ENGINE).
 
 DH_new_method() returns NULL and sets an error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
+L<ERR_get_error(3)> if the allocation fails. Otherwise it
 returns a pointer to the newly allocated structure.
 
 =head1 NOTES
@@ -109,7 +109,7 @@ algorithms.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
+L<dh(3)>, L<DH_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DH_size.pod b/doc/crypto/DH_size.pod
index e73f325..ab28072 100644
--- a/doc/crypto/DH_size.pod
+++ b/doc/crypto/DH_size.pod
@@ -28,8 +28,8 @@ The size.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<DH_generate_key(3)|DH_generate_key(3)>,
-L<BN_num_bits(3)|BN_num_bits(3)>
+L<dh(3)>, L<DH_generate_key(3)>,
+L<BN_num_bits(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_SIG_new.pod b/doc/crypto/DSA_SIG_new.pod
index 3ac6140..aa2cb7d 100644
--- a/doc/crypto/DSA_SIG_new.pod
+++ b/doc/crypto/DSA_SIG_new.pod
@@ -23,15 +23,15 @@ values are erased before the memory is returned to the system.
 
 If the allocation fails, DSA_SIG_new() returns B<NULL> and sets an
 error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+L<ERR_get_error(3)>. Otherwise it returns a pointer
 to the newly allocated structure.
 
 DSA_SIG_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DSA_do_sign(3)|DSA_do_sign(3)>
+L<dsa(3)>, L<ERR_get_error(3)>,
+L<DSA_do_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod
index 5dfc733..7a1970b 100644
--- a/doc/crypto/DSA_do_sign.pod
+++ b/doc/crypto/DSA_do_sign.pod
@@ -19,7 +19,7 @@ DSA_do_sign() computes a digital signature on the B<len> byte message
 digest B<dgst> using the private key B<dsa> and returns it in a
 newly allocated B<DSA_SIG> structure.
 
-L<DSA_sign_setup(3)|DSA_sign_setup(3)> may be used to precompute part
+L<DSA_sign_setup(3)> may be used to precompute part
 of the signing operation in case signature generation is
 time-critical.
 
@@ -32,13 +32,13 @@ key.
 DSA_do_sign() returns the signature, NULL on error.  DSA_do_verify()
 returns 1 for a valid signature, 0 for an incorrect signature and -1
 on error. The error codes can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_SIG_new(3)|DSA_SIG_new(3)>,
-L<DSA_sign(3)|DSA_sign(3)>
+L<dsa(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DSA_SIG_new(3)>,
+L<DSA_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_dup_DH.pod b/doc/crypto/DSA_dup_DH.pod
index 7f6f0d1..b2e5325 100644
--- a/doc/crypto/DSA_dup_DH.pod
+++ b/doc/crypto/DSA_dup_DH.pod
@@ -19,7 +19,7 @@ contain its length.
 =head1 RETURN VALUE
 
 DSA_dup_DH() returns the new B<DH> structure, and NULL on error. The
-error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 NOTE
 
@@ -27,7 +27,7 @@ Be careful to avoid small subgroup attacks when using this.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+L<dh(3)>, L<dsa(3)>, L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_generate_key.pod b/doc/crypto/DSA_generate_key.pod
index af83ccf..34a9efb 100644
--- a/doc/crypto/DSA_generate_key.pod
+++ b/doc/crypto/DSA_generate_key.pod
@@ -20,12 +20,12 @@ The PRNG must be seeded prior to calling DSA_generate_key().
 =head1 RETURN VALUE
 
 DSA_generate_key() returns 1 on success, 0 otherwise.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>
+L<dsa(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DSA_generate_parameters(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index 16a67f2..d2a0418 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -39,7 +39,7 @@ A callback function may be used to provide feedback about the progress
 of the key generation. If B<cb> is not B<NULL>, it will be
 called as shown below. For information on the BN_GENCB structure and the
 BN_GENCB_call function discussed below, refer to
-L<BN_generate_prime(3)|BN_generate_prime(3)>.
+L<BN_generate_prime(3)>.
 
 =over 4
 
@@ -89,7 +89,7 @@ When the generator has been found, B<BN_GENCB_call(cb, 3, 1)> is called.
 DSA_generate_parameters() (deprecated) works in much the same way as for DSA_generate_parameters_ex, except that no B<dsa> parameter is passed and
 instead a newly allocated B<DSA> structure is returned. Additionally "old
 style" callbacks are used instead of the newer BN_GENCB based approach.
-Refer to L<BN_generate_prime(3)|BN_generate_prime(3)> for further information.
+Refer to L<BN_generate_prime(3)> for further information.
 
 =head1 RETURN VALUE
 
@@ -98,7 +98,7 @@ DSA_generate_parameters_ex() returns a 1 on success, or 0 otherwise.
 DSA_generate_parameters() returns a pointer to the DSA structure, or
 B<NULL> if the parameter generation fails.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 BUGS
 
@@ -106,8 +106,8 @@ Seed lengths E<gt> 20 are not supported.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_free(3)|DSA_free(3)>, L<BN_generate_prime(3)|BN_generate_prime(3)>
+L<dsa(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DSA_free(3)>, L<BN_generate_prime(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_get_ex_new_index.pod b/doc/crypto/DSA_get_ex_new_index.pod
index fb6efc1..43b29b3 100644
--- a/doc/crypto/DSA_get_ex_new_index.pod
+++ b/doc/crypto/DSA_get_ex_new_index.pod
@@ -26,7 +26,7 @@ as described in L<RSA_get_ex_new_index(3)>.
 
 =head1 SEE ALSO
 
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<dsa(3)|dsa(3)>
+L<RSA_get_ex_new_index(3)>, L<dsa(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_new.pod b/doc/crypto/DSA_new.pod
index 3a6d582..766cfd3 100644
--- a/doc/crypto/DSA_new.pod
+++ b/doc/crypto/DSA_new.pod
@@ -25,16 +25,16 @@ If B<dsa> is NULL nothing is done.
 
 If the allocation fails, DSA_new() returns B<NULL> and sets an error
 code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns a pointer
+L<ERR_get_error(3)>. Otherwise it returns a pointer
 to the newly allocated structure.
 
 DSA_free() returns no value.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
-L<DSA_generate_key(3)|DSA_generate_key(3)>
+L<dsa(3)>, L<ERR_get_error(3)>,
+L<DSA_generate_parameters(3)>,
+L<DSA_generate_key(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_set_method.pod b/doc/crypto/DSA_set_method.pod
index 9c1434b..fe0d6e3 100644
--- a/doc/crypto/DSA_set_method.pod
+++ b/doc/crypto/DSA_set_method.pod
@@ -108,7 +108,7 @@ the method for B<dsa> (including unloading the ENGINE handle if the previous
 method was supplied by an ENGINE).
 
 DSA_new_method() returns NULL and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
+obtained by L<ERR_get_error(3)> if the allocation
 fails. Otherwise it returns a pointer to the newly allocated structure.
 
 =head1 NOTES
@@ -123,7 +123,7 @@ algorithms.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
+L<dsa(3)>, L<DSA_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod
index 97389e8..da923ab 100644
--- a/doc/crypto/DSA_sign.pod
+++ b/doc/crypto/DSA_sign.pod
@@ -46,7 +46,7 @@ is called.
 DSA_sign() and DSA_sign_setup() return 1 on success, 0 on error.
 DSA_verify() returns 1 for a valid signature, 0 for an incorrect
 signature and -1 on error. The error codes can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)>.
 
 =head1 CONFORMING TO
 
@@ -55,8 +55,8 @@ Standard, DSS), ANSI X9.30
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>,
-L<DSA_do_sign(3)|DSA_do_sign(3)>
+L<dsa(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DSA_do_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/DSA_size.pod b/doc/crypto/DSA_size.pod
index ba4f650..bc96cbd 100644
--- a/doc/crypto/DSA_size.pod
+++ b/doc/crypto/DSA_size.pod
@@ -24,7 +24,7 @@ The size in bytes.
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<DSA_sign(3)|DSA_sign(3)>
+L<dsa(3)>, L<DSA_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EC_GFp_simple_method.pod b/doc/crypto/EC_GFp_simple_method.pod
index aff20ac..2a21c93 100644
--- a/doc/crypto/EC_GFp_simple_method.pod
+++ b/doc/crypto/EC_GFp_simple_method.pod
@@ -22,7 +22,7 @@ EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_me
 =head1 DESCRIPTION
 
 The Elliptic Curve library provides a number of different implementations through a single common interface.
-When constructing a curve using EC_GROUP_new (see L<EC_GROUP_new(3)|EC_GROUP_new(3)>) an
+When constructing a curve using EC_GROUP_new (see L<EC_GROUP_new(3)>) an
 implementation method must be provided. The functions described here all return a const pointer to an
 B<EC_METHOD> structure that can be passed to EC_GROUP_NEW. It is important that the correct implementation
 type for the form of curve selected is used.
@@ -31,9 +31,9 @@ For F2^m curves there is only one implementation choice, i.e. EC_GF2_simple_meth
 
 For Fp curves the lowest common denominator implementation is the EC_GFp_simple_method implementation. All
 other implementations are based on this one. EC_GFp_mont_method builds on EC_GFp_simple_method but adds the
-use of montgomery multiplication (see L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>). EC_GFp_nist_method
+use of montgomery multiplication (see L<BN_mod_mul_montgomery(3)>). EC_GFp_nist_method
 offers an implementation optimised for use with NIST recommended curves (NIST curves are available through
-EC_GROUP_new_by_curve_name as described in L<EC_GROUP_new(3)|EC_GROUP_new(3)>).
+EC_GROUP_new_by_curve_name as described in L<EC_GROUP_new(3)>).
 
 The functions EC_GFp_nistp224_method, EC_GFp_nistp256_method and EC_GFp_nistp521_method offer 64 bit
 optimised implementations for the NIST P224, P256 and P521 curves respectively. Note, however, that these
@@ -52,9 +52,9 @@ EC_METHOD_get_field_type returns an integer that identifies the type of field th
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>, L<EC_GROUP_copy(3)>,
+L<EC_POINT_new(3)>, L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
+L<d2i_ECPKParameters(3)>,
+L<BN_mod_mul_montgomery(3)>
 
 =cut
diff --git a/doc/crypto/EC_GROUP_copy.pod b/doc/crypto/EC_GROUP_copy.pod
index a13d2ad..591ba90 100644
--- a/doc/crypto/EC_GROUP_copy.pod
+++ b/doc/crypto/EC_GROUP_copy.pod
@@ -66,7 +66,7 @@ The functions EC_GROUP_get_order and EC_GROUP_get_cofactor populate the provided
 with the respective order and cofactors for the B<group>.
 
 The functions EC_GROUP_set_curve_name and EC_GROUP_get_curve_name, set and get the NID for the curve respectively
-(see L<EC_GROUP_new(3)|EC_GROUP_new(3)>). If a curve does not have a NID associated with it, then EC_GROUP_get_curve_name
+(see L<EC_GROUP_new(3)>). If a curve does not have a NID associated with it, then EC_GROUP_get_curve_name
 will return 0.
 
 The asn1_flag value is used to determine whether the curve encoding uses
@@ -175,8 +175,8 @@ trinomial or pentanomial respectively. Alternatively in the event of an error a
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>,
+L<EC_POINT_new(3)>, L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
+L<EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)>
 
 =cut
diff --git a/doc/crypto/EC_GROUP_new.pod b/doc/crypto/EC_GROUP_new.pod
index 73d5219..70d9955 100644
--- a/doc/crypto/EC_GROUP_new.pod
+++ b/doc/crypto/EC_GROUP_new.pod
@@ -41,7 +41,7 @@ Operations in a binary field are performed relative to an B<irreducible polynomi
 use a trinomial or a pentanomial for this parameter.
 
 A new curve can be constructed by calling EC_GROUP_new, using the implementation provided by B<meth> (see
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>). It is then necessary to call either EC_GROUP_set_curve_GFp or
+L<EC_GFp_simple_method(3)>). It is then necessary to call either EC_GROUP_set_curve_GFp or
 EC_GROUP_set_curve_GF2m as appropriate to create a curve defined over Fp or over F2^m respectively.
 
 EC_GROUP_set_curve_GFp sets the curve parameters B<p>, B<a> and B<b> for a curve over Fp stored in B<group>.
@@ -90,8 +90,8 @@ EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROU
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_copy(3)>,
+L<EC_POINT_new(3)>, L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
+L<EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)>
 
 =cut
diff --git a/doc/crypto/EC_KEY_new.pod b/doc/crypto/EC_KEY_new.pod
index fc42cbc..71095e5 100644
--- a/doc/crypto/EC_KEY_new.pod
+++ b/doc/crypto/EC_KEY_new.pod
@@ -42,7 +42,7 @@ An EC_KEY represents a public key and (optionally) an associated private key. A
 The reference count for the newly created EC_KEY is initially set to 1. A curve can be associated with the EC_KEY by calling
 EC_KEY_set_group.
 
-Alternatively a new EC_KEY can be constructed by calling EC_KEY_new_by_curve_name and supplying the nid of the associated curve. Refer to L<EC_GROUP_new(3)|EC_GROUP_new(3)> for a description of curve names. This function simply wraps calls to EC_KEY_new and 
+Alternatively a new EC_KEY can be constructed by calling EC_KEY_new_by_curve_name and supplying the nid of the associated curve. Refer to L<EC_GROUP_new(3)> for a description of curve names. This function simply wraps calls to EC_KEY_new and 
 EC_GROUP_new_by_curve_name.
 
 Calling EC_KEY_free decrements the reference count for the EC_KEY object, and if it has dropped to zero then frees the memory associated
@@ -69,16 +69,16 @@ on the key to confirm that it is valid.
 The functions EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, and EC_KEY_set_public_key get and set the EC_GROUP object, the private key and the EC_POINT public key for the B<key> respectively.
 
 The functions EC_KEY_get_conv_form and EC_KEY_set_conv_form get and set the point_conversion_form for the B<key>. For a description
-of point_conversion_forms please refer to L<EC_POINT_new(3)|EC_POINT_new(3)>.
+of point_conversion_forms please refer to L<EC_POINT_new(3)>.
 
 EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the
 elliptic curve scheme being used with the EC_KEY object. This data is treated as a "black box" by the ec library. The data to be stored by EC_KEY_insert_key_method_data is provided in the B<data> parameter, which must have have associated functions for duplicating, freeing and "clear_freeing" the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the functions for duplicating, freeing and "clear_freeing" the data item must be provided again, and they must be the same as they were when the data item was inserted.
 
 EC_KEY_set_flags sets the flags in the B<flags> parameter on the EC_KEY object. Any flags that are already set are left set. The currently defined standard flags are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this EC_KEY. EC_KEY_clear_flags clears the flags indicated by the B<flags> parameter. All other flags are left in their existing state.
 
-EC_KEY_set_asn1_flag sets the asn1_flag on the underlying EC_GROUP object (if set). Refer to L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for further information on the asn1_flag.
+EC_KEY_set_asn1_flag sets the asn1_flag on the underlying EC_GROUP object (if set). Refer to L<EC_GROUP_copy(3)> for further information on the asn1_flag.
 
-EC_KEY_precompute_mult stores multiples of the underlying EC_GROUP generator for faster point multiplication. See also L<EC_POINT_add(3)|EC_POINT_add(3)>.
+EC_KEY_precompute_mult stores multiples of the underlying EC_GROUP generator for faster point multiplication. See also L<EC_POINT_add(3)>.
 
 
 =head1 RETURN VALUES
@@ -100,10 +100,10 @@ EC_KEY_get_conv_form return the point_conversion_form for the EC_KEY.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>,
-L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>, L<EC_POINT_new(3)|EC_POINT_new(3)>,
-L<EC_POINT_add(3)|EC_POINT_add(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>,
-L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>,
+L<EC_GROUP_copy(3)>, L<EC_POINT_new(3)>,
+L<EC_POINT_add(3)>,
+L<EC_GFp_simple_method(3)>,
+L<d2i_ECPKParameters(3)>
 
 =cut
diff --git a/doc/crypto/EC_POINT_add.pod b/doc/crypto/EC_POINT_add.pod
index ae92640..eaa7f52 100644
--- a/doc/crypto/EC_POINT_add.pod
+++ b/doc/crypto/EC_POINT_add.pod
@@ -46,7 +46,7 @@ EC_POINTs_mul calculates the value generator * B<n> + B<q[0]> * B<m[0]> + ... +
 B<n> may be NULL.
 
 The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst
-EC_GROUP_have_precompute_mult tests whether precomputation has already been done. See L<EC_GROUP_copy(3)|EC_GROUP_copy(3)> for information
+EC_GROUP_have_precompute_mult tests whether precomputation has already been done. See L<EC_GROUP_copy(3)> for information
 about the generator.
 
 
@@ -65,8 +65,8 @@ EC_GROUP_have_precompute_mult return 1 if a precomputation has been done, or 0 i
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>, L<EC_GROUP_copy(3)>,
+L<EC_POINT_new(3)>, L<EC_KEY_new(3)>,
+L<EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)>
 
 =cut
diff --git a/doc/crypto/EC_POINT_new.pod b/doc/crypto/EC_POINT_new.pod
index 0a20fce..122dccb 100644
--- a/doc/crypto/EC_POINT_new.pod
+++ b/doc/crypto/EC_POINT_new.pod
@@ -123,8 +123,8 @@ EC_POINT_hex2point returns the pointer to the EC_POINT supplied, or NULL on erro
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>, L<EC_GROUP_copy(3)>,
+L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
+L<EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)>
 
 =cut
diff --git a/doc/crypto/ERR_GET_LIB.pod b/doc/crypto/ERR_GET_LIB.pod
index 2a129da..fe31f03 100644
--- a/doc/crypto/ERR_GET_LIB.pod
+++ b/doc/crypto/ERR_GET_LIB.pod
@@ -41,7 +41,7 @@ The library number, function code and reason code respectively.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+L<err(3)>, L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_clear_error.pod b/doc/crypto/ERR_clear_error.pod
index 566e1f4..d1da2b6 100644
--- a/doc/crypto/ERR_clear_error.pod
+++ b/doc/crypto/ERR_clear_error.pod
@@ -20,7 +20,7 @@ ERR_clear_error() has no return value.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>
+L<err(3)>, L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_error_string.pod b/doc/crypto/ERR_error_string.pod
index cdfa7fe..b3f9a43 100644
--- a/doc/crypto/ERR_error_string.pod
+++ b/doc/crypto/ERR_error_string.pod
@@ -40,13 +40,13 @@ ERR_reason_error_string() return the library name, function
 name and reason string respectively.
 
 The OpenSSL error strings should be loaded by calling
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)> or, for SSL
-applications, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+L<ERR_load_crypto_strings(3)> or, for SSL
+applications, L<SSL_load_error_strings(3)>
 first.
 If there is no text string registered for the given error code,
 the error string will contain the numeric code.
 
-L<ERR_print_errors(3)|ERR_print_errors(3)> can be used to print
+L<ERR_print_errors(3)> can be used to print
 all error codes currently in the queue.
 
 =head1 RETURN VALUES
@@ -60,10 +60,10 @@ none is registered for the error code.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
-L<ERR_print_errors(3)|ERR_print_errors(3)>
+L<err(3)>, L<ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)>
+L<ERR_print_errors(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_get_error.pod b/doc/crypto/ERR_get_error.pod
index 01e196c..90b620c 100644
--- a/doc/crypto/ERR_get_error.pod
+++ b/doc/crypto/ERR_get_error.pod
@@ -38,9 +38,9 @@ error queue without modifying it.
 ERR_peek_last_error() returns the latest error code from the thread's
 error queue without modifying it.
 
-See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
+See L<ERR_GET_LIB(3)> for obtaining information about
 location and reason of the error, and
-L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
+L<ERR_error_string(3)> for human-readable error
 messages.
 
 ERR_get_error_line(), ERR_peek_error_line() and
@@ -64,8 +64,8 @@ The error code, or 0 if there is no error in the queue.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>
+L<err(3)>, L<ERR_error_string(3)>,
+L<ERR_GET_LIB(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_load_crypto_strings.pod b/doc/crypto/ERR_load_crypto_strings.pod
index 9bdec75..b5ff885 100644
--- a/doc/crypto/ERR_load_crypto_strings.pod
+++ b/doc/crypto/ERR_load_crypto_strings.pod
@@ -35,7 +35,7 @@ ERR_free_strings() return no values.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>
+L<err(3)>, L<ERR_error_string(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_load_strings.pod b/doc/crypto/ERR_load_strings.pod
index 5acdd0e..9edf7a3 100644
--- a/doc/crypto/ERR_load_strings.pod
+++ b/doc/crypto/ERR_load_strings.pod
@@ -43,7 +43,7 @@ ERR_get_next_error_library() returns a new library number.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+L<err(3)>, L<ERR_load_strings(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_print_errors.pod b/doc/crypto/ERR_print_errors.pod
index b100a5f..db890a9 100644
--- a/doc/crypto/ERR_print_errors.pod
+++ b/doc/crypto/ERR_print_errors.pod
@@ -38,10 +38,10 @@ ERR_print_errors() and ERR_print_errors_fp() return no values.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+L<err(3)>, L<ERR_error_string(3)>,
+L<ERR_get_error(3)>,
+L<ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_put_error.pod b/doc/crypto/ERR_put_error.pod
index acd241f..a87dcae 100644
--- a/doc/crypto/ERR_put_error.pod
+++ b/doc/crypto/ERR_put_error.pod
@@ -23,7 +23,7 @@ This function is usually called by a macro.
 ERR_add_error_data() associates the concatenation of its B<num> string
 arguments with the error code added last.
 
-L<ERR_load_strings(3)|ERR_load_strings(3)> can be used to register
+L<ERR_load_strings(3)> can be used to register
 error strings so that the application can a generate human-readable
 error messages for the error code.
 
@@ -34,7 +34,7 @@ no values.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>, L<ERR_load_strings(3)|ERR_load_strings(3)>
+L<err(3)>, L<ERR_load_strings(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_remove_state.pod b/doc/crypto/ERR_remove_state.pod
index a4d38c1..236aeb4 100644
--- a/doc/crypto/ERR_remove_state.pod
+++ b/doc/crypto/ERR_remove_state.pod
@@ -34,7 +34,7 @@ ERR_remove_thread_state and ERR_remove_state() return no value.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>
+L<err(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/ERR_set_mark.pod b/doc/crypto/ERR_set_mark.pod
index d3ca4f2..122a81b 100644
--- a/doc/crypto/ERR_set_mark.pod
+++ b/doc/crypto/ERR_set_mark.pod
@@ -29,7 +29,7 @@ implies that the stack became empty, otherwise 1.
 
 =head1 SEE ALSO
 
-L<err(3)|err(3)>
+L<err(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_BytesToKey.pod b/doc/crypto/EVP_BytesToKey.pod
index dca5239..c2470df 100644
--- a/doc/crypto/EVP_BytesToKey.pod
+++ b/doc/crypto/EVP_BytesToKey.pod
@@ -62,9 +62,9 @@ or 0 on error.
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<PKCS5_PBKDF2_HMAC(3)|PKCS5_PBKDF2_HMAC(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+L<evp(3)>, L<rand(3)>,
+L<PKCS5_PBKDF2_HMAC(3)>,
+L<EVP_EncryptInit(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod
index 06e6d4f..2d7f0dc 100644
--- a/doc/crypto/EVP_DigestInit.pod
+++ b/doc/crypto/EVP_DigestInit.pod
@@ -255,8 +255,8 @@ digest name passed on the command line.
 
 =head1 SEE ALSO
 
-L<dgst(1)|dgst(1)>,
-L<evp(3)|evp(3)>
+L<dgst(1)>,
+L<evp(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_DigestSignInit.pod b/doc/crypto/EVP_DigestSignInit.pod
index 5ad1926..caad7fa 100644
--- a/doc/crypto/EVP_DigestSignInit.pod
+++ b/doc/crypto/EVP_DigestSignInit.pod
@@ -42,7 +42,7 @@ EVP_DigestSignInit() EVP_DigestSignUpdate() and EVP_DigestSignaFinal() return
 value of -2 indicates the operation is not supported by the public key
 algorithm.
 
-The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained from L<ERR_get_error(3)>.
 
 =head1 NOTES
 
@@ -73,11 +73,11 @@ which indicates the maximum possible signature for any set of parameters.
 
 =head1 SEE ALSO
 
-L<EVP_DigestVerifyInit(3)|EVP_DigestVerifyInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+L<EVP_DigestVerifyInit(3)>,
+L<EVP_DigestInit(3)>, L<err(3)>,
+L<evp(3)>, L<hmac(3)>, L<md2(3)>,
+L<md5(3)>, L<mdc2(3)>, L<ripemd(3)>,
+L<sha(3)>, L<dgst(1)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod
index e0217e4..2068ce7 100644
--- a/doc/crypto/EVP_DigestVerifyInit.pod
+++ b/doc/crypto/EVP_DigestVerifyInit.pod
@@ -42,7 +42,7 @@ indicates that the signature did not verify successfully (that is tbs did
 not match the original data or the signature was of invalid form) it is not an
 indication of a more serious error.
 
-The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained from L<ERR_get_error(3)>.
 
 =head1 NOTES
 
@@ -68,11 +68,11 @@ will occur.
 
 =head1 SEE ALSO
 
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+L<EVP_DigestSignInit(3)>,
+L<EVP_DigestInit(3)>, L<err(3)>,
+L<evp(3)>, L<hmac(3)>, L<md2(3)>,
+L<md5(3)>, L<mdc2(3)>, L<ripemd(3)>,
+L<sha(3)>, L<dgst(1)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index 3dfc55d..4a31686 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -610,7 +610,7 @@ with a 128-bit key:
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>
+L<evp(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_OpenInit.pod b/doc/crypto/EVP_OpenInit.pod
index 2e710da..e207b01 100644
--- a/doc/crypto/EVP_OpenInit.pod
+++ b/doc/crypto/EVP_OpenInit.pod
@@ -28,7 +28,7 @@ The IV is supplied in the B<iv> parameter.
 
 EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties
 as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as 
-documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+documented on the L<EVP_EncryptInit(3)> manual
 page.
 
 =head1 NOTES
@@ -54,9 +54,9 @@ EVP_OpenFinal() returns 0 if the decrypt failed or 1 for success.
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_SealInit(3)|EVP_SealInit(3)>
+L<evp(3)>, L<rand(3)>,
+L<EVP_EncryptInit(3)>,
+L<EVP_SealInit(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/doc/crypto/EVP_PKEY_CTX_ctrl.pod
index 026c10b..5710cfb 100644
--- a/doc/crypto/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/crypto/EVP_PKEY_CTX_ctrl.pod
@@ -128,14 +128,14 @@ indicates the operation is not supported by the public key algorithm.
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)>
+L<EVP_PKEY_keygen(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_CTX_new.pod b/doc/crypto/EVP_PKEY_CTX_new.pod
index d30e007..5fb5d58 100644
--- a/doc/crypto/EVP_PKEY_CTX_new.pod
+++ b/doc/crypto/EVP_PKEY_CTX_new.pod
@@ -44,7 +44,7 @@ EVP_PKEY_CTX_free() does not return a value.
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>
+L<EVP_PKEY_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_cmp.pod b/doc/crypto/EVP_PKEY_cmp.pod
index 94fcf66..9e0107f 100644
--- a/doc/crypto/EVP_PKEY_cmp.pod
+++ b/doc/crypto/EVP_PKEY_cmp.pod
@@ -55,7 +55,7 @@ keys match, 0 if they don't match, -1 if the key types are different and
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_keygen(3)> 
 
 =cut
diff --git a/doc/crypto/EVP_PKEY_decrypt.pod b/doc/crypto/EVP_PKEY_decrypt.pod
index 8479832..e94f3a8 100644
--- a/doc/crypto/EVP_PKEY_decrypt.pod
+++ b/doc/crypto/EVP_PKEY_decrypt.pod
@@ -79,12 +79,12 @@ Decrypt data using OAEP (for RSA keys):
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_derive.pod b/doc/crypto/EVP_PKEY_derive.pod
index 27464be..f6f3ac7 100644
--- a/doc/crypto/EVP_PKEY_derive.pod
+++ b/doc/crypto/EVP_PKEY_derive.pod
@@ -79,12 +79,12 @@ Derive shared secret (for example DH or EC keys):
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_encrypt.pod b/doc/crypto/EVP_PKEY_encrypt.pod
index 6799ce1..819d864 100644
--- a/doc/crypto/EVP_PKEY_encrypt.pod
+++ b/doc/crypto/EVP_PKEY_encrypt.pod
@@ -43,8 +43,8 @@ indicates the operation is not supported by the public key algorithm.
 
 =head1 EXAMPLE
 
-Encrypt data using OAEP (for RSA keys). See also L<PEM_read_PUBKEY(3)|pem(3)> or
-L<d2i_X509(3)|d2i_X509(3)> for means to load a public key. You may also simply
+Encrypt data using OAEP (for RSA keys). See also L<pem(3)> or
+L<d2i_X509(3)> for means to load a public key. You may also simply
 set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
 
  #include <openssl/evp.h>
@@ -83,14 +83,14 @@ set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>,
-L<engine(3)|engine(3)>,
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+L<d2i_X509(3)>,
+L<engine(3)>,
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_get_default_digest.pod b/doc/crypto/EVP_PKEY_get_default_digest.pod
index 8ff597d..8ac104e 100644
--- a/doc/crypto/EVP_PKEY_get_default_digest.pod
+++ b/doc/crypto/EVP_PKEY_get_default_digest.pod
@@ -29,10 +29,10 @@ public key algorithm.
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_keygen.pod b/doc/crypto/EVP_PKEY_keygen.pod
index 2f0256d..c86e013 100644
--- a/doc/crypto/EVP_PKEY_keygen.pod
+++ b/doc/crypto/EVP_PKEY_keygen.pod
@@ -146,13 +146,13 @@ Example of generation callback for OpenSSL public key implementations:
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_new.pod b/doc/crypto/EVP_PKEY_new.pod
index d26b03f..acdfd00 100644
--- a/doc/crypto/EVP_PKEY_new.pod
+++ b/doc/crypto/EVP_PKEY_new.pod
@@ -28,7 +28,7 @@ particular algorithm.
 
 The structure returned by EVP_PKEY_new() is empty. To add a
 private key to this empty structure the functions described in
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)> should be used.
+L<EVP_PKEY_set1_RSA(3)> should be used.
 
 =head1 RETURN VALUES
 
@@ -39,7 +39,7 @@ EVP_PKEY_free() does not return a value.
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)>
+L<EVP_PKEY_set1_RSA(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_print_private.pod b/doc/crypto/EVP_PKEY_print_private.pod
index ce9d70d..8664c49 100644
--- a/doc/crypto/EVP_PKEY_print_private.pod
+++ b/doc/crypto/EVP_PKEY_print_private.pod
@@ -43,8 +43,8 @@ the public key algorithm.
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_keygen(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod b/doc/crypto/EVP_PKEY_set1_RSA.pod
index 6f10175..bb164ed 100644
--- a/doc/crypto/EVP_PKEY_set1_RSA.pod
+++ b/doc/crypto/EVP_PKEY_set1_RSA.pod
@@ -71,7 +71,7 @@ and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>
+L<EVP_PKEY_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_sign.pod b/doc/crypto/EVP_PKEY_sign.pod
index 21974b4..f189206 100644
--- a/doc/crypto/EVP_PKEY_sign.pod
+++ b/doc/crypto/EVP_PKEY_sign.pod
@@ -30,12 +30,12 @@ B<sig> and the amount of data written to B<siglen>.
 
 EVP_PKEY_sign() does not hash the data to be signed, and therefore is
 normally used to sign digests. For signing arbitrary messages, see the
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)> and
-L<EVP_SignInit(3)|EVP_SignInit(3)> signing interfaces instead.
+L<EVP_DigestSignInit(3)> and
+L<EVP_SignInit(3)> signing interfaces instead.
 
 After the call to EVP_PKEY_sign_init() algorithm specific control
 operations can be performed to set any appropriate parameters for the
-operation (see L<EVP_PKEY_CTX_ctrl(3)|EVP_PKEY_CTX_ctrl(3)>).
+operation (see L<EVP_PKEY_CTX_ctrl(3)>).
 
 The function EVP_PKEY_sign() can be called more than once on the same
 context if several operations are performed using the same parameters.
@@ -91,13 +91,13 @@ Sign data using RSA with PKCS#1 padding and SHA256 digest:
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_CTX_ctrl(3)|EVP_PKEY_CTX_ctrl(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_CTX_ctrl(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_verify.pod b/doc/crypto/EVP_PKEY_verify.pod
index 90612ba..4952b7f 100644
--- a/doc/crypto/EVP_PKEY_verify.pod
+++ b/doc/crypto/EVP_PKEY_verify.pod
@@ -77,12 +77,12 @@ Verify signature using PKCS#1 and SHA256 digest:
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_PKEY_verify_recover.pod b/doc/crypto/EVP_PKEY_verify_recover.pod
index 23a28a9..6c2287b 100644
--- a/doc/crypto/EVP_PKEY_verify_recover.pod
+++ b/doc/crypto/EVP_PKEY_verify_recover.pod
@@ -89,12 +89,12 @@ Recover digest originally signed using PKCS#1 and SHA256 digest:
 
 =head1 SEE ALSO
 
-L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_SealInit.pod b/doc/crypto/EVP_SealInit.pod
index 19112a5..50271be 100644
--- a/doc/crypto/EVP_SealInit.pod
+++ b/doc/crypto/EVP_SealInit.pod
@@ -43,7 +43,7 @@ and can be B<NULL>.
 
 EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties
 as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as 
-documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual
+documented on the L<EVP_EncryptInit(3)> manual
 page. 
 
 =head1 RETURN VALUES
@@ -74,9 +74,9 @@ with B<type> set to NULL.
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_OpenInit(3)|EVP_OpenInit(3)>
+L<evp(3)>, L<rand(3)>,
+L<EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_SignInit.pod b/doc/crypto/EVP_SignInit.pod
index 06d02a5..9a91b91 100644
--- a/doc/crypto/EVP_SignInit.pod
+++ b/doc/crypto/EVP_SignInit.pod
@@ -49,7 +49,7 @@ for success and 0 for failure.
 
 EVP_PKEY_size() returns the maximum size of a signature in bytes.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 NOTES
 
@@ -60,7 +60,7 @@ transparent to the algorithm used and much more flexible.
 Due to the link between message digests and public key algorithms the correct
 digest algorithm must be used with the correct public key type. A list of
 algorithms and associated public key algorithms appears in 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+L<EVP_DigestInit(3)>.
 
 When signing with DSA private keys the random number generator must be seeded
 or the operation will fail. The random number generator does not need to be
@@ -90,11 +90,11 @@ The previous two bugs are fixed in the newer EVP_SignDigest*() function.
 
 =head1 SEE ALSO
 
-L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+L<EVP_VerifyInit(3)>,
+L<EVP_DigestInit(3)>, L<err(3)>,
+L<evp(3)>, L<hmac(3)>, L<md2(3)>,
+L<md5(3)>, L<mdc2(3)>, L<ripemd(3)>,
+L<sha(3)>, L<dgst(1)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/EVP_VerifyInit.pod b/doc/crypto/EVP_VerifyInit.pod
index 9097f09..ee27de1 100644
--- a/doc/crypto/EVP_VerifyInit.pod
+++ b/doc/crypto/EVP_VerifyInit.pod
@@ -41,7 +41,7 @@ failure.
 EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
 other error occurred.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 NOTES
 
@@ -52,7 +52,7 @@ transparent to the algorithm used and much more flexible.
 Due to the link between message digests and public key algorithms the correct
 digest algorithm must be used with the correct public key type. A list of
 algorithms and associated public key algorithms appears in 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
+L<EVP_DigestInit(3)>.
 
 The call to EVP_VerifyFinal() internally finalizes a copy of the digest context.
 This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can be called
@@ -78,12 +78,12 @@ The previous two bugs are fixed in the newer EVP_VerifyDigest*() function.
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>,
-L<EVP_SignInit(3)|EVP_SignInit(3)>,
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>, L<err(3)|err(3)>,
-L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+L<evp(3)>,
+L<EVP_SignInit(3)>,
+L<EVP_DigestInit(3)>, L<err(3)>,
+L<evp(3)>, L<hmac(3)>, L<md2(3)>,
+L<md5(3)>, L<mdc2(3)>, L<ripemd(3)>,
+L<sha(3)>, L<dgst(1)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/OBJ_nid2obj.pod b/doc/crypto/OBJ_nid2obj.pod
index 7acb4c4..b2b815d 100644
--- a/doc/crypto/OBJ_nid2obj.pod
+++ b/doc/crypto/OBJ_nid2obj.pod
@@ -156,7 +156,7 @@ a NID or B<NID_undef> on error.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/OCSP_REQUEST_new.pod b/doc/crypto/OCSP_REQUEST_new.pod
index 563fed3..b74f56a 100644
--- a/doc/crypto/OCSP_REQUEST_new.pod
+++ b/doc/crypto/OCSP_REQUEST_new.pod
@@ -97,11 +97,11 @@ B<issuer>:
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>,
-L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
-L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
-L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
-L<OCSP_response_status(3)|OCSP_response_status(3)>,
-L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
+L<crypto(3)>,
+L<OCSP_cert_to_id(3)>,
+L<OCSP_request_add1_nonce(3)>,
+L<OCSP_response_find_status(3)>,
+L<OCSP_response_status(3)>,
+L<OCSP_sendreq_new(3)>
 
 =cut
diff --git a/doc/crypto/OCSP_cert_to_id.pod b/doc/crypto/OCSP_cert_to_id.pod
index 2eab1d3..8eb1844 100644
--- a/doc/crypto/OCSP_cert_to_id.pod
+++ b/doc/crypto/OCSP_cert_to_id.pod
@@ -68,11 +68,11 @@ B<OCSP_CERTID> structure is freed.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>,
-L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
-L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
-L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
-L<OCSP_response_status(3)|OCSP_response_status(3)>,
-L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
+L<crypto(3)>,
+L<OCSP_request_add1_nonce(3)>,
+L<OCSP_REQUEST_new(3)>,
+L<OCSP_response_find_status(3)>,
+L<OCSP_response_status(3)>,
+L<OCSP_sendreq_new(3)>
 
 =cut
diff --git a/doc/crypto/OCSP_request_add1_nonce.pod b/doc/crypto/OCSP_request_add1_nonce.pod
index 8fe3197..a95000e 100644
--- a/doc/crypto/OCSP_request_add1_nonce.pod
+++ b/doc/crypto/OCSP_request_add1_nonce.pod
@@ -63,11 +63,11 @@ condition.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>,
-L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
-L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
-L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
-L<OCSP_response_status(3)|OCSP_response_status(3)>,
-L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
+L<crypto(3)>,
+L<OCSP_cert_to_id(3)>,
+L<OCSP_REQUEST_new(3)>,
+L<OCSP_response_find_status(3)>,
+L<OCSP_response_status(3)>,
+L<OCSP_sendreq_new(3)>
 
 =cut
diff --git a/doc/crypto/OCSP_response_find_status.pod b/doc/crypto/OCSP_response_find_status.pod
index 1f4666a..9ea2b7c 100644
--- a/doc/crypto/OCSP_response_find_status.pod
+++ b/doc/crypto/OCSP_response_find_status.pod
@@ -94,11 +94,11 @@ parameters can be set to NULL if their value is not required.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>,
-L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
-L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
-L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
-L<OCSP_response_status(3)|OCSP_response_status(3)>,
-L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
+L<crypto(3)>,
+L<OCSP_cert_to_id(3)>,
+L<OCSP_request_add1_nonce(3)>,
+L<OCSP_REQUEST_new(3)>,
+L<OCSP_response_status(3)>,
+L<OCSP_sendreq_new(3)>
 
 =cut
diff --git a/doc/crypto/OCSP_response_status.pod b/doc/crypto/OCSP_response_status.pod
index 7121872..5946734 100644
--- a/doc/crypto/OCSP_response_status.pod
+++ b/doc/crypto/OCSP_response_status.pod
@@ -47,11 +47,11 @@ B<OCSP_RESPONSE_STATUS_SUCCESSFUL>.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>
-L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>
-L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>
-L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>
-L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>
-L<OCSP_sendreq_new(3)|OCSP_sendreq_new(3)>
+L<crypto(3)>
+L<OCSP_cert_to_id(3)>
+L<OCSP_request_add1_nonce(3)>
+L<OCSP_REQUEST_new(3)>
+L<OCSP_response_find_status(3)>
+L<OCSP_sendreq_new(3)>
 
 =cut
diff --git a/doc/crypto/OCSP_sendreq_new.pod b/doc/crypto/OCSP_sendreq_new.pod
index cab11f7..b051512 100644
--- a/doc/crypto/OCSP_sendreq_new.pod
+++ b/doc/crypto/OCSP_sendreq_new.pod
@@ -103,11 +103,11 @@ applications is not recommended.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>,
-L<OCSP_cert_to_id(3)|OCSP_cert_to_id(3)>,
-L<OCSP_request_add1_nonce(3)|OCSP_request_add1_nonce(3)>,
-L<OCSP_REQUEST_new(3)|OCSP_REQUEST_new(3)>,
-L<OCSP_response_find_status(3)|OCSP_response_find_status(3)>,
-L<OCSP_response_status(3)|OCSP_response_status(3)>
+L<crypto(3)>,
+L<OCSP_cert_to_id(3)>,
+L<OCSP_request_add1_nonce(3)>,
+L<OCSP_REQUEST_new(3)>,
+L<OCSP_response_find_status(3)>,
+L<OCSP_response_status(3)>
 
 =cut
diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod
index f7ca7cb..f76a9d3 100644
--- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod
+++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod
@@ -90,7 +90,7 @@ The version number.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>
+L<crypto(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/OPENSSL_config.pod b/doc/crypto/OPENSSL_config.pod
index 91d61f3..cc86f24 100644
--- a/doc/crypto/OPENSSL_config.pod
+++ b/doc/crypto/OPENSSL_config.pod
@@ -58,9 +58,9 @@ Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
 
 =head1 SEE ALSO
 
-L<conf(5)|conf(5)>,
-L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>,
-L<CONF_modules_free(3)|CONF_modules_free(3)>
+L<conf(5)>,
+L<CONF_modules_load_file(3)>,
+L<CONF_modules_free(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/OPENSSL_load_builtin_modules.pod b/doc/crypto/OPENSSL_load_builtin_modules.pod
index de62912..8ff3d79 100644
--- a/doc/crypto/OPENSSL_load_builtin_modules.pod
+++ b/doc/crypto/OPENSSL_load_builtin_modules.pod
@@ -42,7 +42,7 @@ None of the functions return a value.
 
 =head1 SEE ALSO
 
-L<conf(3)|conf(3)>, L<OPENSSL_config(3)|OPENSSL_config(3)>
+L<conf(3)>, L<OPENSSL_config(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/OpenSSL_add_all_algorithms.pod b/doc/crypto/OpenSSL_add_all_algorithms.pod
index bcb79e5..3ca0576 100644
--- a/doc/crypto/OpenSSL_add_all_algorithms.pod
+++ b/doc/crypto/OpenSSL_add_all_algorithms.pod
@@ -60,7 +60,7 @@ too much of a problem in practice.
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>, L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+L<evp(3)>, L<EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)>
 
 =cut
diff --git a/doc/crypto/PEM_write_bio_CMS_stream.pod b/doc/crypto/PEM_write_bio_CMS_stream.pod
index e070c45..35260c1 100644
--- a/doc/crypto/PEM_write_bio_CMS_stream.pod
+++ b/doc/crypto/PEM_write_bio_CMS_stream.pod
@@ -28,11 +28,11 @@ PEM_write_bio_CMS_stream() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<SMIME_write_CMS(3)|SMIME_write_CMS(3)>,
-L<i2d_CMS_bio_stream(3)|i2d_CMS_bio_stream(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_verify(3)>, L<CMS_encrypt(3)>
+L<CMS_decrypt(3)>,
+L<SMIME_write_CMS(3)>,
+L<i2d_CMS_bio_stream(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PEM_write_bio_PKCS7_stream.pod b/doc/crypto/PEM_write_bio_PKCS7_stream.pod
index 16fc9b6..121d418 100644
--- a/doc/crypto/PEM_write_bio_PKCS7_stream.pod
+++ b/doc/crypto/PEM_write_bio_PKCS7_stream.pod
@@ -28,11 +28,11 @@ PEM_write_bio_PKCS7_stream() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>,
-L<SMIME_write_PKCS7(3)|SMIME_write_PKCS7(3)>,
-L<i2d_PKCS7_bio_stream(3)|i2d_PKCS7_bio_stream(3)>
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>,
+L<PKCS7_verify(3)>, L<PKCS7_encrypt(3)>
+L<PKCS7_decrypt(3)>,
+L<SMIME_write_PKCS7(3)>,
+L<i2d_PKCS7_bio_stream(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS12_create.pod b/doc/crypto/PKCS12_create.pod
index 88397fe..76edc48 100644
--- a/doc/crypto/PKCS12_create.pod
+++ b/doc/crypto/PKCS12_create.pod
@@ -66,7 +66,7 @@ B<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
 
 =head1 SEE ALSO
 
-L<d2i_PKCS12(3)|d2i_PKCS12(3)>
+L<d2i_PKCS12(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS12_parse.pod b/doc/crypto/PKCS12_parse.pod
index c54cf2a..3691a9b 100644
--- a/doc/crypto/PKCS12_parse.pod
+++ b/doc/crypto/PKCS12_parse.pod
@@ -33,7 +33,7 @@ B<X509> structure.
 
 PKCS12_parse() returns 1 for success and zero if an error occurred.
 
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+The error can be obtained from L<ERR_get_error(3)>
 
 =head1 BUGS
 
@@ -48,7 +48,7 @@ Attributes currently cannot be stored in the private key B<EVP_PKEY> structure.
 
 =head1 SEE ALSO
 
-L<d2i_PKCS12(3)|d2i_PKCS12(3)>
+L<d2i_PKCS12(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS5_PBKDF2_HMAC.pod b/doc/crypto/PKCS5_PBKDF2_HMAC.pod
index 7287993..b04e476 100644
--- a/doc/crypto/PKCS5_PBKDF2_HMAC.pod
+++ b/doc/crypto/PKCS5_PBKDF2_HMAC.pod
@@ -58,8 +58,8 @@ PKCS5_PBKDF2_HMAC() and PBKCS5_PBKDF2_HMAC_SHA1() return 1 on success or 0 on er
 
 =head1 SEE ALSO
 
-L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_BytesToKey(3)|EVP_BytesToKey(3)>
+L<evp(3)>, L<rand(3)>,
+L<EVP_BytesToKey(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS7_decrypt.pod b/doc/crypto/PKCS7_decrypt.pod
index 325699d..9bb367d 100644
--- a/doc/crypto/PKCS7_decrypt.pod
+++ b/doc/crypto/PKCS7_decrypt.pod
@@ -46,7 +46,7 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
+L<ERR_get_error(3)>, L<PKCS7_encrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS7_encrypt.pod b/doc/crypto/PKCS7_encrypt.pod
index 2cd925a..71618d9 100644
--- a/doc/crypto/PKCS7_encrypt.pod
+++ b/doc/crypto/PKCS7_encrypt.pod
@@ -70,7 +70,7 @@ The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
+L<ERR_get_error(3)>, L<PKCS7_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS7_sign.pod b/doc/crypto/PKCS7_sign.pod
index c788c4b..f6fe3b6 100644
--- a/doc/crypto/PKCS7_sign.pod
+++ b/doc/crypto/PKCS7_sign.pod
@@ -103,7 +103,7 @@ occurred.  The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)>
+L<ERR_get_error(3)>, L<PKCS7_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS7_sign_add_signer.pod b/doc/crypto/PKCS7_sign_add_signer.pod
index f09a0f9..580a9a1 100644
--- a/doc/crypto/PKCS7_sign_add_signer.pod
+++ b/doc/crypto/PKCS7_sign_add_signer.pod
@@ -77,8 +77,8 @@ structure just added or NULL if an error occurs.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_final(3)|PKCS7_final(3)>,
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>,
+L<PKCS7_final(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/crypto/PKCS7_verify.pod b/doc/crypto/PKCS7_verify.pod
index cad304e..b440f4d 100644
--- a/doc/crypto/PKCS7_verify.pod
+++ b/doc/crypto/PKCS7_verify.pod
@@ -96,7 +96,7 @@ if an error occurs.
 
 PKCS7_get0_signers() returns all signers or B<NULL> if an error occurred.
 
-The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
+The error can be obtained from L<ERR_get_error(3)>
 
 =head1 BUGS
 
@@ -109,7 +109,7 @@ mentioned in PKCS7_sign() also applies to PKCS7_verify().
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RAND_add.pod b/doc/crypto/RAND_add.pod
index 67c66f3..b160eeb 100644
--- a/doc/crypto/RAND_add.pod
+++ b/doc/crypto/RAND_add.pod
@@ -37,8 +37,8 @@ OpenSSL makes sure that the PRNG state is unique for each thread. On
 systems that provide C</dev/urandom>, the randomness device is used
 to seed the PRNG transparently. However, on all other systems, the
 application is responsible for seeding the PRNG by calling RAND_add(),
-L<RAND_egd(3)|RAND_egd(3)>
-or L<RAND_load_file(3)|RAND_load_file(3)>.
+L<RAND_egd(3)>
+or L<RAND_load_file(3)>.
 
 RAND_seed() is equivalent to RAND_add() when B<num == entropy>.
 
@@ -65,8 +65,8 @@ The other functions do not return values.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<RAND_egd(3)|RAND_egd(3)>,
-L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)>, L<RAND_egd(3)>,
+L<RAND_load_file(3)>, L<RAND_cleanup(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RAND_bytes.pod b/doc/crypto/RAND_bytes.pod
index f3a5ed2..6a41c37 100644
--- a/doc/crypto/RAND_bytes.pod
+++ b/doc/crypto/RAND_bytes.pod
@@ -34,15 +34,15 @@ the new pseudo-random bytes unless disabled at compile time (see FAQ).
 =head1 RETURN VALUES
 
 RAND_bytes() returns 1 on success, 0 otherwise. The error code can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
+obtained by L<ERR_get_error(3)>. RAND_pseudo_bytes() returns 1 if the
 bytes generated are cryptographically strong, 0 otherwise. Both
 functions return -1 if they are not supported by the current RAND
 method.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>,
-L<RAND_add(3)|RAND_add(3)>
+L<rand(3)>, L<ERR_get_error(3)>,
+L<RAND_add(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RAND_cleanup.pod b/doc/crypto/RAND_cleanup.pod
index 3a8f074..e9b3af9 100644
--- a/doc/crypto/RAND_cleanup.pod
+++ b/doc/crypto/RAND_cleanup.pod
@@ -20,7 +20,7 @@ RAND_cleanup() returns no value.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>
+L<rand(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RAND_egd.pod b/doc/crypto/RAND_egd.pod
index 80fa734..5a28545 100644
--- a/doc/crypto/RAND_egd.pod
+++ b/doc/crypto/RAND_egd.pod
@@ -16,12 +16,12 @@ RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes - query entropy gathering daemon
 =head1 DESCRIPTION
 
 RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
-It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
+It queries 255 bytes and uses L<RAND_add(3)> to seed the
 OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for
 RAND_egd_bytes(path, 255);
 
 RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>.
-It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
+It queries B<bytes> bytes and uses L<RAND_add(3)> to seed the
 OpenSSL built-in PRNG.
 This function is more flexible than RAND_egd().
 When only one secret key must
@@ -32,7 +32,7 @@ that can be retrieved from EGD over time is limited.
 RAND_query_egd_bytes() performs the actual query of the EGD daemon on socket
 B<path>. If B<buf> is given, B<bytes> bytes are queried and written into
 B<buf>. If B<buf> is NULL, B<bytes> bytes are queried and used to seed the
-OpenSSL built-in PRNG using L<RAND_add(3)|RAND_add(3)>.
+OpenSSL built-in PRNG using L<RAND_add(3)>.
 
 =head1 NOTES
 
@@ -72,8 +72,8 @@ success, and -1 if the connection failed. The PRNG state is not considered.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
-L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)>, L<RAND_add(3)>,
+L<RAND_cleanup(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RAND_load_file.pod b/doc/crypto/RAND_load_file.pod
index d8c134e..e19757e 100644
--- a/doc/crypto/RAND_load_file.pod
+++ b/doc/crypto/RAND_load_file.pod
@@ -43,7 +43,7 @@ error.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
+L<rand(3)>, L<RAND_add(3)>, L<RAND_cleanup(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RAND_set_rand_method.pod b/doc/crypto/RAND_set_rand_method.pod
index e5b780f..a2828e3 100644
--- a/doc/crypto/RAND_set_rand_method.pod
+++ b/doc/crypto/RAND_set_rand_method.pod
@@ -67,7 +67,7 @@ algorithms.
 
 =head1 SEE ALSO
 
-L<rand(3)|rand(3)>, L<engine(3)|engine(3)>
+L<rand(3)>, L<engine(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_blinding_on.pod b/doc/crypto/RSA_blinding_on.pod
index fd2c69a..e512bbf 100644
--- a/doc/crypto/RSA_blinding_on.pod
+++ b/doc/crypto/RSA_blinding_on.pod
@@ -34,7 +34,7 @@ RSA_blinding_off() returns no value.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<rand(3)|rand(3)>
+L<rsa(3)>, L<rand(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_check_key.pod b/doc/crypto/RSA_check_key.pod
index 522a6c2..ec02063 100644
--- a/doc/crypto/RSA_check_key.pod
+++ b/doc/crypto/RSA_check_key.pod
@@ -29,7 +29,7 @@ Therefore, it cannot be used with any arbitrary RSA key object,
 even if it is otherwise fit for regular RSA operation.
 
 The B<cb> parameter is a callback that will be invoked in the same
-manner as L<BN_is_prime_ex(3)|BN_is_prime_ex(3)>.
+manner as L<BN_is_prime_ex(3)>.
 
 RSA_check_key() is equivalent to RSA_check_key_ex() with a NULL B<cb>.
 
@@ -40,7 +40,7 @@ return 1 if B<rsa> is a valid RSA key, and 0 otherwise.
 They return -1 if an error occurs while checking the key.
 
 If the key is invalid or an error occurred, the reason code can be
-obtained using L<ERR_get_error(3)|ERR_get_error(3)>.
+obtained using L<ERR_get_error(3)>.
 
 =head1 NOTES
 
@@ -65,9 +65,9 @@ provide their own verifiers.
 
 =head1 SEE ALSO
 
-L<BN_is_prime_ex(3)|BN_is_prime_ex(3)>,
-L<rsa(3)|rsa(3)>,
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<BN_is_prime_ex(3)>,
+L<rsa(3)>,
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_generate_key.pod b/doc/crypto/RSA_generate_key.pod
index 881391a..130acf9 100644
--- a/doc/crypto/RSA_generate_key.pod
+++ b/doc/crypto/RSA_generate_key.pod
@@ -28,14 +28,14 @@ The exponent is an odd number, typically 3, 17 or 65537.
 A callback function may be used to provide feedback about the
 progress of the key generation. If B<cb> is not B<NULL>, it
 will be called as follows using the BN_GENCB_call() function
-described on the L<BN_generate_prime(3)|BN_generate_prime(3)> page.
+described on the L<BN_generate_prime(3)> page.
 
 =over 4
 
 =item *
 
 While a random prime number is generated, it is called as
-described in L<BN_generate_prime(3)|BN_generate_prime(3)>.
+described in L<BN_generate_prime(3)>.
 
 =item *
 
@@ -54,13 +54,13 @@ The process is then repeated for prime q with B<BN_GENCB_call(cb, 3, 1)>.
 RSA_generate_key is deprecated (new applications should use
 RSA_generate_key_ex instead). RSA_generate_key works in the same was as
 RSA_generate_key_ex except it uses "old style" call backs. See
-L<BN_generate_prime(3)|BN_generate_prime(3)> for further details.
+L<BN_generate_prime(3)> for further details.
 
 =head1 RETURN VALUE
 
 If key generation fails, RSA_generate_key() returns B<NULL>.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 BUGS
 
@@ -70,8 +70,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_free(3)|RSA_free(3)>, L<BN_generate_prime(3)|BN_generate_prime(3)>
+L<ERR_get_error(3)>, L<rand(3)>, L<rsa(3)>,
+L<RSA_free(3)>, L<BN_generate_prime(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_get_ex_new_index.pod b/doc/crypto/RSA_get_ex_new_index.pod
index 7d0fd1f..9b52559 100644
--- a/doc/crypto/RSA_get_ex_new_index.pod
+++ b/doc/crypto/RSA_get_ex_new_index.pod
@@ -97,7 +97,7 @@ parameter.
 
 B<new_func()> and B<dup_func()> should return 0 for failure and 1 for success.
 
-On failure an error code can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
+On failure an error code can be obtained from L<ERR_get_error(3)>.
 
 =head1 BUGS
 
@@ -110,7 +110,7 @@ present in the parent RSA structure when it is called.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+L<rsa(3)>, L<CRYPTO_set_ex_data(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_new.pod b/doc/crypto/RSA_new.pod
index 70901a5..0ce325d 100644
--- a/doc/crypto/RSA_new.pod
+++ b/doc/crypto/RSA_new.pod
@@ -24,16 +24,16 @@ If B<rsa> is NULL nothing is done.
 =head1 RETURN VALUES
 
 If the allocation fails, RSA_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. Otherwise it returns
+code that can be obtained by L<ERR_get_error(3)>. Otherwise it returns
 a pointer to the newly allocated structure.
 
 RSA_free() returns no value.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_generate_key(3)|RSA_generate_key(3)>,
-L<RSA_new_method(3)|RSA_new_method(3)>
+L<ERR_get_error(3)>, L<rsa(3)>,
+L<RSA_generate_key(3)>,
+L<RSA_new_method(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
index b8f678f..9389254 100644
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -102,13 +102,13 @@ of length B<pl>. B<p> may be B<NULL> if B<pl> is 0.
 The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
 The RSA_padding_check_xxx() functions return the length of the
 recovered data, -1 on error. Error codes can be obtained by calling
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
-L<RSA_private_decrypt(3)|RSA_private_decrypt(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+L<RSA_public_encrypt(3)>,
+L<RSA_private_decrypt(3)>,
+L<RSA_sign(3)>, L<RSA_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_print.pod b/doc/crypto/RSA_print.pod
index c971e91..7690f31 100644
--- a/doc/crypto/RSA_print.pod
+++ b/doc/crypto/RSA_print.pod
@@ -38,7 +38,7 @@ These functions return 1 on success, 0 on error.
 
 =head1 SEE ALSO
 
-L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>, L<BN_bn2bin(3)|BN_bn2bin(3)>
+L<dh(3)>, L<dsa(3)>, L<rsa(3)>, L<BN_bn2bin(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_private_encrypt.pod b/doc/crypto/RSA_private_encrypt.pod
index 746a80c..8e4425c 100644
--- a/doc/crypto/RSA_private_encrypt.pod
+++ b/doc/crypto/RSA_private_encrypt.pod
@@ -31,7 +31,7 @@ B<padding> denotes one of the following modes:
 
 PKCS #1 v1.5 padding. This function does not handle the
 B<algorithmIdentifier> specified in PKCS #1. When generating or
-verifying PKCS #1 signatures, L<RSA_sign(3)|RSA_sign(3)> and L<RSA_verify(3)|RSA_verify(3)> should be
+verifying PKCS #1 signatures, L<RSA_sign(3)> and L<RSA_verify(3)> should be
 used.
 
 =item RSA_NO_PADDING
@@ -55,12 +55,12 @@ RSA_size(rsa)). RSA_public_decrypt() returns the size of the
 recovered message digest.
 
 On error, -1 is returned; the error codes can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+obtained by L<ERR_get_error(3)>.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)>
+L<ERR_get_error(3)>, L<rsa(3)>,
+L<RSA_sign(3)>, L<RSA_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod
index ab0fe3b..35a0fb5 100644
--- a/doc/crypto/RSA_public_encrypt.pod
+++ b/doc/crypto/RSA_public_encrypt.pod
@@ -65,7 +65,7 @@ RSA_size(B<rsa>)). RSA_private_decrypt() returns the size of the
 recovered plaintext.
 
 On error, -1 is returned; the error codes can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+obtained by L<ERR_get_error(3)>.
 
 =head1 CONFORMING TO
 
@@ -73,8 +73,8 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<RSA_size(3)|RSA_size(3)>
+L<ERR_get_error(3)>, L<rand(3)>, L<rsa(3)>,
+L<RSA_size(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod
index 0ef0781..7ccb216 100644
--- a/doc/crypto/RSA_set_method.pod
+++ b/doc/crypto/RSA_set_method.pod
@@ -156,7 +156,7 @@ ENGINE). For this reason, the return type may be replaced with a B<void>
 declaration in a future release.
 
 RSA_new_method() returns NULL and sets an error code that can be obtained
-by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
+by L<ERR_get_error(3)> if the allocation fails. Otherwise
 it returns a pointer to the newly allocated structure.
 
 =head1 NOTES
@@ -183,7 +183,7 @@ not currently exist).
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<RSA_new(3)|RSA_new(3)>
+L<rsa(3)>, L<RSA_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_sign.pod b/doc/crypto/RSA_sign.pod
index fc16b1f..4e98925 100644
--- a/doc/crypto/RSA_sign.pod
+++ b/doc/crypto/RSA_sign.pod
@@ -22,12 +22,12 @@ signature in B<sigret> and the signature size in B<siglen>. B<sigret>
 must point to RSA_size(B<rsa>) bytes of memory.
 Note that PKCS #1 adds meta-data, placing limits on the size of the
 key that can be used.
-See L<RSA_private_encrypt(3)|RSA_private_encrypt(3)> for lower-level
+See L<RSA_private_encrypt(3)> for lower-level
 operations.
 
 B<type> denotes the message digest algorithm that was used to generate
 B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
-see L<objects(3)|objects(3)> for details. If B<type> is B<NID_md5_sha1>,
+see L<objects(3)> for details. If B<type> is B<NID_md5_sha1>,
 an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
 and no algorithm identifier) is created.
 
@@ -41,7 +41,7 @@ B<rsa> is the signer's public key.
 RSA_sign() returns 1 on success, 0 otherwise.  RSA_verify() returns 1
 on successful verification, 0 otherwise.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 BUGS
 
@@ -54,9 +54,9 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
-L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> 
+L<ERR_get_error(3)>, L<objects(3)>,
+L<rsa(3)>, L<RSA_private_encrypt(3)>,
+L<RSA_public_decrypt(3)> 
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
index e70380b..f505ddb 100644
--- a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -39,7 +39,7 @@ RSA_sign_ASN1_OCTET_STRING() returns 1 on success, 0 otherwise.
 RSA_verify_ASN1_OCTET_STRING() returns 1 on successful verification, 0
 otherwise.
 
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 BUGS
 
@@ -47,9 +47,9 @@ These functions serve no recognizable purpose.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>,
-L<RSA_verify(3)|RSA_verify(3)>
+L<ERR_get_error(3)>, L<objects(3)>,
+L<rand(3)>, L<rsa(3)>, L<RSA_sign(3)>,
+L<RSA_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/RSA_size.pod b/doc/crypto/RSA_size.pod
index f68d5e8..dc57bd1 100644
--- a/doc/crypto/RSA_size.pod
+++ b/doc/crypto/RSA_size.pod
@@ -28,7 +28,7 @@ The size.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<BN_num_bits(3)|BN_num_bits(3)>
+L<rsa(3)>, L<BN_num_bits(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/SMIME_read_CMS.pod b/doc/crypto/SMIME_read_CMS.pod
index acc5524..15bec59 100644
--- a/doc/crypto/SMIME_read_CMS.pod
+++ b/doc/crypto/SMIME_read_CMS.pod
@@ -58,10 +58,10 @@ if an error occurred. The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_type(3)|CMS_type(3)>
-L<SMIME_read_CMS(3)|SMIME_read_CMS(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>
+L<ERR_get_error(3)>, L<CMS_type(3)>
+L<SMIME_read_CMS(3)>, L<CMS_sign(3)>,
+L<CMS_verify(3)>, L<CMS_encrypt(3)>
+L<CMS_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/SMIME_read_PKCS7.pod b/doc/crypto/SMIME_read_PKCS7.pod
index 9d46715..40f950f 100644
--- a/doc/crypto/SMIME_read_PKCS7.pod
+++ b/doc/crypto/SMIME_read_PKCS7.pod
@@ -61,10 +61,10 @@ is an error occurred. The error can be obtained from ERR_get_error(3).
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_type(3)|PKCS7_type(3)>
-L<SMIME_read_PKCS7(3)|SMIME_read_PKCS7(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
+L<ERR_get_error(3)>, L<PKCS7_type(3)>
+L<SMIME_read_PKCS7(3)>, L<PKCS7_sign(3)>,
+L<PKCS7_verify(3)>, L<PKCS7_encrypt(3)>
+L<PKCS7_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/SMIME_write_CMS.pod b/doc/crypto/SMIME_write_CMS.pod
index 04bedfb..1cd1baa 100644
--- a/doc/crypto/SMIME_write_CMS.pod
+++ b/doc/crypto/SMIME_write_CMS.pod
@@ -53,9 +53,9 @@ SMIME_write_CMS() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_verify(3)>, L<CMS_encrypt(3)>
+L<CMS_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/SMIME_write_PKCS7.pod b/doc/crypto/SMIME_write_PKCS7.pod
index 4a7cd08..85bc478 100644
--- a/doc/crypto/SMIME_write_PKCS7.pod
+++ b/doc/crypto/SMIME_write_PKCS7.pod
@@ -54,9 +54,9 @@ SMIME_write_PKCS7() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>,
+L<PKCS7_verify(3)>, L<PKCS7_encrypt(3)>
+L<PKCS7_decrypt(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/SSLeay_version.pod b/doc/crypto/SSLeay_version.pod
index 1500c2a..c54c3fe 100644
--- a/doc/crypto/SSLeay_version.pod
+++ b/doc/crypto/SSLeay_version.pod
@@ -65,7 +65,7 @@ Textual description.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>
+L<crypto(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_NAME_ENTRY_get_object.pod b/doc/crypto/X509_NAME_ENTRY_get_object.pod
index 4716e7e..2cb96c5 100644
--- a/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ b/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -64,8 +64,8 @@ set first so the relevant field information can be looked up internally.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
+L<ERR_get_error(3)>, L<d2i_X509_NAME(3)>,
+L<OBJ_nid2obj(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_NAME_add_entry_by_txt.pod b/doc/crypto/X509_NAME_add_entry_by_txt.pod
index 3bdc07f..c10ea0f 100644
--- a/doc/crypto/X509_NAME_add_entry_by_txt.pod
+++ b/doc/crypto/X509_NAME_add_entry_by_txt.pod
@@ -109,7 +109,7 @@ can result in invalid field types its use is strongly discouraged.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>
+L<ERR_get_error(3)>, L<d2i_X509_NAME(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_NAME_get_index_by_NID.pod b/doc/crypto/X509_NAME_get_index_by_NID.pod
index 380356e..e6dfff3 100644
--- a/doc/crypto/X509_NAME_get_index_by_NID.pod
+++ b/doc/crypto/X509_NAME_get_index_by_NID.pod
@@ -110,7 +110,7 @@ requested entry or B<NULL> if the index is invalid.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>
+L<ERR_get_error(3)>, L<d2i_X509_NAME(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_NAME_print_ex.pod b/doc/crypto/X509_NAME_print_ex.pod
index 2579a5d..0d8e5fe 100644
--- a/doc/crypto/X509_NAME_print_ex.pod
+++ b/doc/crypto/X509_NAME_print_ex.pod
@@ -40,7 +40,7 @@ applications.
 
 Although there are a large number of possible flags for most purposes
 B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
-As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page
+As noted on the L<ASN1_STRING_print_ex(3)> manual page
 for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example
 B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used.
 
@@ -96,7 +96,7 @@ B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls
 
 =head1 SEE ALSO
 
-L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)>
+L<ASN1_STRING_print_ex(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_STORE_CTX_get_error.pod b/doc/crypto/X509_STORE_CTX_get_error.pod
index 7748e90..75be453 100644
--- a/doc/crypto/X509_STORE_CTX_get_error.pod
+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
@@ -296,7 +296,7 @@ thread safe but will never happen unless an invalid code is passed.
 
 =head1 SEE ALSO
 
-L<X509_verify_cert(3)|X509_verify_cert(3)>
+L<X509_verify_cert(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod b/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
index 8a9243d..58368fd 100644
--- a/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
+++ b/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
@@ -31,7 +31,7 @@ structure.
 
 =head1 SEE ALSO
 
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>
+L<RSA_get_ex_new_index(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_STORE_CTX_new.pod b/doc/crypto/X509_STORE_CTX_new.pod
index f8907d7..1f3ded6 100644
--- a/doc/crypto/X509_STORE_CTX_new.pod
+++ b/doc/crypto/X509_STORE_CTX_new.pod
@@ -126,8 +126,8 @@ used.
 
 =head1 SEE ALSO
 
-L<X509_verify_cert(3)|X509_verify_cert(3)>
-L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
+L<X509_verify_cert(3)>
+L<X509_VERIFY_PARAM_set_flags(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_STORE_CTX_set_verify_cb.pod b/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
index b9787a6..8ff47f6 100644
--- a/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
+++ b/doc/crypto/X509_STORE_CTX_set_verify_cb.pod
@@ -149,9 +149,9 @@ B<ex_data>.
 
 =head1 SEE ALSO
 
-L<X509_STORE_CTX_get_error(3)|X509_STORE_CTX_get_error(3)>
-L<X509_STORE_set_verify_cb_func(3)|X509_STORE_set_verify_cb_func(3)>
-L<X509_STORE_CTX_get_ex_new_index(3)|X509_STORE_CTX_get_ex_new_index(3)>
+L<X509_STORE_CTX_get_error(3)>
+L<X509_STORE_set_verify_cb_func(3)>
+L<X509_STORE_CTX_get_ex_new_index(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_STORE_set_verify_cb_func.pod b/doc/crypto/X509_STORE_set_verify_cb_func.pod
index 29e3bbe..b5bc1ea 100644
--- a/doc/crypto/X509_STORE_set_verify_cb_func.pod
+++ b/doc/crypto/X509_STORE_set_verify_cb_func.pod
@@ -41,8 +41,8 @@ a value.
 
 =head1 SEE ALSO
 
-L<X509_STORE_CTX_set_verify_cb(3)|X509_STORE_CTX_set_verify_cb(3)>
-L<CMS_verify(3)|CMS_verify(3)>
+L<X509_STORE_CTX_set_verify_cb(3)>
+L<CMS_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 066ce0f..ec91d5d 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -232,10 +232,10 @@ connections associated with an B<SSL_CTX> structure B<ctx>:
 
 =head1 SEE ALSO
 
-L<X509_verify_cert(3)|X509_verify_cert(3)>,
-L<X509_check_host(3)|X509_check_host(3)>,
-L<X509_check_email(3)|X509_check_email(3)>,
-L<X509_check_ip(3)|X509_check_ip(3)>
+L<X509_verify_cert(3)>,
+L<X509_check_host(3)>,
+L<X509_check_email(3)>,
+L<X509_check_ip(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 5804115..23447f4 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -126,12 +126,12 @@ DANE support is added to OpenSSL.
 
 =head1 SEE ALSO
 
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<X509_VERIFY_PARAM_set1_host(3)|X509_VERIFY_PARAM_set1_host(3)>,
-L<X509_VERIFY_PARAM_add1_host(3)|X509_VERIFY_PARAM_add1_host(3)>,
-L<X509_VERIFY_PARAM_set1_email(3)|X509_VERIFY_PARAM_set1_email(3)>,
-L<X509_VERIFY_PARAM_set1_ip(3)|X509_VERIFY_PARAM_set1_ip(3)>,
-L<X509_VERIFY_PARAM_set1_ipasc(3)|X509_VERIFY_PARAM_set1_ipasc(3)>
+L<SSL_get_verify_result(3)>,
+L<X509_VERIFY_PARAM_set1_host(3)>,
+L<X509_VERIFY_PARAM_add1_host(3)>,
+L<X509_VERIFY_PARAM_set1_email(3)>,
+L<X509_VERIFY_PARAM_set1_ip(3)>,
+L<X509_VERIFY_PARAM_set1_ipasc(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_new.pod b/doc/crypto/X509_new.pod
index d6f3d30..2e49a6e 100644
--- a/doc/crypto/X509_new.pod
+++ b/doc/crypto/X509_new.pod
@@ -24,14 +24,14 @@ If B<a> is NULL nothing is done.
 =head1 RETURN VALUES
 
 If the allocation fails, X509_new() returns B<NULL> and sets an error
-code that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+code that can be obtained by L<ERR_get_error(3)>.
 Otherwise it returns a pointer to the newly allocated structure.
 
 X509_free() returns no value.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509(3)|d2i_X509(3)>
+L<ERR_get_error(3)>, L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/X509_verify_cert.pod b/doc/crypto/X509_verify_cert.pod
index 48055b0..1780bfe 100644
--- a/doc/crypto/X509_verify_cert.pod
+++ b/doc/crypto/X509_verify_cert.pod
@@ -14,7 +14,7 @@ X509_verify_cert - discover and verify X509 certificate chain
 
 The X509_verify_cert() function attempts to discover and validate a
 certificate chain based on parameters in B<ctx>. A complete description of
-the process is contained in the L<verify(1)|verify(1)> manual page.
+the process is contained in the L<verify(1)> manual page.
 
 =head1 RETURN VALUES
 
@@ -45,7 +45,7 @@ functiosn which use B<x509_vfy.h>.
 
 =head1 SEE ALSO
 
-L<X509_STORE_CTX_get_error(3)|X509_STORE_CTX_get_error(3)>
+L<X509_STORE_CTX_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/bio.pod b/doc/crypto/bio.pod
index 9debe4f..fc1da92 100644
--- a/doc/crypto/bio.pod
+++ b/doc/crypto/bio.pod
@@ -39,17 +39,17 @@ BIO).
 
 =head1 SEE ALSO
 
-L<BIO_ctrl(3)|BIO_ctrl(3)>,
-L<BIO_f_base64(3)|BIO_f_base64(3)>, L<BIO_f_buffer(3)|BIO_f_buffer(3)>,
-L<BIO_f_cipher(3)|BIO_f_cipher(3)>, L<BIO_f_md(3)|BIO_f_md(3)>,
-L<BIO_f_null(3)|BIO_f_null(3)>, L<BIO_f_ssl(3)|BIO_f_ssl(3)>,
-L<BIO_find_type(3)|BIO_find_type(3)>, L<BIO_new(3)|BIO_new(3)>,
-L<BIO_new_bio_pair(3)|BIO_new_bio_pair(3)>,
-L<BIO_push(3)|BIO_push(3)>, L<BIO_read(3)|BIO_read(3)>,
-L<BIO_s_accept(3)|BIO_s_accept(3)>, L<BIO_s_bio(3)|BIO_s_bio(3)>,
-L<BIO_s_connect(3)|BIO_s_connect(3)>, L<BIO_s_fd(3)|BIO_s_fd(3)>,
-L<BIO_s_file(3)|BIO_s_file(3)>, L<BIO_s_mem(3)|BIO_s_mem(3)>,
-L<BIO_s_secmem(3)|BIO_s_mem(3)>,
-L<BIO_s_null(3)|BIO_s_null(3)>, L<BIO_s_socket(3)|BIO_s_socket(3)>,
-L<BIO_set_callback(3)|BIO_set_callback(3)>,
-L<BIO_should_retry(3)|BIO_should_retry(3)>
+L<BIO_ctrl(3)>,
+L<BIO_f_base64(3)>, L<BIO_f_buffer(3)>,
+L<BIO_f_cipher(3)>, L<BIO_f_md(3)>,
+L<BIO_f_null(3)>, L<BIO_f_ssl(3)>,
+L<BIO_find_type(3)>, L<BIO_new(3)>,
+L<BIO_new_bio_pair(3)>,
+L<BIO_push(3)>, L<BIO_read(3)>,
+L<BIO_s_accept(3)>, L<BIO_s_bio(3)>,
+L<BIO_s_connect(3)>, L<BIO_s_fd(3)>,
+L<BIO_s_file(3)>, L<BIO_s_mem(3)>,
+L<BIO_s_mem(3)>,
+L<BIO_s_null(3)>, L<BIO_s_socket(3)>,
+L<BIO_set_callback(3)>,
+L<BIO_should_retry(3)>
diff --git a/doc/crypto/blowfish.pod b/doc/crypto/blowfish.pod
index 31438ab..25b954c 100644
--- a/doc/crypto/blowfish.pod
+++ b/doc/crypto/blowfish.pod
@@ -33,7 +33,7 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
 Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
 It uses a variable size key, but typically, 128 bit (16 byte) keys are
 considered good for strong encryption.  Blowfish can be used in the same
-modes as DES (see L<des_modes(7)|des_modes(7)>).  Blowfish is currently one
+modes as DES (see L<des_modes(7)>).  Blowfish is currently one
 of the faster block ciphers.  It is quite a bit faster than DES, and much
 faster than IDEA or RC2.
 
@@ -97,12 +97,12 @@ None of the functions presented here return any value.
 =head1 NOTE
 
 Applications should use the higher level functions
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> etc. instead of calling these
+L<EVP_EncryptInit(3)> etc. instead of calling these
 functions directly.
 
 =head1 SEE ALSO
 
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<des_modes(7)|des_modes(7)>
+L<EVP_EncryptInit(3)>,
+L<des_modes(7)>
 
 =cut
diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod
index ab809f9..37d638d 100644
--- a/doc/crypto/bn.pod
+++ b/doc/crypto/bn.pod
@@ -163,26 +163,26 @@ The basic object in this library is a B<BIGNUM>. It is used to hold a
 single large integer. This type should be considered opaque and fields
 should not be modified or accessed directly.
 
-The creation of B<BIGNUM> objects is described in L<BN_new(3)|BN_new(3)>;
-L<BN_add(3)|BN_add(3)> describes most of the arithmetic operations.
-Comparison is described in L<BN_cmp(3)|BN_cmp(3)>; L<BN_zero(3)|BN_zero(3)>
-describes certain assignments, L<BN_rand(3)|BN_rand(3)> the generation of
-random numbers, L<BN_generate_prime(3)|BN_generate_prime(3)> deals with prime
-numbers and L<BN_set_bit(3)|BN_set_bit(3)> with bit operations. The conversion
-of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
+The creation of B<BIGNUM> objects is described in L<BN_new(3)>;
+L<BN_add(3)> describes most of the arithmetic operations.
+Comparison is described in L<BN_cmp(3)>; L<BN_zero(3)>
+describes certain assignments, L<BN_rand(3)> the generation of
+random numbers, L<BN_generate_prime(3)> deals with prime
+numbers and L<BN_set_bit(3)> with bit operations. The conversion
+of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)>.
 
 =head1 SEE ALSO
 
-L<bn_internal(3)|bn_internal(3)>,
-L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
-L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
-L<BN_copy(3)|BN_copy(3)>, L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
-L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
-L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
-L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
-L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
-L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>,
-L<BN_BLINDING_new(3)|BN_BLINDING_new(3)>
+L<bn_internal(3)>,
+L<dh(3)>, L<err(3)>, L<rand(3)>, L<rsa(3)>,
+L<BN_new(3)>, L<BN_CTX_new(3)>,
+L<BN_copy(3)>, L<BN_swap(3)>, L<BN_num_bytes(3)>,
+L<BN_add(3)>, L<BN_add_word(3)>,
+L<BN_cmp(3)>, L<BN_zero(3)>, L<BN_rand(3)>,
+L<BN_generate_prime(3)>, L<BN_set_bit(3)>,
+L<BN_bn2bin(3)>, L<BN_mod_inverse(3)>,
+L<BN_mod_mul_reciprocal(3)>,
+L<BN_mod_mul_montgomery(3)>,
+L<BN_BLINDING_new(3)>
 
 =cut
diff --git a/doc/crypto/bn_internal.pod b/doc/crypto/bn_internal.pod
index 91840b0..e609a08 100644
--- a/doc/crypto/bn_internal.pod
+++ b/doc/crypto/bn_internal.pod
@@ -105,7 +105,7 @@ B<BIGNUM> variables during their execution.  Since dynamic memory
 allocation to create B<BIGNUM>s is rather expensive when used in
 conjunction with repeated subroutine calls, the B<BN_CTX> structure is
 used.  This structure contains B<BN_CTX_NUM> B<BIGNUM>s, see
-L<BN_CTX_start(3)|BN_CTX_start(3)>.
+L<BN_CTX_start(3)>.
 
 =head2 Low-level arithmetic operations
 
@@ -233,6 +233,6 @@ and bn_set_max() are defined as empty macros.
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>
+L<bn(3)>
 
 =cut
diff --git a/doc/crypto/buffer.pod b/doc/crypto/buffer.pod
index 3804c56..c56cc89 100644
--- a/doc/crypto/buffer.pod
+++ b/doc/crypto/buffer.pod
@@ -71,7 +71,7 @@ BUF_MEM_grow() returns zero on error or the new size (i.e. B<len>).
 
 =head1 SEE ALSO
 
-L<bio(3)|bio(3)>,
+L<bio(3)>,
 L<CRYPTO_secure_malloc(3)>.
 
 =head1 HISTORY
diff --git a/doc/crypto/crypto.pod b/doc/crypto/crypto.pod
index f18edfe..b8f4fb8 100644
--- a/doc/crypto/crypto.pod
+++ b/doc/crypto/crypto.pod
@@ -27,38 +27,38 @@ hash functions and a cryptographic pseudo-random number generator.
 
 =item SYMMETRIC CIPHERS
 
-L<blowfish(3)|blowfish(3)>, L<cast(3)|cast(3)>, L<des(3)|des(3)>,
-L<idea(3)|idea(3)>, L<rc2(3)|rc2(3)>, L<rc4(3)|rc4(3)>, L<rc5(3)|rc5(3)> 
+L<blowfish(3)>, L<cast(3)>, L<des(3)>,
+L<idea(3)>, L<rc2(3)>, L<rc4(3)>, L<rc5(3)> 
 
 =item PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT
 
-L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rsa(3)|rsa(3)>
+L<dsa(3)>, L<dh(3)>, L<rsa(3)>
 
 =item CERTIFICATES
 
-L<x509(3)|x509(3)>, L<x509v3(3)|x509v3(3)>
+L<x509(3)>, L<x509v3(3)>
 
 =item AUTHENTICATION CODES, HASH FUNCTIONS
 
-L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md4(3)|md4(3)>,
-L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
-L<sha(3)|sha(3)>
+L<hmac(3)>, L<md2(3)>, L<md4(3)>,
+L<md5(3)>, L<mdc2(3)>, L<ripemd(3)>,
+L<sha(3)>
 
 =item AUXILIARY FUNCTIONS
 
-L<err(3)|err(3)>, L<threads(3)|threads(3)>, L<rand(3)|rand(3)>,
-L<OPENSSL_VERSION_NUMBER(3)|OPENSSL_VERSION_NUMBER(3)>
+L<err(3)>, L<threads(3)>, L<rand(3)>,
+L<OPENSSL_VERSION_NUMBER(3)>
 
 =item INPUT/OUTPUT, DATA ENCODING
 
-L<asn1(3)|asn1(3)>, L<bio(3)|bio(3)>, L<evp(3)|evp(3)>, L<pem(3)|pem(3)>,
-L<pkcs7(3)|pkcs7(3)>, L<pkcs12(3)|pkcs12(3)> 
+L<asn1(3)>, L<bio(3)>, L<evp(3)>, L<pem(3)>,
+L<pkcs7(3)>, L<pkcs12(3)> 
 
 =item INTERNAL FUNCTIONS
 
-L<bn(3)|bn(3)>, L<buffer(3)|buffer(3)>, L<ec(3)|ec(3)>, L<lhash(3)|lhash(3)>,
-L<objects(3)|objects(3)>, L<stack(3)|stack(3)>,
-L<txt_db(3)|txt_db(3)> 
+L<bn(3)>, L<buffer(3)>, L<ec(3)>, L<lhash(3)>,
+L<objects(3)>, L<stack(3)>,
+L<txt_db(3)> 
 
 =back
 
@@ -80,6 +80,6 @@ so both (B<x> and B<obj> above) should be freed up.
 
 =head1 SEE ALSO
 
-L<openssl(1)|openssl(1)>, L<ssl(3)|ssl(3)>
+L<openssl(1)>, L<ssl(3)>
 
 =cut
diff --git a/doc/crypto/d2i_ASN1_OBJECT.pod b/doc/crypto/d2i_ASN1_OBJECT.pod
index d9a6912..32c6b05 100644
--- a/doc/crypto/d2i_ASN1_OBJECT.pod
+++ b/doc/crypto/d2i_ASN1_OBJECT.pod
@@ -16,11 +16,11 @@ d2i_ASN1_OBJECT, i2d_ASN1_OBJECT - ASN1 OBJECT IDENTIFIER functions
 These functions decode and encode an ASN1 OBJECT IDENTIFIER.
 
 Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_CMS_ContentInfo.pod b/doc/crypto/d2i_CMS_ContentInfo.pod
index 6ddb2f6..463f617 100644
--- a/doc/crypto/d2i_CMS_ContentInfo.pod
+++ b/doc/crypto/d2i_CMS_ContentInfo.pod
@@ -16,11 +16,11 @@ d2i_CMS_ContentInfo, i2d_CMS_ContentInfo - CMS ContentInfo functions
 These functions decode and encode an CMS ContentInfo structure.
 
 Otherwise they behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_DHparams.pod b/doc/crypto/d2i_DHparams.pod
index d8bdf22..f13d0b5 100644
--- a/doc/crypto/d2i_DHparams.pod
+++ b/doc/crypto/d2i_DHparams.pod
@@ -17,11 +17,11 @@ These functions decode and encode PKCS#3 DH parameters using the
 DHparameter structure described in PKCS#3.
 
 Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_DSAPublicKey.pod b/doc/crypto/d2i_DSAPublicKey.pod
index 44451cf..549fab0 100644
--- a/doc/crypto/d2i_DSAPublicKey.pod
+++ b/doc/crypto/d2i_DSAPublicKey.pod
@@ -49,7 +49,7 @@ d2i_DSA_SIG(), i2d_DSA_SIG() decode and encode a DSA signature using a
 B<Dss-Sig-Value> structure as defined in RFC2459.
 
 The usage of all of these functions is similar to the d2i_X509() and
-i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+i2d_X509() described in the L<d2i_X509(3)> manual page.
 
 =head1 NOTES
 
@@ -74,7 +74,7 @@ B<priv_key> fields respectively.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_ECPKParameters.pod b/doc/crypto/d2i_ECPKParameters.pod
index 704b4ab..abb6f4f 100644
--- a/doc/crypto/d2i_ECPKParameters.pod
+++ b/doc/crypto/d2i_ECPKParameters.pod
@@ -58,7 +58,7 @@ i2d_ECPKParameters_fp() is similar to i2d_ECPKParameters() except it writes
 the encoding of the structure B<x> to BIO B<bp> and it
 returns 1 for success and 0 for failure.
 
-These functions are very similar to the X509 functions described in L<d2i_X509(3)|d2i_X509(3)>,
+These functions are very similar to the X509 functions described in L<d2i_X509(3)>,
 where further notes and examples are available.
 
 The ECPKParameters_print and ECPKParameters_print_fp functions print a human-readable output
@@ -77,8 +77,8 @@ return 1 for success and 0 if an error occurs.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_X509(3)|d2i_X509(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>, L<EC_GROUP_copy(3)>,
+L<EC_POINT_new(3)>, L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
+L<EC_GFp_simple_method(3)>, L<d2i_X509(3)>
 
 =cut
diff --git a/doc/crypto/d2i_ECPrivateKey.pod b/doc/crypto/d2i_ECPrivateKey.pod
index adeffe6..0859579 100644
--- a/doc/crypto/d2i_ECPrivateKey.pod
+++ b/doc/crypto/d2i_ECPrivateKey.pod
@@ -21,11 +21,11 @@ The ECPrivateKey encode and decode routines encode and parse an
 B<EC_KEY> structure into a binary format (ASN.1 DER) and back again.
 
 These functions are similar to the d2i_X509() functions, and you should refer to
-that page for a detailed description (see L<d2i_X509(3)|d2i_X509(3)>).
+that page for a detailed description (see L<d2i_X509(3)>).
 
 The format of the external representation of the public key written by
 i2d_ECPrivateKey (such as whether it is stored in a compressed form or not) is
-described by the point_conversion_form. See L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>
+described by the point_conversion_form. See L<EC_GROUP_copy(3)>
 for a description of point_conversion_form.
 
 When reading a private key encoded without an associated public key (e.g. if
@@ -46,22 +46,22 @@ set then the public key is not encoded along with the private key.
 
 d2i_ECPrivateKey() returns a valid B<EC_KEY> structure or B<NULL> if an error
 occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)>.
 
 i2d_ECPrivateKey() returns the number of bytes successfully encoded or a
 negative value if an error occurs. The error code can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)>.
 
 EC_KEY_get_enc_flags returns the value of the current encoding flags for the
 EC_KEY.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<ec(3)|ec(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>,
-L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>, L<EC_POINT_new(3)|EC_POINT_new(3)>,
-L<EC_POINT_add(3)|EC_POINT_add(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>,
-L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>,
-L<d2i_ECPrivateKey(3)|d2i_ECPrivateKey(3)>
+L<crypto(3)>, L<ec(3)>, L<EC_GROUP_new(3)>,
+L<EC_GROUP_copy(3)>, L<EC_POINT_new(3)>,
+L<EC_POINT_add(3)>,
+L<EC_GFp_simple_method(3)>,
+L<d2i_ECPKParameters(3)>,
+L<d2i_ECPrivateKey(3)>
 
 =cut
diff --git a/doc/crypto/d2i_PKCS8PrivateKey.pod b/doc/crypto/d2i_PKCS8PrivateKey.pod
index a54b779..a4213fa 100644
--- a/doc/crypto/d2i_PKCS8PrivateKey.pod
+++ b/doc/crypto/d2i_PKCS8PrivateKey.pod
@@ -35,11 +35,11 @@ The PKCS#8 functions encode and decode private keys in PKCS#8 format using both
 PKCS#5 v1.5 and PKCS#5 v2.0 password based encryption algorithms.
 
 Other than the use of DER as opposed to PEM these functions are identical to the
-corresponding B<PEM> function as described in the L<pem(3)|pem(3)> manual page.
+corresponding B<PEM> function as described in the L<pem(3)> manual page.
 
 =head1 NOTES
 
-Before using these functions L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>
+Before using these functions L<OpenSSL_add_all_algorithms(3)>
 should be called to initialize the internal algorithm lookup tables otherwise errors about
 unknown algorithms will occur if an attempt is made to decrypt a private key. 
 
@@ -47,10 +47,10 @@ These functions are currently the only way to store encrypted private keys using
 
 Currently all the functions use BIOs or FILE pointers, there are no functions which
 work directly on memory: this can be readily worked around by converting the buffers
-to memory BIOs, see L<BIO_s_mem(3)|BIO_s_mem(3)> for details.
+to memory BIOs, see L<BIO_s_mem(3)> for details.
 
 =head1 SEE ALSO
 
-L<pem(3)|pem(3)>
+L<pem(3)>
 
 =cut
diff --git a/doc/crypto/d2i_RSAPublicKey.pod b/doc/crypto/d2i_RSAPublicKey.pod
index aa6078b..9786d75 100644
--- a/doc/crypto/d2i_RSAPublicKey.pod
+++ b/doc/crypto/d2i_RSAPublicKey.pod
@@ -42,7 +42,7 @@ d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in
 NET format.
 
 The usage of all of these functions is similar to the d2i_X509() and
-i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+i2d_X509() described in the L<d2i_X509(3)> manual page.
 
 =head1 NOTES
 
@@ -58,7 +58,7 @@ avoided if possible.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509.pod b/doc/crypto/d2i_X509.pod
index 5b7c16f..8a5a9c9 100644
--- a/doc/crypto/d2i_X509.pod
+++ b/doc/crypto/d2i_X509.pod
@@ -236,21 +236,21 @@ i2d_re_X509_tbs().
 
 d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
 or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+L<ERR_get_error(3)>. If the "reuse" capability has been used
 with a valid X509 structure being passed in via B<px> then the object is not
 freed in the event of error but may be in a potentially invalid or inconsistent
 state.
 
 i2d_X509() returns the number of bytes successfully encoded or a negative
 value if an error occurs. The error code can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>. 
+L<ERR_get_error(3)>. 
 
 i2d_X509_bio() and i2d_X509_fp() return 1 for success and 0 if an error 
-occurs The error code can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. 
+occurs The error code can be obtained by L<ERR_get_error(3)>. 
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>
+L<ERR_get_error(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509_ALGOR.pod b/doc/crypto/d2i_X509_ALGOR.pod
index 09849b5..fb8a75d 100644
--- a/doc/crypto/d2i_X509_ALGOR.pod
+++ b/doc/crypto/d2i_X509_ALGOR.pod
@@ -23,7 +23,7 @@ The functions d2i_X509() and i2d_X509() decode and encode an B<X509_ALGOR>
 structure which is equivalent to the B<AlgorithmIdentifier> structure.
 
 Otherwise they behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 X509_ALGOR_dup() returns a copy of B<alg>.
 
@@ -46,7 +46,7 @@ encodings and non-zero otherwise.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509_CRL.pod b/doc/crypto/d2i_X509_CRL.pod
index 5ace93a..dfa3334 100644
--- a/doc/crypto/d2i_X509_CRL.pod
+++ b/doc/crypto/d2i_X509_CRL.pod
@@ -24,11 +24,11 @@ These functions decode and encode an X509 CRL (certificate revocation
 list).
 
 Otherwise the functions behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509_NAME.pod b/doc/crypto/d2i_X509_NAME.pod
index fe0b6c0..69f3762 100644
--- a/doc/crypto/d2i_X509_NAME.pod
+++ b/doc/crypto/d2i_X509_NAME.pod
@@ -18,11 +18,11 @@ the same as the B<Name> type defined in RFC2459 (and elsewhere) and used
 for example in certificate subject and issuer names.
 
 Otherwise the functions behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509_REQ.pod b/doc/crypto/d2i_X509_REQ.pod
index 3a52df4..1b2a588 100644
--- a/doc/crypto/d2i_X509_REQ.pod
+++ b/doc/crypto/d2i_X509_REQ.pod
@@ -23,11 +23,11 @@ i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions.
 These functions decode and encode a PKCS#10 certificate request.
 
 Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/d2i_X509_SIG.pod b/doc/crypto/d2i_X509_SIG.pod
index 38a6f20..3efb556 100644
--- a/doc/crypto/d2i_X509_SIG.pod
+++ b/doc/crypto/d2i_X509_SIG.pod
@@ -17,11 +17,11 @@ These functions decode and encode an X509_SIG structure which is
 equivalent to the B<DigestInfo> structure defined in PKCS#1 and PKCS#7.
 
 Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
-described in the L<d2i_X509(3)|d2i_X509(3)> manual page.
+described in the L<d2i_X509(3)> manual page.
 
 =head1 SEE ALSO
 
-L<d2i_X509(3)|d2i_X509(3)>
+L<d2i_X509(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/des.pod b/doc/crypto/des.pod
index 6742a4c..a6938aa 100644
--- a/doc/crypto/des.pod
+++ b/doc/crypto/des.pod
@@ -111,7 +111,7 @@ each byte is the parity bit.  The key schedule is an expanded form of
 the key; it is used to speed the encryption process.
 
 DES_random_key() generates a random key.  The PRNG must be seeded
-prior to using this function (see L<rand(3)|rand(3)>).  If the PRNG
+prior to using this function (see L<rand(3)>).  If the PRNG
 could not generate a secure key, 0 is returned.
 
 Before a DES key can be used, it must be converted into the
@@ -226,7 +226,7 @@ DES_cbc_cksum() produces an 8 byte checksum based on the input stream
 (via CBC encryption).  The last 4 bytes of the checksum are returned
 and the complete 8 bytes are placed in I<output>. This function is
 used by Kerberos v4.  Other applications should use
-L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead.
+L<EVP_DigestInit(3)> etc. instead.
 
 DES_quad_cksum() is a Kerberos v4 function.  It returns a 4 byte
 checksum from the input bytes.  The algorithm can be iterated over the
@@ -306,11 +306,11 @@ the MIT Kerberos library.
 =head1 NOTES
 
 Applications should use the higher level functions
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> etc. instead of calling these
+L<EVP_EncryptInit(3)> etc. instead of calling these
 functions directly.
 
 Single-key DES is insecure due to its short key size.  ECB mode is
-not suitable for most applications; see L<des_modes(7)|des_modes(7)>.
+not suitable for most applications; see L<des_modes(7)>.
 
 =head1 AUTHOR
 
@@ -319,7 +319,7 @@ Eric Young (eay at cryptsoft.com). Modified for the OpenSSL project
 
 =head1 SEE ALSO
 
-L<des_modes(7)|des_modes(7)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+L<des_modes(7)>,
+L<EVP_EncryptInit(3)>
 
 =cut
diff --git a/doc/crypto/des_modes.pod b/doc/crypto/des_modes.pod
index e883ca8..bd6a358 100644
--- a/doc/crypto/des_modes.pod
+++ b/doc/crypto/des_modes.pod
@@ -248,8 +248,8 @@ it to:
 
 =head1 SEE ALSO
 
-L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>,
-L<rc2(3)|rc2(3)>
+L<blowfish(3)>, L<des(3)>, L<idea(3)>,
+L<rc2(3)>
 
 =cut
 
diff --git a/doc/crypto/dh.pod b/doc/crypto/dh.pod
index 1c8a327..6115e8c 100644
--- a/doc/crypto/dh.pod
+++ b/doc/crypto/dh.pod
@@ -40,7 +40,7 @@ dh - Diffie-Hellman key agreement
 
 These functions implement the Diffie-Hellman key agreement protocol.
 The generation of shared DH parameters is described in
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>; L<DH_generate_key(3)|DH_generate_key(3)> describes how
+L<DH_generate_parameters(3)>; L<DH_generate_key(3)> describes how
 to perform a key agreement.
 
 The B<DH> structure consists of several BIGNUM components.
@@ -65,12 +65,12 @@ modify keys.
 
 =head1 SEE ALSO
 
-L<dhparam(1)|dhparam(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)>,
-L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<engine(3)|engine(3)>,
-L<DH_set_method(3)|DH_set_method(3)>, L<DH_new(3)|DH_new(3)>,
-L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>,
-L<DH_generate_parameters(3)|DH_generate_parameters(3)>,
-L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>,
-L<RSA_print(3)|RSA_print(3)> 
+L<dhparam(1)>, L<bn(3)>, L<dsa(3)>, L<err(3)>,
+L<rand(3)>, L<rsa(3)>, L<engine(3)>,
+L<DH_set_method(3)>, L<DH_new(3)>,
+L<DH_get_ex_new_index(3)>,
+L<DH_generate_parameters(3)>,
+L<DH_compute_key(3)>, L<d2i_DHparams(3)>,
+L<RSA_print(3)> 
 
 =cut
diff --git a/doc/crypto/dsa.pod b/doc/crypto/dsa.pod
index da07d2b..f0b74c1 100644
--- a/doc/crypto/dsa.pod
+++ b/doc/crypto/dsa.pod
@@ -65,10 +65,10 @@ dsa - Digital Signature Algorithm
 
 These functions implement the Digital Signature Algorithm (DSA).  The
 generation of shared DSA parameters is described in
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>;
-L<DSA_generate_key(3)|DSA_generate_key(3)> describes how to
+L<DSA_generate_parameters(3)>;
+L<DSA_generate_key(3)> describes how to
 generate a signature key. Signature generation and verification are
-described in L<DSA_sign(3)|DSA_sign(3)>.
+described in L<DSA_sign(3)>.
 
 The B<DSA> structure consists of several BIGNUM components.
 
@@ -100,15 +100,15 @@ Standard, DSS), ANSI X9.30
 
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>, L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>,
-L<rsa(3)|rsa(3)>, L<sha(3)|sha(3)>, L<engine(3)|engine(3)>,
-L<DSA_new(3)|DSA_new(3)>,
-L<DSA_size(3)|DSA_size(3)>,
-L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>,
-L<DSA_dup_DH(3)|DSA_dup_DH(3)>,
-L<DSA_generate_key(3)|DSA_generate_key(3)>,
-L<DSA_sign(3)|DSA_sign(3)>, L<DSA_set_method(3)|DSA_set_method(3)>,
-L<DSA_get_ex_new_index(3)|DSA_get_ex_new_index(3)>,
-L<RSA_print(3)|RSA_print(3)>
+L<bn(3)>, L<dh(3)>, L<err(3)>, L<rand(3)>,
+L<rsa(3)>, L<sha(3)>, L<engine(3)>,
+L<DSA_new(3)>,
+L<DSA_size(3)>,
+L<DSA_generate_parameters(3)>,
+L<DSA_dup_DH(3)>,
+L<DSA_generate_key(3)>,
+L<DSA_sign(3)>, L<DSA_set_method(3)>,
+L<DSA_get_ex_new_index(3)>,
+L<RSA_print(3)>
 
 =cut
diff --git a/doc/crypto/ec.pod b/doc/crypto/ec.pod
index aee0fdf..515dd29 100644
--- a/doc/crypto/ec.pod
+++ b/doc/crypto/ec.pod
@@ -180,22 +180,22 @@ for different scenarios. No matter which implementation is being used, the inter
 handles calling the correct implementation when an interface function is invoked. An implementation is represented by
 an B<EC_METHOD> structure.
 
-The creation and destruction of B<EC_GROUP> objects is described in L<EC_GROUP_new(3)|EC_GROUP_new(3)>. Functions for
-manipulating B<EC_GROUP> objects are described in L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>.
+The creation and destruction of B<EC_GROUP> objects is described in L<EC_GROUP_new(3)>. Functions for
+manipulating B<EC_GROUP> objects are described in L<EC_GROUP_copy(3)>.
 
-Functions for creating, destroying and manipulating B<EC_POINT> objects are explained in L<EC_POINT_new(3)|EC_POINT_new(3)>,
-whilst functions for performing mathematical operations and tests on B<EC_POINTs> are covered in L<EC_POINT_add(3)|EC_POINT_add(3)>.
+Functions for creating, destroying and manipulating B<EC_POINT> objects are explained in L<EC_POINT_new(3)>,
+whilst functions for performing mathematical operations and tests on B<EC_POINTs> are covered in L<EC_POINT_add(3)>.
 
-For working with private and public keys refer to L<EC_KEY_new(3)|EC_KEY_new(3)>. Implementations are covered in
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>.
+For working with private and public keys refer to L<EC_KEY_new(3)>. Implementations are covered in
+L<EC_GFp_simple_method(3)>.
 
-For information on encoding and decoding curve parameters to and from ASN1 see L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>.
+For information on encoding and decoding curve parameters to and from ASN1 see L<d2i_ECPKParameters(3)>.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>, L<EC_GROUP_new(3)|EC_GROUP_new(3)>, L<EC_GROUP_copy(3)|EC_GROUP_copy(3)>,
-L<EC_POINT_new(3)|EC_POINT_new(3)>, L<EC_POINT_add(3)|EC_POINT_add(3)>, L<EC_KEY_new(3)|EC_KEY_new(3)>,
-L<EC_GFp_simple_method(3)|EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)|d2i_ECPKParameters(3)>
+L<crypto(3)>, L<EC_GROUP_new(3)>, L<EC_GROUP_copy(3)>,
+L<EC_POINT_new(3)>, L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
+L<EC_GFp_simple_method(3)>, L<d2i_ECPKParameters(3)>
 
 
 =cut
diff --git a/doc/crypto/ecdsa.pod b/doc/crypto/ecdsa.pod
index 46c071b..f49d2ce 100644
--- a/doc/crypto/ecdsa.pod
+++ b/doc/crypto/ecdsa.pod
@@ -119,7 +119,7 @@ on error.
 
 ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
 signature, 0 for an invalid signature and -1 on error.
-The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+The error codes can be obtained by L<ERR_get_error(3)>.
 
 =head1 EXAMPLES
 
@@ -193,7 +193,7 @@ ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
 
 =head1 SEE ALSO
 
-L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>
+L<dsa(3)>, L<rsa(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/engine.pod b/doc/crypto/engine.pod
index 7f6cd43..c1be658 100644
--- a/doc/crypto/engine.pod
+++ b/doc/crypto/engine.pod
@@ -594,6 +594,6 @@ implementations.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rand(3)|rand(3)>
+L<rsa(3)>, L<dsa(3)>, L<dh(3)>, L<rand(3)>
 
 =cut
diff --git a/doc/crypto/err.pod b/doc/crypto/err.pod
index 1a19a19..1a3c223 100644
--- a/doc/crypto/err.pod
+++ b/doc/crypto/err.pod
@@ -51,18 +51,18 @@ by the return value, and an error code is stored in an error queue
 associated with the current thread. The B<err> library provides
 functions to obtain these error codes and textual error messages.
 
-The L<ERR_get_error(3)|ERR_get_error(3)> manpage describes how to
+The L<ERR_get_error(3)> manpage describes how to
 access error codes.
 
 Error codes contain information about where the error occurred, and
-what went wrong. L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> describes how to
+what went wrong. L<ERR_GET_LIB(3)> describes how to
 extract this information. A method to obtain human-readable error
-messages is described in L<ERR_error_string(3)|ERR_error_string(3)>.
+messages is described in L<ERR_error_string(3)>.
 
-L<ERR_clear_error(3)|ERR_clear_error(3)> can be used to clear the
+L<ERR_clear_error(3)> can be used to clear the
 error queue.
 
-Note that L<ERR_remove_state(3)|ERR_remove_state(3)> should be used to
+Note that L<ERR_remove_state(3)> should be used to
 avoid memory leaks when threads are terminated.
 
 =head1 ADDING NEW ERROR CODES TO OPENSSL
@@ -171,16 +171,16 @@ ERR_get_string_table(void) respectively.
 
 =head1 SEE ALSO
 
-L<CRYPTO_set_locking_callback(3)|CRYPTO_set_locking_callback(3)>,
-L<ERR_get_error(3)|ERR_get_error(3)>,
-L<ERR_GET_LIB(3)|ERR_GET_LIB(3)>,
-L<ERR_clear_error(3)|ERR_clear_error(3)>,
-L<ERR_error_string(3)|ERR_error_string(3)>,
-L<ERR_print_errors(3)|ERR_print_errors(3)>,
-L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
-L<ERR_remove_state(3)|ERR_remove_state(3)>,
-L<ERR_put_error(3)|ERR_put_error(3)>,
-L<ERR_load_strings(3)|ERR_load_strings(3)>,
-L<SSL_get_error(3)|SSL_get_error(3)>
+L<CRYPTO_set_locking_callback(3)>,
+L<ERR_get_error(3)>,
+L<ERR_GET_LIB(3)>,
+L<ERR_clear_error(3)>,
+L<ERR_error_string(3)>,
+L<ERR_print_errors(3)>,
+L<ERR_load_crypto_strings(3)>,
+L<ERR_remove_state(3)>,
+L<ERR_put_error(3)>,
+L<ERR_load_strings(3)>,
+L<SSL_get_error(3)>
 
 =cut
diff --git a/doc/crypto/evp.pod b/doc/crypto/evp.pod
index 29fab9f..58ce83d 100644
--- a/doc/crypto/evp.pod
+++ b/doc/crypto/evp.pod
@@ -27,44 +27,44 @@ functions.  The L<B<EVP_Digest>I<...>|EVP_DigestInit(3)> functions provide messa
 
 The B<EVP_PKEY>I<...> functions provide a high level interface to
 asymmetric algorithms. To create a new EVP_PKEY see
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>. EVP_PKEYs can be associated
+L<EVP_PKEY_new(3)>. EVP_PKEYs can be associated
 with a private key of a particular algorithm by using the functions
-described on the L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)> page, or
-new keys can be generated using L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>.
-EVP_PKEYs can be compared using L<EVP_PKEY_cmp(3)|EVP_PKEY_cmp(3)>, or printed using
-L<EVP_PKEY_print_private(3)|EVP_PKEY_print_private(3)>.
+described on the L<EVP_PKEY_set1_RSA(3)> page, or
+new keys can be generated using L<EVP_PKEY_keygen(3)>.
+EVP_PKEYs can be compared using L<EVP_PKEY_cmp(3)>, or printed using
+L<EVP_PKEY_print_private(3)>.
 
 The EVP_PKEY functions support the full range of asymmetric algorithm operations:
 
 =over
 
-=item For key agreement see L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
+=item For key agreement see L<EVP_PKEY_derive(3)>
 
-=item For signing and verifying see L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)> and L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>.
+=item For signing and verifying see L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)> and L<EVP_PKEY_verify_recover(3)>.
 However, note that
 these functions do not perform a digest of the data to be signed. Therefore
-normally you would use the L<B<EVP_DigestSign>I<...>|EVP_DigestSignInit(3)>
+normally you would use the L<EVP_DigestSignInit(3)>
 functions for this purpose.
 
-=item For encryption and decryption see L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>
-and L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)> respectively. However, note that
+=item For encryption and decryption see L<EVP_PKEY_encrypt(3)>
+and L<EVP_PKEY_decrypt(3)> respectively. However, note that
 these functions perform encryption and decryption only. As public key
 encryption is an expensive operation, normally you would wrap
-an encrypted message in a "digital envelope" using the L<B<EVP_Seal>I<...>|EVP_SealInit(3)> and
-L<B<EVP_Open>I<...>|EVP_OpenInit(3)> functions.
+an encrypted message in a "digital envelope" using the L<EVP_SealInit(3)> and
+L<EVP_OpenInit(3)> functions.
 
 =back
 
-The L<EVP_BytesToKey(3)|EVP_BytesToKey(3)> function provides some limited support for password
+The L<EVP_BytesToKey(3)> function provides some limited support for password
 based encryption. Careful selection of the parameters will provide a PKCS#5 PBKDF1 compatible
 implementation. However, new applications should not typically use this (preferring, for example,
 PBKDF2 from PCKS#5).
 
-Algorithms are loaded with L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>.
+Algorithms are loaded with L<OpenSSL_add_all_algorithms(3)>.
 
 All the symmetric algorithms (ciphers), digests and asymmetric algorithms
-(public key algorithms) can be replaced by L<ENGINE|engine(3)> modules providing alternative
+(public key algorithms) can be replaced by L<engine(3)> modules providing alternative
 implementations. If ENGINE implementations of ciphers or digests are registered
 as defaults, then the various EVP functions will automatically use those
 implementations automatically in preference to built in software
@@ -79,25 +79,25 @@ using the high level interface.
 
 =head1 SEE ALSO
 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
-L<EVP_OpenInit(3)|EVP_OpenInit(3)>,
-L<EVP_SealInit(3)|EVP_SealInit(3)>,
-L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
-L<EVP_SignInit(3)|EVP_SignInit(3)>,
-L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
-L<EVP_PKEY_new(3)|EVP_PKEY_new(3)>,
-L<EVP_PKEY_set1_RSA(3)|EVP_PKEY_set1_RSA(3)>,
-L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>,
-L<EVP_PKEY_print_private(3)|EVP_PKEY_print_private(3)>,
-L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
-L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
-L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
-L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>,
-L<EVP_BytesToKey(3)|EVP_BytesToKey(3)>,
-L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)>,
-L<engine(3)|engine(3)>
+L<EVP_DigestInit(3)>,
+L<EVP_EncryptInit(3)>,
+L<EVP_OpenInit(3)>,
+L<EVP_SealInit(3)>,
+L<EVP_DigestSignInit(3)>,
+L<EVP_SignInit(3)>,
+L<EVP_VerifyInit(3)>,
+L<EVP_PKEY_new(3)>,
+L<EVP_PKEY_set1_RSA(3)>,
+L<EVP_PKEY_keygen(3)>,
+L<EVP_PKEY_print_private(3)>,
+L<EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)>,
+L<EVP_PKEY_verify_recover(3)>,
+L<EVP_PKEY_derive(3)>,
+L<EVP_BytesToKey(3)>,
+L<OpenSSL_add_all_algorithms(3)>,
+L<engine(3)>
 
 =cut
diff --git a/doc/crypto/hmac.pod b/doc/crypto/hmac.pod
index 58a57f4..372a0f4 100644
--- a/doc/crypto/hmac.pod
+++ b/doc/crypto/hmac.pod
@@ -90,7 +90,7 @@ RFC 2104
 
 =head1 SEE ALSO
 
-L<sha(3)|sha(3)>, L<evp(3)|evp(3)>
+L<sha(3)>, L<evp(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/i2d_CMS_bio_stream.pod b/doc/crypto/i2d_CMS_bio_stream.pod
index 558bdd0..42b06c2 100644
--- a/doc/crypto/i2d_CMS_bio_stream.pod
+++ b/doc/crypto/i2d_CMS_bio_stream.pod
@@ -31,11 +31,11 @@ i2d_CMS_bio_stream() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<CMS_sign(3)|CMS_sign(3)>,
-L<CMS_verify(3)|CMS_verify(3)>, L<CMS_encrypt(3)|CMS_encrypt(3)>
-L<CMS_decrypt(3)|CMS_decrypt(3)>,
-L<SMIME_write_CMS(3)|SMIME_write_CMS(3)>,
-L<PEM_write_bio_CMS_stream(3)|PEM_write_bio_CMS_stream(3)>
+L<ERR_get_error(3)>, L<CMS_sign(3)>,
+L<CMS_verify(3)>, L<CMS_encrypt(3)>
+L<CMS_decrypt(3)>,
+L<SMIME_write_CMS(3)>,
+L<PEM_write_bio_CMS_stream(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/i2d_PKCS7_bio_stream.pod b/doc/crypto/i2d_PKCS7_bio_stream.pod
index a37231e..7a96cf9 100644
--- a/doc/crypto/i2d_PKCS7_bio_stream.pod
+++ b/doc/crypto/i2d_PKCS7_bio_stream.pod
@@ -31,11 +31,11 @@ i2d_PKCS7_bio_stream() returns 1 for success or 0 for failure.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_sign(3)|PKCS7_sign(3)>,
-L<PKCS7_verify(3)|PKCS7_verify(3)>, L<PKCS7_encrypt(3)|PKCS7_encrypt(3)>
-L<PKCS7_decrypt(3)|PKCS7_decrypt(3)>,
-L<SMIME_write_PKCS7(3)|SMIME_write_PKCS7(3)>,
-L<PEM_write_bio_PKCS7_stream(3)|PEM_write_bio_PKCS7_stream(3)>
+L<ERR_get_error(3)>, L<PKCS7_sign(3)>,
+L<PKCS7_verify(3)>, L<PKCS7_encrypt(3)>
+L<PKCS7_decrypt(3)>,
+L<SMIME_write_PKCS7(3)>,
+L<PEM_write_bio_PKCS7_stream(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/lh_stats.pod b/doc/crypto/lh_stats.pod
index 3eeaa72..2a78c14 100644
--- a/doc/crypto/lh_stats.pod
+++ b/doc/crypto/lh_stats.pod
@@ -49,7 +49,7 @@ These functions do not return values.
 
 =head1 SEE ALSO
 
-L<bio(3)|bio(3)>, L<lhash(3)|lhash(3)>
+L<bio(3)>, L<lhash(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/lhash.pod b/doc/crypto/lhash.pod
index 73a19b6..25410fa 100644
--- a/doc/crypto/lhash.pod
+++ b/doc/crypto/lhash.pod
@@ -282,7 +282,7 @@ used in the function passed to lh_<type>_new().
 
 =head1 SEE ALSO
 
-L<lh_stats(3)|lh_stats(3)>
+L<lh_stats(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/md5.pod b/doc/crypto/md5.pod
index 41a5478..a8c0718 100644
--- a/doc/crypto/md5.pod
+++ b/doc/crypto/md5.pod
@@ -64,7 +64,7 @@ MD4_Init(), MD4_Update(), MD4_Final(), MD5_Init(), MD5_Update(), and
 MD5_Final() are analogous using an B<MD4_CTX> and B<MD5_CTX> structure.
 
 Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<EVP_DigestInit(3)>
 etc. instead of calling the hash functions directly.
 
 =head1 NOTE
@@ -87,6 +87,6 @@ RFC 1319, RFC 1320, RFC 1321
 
 =head1 SEE ALSO
 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<EVP_DigestInit(3)>
 
 =cut
diff --git a/doc/crypto/mdc2.pod b/doc/crypto/mdc2.pod
index 2795868..f7cc425 100644
--- a/doc/crypto/mdc2.pod
+++ b/doc/crypto/mdc2.pod
@@ -39,7 +39,7 @@ MDC2_Final() places the message digest in B<md>, which must have space
 for MDC2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MDC2_CTX>.
 
 Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the
+L<EVP_DigestInit(3)> etc. instead of calling the
 hash functions directly.
 
 =head1 RETURN VALUES
@@ -54,6 +54,6 @@ ISO/IEC 10118-2, with DES
 
 =head1 SEE ALSO
 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<EVP_DigestInit(3)>
 
 =cut
diff --git a/doc/crypto/rand.pod b/doc/crypto/rand.pod
index d102df2..25172d9 100644
--- a/doc/crypto/rand.pod
+++ b/doc/crypto/rand.pod
@@ -55,11 +55,11 @@ need randomness.
 
 A cryptographic PRNG must be seeded with unpredictable data such as
 mouse movements or keys pressed at random by the user. This is
-described in L<RAND_add(3)|RAND_add(3)>. Its state can be saved in a seed file
-(see L<RAND_load_file(3)|RAND_load_file(3)>) to avoid having to go through the
+described in L<RAND_add(3)>. Its state can be saved in a seed file
+(see L<RAND_load_file(3)>) to avoid having to go through the
 seeding process whenever the application is started.
 
-L<RAND_bytes(3)|RAND_bytes(3)> describes how to obtain random data from the
+L<RAND_bytes(3)> describes how to obtain random data from the
 PRNG. 
 
 =head1 INTERNALS
@@ -162,14 +162,14 @@ overwritten) and 7 (by not using the 10 bytes given to the caller to
 update the 'state', but they are used to update 'md').
 
 So of the points raised, only 2 is not addressed (but see
-L<RAND_add(3)|RAND_add(3)>).
+L<RAND_add(3)>).
 
 =head1 SEE ALSO
 
-L<BN_rand(3)|BN_rand(3)>, L<RAND_add(3)|RAND_add(3)>,
-L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_egd(3)|RAND_egd(3)>,
-L<RAND_bytes(3)|RAND_bytes(3)>,
-L<RAND_set_rand_method(3)|RAND_set_rand_method(3)>,
-L<RAND_cleanup(3)|RAND_cleanup(3)> 
+L<BN_rand(3)>, L<RAND_add(3)>,
+L<RAND_load_file(3)>, L<RAND_egd(3)>,
+L<RAND_bytes(3)>,
+L<RAND_set_rand_method(3)>,
+L<RAND_cleanup(3)> 
 
 =cut
diff --git a/doc/crypto/rc4.pod b/doc/crypto/rc4.pod
index bbf0f27..cbbf5de 100644
--- a/doc/crypto/rc4.pod
+++ b/doc/crypto/rc4.pod
@@ -44,7 +44,7 @@ RC4_set_key() and RC4() do not return values.
 =head1 NOTE
 
 Applications should use the higher level functions
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> etc. instead of calling these
+L<EVP_EncryptInit(3)> etc. instead of calling these
 functions directly.
 
 It is difficult to securely use stream ciphers. For example, do not perform
@@ -56,6 +56,6 @@ RC4_set_key() and RC4() are available in all versions of SSLeay and OpenSSL.
 
 =head1 SEE ALSO
 
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
+L<EVP_EncryptInit(3)>
 
 =cut
diff --git a/doc/crypto/ripemd.pod b/doc/crypto/ripemd.pod
index e5ca3ad..c7a94cc 100644
--- a/doc/crypto/ripemd.pod
+++ b/doc/crypto/ripemd.pod
@@ -49,7 +49,7 @@ success, 0 otherwise.
 =head1 NOTE
 
 Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling these
+L<EVP_DigestInit(3)> etc. instead of calling these
 functions directly.
 
 =head1 CONFORMING TO
@@ -58,6 +58,6 @@ ISO/IEC 10118-3 (draft) (??)
 
 =head1 SEE ALSO
 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<EVP_DigestInit(3)>
 
 =cut
diff --git a/doc/crypto/rsa.pod b/doc/crypto/rsa.pod
index 743334f..a1cec7f 100644
--- a/doc/crypto/rsa.pod
+++ b/doc/crypto/rsa.pod
@@ -105,17 +105,17 @@ RSA was covered by a US patent which expired in September 2000.
 
 =head1 SEE ALSO
 
-L<rsa(1)|rsa(1)>, L<bn(3)|bn(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>,
-L<rand(3)|rand(3)>, L<engine(3)|engine(3)>, L<RSA_new(3)|RSA_new(3)>,
-L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
-L<RSA_sign(3)|RSA_sign(3)>, L<RSA_size(3)|RSA_size(3)>,
-L<RSA_generate_key(3)|RSA_generate_key(3)>,
-L<RSA_check_key(3)|RSA_check_key(3)>,
-L<RSA_blinding_on(3)|RSA_blinding_on(3)>,
-L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>,
-L<RSA_sign_ASN1_OCTET_STRING(3)|RSA_sign_ASN1_OCTET_STRING(3)>,
-L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> 
+L<rsa(1)>, L<bn(3)>, L<dsa(3)>, L<dh(3)>,
+L<rand(3)>, L<engine(3)>, L<RSA_new(3)>,
+L<RSA_public_encrypt(3)>,
+L<RSA_sign(3)>, L<RSA_size(3)>,
+L<RSA_generate_key(3)>,
+L<RSA_check_key(3)>,
+L<RSA_blinding_on(3)>,
+L<RSA_set_method(3)>, L<RSA_print(3)>,
+L<RSA_get_ex_new_index(3)>,
+L<RSA_private_encrypt(3)>,
+L<RSA_sign_ASN1_OCTET_STRING(3)>,
+L<RSA_padding_add_PKCS1_type_1(3)> 
 
 =cut
diff --git a/doc/crypto/sha.pod b/doc/crypto/sha.pod
index 67a0461..26f1df3 100644
--- a/doc/crypto/sha.pod
+++ b/doc/crypto/sha.pod
@@ -44,7 +44,7 @@ SHA512_Final - Secure Hash Algorithm
 =head1 DESCRIPTION
 
 Applications should use the higher level functions
-L<EVP_DigestInit(3)|EVP_DigestInit(3)> etc. instead of calling the hash
+L<EVP_DigestInit(3)> etc. instead of calling the hash
 functions directly.
 
 SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
@@ -94,6 +94,6 @@ ANSI X9.30
 
 =head1 SEE ALSO
 
-L<EVP_DigestInit(3)|EVP_DigestInit(3)>
+L<EVP_DigestInit(3)>
 
 =cut
diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod
index 37be84f..fd43a2c 100644
--- a/doc/crypto/threads.pod
+++ b/doc/crypto/threads.pod
@@ -205,6 +205,6 @@ thread IDs to always be represented by 'unsigned long'.
 
 =head1 SEE ALSO
 
-L<crypto(3)|crypto(3)>
+L<crypto(3)>
 
 =cut
diff --git a/doc/crypto/ui.pod b/doc/crypto/ui.pod
index 9dbc2da..bb4a8a5 100644
--- a/doc/crypto/ui.pod
+++ b/doc/crypto/ui.pod
@@ -69,7 +69,7 @@ UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface
 
 UI stands for User Interface, and is general purpose set of routines to
 prompt the user for text-based information.  Through user-written methods
-(see L<ui_create(3)|ui_create(3)>), prompting can be done in any way
+(see L<ui_create(3)>), prompting can be done in any way
 imaginable, be it plain text prompting, through dialog boxes or from a
 cell phone.
 
@@ -181,7 +181,7 @@ UI_set_method() changes the UI method associated with a given UI.
 
 =head1 SEE ALSO
 
-L<ui_create(3)|ui_create(3)>, L<ui_compat(3)|ui_compat(3)>
+L<ui_create(3)>, L<ui_compat(3)>
 
 =head1 HISTORY
 
diff --git a/doc/crypto/x509.pod b/doc/crypto/x509.pod
index f9e58e0..8639525 100644
--- a/doc/crypto/x509.pod
+++ b/doc/crypto/x509.pod
@@ -47,18 +47,18 @@ B<X509_EXTENSION_>I<...> handle certificate extensions.
 
 =head1 SEE ALSO
 
-L<X509_NAME_ENTRY_get_object(3)|X509_NAME_ENTRY_get_object(3)>,
-L<X509_NAME_add_entry_by_txt(3)|X509_NAME_add_entry_by_txt(3)>,
-L<X509_NAME_add_entry_by_NID(3)|X509_NAME_add_entry_by_NID(3)>,
-L<X509_NAME_print_ex(3)|X509_NAME_print_ex(3)>,
-L<X509_NAME_new(3)|X509_NAME_new(3)>,
-L<d2i_X509(3)|d2i_X509(3)>,
-L<d2i_X509_ALGOR(3)|d2i_X509_ALGOR(3)>,
-L<d2i_X509_CRL(3)|d2i_X509_CRL(3)>,
-L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<d2i_X509_REQ(3)|d2i_X509_REQ(3)>,
-L<d2i_X509_SIG(3)|d2i_X509_SIG(3)>,
-L<crypto(3)|crypto(3)>,
-L<x509v3(3)|x509v3(3)>
+L<X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_add_entry_by_NID(3)>,
+L<X509_NAME_print_ex(3)>,
+L<X509_NAME_new(3)>,
+L<d2i_X509(3)>,
+L<d2i_X509_ALGOR(3)>,
+L<d2i_X509_CRL(3)>,
+L<d2i_X509_NAME(3)>,
+L<d2i_X509_REQ(3)>,
+L<d2i_X509_SIG(3)>,
+L<crypto(3)>,
+L<x509v3(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CIPHER_get_name.pod b/doc/ssl/SSL_CIPHER_get_name.pod
index baac900..3ea94b8 100644
--- a/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/doc/ssl/SSL_CIPHER_get_name.pod
@@ -125,7 +125,7 @@ See DESCRIPTION
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
-L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>
+L<ssl(3)>, L<SSL_get_current_cipher(3)>,
+L<SSL_get_ciphers(3)>, L<ciphers(1)>
 
 =cut
diff --git a/doc/ssl/SSL_COMP_add_compression_method.pod b/doc/ssl/SSL_COMP_add_compression_method.pod
index 2bb4403..6a0caff 100644
--- a/doc/ssl/SSL_COMP_add_compression_method.pod
+++ b/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -71,6 +71,6 @@ The operation failed. Check the error queue to find out the reason.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CONF_CTX_new.pod b/doc/ssl/SSL_CONF_CTX_new.pod
index 79c8c94..329e3c7 100644
--- a/doc/ssl/SSL_CONF_CTX_new.pod
+++ b/doc/ssl/SSL_CONF_CTX_new.pod
@@ -28,11 +28,11 @@ SSL_CONF_CTX_free() does not return a value.
 
 =head1 SEE ALSO
 
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_CTX_set_flags(3)>,
+L<SSL_CONF_CTX_set_ssl_ctx(3)>,
+L<SSL_CONF_CTX_set1_prefix(3)>,
+L<SSL_CONF_cmd(3)>,
+L<SSL_CONF_cmd_argv(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
index 7699018..5083a73 100644
--- a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
+++ b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
@@ -36,11 +36,11 @@ SSL_CONF_CTX_set1_prefix() returns 1 for success and 0 for failure.
 
 =head1 SEE ALSO
 
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_CTX_new(3)>,
+L<SSL_CONF_CTX_set_flags(3)>,
+L<SSL_CONF_CTX_set_ssl_ctx(3)>,
+L<SSL_CONF_cmd(3)>,
+L<SSL_CONF_cmd_argv(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CONF_CTX_set_flags.pod b/doc/ssl/SSL_CONF_CTX_set_flags.pod
index fdff470..10cfc4d 100644
--- a/doc/ssl/SSL_CONF_CTX_set_flags.pod
+++ b/doc/ssl/SSL_CONF_CTX_set_flags.pod
@@ -62,11 +62,11 @@ value after setting or clearing flags.
 
 =head1 SEE ALSO
 
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_CTX_new(3)>,
+L<SSL_CONF_CTX_set_ssl_ctx(3)>,
+L<SSL_CONF_CTX_set1_prefix(3)>,
+L<SSL_CONF_cmd(3)>,
+L<SSL_CONF_cmd_argv(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
index 2049a53..e7ede42 100644
--- a/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
+++ b/doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
@@ -34,11 +34,11 @@ SSL_CONF_CTX_set_ssl_ctx() and SSL_CTX_set_ssl() do not return a value.
 
 =head1 SEE ALSO
 
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_CTX_new(3)>,
+L<SSL_CONF_CTX_set_flags(3)>,
+L<SSL_CONF_CTX_set1_prefix(3)>,
+L<SSL_CONF_cmd(3)>,
+L<SSL_CONF_cmd_argv(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index 16b368a..e8eeb15 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -457,11 +457,11 @@ SSL_CONF_finish() returns 1 for success and 0 for failure.
 
 =head1 SEE ALSO
 
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd_argv(3)|SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_CTX_new(3)>,
+L<SSL_CONF_CTX_set_flags(3)>,
+L<SSL_CONF_CTX_set1_prefix(3)>,
+L<SSL_CONF_CTX_set_ssl_ctx(3)>,
+L<SSL_CONF_cmd_argv(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CONF_cmd_argv.pod b/doc/ssl/SSL_CONF_cmd_argv.pod
index 6e66441..c06b44f 100644
--- a/doc/ssl/SSL_CONF_cmd_argv.pod
+++ b/doc/ssl/SSL_CONF_cmd_argv.pod
@@ -29,11 +29,11 @@ to an error: for example a syntax error in the argument.
 
 =head1 SEE ALSO
 
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>,
-L<SSL_CONF_CTX_set_flags(3)|SSL_CONF_CTX_set_flags(3)>,
-L<SSL_CONF_CTX_set1_prefix(3)|SSL_CONF_CTX_set1_prefix(3)>,
-L<SSL_CONF_CTX_set_ssl_ctx(3)|SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd(3)|SSL_CONF_cmd(3)>
+L<SSL_CONF_CTX_new(3)>,
+L<SSL_CONF_CTX_set_flags(3)>,
+L<SSL_CONF_CTX_set1_prefix(3)>,
+L<SSL_CONF_CTX_set_ssl_ctx(3)>,
+L<SSL_CONF_cmd(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_add1_chain_cert.pod b/doc/ssl/SSL_CTX_add1_chain_cert.pod
index 786f31e..545b82e 100644
--- a/doc/ssl/SSL_CTX_add1_chain_cert.pod
+++ b/doc/ssl/SSL_CTX_add1_chain_cert.pod
@@ -140,7 +140,7 @@ All other functions return 1 for success and 0 for failure.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+L<SSL_CTX_add_extra_chain_cert(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
index 04300fb..63cf2b2 100644
--- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
+++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -30,7 +30,7 @@ following the end entity certificate.
 
 If no chain is specified, the library will try to complete the chain from the
 available CA certificates in the trusted CA storage, see
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+L<SSL_CTX_load_verify_locations(3)>.
 
 The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be
 freed by the library when the B<SSL_CTX> is destroyed. An application
@@ -53,19 +53,19 @@ reason for failure.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
-L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
-L<SSL_CTX_set0_chain(3)|SSL_CTX_set0_chain(3)>
-L<SSL_CTX_set1_chain(3)|SSL_CTX_set1_chain(3)>
-L<SSL_CTX_add0_chain_cert(3)|SSL_CTX_add0_chain_cert(3)>
-L<SSL_CTX_add1_chain_cert(3)|SSL_CTX_add1_chain_cert(3)>
-L<SSL_set0_chain(3)|SSL_set0_chain(3)>
-L<SSL_set1_chain(3)|SSL_set1_chain(3)>
-L<SSL_add0_chain_cert(3)|SSL_add0_chain_cert(3)>
-L<SSL_add1_chain_cert(3)|SSL_add1_chain_cert(3)>
-L<SSL_CTX_build_cert_chain(3)|SSL_CTX_build_cert_chain(3)>
-L<SSL_build_cert_chain(3)|SSL_build_cert_chain(3)>
+L<ssl(3)>,
+L<SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_set_client_cert_cb(3)>,
+L<SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_set0_chain(3)>
+L<SSL_CTX_set1_chain(3)>
+L<SSL_CTX_add0_chain_cert(3)>
+L<SSL_CTX_add1_chain_cert(3)>
+L<SSL_set0_chain(3)>
+L<SSL_set1_chain(3)>
+L<SSL_add0_chain_cert(3)>
+L<SSL_add1_chain_cert(3)>
+L<SSL_CTX_build_cert_chain(3)>
+L<SSL_build_cert_chain(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod
index c660a18..fb8cf6a 100644
--- a/doc/ssl/SSL_CTX_add_session.pod
+++ b/doc/ssl/SSL_CTX_add_session.pod
@@ -19,10 +19,10 @@ SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session
 SSL_CTX_add_session() adds the session B<c> to the context B<ctx>. The
 reference count for session B<c> is incremented by 1. If a session with
 the same session id already exists, the old session is removed by calling
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
+L<SSL_SESSION_free(3)>.
 
 SSL_CTX_remove_session() removes the session B<c> from the context B<ctx>.
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> is called once for B<c>.
+L<SSL_SESSION_free(3)> is called once for B<c>.
 
 SSL_add_session() and SSL_remove_session() are synonyms for their
 SSL_CTX_*() counterparts.
@@ -66,8 +66,8 @@ The following values are returned by all functions:
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_ctrl.pod b/doc/ssl/SSL_CTX_ctrl.pod
index fb6adcf..b59d267 100644
--- a/doc/ssl/SSL_CTX_ctrl.pod
+++ b/doc/ssl/SSL_CTX_ctrl.pod
@@ -29,6 +29,6 @@ supplied via the B<cmd> parameter.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_flush_sessions.pod b/doc/ssl/SSL_CTX_flush_sessions.pod
index 148c36c..103e13f 100644
--- a/doc/ssl/SSL_CTX_flush_sessions.pod
+++ b/doc/ssl/SSL_CTX_flush_sessions.pod
@@ -25,7 +25,7 @@ up to the specified maximum number (see SSL_CTX_sess_set_cache_size()).
 As sessions will not be reused ones they are expired, they should be
 removed from the cache to save resources. This can either be done
  automatically whenever 255 new sessions were established (see
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
+L<SSL_CTX_set_session_cache_mode(3)>)
 or manually by calling SSL_CTX_flush_sessions(). 
 
 The parameter B<tm> specifies the time which should be used for the
@@ -35,15 +35,15 @@ will be used.
 SSL_CTX_flush_sessions() will only check sessions stored in the internal
 cache. When a session is found and removed, the remove_session_cb is however
 called to synchronize with the external cache (see
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>).
+L<SSL_CTX_sess_set_get_cb(3)>).
 
 =head1 RETURN VALUES
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_sess_set_get_cb(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_free.pod b/doc/ssl/SSL_CTX_free.pod
index f37617d..22ce550 100644
--- a/doc/ssl/SSL_CTX_free.pod
+++ b/doc/ssl/SSL_CTX_free.pod
@@ -37,7 +37,7 @@ SSL_CTX_free() does not provide diagnostic information.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>,
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+L<SSL_CTX_new(3)>, L<ssl(3)>,
+L<SSL_CTX_sess_set_get_cb(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_get0_param.pod b/doc/ssl/SSL_CTX_get0_param.pod
index ba16b50..6fdc2bd 100644
--- a/doc/ssl/SSL_CTX_get0_param.pod
+++ b/doc/ssl/SSL_CTX_get0_param.pod
@@ -46,7 +46,7 @@ for failure.
 
 =head1 SEE ALSO
 
-L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
+L<X509_VERIFY_PARAM_set_flags(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_get_ex_new_index.pod b/doc/ssl/SSL_CTX_get_ex_new_index.pod
index 0c40a91..fc72837 100644
--- a/doc/ssl/SSL_CTX_get_ex_new_index.pod
+++ b/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -40,14 +40,14 @@ SSL_CTX_get_ex_data() is used to retrieve the information for B<idx> from
 B<ctx>.
 
 A detailed description for the B<*_get_ex_new_index()> functionality
-can be found in L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>.
+can be found in L<RSA_get_ex_new_index(3)>.
 The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+L<CRYPTO_set_ex_data(3)>.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+L<ssl(3)>,
+L<RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_get_verify_mode.pod b/doc/ssl/SSL_CTX_get_verify_mode.pod
index 2a3747e..f75c2da 100644
--- a/doc/ssl/SSL_CTX_get_verify_mode.pod
+++ b/doc/ssl/SSL_CTX_get_verify_mode.pod
@@ -45,6 +45,6 @@ See DESCRIPTION
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+L<ssl(3)>, L<SSL_CTX_set_verify(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_load_verify_locations.pod b/doc/ssl/SSL_CTX_load_verify_locations.pod
index d1d8977..8f7d627 100644
--- a/doc/ssl/SSL_CTX_load_verify_locations.pod
+++ b/doc/ssl/SSL_CTX_load_verify_locations.pod
@@ -59,14 +59,14 @@ In server mode, when requesting a client certificate, the server must send
 the list of CAs of which it will accept client certificates. This list
 is not influenced by the contents of B<CAfile> or B<CApath> and must
 explicitly be set using the
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+L<SSL_CTX_set_client_CA_list(3)>
 family of functions.
 
 When building its own certificate chain, an OpenSSL client/server will
 try to fill in missing certificates from B<CAfile>/B<CApath>, if the
 certificate chain was not explicitly specified (see
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>.
+L<SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_use_certificate(3)>.
 
 =head1 WARNINGS
 
@@ -114,11 +114,11 @@ The operation succeeded.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
-L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
-L<SSL_CTX_set_cert_store(3)|SSL_CTX_set_cert_store(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)>,
+L<SSL_get_client_CA_list(3)>,
+L<SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_set_cert_store(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
index c788b9b..3cbf7a7 100644
--- a/doc/ssl/SSL_CTX_new.pod
+++ b/doc/ssl/SSL_CTX_new.pod
@@ -109,7 +109,7 @@ were introduced in OpenSSL 1.1.0.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<ssl(3)|ssl(3)>,  L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+L<SSL_CTX_free(3)>, L<SSL_accept(3)>,
+L<ssl(3)>,  L<SSL_set_connect_state(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_sess_number.pod b/doc/ssl/SSL_CTX_sess_number.pod
index 19aa4e2..aa82c30 100644
--- a/doc/ssl/SSL_CTX_sess_number.pod
+++ b/doc/ssl/SSL_CTX_sess_number.pod
@@ -45,7 +45,7 @@ SSL_CTX_sess_accept_renegotiate() returns the number of start renegotiations
 in server mode.
 
 SSL_CTX_sess_hits() returns the number of successfully reused sessions.
-In client mode a session set with L<SSL_set_session(3)|SSL_set_session(3)>
+In client mode a session set with L<SSL_set_session(3)>
 successfully reused is counted as a hit. In server mode a session successfully
 retrieved from internal or external cache is counted as a hit.
 
@@ -69,8 +69,8 @@ The functions return the values indicated in the DESCRIPTION section.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
-L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>
+L<ssl(3)>, L<SSL_set_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>
+L<SSL_CTX_sess_set_cache_size(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/doc/ssl/SSL_CTX_sess_set_cache_size.pod
index 4aeda09..3239675 100644
--- a/doc/ssl/SSL_CTX_sess_set_cache_size.pod
+++ b/doc/ssl/SSL_CTX_sess_set_cache_size.pod
@@ -29,7 +29,7 @@ case is the size 0, which is used for unlimited size.
 If adding the session makes the cache exceed its size, then unused
 sessions are dropped from the end of the cache.
 Cache space may also be reclaimed by calling
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> to remove
+L<SSL_CTX_flush_sessions(3)> to remove
 expired sessions.
 
 If the size of the session cache is reduced and more sessions are already
@@ -45,9 +45,9 @@ SSL_CTX_sess_get_cache_size() returns the currently valid size.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_sess_number(3)>,
+L<SSL_CTX_flush_sessions(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod
index b9d54a4..edde048 100644
--- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod
+++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -37,7 +37,7 @@ of exceeding the timeout value.
 SSL_CTX_sess_set_get_cb() sets the callback function which is called,
 whenever a SSL/TLS client proposed to resume a session but the session
 could not be found in the internal session cache (see
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>).
+L<SSL_CTX_set_session_cache_mode(3)>).
 (SSL/TLS server only.)
 
 SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and
@@ -50,11 +50,11 @@ the NULL pointer is returned.
 In order to allow external session caching, synchronization with the internal
 session cache is realized via callback functions. Inside these callback
 functions, session can be saved to disk or put into a database using the
-L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)> interface.
+L<d2i_SSL_SESSION(3)> interface.
 
 The new_session_cb() is called, whenever a new session has been negotiated
 and session caching is enabled (see
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>).
+L<SSL_CTX_set_session_cache_mode(3)>).
 The new_session_cb() is passed the B<ssl> connection and the ssl session
 B<sess>. If the callback returns B<0>, the session will be immediately
 removed again.
@@ -63,7 +63,7 @@ The remove_session_cb() is called, whenever the SSL engine removes a session
 from the internal cache. This happens when the session is removed because
 it is expired or when a connection was not shutdown cleanly. It also happens
 for all sessions in the internal session cache when
-L<SSL_CTX_free(3)|SSL_CTX_free(3)> is called. The remove_session_cb() is passed
+L<SSL_CTX_free(3)> is called. The remove_session_cb() is passed
 the B<ctx> and the ssl session B<sess>. It does not provide any feedback.
 
 The get_session_cb() is only called on SSL/TLS servers with the session id
@@ -74,14 +74,14 @@ B<data>. With the parameter B<copy> the callback can require the
 SSL engine to increment the reference count of the SSL_SESSION object,
 Normally the reference count is not incremented and therefore the
 session must not be explicitly freed with
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
+L<SSL_SESSION_free(3)>.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
-L<SSL_CTX_free(3)|SSL_CTX_free(3)>
+L<ssl(3)>, L<d2i_SSL_SESSION(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_flush_sessions(3)>,
+L<SSL_SESSION_free(3)>,
+L<SSL_CTX_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_sessions.pod b/doc/ssl/SSL_CTX_sessions.pod
index e05aab3..0099b31 100644
--- a/doc/ssl/SSL_CTX_sessions.pod
+++ b/doc/ssl/SSL_CTX_sessions.pod
@@ -18,17 +18,17 @@ internal session cache for B<ctx>.
 =head1 NOTES
 
 The sessions in the internal session cache are kept in an
-L<lhash(3)|lhash(3)> type database. It is possible to directly
+L<lhash(3)> type database. It is possible to directly
 access this database e.g. for searching. In parallel, the sessions
 form a linked list which is maintained separately from the
-L<lhash(3)|lhash(3)> operations, so that the database must not be
+L<lhash(3)> operations, so that the database must not be
 modified directly but by using the
-L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)> family of functions.
+L<SSL_CTX_add_session(3)> family of functions.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<lhash(3)|lhash(3)>,
-L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+L<ssl(3)>, L<lhash(3)>,
+L<SSL_CTX_add_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set1_curves.pod b/doc/ssl/SSL_CTX_set1_curves.pod
index 18d0c9a..e2d4803 100644
--- a/doc/ssl/SSL_CTX_set1_curves.pod
+++ b/doc/ssl/SSL_CTX_set1_curves.pod
@@ -94,7 +94,7 @@ returns -1.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+L<SSL_CTX_add_extra_chain_cert(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set1_sigalgs.pod b/doc/ssl/SSL_CTX_set1_sigalgs.pod
index b263160..5786ea1 100644
--- a/doc/ssl/SSL_CTX_set1_sigalgs.pod
+++ b/doc/ssl/SSL_CTX_set1_sigalgs.pod
@@ -98,7 +98,7 @@ All these functions return 1 for success and 0 for failure.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_shared_sigalgs(3)|SSL_get_shared_sigalgs(3)>,
-L<SSL_CONF_CTX_new(3)|SSL_CONF_CTX_new(3)>
+L<ssl(3)>, L<SSL_get_shared_sigalgs(3)>,
+L<SSL_CONF_CTX_new(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
index 493cca4..af09f88 100644
--- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
+++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
@@ -55,8 +55,8 @@ The chain store is used to build the certificate chain.
 
 If the mode B<SSL_MODE_NO_AUTO_CHAIN> is set or a certificate chain is
 configured already (for example using the functions such as 
-L<SSL_CTX_add1_chain_cert(3)|SSL_CTX_add1_chain_cert(3)> or
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>) then
+L<SSL_CTX_add1_chain_cert(3)> or
+L<SSL_CTX_add_extra_chain_cert(3)>) then
 automatic chain building is disabled.
 
 If the mode B<SSL_MODE_NO_AUTO_CHAIN> is set then automatic chain building
@@ -72,17 +72,17 @@ All these functions return 1 for success and 0 for failure.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
-L<SSL_CTX_set0_chain(3)|SSL_CTX_set0_chain(3)>
-L<SSL_CTX_set1_chain(3)|SSL_CTX_set1_chain(3)>
-L<SSL_CTX_add0_chain_cert(3)|SSL_CTX_add0_chain_cert(3)>
-L<SSL_CTX_add1_chain_cert(3)|SSL_CTX_add1_chain_cert(3)>
-L<SSL_set0_chain(3)|SSL_set0_chain(3)>
-L<SSL_set1_chain(3)|SSL_set1_chain(3)>
-L<SSL_add0_chain_cert(3)|SSL_add0_chain_cert(3)>
-L<SSL_add1_chain_cert(3)|SSL_add1_chain_cert(3)>
-L<SSL_CTX_build_cert_chain(3)|SSL_CTX_build_cert_chain(3)>
-L<SSL_build_cert_chain(3)|SSL_build_cert_chain(3)>
+L<SSL_CTX_add_extra_chain_cert(3)>
+L<SSL_CTX_set0_chain(3)>
+L<SSL_CTX_set1_chain(3)>
+L<SSL_CTX_add0_chain_cert(3)>
+L<SSL_CTX_add1_chain_cert(3)>
+L<SSL_set0_chain(3)>
+L<SSL_set1_chain(3)>
+L<SSL_add0_chain_cert(3)>
+L<SSL_add1_chain_cert(3)>
+L<SSL_CTX_build_cert_chain(3)>
+L<SSL_build_cert_chain(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_cert_cb.pod b/doc/ssl/SSL_CTX_set_cert_cb.pod
index 1677ff0..77fdb95 100644
--- a/doc/ssl/SSL_CTX_set_cert_cb.pod
+++ b/doc/ssl/SSL_CTX_set_cert_cb.pod
@@ -27,7 +27,7 @@ the callback is successful it B<MUST> return 1 even if no certificates have
 been set. A zero is returned on error which will abort the handshake with a
 fatal internal error alert. A negative return value will suspend the handshake
 and the handshake function will return immediately.
-L<SSL_get_error(3)|SSL_get_error(3)> will return SSL_ERROR_WANT_X509_LOOKUP to
+L<SSL_get_error(3)> will return SSL_ERROR_WANT_X509_LOOKUP to
 indicate, that the handshake was suspended. The next call to the handshake
 function will again lead to the call of cert_cb(). It is the job of the
 cert_cb() to store information about the state of the last call,
@@ -60,9 +60,9 @@ support it will B<not> be used.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_use_certificate(3)|SSL_use_certificate(3)>,
-L<SSL_add1_chain_cert(3)|SSL_add1_chain_cert(3)>,
-L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+L<ssl(3)>, L<SSL_use_certificate(3)>,
+L<SSL_add1_chain_cert(3)>,
+L<SSL_get_client_CA_list(3)>,
+L<SSL_clear(3)>, L<SSL_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_cert_store.pod b/doc/ssl/SSL_CTX_set_cert_store.pod
index 846416e..03a0937 100644
--- a/doc/ssl/SSL_CTX_set_cert_store.pod
+++ b/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -28,17 +28,17 @@ via lookup methods, handled inside the X509_STORE. From the X509_STORE
 the X509_STORE_CTX used when verifying certificates is created.
 
 Typically the trusted certificate store is handled indirectly via using
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+L<SSL_CTX_load_verify_locations(3)>.
 Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
 it is possible to manipulate the X509_STORE object beyond the
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_load_verify_locations(3)>
 call.
 
 Currently no detailed documentation on how to use the X509_STORE
 object is available. Not all members of the X509_STORE are used when
 the verification takes place. So will e.g. the verify_callback() be
 overridden with the verify_callback() set via the
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> family of functions.
+L<SSL_CTX_set_verify(3)> family of functions.
 This document must therefore be updated when documentation about the
 X509_STORE object and its handling becomes available.
 
@@ -57,8 +57,8 @@ SSL_CTX_get_cert_store() returns the current setting.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+L<ssl(3)>,
+L<SSL_CTX_load_verify_locations(3)>,
+L<SSL_CTX_set_verify(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
index c0f4f85..8b802ab 100644
--- a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
+++ b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
@@ -14,7 +14,7 @@ SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
 
 SSL_CTX_set_cert_verify_callback() sets the verification callback function for
 I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at
-the time when L<SSL_new(3)|SSL_new(3)> is called.
+the time when L<SSL_new(3)> is called.
 
 =head1 NOTES
 
@@ -38,13 +38,13 @@ member of I<x509_store_ctx> so that the calling application will be informed
 about the detailed result of the verification procedure! 
 
 Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
-function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
+function set using L<SSL_CTX_set_verify(3)>.
 
 =head1 WARNINGS
 
 Do not mix the verification callback described in this function with the
 B<verify_callback> function called during the verification process. The
-latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+latter is set using the L<SSL_CTX_set_verify(3)>
 family of functions.
 
 Providing a complete verification procedure including certificate purpose
@@ -60,9 +60,9 @@ SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+L<ssl(3)>, L<SSL_CTX_set_verify(3)>,
+L<SSL_get_verify_result(3)>,
+L<SSL_CTX_load_verify_locations(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_cipher_list.pod b/doc/ssl/SSL_CTX_set_cipher_list.pod
index c2c349f..ccd10c8 100644
--- a/doc/ssl/SSL_CTX_set_cipher_list.pod
+++ b/doc/ssl/SSL_CTX_set_cipher_list.pod
@@ -15,7 +15,7 @@ SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPH
 
 SSL_CTX_set_cipher_list() sets the list of available ciphers for B<ctx>
 using the control string B<str>. The format of the string is described
-in L<ciphers(1)|ciphers(1)>. The list of ciphers is inherited by all
+in L<ciphers(1)>. The list of ciphers is inherited by all
 B<ssl> objects created from B<ctx>.
 
 SSL_set_cipher_list() sets the list of ciphers only for B<ssl>.
@@ -40,13 +40,13 @@ A RSA cipher can only be chosen, when a RSA certificate is available.
 RSA export ciphers with a keylength of 512 bits for the RSA key require
 a temporary 512 bit RSA key, as typically the supplied key has a length
 of 1024 bit (see
-L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
+L<SSL_CTX_set_tmp_rsa_callback(3)>).
 RSA ciphers using DHE need a certificate and key and additional DH-parameters
-(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+(see L<SSL_CTX_set_tmp_dh_callback(3)>).
 
 A DSA cipher can only be chosen, when a DSA certificate is available.
 DSA ciphers always use DH key exchange and therefore need DH-parameters
-(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+(see L<SSL_CTX_set_tmp_dh_callback(3)>).
 
 When these conditions are not met for any cipher in the list (e.g. a
 client only supports export RSA ciphers with a asymmetric key length
@@ -61,10 +61,10 @@ could be selected and 0 on complete failure.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
-L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
-L<ciphers(1)|ciphers(1)>
+L<ssl(3)>, L<SSL_get_ciphers(3)>,
+L<SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_set_tmp_rsa_callback(3)>,
+L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<ciphers(1)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
index 4965385..cc05d77 100644
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -42,11 +42,11 @@ This list must explicitly be set using SSL_CTX_set_client_CA_list() for
 B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
 specified overrides the previous setting. The CAs listed do not become
 trusted (B<list> only contains the names, not the complete certificates); use
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> 
+L<SSL_CTX_load_verify_locations(3)> 
 to additionally load them for verification.
 
 If the list of acceptable CAs is compiled in a file, the
-L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
+L<SSL_load_client_CA_file(3)>
 function can be used to help importing the necessary data.
 
 SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
@@ -86,9 +86,9 @@ Scan all certificates in B<CAfile> and list them as acceptable CAs:
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
+L<ssl(3)>,
+L<SSL_get_client_CA_list(3)>,
+L<SSL_load_client_CA_file(3)>,
+L<SSL_CTX_load_verify_locations(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/doc/ssl/SSL_CTX_set_client_cert_cb.pod
index d0df69a..1b5f5f1 100644
--- a/doc/ssl/SSL_CTX_set_client_cert_cb.pod
+++ b/doc/ssl/SSL_CTX_set_client_cert_cb.pod
@@ -29,7 +29,7 @@ using the B<x509> and B<pkey> arguments and "1" must be returned. The
 certificate will be installed into B<ssl>, see the NOTES and BUGS sections.
 If no certificate should be set, "0" has to be returned and no certificate
 will be sent. A negative return value will suspend the handshake and the
-handshake function will return immediately. L<SSL_get_error(3)|SSL_get_error(3)>
+handshake function will return immediately. L<SSL_get_error(3)>
 will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was
 suspended. The next call to the handshake function will again lead to the call
 of client_cert_cb(). It is the job of the client_cert_cb() to store information
@@ -42,7 +42,7 @@ from the client. A client certificate must only be sent, when the server
 did send the request.
 
 When a certificate was set using the
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)> family of functions,
+L<SSL_CTX_use_certificate(3)> family of functions,
 it will be sent to the server. The TLS standard requires that only a
 certificate is sent, if it matches the list of acceptable CAs sent by the
 server. This constraint is violated by the default behavior of the OpenSSL
@@ -56,7 +56,7 @@ If the callback function returns a certificate, the OpenSSL library
 will try to load the private key and certificate data into the SSL
 object using the SSL_use_certificate() and SSL_use_private_key() functions.
 Thus it will permanently install the certificate and key for this SSL
-object. It will not be reset by calling L<SSL_clear(3)|SSL_clear(3)>.
+object. It will not be reset by calling L<SSL_clear(3)>.
 If the callback returns no certificate, the OpenSSL library will not send
 a certificate.
 
@@ -72,7 +72,7 @@ either adding the intermediate CA certificates into the trusted
 certificate store for the SSL_CTX object (resulting in having to add
 CA certificates that otherwise maybe would not be trusted), or by adding
 the chain certificates using the
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+L<SSL_CTX_add_extra_chain_cert(3)>
 function, which is only available for the SSL_CTX object as a whole and that
 therefore probably can only apply for one client certificate, making
 the concept of the callback function (to allow the choice from several
@@ -80,15 +80,15 @@ certificates) questionable.
 
 Once the SSL object has been used in conjunction with the callback function,
 the certificate will be set for the SSL object and will not be cleared
-even when L<SSL_clear(3)|SSL_clear(3)> is being called. It is therefore
-mandatory to destroy the SSL object using L<SSL_free(3)|SSL_free(3)>
+even when L<SSL_clear(3)> is being called. It is therefore
+mandatory to destroy the SSL object using L<SSL_free(3)>
 and create a new one to return to the previous state.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
-L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+L<ssl(3)>, L<SSL_CTX_use_certificate(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_get_client_CA_list(3)>,
+L<SSL_clear(3)>, L<SSL_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
index 2b87f01..9455139 100644
--- a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
+++ b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
@@ -70,7 +70,7 @@ truncated.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>
+L<ssl(3)>,
+L<SSL_CTX_use_certificate(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_generate_session_id.pod b/doc/ssl/SSL_CTX_set_generate_session_id.pod
index cd72572..f66e314 100644
--- a/doc/ssl/SSL_CTX_set_generate_session_id.pod
+++ b/doc/ssl/SSL_CTX_set_generate_session_id.pod
@@ -121,7 +121,7 @@ same id is already in the cache.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_version(3)|SSL_get_version(3)>
+L<ssl(3)>, L<SSL_get_version(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_info_callback.pod b/doc/ssl/SSL_CTX_set_info_callback.pod
index e1e96a9..978ce26 100644
--- a/doc/ssl/SSL_CTX_set_info_callback.pod
+++ b/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -93,10 +93,10 @@ Callback has been called because a handshake is finished.
 =back
 
 The current state information can be obtained using the
-L<SSL_state_string(3)|SSL_state_string(3)> family of functions.
+L<SSL_state_string(3)> family of functions.
 
 The B<ret> information can be evaluated using the
-L<SSL_alert_type_string(3)|SSL_alert_type_string(3)> family of functions.
+L<SSL_alert_type_string(3)> family of functions.
 
 =head1 RETURN VALUES
 
@@ -147,7 +147,7 @@ about alerts being handled and error messages to the B<bio_err> BIO.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_state_string(3)|SSL_state_string(3)>,
-L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>
+L<ssl(3)>, L<SSL_state_string(3)>,
+L<SSL_alert_type_string(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_max_cert_list.pod b/doc/ssl/SSL_CTX_set_max_cert_list.pod
index c2bbda3..1f66b82 100644
--- a/doc/ssl/SSL_CTX_set_max_cert_list.pod
+++ b/doc/ssl/SSL_CTX_set_max_cert_list.pod
@@ -19,7 +19,7 @@ SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL
 SSL_CTX_set_max_cert_list() sets the maximum size allowed for the peer's
 certificate chain for all SSL objects created from B<ctx> to be <size> bytes.
 The SSL objects inherit the setting valid for B<ctx> at the time
-L<SSL_new(3)|SSL_new(3)> is being called.
+L<SSL_new(3)> is being called.
 
 SSL_CTX_get_max_cert_list() returns the currently set maximum size for B<ctx>.
 
@@ -41,7 +41,7 @@ chain is set.
 The default value for the maximum certificate chain size is 100kB (30kB
 on the 16bit DOS platform). This should be sufficient for usual certificate
 chains (OpenSSL's default maximum chain length is 10, see
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, and certificates
+L<SSL_CTX_set_verify(3)>, and certificates
 without special extensions have a typical size of 1-2kB).
 
 For special applications it can be necessary to extend the maximum certificate
@@ -67,8 +67,8 @@ set value.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+L<ssl(3)>, L<SSL_new(3)>,
+L<SSL_CTX_set_verify(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod
index a109f34..92706e5e 100644
--- a/doc/ssl/SSL_CTX_set_mode.pod
+++ b/doc/ssl/SSL_CTX_set_mode.pod
@@ -52,7 +52,7 @@ non-blocking write().
 
 Never bother the application with retries if the transport is blocking.
 If a renegotiation take place during normal operation, a
-L<SSL_read(3)|SSL_read(3)> or L<SSL_write(3)|SSL_write(3)> would return
+L<SSL_read(3)> or L<SSL_write(3)> would return
 with -1 and indicate the need to retry with SSL_ERROR_WANT_READ.
 In a non-blocking environment applications must be prepared to handle
 incomplete read/write operations.
@@ -90,7 +90,7 @@ SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_read(3)|SSL_read(3)>, L<SSL_write(3)|SSL_write(3)>
+L<ssl(3)>, L<SSL_read(3)>, L<SSL_write(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_msg_callback.pod b/doc/ssl/SSL_CTX_set_msg_callback.pod
index 8b82d94..07498e3 100644
--- a/doc/ssl/SSL_CTX_set_msg_callback.pod
+++ b/doc/ssl/SSL_CTX_set_msg_callback.pod
@@ -25,7 +25,7 @@ available for arbitrary application use.
 
 SSL_CTX_set_msg_callback() and SSL_CTX_set_msg_callback_arg() specify
 default settings that will be copied to new B<SSL> objects by
-L<SSL_new(3)|SSL_new(3)>. SSL_set_msg_callback() and
+L<SSL_new(3)>. SSL_set_msg_callback() and
 SSL_set_msg_callback_arg() modify the actual settings of an B<SSL>
 object. Using a B<0> pointer for I<cb> disables the message callback.
 
@@ -89,7 +89,7 @@ I<version> will be B<SSL3_VERSION>.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>
+L<ssl(3)>, L<SSL_new(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 84dde28..519d01f 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -50,7 +50,7 @@ operation (|).
 SSL_CTX_set_options() and SSL_set_options() affect the (external)
 protocol behaviour of the SSL library. The (internal) behaviour of
 the API can be changed by using the similar
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> and SSL_set_mode() functions.
+L<SSL_CTX_set_mode(3)> and SSL_set_mode() functions.
 
 During a handshake, the option settings of the SSL object are used. When
 a new SSL object is created from a context using SSL_new(), the current
@@ -136,10 +136,10 @@ to the server's answer and violate the version rollback protection.)
 =item SSL_OP_SINGLE_DH_USE
 
 Always create a new key when using temporary/ephemeral DH parameters
-(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+(see L<SSL_CTX_set_tmp_dh_callback(3)>).
 This option must be used to prevent small subgroup attacks, when
 the DH parameters were not generated using "strong" primes
-(e.g. when using DSA-parameters, see L<dhparam(1)|dhparam(1)>).
+(e.g. when using DSA-parameters, see L<dhparam(1)>).
 If "strong" primes were used, it is not strictly necessary to generate
 a new DH key during each handshake but it is also recommended.
 B<SSL_OP_SINGLE_DH_USE> should therefore be enabled whenever
@@ -296,10 +296,10 @@ secure renegotiation and 0 if it does not.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
-L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
-L<dhparam(1)|dhparam(1)>
+L<ssl(3)>, L<SSL_new(3)>, L<SSL_clear(3)>,
+L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<SSL_CTX_set_tmp_rsa_callback(3)>,
+L<dhparam(1)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_quiet_shutdown.pod b/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
index 393f8ff..25bb664 100644
--- a/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
+++ b/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
@@ -18,14 +18,14 @@ SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown,
 
 SSL_CTX_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ctx> to be
 B<mode>. SSL objects created from B<ctx> inherit the B<mode> valid at the time
-L<SSL_new(3)|SSL_new(3)> is called. B<mode> may be 0 or 1.
+L<SSL_new(3)> is called. B<mode> may be 0 or 1.
 
 SSL_CTX_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ctx>.
 
 SSL_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ssl> to be
 B<mode>. The setting stays valid until B<ssl> is removed with
-L<SSL_free(3)|SSL_free(3)> or SSL_set_quiet_shutdown() is called again.
-It is not changed when L<SSL_clear(3)|SSL_clear(3)> is called.
+L<SSL_free(3)> or SSL_set_quiet_shutdown() is called again.
+It is not changed when L<SSL_clear(3)> is called.
 B<mode> may be 0 or 1.
 
 SSL_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ssl>.
@@ -33,13 +33,13 @@ SSL_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ssl>.
 =head1 NOTES
 
 Normally when a SSL connection is finished, the parties must send out
-"close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)>
+"close notify" alert messages using L<SSL_shutdown(3)>
 for a clean shutdown.
 
-When setting the "quiet shutdown" flag to 1, L<SSL_shutdown(3)|SSL_shutdown(3)>
+When setting the "quiet shutdown" flag to 1, L<SSL_shutdown(3)>
 will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
-(L<SSL_shutdown(3)|SSL_shutdown(3)> then behaves like
-L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> called with
+(L<SSL_shutdown(3)> then behaves like
+L<SSL_set_shutdown(3)> called with
 SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
 The session is thus considered to be shutdown, but no "close notify" alert
 is sent to the peer. This behaviour violates the TLS standard.
@@ -56,8 +56,8 @@ setting.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
-L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+L<ssl(3)>, L<SSL_shutdown(3)>,
+L<SSL_set_shutdown(3)>, L<SSL_new(3)>,
+L<SSL_clear(3)>, L<SSL_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_read_ahead.pod b/doc/ssl/SSL_CTX_set_read_ahead.pod
index 527164b..a904a85 100644
--- a/doc/ssl/SSL_CTX_set_read_ahead.pod
+++ b/doc/ssl/SSL_CTX_set_read_ahead.pod
@@ -46,6 +46,6 @@ and non zero otherwise.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/doc/ssl/SSL_CTX_set_session_cache_mode.pod
index c5d2f43..0e0ea3c 100644
--- a/doc/ssl/SSL_CTX_set_session_cache_mode.pod
+++ b/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -37,7 +37,7 @@ the external storage if available.
 
 Since a client may try to reuse a session intended for use in a different
 context, the session id context must be set by the server (see
-L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>).
+L<SSL_CTX_set_session_id_context(3)>).
 
 The following session cache modes and modifiers are available:
 
@@ -53,7 +53,7 @@ Client sessions are added to the session cache. As there is no reliable way
 for the OpenSSL library to know whether a session should be reused or which
 session to choose (due to the abstract BIO layer the SSL engine does not
 have details about the connection), the application must select the session
-to be reused by using the L<SSL_set_session(3)|SSL_set_session(3)>
+to be reused by using the L<SSL_set_session(3)>
 function. This option is not activated by default.
 
 =item SSL_SESS_CACHE_SERVER
@@ -72,10 +72,10 @@ Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time.
 
 Normally the session cache is checked for expired sessions every
 255 connections using the
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> function. Since
+L<SSL_CTX_flush_sessions(3)> function. Since
 this may lead to a delay which cannot be controlled, the automatic
 flushing may be disabled and
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> can be called
+L<SSL_CTX_flush_sessions(3)> can be called
 explicitly by the application.
 
 =item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
@@ -94,7 +94,7 @@ sessions negotiated in an SSL/TLS handshake may be cached for possible reuse.
 Normally a new session is added to the internal cache as well as any external
 session caching (callback) that is configured for the SSL_CTX. This flag will
 prevent sessions being stored in the internal cache (though the application can
-add them manually using L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>). Note:
+add them manually using L<SSL_CTX_add_session(3)>). Note:
 in any SSL/TLS servers where external caching is configured, any successful
 session lookups in the external cache (ie. for session-resume requests) would
 normally be copied into the local cache before processing continues - this flag
@@ -119,15 +119,15 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
-L<SSL_session_reused(3)|SSL_session_reused(3)>,
-L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
-L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
-L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
-L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
+L<ssl(3)>, L<SSL_set_session(3)>,
+L<SSL_session_reused(3)>,
+L<SSL_CTX_add_session(3)>,
+L<SSL_CTX_sess_number(3)>,
+L<SSL_CTX_sess_set_cache_size(3)>,
+L<SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_set_session_id_context(3)>,
+L<SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_flush_sessions(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_session_id_context.pod b/doc/ssl/SSL_CTX_set_session_id_context.pod
index 7c9e515..712b518 100644
--- a/doc/ssl/SSL_CTX_set_session_id_context.pod
+++ b/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -78,6 +78,6 @@ The operation succeeded.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_ssl_version.pod b/doc/ssl/SSL_CTX_set_ssl_version.pod
index e254f96..5bbc65e 100644
--- a/doc/ssl/SSL_CTX_set_ssl_version.pod
+++ b/doc/ssl/SSL_CTX_set_ssl_version.pod
@@ -17,8 +17,8 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
 
 SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects
 newly created from this B<ctx>. SSL objects already created with
-L<SSL_new(3)|SSL_new(3)> are not affected, except when
-L<SSL_clear(3)|SSL_clear(3)> is being called.
+L<SSL_new(3)> are not affected, except when
+L<SSL_clear(3)> is being called.
 
 SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl>
 object. It may be reset, when SSL_clear() is called.
@@ -29,9 +29,9 @@ set in B<ssl>.
 =head1 NOTES
 
 The available B<method> choices are described in
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>.
+L<SSL_CTX_new(3)>.
 
-When L<SSL_clear(3)|SSL_clear(3)> is called and no session is connected to
+When L<SSL_clear(3)> is called and no session is connected to
 an SSL object, the method of the SSL object is reset to the method currently
 set in the corresponding SSL_CTX object.
 
@@ -54,8 +54,8 @@ The operation succeeded.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>,
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+L<SSL_CTX_new(3)>, L<SSL_new(3)>,
+L<SSL_clear(3)>, L<ssl(3)>,
+L<SSL_set_connect_state(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_timeout.pod b/doc/ssl/SSL_CTX_set_timeout.pod
index e3de27c..eb9f404 100644
--- a/doc/ssl/SSL_CTX_set_timeout.pod
+++ b/doc/ssl/SSL_CTX_set_timeout.pod
@@ -30,15 +30,15 @@ valid at the time of the session negotiation. Changes of the timeout value
 do not affect already established sessions.
 
 The expiration time of a single session can be modified using the
-L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)> family of functions.
+L<SSL_SESSION_get_time(3)> family of functions.
 
 Expired sessions are removed from the internal session cache, whenever
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> is called, either
+L<SSL_CTX_flush_sessions(3)> is called, either
 directly by the application or automatically (see
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
+L<SSL_CTX_set_session_cache_mode(3)>)
 
 The default value for session timeout is decided on a per protocol
-basis, see L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>.
+basis, see L<SSL_get_default_timeout(3)>.
 All currently supported protocols have the same default timeout value
 of 300 seconds.
 
@@ -50,10 +50,10 @@ SSL_CTX_get_timeout() returns the currently set timeout value.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_get_time(3)>,
+L<SSL_CTX_flush_sessions(3)>,
+L<SSL_get_default_timeout(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
index 4e9fd84..1169e9b 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -178,12 +178,12 @@ returns 0 to indicate the callback function was set.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
-L<SSL_session_reused(3)|SSL_session_reused(3)>,
-L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
-L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
-L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
+L<ssl(3)>, L<SSL_set_session(3)>,
+L<SSL_session_reused(3)>,
+L<SSL_CTX_add_session(3)>,
+L<SSL_CTX_sess_number(3)>,
+L<SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_set_session_id_context(3)>,
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
index 64c8b65..3e08b88 100644
--- a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
@@ -74,14 +74,14 @@ DH parameters can be reused, as the actual key is newly generated during
 the negotiation. The risk in reusing DH parameters is that an attacker
 may specialize on a very often used DH group. Applications should therefore
 generate their own DH parameters during the installation process using the
-openssl L<dhparam(1)|dhparam(1)> application. This application
+openssl L<dhparam(1)> application. This application
 guarantees that "strong" primes are used.
 
 Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
 version of the OpenSSL distribution contain the 'SKIP' DH parameters,
 which use safe primes and were generated verifiably pseudo-randomly.
 These files can be converted into C code using the B<-C> option of the
-L<dhparam(1)|dhparam(1)> application. Generation of custom DH
+L<dhparam(1)> application. Generation of custom DH
 parameters during installation should still be preferred to stop an
 attacker from specializing on a commonly used group. File dh1024.pem
 contains old parameters that must not be used by applications.
@@ -140,9 +140,9 @@ on failure. Check the error queue to find out the reason of failure.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<ciphers(1)|ciphers(1)>, L<dhparam(1)|dhparam(1)>
+L<ssl(3)>, L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_tmp_rsa_callback(3)>,
+L<SSL_CTX_set_options(3)>,
+L<ciphers(1)>, L<dhparam(1)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
index 94c55b8..296699d 100644
--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
@@ -72,7 +72,7 @@ violates the standard and can break interoperability with clients.
 It is therefore strongly recommended to not use ephemeral RSA key
 exchange and use DHE (Ephemeral Diffie-Hellman) key exchange instead
 in order to achieve forward secrecy (see
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+L<SSL_CTX_set_tmp_dh_callback(3)>).
 
 An application may either directly specify the key or can supply the key via a
 callback function. The callback approach has the advantage, that the callback
@@ -151,9 +151,9 @@ RSA key is needed and 0 otherwise.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
-L<SSL_new(3)|SSL_new(3)>, L<ciphers(1)|ciphers(1)>
+L<ssl(3)>, L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_options(3)>,
+L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<SSL_new(3)>, L<ciphers(1)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod
index b6ba6bb..5da4166 100644
--- a/doc/ssl/SSL_CTX_set_verify.pod
+++ b/doc/ssl/SSL_CTX_set_verify.pod
@@ -29,7 +29,7 @@ shall be specified, the NULL pointer can be used for B<verify_callback>. In
 this case last B<verify_callback> set specifically for this B<ssl> remains. If
 no special B<callback> was set before, the default callback for the underlying
 B<ctx> is used, that was valid at the time B<ssl> was created with
-L<SSL_new(3)|SSL_new(3)>.
+L<SSL_new(3)>.
 
 SSL_CTX_set_verify_depth() sets the maximum B<depth> for the certificate chain
 verification that shall be allowed for B<ctx>. (See the BUGS section.)
@@ -52,7 +52,7 @@ client, so the client will not send a certificate.
 B<Client mode:> if not using an anonymous cipher (by default disabled), the
 server will send a certificate which will be checked. The result of the
 certificate verification process can be checked after the TLS/SSL handshake
-using the L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> function.
+using the L<SSL_get_verify_result(3)> function.
 The handshake will be continued regardless of the verification result.
 
 =item SSL_VERIFY_PEER
@@ -95,7 +95,7 @@ set at any time.
 The actual verification procedure is performed either using the built-in
 verification procedure or using another application provided verification
 function set with
-L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>.
+L<SSL_CTX_set_cert_verify_callback(3)>.
 The following descriptions apply in the case of the built-in procedure. An
 application provided procedure also has access to the verify depth information
 and the verify_callback() function, but the way this information is used
@@ -138,7 +138,7 @@ the verification process is continued. If B<verify_callback> always returns
 1, the TLS/SSL handshake will not be terminated with respect to verification
 failures and the connection will be established. The calling process can
 however retrieve the error code of the last verification error using
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> or by maintaining its
+L<SSL_get_verify_result(3)> or by maintaining its
 own error storage managed by B<verify_callback>.
 
 If no B<verify_callback> is specified, the default callback will be used.
@@ -176,8 +176,8 @@ certificates.
 
 The example makes use of the ex_data technique to store application data
 into/retrieve application data from the SSL structure
-(see L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
-L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
+(see L<SSL_get_ex_new_index(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
 
  ...
  typedef struct {
@@ -282,13 +282,13 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
-L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
-L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
-L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
-L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>
+L<ssl(3)>, L<SSL_new(3)>,
+L<SSL_CTX_get_verify_mode(3)>,
+L<SSL_get_verify_result(3)>,
+L<SSL_CTX_load_verify_locations(3)>,
+L<SSL_get_peer_certificate(3)>,
+L<SSL_CTX_set_cert_verify_callback(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
+L<SSL_get_ex_new_index(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod
index 6514d01..76c4883 100644
--- a/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/doc/ssl/SSL_CTX_use_certificate.pod
@@ -42,18 +42,18 @@ or SSL object, respectively.
 
 The SSL_CTX_* class of functions loads the certificates and keys into the
 SSL_CTX object B<ctx>. The information is passed to SSL objects B<ssl>
-created from B<ctx> with L<SSL_new(3)|SSL_new(3)> by copying, so that
+created from B<ctx> with L<SSL_new(3)> by copying, so that
 changes applied to B<ctx> do not propagate to already existing SSL objects.
 
 The SSL_* class of functions only loads certificates and keys into a
 specific SSL object. The specific information is kept, when
-L<SSL_clear(3)|SSL_clear(3)> is called for this SSL object.
+L<SSL_clear(3)> is called for this SSL object.
 
 SSL_CTX_use_certificate() loads the certificate B<x> into B<ctx>,
 SSL_use_certificate() loads B<x> into B<ssl>. The rest of the
 certificates needed to form the complete certificate chain can be
 specified using the
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+L<SSL_CTX_add_extra_chain_cert(3)>
 function.
 
 SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from
@@ -112,7 +112,7 @@ this B<ssl>, the last item added into B<ctx> will be checked.
   
 The internal certificate store of OpenSSL can hold several private
 key/certificate pairs at a time. The certificate used depends on the
-cipher selected, see also L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>.
+cipher selected, see also L<SSL_CTX_set_cipher_list(3)>.
 
 When reading certificates and private keys from file, files of type
 SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
@@ -122,7 +122,7 @@ Files of type SSL_FILETYPE_PEM can contain more than one item.
 
 SSL_CTX_use_certificate_chain_file() adds the first certificate found
 in the file to the certificate store. The other certificates are added
-to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)|SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single
+to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single
 certificate chain store for all certificate types, OpenSSL 1.0.2 and later
 have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() 
 should be used instead of the SSL_CTX_use_certificate_file() function in order
@@ -133,12 +133,12 @@ the trusted CA storage.
 If additional certificates are needed to complete the chain during the
 TLS negotiation, CA certificates are additionally looked up in the
 locations of trusted CA certificates, see
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
+L<SSL_CTX_load_verify_locations(3)>.
 
 The private keys loaded from file can be encrypted. In order to successfully
 load encrypted keys, a function returning the passphrase must have been
 supplied, see
-L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>.
+L<SSL_CTX_set_default_passwd_cb(3)>.
 (Certificate files might be encrypted as well from the technical point
 of view, it however does not make sense as the data in the certificate
 is considered public anyway.)
@@ -150,12 +150,12 @@ Otherwise check out the error stack to find out the reason.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
-L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
-L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>,
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
+L<ssl(3)>, L<SSL_new(3)>, L<SSL_clear(3)>,
+L<SSL_CTX_load_verify_locations(3)>,
+L<SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_client_cert_cb(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_SESSION_free.pod b/doc/ssl/SSL_SESSION_free.pod
index f30fe13..5791da1 100644
--- a/doc/ssl/SSL_SESSION_free.pod
+++ b/doc/ssl/SSL_SESSION_free.pod
@@ -21,7 +21,7 @@ If B<session> is NULL nothing is done.
 
 SSL_SESSION objects are allocated, when a TLS/SSL handshake operation
 is successfully completed. Depending on the settings, see
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
 the SSL_SESSION objects are internally referenced by the SSL_CTX and
 linked into its session cache. SSL objects may be using the SSL_SESSION object;
 as a session may be reused, several SSL objects may be using one SSL_SESSION
@@ -32,13 +32,13 @@ dangling pointers. These failures may also appear delayed, e.g.
 when an SSL_SESSION object was completely freed as the reference count
 incorrectly became 0, but it is still referenced in the internal
 session cache and the cache list is processed during a
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> operation.
+L<SSL_CTX_flush_sessions(3)> operation.
 
 SSL_SESSION_free() must only be called for SSL_SESSION objects, for
 which the reference count was explicitly incremented (e.g.
-by calling SSL_get1_session(), see L<SSL_get_session(3)|SSL_get_session(3)>)
+by calling SSL_get1_session(), see L<SSL_get_session(3)>)
 or when the SSL_SESSION object was generated outside a TLS handshake
-operation, e.g. by using L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>.
+operation, e.g. by using L<d2i_SSL_SESSION(3)>.
 It must not be called on other SSL_SESSION objects, as this would cause
 incorrect reference counts and therefore program failures.
 
@@ -48,9 +48,9 @@ SSL_SESSION_free() does not provide diagnostic information.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_session(3)|SSL_get_session(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
- L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
+L<ssl(3)>, L<SSL_get_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_flush_sessions(3)>,
+L<d2i_SSL_SESSION(3)>
 
 =cut
diff --git a/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/doc/ssl/SSL_SESSION_get_ex_new_index.pod
index 657cda9..f5390c1 100644
--- a/doc/ssl/SSL_SESSION_get_ex_new_index.pod
+++ b/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -40,9 +40,9 @@ SSL_SESSION_get_ex_data() is used to retrieve the information for B<idx> from
 B<session>.
 
 A detailed description for the B<*_get_ex_new_index()> functionality
-can be found in L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>.
+can be found in L<RSA_get_ex_new_index(3)>.
 The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+L<CRYPTO_set_ex_data(3)>.
 
 =head1 WARNINGS
 
@@ -54,8 +54,8 @@ therefore not be restored.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+L<ssl(3)>,
+L<RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)>
 
 =cut
diff --git a/doc/ssl/SSL_SESSION_get_time.pod b/doc/ssl/SSL_SESSION_get_time.pod
index 490337a..dbbf7bf 100644
--- a/doc/ssl/SSL_SESSION_get_time.pod
+++ b/doc/ssl/SSL_SESSION_get_time.pod
@@ -41,7 +41,7 @@ functions are synonyms for the SSL_SESSION_*() counterparts.
 Sessions are expired by examining the creation time and the timeout value.
 Both are set at creation time of the session to the actual time and the
 default timeout value at creation, respectively, as set by
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>.
+L<SSL_CTX_set_timeout(3)>.
 Using these functions it is possible to extend or shorten the lifetime
 of the session.
 
@@ -57,8 +57,8 @@ If any of the function is passed the NULL pointer for the session B<s>,
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
-L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_timeout(3)>,
+L<SSL_get_default_timeout(3)>
 
 =cut
diff --git a/doc/ssl/SSL_SESSION_has_ticket.pod b/doc/ssl/SSL_SESSION_has_ticket.pod
index d9b2a06..92d261f 100644
--- a/doc/ssl/SSL_SESSION_has_ticket.pod
+++ b/doc/ssl/SSL_SESSION_has_ticket.pod
@@ -29,10 +29,10 @@ may also become invalid as a result of a call to SSL_CTX_flush_sessions().
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
-L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<ssl(3)>,
+L<d2i_SSL_SESSION(3)>,
+L<SSL_SESSION_get_time(3)>,
+L<SSL_SESSION_free(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
index 89ad6bd..a827fb5 100644
--- a/doc/ssl/SSL_accept.pod
+++ b/doc/ssl/SSL_accept.pod
@@ -64,10 +64,10 @@ to find out the reason.
 
 =head1 SEE ALSO
 
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
-L<SSL_do_handshake(3)|SSL_do_handshake(3)>,
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>
+L<SSL_get_error(3)>, L<SSL_connect(3)>,
+L<SSL_shutdown(3)>, L<ssl(3)>, L<bio(3)>,
+L<SSL_set_connect_state(3)>,
+L<SSL_do_handshake(3)>,
+L<SSL_CTX_new(3)>
 
 =cut
diff --git a/doc/ssl/SSL_alert_type_string.pod b/doc/ssl/SSL_alert_type_string.pod
index 0329c34..c61b61b 100644
--- a/doc/ssl/SSL_alert_type_string.pod
+++ b/doc/ssl/SSL_alert_type_string.pod
@@ -228,6 +228,6 @@ Probably B<value> does not contain a correct alert message.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>
+L<ssl(3)>, L<SSL_CTX_set_info_callback(3)>
 
 =cut
diff --git a/doc/ssl/SSL_check_chain.pod b/doc/ssl/SSL_check_chain.pod
index d3b7601..da6d8ab 100644
--- a/doc/ssl/SSL_check_chain.pod
+++ b/doc/ssl/SSL_check_chain.pod
@@ -79,7 +79,7 @@ for earlier versions of TLS or DTLS.
 
 =head1 SEE ALSO
 
-L<SSL_CTX_set_cert_cb(3)|SSL_CTX_set_cert_cb(3)>,
-L<ssl(3)|ssl(3)>
+L<SSL_CTX_set_cert_cb(3)>,
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod
index 1b9ea1f..9a760b5 100644
--- a/doc/ssl/SSL_clear.pod
+++ b/doc/ssl/SSL_clear.pod
@@ -21,8 +21,8 @@ SSL_clear is used to prepare an SSL object for a new connection. While all
 settings are kept, a side effect is the handling of the current SSL session.
 If a session is still B<open>, it is considered bad and will be removed
 from the session cache, as required by RFC2246. A session is considered open,
-if L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
-or at least L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was used to
+if L<SSL_shutdown(3)> was not called for the connection
+or at least L<SSL_set_shutdown(3)> was used to
 set the SSL_SENT_SHUTDOWN state.
 
 If a session was closed cleanly, the session object will be kept and all
@@ -31,7 +31,7 @@ used during the session will be kept for the next handshake. So if the
 session was a TLSv1 session, a SSL client object will use a TLSv1 client
 method for the next handshake and a SSL server object will use a TLSv1
 server method, even if TLS_*_methods were chosen on startup. This
-will might lead to connection failures (see L<SSL_new(3)|SSL_new(3)>)
+will might lead to connection failures (see L<SSL_new(3)>)
 for a description of the method's properties.
 
 =head1 WARNINGS
@@ -42,12 +42,12 @@ reset operation however keeps several settings of the last sessions
 handshake). It only makes sense for a new connection with the exact
 same peer that shares these settings, and may fail if that peer
 changes its settings between connections. Use the sequence
-L<SSL_get_session(3)|SSL_get_session(3)>;
-L<SSL_new(3)|SSL_new(3)>;
-L<SSL_set_session(3)|SSL_set_session(3)>;
-L<SSL_free(3)|SSL_free(3)>
+L<SSL_get_session(3)>;
+L<SSL_new(3)>;
+L<SSL_set_session(3)>;
+L<SSL_free(3)>
 instead to avoid such failures
-(or simply L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>
+(or simply L<SSL_free(3)>; L<SSL_new(3)>
 if session reuse is not desired).
 
 =head1 RETURN VALUES
@@ -67,9 +67,9 @@ The SSL_clear() operation was successful.
 
 =back
 
-L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>
+L<SSL_new(3)>, L<SSL_free(3)>,
+L<SSL_shutdown(3)>, L<SSL_set_shutdown(3)>,
+L<SSL_CTX_set_options(3)>, L<ssl(3)>,
+L<SSL_CTX_set_client_cert_cb(3)>
 
 =cut
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
index 68e2b82..8101d4d 100644
--- a/doc/ssl/SSL_connect.pod
+++ b/doc/ssl/SSL_connect.pod
@@ -64,10 +64,10 @@ to find out the reason.
 
 =head1 SEE ALSO
 
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
-L<SSL_do_handshake(3)|SSL_do_handshake(3)>,
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>
+L<SSL_get_error(3)>, L<SSL_accept(3)>,
+L<SSL_shutdown(3)>, L<ssl(3)>, L<bio(3)>,
+L<SSL_set_connect_state(3)>,
+L<SSL_do_handshake(3)>,
+L<SSL_CTX_new(3)>
 
 =cut
diff --git a/doc/ssl/SSL_do_handshake.pod b/doc/ssl/SSL_do_handshake.pod
index 8b590c9..01b71ae 100644
--- a/doc/ssl/SSL_do_handshake.pod
+++ b/doc/ssl/SSL_do_handshake.pod
@@ -15,8 +15,8 @@ SSL_do_handshake - perform a TLS/SSL handshake
 SSL_do_handshake() will wait for a SSL/TLS handshake to take place. If the
 connection is in client mode, the handshake will be started. The handshake
 routines may have to be explicitly set in advance using either
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or
-L<SSL_set_accept_state(3)|SSL_set_accept_state(3)>.
+L<SSL_set_connect_state(3)> or
+L<SSL_set_accept_state(3)>.
 
 =head1 NOTES
 
@@ -65,8 +65,8 @@ to find out the reason.
 
 =head1 SEE ALSO
 
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
+L<SSL_get_error(3)>, L<SSL_connect(3)>,
+L<SSL_accept(3)>, L<ssl(3)>, L<bio(3)>,
+L<SSL_set_connect_state(3)>
 
 =cut
diff --git a/doc/ssl/SSL_free.pod b/doc/ssl/SSL_free.pod
index e3e6f56..2715443 100644
--- a/doc/ssl/SSL_free.pod
+++ b/doc/ssl/SSL_free.pod
@@ -29,8 +29,8 @@ failure.
 The ssl session has reference counts from two users: the SSL object, for
 which the reference count is removed by SSL_free() and the internal
 session cache. If the session is considered bad, because
-L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
-and L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was not used to set the
+L<SSL_shutdown(3)> was not called for the connection
+and L<SSL_set_shutdown(3)> was not used to set the
 SSL_SENT_SHUTDOWN state, the session will also be removed
 from the session cache as required by RFC2246.
 
@@ -38,8 +38,8 @@ from the session cache as required by RFC2246.
 
 SSL_free() does not provide diagnostic information.
 
-L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<ssl(3)|ssl(3)>
+L<SSL_new(3)>, L<SSL_clear(3)>,
+L<SSL_shutdown(3)>, L<SSL_set_shutdown(3)>,
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_SSL_CTX.pod b/doc/ssl/SSL_get_SSL_CTX.pod
index 659c482..ed3a3b2 100644
--- a/doc/ssl/SSL_get_SSL_CTX.pod
+++ b/doc/ssl/SSL_get_SSL_CTX.pod
@@ -13,7 +13,7 @@ SSL_get_SSL_CTX - get the SSL_CTX from which an SSL is created
 =head1 DESCRIPTION
 
 SSL_get_SSL_CTX() returns a pointer to the SSL_CTX object, from which
-B<ssl> was created with L<SSL_new(3)|SSL_new(3)>.
+B<ssl> was created with L<SSL_new(3)>.
 
 =head1 RETURN VALUES
 
@@ -21,6 +21,6 @@ The pointer to the SSL_CTX object is returned.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>
+L<ssl(3)>, L<SSL_new(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_ciphers.pod b/doc/ssl/SSL_get_ciphers.pod
index 3417454..65781da 100644
--- a/doc/ssl/SSL_get_ciphers.pod
+++ b/doc/ssl/SSL_get_ciphers.pod
@@ -30,7 +30,7 @@ is returned.
 =head1 NOTES
 
 The details of the ciphers obtained by SSL_get_ciphers() can be obtained using
-the L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)> family of functions.
+the L<SSL_CIPHER_get_name(3)> family of functions.
 
 Call SSL_get_cipher_list() with B<priority> starting from 0 to obtain the
 sorted list of available ciphers, until NULL is returned.
@@ -46,7 +46,7 @@ See DESCRIPTION
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>
+L<ssl(3)>, L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CIPHER_get_name(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_client_CA_list.pod b/doc/ssl/SSL_get_client_CA_list.pod
index 68181b2..62be122 100644
--- a/doc/ssl/SSL_get_client_CA_list.pod
+++ b/doc/ssl/SSL_get_client_CA_list.pod
@@ -14,11 +14,11 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
 =head1 DESCRIPTION
 
 SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
-B<ctx> using L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>.
+B<ctx> using L<SSL_CTX_set_client_CA_list(3)>.
 
 SSL_get_client_CA_list() returns the list of client CAs explicitly
 set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>, when in
+L<SSL_CTX_set_client_CA_list(3)>, when in
 server mode. In client mode, SSL_get_client_CA_list returns the list of
 client CAs sent from the server, if any.
 
@@ -46,8 +46,8 @@ the server did not send a list of CAs (client mode).
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
-L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)>,
+L<SSL_CTX_set_client_cert_cb(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_client_random.pod b/doc/ssl/SSL_get_client_random.pod
index 2cddf73..3db5a26 100644
--- a/doc/ssl/SSL_get_client_random.pod
+++ b/doc/ssl/SSL_get_client_random.pod
@@ -71,9 +71,9 @@ of bytes they would copy--that is, the length of the underlying field.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<RAND_bytes(3)|RAND_bytes(3)>,
-L<SSL_export_keying_material(3)|SSL_export_keying_material(3)>
+L<ssl(3)>,
+L<RAND_bytes(3)>,
+L<SSL_export_keying_material(3)>
 
 
 =cut
diff --git a/doc/ssl/SSL_get_current_cipher.pod b/doc/ssl/SSL_get_current_cipher.pod
index e5ab124..9151203 100644
--- a/doc/ssl/SSL_get_current_cipher.pod
+++ b/doc/ssl/SSL_get_current_cipher.pod
@@ -29,7 +29,7 @@ SSL_get_cipher() and SSL_get_cipher_name() are identical macros to obtain the
 name of the currently used cipher. SSL_get_cipher_bits() is a
 macro to obtain the number of secret/algorithm bits used and 
 SSL_get_cipher_version() returns the protocol name.
-See L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)> for more details.
+See L<SSL_CIPHER_get_name(3)> for more details.
 
 =head1 RETURN VALUES
 
@@ -38,6 +38,6 @@ no session has been established.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>
+L<ssl(3)>, L<SSL_CIPHER_get_name(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_default_timeout.pod b/doc/ssl/SSL_get_default_timeout.pod
index 3a067fe..9bde222 100644
--- a/doc/ssl/SSL_get_default_timeout.pod
+++ b/doc/ssl/SSL_get_default_timeout.pod
@@ -20,7 +20,7 @@ SSL_SESSION objects negotiated for the protocol valid for B<ssl>.
 Whenever a new session is negotiated, it is assigned a timeout value,
 after which it will not be accepted for session reuse. If the timeout
 value was not explicitly set using
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, the hardcoded default
+L<SSL_CTX_set_timeout(3)>, the hardcoded default
 timeout for the protocol will be used.
 
 SSL_get_default_timeout() return this hardcoded value, which is 300 seconds
@@ -32,10 +32,10 @@ See description.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_SESSION_get_time(3)>,
+L<SSL_CTX_flush_sessions(3)>,
+L<SSL_get_default_timeout(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod
index 48c6b15..015f2c7 100644
--- a/doc/ssl/SSL_get_error.pod
+++ b/doc/ssl/SSL_get_error.pod
@@ -105,7 +105,7 @@ OpenSSL error queue contains more information on the error.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<err(3)|err(3)>
+L<ssl(3)>, L<err(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
index 165c6a5..2957a2a 100644
--- a/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
+++ b/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod
@@ -51,11 +51,11 @@ An error occurred, check the error stack for a detailed error message.
 The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to
 access the SSL object for the connection to be accessed during the
 verify_callback() when checking the peers certificate. Please check
-the example in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
+the example in L<SSL_CTX_set_verify(3)>,
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>
+L<ssl(3)>, L<SSL_CTX_set_verify(3)>,
+L<CRYPTO_set_ex_data(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_ex_new_index.pod b/doc/ssl/SSL_get_ex_new_index.pod
index 228d23d..6c2e919 100644
--- a/doc/ssl/SSL_get_ex_new_index.pod
+++ b/doc/ssl/SSL_get_ex_new_index.pod
@@ -40,20 +40,20 @@ SSL_get_ex_data() is used to retrieve the information for B<idx> from
 B<ssl>.
 
 A detailed description for the B<*_get_ex_new_index()> functionality
-can be found in L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>.
+can be found in L<RSA_get_ex_new_index(3)>.
 The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>.
+L<CRYPTO_set_ex_data(3)>.
 
 =head1 EXAMPLES
 
 An example on how to use the functionality is included in the example
-verify_callback() in L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
+verify_callback() in L<SSL_CTX_set_verify(3)>.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>,
-L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+L<ssl(3)>,
+L<RSA_get_ex_new_index(3)>,
+L<CRYPTO_set_ex_data(3)>,
+L<SSL_CTX_set_verify(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_extms_support.pod b/doc/ssl/SSL_get_extms_support.pod
index 4e24824..ecfd090 100644
--- a/doc/ssl/SSL_get_extms_support.pod
+++ b/doc/ssl/SSL_get_extms_support.pod
@@ -26,6 +26,6 @@ was used.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_fd.pod b/doc/ssl/SSL_get_fd.pod
index 19e52d6..8895747 100644
--- a/doc/ssl/SSL_get_fd.pod
+++ b/doc/ssl/SSL_get_fd.pod
@@ -39,6 +39,6 @@ The file descriptor linked to B<ssl>.
 
 =head1 SEE ALSO
 
-L<SSL_set_fd(3)|SSL_set_fd(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+L<SSL_set_fd(3)>, L<ssl(3)> , L<bio(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_peer_cert_chain.pod b/doc/ssl/SSL_get_peer_cert_chain.pod
index 059376c..4d3e6d5 100644
--- a/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -16,7 +16,7 @@ SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
 forming the certificate chain of the peer. If called on the client side,
 the stack also contains the peer's certificate; if called on the server
 side, the peer's certificate must be obtained separately using
-L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
+L<SSL_get_peer_certificate(3)>.
 If the peer did not present a certificate, NULL is returned.
 
 =head1 NOTES
@@ -47,6 +47,6 @@ The return value points to the certificate chain presented by the peer.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>
+L<ssl(3)>, L<SSL_get_peer_certificate(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_peer_certificate.pod b/doc/ssl/SSL_get_peer_certificate.pod
index ef7c8be..c605a7c 100644
--- a/doc/ssl/SSL_get_peer_certificate.pod
+++ b/doc/ssl/SSL_get_peer_certificate.pod
@@ -20,11 +20,11 @@ peer presented. If the peer did not present a certificate, NULL is returned.
 Due to the protocol definition, a TLS/SSL server will always send a
 certificate, if present. A client will only send a certificate when
 explicitly requested to do so by the server (see
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>). If an anonymous cipher
+L<SSL_CTX_set_verify(3)>). If an anonymous cipher
 is used, no certificates are sent.
 
 That a certificate is returned does not indicate information about the
-verification state, use L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>
+verification state, use L<SSL_get_verify_result(3)>
 to check the verification state.
 
 The reference count of the X509 object is incremented by one, so that it
@@ -49,7 +49,7 @@ The return value points to the certificate presented by the peer.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
+L<ssl(3)>, L<SSL_get_verify_result(3)>,
+L<SSL_CTX_set_verify(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_rbio.pod b/doc/ssl/SSL_get_rbio.pod
index 08dea6a..4e91ce0 100644
--- a/doc/ssl/SSL_get_rbio.pod
+++ b/doc/ssl/SSL_get_rbio.pod
@@ -35,6 +35,6 @@ The BIO linked to B<ssl>.
 
 =head1 SEE ALSO
 
-L<SSL_set_bio(3)|SSL_set_bio(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+L<SSL_set_bio(3)>, L<ssl(3)> , L<bio(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_session.pod b/doc/ssl/SSL_get_session.pod
index 1a30f7b..d360e8a 100644
--- a/doc/ssl/SSL_get_session.pod
+++ b/doc/ssl/SSL_get_session.pod
@@ -30,16 +30,16 @@ connection without a new handshake.
 
 SSL_get0_session() returns a pointer to the actual session. As the
 reference counter is not incremented, the pointer is only valid while
-the connection is in use. If L<SSL_clear(3)|SSL_clear(3)> or
-L<SSL_free(3)|SSL_free(3)> is called, the session may be removed completely
+the connection is in use. If L<SSL_clear(3)> or
+L<SSL_free(3)> is called, the session may be removed completely
 (if considered bad), and the pointer obtained will become invalid. Even
 if the session is valid, it can be removed at any time due to timeout
-during L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>.
+during L<SSL_CTX_flush_sessions(3)>.
 
 If the data is to be kept, SSL_get1_session() will increment the reference
 count, so that the session will not be implicitly removed by other operations
 but stays in memory. In order to remove the session
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)> must be explicitly called once
+L<SSL_SESSION_free(3)> must be explicitly called once
 to decrement the reference count again.
 
 SSL_SESSION objects keep internal link information about the session cache
@@ -66,8 +66,8 @@ The return value points to the data of an SSL session.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_free(3)|SSL_free(3)>,
-L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
+L<ssl(3)>, L<SSL_free(3)>,
+L<SSL_clear(3)>,
+L<SSL_SESSION_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_shared_sigalgs.pod b/doc/ssl/SSL_get_shared_sigalgs.pod
index 16f7d48..ad305e6 100644
--- a/doc/ssl/SSL_get_shared_sigalgs.pod
+++ b/doc/ssl/SSL_get_shared_sigalgs.pod
@@ -71,7 +71,7 @@ or is not an appropriate combination (for example MD5 and DSA).
 
 =head1 SEE ALSO
 
-L<SSL_CTX_set_cert_cb(3)|SSL_CTX_set_cert_cb(3)>,
-L<ssl(3)|ssl(3)>
+L<SSL_CTX_set_cert_cb(3)>,
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_get_verify_result.pod b/doc/ssl/SSL_get_verify_result.pod
index 55b56a5..8b25eb2 100644
--- a/doc/ssl/SSL_get_verify_result.pod
+++ b/doc/ssl/SSL_get_verify_result.pod
@@ -30,7 +30,7 @@ when a session is reused.
 If no peer certificate was presented, the returned result code is
 X509_V_OK. This is because no verification error occurred, it does however
 not indicate success. SSL_get_verify_result() is only useful in connection
-with L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
+with L<SSL_get_peer_certificate(3)>.
 
 =head1 RETURN VALUES
 
@@ -44,14 +44,14 @@ The verification succeeded or no peer certificate was presented.
 
 =item Any other value
 
-Documented in L<verify(1)|verify(1)>.
+Documented in L<verify(1)>.
 
 =back
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_set_verify_result(3)|SSL_set_verify_result(3)>,
-L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
-L<verify(1)|verify(1)>
+L<ssl(3)>, L<SSL_set_verify_result(3)>,
+L<SSL_get_peer_certificate(3)>,
+L<verify(1)>
 
 =cut
diff --git a/doc/ssl/SSL_get_version.pod b/doc/ssl/SSL_get_version.pod
index b91bb47..e0c7034 100644
--- a/doc/ssl/SSL_get_version.pod
+++ b/doc/ssl/SSL_get_version.pod
@@ -45,6 +45,6 @@ This indicates that no version has been set (no connection established).
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_library_init.pod b/doc/ssl/SSL_library_init.pod
index 8766776..1c99e76 100644
--- a/doc/ssl/SSL_library_init.pod
+++ b/doc/ssl/SSL_library_init.pod
@@ -51,7 +51,7 @@ OpenSSL_add_all_algorithms() as well.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>,
-L<RAND_add(3)|RAND_add(3)>
+L<ssl(3)>, L<SSL_load_error_strings(3)>,
+L<RAND_add(3)>
 
 =cut
diff --git a/doc/ssl/SSL_load_client_CA_file.pod b/doc/ssl/SSL_load_client_CA_file.pod
index 02527dc..f9da0c2 100644
--- a/doc/ssl/SSL_load_client_CA_file.pod
+++ b/doc/ssl/SSL_load_client_CA_file.pod
@@ -20,7 +20,7 @@ a STACK_OF(X509_NAME) with the subject names found.
 SSL_load_client_CA_file() reads a file of PEM formatted certificates and
 extracts the X509_NAMES of the certificates found. While the name suggests
 the specific usage as support function for
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
+L<SSL_CTX_set_client_CA_list(3)>,
 it is not limited to CA certificates.
 
 =head1 EXAMPLES
@@ -56,7 +56,7 @@ Pointer to the subject names of the successfully read certificates.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
+L<ssl(3)>,
+L<SSL_CTX_set_client_CA_list(3)>
 
 =cut
diff --git a/doc/ssl/SSL_new.pod b/doc/ssl/SSL_new.pod
index f0774a5..4c350c5 100644
--- a/doc/ssl/SSL_new.pod
+++ b/doc/ssl/SSL_new.pod
@@ -36,9 +36,9 @@ The return value points to an allocated SSL structure.
 
 =head1 SEE ALSO
 
-L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<SSL_get_SSL_CTX(3)|SSL_get_SSL_CTX(3)>,
-L<ssl(3)|ssl(3)>
+L<SSL_free(3)>, L<SSL_clear(3)>,
+L<SSL_CTX_set_options(3)>,
+L<SSL_get_SSL_CTX(3)>,
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_pending.pod b/doc/ssl/SSL_pending.pod
index 9dd071b..a263241 100644
--- a/doc/ssl/SSL_pending.pod
+++ b/doc/ssl/SSL_pending.pod
@@ -19,7 +19,7 @@ B<ssl> for immediate read.
 
 Data are received in blocks from the peer. Therefore data can be buffered
 inside B<ssl> and are ready for immediate retrieval with
-L<SSL_read(3)|SSL_read(3)>.
+L<SSL_read(3)>.
 
 =head1 RETURN VALUES
 
@@ -30,7 +30,7 @@ The number of bytes pending is returned.
 SSL_pending() takes into account only bytes from the TLS/SSL record
 that is currently being processed (if any).  If the B<SSL> object's
 I<read_ahead> flag is set (see
-L<SSL_CTX_set_read_ahead(3)|SSL_CTX_set_read_ahead(3)>), additional protocol
+L<SSL_CTX_set_read_ahead(3)>), additional protocol
 bytes may have been read containing more TLS/SSL records; these are ignored by
 SSL_pending().
 
@@ -39,7 +39,7 @@ of pending data is application data.
 
 =head1 SEE ALSO
 
-L<SSL_read(3)|SSL_read(3)>,
-L<SSL_CTX_set_read_ahead(3)|SSL_CTX_set_read_ahead(3)>, L<ssl(3)|ssl(3)>
+L<SSL_read(3)>,
+L<SSL_CTX_set_read_ahead(3)>, L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod
index 8ca0ce5..947c868 100644
--- a/doc/ssl/SSL_read.pod
+++ b/doc/ssl/SSL_read.pod
@@ -18,16 +18,16 @@ buffer B<buf>.
 =head1 NOTES
 
 If necessary, SSL_read() will negotiate a TLS/SSL session, if
-not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
-L<SSL_accept(3)|SSL_accept(3)>. If the
+not already explicitly performed by L<SSL_connect(3)> or
+L<SSL_accept(3)>. If the
 peer requests a re-negotiation, it will be performed transparently during
 the SSL_read() operation. The behaviour of SSL_read() depends on the
 underlying BIO. 
 
 For the transparent negotiation to succeed, the B<ssl> must have been
 initialized to client or server mode. This is being done by calling
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
-before the first call to an SSL_read() or L<SSL_write(3)|SSL_write(3)>
+L<SSL_set_connect_state(3)> or SSL_set_accept_state()
+before the first call to an SSL_read() or L<SSL_write(3)>
 function.
 
 SSL_read() works based on the SSL/TLS records. The data are received in
@@ -49,12 +49,12 @@ If the underlying BIO is B<blocking>, SSL_read() will only return, once the
 read operation has been finished or an error occurred, except when a
 renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. 
 This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
+L<SSL_CTX_set_mode(3)> call.
 
 If the underlying BIO is B<non-blocking>, SSL_read() will also return
 when the underlying BIO could not satisfy the needs of SSL_read()
 to continue the operation. In this case a call to
-L<SSL_get_error(3)|SSL_get_error(3)> with the
+L<SSL_get_error(3)> with the
 return value of SSL_read() will yield B<SSL_ERROR_WANT_READ> or
 B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
 call to SSL_read() can also cause write operations! The calling process
@@ -64,7 +64,7 @@ non-blocking socket, nothing is to be done, but select() can be used to check
 for the required condition. When using a buffering BIO, like a BIO pair, data
 must be written into or retrieved out of the BIO before being able to continue.
 
-L<SSL_pending(3)|SSL_pending(3)> can be used to find out whether there
+L<SSL_pending(3)> can be used to find out whether there
 are buffered bytes available for immediate retrieval. In this case
 SSL_read() can be called without blocking or actually receiving new
 data from the underlying socket.
@@ -91,8 +91,8 @@ bytes actually read from the TLS/SSL connection.
 The read operation was not successful. The reason may either be a clean
 shutdown due to a "close notify" alert sent by the peer (in which case
 the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set
-(see L<SSL_shutdown(3)|SSL_shutdown(3)>,
-L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>). It is also possible, that
+(see L<SSL_shutdown(3)>,
+L<SSL_set_shutdown(3)>). It is also possible, that
 the peer simply shut down the underlying transport and the shutdown is
 incomplete. Call SSL_get_error() with the return value B<ret> to find out,
 whether an error occurred or the connection was shut down cleanly
@@ -113,12 +113,12 @@ return value B<ret> to find out the reason.
 
 =head1 SEE ALSO
 
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
-L<SSL_pending(3)|SSL_pending(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_get_error(3)>, L<SSL_write(3)>,
+L<SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)>,
+L<SSL_connect(3)>, L<SSL_accept(3)>
+L<SSL_set_connect_state(3)>,
+L<SSL_pending(3)>,
+L<SSL_shutdown(3)>, L<SSL_set_shutdown(3)>,
+L<ssl(3)>, L<bio(3)>
 
 =cut
diff --git a/doc/ssl/SSL_rstate_string.pod b/doc/ssl/SSL_rstate_string.pod
index bdb8a1f..7309483 100644
--- a/doc/ssl/SSL_rstate_string.pod
+++ b/doc/ssl/SSL_rstate_string.pod
@@ -54,6 +54,6 @@ The read state is unknown. This should never happen.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>
+L<ssl(3)>
 
 =cut
diff --git a/doc/ssl/SSL_session_reused.pod b/doc/ssl/SSL_session_reused.pod
index b09d8a7..4a738fa 100644
--- a/doc/ssl/SSL_session_reused.pod
+++ b/doc/ssl/SSL_session_reused.pod
@@ -39,7 +39,7 @@ A session was reused.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+L<ssl(3)>, L<SSL_set_session(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>
 
 =cut
diff --git a/doc/ssl/SSL_set_bio.pod b/doc/ssl/SSL_set_bio.pod
index 8b96ee9..3e87ee1 100644
--- a/doc/ssl/SSL_set_bio.pod
+++ b/doc/ssl/SSL_set_bio.pod
@@ -32,9 +32,9 @@ SSL_set_bio(), SSL_set_rbio() and SSL_set_wbio() cannot fail.
 
 =head1 SEE ALSO
 
-L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_get_rbio(3)>,
+L<SSL_connect(3)>, L<SSL_accept(3)>,
+L<SSL_shutdown(3)>, L<ssl(3)>, L<bio(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_set_connect_state.pod b/doc/ssl/SSL_set_connect_state.pod
index a68de31..4c3626c 100644
--- a/doc/ssl/SSL_set_connect_state.pod
+++ b/doc/ssl/SSL_set_connect_state.pod
@@ -20,11 +20,11 @@ SSL_set_accept_state() sets B<ssl> to work in server mode.
 
 =head1 NOTES
 
-When the SSL_CTX object was created with L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
+When the SSL_CTX object was created with L<SSL_CTX_new(3)>,
 it was either assigned a dedicated client method, a dedicated server
 method, or a generic method, that can be used for both client and
 server connections. (The method might have been changed with
-L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> or
+L<SSL_CTX_set_ssl_version(3)> or
 SSL_set_ssl_method().)
 
 When beginning a new handshake, the SSL engine must know whether it must
@@ -32,10 +32,10 @@ call the connect (client) or accept (server) routines. Even though it may
 be clear from the method chosen, whether client or server mode was
 requested, the handshake routines must be explicitly set.
 
-When using the L<SSL_connect(3)|SSL_connect(3)> or
-L<SSL_accept(3)|SSL_accept(3)> routines, the correct handshake
+When using the L<SSL_connect(3)> or
+L<SSL_accept(3)> routines, the correct handshake
 routines are automatically set. When performing a transparent negotiation
-using L<SSL_write(3)|SSL_write(3)> or L<SSL_read(3)|SSL_read(3)>, the
+using L<SSL_write(3)> or L<SSL_read(3)>, the
 handshake routines must be explicitly set in advance using either
 SSL_set_connect_state() or SSL_set_accept_state().
 
@@ -46,10 +46,10 @@ information.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_write(3)|SSL_write(3)>, L<SSL_read(3)|SSL_read(3)>,
-L<SSL_do_handshake(3)|SSL_do_handshake(3)>,
-L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>
+L<ssl(3)>, L<SSL_new(3)>, L<SSL_CTX_new(3)>,
+LL<SSL_connect(3)>, L<SSL_accept(3)>,
+L<SSL_write(3)>, L<SSL_read(3)>,
+L<SSL_do_handshake(3)>,
+L<SSL_CTX_set_ssl_version(3)>
 
 =cut
diff --git a/doc/ssl/SSL_set_fd.pod b/doc/ssl/SSL_set_fd.pod
index 35a2325..faf1d17 100644
--- a/doc/ssl/SSL_set_fd.pod
+++ b/doc/ssl/SSL_set_fd.pod
@@ -47,8 +47,8 @@ The operation succeeded.
 
 =head1 SEE ALSO
 
-L<SSL_get_fd(3)|SSL_get_fd(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
+L<SSL_get_fd(3)>, L<SSL_set_bio(3)>,
+L<SSL_connect(3)>, L<SSL_accept(3)>,
+L<SSL_shutdown(3)>, L<ssl(3)> , L<bio(3)>
 
 =cut
diff --git a/doc/ssl/SSL_set_session.pod b/doc/ssl/SSL_set_session.pod
index 197b521..c9e31c4 100644
--- a/doc/ssl/SSL_set_session.pod
+++ b/doc/ssl/SSL_set_session.pod
@@ -17,7 +17,7 @@ is to be established. SSL_set_session() is only useful for TLS/SSL clients.
 When the session is set, the reference count of B<session> is incremented
 by 1. If the session is not reused, the reference count is decremented
 again during SSL_connect(). Whether the session was reused can be queried
-with the L<SSL_session_reused(3)|SSL_session_reused(3)> call.
+with the L<SSL_session_reused(3)> call.
 
 If there is already a session set inside B<ssl> (because it was set with
 SSL_set_session() before or because the same B<ssl> was already used for
@@ -49,9 +49,9 @@ The operation succeeded.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
-L<SSL_get_session(3)|SSL_get_session(3)>,
-L<SSL_session_reused(3)|SSL_session_reused(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
+L<ssl(3)>, L<SSL_SESSION_free(3)>,
+L<SSL_get_session(3)>,
+L<SSL_session_reused(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>
 
 =cut
diff --git a/doc/ssl/SSL_set_shutdown.pod b/doc/ssl/SSL_set_shutdown.pod
index fe01308..91d7697 100644
--- a/doc/ssl/SSL_set_shutdown.pod
+++ b/doc/ssl/SSL_set_shutdown.pod
@@ -44,18 +44,18 @@ SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time.
 
 The shutdown state of the connection is used to determine the state of
 the ssl session. If the session is still open, when
-L<SSL_clear(3)|SSL_clear(3)> or L<SSL_free(3)|SSL_free(3)> is called,
+L<SSL_clear(3)> or L<SSL_free(3)> is called,
 it is considered bad and removed according to RFC2246.
 The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN
 (according to the TLS RFC, it is acceptable to only send the "close notify"
 alert but to not wait for the peer's answer, when the underlying connection
 is closed).
 SSL_set_shutdown() can be used to set this state without sending a
-close alert to the peer (see L<SSL_shutdown(3)|SSL_shutdown(3)>).
+close alert to the peer (see L<SSL_shutdown(3)>).
 
 If a "close notify" was received, SSL_RECEIVED_SHUTDOWN will be set,
 for setting SSL_SENT_SHUTDOWN the application must however still call
-L<SSL_shutdown(3)|SSL_shutdown(3)> or SSL_set_shutdown() itself.
+L<SSL_shutdown(3)> or SSL_set_shutdown() itself.
 
 =head1 RETURN VALUES
 
@@ -65,8 +65,8 @@ SSL_get_shutdown() returns the current setting.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
-L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
+L<ssl(3)>, L<SSL_shutdown(3)>,
+L<SSL_CTX_set_quiet_shutdown(3)>,
+L<SSL_clear(3)>, L<SSL_free(3)>
 
 =cut
diff --git a/doc/ssl/SSL_set_verify_result.pod b/doc/ssl/SSL_set_verify_result.pod
index 04ab101..2c6d0b4 100644
--- a/doc/ssl/SSL_set_verify_result.pod
+++ b/doc/ssl/SSL_set_verify_result.pod
@@ -23,7 +23,7 @@ the verification result of the B<ssl> object. It does not become part of the
 established session, so if the session is to be reused later, the original
 value will reappear.
 
-The valid codes for B<verify_result> are documented in L<verify(1)|verify(1)>.
+The valid codes for B<verify_result> are documented in L<verify(1)>.
 
 =head1 RETURN VALUES
 
@@ -31,8 +31,8 @@ SSL_set_verify_result() does not provide a return value.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
-L<verify(1)|verify(1)>
+L<ssl(3)>, L<SSL_get_verify_result(3)>,
+L<SSL_get_peer_certificate(3)>,
+L<verify(1)>
 
 =cut
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
index b2bf9cb..169079a 100644
--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@@ -50,11 +50,11 @@ with 1.
 
 =item If the peer already sent the "close notify" alert B<and> it was
 already processed implicitly inside another function
-(L<SSL_read(3)|SSL_read(3)>), the SSL_RECEIVED_SHUTDOWN flag is set.
+(L<SSL_read(3)>), the SSL_RECEIVED_SHUTDOWN flag is set.
 SSL_shutdown() will send the "close notify" alert, set the SSL_SENT_SHUTDOWN
 flag and will immediately return with 1.
 Whether SSL_RECEIVED_SHUTDOWN is already set can be checked using the
-SSL_get_shutdown() (see also L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> call.
+SSL_get_shutdown() (see also L<SSL_set_shutdown(3)> call.
 
 =back
 
@@ -80,7 +80,7 @@ into or retrieved out of the BIO before being able to continue.
 
 SSL_shutdown() can be modified to only set the connection to "shutdown"
 state but not actually send the "close notify" alert messages,
-see L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>.
+see L<SSL_CTX_set_quiet_shutdown(3)>.
 When "quiet shutdown" is enabled, SSL_shutdown() will always succeed
 and return 1.
 
@@ -94,7 +94,7 @@ The following return values can occur:
 
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
 if a bidirectional shutdown shall be performed.
-The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
+The output of L<SSL_get_error(3)> may be misleading, as an
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
 
 =item Z<>1
@@ -107,17 +107,17 @@ and the peer's "close notify" alert was received.
 The shutdown was not successful because a fatal error occurred either
 at the protocol level or a connection failure occurred. It can also occur if
 action is need to continue the operation for non-blocking BIOs.
-Call L<SSL_get_error(3)|SSL_get_error(3)> with the return value B<ret>
+Call L<SSL_get_error(3)> with the return value B<ret>
 to find out the reason.
 
 =back
 
 =head1 SEE ALSO
 
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>,
-L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_get_error(3)>, L<SSL_connect(3)>,
+L<SSL_accept(3)>, L<SSL_set_shutdown(3)>,
+L<SSL_CTX_set_quiet_shutdown(3)>,
+L<SSL_clear(3)>, L<SSL_free(3)>,
+L<ssl(3)>, L<bio(3)>
 
 =cut
diff --git a/doc/ssl/SSL_state_string.pod b/doc/ssl/SSL_state_string.pod
index fe25d47..0d2ba61 100644
--- a/doc/ssl/SSL_state_string.pod
+++ b/doc/ssl/SSL_state_string.pod
@@ -40,6 +40,6 @@ Detailed description of possible states to be included later.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>
+L<ssl(3)>, L<SSL_CTX_set_info_callback(3)>
 
 =cut
diff --git a/doc/ssl/SSL_want.pod b/doc/ssl/SSL_want.pod
index c0059c0..e8b426c 100644
--- a/doc/ssl/SSL_want.pod
+++ b/doc/ssl/SSL_want.pod
@@ -24,15 +24,15 @@ by SSL_want().
 =head1 NOTES
 
 SSL_want() examines the internal state information of the SSL object. Its
-return values are similar to that of L<SSL_get_error(3)|SSL_get_error(3)>.
-Unlike L<SSL_get_error(3)|SSL_get_error(3)>, which also evaluates the
+return values are similar to that of L<SSL_get_error(3)>.
+Unlike L<SSL_get_error(3)>, which also evaluates the
 error queue, the results are obtained by examining an internal state flag
 only. The information must therefore only be used for normal operation under
 non-blocking I/O. Error conditions are not handled and must be treated
-using L<SSL_get_error(3)|SSL_get_error(3)>.
+using L<SSL_get_error(3)>.
 
 The result returned by SSL_want() should always be consistent with
-the result of L<SSL_get_error(3)|SSL_get_error(3)>.
+the result of L<SSL_get_error(3)>.
 
 =head1 RETURN VALUES
 
@@ -48,21 +48,21 @@ There is no data to be written or to be read.
 
 There are data in the SSL buffer that must be written to the underlying
 B<BIO> layer in order to complete the actual SSL_*() operation.
-A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
+A call to L<SSL_get_error(3)> should return
 SSL_ERROR_WANT_WRITE.
 
 =item SSL_READING
 
 More data must be read from the underlying B<BIO> layer in order to
 complete the actual SSL_*() operation.
-A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
+A call to L<SSL_get_error(3)> should return
 SSL_ERROR_WANT_READ.
 
 =item SSL_X509_LOOKUP
 
 The operation did not complete because an application callback set by
 SSL_CTX_set_client_cert_cb() has asked to be called again.
-A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
+A call to L<SSL_get_error(3)> should return
 SSL_ERROR_WANT_X509_LOOKUP.
 
 =back
@@ -72,6 +72,6 @@ return 1, when the corresponding condition is true or 0 otherwise.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<err(3)|err(3)>, L<SSL_get_error(3)|SSL_get_error(3)>
+L<ssl(3)>, L<err(3)>, L<SSL_get_error(3)>
 
 =cut
diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod
index a57617f..a9841ed 100644
--- a/doc/ssl/SSL_write.pod
+++ b/doc/ssl/SSL_write.pod
@@ -18,27 +18,27 @@ B<ssl> connection.
 =head1 NOTES
 
 If necessary, SSL_write() will negotiate a TLS/SSL session, if
-not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
-L<SSL_accept(3)|SSL_accept(3)>. If the
+not already explicitly performed by L<SSL_connect(3)> or
+L<SSL_accept(3)>. If the
 peer requests a re-negotiation, it will be performed transparently during
 the SSL_write() operation. The behaviour of SSL_write() depends on the
 underlying BIO. 
 
 For the transparent negotiation to succeed, the B<ssl> must have been
 initialized to client or server mode. This is being done by calling
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
-before the first call to an L<SSL_read(3)|SSL_read(3)> or SSL_write() function.
+L<SSL_set_connect_state(3)> or SSL_set_accept_state()
+before the first call to an L<SSL_read(3)> or SSL_write() function.
 
 If the underlying BIO is B<blocking>, SSL_write() will only return, once the
 write operation has been finished or an error occurred, except when a
 renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. 
 This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
+L<SSL_CTX_set_mode(3)> call.
 
 If the underlying BIO is B<non-blocking>, SSL_write() will also return,
 when the underlying BIO could not satisfy the needs of SSL_write()
 to continue the operation. In this case a call to
-L<SSL_get_error(3)|SSL_get_error(3)> with the
+L<SSL_get_error(3)> with the
 return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or
 B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
 call to SSL_write() can also cause read operations! The calling process
@@ -51,7 +51,7 @@ must be written into or retrieved out of the BIO before being able to continue.
 SSL_write() will only return with success, when the complete contents
 of B<buf> of length B<num> has been written. This default behaviour
 can be changed with the SSL_MODE_ENABLE_PARTIAL_WRITE option of
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>. When this flag is set,
+L<SSL_CTX_set_mode(3)>. When this flag is set,
 SSL_write() will also return with success, when a partial write has been
 successfully completed. In this case the SSL_write() operation is considered
 completed. The bytes are sent and a new SSL_write() operation with a new
@@ -100,10 +100,10 @@ return value B<ret> to find out the reason.
 
 =head1 SEE ALSO
 
-L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_read(3)|SSL_read(3)>,
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
-L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
-L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
+L<SSL_get_error(3)>, L<SSL_read(3)>,
+L<SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)>,
+L<SSL_connect(3)>, L<SSL_accept(3)>
+L<SSL_set_connect_state(3)>,
+L<ssl(3)>, L<bio(3)>
 
 =cut
diff --git a/doc/ssl/d2i_SSL_SESSION.pod b/doc/ssl/d2i_SSL_SESSION.pod
index bce06e2..985d158 100644
--- a/doc/ssl/d2i_SSL_SESSION.pod
+++ b/doc/ssl/d2i_SSL_SESSION.pod
@@ -31,10 +31,10 @@ a binary ASN1 representation.
 
 When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically
 allocated. The reference count is 1, so that the session must be
-explicitly removed using L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+explicitly removed using L<SSL_SESSION_free(3)>,
 unless the SSL_SESSION object is completely taken over, when being called
 inside the get_session_cb() (see
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>).
+L<SSL_CTX_sess_set_get_cb(3)>).
 
 SSL_SESSION objects keep internal link information about the session cache
 list, when being inserted into one SSL_CTX object's session cache.
@@ -70,7 +70,7 @@ When the session is not valid, B<0> is returned and no operation is performed.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
+L<ssl(3)>, L<SSL_SESSION_free(3)>,
+L<SSL_CTX_sess_set_get_cb(3)>
 
 =cut
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index a094356..6443de7 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -14,25 +14,25 @@ Transport Layer Security (TLS v1) protocols. It provides a rich API which is
 documented here.
 
 At first the library must be initialized; see
-L<SSL_library_init(3)|SSL_library_init(3)>.
+L<SSL_library_init(3)>.
 
 Then an B<SSL_CTX> object is created as a framework to establish
-TLS/SSL enabled connections (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>).
+TLS/SSL enabled connections (see L<SSL_CTX_new(3)>).
 Various options regarding certificates, algorithms etc. can be set
 in this object.
 
 When a network connection has been created, it can be assigned to an
 B<SSL> object. After the B<SSL> object has been created using
-L<SSL_new(3)|SSL_new(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)> or
-L<SSL_set_bio(3)|SSL_set_bio(3)> can be used to associate the network
+L<SSL_new(3)>, L<SSL_set_fd(3)> or
+L<SSL_set_bio(3)> can be used to associate the network
 connection with the object.
 
 Then the TLS/SSL handshake is performed using
-L<SSL_accept(3)|SSL_accept(3)> or L<SSL_connect(3)|SSL_connect(3)>
+L<SSL_accept(3)> or L<SSL_connect(3)>
 respectively.
-L<SSL_read(3)|SSL_read(3)> and L<SSL_write(3)|SSL_write(3)> are used
+L<SSL_read(3)> and L<SSL_write(3)> are used
 to read and write data on the TLS/SSL connection.
-L<SSL_shutdown(3)|SSL_shutdown(3)> can be used to shut down the
+L<SSL_shutdown(3)> can be used to shut down the
 TLS/SSL connection.
 
 =head1 DATA STRUCTURES
@@ -667,87 +667,87 @@ success or 0 on failure.
 
 =head1 SEE ALSO
 
-L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
-L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>,
-L<SSL_connect(3)|SSL_connect(3)>,
-L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>,
-L<SSL_COMP_add_compression_method(3)|SSL_COMP_add_compression_method(3)>,
-L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
-L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
-L<SSL_CTX_ctrl(3)|SSL_CTX_ctrl(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>,
-L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
-L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
-L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
-L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
-L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
-L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
-L<SSL_CTX_set_cert_store(3)|SSL_CTX_set_cert_store(3)>,
-L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
-L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
-L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>,
-L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
-L<SSL_CTX_set_generate_session_id(3)|SSL_CTX_set_generate_session_id(3)>,
-L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>,
-L<SSL_CTX_set_max_cert_list(3)|SSL_CTX_set_max_cert_list(3)>,
-L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>,
-L<SSL_CTX_set_msg_callback(3)|SSL_CTX_set_msg_callback(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>,
-L<SSL_CTX_set_read_ahead(3)|SSL_CTX_set_read_ahead(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
-L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>,
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
-L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
-L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
-L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
-L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>,
-L<SSL_do_handshake(3)|SSL_do_handshake(3)>,
-L<SSL_get_SSL_CTX(3)|SSL_get_SSL_CTX(3)>,
-L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
-L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
-L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>,
-L<SSL_get_error(3)|SSL_get_error(3)>,
-L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
-L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
-L<SSL_get_fd(3)|SSL_get_fd(3)>,
-L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>,
-L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
-L<SSL_get_session(3)|SSL_get_session(3)>,
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_get_version(3)|SSL_get_version(3)>,
-L<SSL_library_init(3)|SSL_library_init(3)>,
-L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
-L<SSL_new(3)|SSL_new(3)>,
-L<SSL_pending(3)|SSL_pending(3)>,
-L<SSL_read(3)|SSL_read(3)>,
-L<SSL_rstate_string(3)|SSL_rstate_string(3)>,
-L<SSL_session_reused(3)|SSL_session_reused(3)>,
-L<SSL_set_bio(3)|SSL_set_bio(3)>,
-L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
-L<SSL_set_fd(3)|SSL_set_fd(3)>,
-L<SSL_set_session(3)|SSL_set_session(3)>,
-L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
-L<SSL_shutdown(3)|SSL_shutdown(3)>,
-L<SSL_state_string(3)|SSL_state_string(3)>,
-L<SSL_want(3)|SSL_want(3)>,
-L<SSL_write(3)|SSL_write(3)>,
-L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
-L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,
-L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
-L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
-L<SSL_CTX_set_psk_client_callback(3)|SSL_CTX_set_psk_client_callback(3)>,
-L<SSL_CTX_use_psk_identity_hint(3)|SSL_CTX_use_psk_identity_hint(3)>,
-L<SSL_get_psk_identity(3)|SSL_get_psk_identity(3)>
+L<openssl(1)>, L<crypto(3)>,
+L<SSL_accept(3)>, L<SSL_clear(3)>,
+L<SSL_connect(3)>,
+L<SSL_CIPHER_get_name(3)>,
+L<SSL_COMP_add_compression_method(3)>,
+L<SSL_CTX_add_extra_chain_cert(3)>,
+L<SSL_CTX_add_session(3)>,
+L<SSL_CTX_ctrl(3)>,
+L<SSL_CTX_flush_sessions(3)>,
+L<SSL_CTX_get_ex_new_index(3)>,
+L<SSL_CTX_get_verify_mode(3)>,
+L<SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_new(3)>,
+L<SSL_CTX_sess_number(3)>,
+L<SSL_CTX_sess_set_cache_size(3)>,
+L<SSL_CTX_sess_set_get_cb(3)>,
+L<SSL_CTX_sessions(3)>,
+L<SSL_CTX_set_cert_store(3)>,
+L<SSL_CTX_set_cert_verify_callback(3)>,
+L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_client_CA_list(3)>,
+L<SSL_CTX_set_client_cert_cb(3)>,
+L<SSL_CTX_set_default_passwd_cb(3)>,
+L<SSL_CTX_set_generate_session_id(3)>,
+L<SSL_CTX_set_info_callback(3)>,
+L<SSL_CTX_set_max_cert_list(3)>,
+L<SSL_CTX_set_mode(3)>,
+L<SSL_CTX_set_msg_callback(3)>,
+L<SSL_CTX_set_options(3)>,
+L<SSL_CTX_set_quiet_shutdown(3)>,
+L<SSL_CTX_set_read_ahead(3)>,
+L<SSL_CTX_set_session_cache_mode(3)>,
+L<SSL_CTX_set_session_id_context(3)>,
+L<SSL_CTX_set_ssl_version(3)>,
+L<SSL_CTX_set_timeout(3)>,
+L<SSL_CTX_set_tmp_rsa_callback(3)>,
+L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<SSL_CTX_set_verify(3)>,
+L<SSL_CTX_use_certificate(3)>,
+L<SSL_alert_type_string(3)>,
+L<SSL_do_handshake(3)>,
+L<SSL_get_SSL_CTX(3)>,
+L<SSL_get_ciphers(3)>,
+L<SSL_get_client_CA_list(3)>,
+L<SSL_get_default_timeout(3)>,
+L<SSL_get_error(3)>,
+L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
+L<SSL_get_ex_new_index(3)>,
+L<SSL_get_fd(3)>,
+L<SSL_get_peer_cert_chain(3)>,
+L<SSL_get_rbio(3)>,
+L<SSL_get_session(3)>,
+L<SSL_get_verify_result(3)>,
+L<SSL_get_version(3)>,
+L<SSL_library_init(3)>,
+L<SSL_load_client_CA_file(3)>,
+L<SSL_new(3)>,
+L<SSL_pending(3)>,
+L<SSL_read(3)>,
+L<SSL_rstate_string(3)>,
+L<SSL_session_reused(3)>,
+L<SSL_set_bio(3)>,
+L<SSL_set_connect_state(3)>,
+L<SSL_set_fd(3)>,
+L<SSL_set_session(3)>,
+L<SSL_set_shutdown(3)>,
+L<SSL_shutdown(3)>,
+L<SSL_state_string(3)>,
+L<SSL_want(3)>,
+L<SSL_write(3)>,
+L<SSL_SESSION_free(3)>,
+L<SSL_SESSION_get_ex_new_index(3)>,
+L<SSL_SESSION_get_time(3)>,
+L<d2i_SSL_SESSION(3)>,
+L<SSL_CTX_set_psk_client_callback(3)>,
+L<SSL_CTX_use_psk_identity_hint(3)>,
+L<SSL_get_psk_identity(3)>
 
 =head1 HISTORY
 
-The L<ssl(3)|ssl(3)> document appeared in OpenSSL 0.9.2
+The L<ssl(3)> document appeared in OpenSSL 0.9.2
 
 B<SSLv2_client_method>, B<SSLv2_server_method> and B<SSLv2_method> where removed
 in OpenSSL 1.1.0.

From rsalz at openssl.org  Mon Aug 24 02:47:53 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 24 Aug 2015 02:47:53 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440384473.139222.25187.nullmailer@dev.openssl.org>

The branch master has been updated
       via  7267b2d4e5ffbaf8e708d37f7c7667363a688604 (commit)
      from  cd8935dc250abcc389ce1228fd73020346022392 (commit)


- Log -----------------------------------------------------------------
commit 7267b2d4e5ffbaf8e708d37f7c7667363a688604
Author: Rich Salz <rsalz at akamai.com>
Date:   Sun Aug 23 22:47:22 2015 -0400

    Add branch changelogs
    
    Only plaintext for non-master tho :)
    And explain how forking/branch affects what's in the changelog.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore          |  1 +
 Makefile            | 14 ++++++++++++++
 news/changelog.html | 21 ++++++++++++++++++++-
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 583aaa9..ed3211e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ mk-manpages.pl
 news/changelog.inc
 news/changelog.txt
 news/newsflash.inc
+news/cl*.txt
 news/vulnerabilities.inc
 newsflash.inc
 source/*.gz*
diff --git a/Makefile b/Makefile
index d986f42..6df8a09 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ RELEASEDIR = /var/www/openssl/source
 SIMPLE = newsflash.inc sitemap.txt \
 	 docs/faq.inc docs/fips.inc \
 	 news/changelog.inc news/changelog.txt \
+	 news/cl098.txt news/cl100.txt news/cl101.txt news/cl102.txt \
 	 news/newsflash.inc \
 	 news/vulnerabilities.inc \
 	 source/.htaccess \
@@ -76,6 +77,19 @@ news/changelog.inc: news/changelog.txt bin/mk-changelog
 news/changelog.txt: $(SNAP)/CHANGES
 	@rm -f $@
 	cp $? $@
+news/cl098.txt: $(CHECKOUTS)/openssl-0.9.8-stable/CHANGES
+	@rm -f $@
+	cp $? $@
+news/cl100.txt: $(CHECKOUTS)/openssl-1.0.0-stable/CHANGES
+	@rm -f $@
+	cp $? $@
+news/cl101.txt: $(CHECKOUTS)/openssl-1.0.1-stable/CHANGES
+	@rm -f $@
+	cp $? $@
+news/cl102.txt: $(CHECKOUTS)/openssl-1.0.2-stable/CHANGES
+	@rm -f $@
+	cp $? $@
+
 news/newsflash.inc: news/newsflash.txt
 	sed <$? >$@ \
 	    -e '/^#/d' \
diff --git a/news/changelog.html b/news/changelog.html
index 66abe58..6cdc9fa 100644
--- a/news/changelog.html
+++ b/news/changelog.html
@@ -11,10 +11,29 @@
 	<article>
 	  <header><h2>Changelog</h2></header>
 	  <div class="entry-content">
-	    <p>
+            <p>
+            When a release is created, that branch is forked off, and its
+            changelog is also forked. For example, none of the changes
+            after 0.9.8n appear in the other logs, because 1.0.0 was
+            created after that release and before 0.9.8o. Any changes that
+            are merged across branches, however, should have an entry
+            in each branch's changelog.
+            </p>
+            <p>
+            This is the changelog for the master branch, the one that is
+            currenty in active development.
 	    The plain-text version of this document is available
 	    here: <a href="changelog.txt">changelog.txt</a>
+            </p>
 	    </p>
+            For other branches, the changelogs are distributed with
+            the source, but are also available here:
+            <ul>
+              <li><a href="cl098.txt">0.9.8</a></li>
+              <li><a href="cl100.txt">1.0.0</a></li>
+              <li><a href="cl101.txt">1.0.1</a></li>
+              <li><a href="cl102.txt">1.0.2</a></li>
+            </ul>
 	    <!--#include virtual="changelog.inc" -->
 	  </div>
 	  <footer>

From steve at openssl.org  Mon Aug 24 14:39:23 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Mon, 24 Aug 2015 14:39:23 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440427163.386179.28877.nullmailer@dev.openssl.org>

The branch master has been updated
       via  80eab79de0377b42bc02e01e5d8bafaa4eb4c1a2 (commit)
       via  9d04f83410ac052aecf7a3031ad20f5237c02014 (commit)
      from  9b86974e0c705ea321ddbc9a9d8562c894809e5b (commit)


- Log -----------------------------------------------------------------
commit 80eab79de0377b42bc02e01e5d8bafaa4eb4c1a2
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 24 15:04:47 2015 +0100

    More test cases.
    
    Add DSA tests.
    
    Add tests to verify signatures against public keys. This will also check
    that a public key is read in correctly.
    
    Reviewed-by: Ben Laurie <ben at openssl.org>

commit 9d04f83410ac052aecf7a3031ad20f5237c02014
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Thu Apr 30 14:16:07 2015 +0100

    Add DSA digest length checks.
    
    Reviewed-by: Ben Laurie <ben at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_pmeth.c |  18 ++++++--
 test/evptests.txt      | 115 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+), 4 deletions(-)

diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 594583f..1adab4f 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -125,10 +125,15 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
     DSA_PKEY_CTX *dctx = ctx->data;
     DSA *dsa = ctx->pkey->pkey.dsa;
 
-    if (dctx->md)
+    if (dctx->md) {
+        if (tbslen != (size_t)EVP_MD_size(dctx->md))
+            return 0;
         type = EVP_MD_type(dctx->md);
-    else
+    } else {
+        if (tbslen != SHA_DIGEST_LENGTH)
+            return 0;
         type = NID_sha1;
+    }
 
     ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa);
 
@@ -146,10 +151,15 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx,
     DSA_PKEY_CTX *dctx = ctx->data;
     DSA *dsa = ctx->pkey->pkey.dsa;
 
-    if (dctx->md)
+    if (dctx->md) {
+        if (tbslen != (size_t)EVP_MD_size(dctx->md))
+            return 0;
         type = EVP_MD_type(dctx->md);
-    else
+    } else {
+        if (tbslen != SHA_DIGEST_LENGTH)
+            return 0;
         type = NID_sha1;
+    }
 
     ret = DSA_verify(type, tbs, tbslen, sig, siglen, dsa);
 
diff --git a/test/evptests.txt b/test/evptests.txt
index a4faba7..2b0b7ba 100644
--- a/test/evptests.txt
+++ b/test/evptests.txt
@@ -2182,6 +2182,20 @@ SOamA2hu2OJWCl9q8fLCT69KqWDjghhvFe7c6aJJGucwaA3Uz3eLcPqoaCarMiNH
 fMkTd7GabVourqIZdgvu1Q==
 -----END PRIVATE KEY-----
 
+# Corresponding public key
+
+PublicKey = RSA-2048-PUBLIC
+
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzQCB6nsq4eoG1Z98c9n/
+uUoJYVwuS6fGNs7wjdNTPsMYVSWwFcdpuZp31nJb+cNTKptuX2Yn1fuFFgdo092p
+y9NZdFEXF9w9MJ0vxH7kH5fjKtt/ndhkocR2emZuzXG8Gqz151F/SzhZT+qbBeQt
+WtqZEgCAE+RTFqTZu47QhriNKHWLrK+SLUaoaLSF0jnJuusOK2RZJxD0Ky0eoKS0
+gCwL7Ksyj4posAc721Rv7qmAnShJkSs5DBUyvH4px2WPgXX65G80My/4e8qz5AZJ
+uYV3hp2g6nGDU/ByJ1SIaRNkh2DRIr5nbg/Eg90g/8Mb2pajGWbJqi51rQPeR+HE
+TwIDAQAB
+-----END PUBLIC KEY-----
+
 # EC P-256 key
 
 PrivateKey=P-256
@@ -2192,6 +2206,43 @@ MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiocvtiiTxNH/xbnw
 +JQkBywnGX14szuSDpXNtmTpkNzwz+oNlOKo5q+dDlgFbmUxBJJbn+bJ
 -----END PRIVATE KEY-----
 
+# EC public key for above
+
+PublicKey=P-256-PUBLIC
+
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUPQpznDyFsJSz14GLOH2Oc1dFl
+x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ==
+-----END PUBLIC KEY-----
+
+# DSA key
+PrivateKey=DSA-1024
+
+-----BEGIN PRIVATE KEY-----
+MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAO0SwRpkAeM21qSM5ch4CLEHpFk4
+19R5ve1UUr421y3HEUURsrVpxYKvyx8aOBQC/akz95cYxNN3y1JnJJMxPklhdJrJ
+f/WDYPxjMk8BqNJmeZtLuCVLKGwQomuo7ZkG955WRyLHYEdQ6uC7K2QTPKpW6psF
+YFaDYjAjSEKk2MFxAhUAykDkKLZdhPWzwM8/qYaE31VmWz0CgYEApNVF8oFK41ez
+Qci9XbSZJHyPB+3jML1YQkHxiiInaIz6GEFtjUbIUEYA/ovY+6ECNI1aIDHTd7CH
+woS0mp33oQYs43nt29B6UwbtMmbzCOQ9vGGwWVho+JtHyyPWrDuLmkvLtoQPaxYt
+6PVa3gncr2v3njcVuH+EQ6DuFR93zksEFgIUbyv6pqH+UQurernJn/7sUm2U2i0=
+-----END PRIVATE KEY-----
+
+PublicKey=DSA-1024-PUBLIC
+
+-----BEGIN PUBLIC KEY-----
+MIIBtzCCASwGByqGSM44BAEwggEfAoGBAO0SwRpkAeM21qSM5ch4CLEHpFk419R5
+ve1UUr421y3HEUURsrVpxYKvyx8aOBQC/akz95cYxNN3y1JnJJMxPklhdJrJf/WD
+YPxjMk8BqNJmeZtLuCVLKGwQomuo7ZkG955WRyLHYEdQ6uC7K2QTPKpW6psFYFaD
+YjAjSEKk2MFxAhUAykDkKLZdhPWzwM8/qYaE31VmWz0CgYEApNVF8oFK41ezQci9
+XbSZJHyPB+3jML1YQkHxiiInaIz6GEFtjUbIUEYA/ovY+6ECNI1aIDHTd7CHwoS0
+mp33oQYs43nt29B6UwbtMmbzCOQ9vGGwWVho+JtHyyPWrDuLmkvLtoQPaxYt6PVa
+3gncr2v3njcVuH+EQ6DuFR93zksDgYQAAoGAVXFwJ5wTuF0rQ6AWfTitm3/zUeRW
+SeKFo+Rg0GrBI+Wg2Tj+Yn6V8Xs+Xyjim1wsd2P6/BlJzCEr4nHjP9JcBICqM3vI
+9zCaT/vYsLD7/T7rF9AF/jV+LnkGJCzLbDYF04IkhtLNHOQob+Uc8PWB78e/1Lc4
+SzJw2oHciIOt+UU=
+-----END PUBLIC KEY-----
+
 # RSA tests
 
 Sign = RSA-2048
@@ -2266,6 +2317,13 @@ Input = "0123456789ABCDEF1234"
 Output = 49525db4d44c755e560cba980b1d85ea604b0e077fcadd4ba44072a3487bbddb835016200a7d8739cce2dc3223d9c20cbdd25059ab02277f1f21318efd18e21038ec89aa9d40680987129e8b41ba33bceb86518bdf47268b921cce2037acabca6575d832499538d6f40cdba0d40bd7f4d8ea6ca6e2eec87f294efc971407857f5d7db09f6a7b31e301f571c6d82a5e3d08d2bb3a36e673d28b910f5bec57f0fcc4d968fd7c94d0b9226dec17f5192ad8b42bcab6f26e1bea1fdc3b958199acb00f14ebcb2a352f3afcedd4c09000128a603bbeb9696dea13040445253972d46237a25c7845e3b464e6984c2348ea1f1210a9ff0b00d2d72b50db00c009bb39f9
 Result = VERIFY_ERROR
 
+# Verify using public key
+
+Verify = RSA-2048-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+
 # EC tests
 
 Verify = P-256
@@ -2315,6 +2373,63 @@ Input = "0123456789ABCDEF1234"
 Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
 Result = VERIFY_ERROR
 
+Verify = P-256-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+
+# DSA tests
+Verify = DSA-1024
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+
+Verify = DSA-1024-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+
+# Modified signature
+Verify = DSA-1024-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d88
+Result = VERIFY_ERROR
+
+# Digest too short
+Verify = DSA-1024-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF123"
+Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+Result = VERIFY_ERROR
+
+# Digest too long
+Verify = DSA-1024-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF12345"
+Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+Result = VERIFY_ERROR
+
+# Garbage after signature
+Verify = DSA-1024-PUBLIC
+Input = "0123456789ABCDEF1234"
+Output = 302d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d8700
+Result = VERIFY_ERROR
+
+# Invalid tag
+Verify = DSA-1024-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = 312d021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d87
+Result = VERIFY_ERROR
+
+# BER signature
+Verify = DSA-1024-PUBLIC
+Ctrl = digest:SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3080021500942b8c5850e05b59e24495116b1e8559e51b610e0214237aedf272d91f2397f63c9fc8790e1a6cde5d870000
+Result = VERIFY_ERROR
+
 # scrypt tests from draft-josefsson-scrypt-kdf-03
 PBE = scrypt
 Password = ""

From rsalz at openssl.org  Mon Aug 24 18:26:25 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 24 Aug 2015 18:26:25 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440440785.868255.27174.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ba856386f2f4d10a063f66396946e9ab9ffedb78 (commit)
      from  7267b2d4e5ffbaf8e708d37f7c7667363a688604 (commit)


- Log -----------------------------------------------------------------
commit ba856386f2f4d10a063f66396946e9ab9ffedb78
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 24 14:26:21 2015 -0400

    fix a few broken links

-----------------------------------------------------------------------

Summary of changes:
 docs/fipsvalidation.html |  4 ++--
 inc/banner.inc           | 12 ++++++------
 inc/head.inc             |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/docs/fipsvalidation.html b/docs/fipsvalidation.html
index 32155da..cf373a8 100644
--- a/docs/fipsvalidation.html
+++ b/docs/fipsvalidation.html
@@ -15,13 +15,13 @@
 	    FIPS 140-2 certificate <a
 	    href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747">#1747</a>.
 	    This Module is documented in the
-	    <a href="UserGuide-2.0.pdf">2.0 User Guide</a>. It substantially
+	    <a href="fips/UserGuide-2.0.pdf">2.0 User Guide</a>. It substantially
 	      updates and improves the earlier v1.2 module, FIPS 140-2
 	      certificate
 	    <a
 	      href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051">#1051</a>,
 	    which is documented in the
-	    <a href="UserGuide-1.2.pdf">1.2 User Guide</a>.</p>
+	    <a href="fips/UserGuide-1.2.pdf">1.2 User Guide</a>.</p>
 
 	    <p><strong>Important Note:</strong>
 	    Due to new requirements introduced in 2013 the current v2.0 Module
diff --git a/inc/banner.inc b/inc/banner.inc
index e9ce3a0..95587ab 100644
--- a/inc/banner.inc
+++ b/inc/banner.inc
@@ -22,12 +22,12 @@
 
   <ul class="main-navigation">
     <li><a href="/" title="Home page">Home</a></li>
-    <li><a href="/source" title="Source code">Downloads</a></li>
-    <li><a href="/docs" title="FAQ, FIPS, manpages, ...">Docs</a></li>
-    <li><a href="/news" title="Latest information">News</a></li>
-    <li><a href="/policies" title="How we operate">Policies</a></li>
-    <li><a href="/community" title="Blog, bugs, email, ...">Community</a></li>
-    <li><a href="/support" title="Commercial support and contracting">Support</a></li>
+    <li><a href="/source/" title="Source code">Downloads</a></li>
+    <li><a href="/docs/" title="FAQ, FIPS, manpages, ...">Docs</a></li>
+    <li><a href="/news/" title="Latest information">News</a></li>
+    <li><a href="/policies/" title="How we operate">Policies</a></li>
+    <li><a href="/community/" title="Blog, bugs, email, ...">Community</a></li>
+    <li><a href="/support/" title="Commercial support and contracting">Support</a></li>
   </ul>
   </nav>
 <!-- end -->
diff --git a/inc/head.inc b/inc/head.inc
index e13a700..009e58a 100644
--- a/inc/head.inc
+++ b/inc/head.inc
@@ -8,7 +8,7 @@
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
 
   <link rel="canonical" href="https://www.openssl.org/">
-  <link href="favicon.png" rel="icon">
+  <link href="/favicon.ico" rel="icon">
   <link href="/inc/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
 
   <script src="/inc/modernizr-2.0.js"></script>

From rsalz at openssl.org  Mon Aug 24 19:54:40 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 24 Aug 2015 19:54:40 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440446080.984955.3473.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a847130696532ae0a2d3884daefdd8ac6cecdfdc (commit)
      from  80eab79de0377b42bc02e01e5d8bafaa4eb4c1a2 (commit)


- Log -----------------------------------------------------------------
commit a847130696532ae0a2d3884daefdd8ac6cecdfdc
Author: janpopan <janpopan at gmx.net>
Date:   Mon Aug 24 15:21:27 2015 -0400

    RT4015: Add missing date to CHANGES
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index cd75e0b..bcfae0a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -448,7 +448,7 @@
      whose return value is often ignored. 
      [Steve Henson]
 
- Changes between 1.0.2c and 1.0.2d [xx XXX xxxx]
+ Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
 
   *) Alternate chains certificate forgery
 

From rsalz at openssl.org  Mon Aug 24 19:58:33 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 24 Aug 2015 19:58:33 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440446313.862645.4572.nullmailer@dev.openssl.org>

The branch master has been updated
       via  e0d26bb36d4b903149c418eacf2e8f47fab38f67 (commit)
      from  a847130696532ae0a2d3884daefdd8ac6cecdfdc (commit)


- Log -----------------------------------------------------------------
commit e0d26bb36d4b903149c418eacf2e8f47fab38f67
Author: Peter Mosmans <petermosmans at github.com>
Date:   Mon Aug 24 15:13:48 2015 -0400

    GH337: Need backslash before leading #
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 1ac7f75..44340bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@
 # editor artefacts
 *.swp
 .#*
-#*#
+\#*#
 *~
 
 # Top level excludes

From rsalz at openssl.org  Mon Aug 24 22:22:07 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 24 Aug 2015 22:22:07 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440454927.392003.16466.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2c4969708cef879fdfae1bd6f5c26d195a727edb (commit)
      from  e0d26bb36d4b903149c418eacf2e8f47fab38f67 (commit)


- Log -----------------------------------------------------------------
commit 2c4969708cef879fdfae1bd6f5c26d195a727edb
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 24 17:54:54 2015 -0400

    Small cleanup of crypto.pod
    
    Came up on the mailing list, from Ken Goldman.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/crypto.pod | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/crypto/crypto.pod b/doc/crypto/crypto.pod
index b8f4fb8..45887a6 100644
--- a/doc/crypto/crypto.pod
+++ b/doc/crypto/crypto.pod
@@ -32,7 +32,7 @@ L<idea(3)>, L<rc2(3)>, L<rc4(3)>, L<rc5(3)>
 
 =item PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT
 
-L<dsa(3)>, L<dh(3)>, L<rsa(3)>
+L<dsa(3)>, L<dh(3)>, L<ec(3)>, L<rsa(3)>
 
 =item CERTIFICATES
 
@@ -54,9 +54,9 @@ L<OPENSSL_VERSION_NUMBER(3)>
 L<asn1(3)>, L<bio(3)>, L<evp(3)>, L<pem(3)>,
 L<pkcs7(3)>, L<pkcs12(3)> 
 
-=item INTERNAL FUNCTIONS
+=item UTILITY FUNCTIONS
 
-L<bn(3)>, L<buffer(3)>, L<ec(3)>, L<lhash(3)>,
+L<bn(3)>, L<buffer(3)>, L<lhash(3)>,
 L<objects(3)>, L<stack(3)>,
 L<txt_db(3)> 
 

From rsalz at openssl.org  Tue Aug 25 16:12:53 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:12:53 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440519173.175568.11359.nullmailer@dev.openssl.org>

The branch master has been updated
       via  32c5e0ba0f9097e9c788ed8402fcbf6646cd2c2d (commit)
      from  2c4969708cef879fdfae1bd6f5c26d195a727edb (commit)


- Log -----------------------------------------------------------------
commit 32c5e0ba0f9097e9c788ed8402fcbf6646cd2c2d
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 24 15:25:14 2015 -0400

    GH372: Remove duplicate flags
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/genrsa.pod | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index c27f773..c817db5 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -10,12 +10,6 @@ B<openssl> B<genrsa>
 [B<-out filename>]
 [B<-passout arg>]
 [B<-aes128>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
 [B<-aes192>]
 [B<-aes256>]
 [B<-camellia128>]

From rsalz at openssl.org  Tue Aug 25 16:13:07 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:13:07 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440519187.989338.12247.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  d72c446213f38da24c00bef504de29c0365ff556 (commit)
      from  b012b497eaac76da42ef6741d50c3c17ec8ed732 (commit)


- Log -----------------------------------------------------------------
commit d72c446213f38da24c00bef504de29c0365ff556
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 24 15:25:14 2015 -0400

    GH372: Remove duplicate flags
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit 32c5e0ba0f9097e9c788ed8402fcbf6646cd2c2d)

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/genrsa.pod | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index cb03d09..3dc9870 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -10,12 +10,6 @@ B<openssl> B<genrsa>
 [B<-out filename>]
 [B<-passout arg>]
 [B<-aes128>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
 [B<-aes192>]
 [B<-aes256>]
 [B<-camellia128>]

From rsalz at openssl.org  Tue Aug 25 16:13:17 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:13:17 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1440519197.112394.12485.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  bedcd9385f05a88397b01651fa08158b8cef2d91 (commit)
      from  2507c8cfb3664cfd9bf94e597e83afb4646451de (commit)


- Log -----------------------------------------------------------------
commit bedcd9385f05a88397b01651fa08158b8cef2d91
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 24 15:25:14 2015 -0400

    GH372: Remove duplicate flags
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit 32c5e0ba0f9097e9c788ed8402fcbf6646cd2c2d)

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/genrsa.pod | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/doc/apps/genrsa.pod b/doc/apps/genrsa.pod
index cb03d09..3dc9870 100644
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -10,12 +10,6 @@ B<openssl> B<genrsa>
 [B<-out filename>]
 [B<-passout arg>]
 [B<-aes128>]
-[B<-aes128>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
 [B<-aes192>]
 [B<-aes256>]
 [B<-camellia128>]

From rsalz at openssl.org  Tue Aug 25 16:15:23 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:15:23 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1440519323.145948.12876.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  86de216da3ebea7f876a096e258cf4c9d219bc0a (commit)
      from  bedcd9385f05a88397b01651fa08158b8cef2d91 (commit)


- Log -----------------------------------------------------------------
commit 86de216da3ebea7f876a096e258cf4c9d219bc0a
Author: Markus Rinne <markus.ka.rinne at gmail.com>
Date:   Mon Aug 24 16:20:13 2015 -0400

    RT4019: Duplicate -hmac flag in dgst.pod
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/dgst.pod | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 9e15798..b27bb94 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -13,7 +13,6 @@ B<openssl> B<dgst>
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
-[B<-hmac arg>]
 [B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
@@ -64,10 +63,6 @@ output the digest or signature in binary form.
 
 output the digest in the "coreutils" format used by programs like B<sha1sum>.
 
-=item B<-hmac arg>
-
-set the HMAC key to "arg".
-
 =item B<-non-fips-allow>
 
 Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in

From rsalz at openssl.org  Tue Aug 25 16:15:41 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:15:41 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440519341.763522.13152.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  8e0b56b99647872cde4c4770852e1be04a8d243b (commit)
      from  d72c446213f38da24c00bef504de29c0365ff556 (commit)


- Log -----------------------------------------------------------------
commit 8e0b56b99647872cde4c4770852e1be04a8d243b
Author: Markus Rinne <markus.ka.rinne at gmail.com>
Date:   Mon Aug 24 16:20:13 2015 -0400

    RT4019: Duplicate -hmac flag in dgst.pod
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit 86de216da3ebea7f876a096e258cf4c9d219bc0a)

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/dgst.pod | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 9e15798..b27bb94 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -13,7 +13,6 @@ B<openssl> B<dgst>
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
-[B<-hmac arg>]
 [B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
@@ -64,10 +63,6 @@ output the digest or signature in binary form.
 
 output the digest in the "coreutils" format used by programs like B<sha1sum>.
 
-=item B<-hmac arg>
-
-set the HMAC key to "arg".
-
 =item B<-non-fips-allow>
 
 Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in

From rsalz at openssl.org  Tue Aug 25 16:16:03 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:16:03 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440519363.145993.13429.nullmailer@dev.openssl.org>

The branch master has been updated
       via  fe50cd7ad4051086d98e792c35810074f449182e (commit)
      from  32c5e0ba0f9097e9c788ed8402fcbf6646cd2c2d (commit)


- Log -----------------------------------------------------------------
commit fe50cd7ad4051086d98e792c35810074f449182e
Author: Markus Rinne <markus.ka.rinne at gmail.com>
Date:   Mon Aug 24 16:20:13 2015 -0400

    RT4019: Duplicate -hmac flag in dgst.pod
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/dgst.pod | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 8c416f2..96d3cc0 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -13,7 +13,6 @@ B<openssl> B<dgst>
 [B<-hex>]
 [B<-binary>]
 [B<-r>]
-[B<-hmac arg>]
 [B<-non-fips-allow>]
 [B<-out filename>]
 [B<-sign filename>]
@@ -64,10 +63,6 @@ output the digest or signature in binary form.
 
 output the digest in the "coreutils" format used by programs like B<sha1sum>.
 
-=item B<-hmac arg>
-
-set the HMAC key to "arg".
-
 =item B<-non-fips-allow>
 
 Allow use of non FIPS digest when in FIPS mode.  This has no effect when not in

From rsalz at openssl.org  Tue Aug 25 16:19:47 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 16:19:47 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440519587.620958.14710.nullmailer@dev.openssl.org>

The branch master has been updated
       via  d6dfa55038fdb948cb214adf634f379eeb859f5d (commit)
      from  fe50cd7ad4051086d98e792c35810074f449182e (commit)


- Log -----------------------------------------------------------------
commit d6dfa55038fdb948cb214adf634f379eeb859f5d
Author: Chris Watts <cwatts1 at us.ibm.com>
Date:   Mon Aug 24 15:56:31 2015 -0700

    Ignore generated *.S ARM assembly files
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 44340bf..ac1c4c6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,6 +41,7 @@
 
 # Auto generated assembly language source files
 *.s
+*.S
 !/crypto/bn/asm/pa-risc2.s
 !/crypto/bn/asm/pa-risc2W.s
 crypto/aes/asm/a_win32.asm

From rsalz at openssl.org  Tue Aug 25 21:41:52 2015
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 25 Aug 2015 21:41:52 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440538912.340021.26846.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f284b4b24546d19d351edd34e09f3f7c835675d8 (commit)
      from  ba856386f2f4d10a063f66396946e9ab9ffedb78 (commit)


- Log -----------------------------------------------------------------
commit f284b4b24546d19d351edd34e09f3f7c835675d8
Author: Phil Pearl <ppearl at zimbra.com>
Date:   Tue Aug 25 17:41:17 2015 -0400

    Fix links in manpages
    
    Modify the script to subclass Pod::XHTML to add the path-searching.
    THANKS!
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>

-----------------------------------------------------------------------

Summary of changes:
 bin/mk-manpages | 417 ++++++++++++++++++++++++++++++++++++++------------------
 1 file changed, 281 insertions(+), 136 deletions(-)

diff --git a/bin/mk-manpages b/bin/mk-manpages
index eb6f65a..fa1d26f 100755
--- a/bin/mk-manpages
+++ b/bin/mk-manpages
@@ -1,39 +1,229 @@
-#! /usr/bin/perl -w
+#! /usr/bin/perl
+
+{
+    package Local::PSX;
+    use Pod::Simple::XHTML;
+    use parent qw(Pod::Simple::XHTML);
+
+    sub resolve_man_page_link {
+        my ( $self, $to, $section ) = @_;
+        return undef unless defined $to;
+        my ( $page, $part ) = $to =~ /^([^(]+)(?:[(](\d+)[)])?$/;
+        return undef unless $page;
+
+        return ( $self->man_url_prefix || '' )
+          . $self->encode_entities($page) . ( $self->man_url_postfix || '' );
+    }
+}
+
+package Local::MkManPages;
 
 use strict;
-use Pod::Html;
-use Pod::Simple::XHTML;
+use warnings;
+use File::Basename qw(basename);
+use File::Spec ();
+use Getopt::Long qw(GetOptionsFromArray);
+use Pod::Usage qw(pod2usage);
+
+__PACKAGE__->run(@ARGV);
+
+sub Releases { return (qw(master 1.0.2 1.0.1 1.0.0 0.9.8)); }
+sub Sections { return (qw(apps crypto ssl)); }
+
+sub getRelease {
+    my ( $class, $ver ) = @_;
+    my %known = map { $_ => 1 } $class->Releases;
+    return @_ != 2 ? %known : defined $known{$ver} ? $ver : undef;
+}
+
+sub run {
+    my ( $class, @argv ) = @_;
+    my $opt = $class->process_options(@argv);
+    $class->cleanup( $opt->{WwwDir}, $opt->{RelVer} );
+    exit $class->main( $opt->{SrcDir}, $opt->{WwwDir}, $opt->{RelVer} );
+}
+
+sub main {
+    my ( $class, $srcdir, $wwwdir, $release ) = @_;
 
-my @releases = ( 'master', '1.0.2', '1.0.1', '1.0.0', '0.9.8');
-my %relmap = map { $_ => 1 } @releases;
-my @sections = ( 'apps', 'crypto', 'ssl' );
+    foreach my $sect ( $class->Sections ) {
+        my $dir = File::Spec->catfile( $srcdir, "doc", $sect );
+        opendir( my $dh, $dir ) or $class->die("opendir '$dir': $!");
+        while ( my $ent = readdir($dh) ) {
+            next if $ent =~ /^\./;
+            next if $ent !~ /\.pod$/;
+
+            my $filename = File::Spec->catfile( $dir, $ent );
+            my $basename = basename( $ent, ".pod" );
+            my $title = $basename;
+            my $out =
+              $class->genhtml( $release, $sect, $filename, $title, $basename );
+            my $outfile = File::Spec->catfile( $wwwdir, "man$release", $sect,
+                "$basename.html" );
+            open( my $fh, ">", $outfile )
+              or $class->die("Can't open $outfile: $!");
+            print $fh $out or $class->die("Can't print $outfile: $!");
+            close($fh) or $class->die("Can't close $outfile: $!");
+            my @altnames = $class->getnames( $filename, $basename );
+
+            foreach my $alt (@altnames) {
+                my $target = File::Spec->catfile( $wwwdir, "man$release", $sect,
+                    "$alt.html" );
+	        if ( ! -f $target ) {
+		    link( $outfile, $target )
+		      or $class->die("Can't link $outfile to $target: $!");
+	      }
+            }
+        }
+    }
+}
+
+# Generate a manpage
+sub genhtml {
+    my ( $class, $release, $section, $filename, $title, $file ) = @_;
+    my $header = $class->htmlHeader($title);
+    my $footer = $class->htmlFooter( $release, $section, $file );
+
+    open( my $fh, $filename ) || $class->die("Can't open $filename: $!");
+    my $infile = do { local $/; <$fh>; };
+
+    # L<asdf...|qwer...> ==> L<qwer>
+    $infile =~ s/L<[^|>]*\|([^>]+)>/L<$1>/g;
+
+    # L<asdf(x)> --> L<asdf>
+    $infile =~ s/L<([^>]+)\(\d\)>/L<$1>/g;
+
+    my $out;
+    my $pod = Local::PSX->new;
+    $pod->html_h_level(3);
+    $pod->perldoc_url_prefix(
+        "https://www.openssl.org/docs/man$release/$section/");
+    $pod->perldoc_url_postfix(".html");
+    $pod->man_url_prefix("https://www.openssl.org/docs/man$release/$section/");
+    $pod->man_url_postfix(".html");
+    $pod->html_header($header);
+    $pod->html_footer($footer);
+    $pod->output_string( \$out );
+    $pod->parse_string_document($infile);
+    return $out;
+}
+
+# Return all the OTHER names in a manpage
+sub getnames {
+    my ( $class, $infile, $basename ) = @_;
+    my @words = ();
+    open( my $fh, "<", $infile ) or $class->die("Can't open $infile: $!");
+    {
+        local $/ = "";
+        my $found = 0;
+        while (<$fh>) {
+            chop;
+            s/\n/ /gm;
+            if (/^=head1 /) {
+                $found = 0;
+            }
+            elsif ($found) {
+                if (/ - /) {
+                    s/ - .*//;
+                    s/,\s+/,/g;
+                    s/\s+,/,/g;
+                    s/^\s+//g;
+                    s/\s+$//g;
+                    s/\s/_/g;
+                    push @words, split ',';
+                }
+            }
+            if (/^=head1\s*NAME\s*$/) {
+                $found = 1;
+            }
+        }
+    }
+    return grep { $_ ne $basename } @words;
+}
+
+sub die {
+    my $class = shift;
+    $class->error(@_);
+    exit(2);
+}
+
+sub error {
+    my $class = shift;
+    my $prog  = basename($0);
+    warn("$prog: $_\n") for @_;
+}
 
 # Remove all files from a manpage subtree, and leave only
 # the index and the section subdirs.
-sub
-cleanup()
-{
-    my ( $wwwdir, $release ) = @_;
-    my $dir = "$wwwdir/man$release";
-    die "No $dir/index.html" unless -f "$dir/index.html";
-    foreach my $sect ( @sections ) {
-	mkdir "$dir/$sect" unless -d "$dir/$sect";
-	my $idx1 = "$dir/$sect/index.html";
-	my $idx2 = "$dir/$sect/index.inc";
-	foreach my $f ( glob("$dir/$sect/*") ) {
-	    unlink $f || warn "Can't unlink $f, $!"
-		unless $f eq $idx1 || $f eq $idx2;
-	}
+sub cleanup {
+    my ( $class, $wwwdir, $release ) = @_;
+    my $dir = File::Spec->catfile( $wwwdir, "man$release" );
+    my $idx = File::Spec->catfile( $dir,    "index.html" );
+
+    if ( !-d $dir ) {
+        mkdir($dir) or $class->die("mkdir '$dir': $!");
+    }
+
+    # TBD: was $class->die
+    $class->error("No $idx") unless ( -f $idx );
+    foreach my $sect ( $class->Sections ) {
+        my $sdir = File::Spec->catfile( $dir, $sect );
+        if ( !-d $sdir ) {
+            mkdir($sdir) or $class->die("mkdir '$sdir': $!");
+            next;
+        }
+
+        opendir( my $dh, $sdir ) or $class->die("opendir '$sdir': $!");
+        while ( my $ent = readdir($dh) ) {
+            next if $ent =~ /^\./;
+            next if $ent =~ /^index.(?:html|inc)$/;
+            my $f = File::Spec->catfile( $sdir, $ent );
+            unlink($f) or $class->error("Can't unlink '$f': $!");
+        }
     }
 }
 
+sub process_options {
+    my ( $class, @argv ) = @_;
+    my %opt;
 
-## Generate a manpage.
-sub
-genhtml()
-{
-    my ( $release, $section, $filename, $title, $file ) = @_;
-    my $header = <<EOFH;
+    GetOptionsFromArray( \@argv, \%opt, "help", "man" )
+      or pod2usage( -verbose => 0 );
+
+    pod2usage( -verbose => 1 ) if ( $opt{help} or @argv != 3 );
+    pod2usage( -verbose => 2 ) if ( $opt{man} );
+
+    # <src/dir> <rel.ver> <www/dir>
+    my @argkeys = qw(SrcDir RelVer WwwDir);
+    @opt{@argkeys} = @argv;
+
+    # no empty values, directories must exist
+    my @err;
+    foreach my $key (@argkeys) {
+        push( @err, "Invalid $key argument '$opt{$key}'" )
+          if ( $opt{$key} =~ /^\s*$/ );
+        push( @err, "Directory '$opt{$key}': $!" )
+          if ( $key =~ /Dir$/ and !-d $opt{$key} );
+    }
+    $class->die(@err) if @err;
+
+    # each source dir has a set of subdirs with documentation
+    foreach my $sect ( $class->Sections ) {
+        my $dir = File::Spec->catfile( $opt{SrcDir}, "doc", $sect );
+        push( @err, "No directory '$dir'" ) unless ( -d $dir );
+    }
+
+    # verify release
+    push( @err, "Unknown release '$opt{RelVer}'" )
+      unless ( $class->getRelease( $opt{RelVer} ) );
+    $class->die(@err) if @err;
+
+    return \%opt;
+}
+
+sub htmlHeader {
+    my ( $class, $title ) = @_;
+    return <<EOFH;
 <!DOCTYPE html>
 <html lang="en">
 <!--#include virtual="/inc/head.inc" -->
@@ -42,44 +232,54 @@ genhtml()
   <div id="main">
     <div id="content">
       <div class="blog-index">
-	<article>
-	  <header><h2>$title</h2></header>
-	  <div class="entry-content">
-	    <p>
+        <article>
+          <header><h2>$title</h2></header>
+          <div class="entry-content">
+            <p>
 
 EOFH
-    my $sidebar = <<EOS;
+}
+
+# note: links could be bogus if file DNE in one of the other releases
+sub htmlSidebar {
+    my ( $class, $release, $section, $file ) = @_;
+
+    my $lirel = "";
+    foreach my $v ( grep { $release ne $_ } $class->Releases ) {
+        $lirel .=
+"\n<li><a href=\"/docs/man$v/$section/$file.html\">$v version</a></li>";
+    }
+
+    return <<EOS;
 <aside class="sidebar">
   <section>
     <h1><a href="/docs/manpages.html">$release manpages</a></h1>
     <ul>
       <li><a href="../apps/openssl.html">The openssl command</a></li>
       <li><a href="../ssl/ssl.html">The ssl library</a></li>
-      <li><a href="../crypto/crypto.html">The crypto library</a></li>
-EOS
-    foreach my $v ( @releases ) {
-        $sidebar .=
-"<li><a href=\"/docs/man$v/$section/$file.html\">$v version</a></li>\n"
-            if $release ne $v;
-    }
-    $sidebar .= <<EOS;
+      <li><a href="../crypto/crypto.html">The crypto library</a></li>$lirel
     </ul>
   </section>
 </aside>
 EOS
-    my $footer = <<EOFT;
-	    </p>
-	  </div>
-	  <footer>
-	    You are here: <a href="/">Home</a>
+}
+
+sub htmlFooter {
+    my ( $class, $release, $section, $file ) = @_;
+    my $sidebar = $class->htmlSidebar( $release, $section, $file );
+    return <<EOFT;
+            </p>
+          </div>
+          <footer>
+            You are here: <a href="/">Home</a>
             : <a href="/docs">Docs</a>
             : <a href="/docs/manpages.html">Manpages</a>
             : <a href="/docs/man$release">$release</a>
-	    : <a href="/docs/man$release/$section">$section</a>
-	    : <a href="/docs/man$release/$section/$file.html">$file</a>
+            : <a href="/docs/man$release/$section">$section</a>
+            : <a href="/docs/man$release/$section/$file.html">$file</a>
             <br/><a href="/sitemap.txt">Sitemap</a>
           </footer>
-	</article>
+        </article>
       </div>
       $sidebar
     </div>
@@ -88,97 +288,42 @@ EOS
 </body>
 </html>
 EOFT
+}
 
-    open(my $fh, $filename) || die "Can't open $filename, $!";
-    my $infile = do { local $/; <$fh>; };
-    # L<asdf...|qwer...> ==> L<qwer>
-    $infile =~ s/L<[^|>]*\|([^>]+)>/L<$1>/g;
-    # L<asdf(x)> --> L<asdf>
-    $infile =~ s/L<([^>]+)\(\d\)>/L<$1>/g;
+__END__
 
-    my $out;
-    my $pod = Pod::Simple::XHTML->new;
-    $pod->html_h_level(3);
-# $pod->index(1);
-    $pod->perldoc_url_prefix("https://www.openssl.org/docs/man$release/$section/");
-    $pod->perldoc_url_postfix(".html");
-    $pod->man_url_prefix("https://www.openssl.org/docs/man$release/$section/");
-    $pod->man_url_postfix(".html");
-    $pod->html_header($header);
-    $pod->html_footer($footer);
-# $pod->force_title("TILETITLETITLE");
-# $pod->backlink(1);
-    $pod->output_string(\$out);
-    $pod->parse_string_document($infile);
-    return $out;
-}
+=pod
 
-# Return all the OTHER names in a manpage.
-sub
-getnames()
-{
-    my ( $infile, $basename ) = @_;
-    my @words = ();
-    open(my $fh, "<", $infile) || die "Can't open $infile, $!";
-    {
-	local $/ = "";
-	my $found = 0;
-	while ( <$fh> ) {
-	    chop;
-	    s/\n/ /gm;
-	    if (/^=head1 /) {
-		$found = 0;
-	    } elsif ( $found ) {
-		if (/ - /) {
-		    s/ - .*//;
-		    s/,\s+/,/g;
-		    s/\s+,/,/g;
-		    s/^\s+//g;
-		    s/\s+$//g;
-		    s/\s/_/g;
-		    push @words, split ',';
-		}
-	    }
-	    if (/^=head1\s*NAME\s*$/) {
-		$found = 1;
-	    }
-	}
-    }
-    return grep { $_ ne $basename } @words;
-}
+=head1 NAME
 
-die "Mssing args\n" if $#ARGV < 2;
+mk-manpages - htmlize man pages from POD for the OpenSSL website
 
-# Verify source dir.
-my $SRCDIR = shift || die "Source dir missing";
-die "No source directory $SRCDIR" unless -d $SRCDIR;
-foreach my $sect ( @sections ) {
-    my $dir = "$SRCDIR/doc/$sect";
-    die "No directory $dir" unless -d $dir;
-}
-# Verify release.
-my $RELEASE = shift || die "RELEASE missing";
-die "Unknown release $RELEASE" unless defined $relmap{$RELEASE};
-# Cleanup and verify the destination.
-my $WWWDIR = shift || die "Destination missing";
-die "No destination directory $WWWDIR" unless -d $WWWDIR;
-&cleanup($WWWDIR, $RELEASE);
-
-foreach my $sect ( @sections  ) {
-    foreach my $filename ( glob("$SRCDIR/doc/$sect/*.pod") ) {
-	my $basename = $filename;
-	$basename =~ s at .*/@@;
-	$basename =~ s at .pod@@;
-	my $title = $basename;
-	my $out = &genhtml($RELEASE, $sect, $filename, $title, $basename);
-	my $outfile = "$WWWDIR/man$RELEASE/$sect/$basename.html";
-	open(my $fh, ">", $outfile) || die "Can't open $outfile, $!";
-	print $fh $out || die "Can't print $outfile, $!";
-	close($fh) || die "Can't close $outfile, $!";
-	my @altnames = &getnames($filename, $basename);
-	foreach my $alt ( @altnames ) {
-	    my $target = "$WWWDIR/man$RELEASE/$sect/$alt.html";
-	    link $outfile, $target || die "Can't link $outfile,$target, $!";
-	}
-    }
-}
+=head1 SYNOPSIS
+
+mk-manpages [options] <SrcDir> <RelVer> <WwwDir>
+
+  <SrcDir>   top level directory of release <RelVer>, example 'OpenSSL_1_0_2-stable'
+  <RelVer>   version number associated with <SrcDir>, example '1.0.2'
+  <WwwDir>   top level directory beneath which generated html is stored, example 'web'
+
+    --help    display a brief help message
+    --man     display full documentation
+
+=head1 DESCRIPTION
+
+This utility is run on a web server generate the htmlized version of
+OpenSSL documentation from the original POD.  The resultant directory
+structure may look something like the following (where the contents of
+index.html do not come from this tool):
+
+ $ ls some/path/to/web
+ man0.9.8    man1.0.0    man1.0.1    man1.0.2    manmaster
+ $ ls some/path/to/web/man1.0.2
+ apps        crypto      index.html  ssl
+ $ ls some/path/to/web/man1.0.2/apps
+ CA.pl.html
+ asn1parse.html
+ c_rehash.html
+ ...
+
+=cut

From matt at openssl.org  Wed Aug 26 09:31:43 2015
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2015 09:31:43 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440581503.989449.19480.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ee4ffd6fccd169775ba74afb1dbfecff48ee413d (commit)
      from  d6dfa55038fdb948cb214adf634f379eeb859f5d (commit)


- Log -----------------------------------------------------------------
commit ee4ffd6fccd169775ba74afb1dbfecff48ee413d
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 13 10:06:30 2015 +0100

    Fix DTLS session ticket renewal
    
    A DTLS client will abort a handshake if the server attempts to renew the
    session ticket. This is caused by a state machine discrepancy between DTLS
    and TLS discovered during the state machine rewrite work.
    
    The bug can be demonstrated as follows:
    
    Start a DTLS s_server instance:
    openssl s_server -dtls
    
    Start a client and obtain a session but no ticket:
    openssl s_client -dtls -sess_out session.pem -no_ticket
    
    Now start a client reusing the session, but allow a ticket:
    openssl s_client -dtls -sess_in session.pem
    
    The client will abort the handshake.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_clnt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index d411614..083333e 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -380,6 +380,10 @@ int dtls1_connect(SSL *s)
 #endif
 
                     s->state = SSL3_ST_CR_CHANGE_A;
+                    if (s->tlsext_ticket_expected) {
+                        /* receive renewed session ticket */
+                        s->state = SSL3_ST_CR_SESSION_TICKET_A;
+                    }
                 } else
                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
             }

From matt at openssl.org  Wed Aug 26 09:31:55 2015
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2015 09:31:55 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440581515.468116.20253.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  2f2295a5961f942d0e1f5676166513fa57a1903b (commit)
      from  8e0b56b99647872cde4c4770852e1be04a8d243b (commit)


- Log -----------------------------------------------------------------
commit 2f2295a5961f942d0e1f5676166513fa57a1903b
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 13 10:06:30 2015 +0100

    Fix DTLS session ticket renewal
    
    A DTLS client will abort a handshake if the server attempts to renew the
    session ticket. This is caused by a state machine discrepancy between DTLS
    and TLS discovered during the state machine rewrite work.
    
    The bug can be demonstrated as follows:
    
    Start a DTLS s_server instance:
    openssl s_server -dtls
    
    Start a client and obtain a session but no ticket:
    openssl s_client -dtls -sess_out session.pem -no_ticket
    
    Now start a client reusing the session, but allow a ticket:
    openssl s_client -dtls -sess_in session.pem
    
    The client will abort the handshake.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit ee4ffd6fccd169775ba74afb1dbfecff48ee413d)
    
    Conflicts:
    	ssl/d1_clnt.c

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_clnt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index c84df98..feeaf6d 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -382,6 +382,10 @@ int dtls1_connect(SSL *s)
 #endif
 
                     s->state = SSL3_ST_CR_FINISHED_A;
+                    if (s->tlsext_ticket_expected) {
+                        /* receive renewed session ticket */
+                        s->state = SSL3_ST_CR_SESSION_TICKET_A;
+                    }
                 } else
                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
             }

From matt at openssl.org  Wed Aug 26 09:32:09 2015
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2015 09:32:09 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1440581529.059498.20492.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  be8b8603d6789c1dcb058f167c8b54e3f4b928c9 (commit)
      from  86de216da3ebea7f876a096e258cf4c9d219bc0a (commit)


- Log -----------------------------------------------------------------
commit be8b8603d6789c1dcb058f167c8b54e3f4b928c9
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 13 10:06:30 2015 +0100

    Fix DTLS session ticket renewal
    
    A DTLS client will abort a handshake if the server attempts to renew the
    session ticket. This is caused by a state machine discrepancy between DTLS
    and TLS discovered during the state machine rewrite work.
    
    The bug can be demonstrated as follows:
    
    Start a DTLS s_server instance:
    openssl s_server -dtls
    
    Start a client and obtain a session but no ticket:
    openssl s_client -dtls -sess_out session.pem -no_ticket
    
    Now start a client reusing the session, but allow a ticket:
    openssl s_client -dtls -sess_in session.pem
    
    The client will abort the handshake.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit ee4ffd6fccd169775ba74afb1dbfecff48ee413d)
    
    Conflicts:
    	ssl/d1_clnt.c

-----------------------------------------------------------------------

Summary of changes:
 ssl/d1_clnt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index a9c4ed0..20ed02c 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -366,6 +366,10 @@ int dtls1_connect(SSL *s)
 #endif
 
                     s->state = SSL3_ST_CR_FINISHED_A;
+                    if (s->tlsext_ticket_expected) {
+                        /* receive renewed session ticket */
+                        s->state = SSL3_ST_CR_SESSION_TICKET_A;
+                    }
                 } else
                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
             }

From matt at openssl.org  Wed Aug 26 09:44:07 2015
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2015 09:44:07 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440582247.288520.24867.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ddcc5e5b60e2e14a7f65cc8faff0642cb68f4343 (commit)
       via  8af538e5c55f43f9ae996d3f2cae04222cda6762 (commit)
      from  ee4ffd6fccd169775ba74afb1dbfecff48ee413d (commit)


- Log -----------------------------------------------------------------
commit ddcc5e5b60e2e14a7f65cc8faff0642cb68f4343
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 13 15:17:14 2015 +0100

    Add NewSessionTicket test suite
    
    Add a set of tests for checking that NewSessionTicket messages are
    behaving as expected.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 8af538e5c55f43f9ae996d3f2cae04222cda6762
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Aug 13 16:58:20 2015 +0100

    Fix TLSProxy end of test detection
    
    Previously TLSProxy would detect a successful handshake once it saw the
    server Finished message. This causes problems with abbreviated handshakes,
    or if the client fails to process a message from the last server flight.
    
    This change additionally sends some application data and finishes when the
    client sends a CloseNotify.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/Makefile                |   8 +-
 test/sslsessionticktest.pl   | 173 +++++++++++++++++++++++++++++++++++++++++++
 util/TLSProxy/ClientHello.pm |   3 +-
 util/TLSProxy/Message.pm     |  31 +++++---
 util/TLSProxy/Proxy.pm       |  68 +++++++++++++++--
 5 files changed, 262 insertions(+), 21 deletions(-)
 create mode 100755 test/sslsessionticktest.pl

diff --git a/test/Makefile b/test/Makefile
index b59613c..782a34b 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -73,6 +73,7 @@ CLIENTHELLOTEST=	clienthellotest
 PACKETTEST=	packettest
 SSLVERTOLTEST=	sslvertoltest.pl
 SSLEXTENSIONTEST=	sslextensiontest.pl
+SSLSESSIONTICKTEST= 	sslsessionticktest.pl
 SSLSKEWITH0PTEST=	sslskewith0ptest.pl
 
 TESTS=		alltests
@@ -160,7 +161,7 @@ alltests: \
 	test_srp test_cms test_v3name test_ocsp \
 	test_gost2814789 test_heartbeat test_p5_crpt2 \
 	test_constant_time test_verify_extra test_clienthello test_packet \
-	test_sslvertol test_sslextension test_sslskewith0p
+	test_sslvertol test_sslextension test_sslsessionticket test_sslskewith0p
 
 test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
 	@echo $(START) $@
@@ -432,6 +433,11 @@ test_sslextension: ../apps/openssl$(EXE_EXT)
 	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
 	@[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared
 
+test_sslsessionticket: ../apps/openssl$(EXE_EXT)
+	@echo $(START) $@
+	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSESSIONTICKTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	@[ -n "$(SHARED_LIBS)" ] || echo test_sslsessionticket can only be performed with OpenSSL configured shared
+
 test_sslskewith0p: ../apps/openssl$(EXE_EXT)
 	@echo $(START) $@
 	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
diff --git a/test/sslsessionticktest.pl b/test/sslsessionticktest.pl
new file mode 100755
index 0000000..922a359
--- /dev/null
+++ b/test/sslsessionticktest.pl
@@ -0,0 +1,173 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core at openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay at cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh at cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+use File::Temp qw(tempfile);
+
+my $chellotickext = 0;
+my $shellotickext = 0;
+my $fullhand = 0;
+my $ticketseen = 0;
+
+my $proxy = TLSProxy::Proxy->new(
+    undef,
+    @ARGV
+);
+
+#Test 1: By default with no existing session we should get a session ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+#                 NewSessionTicket message seen; Full handshake
+$proxy->start();
+checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
+
+#Test 2: If the server does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+#                 NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->start();
+checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
+
+#Test 3: If the client does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension not seen; ServerHello extension not seen
+#                 NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->clientflags("-no_ticket");
+$proxy->start();
+checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
+
+#Test 4: Test session resumption with session ticket
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+#                 NewSessionTicket message not seen; Abbreviated handshake
+clearall();
+(my $fh, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start();
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
+
+#Test 5: Test session resumption with ticket capable client without a ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+#                 NewSessionTicket message seen; Abbreviated handshake
+clearall();
+(my $fh, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session." -no_ticket");
+$proxy->start();
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(5, "Session resumption with ticket capable client without a "
+                 ."ticket", 1, 1, 1, 0);
+
+sub checkmessages()
+{
+    my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
+                || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+            #Get the extensions data
+            my %extensions = %{$message->extension_data};
+            if (defined
+                    $extensions{TLSProxy::ClientHello::EXT_SESSION_TICKET}) {
+                if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+                    $chellotickext = 1;
+                } else {
+                    $shellotickext = 1;
+                }
+            }
+        } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
+            #Must be doing a full handshake
+            $fullhand = 1;
+        } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+            $ticketseen = 1;
+        }
+    }
+
+    TLSProxy::Message->success or die "FAILED: $testname: Hanshake failed "
+                                      ."(Test $testno)\n";
+    if (($testch && !$chellotickext) || (!$testch && $chellotickext)) {
+        die "FAILED: $testname: ClientHello extension Session Ticket check "
+            ."failed (Test $testno)\n";
+    }
+    if (($testsh && !$shellotickext) || (!$testsh && $shellotickext)) {
+        die "FAILED: $testname: ServerHello extension Session Ticket check "
+            ."failed (Test $testno)\n";
+    }
+    if (($testtickseen && !$ticketseen) || (!$testtickseen && $ticketseen)) {
+        die "FAILED: $testname: Session Ticket message presence check failed "
+            ."(Test $testno)\n";
+    }
+    if (($testhand && !$fullhand) || (!$testhand && $fullhand)) {
+        die "FAILED: $testname: Session Ticket full handshake check failed "
+            ."(Test $testno)\n";
+    }
+    print "SUCCESS: $testname (Test#$testno)\n";
+}
+
+sub clearall()
+{
+    $chellotickext = 0;
+    $shellotickext = 0;
+    $fullhand = 0;
+    $ticketseen = 0;
+    $proxy->clear();
+}
diff --git a/util/TLSProxy/ClientHello.pm b/util/TLSProxy/ClientHello.pm
index 54fb5bb..0b7dbbc 100644
--- a/util/TLSProxy/ClientHello.pm
+++ b/util/TLSProxy/ClientHello.pm
@@ -58,7 +58,8 @@ package TLSProxy::ClientHello;
 use parent 'TLSProxy::Message';
 
 use constant {
-    EXT_ENCRYPT_THEN_MAC => 22
+    EXT_ENCRYPT_THEN_MAC => 22,
+    EXT_SESSION_TICKET => 35
 };
 
 sub new
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 028322b..6376219 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -73,6 +73,18 @@ use constant {
     MT_CERTIFICATE_STATUS => 22,
     MT_NEXT_PROTO => 67
 };
+
+#Alert levels
+use constant {
+    AL_LEVEL_WARN => 1,
+    AL_LEVEL_FATAL => 2
+};
+
+#Alert descriptions
+use constant {
+    AL_DESC_CLOSE_NOTIFY => 0
+};
+
 my %message_type = (
     MT_HELLO_REQUEST, "HelloRequest",
     MT_CLIENT_HELLO, "ClientHello",
@@ -164,11 +176,6 @@ sub get_messages
                                               $startoffset);
                     push @messages, $message;
 
-                    #Check if we have finished the handshake
-                    if ($mt == MT_FINISHED && $server) {
-                        $success = 1;
-                        $end = 1;
-                    }
                     $payload = "";
                 } else {
                     #This is just part of the total message
@@ -210,11 +217,6 @@ sub get_messages
                                                   $startoffset);
                         push @messages, $message;
 
-                        #Check if we have finished the handshake
-                        if ($mt == MT_FINISHED && $server) {
-                            $success = 1;
-                            $end = 1;
-                        }
                         $payload = "";
                     } else {
                         #This is just part of the total message
@@ -230,8 +232,15 @@ sub get_messages
         print "  [ENCRYPTED APPLICATION DATA]\n";
         print "  [".$record->decrypt_data."]\n";
     } elsif ($record->content_type == TLSProxy::Record::RT_ALERT) {
-        #For now assume all alerts are fatal
+        my ($alertlev, $alertdesc) = unpack('CC', $record->decrypt_data);
+        #All alerts end the test
         $end = 1;
+        #A CloseNotify from the client indicates we have finished successfully
+        #(we assume)
+        if (!$server && $alertlev == AL_LEVEL_WARN
+            && $alertdesc == AL_DESC_CLOSE_NOTIFY) {
+            $success = 1;
+        }
     }
 
     return @messages;
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 571ab10..75094f1 100644
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -79,13 +79,16 @@ sub new
         server_addr => "localhost",
         server_port => 4443,
         filter => $filter,
+        serverflags => "",
+        clientflags => "",
+        serverconnects => 1,
 
         #Public read
         execute => $execute,
         cert => $cert,
         debug => $debug,
-        cipherc => "AES128-SHA",
-        ciphers => "",
+        cipherc => "",
+        ciphers => "AES128-SHA",
         flight => 0,
         record_list => [],
         message_list => [],
@@ -101,12 +104,15 @@ sub clear
 {
     my $self = shift;
 
-    $self->{cipherc} = "AES128-SHA";
-    $self->{ciphers} = "";
+    $self->{cipherc} = "";
+    $self->{ciphers} = "AES128-SHA";
     $self->{flight} = 0;
     $self->{record_list} = [];
     $self->{message_list} = [];
     $self->{message_rec_list} = [];
+    $self->{serverflags} = "";
+    $self->{clientflags} = "";
+    $self->{serverconnects} = 1;
 
     TLSProxy::Message->clear();
     TLSProxy::Record->clear();
@@ -120,6 +126,14 @@ sub restart
     $self->start;
 }
 
+sub clientrestart
+{
+    my $self = shift;
+
+    $self->clear;
+    $self->clientstart;
+}
+
 sub start
 {
     my ($self) = shift;
@@ -130,15 +144,24 @@ sub start
         open(STDOUT, ">", File::Spec->devnull())
             or die "Failed to redirect stdout";
         open(STDERR, ">&STDOUT");
-        my $execcmd = $self->execute." s_server -engine ossltest -accept "
+        my $execcmd = $self->execute." s_server -rev -engine ossltest -accept "
             .($self->server_port)
-            ." -cert ".$self->cert." -naccept 1";
+            ." -cert ".$self->cert." -naccept ".$self->serverconnects;
         if ($self->ciphers ne "") {
             $execcmd .= " -cipher ".$self->ciphers;
         }
+        if ($self->serverflags ne "") {
+            $execcmd .= " ".$self->serverflags;
+        }
         exec($execcmd);
     }
 
+    $self->clientstart;
+}
+
+sub clientstart
+{
+    my ($self) = shift;
     my $oldstdout;
 
     if(!$self->debug) {
@@ -167,12 +190,15 @@ sub start
             open(STDOUT, ">", File::Spec->devnull())
                 or die "Failed to redirect stdout";
             open(STDERR, ">&STDOUT");
-            my $execcmd = $self->execute
+            my $execcmd = "echo test | ".$self->execute
                  ." s_client -engine ossltest -connect "
                  .($self->proxy_addr).":".($self->proxy_port);
             if ($self->cipherc ne "") {
                 $execcmd .= " -cipher ".$self->cipherc;
             }
+            if ($self->clientflags ne "") {
+                $execcmd .= " ".$self->clientflags;
+            }
             exec($execcmd);
         }
     }
@@ -274,7 +300,9 @@ sub process_packet
     print "\n";
 
     #Finished parsing. Call user provided filter here
-    $self->filter->($self);
+    if(defined $self->filter) {
+        $self->filter->($self);
+    }
 
     #Reconstruct the packet
     $packet = "";
@@ -392,4 +420,28 @@ sub ciphers
     }
     return $self->{ciphers};
 }
+sub serverflags
+{
+    my $self = shift;
+    if (@_) {
+      $self->{serverflags} = shift;
+    }
+    return $self->{serverflags};
+}
+sub clientflags
+{
+    my $self = shift;
+    if (@_) {
+      $self->{clientflags} = shift;
+    }
+    return $self->{clientflags};
+}
+sub serverconnects
+{
+    my $self = shift;
+    if (@_) {
+      $self->{serverconnects} = shift;
+    }
+    return $self->{serverconnects};
+}
 1;

From rsalz at openssl.org  Wed Aug 26 11:01:04 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 11:01:04 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440586864.333796.3092.nullmailer@dev.openssl.org>

The branch master has been updated
       via  22dc08d00ae9517048b1ca44cd3810128eba0273 (commit)
      from  ddcc5e5b60e2e14a7f65cc8faff0642cb68f4343 (commit)


- Log -----------------------------------------------------------------
commit 22dc08d00ae9517048b1ca44cd3810128eba0273
Author: Rich Salz <rsalz at akamai.com>
Date:   Mon Aug 10 12:45:25 2015 -0400

    BN_bin2bn handle leading zero's
    
    If a binary sequence is all zero's, call BN_zero.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_lib.c             |  5 ++++-
 engines/ccgost/gost2001_keyx.c |  2 +-
 engines/ccgost/gost_ameth.c    |  6 +++---
 engines/ccgost/gost_asn1.c     | 16 ----------------
 engines/ccgost/gost_lcl.h      |  2 --
 5 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 4e133ce..c8e8519 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -552,7 +552,9 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
     if (ret == NULL)
         return (NULL);
     bn_check_top(ret);
-    l = 0;
+    /* Skip leading zero's. */
+    for ( ; *s == 0 && len > 0; s++, len--)
+        continue;
     n = len;
     if (n == 0) {
         ret->top = 0;
@@ -566,6 +568,7 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
     }
     ret->top = i;
     ret->neg = 0;
+    l = 0;
     while (n--) {
         l = (l << 8L) | *(s++);
         if (m-- == 0) {
diff --git a/engines/ccgost/gost2001_keyx.c b/engines/ccgost/gost2001_keyx.c
index abbacbb..1fd0174 100644
--- a/engines/ccgost/gost2001_keyx.c
+++ b/engines/ccgost/gost2001_keyx.c
@@ -35,7 +35,7 @@ static int VKO_compute_key(unsigned char *shared_key, size_t shared_key_size,
         ukm_be[7 - i] = ukm[i];
     }
     BN_CTX_start(ctx);
-    UKM = getbnfrombuf(ukm_be, 8);
+    UKM = BN_bin2bn(ukm_be, 8, NULL);
     p = BN_CTX_get(ctx);
     order = BN_CTX_get(ctx);
     X = BN_CTX_get(ctx);
diff --git a/engines/ccgost/gost_ameth.c b/engines/ccgost/gost_ameth.c
index 4f3bd90..5b1d045 100644
--- a/engines/ccgost/gost_ameth.c
+++ b/engines/ccgost/gost_ameth.c
@@ -276,7 +276,7 @@ static int priv_decode_gost(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf)
             rev_buf[31 - i] = s->data[i];
         }
         ASN1_STRING_free(s);
-        pk_num = getbnfrombuf(rev_buf, 32);
+        pk_num = BN_bin2bn(rev_buf, 32, NULL);
     } else {
         priv_key = d2i_ASN1_INTEGER(NULL, &p, priv_len);
         if (!priv_key)
@@ -490,8 +490,8 @@ static int pub_decode_gost01(EVP_PKEY *pk, X509_PUBKEY *pub)
     len = octet->length / 2;
     ASN1_OCTET_STRING_free(octet);
 
-    Y = getbnfrombuf(databuf, len);
-    X = getbnfrombuf(databuf + len, len);
+    Y = BN_bin2bn(databuf, len, NULL);
+    X = BN_bin2bn(databuf + len, len, NULL);
     OPENSSL_free(databuf);
     pub_key = EC_POINT_new(group);
     if (!EC_POINT_set_affine_coordinates_GFp(group, pub_key, X, Y, NULL)) {
diff --git a/engines/ccgost/gost_asn1.c b/engines/ccgost/gost_asn1.c
index 0412d2c..1168633 100644
--- a/engines/ccgost/gost_asn1.c
+++ b/engines/ccgost/gost_asn1.c
@@ -54,19 +54,3 @@ ASN1_NDEF_SEQUENCE(GOST_CLIENT_KEY_EXCHANGE_PARAMS) = { /* FIXME incomplete */
 
 ASN1_NDEF_SEQUENCE_END(GOST_CLIENT_KEY_EXCHANGE_PARAMS)
 IMPLEMENT_ASN1_FUNCTIONS(GOST_CLIENT_KEY_EXCHANGE_PARAMS)
-
-/* Convert byte buffer to bignum, skipping leading zeros*/
-BIGNUM *getbnfrombuf(const unsigned char *buf, size_t len)
-{
-    BIGNUM *b;
-
-    while (*buf == 0 && len > 0) {
-        buf++;
-        len--;
-    }
-    if (len)
-        return BN_bin2bn(buf, len, NULL);
-    b = BN_new();
-    BN_zero(b);
-    return b;
-}
diff --git a/engines/ccgost/gost_lcl.h b/engines/ccgost/gost_lcl.h
index 27fe0e7..b2541a7 100644
--- a/engines/ccgost/gost_lcl.h
+++ b/engines/ccgost/gost_lcl.h
@@ -213,8 +213,6 @@ BIGNUM *hashsum2bn(const unsigned char *dgst);
  * nesseccary
  */
 int store_bignum(BIGNUM *bn, unsigned char *buf, int len);
-/* Read bignum, which can have few MSB all-zeros    from buffer*/
-BIGNUM *getbnfrombuf(const unsigned char *buf, size_t len);
 /* Pack GOST R 34.10 signature according to CryptoPro rules */
 int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen);
 /* Unpack GOST R 34.10 signature according to CryptoPro rules */

From rsalz at openssl.org  Wed Aug 26 11:06:51 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 11:06:51 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440587211.334158.4913.nullmailer@dev.openssl.org>

The branch master has been updated
       via  4c42ebd2f39ee30bf44cd016a3a838ab2efe8c08 (commit)
      from  22dc08d00ae9517048b1ca44cd3810128eba0273 (commit)


- Log -----------------------------------------------------------------
commit 4c42ebd2f39ee30bf44cd016a3a838ab2efe8c08
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 26 00:25:11 2015 -0400

    Remove _locked memory functions.
    
    Undocumented, unused, unnecessary (replaced by secure arena).
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/mem.c               | 119 ---------------------------------------------
 crypto/rsa/rsa_lib.c       |   4 +-
 include/openssl/crypto.h   |  18 -------
 include/openssl/symhacks.h |   4 --
 util/libeay.num            |  12 ++---
 5 files changed, 8 insertions(+), 149 deletions(-)

diff --git a/crypto/mem.c b/crypto/mem.c
index 56c3585..8b9c8c3 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -103,17 +103,6 @@ static void *(*malloc_secure_ex_func)(size_t, const char *file, int line)
     = default_malloc_secure_ex;
 static void (*free_secure_func)(void *) = free;
 
-static void *(*malloc_locked_func) (size_t) = malloc;
-static void *default_malloc_locked_ex(size_t num, const char *file, int line)
-{
-    return malloc_locked_func(num);
-}
-
-static void *(*malloc_locked_ex_func) (size_t, const char *file, int line)
-    = default_malloc_locked_ex;
-
-static void (*free_locked_func) (void *) = free;
-
 /* may be changed as long as 'allow_customize_debug' is set */
 /* XXX use correct function pointer types */
 #ifdef CRYPTO_MDEBUG
@@ -159,9 +148,6 @@ int CRYPTO_set_mem_functions(void *(*m) (size_t), void *(*r) (void *, size_t),
     malloc_secure_func = m;
     malloc_secure_ex_func = default_malloc_secure_ex;
     free_secure_func = f;
-    malloc_locked_func = m;
-    malloc_locked_ex_func = default_malloc_locked_ex;
-    free_locked_func = f;
     return 1;
 }
 
@@ -181,9 +167,6 @@ int CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int),
     malloc_secure_func = 0;
     malloc_secure_ex_func = m;
     free_secure_func = f;
-    malloc_locked_func = 0;
-    malloc_locked_ex_func = m;
-    free_locked_func = f;
     return 1;
 }
 
@@ -198,11 +181,6 @@ int CRYPTO_set_secure_mem_functions(void *(*m)(size_t), void (*f)(void *))
     malloc_secure_func = m;
     malloc_secure_ex_func = default_malloc_secure_ex;
     free_secure_func = f;
-    /* If user wants to intercept the locked functions, do it after
-     * the secure functions. */
-    malloc_locked_func = m;
-    malloc_locked_ex_func = default_malloc_secure_ex;
-    free_locked_func = f;
     return 1;
 }
 
@@ -216,34 +194,6 @@ int CRYPTO_set_secure_mem_ex_functions(void *(*m)(size_t, const char *, int),
     malloc_secure_func = 0;
     malloc_secure_ex_func = m;
     free_secure_func = f;
-    malloc_locked_func = 0;
-    malloc_locked_ex_func = m;
-    free_locked_func = f;
-    return 1;
-}
-
-int CRYPTO_set_locked_mem_functions(void *(*m) (size_t), void (*f) (void *))
-{
-    if (!allow_customize)
-        return 0;
-    if ((m == NULL) || (f == NULL))
-        return 0;
-    malloc_locked_func = m;
-    malloc_locked_ex_func = default_malloc_locked_ex;
-    free_locked_func = f;
-    return 1;
-}
-
-int CRYPTO_set_locked_mem_ex_functions(void *(*m) (size_t, const char *, int),
-                                       void (*f) (void *))
-{
-    if (!allow_customize)
-        return 0;
-    if ((m == NULL) || (f == NULL))
-        return 0;
-    malloc_locked_func = 0;
-    malloc_locked_ex_func = m;
-    free_locked_func = f;
     return 1;
 }
 
@@ -307,27 +257,6 @@ void CRYPTO_get_secure_mem_ex_functions(void *(**m)(size_t,const char *,int),
         *f=free_secure_func;
 }
 
-void CRYPTO_get_locked_mem_functions(void *(**m) (size_t),
-                                     void (**f) (void *))
-{
-    if (m != NULL)
-        *m = (malloc_locked_ex_func == default_malloc_locked_ex) ?
-            malloc_locked_func : 0;
-    if (f != NULL)
-        *f = free_locked_func;
-}
-
-void CRYPTO_get_locked_mem_ex_functions(void
-                                        *(**m) (size_t, const char *, int),
-                                        void (**f) (void *))
-{
-    if (m != NULL)
-        *m = (malloc_locked_ex_func != default_malloc_locked_ex) ?
-            malloc_locked_ex_func : 0;
-    if (f != NULL)
-        *f = free_locked_func;
-}
-
 void CRYPTO_get_mem_debug_functions(void (**m)
                                      (void *, int, const char *, int, int),
                                     void (**r) (void *, void *, int,
@@ -347,54 +276,6 @@ void CRYPTO_get_mem_debug_functions(void (**m)
         *go = get_debug_options_func;
 }
 
-void *CRYPTO_malloc_locked(int num, const char *file, int line)
-{
-    void *ret = NULL;
-
-    if (num <= 0)
-        return NULL;
-
-    if (allow_customize)
-        allow_customize = 0;
-    if (malloc_debug_func != NULL) {
-        if (allow_customize_debug)
-            allow_customize_debug = 0;
-        malloc_debug_func(NULL, num, file, line, 0);
-    }
-    ret = malloc_locked_ex_func(num, file, line);
-#ifdef LEVITTE_DEBUG_MEM
-    fprintf(stderr, "LEVITTE_DEBUG_MEM:         > 0x%p (%d)\n", ret, num);
-#endif
-    if (malloc_debug_func != NULL)
-        malloc_debug_func(ret, num, file, line, 1);
-
-#ifndef OPENSSL_CPUID_OBJ
-    /*
-     * Create a dependency on the value of 'cleanse_ctr' so our memory
-     * sanitisation function can't be optimised out. NB: We only do this for
-     * >2Kb so the overhead doesn't bother us.
-     */
-    if (ret && (num > 2048)) {
-        extern unsigned char cleanse_ctr;
-        ((unsigned char *)ret)[0] = cleanse_ctr;
-    }
-#endif
-
-    return ret;
-}
-
-void CRYPTO_free_locked(void *str)
-{
-    if (free_debug_func != NULL)
-        free_debug_func(str, 0);
-#ifdef LEVITTE_DEBUG_MEM
-    fprintf(stderr, "LEVITTE_DEBUG_MEM:         < 0x%p\n", str);
-#endif
-    free_locked_func(str);
-    if (free_debug_func != NULL)
-        free_debug_func(NULL, 1);
-}
-
 void *CRYPTO_malloc(int num, const char *file, int line)
 {
     void *ret = NULL;
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 76c9796..b28021b 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -231,7 +231,7 @@ void RSA_free(RSA *r)
     BN_clear_free(r->iqmp);
     BN_BLINDING_free(r->blinding);
     BN_BLINDING_free(r->mt_blinding);
-    OPENSSL_free_locked(r->bignum_data);
+    OPENSSL_free(r->bignum_data);
     OPENSSL_free(r);
 }
 
@@ -287,7 +287,7 @@ int RSA_memory_lock(RSA *r)
     j = 1;
     for (i = 0; i < 6; i++)
         j += bn_get_top(*t[i]);
-    if ((p = OPENSSL_malloc_locked((off + j) * sizeof(BN_ULONG))) == NULL) {
+    if ((p = OPENSSL_malloc((off + j) * sizeof(BN_ULONG))) == NULL) {
         RSAerr(RSA_F_RSA_MEMORY_LOCK, ERR_R_MALLOC_FAILURE);
         return (0);
     }
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index faaf1d5..1d1c2b3 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -356,9 +356,6 @@ int CRYPTO_is_mem_check_on(void);
 # define OPENSSL_clear_free(addr, num) CRYPTO_clear_free(addr, num)
 # define OPENSSL_free(addr)      CRYPTO_free(addr)
 
-# define OPENSSL_malloc_locked(num) \
-        CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
-# define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
 # define OPENSSL_MALLOC_MAX_NELEMS(type)  (((1U<<(sizeof(int)*8-1))-1)/sizeof(type))
 
 const char *SSLeay_version(int type);
@@ -456,19 +453,11 @@ void (*CRYPTO_get_dynlock_destroy_callback(void)) (struct CRYPTO_dynlock_value
                                                    *l, const char *file,
                                                    int line);
 
-/*
- * CRYPTO_set_mem_functions includes CRYPTO_set_locked_mem_functions -- call
- * the latter last if you need different functions
- */
 int CRYPTO_set_mem_functions(void *(*m) (size_t), void *(*r) (void *, size_t),
                              void (*f) (void *));
-int CRYPTO_set_locked_mem_functions(void *(*m) (size_t),
-                                    void (*f) (void *));
 int CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int),
                                 void *(*r) (void *, size_t, const char *,
                                             int), void (*f) (void *));
-int CRYPTO_set_locked_mem_ex_functions(void *(*m) (size_t, const char *, int),
-                                       void (*f) (void *));
 int CRYPTO_set_mem_debug_functions(void (*m)
                                     (void *, int, const char *, int, int),
                                    void (*r) (void *, void *, int,
@@ -478,14 +467,9 @@ int CRYPTO_set_mem_debug_functions(void (*m)
 void CRYPTO_get_mem_functions(void *(**m) (size_t),
                               void *(**r) (void *, size_t),
                               void (**f) (void *));
-void CRYPTO_get_locked_mem_functions(void *(**m) (size_t),
-                                     void (**f) (void *));
 void CRYPTO_get_mem_ex_functions(void *(**m) (size_t, const char *, int),
                                  void *(**r) (void *, size_t, const char *,
                                               int), void (**f) (void *));
-void CRYPTO_get_locked_mem_ex_functions(void
-                                        *(**m) (size_t, const char *, int),
-                                        void (**f) (void *));
 void CRYPTO_get_mem_debug_functions(void (**m)
                                      (void *, int, const char *, int, int),
                                     void (**r) (void *, void *, int,
@@ -493,8 +477,6 @@ void CRYPTO_get_mem_debug_functions(void (**m)
                                     void (**f) (void *, int),
                                     void (**so) (long), long (**go) (void));
 
-void *CRYPTO_malloc_locked(int num, const char *file, int line);
-void CRYPTO_free_locked(void *ptr);
 void *CRYPTO_malloc(int num, const char *file, int line);
 char *CRYPTO_strdup(const char *str, const char *file, int line);
 void CRYPTO_free(void *ptr);
diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h
index 3253df8..8e0edfc 100644
--- a/include/openssl/symhacks.h
+++ b/include/openssl/symhacks.h
@@ -128,10 +128,6 @@
 #  define CRYPTO_get_dynlock_destroy_callback     CRYPTO_get_dynlock_destroy_cb
 #  undef CRYPTO_get_dynlock_create_callback
 #  define CRYPTO_get_dynlock_create_callback      CRYPTO_get_dynlock_create_cb
-#  undef CRYPTO_set_locked_mem_ex_functions
-#  define CRYPTO_set_locked_mem_ex_functions      CRYPTO_set_locked_mem_ex_funcs
-#  undef CRYPTO_get_locked_mem_ex_functions
-#  define CRYPTO_get_locked_mem_ex_functions      CRYPTO_get_locked_mem_ex_funcs
 
 /* Hack some long SSL/TLS names */
 #  undef SSL_CTX_set_default_verify_paths
diff --git a/util/libeay.num b/util/libeay.num
index a82db68..fa6d9c2 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -1371,8 +1371,8 @@ X509V3_string_free                      1506	EXIST::FUNCTION:
 X509V3_section_free                     1507	EXIST::FUNCTION:
 X509V3_set_ctx                          1508	EXIST::FUNCTION:
 s2i_ASN1_INTEGER                        1509	EXIST::FUNCTION:
-CRYPTO_set_locked_mem_functions         1510	EXIST::FUNCTION:
-CRYPTO_get_locked_mem_functions         1511	EXIST::FUNCTION:
+CRYPTO_set_locked_mem_functions         1510	NOEXIST::FUNCTION:
+CRYPTO_get_locked_mem_functions         1511	NOEXIST::FUNCTION:
 CRYPTO_malloc_locked                    1512	EXIST::FUNCTION:
 CRYPTO_free_locked                      1513	EXIST::FUNCTION:
 BN_mod_exp2_mont                        1514	EXIST::FUNCTION:
@@ -2237,8 +2237,8 @@ DIRECTORYSTRING_it                      2767	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA
 DIRECTORYSTRING_it                      2767	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 d2i_OCSP_CRLID                          2768	EXIST::FUNCTION:
 EC_POINT_is_on_curve                    2769	EXIST::FUNCTION:EC
-CRYPTO_set_locked_mem_ex_functions      2770	EXIST:!VMS:FUNCTION:
-CRYPTO_set_locked_mem_ex_funcs          2770	EXIST:VMS:FUNCTION:
+CRYPTO_set_locked_mem_ex_funcs          2770	NOEXIST::FUNCTION:
+CRYPTO_set_locked_mem_ex_functions      2770	NOEXIST::FUNCTION:
 d2i_KRB5_CHECKSUM                       2771	NOEXIST::FUNCTION:
 ASN1_item_dup                           2772	EXIST::FUNCTION:
 X509_it                                 2773	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2252,8 +2252,8 @@ EC_POINT_get_Jprojective_coordinates_GFp 2779	EXIST:!VMS:FUNCTION:EC
 EC_POINT_get_Jproj_coords_GFp           2779	EXIST:VMS:FUNCTION:EC
 ZLONG_it                                2780	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ZLONG_it                                2780	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-CRYPTO_get_locked_mem_ex_functions      2781	EXIST:!VMS:FUNCTION:
-CRYPTO_get_locked_mem_ex_funcs          2781	EXIST:VMS:FUNCTION:
+CRYPTO_get_locked_mem_ex_funcs          2781	NOEXIST::FUNCTION:
+CRYPTO_get_locked_mem_ex_functions      2781	NOEXIST::FUNCTION:
 ASN1_TIME_check                         2782	EXIST::FUNCTION:
 UI_get0_user_data                       2783	EXIST::FUNCTION:
 HMAC_CTX_cleanup                        2784	EXIST::FUNCTION:

From rsalz at openssl.org  Wed Aug 26 11:09:35 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 11:09:35 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440587375.563232.5984.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  2d07f60a025df7cb34efce9f5122c8f682bbc070 (commit)
      from  2f2295a5961f942d0e1f5676166513fa57a1903b (commit)


- Log -----------------------------------------------------------------
commit 2d07f60a025df7cb34efce9f5122c8f682bbc070
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Wed Aug 19 17:12:31 2015 +0200

    GH371: Print debug info for ALPN extension
    
    Also known as RT 4106
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    
    (cherry picked from commit b48357d9953decc43333979ca11ebc1500040f4e)

-----------------------------------------------------------------------

Summary of changes:
 apps/s_cb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index dd3aa74..5b5e711 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -981,6 +981,11 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
         extname = "next protocol";
         break;
 #endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+    case TLSEXT_TYPE_application_layer_protocol_negotiation:
+        extname = "application layer protocol negotiation";
+        break;
+#endif
 
     case TLSEXT_TYPE_padding:
         extname = "TLS padding";

From rsalz at openssl.org  Wed Aug 26 11:09:53 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 11:09:53 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440587393.147998.6277.nullmailer@dev.openssl.org>

The branch master has been updated
       via  b48357d9953decc43333979ca11ebc1500040f4e (commit)
      from  4c42ebd2f39ee30bf44cd016a3a838ab2efe8c08 (commit)


- Log -----------------------------------------------------------------
commit b48357d9953decc43333979ca11ebc1500040f4e
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Wed Aug 19 17:12:31 2015 +0200

    GH371: Print debug info for ALPN extension
    
    Also known as RT 4106
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/s_cb.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 2a18f74..07ce997 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -711,6 +711,10 @@ static STRINT_PAIR tlsext_types[] = {
 #ifdef TLSEXT_TYPE_encrypt_then_mac
     {"encrypt-then-mac", TLSEXT_TYPE_encrypt_then_mac},
 #endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+    {"application layer protocol negotiation",
+     TLSEXT_TYPE_application_layer_protocol_negotiation},
+#endif
     {NULL}
 };
 

From emilia at openssl.org  Wed Aug 26 12:28:12 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Wed, 26 Aug 2015 12:28:12 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440592092.924634.18127.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ec30e8566e43d888ab1d7cf01749a979896bb3d9 (commit)
       via  9cc3e8f1f2b9e9c36a2f61e914bc9711c35568b6 (commit)
       via  2aa815c343357524aa5a3775994d694de65544f8 (commit)
      from  b48357d9953decc43333979ca11ebc1500040f4e (commit)


- Log -----------------------------------------------------------------
commit ec30e8566e43d888ab1d7cf01749a979896bb3d9
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue Aug 18 12:29:36 2015 +0200

    PACKET: add methods for reading length-prefixed TLS vectors.
    
    Rewrite ssl3_get_client_hello to use the new methods.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 9cc3e8f1f2b9e9c36a2f61e914bc9711c35568b6
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue Aug 18 19:01:51 2015 +0200

    Fix SSLv2-compatible ClientHello processing.
    
    If the client challenge is less than 32 bytes, it is padded with leading - not trailing - zero bytes.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 2aa815c343357524aa5a3775994d694de65544f8
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue Aug 18 14:55:53 2015 +0200

    PACKET: constify where possible
    
    The PACKET should hold a 'const unsigned char*' underneath as well
    but the legacy code passes the record buffer around as 'unsigned char*'
    (to callbacks, too) so that's a bigger refactor.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/packet_locl.h | 110 +++++++++++++++++++++++++++++++++++++++++++++++-------
 ssl/s3_srvr.c     | 105 +++++++++++++++++++++++++--------------------------
 test/packettest.c |  84 ++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 231 insertions(+), 68 deletions(-)

diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index a5e4d00..3f03fa7 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -82,12 +82,23 @@ typedef struct {
 /*
  * Returns the number of bytes remaining to be read in the PACKET
  */
-__owur static inline size_t PACKET_remaining(PACKET *pkt)
+__owur static inline size_t PACKET_remaining(const PACKET *pkt)
 {
     return (size_t)(pkt->end - pkt->curr);
 }
 
 /*
+ * Returns a pointer to the PACKET's current position.
+ * For use in non-PACKETized APIs.
+ * TODO(openssl-team): this should return 'const unsigned char*' but can't
+ * currently because legacy code passes 'unsigned char*'s around.
+ */
+static inline unsigned char *PACKET_data(const PACKET *pkt)
+{
+    return pkt->curr;
+}
+
+/*
  * Initialise a PACKET with |len| bytes held in |buf|. This does not make a
  * copy of the data so |buf| must be present for the whole time that the PACKET
  * is being used.
@@ -113,8 +124,8 @@ static inline int PACKET_buf_init(PACKET *pkt, unsigned char *buf, size_t len)
  * Data is not copied: the |subpkt| packet will share its underlying buffer with
  * the original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
  */
-__owur static inline int PACKET_peek_sub_packet(PACKET *pkt, PACKET *subpkt,
-                                               size_t len)
+__owur static inline int PACKET_peek_sub_packet(const PACKET *pkt,
+                                                PACKET *subpkt, size_t len)
 {
     if (PACKET_remaining(pkt) < len)
         return 0;
@@ -143,7 +154,8 @@ __owur static inline int PACKET_get_sub_packet(PACKET *pkt, PACKET *subpkt,
 /* Peek ahead at 2 bytes in network order from |pkt| and store the value in
  * |*data|
  */
-__owur static inline int PACKET_peek_net_2(PACKET *pkt, unsigned int *data)
+__owur static inline int PACKET_peek_net_2(const PACKET *pkt,
+                                           unsigned int *data)
 {
     if (PACKET_remaining(pkt) < 2)
         return 0;
@@ -169,7 +181,8 @@ __owur static inline int PACKET_get_net_2(PACKET *pkt, unsigned int *data)
 /* Peek ahead at 3 bytes in network order from |pkt| and store the value in
  * |*data|
  */
-__owur static inline int PACKET_peek_net_3(PACKET *pkt, unsigned long *data)
+__owur static inline int PACKET_peek_net_3(const PACKET *pkt,
+                                           unsigned long *data)
 {
     if (PACKET_remaining(pkt) < 3)
         return 0;
@@ -196,7 +209,8 @@ __owur static inline int PACKET_get_net_3(PACKET *pkt, unsigned long *data)
 /* Peek ahead at 4 bytes in network order from |pkt| and store the value in
  * |*data|
  */
-__owur static inline int PACKET_peek_net_4(PACKET *pkt, unsigned long *data)
+__owur static inline int PACKET_peek_net_4(const PACKET *pkt,
+                                           unsigned long *data)
 {
     if (PACKET_remaining(pkt) < 4)
         return 0;
@@ -222,7 +236,7 @@ __owur static inline int PACKET_get_net_4(PACKET *pkt, unsigned long *data)
 }
 
 /* Peek ahead at 1 byte from |pkt| and store the value in |*data| */
-__owur static inline int PACKET_peek_1(PACKET *pkt, unsigned int *data)
+__owur static inline int PACKET_peek_1(const PACKET *pkt, unsigned int *data)
 {
     if (!PACKET_remaining(pkt))
         return 0;
@@ -247,7 +261,7 @@ __owur static inline int PACKET_get_1(PACKET *pkt, unsigned int *data)
  * Peek ahead at 4 bytes in reverse network order from |pkt| and store the value
  * in |*data|
  */
-__owur static inline int PACKET_peek_4(PACKET *pkt, unsigned long *data)
+__owur static inline int PACKET_peek_4(const PACKET *pkt, unsigned long *data)
 {
     if (PACKET_remaining(pkt) < 4)
         return 0;
@@ -281,7 +295,7 @@ __owur static inline int PACKET_get_4(PACKET *pkt, unsigned long *data)
  * caller should not free this data directly (it will be freed when the
  * underlying buffer gets freed
  */
-__owur static inline int PACKET_peek_bytes(PACKET *pkt, unsigned char **data,
+__owur static inline int PACKET_peek_bytes(const PACKET *pkt, unsigned char **data,
                                           size_t len)
 {
     if (PACKET_remaining(pkt) < len)
@@ -310,7 +324,7 @@ __owur static inline int PACKET_get_bytes(PACKET *pkt, unsigned char **data,
 }
 
 /* Peek ahead at |len| bytes from |pkt| and copy them to |data| */
-__owur static inline int PACKET_peek_copy_bytes(PACKET *pkt,
+__owur static inline int PACKET_peek_copy_bytes(const PACKET *pkt,
                                                 unsigned char *data, size_t len)
 {
     if (PACKET_remaining(pkt) < len)
@@ -356,7 +370,7 @@ __owur static inline int PACKET_forward(PACKET *pkt, size_t len)
 }
 
 /* Store a bookmark for the current reading position in |*bm| */
-__owur static inline int PACKET_get_bookmark(PACKET *pkt, size_t *bm)
+__owur static inline int PACKET_get_bookmark(const PACKET *pkt, size_t *bm)
 {
     *bm = pkt->curr - pkt->start;
 
@@ -378,16 +392,86 @@ __owur static inline int PACKET_goto_bookmark(PACKET *pkt, size_t bm)
  * Stores the total length of the packet we have in the underlying buffer in
  * |*len|
  */
-__owur static inline int PACKET_length(PACKET *pkt, size_t *len)
+__owur static inline int PACKET_length(const PACKET *pkt, size_t *len)
 {
     *len = pkt->end - pkt->start;
 
     return 1;
 }
 
+/*
+ * Reads a variable-length vector prefixed with a one-byte length, and stores
+ * the contents in |subpkt|. |pkt| can equal |subpkt|.
+ * Data is not copied: the |subpkt| packet will share its underlying buffer with
+ * the original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
+ * Upon failure, the original |pkt| and |subpkt| are not modified.
+ */
+__owur static inline int PACKET_get_length_prefixed_1(PACKET *pkt, PACKET *subpkt)
+{
+  unsigned int length;
+  unsigned char *data;
+  PACKET tmp = *pkt;
+  if (!PACKET_get_1(&tmp, &length) ||
+      !PACKET_get_bytes(&tmp, &data, (size_t)length)) {
+      return 0;
+  }
+
+  *pkt = tmp;
+  subpkt->start = subpkt->curr = data;
+  subpkt->end = subpkt->start + length;
+
+  return 1;
+}
+
+/*
+ * Reads a variable-length vector prefixed with a two-byte length, and stores
+ * the contents in |subpkt|. |pkt| can equal |subpkt|.
+ * Data is not copied: the |subpkt| packet will share its underlying buffer with
+ * the original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
+ * Upon failure, the original |pkt| and |subpkt| are not modified.
+ */
+__owur static inline int PACKET_get_length_prefixed_2(PACKET *pkt, PACKET *subpkt)
+{
+  unsigned int length;
+  unsigned char *data;
+  PACKET tmp = *pkt;
+  if (!PACKET_get_net_2(&tmp, &length) ||
+      !PACKET_get_bytes(&tmp, &data, (size_t)length)) {
+      return 0;
+  }
+
+  *pkt = tmp;
+  subpkt->start = subpkt->curr = data;
+  subpkt->end = subpkt->start + length;
+
+  return 1;
+}
+
+/*
+ * Reads a variable-length vector prefixed with a three-byte length, and stores
+ * the contents in |subpkt|. |pkt| can equal |subpkt|.
+ * Data is not copied: the |subpkt| packet will share its underlying buffer with
+ * the original |pkt|, so data wrapped by |pkt| must outlive the |subpkt|.
+ * Upon failure, the original |pkt| and |subpkt| are not modified.
+ */
+__owur static inline int PACKET_get_length_prefixed_3(PACKET *pkt, PACKET *subpkt)
+{
+  unsigned long length;
+  unsigned char *data;
+  PACKET tmp = *pkt;
+  if (!PACKET_get_net_3(&tmp, &length) ||
+      !PACKET_get_bytes(&tmp, &data, (size_t)length)) {
+      return 0;
+  }
+
+  *pkt = tmp;
+  subpkt->start = subpkt->curr = data;
+  subpkt->end = subpkt->start + length;
+
+  return 1;
+}
 # ifdef __cplusplus
 }
 # endif
 
 #endif /* HEADER_PACKET_LOCL_H */
-
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 8bdb082..74c3696 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -838,19 +838,16 @@ int ssl3_send_hello_request(SSL *s)
 int ssl3_get_client_hello(SSL *s)
 {
     int i, ok, al = SSL_AD_INTERNAL_ERROR, ret = -1;
-    unsigned int j, cipherlen, complen;
-    unsigned int cookie_len = 0;
+    unsigned int j, complen = 0;
     long n;
     unsigned long id;
     SSL_CIPHER *c;
 #ifndef OPENSSL_NO_COMP
-    unsigned char *q = NULL;
     SSL_COMP *comp = NULL;
 #endif
     STACK_OF(SSL_CIPHER) *ciphers = NULL;
     int protverr = 1;
-    PACKET pkt;
-    unsigned char *sess, *cdata;
+    PACKET pkt, cipher_suite, compression;
 
     if (s->state == SSL3_ST_SR_CLNT_HELLO_C && !s->first_packet)
         goto retry_cert;
@@ -1013,30 +1010,31 @@ int ssl3_get_client_hello(SSL *s)
          * Note, this is only for SSLv3+ using the backward compatible format.
          * Real SSLv2 is not supported, and is rejected above.
          */
-        unsigned int csl, sil, cl;
+        unsigned int cipher_len, session_id_len, challenge_len;
 
-        if (!PACKET_get_net_2(&pkt, &csl)
-                || !PACKET_get_net_2(&pkt, &sil)
-                || !PACKET_get_net_2(&pkt, &cl)) {
+        if (!PACKET_get_net_2(&pkt, &cipher_len)
+                || !PACKET_get_net_2(&pkt, &session_id_len)
+                || !PACKET_get_net_2(&pkt, &challenge_len)) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
 
-        if (csl == 0) {
+        if (cipher_len == 0) {
             /* we need at least one cipher */
             al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
             goto f_err;
         }
 
-        if (!PACKET_get_bytes(&pkt, &cdata, csl)) {
+        if (!PACKET_get_sub_packet(&pkt, &cipher_suite, cipher_len)) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
 
-        if (ssl_bytes_to_cipher_list(s, cdata, csl, &(ciphers), 1) == NULL) {
+        if (ssl_bytes_to_cipher_list(s, PACKET_data(&cipher_suite),
+                                     cipher_len, &(ciphers), 1) == NULL) {
             goto err;
         }
 
@@ -1044,7 +1042,7 @@ int ssl3_get_client_hello(SSL *s)
          * Ignore any session id. We don't allow resumption in a backwards
          * compatible ClientHello
          */
-        if (!PACKET_forward(&pkt, sil)) {
+        if (!PACKET_forward(&pkt, session_id_len)) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
@@ -1055,25 +1053,24 @@ int ssl3_get_client_hello(SSL *s)
             goto err;
 
         /* Load the client random */
-        i = (cl > SSL3_RANDOM_SIZE) ? SSL3_RANDOM_SIZE : cl;
+        i = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE : challenge_len;
         memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
-        if (!PACKET_peek_copy_bytes(&pkt, s->s3->client_random, i)
-                || !PACKET_forward(&pkt, cl)
+        if (!PACKET_peek_copy_bytes(&pkt,
+                                    s->s3->client_random + SSL3_RANDOM_SIZE - i,
+                                    i)
+                || !PACKET_forward(&pkt, challenge_len)
                 || PACKET_remaining(&pkt) != 0) {
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH);
             al = SSL_AD_DECODE_ERROR;
             goto f_err;
         }
-
-        /* No compression, so set complen to 0 */
-        complen = 0;
     } else {
         /* If we get here we've got SSLv3+ in an SSLv3+ record */
-
+        PACKET session_id;
+        unsigned int cookie_len;
         /* load the client random and get the session-id */
         if (!PACKET_copy_bytes(&pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
-                || !PACKET_get_1(&pkt, &j)
-                || !PACKET_get_bytes(&pkt, &sess, j)) {
+		|| !PACKET_get_length_prefixed_1(&pkt, &session_id)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
@@ -1115,7 +1112,13 @@ int ssl3_get_client_hello(SSL *s)
             if (!ssl_get_new_session(s, 1))
                 goto err;
         } else {
-            i = ssl_get_prev_session(s, &pkt, sess, j);
+            /*
+             * TODO(openssl-team): ssl_get_prev_session passes a non-const
+             * 'unsigned char*' session id to a user callback. Grab a copy of
+             * the data?
+             */
+	    i = ssl_get_prev_session(s, &pkt, PACKET_data(&session_id),
+		                     PACKET_remaining(&session_id));
             /*
              * Only resume if the session's version matches the negotiated
              * version.
@@ -1138,11 +1141,13 @@ int ssl3_get_client_hello(SSL *s)
         }
 
         if (SSL_IS_DTLS(s)) {
-            if (!PACKET_get_1(&pkt, &cookie_len)) {
+            PACKET cookie;
+            if (!PACKET_get_length_prefixed_1(&pkt, &cookie)) {
                 al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
                 goto f_err;
             }
+	    cookie_len = PACKET_remaining(&cookie);
             /*
              * The ClientHello may contain a cookie even if the
              * HelloVerify message has not been sent--make sure that it
@@ -1159,10 +1164,13 @@ int ssl3_get_client_hello(SSL *s)
             if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)
                     && cookie_len > 0) {
                 /* Get cookie */
-                if (!PACKET_copy_bytes(&pkt, s->d1->rcvd_cookie,
-                                              cookie_len)) {
-                    al = SSL_AD_DECODE_ERROR;
-                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+                /*
+                 * TODO(openssl-team): rcvd_cookie appears unused outside this
+                 * function. Remove the field?
+                 */
+                if (!PACKET_copy_bytes(&cookie, s->d1->rcvd_cookie, cookie_len)) {
+                    al = SSL_AD_INTERNAL_ERROR;
+                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                     goto f_err;
                 }
 
@@ -1185,15 +1193,7 @@ int ssl3_get_client_hello(SSL *s)
                 }
                 /* Set to -2 so if successful we return 2 */
                 ret = -2;
-            } else {
-                /* Skip over cookie */
-                if (!PACKET_forward(&pkt, cookie_len)) {
-                    al = SSL_AD_DECODE_ERROR;
-                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-                    goto f_err;
-                }
             }
-
             if (s->method->version == DTLS_ANY_VERSION) {
                 /* Select version to use */
                 if (s->client_version <= DTLS1_2_VERSION &&
@@ -1221,26 +1221,21 @@ int ssl3_get_client_hello(SSL *s)
             }
         }
 
-        if (!PACKET_get_net_2(&pkt, &cipherlen)) {
+        if (!PACKET_get_length_prefixed_2(&pkt, &cipher_suite)) {
             al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
             goto f_err;
         }
 
-        if (cipherlen == 0) {
+        if (PACKET_remaining(&cipher_suite) == 0) {
             al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
             goto f_err;
         }
 
-        if (!PACKET_get_bytes(&pkt, &cdata, cipherlen)) {
-            /* not enough data */
-            al = SSL_AD_DECODE_ERROR;
-            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
-            goto f_err;
-        }
-
-        if (ssl_bytes_to_cipher_list(s, cdata, cipherlen, &(ciphers), 0) == NULL) {
+        if (ssl_bytes_to_cipher_list(s, PACKET_data(&cipher_suite),
+                                     PACKET_remaining(&cipher_suite),
+                                     &(ciphers), 0) == NULL) {
             goto err;
         }
 
@@ -1299,19 +1294,21 @@ int ssl3_get_client_hello(SSL *s)
         }
 
         /* compression */
-        if (!PACKET_get_1(&pkt, &complen)
-            || !PACKET_get_bytes(&pkt, &cdata, complen)) {
+        if (!PACKET_get_length_prefixed_1(&pkt, &compression)) {
             /* not enough data */
             al = SSL_AD_DECODE_ERROR;
+            /*
+             * TODO(openssl-team):
+             * SSL_R_LENGTH_TOO_SHORT and SSL_R_LENGTH_MISMATCH are used
+             * interchangeably. Pick one.
+             */
             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
             goto f_err;
         }
 
-#ifndef OPENSSL_NO_COMP
-        q = cdata;
-#endif
+        complen = PACKET_remaining(&compression);
         for (j = 0; j < complen; j++) {
-            if (cdata[j] == 0)
+            if (PACKET_data(&compression)[j] == 0)
                 break;
         }
 
@@ -1413,7 +1410,7 @@ int ssl3_get_client_hello(SSL *s)
         }
         /* Look for resumed method in compression list */
         for (k = 0; k < complen; k++) {
-            if (q[k] == comp_id)
+            if (PACKET_data(&compression)[k] == comp_id)
                 break;
         }
         if (k >= complen) {
@@ -1434,7 +1431,7 @@ int ssl3_get_client_hello(SSL *s)
             comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
             v = comp->id;
             for (o = 0; o < complen; o++) {
-                if (v == q[o]) {
+                if (v == PACKET_data(&compression)[o]) {
                     done = 1;
                     break;
                 }
diff --git a/test/packettest.c b/test/packettest.c
index c3ac53b..b3f7bbb 100644
--- a/test/packettest.c
+++ b/test/packettest.c
@@ -281,6 +281,85 @@ static int test_PACKET_buf_init()
     return 1;
 }
 
+static int test_PACKET_get_length_prefixed_1()
+{
+    unsigned char buf[BUF_LEN];
+    const size_t len = 16;
+    unsigned int i;
+    PACKET pkt, short_pkt, subpkt;
+
+    buf[0] = len;
+    for (i = 1; i < BUF_LEN; i++) {
+        buf[i] = (i * 2) & 0xff;
+    }
+
+    if (       !PACKET_buf_init(&pkt, buf, BUF_LEN)
+            || !PACKET_buf_init(&short_pkt, buf, len)
+            || !PACKET_get_length_prefixed_1(&pkt, &subpkt)
+            ||  PACKET_remaining(&subpkt) != len
+            || !PACKET_get_net_2(&subpkt, &i)
+            ||  i != 0x0204
+            ||  PACKET_get_length_prefixed_1(&short_pkt, &subpkt)
+            ||  PACKET_remaining(&short_pkt) != len) {
+        fprintf(stderr, "test_PACKET_get_length_prefixed_1() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_length_prefixed_2()
+{
+    unsigned char buf[1024];
+    const size_t len = 516;  /* 0x0204 */
+    unsigned int i;
+    PACKET pkt, short_pkt, subpkt;
+
+    for (i = 1; i <= 1024; i++) {
+        buf[i-1] = (i * 2) & 0xff;
+    }
+
+    if (       !PACKET_buf_init(&pkt, buf, 1024)
+            || !PACKET_buf_init(&short_pkt, buf, len)
+            || !PACKET_get_length_prefixed_2(&pkt, &subpkt)
+            ||  PACKET_remaining(&subpkt) != len
+            || !PACKET_get_net_2(&subpkt, &i)
+            ||  i != 0x0608
+            ||  PACKET_get_length_prefixed_2(&short_pkt, &subpkt)
+            ||  PACKET_remaining(&short_pkt) != len) {
+        fprintf(stderr, "test_PACKET_get_length_prefixed_2() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
+static int test_PACKET_get_length_prefixed_3()
+{
+    unsigned char buf[1024];
+    const size_t len = 516;  /* 0x000204 */
+    unsigned int i;
+    PACKET pkt, short_pkt, subpkt;
+
+    for (i = 0; i < 1024; i++) {
+        buf[i] = (i * 2) & 0xff;
+    }
+
+    if (       !PACKET_buf_init(&pkt, buf, 1024)
+            || !PACKET_buf_init(&short_pkt, buf, len)
+            || !PACKET_get_length_prefixed_3(&pkt, &subpkt)
+            ||  PACKET_remaining(&subpkt) != len
+            || !PACKET_get_net_2(&subpkt, &i)
+            ||  i != 0x0608
+            ||  PACKET_get_length_prefixed_3(&short_pkt, &subpkt)
+            ||  PACKET_remaining(&short_pkt) != len) {
+        fprintf(stderr, "test_PACKET_get_length_prefixed_3() failed\n");
+        return 0;
+    }
+
+    return 1;
+}
+
 int main(int argc, char **argv)
 {
     unsigned char buf[BUF_LEN];
@@ -309,7 +388,10 @@ int main(int argc, char **argv)
             || !test_PACKET_get_sub_packet(&pkt, start)
             || !test_PACKET_get_bytes(&pkt, start)
             || !test_PACKET_copy_bytes(&pkt, start)
-            || !test_PACKET_move_funcs(&pkt, start)) {
+            || !test_PACKET_move_funcs(&pkt, start)
+            || !test_PACKET_get_length_prefixed_1()
+            || !test_PACKET_get_length_prefixed_2()
+            || !test_PACKET_get_length_prefixed_3()) {
         return 1;
     }
     printf("PASS\n");

From matt at openssl.org  Wed Aug 26 15:31:31 2015
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2015 15:31:31 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440603091.843004.17142.nullmailer@dev.openssl.org>

The branch master has been updated
       via  95cdad6344c72c84761a4da290d384f8de730407 (commit)
      from  ec30e8566e43d888ab1d7cf01749a979896bb3d9 (commit)


- Log -----------------------------------------------------------------
commit 95cdad6344c72c84761a4da290d384f8de730407
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Aug 26 16:22:45 2015 +0100

    Clean up reset of read/write sequences
    
    Use sizeof instead of an explicit size, and use the functions for the
    purpose.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/record/rec_layer_s3.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 5b28663..6beb8ce 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -166,8 +166,8 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl)
     SSL3_RECORD_clear(&rl->rrec);
     SSL3_RECORD_clear(&rl->wrec);
 
-    memset(rl->read_sequence, 0, sizeof(rl->read_sequence));
-    memset(rl->write_sequence, 0, sizeof(rl->write_sequence));
+    RECORD_LAYER_reset_read_sequence(rl);
+    RECORD_LAYER_reset_write_sequence(rl);
     
     if (rl->d)
         DTLS_RECORD_LAYER_clear(rl);
@@ -219,12 +219,12 @@ void RECORD_LAYER_dup(RECORD_LAYER *dst, RECORD_LAYER *src)
 
 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 {
-    memset(rl->read_sequence, 0, 8);
+    memset(rl->read_sequence, 0, sizeof(rl->read_sequence));
 }
 
 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 {
-    memset(rl->write_sequence, 0, 8);
+    memset(rl->write_sequence, 0, sizeof(rl->write_sequence));
 }
 
 int RECORD_LAYER_setup_comp_buffer(RECORD_LAYER *rl)

From rsalz at openssl.org  Wed Aug 26 20:19:14 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 20:19:14 +0000
Subject: [openssl-commits] [web]  master update
Message-ID: <1440620354.435754.28876.nullmailer@dev.openssl.org>

The branch master has been updated
       via  2ce8f60fb1b406aa811ef0f687bbd287621c6aeb (commit)
      from  f284b4b24546d19d351edd34e09f3f7c835675d8 (commit)


- Log -----------------------------------------------------------------
commit 2ce8f60fb1b406aa811ef0f687bbd287621c6aeb
Author: Rich Salz <rsalz at akamai.com>
Date:   Wed Aug 26 16:18:45 2015 -0400

    Add webmaster email address.
    
    At least one whiner needed to be told this.  Sheesh.

-----------------------------------------------------------------------

Summary of changes:
 inc/footer.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/inc/footer.inc b/inc/footer.inc
index e09888e..ab43dad 100644
--- a/inc/footer.inc
+++ b/inc/footer.inc
@@ -1,6 +1,9 @@
 <!-- footer.inc -->
 <footer role="contentinfo">
   <p>
+    Please report problems with this website to webmaster at openssl.org.
+  </p>
+  <p>
     Copyright &copy; 2015, OpenSSL Software Foundation.
   </p>
 </footer>

From rsalz at openssl.org  Wed Aug 26 21:31:53 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:31:53 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440624713.823768.8910.nullmailer@dev.openssl.org>

The branch master has been updated
       via  208b2d541dcb3b8f62639d2a8cc5771af4ba8755 (commit)
      from  95cdad6344c72c84761a4da290d384f8de730407 (commit)


- Log -----------------------------------------------------------------
commit 208b2d541dcb3b8f62639d2a8cc5771af4ba8755
Author: Viktor Dukhovni <viktor at dukhovni.org>
Date:   Wed Apr 23 21:58:30 2014 -0400

    GH correct organizationalUnitName
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/req.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index ae884a2..3cbabb7 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -489,7 +489,7 @@ be input by calling it "1.organizationName".
 The actual permitted field names are any object identifier short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrProvinceName. Additionally emailAddress
+organizationalUnitName, stateOrProvinceName. Additionally emailAddress
 is include as well as name, surname, givenName initials and dnQualifier.
 
 Additional object identifiers can be defined with the B<oid_file> or

From rsalz at openssl.org  Wed Aug 26 21:32:05 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:32:05 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440624725.632924.9786.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  06f6c551078fbdbb86dec469b2a280d1323153fb (commit)
      from  2d07f60a025df7cb34efce9f5122c8f682bbc070 (commit)


- Log -----------------------------------------------------------------
commit 06f6c551078fbdbb86dec469b2a280d1323153fb
Author: Viktor Dukhovni <viktor at dukhovni.org>
Date:   Wed Apr 23 21:58:30 2014 -0400

    GH correct organizationalUnitName
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 208b2d541dcb3b8f62639d2a8cc5771af4ba8755)

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/req.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index cb06b53..54a4d39 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -489,7 +489,7 @@ be input by calling it "1.organizationName".
 The actual permitted field names are any object identifier short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrProvinceName. Additionally emailAddress
+organizationalUnitName, stateOrProvinceName. Additionally emailAddress
 is include as well as name, surname, givenName initials and dnQualifier.
 
 Additional object identifiers can be defined with the B<oid_file> or

From rsalz at openssl.org  Wed Aug 26 21:32:13 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:32:13 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1440624733.951735.10010.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  eb55a6f4558ce7a78647a21ac2ace8ddca7e7253 (commit)
      from  be8b8603d6789c1dcb058f167c8b54e3f4b928c9 (commit)


- Log -----------------------------------------------------------------
commit eb55a6f4558ce7a78647a21ac2ace8ddca7e7253
Author: Viktor Dukhovni <viktor at dukhovni.org>
Date:   Wed Apr 23 21:58:30 2014 -0400

    GH correct organizationalUnitName
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 208b2d541dcb3b8f62639d2a8cc5771af4ba8755)

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/req.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 0730d11..37ed377 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -490,7 +490,7 @@ be input by calling it "1.organizationName".
 The actual permitted field names are any object identifier short or
 long names. These are compiled into OpenSSL and include the usual
 values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrProvinceName. Additionally emailAddress
+organizationalUnitName, stateOrProvinceName. Additionally emailAddress
 is include as well as name, surname, givenName initials and dnQualifier.
 
 Additional object identifiers can be defined with the B<oid_file> or

From rsalz at openssl.org  Wed Aug 26 21:35:03 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:35:03 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440624903.376754.10580.nullmailer@dev.openssl.org>

The branch master has been updated
       via  8cbb153357896c4b224e0678550944f7851bc3b2 (commit)
      from  208b2d541dcb3b8f62639d2a8cc5771af4ba8755 (commit)


- Log -----------------------------------------------------------------
commit 8cbb153357896c4b224e0678550944f7851bc3b2
Author: David Brodski <bid at softing.com>
Date:   Tue May 13 18:06:27 2014 +0200

    Fixed problem with multiple load-unload of comp zlib
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/comp/c_zlib.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index 6a57f70..f0fc0af 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -309,7 +309,9 @@ COMP_METHOD *COMP_zlib(void)
 void COMP_zlib_cleanup(void)
 {
 #ifdef ZLIB_SHARED
-    DSO_free(zlib_dso);
+    if (zlib_dso != NULL)
+        DSO_free(zlib_dso);
+    zlib_dso = NULL;
 #endif
 }
 

From rsalz at openssl.org  Wed Aug 26 21:36:49 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:36:49 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1440625009.932079.11525.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  80c25ba6764c797f52982d45a12414618d48524a (commit)
      from  eb55a6f4558ce7a78647a21ac2ace8ddca7e7253 (commit)


- Log -----------------------------------------------------------------
commit 80c25ba6764c797f52982d45a12414618d48524a
Author: David Brodski <bid at softing.com>
Date:   Tue May 13 18:06:27 2014 +0200

    Fixed problem with multiple load-unload of comp zlib
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 8cbb153357896c4b224e0678550944f7851bc3b2)

-----------------------------------------------------------------------

Summary of changes:
 crypto/comp/c_zlib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index 6731af8..9c32614 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -404,8 +404,9 @@ COMP_METHOD *COMP_zlib(void)
 void COMP_zlib_cleanup(void)
 {
 #ifdef ZLIB_SHARED
-    if (zlib_dso)
+    if (zlib_dso != NULL)
         DSO_free(zlib_dso);
+    zlib_dso = NULL;
 #endif
 }
 

From rsalz at openssl.org  Wed Aug 26 21:37:20 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:37:20 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440625040.651204.11806.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  6cc31d4212c839c61b079af15b0dd43572ef8e68 (commit)
      from  06f6c551078fbdbb86dec469b2a280d1323153fb (commit)


- Log -----------------------------------------------------------------
commit 6cc31d4212c839c61b079af15b0dd43572ef8e68
Author: David Brodski <bid at softing.com>
Date:   Tue May 13 18:06:27 2014 +0200

    Fixed problem with multiple load-unload of comp zlib
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 8cbb153357896c4b224e0678550944f7851bc3b2)

-----------------------------------------------------------------------

Summary of changes:
 crypto/comp/c_zlib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index 6731af8..9c32614 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -404,8 +404,9 @@ COMP_METHOD *COMP_zlib(void)
 void COMP_zlib_cleanup(void)
 {
 #ifdef ZLIB_SHARED
-    if (zlib_dso)
+    if (zlib_dso != NULL)
         DSO_free(zlib_dso);
+    zlib_dso = NULL;
 #endif
 }
 

From rsalz at openssl.org  Wed Aug 26 21:47:47 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:47:47 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440625667.141623.13540.nullmailer@dev.openssl.org>

The branch master has been updated
       via  ad775e04f6dab51b7f929b54f5aa3c2393f957c5 (commit)
      from  8cbb153357896c4b224e0678550944f7851bc3b2 (commit)


- Log -----------------------------------------------------------------
commit ad775e04f6dab51b7f929b54f5aa3c2393f957c5
Author: Hubert Kario <hkario at redhat.com>
Date:   Fri Jul 31 18:32:39 2015 +0200

    GH350: -help text few s_client and s_server flags
    
    add -help description of sigalgs, client_sigalgs, curves
    and named_curve
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.h | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/apps/apps.h b/apps/apps.h
index 99c5809..48c82e8 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -296,10 +296,15 @@ void unbuffer(FILE *fp);
         {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \
         {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \
         {"strict", OPT_S_STRICT, '-' }, \
-        {"sigalgs", OPT_S_SIGALGS, 's', }, \
-        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', }, \
-        {"curves", OPT_S_CURVES, 's', }, \
-        {"named_curve", OPT_S_NAMEDCURVE, 's', }, \
+        {"sigalgs", OPT_S_SIGALGS, 's', \
+            "Signature algorithms to support (colon-separated list)" }, \
+        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
+            "Signature algorithms to support for client certificate" \
+            " authentication (colon-separated list)" }, \
+        {"curves", OPT_S_CURVES, 's', \
+            "Elliptic curves to advertise (colon-separated list)" }, \
+        {"named_curve", OPT_S_NAMEDCURVE, 's', \
+            "Elliptic curve used for ECDHE (server-side only)" }, \
         {"cipher", OPT_S_CIPHER, 's', }, \
         {"dhparam", OPT_S_DHPARAM, '<' }, \
         {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' }

From rsalz at openssl.org  Wed Aug 26 21:49:38 2015
From: rsalz at openssl.org (Rich Salz)
Date: Wed, 26 Aug 2015 21:49:38 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440625778.737348.14691.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  a7cb67f4f2457724fbfbc39377f55c26f3aafa80 (commit)
      from  6cc31d4212c839c61b079af15b0dd43572ef8e68 (commit)


- Log -----------------------------------------------------------------
commit a7cb67f4f2457724fbfbc39377f55c26f3aafa80
Author: Hubert Kario <hkario at redhat.com>
Date:   Fri Jul 31 19:02:07 2015 +0200

    GH351: -help text for some s_client/s_server flags
    
    add -help descriptions of -curves, -sigalgs, -client_sigalgs
    to s_client and s_server
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c | 8 ++++++++
 apps/s_server.c | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/apps/s_client.c b/apps/s_client.c
index e55f2c5..2c75e11 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -424,6 +424,14 @@ static void sc_usage(void)
                " -no_ticket        - disable use of RFC4507bis session tickets\n");
     BIO_printf(bio_err,
                " -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
+    BIO_printf(bio_err,
+               " -curves arg       - Elliptic curves to advertise (colon-separated list)\n");
+    BIO_printf(bio_err,
+               " -sigalgs arg      - Signature algorithms to support (colon-separated list)\n");
+    BIO_printf(bio_err,
+               " -client_sigalgs arg - Signature algorithms to support for client\n");
+    BIO_printf(bio_err,
+               "                       certificate authentication (colon-separated list)\n");
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
     BIO_printf(bio_err,
diff --git a/apps/s_server.c b/apps/s_server.c
index acef382..afc72b0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -652,6 +652,12 @@ static void sv_usage(void)
                " -no_ticket    - disable use of RFC4507bis session tickets\n");
     BIO_printf(bio_err,
                " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+    BIO_printf(bio_err,
+               " -sigalgs arg      - Signature algorithms to support (colon-separated list)\n");
+    BIO_printf(bio_err,
+               " -client_sigalgs arg  - Signature algorithms to support for client \n");
+    BIO_printf(bio_err,
+               "                        certificate authentication (colon-separated list)\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
     BIO_printf(bio_err,
                " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");

From rsalz at openssl.org  Thu Aug 27 18:28:02 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 27 Aug 2015 18:28:02 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440700082.303966.12739.nullmailer@dev.openssl.org>

The branch master has been updated
       via  c03726ca4153fca8d66185837008aa078969d386 (commit)
      from  ad775e04f6dab51b7f929b54f5aa3c2393f957c5 (commit)


- Log -----------------------------------------------------------------
commit c03726ca4153fca8d66185837008aa078969d386
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 27 12:28:08 2015 -0400

    Various doc fixes.
    
    Make all mention of digest algorithm use "any supported algorithm"
    
    RT2071, some new manpages from Victor B. Wagner <vitus at cryptocom.ru>:
        X509_LOOKUP_hash_dir.pod
        X509_check_ca.pod
        X509_check_issued.pod
    
    RT 1600:
        Remove references to non-existant objects(3)
        Add RETURN VALUES to BIO_do_accept page.
    
    RT1818:
        RSA_sign Can return values other than 0 on failure.
    
    RT3634:
        Fix AES CBC aliases (Steffen Nurpmeso <sdaoden at yandex.com>)
    
    RT3678:
        Some clarifications to BIO_new_pair
        (Devchandra L Meetei <dlmeetei at gmail.com>)
    
    RT3787:
        Fix some EVP_ function return values
        (Laetitia Baudoin <lbaudoin at google.com>)
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/apps/ca.pod                           |   5 +-
 doc/apps/dgst.pod                         |   4 ++
 doc/apps/enc.pod                          |   2 +-
 doc/apps/ocsp.pod                         |   6 +-
 doc/apps/openssl.pod                      |  16 ++---
 doc/apps/req.pod                          |  19 ++---
 doc/apps/ts.pod                           |   8 +--
 doc/apps/x509.pod                         |  15 ++--
 doc/crypto/BIO_s_accept.pod               |  10 ++-
 doc/crypto/BIO_s_bio.pod                  |  12 ++--
 doc/crypto/EVP_DigestVerifyInit.pod       |   3 +-
 doc/crypto/EVP_EncryptInit.pod            |   4 +-
 doc/crypto/RSA_sign.pod                   |  10 +--
 doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod |   2 +-
 doc/crypto/X509_LOOKUP_hash_dir.pod       | 114 ++++++++++++++++++++++++++++++
 doc/crypto/X509_check_ca.pod              |  36 ++++++++++
 doc/crypto/X509_check_issued.pod          |  36 ++++++++++
 doc/crypto/crypto.pod                     |   2 +-
 18 files changed, 253 insertions(+), 51 deletions(-)
 create mode 100644 doc/crypto/X509_LOOKUP_hash_dir.pod
 create mode 100644 doc/crypto/X509_check_ca.pod
 create mode 100644 doc/crypto/X509_check_issued.pod

diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index be0153a..3a3d1b6 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -167,7 +167,8 @@ the number of days to certify the certificate for.
 
 =item B<-md alg>
 
-the message digest to use. Possible values include md5, sha1 and mdc2.
+the message digest to use.
+Any digest supported by the OpenSSL B<dgst> command can be used.
 This option also applies to CRLs.
 
 =item B<-policy arg>
@@ -406,7 +407,7 @@ least one of these must be present to generate a CRL.
 
 =item B<default_md>
 
-the same as the B<-md> option. The message digest to use. Mandatory.
+the same as the B<-md> option. Mandatory.
 
 =item B<database>
 
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index 96d3cc0..1b1a7e1 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -185,6 +185,10 @@ To verify a signature:
 
 =head1 NOTES
 
+The digest mechanisms that are available will depend on the options
+used when building OpenSSL.
+The B<list digest-commands> command can be used to list them.
+
 New or agile applications should use probably use SHA-256. Other digests,
 particularly SHA-1 and MD5, are still widely used for interoperating
 with existing formats and protocols.
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 1d25cf3..26e678c 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -282,7 +282,7 @@ authentication tag.
  rc5-ofb            RC5 cipher in OFB mode
 
  aes-[128|192|256]-cbc	128/192/256 bit AES in CBC mode
- aes-[128|192|256]	Alias for aes-[128|192|256]-cbc
+ aes[128|192|256]	Alias for aes-[128|192|256]-cbc
  aes-[128|192|256]-cfb	128/192/256 bit AES in 128 bit CFB mode
  aes-[128|192|256]-cfb1	128/192/256 bit AES in 1 bit CFB mode
  aes-[128|192|256]-cfb8	128/192/256 bit AES in 8 bit CFB mode
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index a9b29b0..2566966 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -261,10 +261,12 @@ information is immediately available. In this case the age of the B<notBefore> f
 is checked to see it is not older than B<age> seconds old. By default this additional
 check is not performed.
 
-=item B<-md5|-sha1|-sha256|-ripemod160|...>
+=item B<-[digest]>
 
 this option sets digest algorithm to use for certificate identification
-in the OCSP request. By default SHA-1 is used. 
+in the OCSP request.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+The default is SHA-1.
 
 =back
 
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod
index d996eda..30ea9bd 100644
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -12,7 +12,7 @@ I<command>
 [ I<command_opts> ]
 [ I<command_args> ]
 
-B<openssl> [ B<list-standard-commands> | B<list-message-digest-commands> | B<list-cipher-commands> | B<list-cipher-algorithms> | B<list-message-digest-algorithms> | B<list-public-key-algorithms>]
+B<openssl> B<list> [ B<standard-commands> | B<digest-commands> | B<cipher-commands> | B<cipher-algorithms> | B<digest-algorithms> | B<public-key-algorithms>]
 
 B<openssl> B<no->I<XXX> [ I<arbitrary options> ]
 
@@ -41,20 +41,20 @@ The B<openssl> program provides a rich variety of commands (I<command> in the
 SYNOPSIS above), each of which often has a wealth of options and arguments
 (I<command_opts> and I<command_args> in the SYNOPSIS).
 
-The pseudo-commands B<list-standard-commands>, B<list-message-digest-commands>,
-and B<list-cipher-commands> output a list (one entry per line) of the names
+The list parameters B<standard-commands>, B<digest-commands>,
+and B<cipher-commands> output a list (one entry per line) of the names
 of all standard commands, message digest commands, or cipher commands,
 respectively, that are available in the present B<openssl> utility.
 
-The pseudo-commands B<list-cipher-algorithms> and
-B<list-message-digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
+The list parameters B<cipher-algorithms> and
+B<digest-algorithms> list all cipher and message digest names, one entry per line. Aliases are listed as:
 
  from => to
 
-The pseudo-command B<list-public-key-algorithms> lists all supported public
+The list parameter B<public-key-algorithms> lists all supported public
 key algorithms.
 
-The pseudo-command B<no->I<XXX> tests whether a command of the
+The command B<no->I<XXX> tests whether a command of the
 specified name is available.  If no command named I<XXX> exists, it
 returns 0 (success) and prints B<no->I<XXX>; otherwise it returns 1
 and prints I<XXX>.  In both cases, the output goes to B<stdout> and
@@ -63,7 +63,7 @@ are always ignored.  Since for each cipher there is a command of the
 same name, this provides an easy way for shell scripts to test for the
 availability of ciphers in the B<openssl> program.  (B<no->I<XXX> is
 not able to detect pseudo-commands such as B<quit>,
-B<list->I<...>B<-commands>, or B<no->I<XXX> itself.)
+B<list>, or B<no->I<XXX> itself.)
 
 =head2 STANDARD COMMANDS
 
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 3cbabb7..46bbfe6 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -127,13 +127,6 @@ in the configuration file and any requested extensions.
 If the B<-key> option is not used it will generate a new RSA private
 key using information specified in the configuration file.
 
-=item B<-subj arg>
-
-Replaces subject field of input request with specified data and outputs
-modified request. The arg must be formatted as
-I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
-
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
@@ -198,8 +191,9 @@ will not be encrypted.
 
 =item B<-[digest]>
 
-this specifies the message digest to sign the request with (such as
-B<-md5>, B<-sha1>). This overrides the digest algorithm specified in
+this specifies the message digest to sign the request.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+This overrides the digest algorithm specified in
 the configuration file.
 
 Some public key algorithms may override this choice. For instance, DSA
@@ -385,9 +379,10 @@ option. For compatibility B<encrypt_rsa_key> is an equivalent option.
 
 =item B<default_md>
 
-This option specifies the digest algorithm to use. Possible values
-include B<md5 sha1 mdc2>. If not present then MD5 is used. This
-option can be overridden on the command line.
+This option specifies the digest algorithm to use.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+If not present then MD5 is used.
+This option can be overridden on the command line.
 
 =item B<string_mask>
 
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index ff086d8..7a55b61 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -12,7 +12,7 @@ B<-query>
 [B<-config> configfile]
 [B<-data> file_to_hash]
 [B<-digest> digest_bytes]
-[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
+[B<-[digest]>]
 [B<-policy> object_id]
 [B<-no_nonce>]
 [B<-cert>]
@@ -124,10 +124,10 @@ per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
 1AF601...). The number of bytes must match the message digest algorithm
 in use. (Optional)
 
-=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
+=item B<-[digest]>
 
-The message digest to apply to the data file, it supports all the message
-digest algorithms that are supported by the openssl B<dgst> command.
+The message digest to apply to the data file.
+Any digest supported by the OpenSSL B<dgst> command can be used.
 The default is SHA-1. (Optional)
 
 =item B<-policy> object_id
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 0c6aaef..a06393d 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -55,7 +55,7 @@ B<openssl> B<x509>
 [B<-text>]
 [B<-certopt option>]
 [B<-C>]
-[B<-md2|-md5|-sha1|-mdc2>]
+[B<-[digest]>]
 [B<-clrext>]
 [B<-extfile filename>]
 [B<-extensions section>]
@@ -101,12 +101,15 @@ if this option is not specified.
 This specifies the output filename to write to or standard output by
 default.
 
-=item B<-md2|-md5|-sha1|-mdc2>
+=item B<-[digest]>
 
-the digest to use. This affects any signing or display option that uses a message
-digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
-specified then SHA1 is used. If the key being used to sign with is a DSA key
-then this option has no effect: SHA1 is always used with DSA keys.
+the digest to use.
+This affects any signing or display option that uses a message
+digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+If not specified then SHA1 is used.
+Note that if a DSA key is used for signing, then this flag is ignored
+and SHA1 is used.
 
 =item B<-engine id>
 
diff --git a/doc/crypto/BIO_s_accept.pod b/doc/crypto/BIO_s_accept.pod
index 8a23d42..80a8348 100644
--- a/doc/crypto/BIO_s_accept.pod
+++ b/doc/crypto/BIO_s_accept.pod
@@ -143,7 +143,15 @@ BIO_do_accept() are macros.
 
 =head1 RETURN VALUES
 
-TBA
+BIO_do_accept(),
+BIO_set_accept_port(), BIO_set_nbio_accept(), BIO_set_accept_bios(),
+and BIO_set_bind_mode(), return 1 for success and 0 or -1 for failure.
+
+BIO_get_accept_port() returns the port name or NULL on error.
+
+BIO_get_bind_mode() returns the set of B<BIO_BIND> flags, or -1 on failure.
+
+BIO_new_accept() returns a BIO or NULL on error.
 
 =head1 EXAMPLE
 
diff --git a/doc/crypto/BIO_s_bio.pod b/doc/crypto/BIO_s_bio.pod
index 998796b..0daa518 100644
--- a/doc/crypto/BIO_s_bio.pod
+++ b/doc/crypto/BIO_s_bio.pod
@@ -136,9 +136,9 @@ without having to go through the SSL-interface.
 
  BIO *internal_bio, *network_bio;
  ...
- BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
+ BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
  SSL_set_bio(ssl, internal_bio, internal_bio);
- SSL_operations();
+ SSL_operations(); //e.g SSL_read and SSL_write
  ...
 
  application |   TLS-engine
@@ -147,9 +147,13 @@ without having to go through the SSL-interface.
              |     /\    ||
              |     ||    \/
              |   BIO-pair (internal_bio)
-    +----------< BIO-pair (network_bio)
+             |   BIO-pair (network_bio)
+             |     ||     /\
+             |     \/     ||
+    +-----------< BIO_operations()
     |        |
-  socket     |
+    |        |
+   socket
 
   ...
   SSL_free(ssl);		/* implicitly frees internal_bio */
diff --git a/doc/crypto/EVP_DigestVerifyInit.pod b/doc/crypto/EVP_DigestVerifyInit.pod
index 2068ce7..44d3cdb 100644
--- a/doc/crypto/EVP_DigestVerifyInit.pod
+++ b/doc/crypto/EVP_DigestVerifyInit.pod
@@ -34,8 +34,7 @@ B<sig> of length B<siglen>.
 =head1 RETURN VALUES
 
 EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0
-or a negative value for failure. In particular a return value of -2 indicates
-the operation is not supported by the public key algorithm.
+for failure.
 
 Unlike other functions the return value 0 from EVP_DigestVerifyFinal() only
 indicates that the signature did not verify successfully (that is tbs did
diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod
index 4a31686..9a1bdef 100644
--- a/doc/crypto/EVP_EncryptInit.pod
+++ b/doc/crypto/EVP_EncryptInit.pod
@@ -282,8 +282,8 @@ OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
 
 EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
 
-EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for
-success or zero for failure.
+EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return greater
+than zero for success and zero or a negative number.
 
 =head1 CIPHER LISTING
 
diff --git a/doc/crypto/RSA_sign.pod b/doc/crypto/RSA_sign.pod
index 4e98925..a526eaf 100644
--- a/doc/crypto/RSA_sign.pod
+++ b/doc/crypto/RSA_sign.pod
@@ -26,8 +26,8 @@ See L<RSA_private_encrypt(3)> for lower-level
 operations.
 
 B<type> denotes the message digest algorithm that was used to generate
-B<m>. It usually is one of B<NID_sha1>, B<NID_ripemd160> and B<NID_md5>;
-see L<objects(3)> for details. If B<type> is B<NID_md5_sha1>,
+B<m>.
+If B<type> is B<NID_md5_sha1>,
 an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
 and no algorithm identifier) is created.
 
@@ -38,8 +38,8 @@ B<rsa> is the signer's public key.
 
 =head1 RETURN VALUES
 
-RSA_sign() returns 1 on success, 0 otherwise.  RSA_verify() returns 1
-on successful verification, 0 otherwise.
+RSA_sign() returns 1 on success.
+RSA_verify() returns 1 on successful verification.
 
 The error codes can be obtained by L<ERR_get_error(3)>.
 
@@ -54,7 +54,7 @@ SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<objects(3)>,
+L<ERR_get_error(3)>,
 L<rsa(3)>, L<RSA_private_encrypt(3)>,
 L<RSA_public_decrypt(3)> 
 
diff --git a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
index f505ddb..7b9ecfc 100644
--- a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
+++ b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod
@@ -47,7 +47,7 @@ These functions serve no recognizable purpose.
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<objects(3)>,
+L<ERR_get_error(3)>,
 L<rand(3)>, L<rsa(3)>, L<RSA_sign(3)>,
 L<RSA_verify(3)>
 
diff --git a/doc/crypto/X509_LOOKUP_hash_dir.pod b/doc/crypto/X509_LOOKUP_hash_dir.pod
new file mode 100644
index 0000000..680a9fd
--- /dev/null
+++ b/doc/crypto/X509_LOOKUP_hash_dir.pod
@@ -0,0 +1,114 @@
+=pod
+
+=head1 NAME
+
+X509_LOOKUP_hash_dir, X509_LOOKUP_file,
+X509_load_cert_file,
+X509_load_crl_file,
+X509_load_cert_crl_file - Default OpenSSL certificate
+lookup methods
+
+=head1 SYNOPSIS
+
+  #include <openssl/x509_vfy.h>
+
+  X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
+  X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
+
+  int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
+  int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
+  int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
+
+=head1 DESCRIPTION
+
+B<X509_LOOKUP_hash_dir> and B<X509_LOOKUP_file> are two certificate
+lookup methods to use with B<X509_STORE>, provided by OpenSSL library.
+
+Users of the library typically do not need to create instanses of these
+methods manually, they would be created automatically by
+L<X509_STORE_load_locations(3)> or
+L<SSL_CTX_load_verify_locations(3)>
+functions.
+
+Internally loading of certificates and CRLs is implemented via functions
+B<X509_load_cert_crl_file>, B<X509_load_cert_file> and
+B<X509_load_crl_file>. These functions support parameter I<type>, which
+can be one of constants B<FILETYPE_PEM>, B<FILETYPE_ASN1> and
+B<FILETYPE_DEFAULT>. They load certificates and/or CRLs from specified
+file into memory cache of B<X509_STORE> objects which given B<ctx>
+parameter is associated with.
+
+Functions B<X509_load_cert_file> and
+B<X509_load_crl_file> can load both PEM and DER formats depending of
+type value. Because DER format cannot contain more than one certificate
+or CRL object (while PEM can contain several concatenated PEM objects)
+B<X509_load_cert_crl_file> with B<FILETYPE_ASN1> is equivalent to
+B<X509_load_cert_file>.
+
+Constant B<FILETYPE_DEFAULT> with NULL filename causes these functions
+to load default certificate store file (see
+L<X509_STORE_set_default_paths>.
+
+
+Functions return number of objects loaded from file or 0 in case of
+error. 
+
+Both methods support adding several certificate locations into one
+B<X509_STORE>.
+
+This page documents certificate store formats used by these methods and
+caching policy.
+
+=head2  FILE METHOD
+
+B<X509_LOOKUP_file> method loads entire set of certificates and CRLs
+into memory immediately when file name is passed to it. 
+
+File format is ASCII text which contains concatenated PEM certificates
+and CRLs.
+
+This method should be used by applications which work with limited set
+of CAs.
+
+
+=head2 HASHED DIR METHOD
+
+B<X509_LOOKUP_hash_dir> is more sophisticated method, which loads
+certificates and CRLs on demand, but caches them in the memory once they
+are loaded. However, since OpenSSL 1.0.0beta1 it checks for newer CRLs
+upon each lookup, so if newer CRL would appear in the directory, it
+would be loaded.
+
+Directory should contain each certificate and CRL in the separate file
+in the PEM format, with file name derived from certificate subject (or CRL
+issuer) hash, as returned by L<X509_NAME_hash(3)>
+function of with option B<-hash> of L<x509(1)> or
+L<crl(1)> command.
+
+This hash value is appended by suffix .I<N> for certificates and
+B<.r>I<N> for CRLs where I<N> is sequentual
+number among certificates with same hash value, so it is possible to
+have in the store several certificates with same subject or several CRLs
+with same issuer (and, for example, different validity period).
+
+When checking for new CRLs once one CRL for given hash value is loaded, 
+hash_dir lookup method checks only for certificates with sequentual
+number greater than one of already cached CRL.
+
+Note that hash algorithm used for subject hashing is changed in OpenSSL
+1.0, so all certificate stores have to be rehashed upon transitopn from
+0.9.8 to 1.0.0.
+
+OpenSSL includes utility L<c_rehash(1)> which creates
+symlinks with correct hashed names for all files with .pem suffix in the
+given directory.
+
+=head1 SEE ALSO
+
+L<pem(3)>, L<d2i_X509_bio(3)>,
+L<X509_STORE_load_locations(3)>,
+L<X609_store_add_lookup(3)>,
+L<SSL_CTX_load_verify_locations(3)>,
+
+=cut
+
diff --git a/doc/crypto/X509_check_ca.pod b/doc/crypto/X509_check_ca.pod
new file mode 100644
index 0000000..87b6c26
--- /dev/null
+++ b/doc/crypto/X509_check_ca.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+X509_check_ca - check if given certificate is CA certificate
+
+=head1 SYNOPSIS
+
+   #include <openssl/x509v3.h>
+
+   int X509_check_ca(X509 *cert);
+
+=head1 DESCRIPTION
+
+This function checks if given certificate is CA certificate (can be used
+to sign other certificates).
+
+=head1 RETURN VALUE
+
+Function return 0, if it is not CA certificate, 1 if it is proper X509v3
+CA certificate with B<basicConstraints> extension CA:TRUE,
+3, if it is selfsigned X509 v1 certificate, 4, if it is certificate with
+B<keyUsage> extension with bit B<keyCertSign> set, but without
+B<basicConstraints>, and 5 if it has outdated Netscape Certificate Type
+extension telling that it is CA certificate.
+
+Actually, any non-zero value means that this certificate could have been
+used to sign other certificates.
+
+=head1 SEE ALSO
+
+L<X509_verify_cert(3)>,
+L<X509_check_issued(3)>,
+L<X509_check_purpose(3)>
+
+=cut
diff --git a/doc/crypto/X509_check_issued.pod b/doc/crypto/X509_check_issued.pod
new file mode 100644
index 0000000..0830e82
--- /dev/null
+++ b/doc/crypto/X509_check_issued.pod
@@ -0,0 +1,36 @@
+=pod
+
+=head1 NAME
+
+X509_check_issued - checks if certificate is issued by another
+certificate
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509v3.h>
+
+ int X509_check_issued(X509 *issuer, X509 *subject);
+
+
+=head1 DESCRIPTION
+
+This function checks if certificate I<subject> was issued using CA
+certificate I<issuer>. This function takes into account not only 
+matching of issuer field of I<subject> with subject field of I<issuer>,
+but also compares B<authorityKeyIdentifier> extension of I<subject> with
+B<subjectKeyIdentifier> of I<issuer> if B<authorityKeyIdentifier>
+present in the I<subject> certificate and checks B<keyUsage> field of
+I<issuer>.
+
+=head1 RETURN VALUE
+
+Function return B<X509_V_OK> if certificate I<subject> is issued by
+I<issuer> or some B<X509_V_ERR*> constant to indicate an error.
+
+=head1 SEE ALSO
+
+L<X509_verify_cert(3)>,
+L<X509_check_ca(3)>,
+L<verify(1)>
+
+=cut
diff --git a/doc/crypto/crypto.pod b/doc/crypto/crypto.pod
index 45887a6..aad75af 100644
--- a/doc/crypto/crypto.pod
+++ b/doc/crypto/crypto.pod
@@ -57,7 +57,7 @@ L<pkcs7(3)>, L<pkcs12(3)>
 =item UTILITY FUNCTIONS
 
 L<bn(3)>, L<buffer(3)>, L<lhash(3)>,
-L<objects(3)>, L<stack(3)>,
+L<stack(3)>,
 L<txt_db(3)> 
 
 =back

From rsalz at openssl.org  Thu Aug 27 21:30:00 2015
From: rsalz at openssl.org (Rich Salz)
Date: Thu, 27 Aug 2015 21:30:00 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440711000.238999.5635.nullmailer@dev.openssl.org>

The branch master has been updated
       via  3c65047d30dacca345d30269b95af4a5c413e8d1 (commit)
      from  c03726ca4153fca8d66185837008aa078969d386 (commit)


- Log -----------------------------------------------------------------
commit 3c65047d30dacca345d30269b95af4a5c413e8d1
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Aug 27 17:17:26 2015 -0400

    Fix memory over-read
    
    Fix from David Baggett via tweet.
    
    Signed-off-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index c8e8519..2ca6bea 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -553,7 +553,7 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
         return (NULL);
     bn_check_top(ret);
     /* Skip leading zero's. */
-    for ( ; *s == 0 && len > 0; s++, len--)
+    for ( ; len > 0 && *s == 0; s++, len--)
         continue;
     n = len;
     if (n == 0) {

From rsalz at openssl.org  Fri Aug 28 02:57:17 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 28 Aug 2015 02:57:17 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440730637.861691.16364.nullmailer@dev.openssl.org>

The branch master has been updated
       via  f00a10b89734e84fe80f98ad9e2e77b557c701ae (commit)
      from  3c65047d30dacca345d30269b95af4a5c413e8d1 (commit)


- Log -----------------------------------------------------------------
commit f00a10b89734e84fe80f98ad9e2e77b557c701ae
Author: Ismo Puustinen <ismo.puustinen at intel.com>
Date:   Fri Aug 7 22:14:47 2015 -0400

    GH367: Fix dsa keygen for too-short seed
    
    If the seed value for dsa key generation is too short (< qsize),
    return an error. Also update the documentation.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                                |  4 ++++
 crypto/dsa/dsa_gen.c                   | 29 ++++++++++++-----------------
 doc/crypto/DSA_generate_parameters.pod | 11 +++++------
 3 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/CHANGES b/CHANGES
index bcfae0a..384abf8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
 
+  *) In DSA_generate_parameters_ex, if the provided seed is too short,
+     return an error
+     [Rich Salz and Ismo Puustinen <ismo.puustinen at intel.com>]
+
   *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
      from RFC4279, RFC4785, RFC5487, RFC5489.
 
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index e030cfa..a4fae17 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -132,18 +132,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     bits = (bits + 63) / 64 * 64;
 
-    /*
-     * NB: seed_len == 0 is special case: copy generated seed to seed_in if
-     * it is not NULL.
-     */
-    if (seed_len && (seed_len < (size_t)qsize))
-        seed_in = NULL;         /* seed buffer too small -- ignore */
-    if (seed_len > (size_t)qsize)
-        seed_len = qsize;       /* App. 2.2 of FIPS PUB 186 allows larger
-                                 * SEED, but our internal buffers are
-                                 * restricted to 160 bits */
-    if (seed_in != NULL)
+    if (seed_in != NULL) {
+        if (seed_len < (size_t)qsize)
+            return 0;
+        if (seed_len > (size_t)qsize) {
+            /* Don't overflow seed local variable. */
+            seed_len = qsize;
+        }
         memcpy(seed, seed_in, seed_len);
+    }
 
     if ((ctx = BN_CTX_new()) == NULL)
         goto err;
@@ -166,20 +163,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random;
+            int seed_is_random = seed_in == NULL;
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (!seed_len) {
+            if (seed_is_random) {
                 if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
-                seed_is_random = 1;
             } else {
-                seed_is_random = 0;
-                seed_len = 0;   /* use random seed if 'seed_in' turns out to
-                                 * be bad */
+                /* If we come back through, use random seed next time. */
+                seed_in = NULL;
             }
             memcpy(buf, seed, qsize);
             memcpy(buf2, seed, qsize);
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index d2a0418..92c89a0 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -23,13 +23,12 @@ Deprecated:
 DSA_generate_parameters_ex() generates primes p and q and a generator g
 for use in the DSA and stores the result in B<dsa>.
 
-B<bits> is the length of the prime to be generated; the DSS allows a
-maximum of 1024 bits.
+B<bits> is the length of the prime p to be generated.
+For lengths under 2048 bits, the length of q is 160 bits; for lengths
+at least 2048, it is set to 256 bits.
 
-If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
-generated at random. Otherwise, the seed is used to generate
-them. If the given seed does not yield a prime q, a new random
-seed is chosen and placed at B<seed>.
+If B<seed> is NULL, the primes will be generated at random.
+If B<seed_len> is less than the length of q, an error is returned.
 
 DSA_generate_parameters_ex() places the iteration count in
 *B<counter_ret> and a counter used for finding a generator in

From rsalz at openssl.org  Fri Aug 28 15:18:21 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 28 Aug 2015 15:18:21 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440775101.762824.26619.nullmailer@dev.openssl.org>

The branch master has been updated
       via  55500ea7c46c27a150a46832e1260891aaad8e52 (commit)
      from  f00a10b89734e84fe80f98ad9e2e77b557c701ae (commit)


- Log -----------------------------------------------------------------
commit 55500ea7c46c27a150a46832e1260891aaad8e52
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Aug 27 23:07:07 2015 -0400

    GH354: Memory leak fixes
    
    Fix more potential leaks in X509_verify_cert()
    Fix memory leak in ClientHello test
    Fix memory leak in gost2814789 test
    Fix potential memory leak in PKCS7_verify()
    Fix potential memory leaks in X509_add1_reject_object()
    Refactor to use "goto err" in cleanup.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_x509a.c    |  7 +++++--
 crypto/pkcs7/pk7_smime.c | 26 ++++++--------------------
 crypto/x509/x509_vfy.c   |  4 ++--
 test/clienthellotest.c   |  1 +
 test/gost2814789test.c   |  3 +++
 5 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c
index d81ccfb..e299b1f 100644
--- a/crypto/asn1/x_x509a.c
+++ b/crypto/asn1/x_x509a.c
@@ -172,11 +172,14 @@ int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
     if ((objtmp = OBJ_dup(obj)) == NULL)
         return 0;
     if ((aux = aux_get(x)) == NULL)
-        return 0;
+        goto err;
     if (aux->reject == NULL
         && (aux->reject = sk_ASN1_OBJECT_new_null()) == NULL)
-        return 0;
+        goto err;
     return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+ err:
+    ASN1_OBJECT_free(objtmp);
+    return 0;
 }
 
 void X509_trust_clear(X509 *x)
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index e52e746..91557af 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -255,8 +255,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     X509_STORE_CTX cert_ctx;
     char buf[4096];
     int i, j = 0, k, ret = 0;
-    BIO *p7bio;
-    BIO *tmpin, *tmpout;
+    BIO *p7bio = NULL;
+    BIO *tmpin = NULL, *tmpout = NULL;
 
     if (!p7) {
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_INVALID_NULL_POINTER);
@@ -274,18 +274,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         return 0;
     }
 
-    /*
-     * Very old Netscape illegally included empty content with
-     * a detached signature. To not support that, enable the
-     * following flag.
-     */
-#ifdef OPENSSL_DONT_SUPPORT_OLD_NETSCAPE
     /* Check for data and content: two sets of data */
     if (!PKCS7_get_detached(p7) && indata) {
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
         return 0;
     }
-#endif
 
     sinfos = PKCS7_get_signer_info(p7);
 
@@ -295,7 +288,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
 
     signers = PKCS7_get0_signers(p7, certs, flags);
-
     if (!signers)
         return 0;
 
@@ -308,14 +300,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                 if (!X509_STORE_CTX_init(&cert_ctx, store, signer,
                                          p7->d.sign->cert)) {
                     PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
-                    sk_X509_free(signers);
-                    return 0;
+                    goto err;
                 }
                 X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
             } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) {
                 PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
-                sk_X509_free(signers);
-                return 0;
+                goto err;
             }
             if (!(flags & PKCS7_NOCRL))
                 X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
@@ -328,8 +318,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                          PKCS7_R_CERTIFICATE_VERIFY_ERROR);
                 ERR_add_error_data(2, "Verify error:",
                                    X509_verify_cert_error_string(j));
-                sk_X509_free(signers);
-                return 0;
+                goto err;
             }
             /* Check for revocation status here */
         }
@@ -348,7 +337,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         tmpin = BIO_new_mem_buf(ptr, len);
         if (tmpin == NULL) {
             PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
-            return 0;
+            goto err;
         }
     } else
         tmpin = indata;
@@ -398,15 +387,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     ret = 1;
 
  err:
-
     if (tmpin == indata) {
         if (indata)
             BIO_pop(p7bio);
     }
     BIO_free_all(p7bio);
-
     sk_X509_free(signers);
-
     return ret;
 }
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 6b1f7fe..a3077b5 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -243,7 +243,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
             ok = ctx->get_issuer(&xtmp, ctx, x);
             if (ok < 0)
-                return ok;
+                goto end;
             /*
              * If successful for now free up cert so it will be picked up
              * again later.
@@ -341,7 +341,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
             ok = ctx->get_issuer(&xtmp, ctx, x);
 
             if (ok < 0)
-                return ok;
+                goto end;
             if (ok == 0)
                 break;
             x = xtmp;
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index acc56f8..318d6e8 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -213,6 +213,7 @@ int main(int argc, char *argv[])
     EVP_cleanup();
     CRYPTO_cleanup_all_ex_data();
     CRYPTO_mem_leaks(err);
+    BIO_free(err);
 
     return testresult?0:1;
 }
diff --git a/test/gost2814789test.c b/test/gost2814789test.c
index b2cd41f..953e1e1 100644
--- a/test/gost2814789test.c
+++ b/test/gost2814789test.c
@@ -1411,6 +1411,7 @@ int main(int argc, char *argv[])
             }
             siglen = 4;
             OPENSSL_assert(EVP_DigestSignFinal(&mctx, bTest, &siglen));
+            EVP_PKEY_free(mac_key);
             EVP_MD_CTX_cleanup(&mctx);
             enlu = (int)tcs[t].ullLen;
             enlf = 0;
@@ -1434,6 +1435,8 @@ int main(int argc, char *argv[])
     printf(" passed\n");
     fflush(NULL);
 
+    NCONF_free(pConfig);
+
     return EXIT_SUCCESS;
 }
 #endif

From rsalz at openssl.org  Fri Aug 28 15:25:49 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 28 Aug 2015 15:25:49 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1440775549.514570.29164.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  9a9744646805bcf5d25af990be0533f71bf5edd5 (commit)
      from  80c25ba6764c797f52982d45a12414618d48524a (commit)


- Log -----------------------------------------------------------------
commit 9a9744646805bcf5d25af990be0533f71bf5edd5
Author: Ismo Puustinen <ismo.puustinen at intel.com>
Date:   Fri Aug 7 22:14:47 2015 -0400

    GH367: Fix dsa keygen for too-short seed
    
    If the seed value for dsa key generation is too short (< qsize),
    return an error. Also update the documentation.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit f00a10b89734e84fe80f98ad9e2e77b557c701ae)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                                |  7 ++++++-
 crypto/dsa/dsa_gen.c                   | 31 +++++++++++++------------------
 doc/crypto/DSA_generate_parameters.pod | 11 +++++------
 3 files changed, 24 insertions(+), 25 deletions(-)

diff --git a/CHANGES b/CHANGES
index c2aba4b..6e19f3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,12 @@
 
  Changes between 1.0.1p and 1.0.1q [xx XXX xxxx]
 
-  *)
+  *) In DSA_generate_parameters_ex, if the provided seed is too short,
+     return an error
+     [Rich Salz and Ismo Puustinen <ismo.puustinen at intel.com>]
+
+  *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
+     from RFC4279, RFC4785, RFC5487, RFC5489.
 
  Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
 
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index d686ab0..44c47a3 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -161,18 +161,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     bits = (bits + 63) / 64 * 64;
 
-    /*
-     * NB: seed_len == 0 is special case: copy generated seed to seed_in if
-     * it is not NULL.
-     */
-    if (seed_len && (seed_len < (size_t)qsize))
-        seed_in = NULL;         /* seed buffer too small -- ignore */
-    if (seed_len > (size_t)qsize)
-        seed_len = qsize;       /* App. 2.2 of FIPS PUB 186 allows larger
-                                 * SEED, but our internal buffers are
-                                 * restricted to 160 bits */
-    if (seed_in != NULL)
+    if (seed_in != NULL) {
+        if (seed_len < (size_t)qsize)
+            return 0;
+        if (seed_len > (size_t)qsize) {
+            /* Don't overflow seed local variable. */
+            seed_len = qsize;
+        }
         memcpy(seed, seed_in, seed_len);
+    }
 
     if ((ctx = BN_CTX_new()) == NULL)
         goto err;
@@ -195,20 +192,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random;
+            int seed_is_random = seed_in == NULL;
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (!seed_len) {
-                if (RAND_pseudo_bytes(seed, qsize) < 0)
+            if (seed_is_random) {
+                if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
-                seed_is_random = 1;
             } else {
-                seed_is_random = 0;
-                seed_len = 0;   /* use random seed if 'seed_in' turns out to
-                                 * be bad */
+                /* If we come back through, use random seed next time. */
+                seed_in = NULL;
             }
             memcpy(buf, seed, qsize);
             memcpy(buf2, seed, qsize);
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index be7c924..ae30824 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -17,13 +17,12 @@ DSA_generate_parameters - generate DSA parameters
 DSA_generate_parameters() generates primes p and q and a generator g
 for use in the DSA.
 
-B<bits> is the length of the prime to be generated; the DSS allows a
-maximum of 1024 bits.
+B<bits> is the length of the prime p to be generated.
+For lengths under 2048 bits, the length of q is 160 bits; for lengths
+at least 2048, it is set to 256 bits.
 
-If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
-generated at random. Otherwise, the seed is used to generate
-them. If the given seed does not yield a prime q, a new random
-seed is chosen and placed at B<seed>.
+If B<seed> is NULL, the primes will be generated at random.
+If B<seed_len> is less than the length of q, an error is returned.
 
 DSA_generate_parameters() places the iteration count in
 *B<counter_ret> and a counter used for finding a generator in

From rsalz at openssl.org  Fri Aug 28 15:26:04 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 28 Aug 2015 15:26:04 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440775564.202394.29420.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  1d7df236dcb4f7c95707110753e5e77b19b9a0aa (commit)
      from  a7cb67f4f2457724fbfbc39377f55c26f3aafa80 (commit)


- Log -----------------------------------------------------------------
commit 1d7df236dcb4f7c95707110753e5e77b19b9a0aa
Author: Ismo Puustinen <ismo.puustinen at intel.com>
Date:   Fri Aug 7 22:14:47 2015 -0400

    GH367: Fix dsa keygen for too-short seed
    
    If the seed value for dsa key generation is too short (< qsize),
    return an error. Also update the documentation.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit f00a10b89734e84fe80f98ad9e2e77b557c701ae)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                                | 449 ++++++++++++++++++++++++++++++++-
 crypto/dsa/dsa_gen.c                   |  31 +--
 doc/crypto/DSA_generate_parameters.pod |  11 +-
 3 files changed, 466 insertions(+), 25 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2760606..082e15e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,454 @@
 
  Changes between 1.0.2d and 1.0.2e [xx XXX xxxx]
 
-  *)
+  *) In DSA_generate_parameters_ex, if the provided seed is too short,
+     return an error
+     [Rich Salz and Ismo Puustinen <ismo.puustinen at intel.com>]
+
+  *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
+     from RFC4279, RFC4785, RFC5487, RFC5489.
+
+     Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
+     original RSA_PSK patch.
+     [Steve Henson]
+
+  *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
+     era flag was never set throughout the codebase (only read). Also removed
+     SSL3_FLAGS_POP_BUFFER which was only used if
+     SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
+     [Matt Caswell]
+
+  *) Changed the default name options in the "ca", "crl", "req" and "x509"
+     to be "oneline" instead of "compat".
+     [Richard Levitte]
+
+  *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
+     not aware of clients that still exhibit this bug, and the workaround
+     hasn't been working properly for a while.
+     [Emilia K?sper]
+
+  *) The return type of BIO_number_read() and BIO_number_written() as well as
+     the corresponding num_read and num_write members in the BIO structure has
+     changed from unsigned long to uint64_t. On platforms where an unsigned
+     long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
+     transferred.
+     [Matt Caswell]
+
+  *) Given the pervasive nature of TLS extensions it is inadvisable to run
+     OpenSSL without support for them. It also means that maintaining
+     the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
+     not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
+     [Matt Caswell]
+
+  *) Removed support for the two export grade static DH ciphersuites
+     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+     were newly added (along with a number of other static DH ciphersuites) to
+     1.0.2. However the two export ones have *never* worked since they were
+     introduced. It seems strange in any case to be adding new export
+     ciphersuites, and given "logjam" it also does not seem correct to fix them.
+     [Matt Caswell]
+
+  *) Version negotiation has been rewritten. In particular SSLv23_method(),
+     SSLv23_client_method() and SSLv23_server_method() have been deprecated,
+     and turned into macros which simply call the new preferred function names
+     TLS_method(), TLS_client_method() and TLS_server_method(). All new code
+     should use the new names instead. Also as part of this change the ssl23.h
+     header file has been removed.
+     [Matt Caswell]
+
+  *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
+     code and the associated standard is no longer considered fit-for-purpose.
+     [Matt Caswell]
+
+  *) RT2547 was closed.  When generating a private key, try to make the
+     output file readable only by the owner.  This behavior change might
+     be noticeable when interacting with other software.
+
+  *) Added HTTP GET support to the ocsp command.
+     [Rich Salz]
+
+  *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
+     [Matt Caswell]
+
+  *) Added support for TLS extended master secret from
+     draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
+     initial patch which was a great help during development.
+     [Steve Henson]
+
+  *) All libssl internal structures have been removed from the public header
+     files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
+     now redundant). Users should not attempt to access internal structures
+     directly. Instead they should use the provided API functions.
+     [Matt Caswell]
+
+  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
+     Access to deprecated functions can be re-enabled by running config with
+     "enable-deprecated". In addition applications wishing to use deprecated
+     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
+     will, by default, disable some transitive includes that previously existed
+     in the header files (e.g. ec.h will no longer, by default, include bn.h)
+     [Matt Caswell]
+
+  *) Added support for OCB mode. OpenSSL has been granted a patent license
+     compatible with the OpenSSL license for use of OCB. Details are available
+     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
+     for OCB can be removed by calling config with no-ocb.
+     [Matt Caswell]
+
+  *) SSLv2 support has been removed.  It still supports receiving a SSLv2
+     compatible client hello.
+     [Kurt Roeckx]
+
+  *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
+     done while fixing the error code for the key-too-small case.
+     [Annie Yousar <a.yousar at informatik.hu-berlin.de>]
+
+  *) CA.sh has been removmed; use CA.pl instead.
+     [Rich Salz]
+
+  *) Removed old DES API.
+     [Rich Salz]
+
+  *) Remove various unsupported platforms:
+        Sony NEWS4
+        BEOS and BEOS_R5
+        NeXT
+        SUNOS
+        MPE/iX
+        Sinix/ReliantUNIX RM400
+        DGUX
+        NCR
+        Tandem
+        Cray
+        16-bit platforms such as WIN16
+     [Rich Salz]
+
+  *) Clean up OPENSSL_NO_xxx #define's
+        Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
+        Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
+        OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
+        OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
+        OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
+        Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
+        OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
+        OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
+        OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
+        Remove MS_STATIC; it's a relic from platforms <32 bits.
+     [Rich Salz]
+
+  *) Cleaned up dead code
+        Remove all but one '#ifdef undef' which is to be looked at.
+     [Rich Salz]
+
+  *) Clean up calling of xxx_free routines.
+        Just like free(), fix most of the xxx_free routines to accept
+        NULL.  Remove the non-null checks from callers.  Save much code.
+     [Rich Salz]
+
+  *) Add secure heap for storage of private keys (when possible).
+     Add BIO_s_secmem(), CBIGNUM, etc.
+     Contributed by Akamai Technologies under our Corporate CLA.
+     [Rich Salz]
+
+  *) Experimental support for a new, fast, unbiased prime candidate generator,
+     bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
+     [Felix Laurie von Massenbach <felix at erbridge.co.uk>]
+
+  *) New output format NSS in the sess_id command line tool. This allows
+     exporting the session id and the master key in NSS keylog format.
+     [Martin Kaiser <martin at kaiser.cx>]
+
+  *) Harmonize version and its documentation. -f flag is used to display
+     compilation flags.
+     [mancha <mancha1 at zoho.com>]
+
+  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+     in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
+     [mancha <mancha1 at zoho.com>]
+
+  *) Fix some double frees. These are not thought to be exploitable.
+     [mancha <mancha1 at zoho.com>]
+
+  *) A missing bounds check in the handling of the TLS heartbeat extension
+     can be used to reveal up to 64k of memory to a connected client or
+     server.
+
+     Thanks for Neel Mehta of Google Security for discovering this bug and to
+     Adam Langley <agl at chromium.org> and Bodo Moeller <bmoeller at acm.org> for
+     preparing the fix (CVE-2014-0160)
+     [Adam Langley, Bodo Moeller]
+
+  *) Fix for the attack described in the paper "Recovering OpenSSL
+     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+     by Yuval Yarom and Naomi Benger. Details can be obtained from:
+     http://eprint.iacr.org/2014/140
+
+     Thanks to Yuval Yarom and Naomi Benger for discovering this
+     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+     [Yuval Yarom and Naomi Benger]
+
+  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+     this fixes a limitation in previous versions of OpenSSL.
+     [Steve Henson]
+
+  *) Experimental encrypt-then-mac support.
+    
+     Experimental support for encrypt then mac from
+     draft-gutmann-tls-encrypt-then-mac-02.txt
+
+     To enable it set the appropriate extension number (0x42 for the test
+     server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
+ 
+     For non-compliant peers (i.e. just about everything) this should have no
+     effect.
+
+     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
+
+     [Steve Henson]
+
+  *) Add EVP support for key wrapping algorithms, to avoid problems with
+     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
+     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
+     algorithms and include tests cases.
+     [Steve Henson]
+
+  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
+     enveloped data.
+     [Steve Henson]
+
+  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
+     MGF1 digest and OAEP label.
+     [Steve Henson]
+
+  *) Make openssl verify return errors.
+     [Chris Palmer <palmer at google.com> and Ben Laurie]
+
+  *) New function ASN1_TIME_diff to calculate the difference between two
+     ASN1_TIME structures or one structure and the current time.
+     [Steve Henson]
+
+  *) Update fips_test_suite to support multiple command line options. New
+     test to induce all self test errors in sequence and check expected
+     failures.
+     [Steve Henson]
+
+  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
+     sign or verify all in one operation.
+     [Steve Henson]
+
+  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
+     test programs and fips_test_suite. Includes functionality to parse
+     the minimal script output of fipsalgest.pl directly.
+     [Steve Henson]
+
+  *) Add authorisation parameter to FIPS_module_mode_set().
+     [Steve Henson]
+
+  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
+     [Steve Henson]
+
+  *) Use separate DRBG fields for internal and external flags. New function
+     FIPS_drbg_health_check() to perform on demand health checking. Add
+     generation tests to fips_test_suite with reduced health check interval to 
+     demonstrate periodic health checking. Add "nodh" option to
+     fips_test_suite to skip very slow DH test.
+     [Steve Henson]
+
+  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
+     based on NID.
+     [Steve Henson]
+
+  *) More extensive health check for DRBG checking many more failure modes.
+     New function FIPS_selftest_drbg_all() to handle every possible DRBG
+     combination: call this in fips_test_suite.
+     [Steve Henson]
+
+  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
+     and POST to handle Dual EC cases.
+     [Steve Henson]
+
+  *) Add support for canonical generation of DSA parameter 'g'. See 
+     FIPS 186-3 A.2.3.
+
+  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
+     POST to handle HMAC cases.
+     [Steve Henson]
+
+  *) Add functions FIPS_module_version() and FIPS_module_version_text()
+     to return numerical and string versions of the FIPS module number.
+     [Steve Henson]
+
+  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
+     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
+     outside the validated module in the FIPS capable OpenSSL.
+     [Steve Henson]
+
+  *) Minor change to DRBG entropy callback semantics. In some cases
+     there is no multiple of the block length between min_len and
+     max_len. Allow the callback to return more than max_len bytes
+     of entropy but discard any extra: it is the callback's responsibility
+     to ensure that the extra data discarded does not impact the
+     requested amount of entropy.
+     [Steve Henson]
+
+  *) Add PRNG security strength checks to RSA, DSA and ECDSA using 
+     information in FIPS186-3, SP800-57 and SP800-131A.
+     [Steve Henson]
+
+  *) CCM support via EVP. Interface is very similar to GCM case except we
+     must supply all data in one chunk (i.e. no update, final) and the
+     message length must be supplied if AAD is used. Add algorithm test
+     support.
+     [Steve Henson]
+
+  *) Initial version of POST overhaul. Add POST callback to allow the status
+     of POST to be monitored and/or failures induced. Modify fips_test_suite
+     to use callback. Always run all selftests even if one fails.
+     [Steve Henson]
+
+  *) XTS support including algorithm test driver in the fips_gcmtest program.
+     Note: this does increase the maximum key length from 32 to 64 bytes but
+     there should be no binary compatibility issues as existing applications
+     will never use XTS mode.
+     [Steve Henson]
+
+  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
+     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
+     performs algorithm blocking for unapproved PRNG types. Also do not
+     set PRNG type in FIPS_mode_set(): leave this to the application.
+     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
+     the standard OpenSSL PRNG: set additional data to a date time vector.
+     [Steve Henson]
+
+  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
+     This shouldn't present any incompatibility problems because applications
+     shouldn't be using these directly and any that are will need to rethink
+     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
+     [Steve Henson]
+
+  *) Extensive self tests and health checking required by SP800-90 DRBG.
+     Remove strength parameter from FIPS_drbg_instantiate and always
+     instantiate at maximum supported strength.
+     [Steve Henson]
+
+  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
+     [Steve Henson]
+
+  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
+     [Steve Henson]
+
+  *) New function DH_compute_key_padded() to compute a DH key and pad with
+     leading zeroes if needed: this complies with SP800-56A et al.
+     [Steve Henson]
+
+  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
+     anything, incomplete, subject to change and largely untested at present.
+     [Steve Henson]
+
+  *) Modify fipscanisteronly build option to only build the necessary object
+     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
+     [Steve Henson]
+
+  *) Add experimental option FIPSSYMS to give all symbols in
+     fipscanister.o and FIPS or fips prefix. This will avoid
+     conflicts with future versions of OpenSSL. Add perl script
+     util/fipsas.pl to preprocess assembly language source files
+     and rename any affected symbols.
+     [Steve Henson]
+
+  *) Add selftest checks and algorithm block of non-fips algorithms in
+     FIPS mode. Remove DES2 from selftests.
+     [Steve Henson]
+
+  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
+     return internal method without any ENGINE dependencies. Add new
+     tiny fips sign and verify functions.
+     [Steve Henson]
+
+  *) New build option no-ec2m to disable characteristic 2 code.
+     [Steve Henson]
+
+  *) New build option "fipscanisteronly". This only builds fipscanister.o
+     and (currently) associated fips utilities. Uses the file Makefile.fips
+     instead of Makefile.org as the prototype.
+     [Steve Henson]
+
+  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
+     Update fips_gcmtest to use IV generator.
+     [Steve Henson]
+
+  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
+     setting output buffer to NULL. The *Final function must be
+     called although it will not retrieve any additional data. The tag
+     can be set or retrieved with a ctrl. The IV length is by default 12
+     bytes (96 bits) but can be set to an alternative value. If the IV
+     length exceeds the maximum IV length (currently 16 bytes) it cannot be
+     set before the key. 
+     [Steve Henson]
+
+  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
+     underlying do_cipher function handles all cipher semantics itself
+     including padding and finalisation. This is useful if (for example)
+     an ENGINE cipher handles block padding itself. The behaviour of
+     do_cipher is subtly changed if this flag is set: the return value
+     is the number of characters written to the output buffer (zero is
+     no longer an error code) or a negative error code. Also if the
+     input buffer is NULL and length 0 finalisation should be performed.
+     [Steve Henson]
+
+  *) If a candidate issuer certificate is already part of the constructed
+     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
+     [Steve Henson]
+
+  *) Improve forward-security support: add functions
+
+       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
+       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
+
+     for use by SSL/TLS servers; the callback function will be called whenever a
+     new session is created, and gets to decide whether the session may be
+     cached to make it resumable (return 0) or not (return 1).  (As by the
+     SSL/TLS protocol specifications, the session_id sent by the server will be
+     empty to indicate that the session is not resumable; also, the server will
+     not generate RFC 4507 (RFC 5077) session tickets.)
+
+     A simple reasonable callback implementation is to return is_forward_secure.
+     This parameter will be set to 1 or 0 depending on the ciphersuite selected
+     by the SSL/TLS server library, indicating whether it can provide forward
+     security.
+     [Emilia K?sper <emilia.kasper at esat.kuleuven.be> (Google)]
+
+  *) New -verify_name option in command line utilities to set verification
+     parameters by name.
+     [Steve Henson]
+
+  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
+     Add CMAC pkey methods.
+     [Steve Henson]
+
+  *) Experimental renegotiation in s_server -www mode. If the client 
+     browses /reneg connection is renegotiated. If /renegcert it is
+     renegotiated requesting a certificate.
+     [Steve Henson]
+
+  *) Add an "external" session cache for debugging purposes to s_server. This
+     should help trace issues which normally are only apparent in deployed
+     multi-process servers.
+     [Steve Henson]
+
+  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
+     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
+     BIO_set_cipher() and some obscure PEM functions were changed so they
+     can now return an error. The RAND changes required a change to the
+     RAND_METHOD structure.
+     [Steve Henson]
+
+  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
+     a gcc attribute to warn if the result of a function is ignored. This
+     is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
+     whose return value is often ignored. 
+     [Steve Henson]
+>>>>>>> f00a10b... GH367: Fix dsa keygen for too-short seed
 
  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
 
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 5a328aa..847c874 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -163,18 +163,15 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     bits = (bits + 63) / 64 * 64;
 
-    /*
-     * NB: seed_len == 0 is special case: copy generated seed to seed_in if
-     * it is not NULL.
-     */
-    if (seed_len && (seed_len < (size_t)qsize))
-        seed_in = NULL;         /* seed buffer too small -- ignore */
-    if (seed_len > (size_t)qsize)
-        seed_len = qsize;       /* App. 2.2 of FIPS PUB 186 allows larger
-                                 * SEED, but our internal buffers are
-                                 * restricted to 160 bits */
-    if (seed_in != NULL)
+    if (seed_in != NULL) {
+        if (seed_len < (size_t)qsize)
+            return 0;
+        if (seed_len > (size_t)qsize) {
+            /* Don't overflow seed local variable. */
+            seed_len = qsize;
+        }
         memcpy(seed, seed_in, seed_len);
+    }
 
     if ((ctx = BN_CTX_new()) == NULL)
         goto err;
@@ -197,20 +194,18 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random;
+            int seed_is_random = seed_in == NULL;
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (!seed_len) {
-                if (RAND_pseudo_bytes(seed, qsize) < 0)
+            if (seed_is_random) {
+                if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
-                seed_is_random = 1;
             } else {
-                seed_is_random = 0;
-                seed_len = 0;   /* use random seed if 'seed_in' turns out to
-                                 * be bad */
+                /* If we come back through, use random seed next time. */
+                seed_in = NULL;
             }
             memcpy(buf, seed, qsize);
             memcpy(buf2, seed, qsize);
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index 16a67f2..7db1522 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -23,13 +23,12 @@ Deprecated:
 DSA_generate_parameters_ex() generates primes p and q and a generator g
 for use in the DSA and stores the result in B<dsa>.
 
-B<bits> is the length of the prime to be generated; the DSS allows a
-maximum of 1024 bits.
+B<bits> is the length of the prime p to be generated.
+For lengths under 2048 bits, the length of q is 160 bits; for lengths
+at least 2048, it is set to 256 bits.
 
-If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
-generated at random. Otherwise, the seed is used to generate
-them. If the given seed does not yield a prime q, a new random
-seed is chosen and placed at B<seed>.
+If B<seed> is NULL, the primes will be generated at random.
+If B<seed_len> is less than the length of q, an error is returned.
 
 DSA_generate_parameters_ex() places the iteration count in
 *B<counter_ret> and a counter used for finding a generator in

From rsalz at openssl.org  Fri Aug 28 16:03:13 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 28 Aug 2015 16:03:13 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440777793.310117.5221.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  c8491de393639dbc4508306b7dbedb3872b74293 (commit)
      from  1d7df236dcb4f7c95707110753e5e77b19b9a0aa (commit)


- Log -----------------------------------------------------------------
commit c8491de393639dbc4508306b7dbedb3872b74293
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Aug 27 23:07:07 2015 -0400

    GH354: Memory leak fixes
    
    Fix more potential leaks in X509_verify_cert()
    Fix memory leak in ClientHello test
    Fix memory leak in gost2814789 test
    Fix potential memory leak in PKCS7_verify()
    Fix potential memory leaks in X509_add1_reject_object()
    Refactor to use "goto err" in cleanup.
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit 55500ea7c46c27a150a46832e1260891aaad8e52)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_x509a.c    |  7 +++++--
 crypto/pkcs7/pk7_smime.c | 25 ++++++-------------------
 crypto/x509/x509_vfy.c   |  4 ++--
 ssl/clienthellotest.c    |  1 +
 4 files changed, 14 insertions(+), 23 deletions(-)

diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c
index 76bbc13..ad93592 100644
--- a/crypto/asn1/x_x509a.c
+++ b/crypto/asn1/x_x509a.c
@@ -163,10 +163,13 @@ int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
     if (!(objtmp = OBJ_dup(obj)))
         return 0;
     if (!(aux = aux_get(x)))
-        return 0;
+        goto err;
     if (!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null()))
-        return 0;
+        goto err;
     return sk_ASN1_OBJECT_push(aux->reject, objtmp);
+ err:
+    ASN1_OBJECT_free(objtmp);
+    return 0;
 }
 
 void X509_trust_clear(X509 *x)
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index dbd4100..c4d3724 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -256,8 +256,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     X509_STORE_CTX cert_ctx;
     char buf[4096];
     int i, j = 0, k, ret = 0;
-    BIO *p7bio;
-    BIO *tmpin, *tmpout;
+    BIO *p7bio = NULL;
+    BIO *tmpin = NULL, *tmpout = NULL;
 
     if (!p7) {
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_INVALID_NULL_POINTER);
@@ -274,18 +274,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
         return 0;
     }
-#if 0
-    /*
-     * NB: this test commented out because some versions of Netscape
-     * illegally include zero length content when signing data.
-     */
 
     /* Check for data and content: two sets of data */
     if (!PKCS7_get_detached(p7) && indata) {
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
         return 0;
     }
-#endif
 
     sinfos = PKCS7_get_signer_info(p7);
 
@@ -295,7 +289,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
 
     signers = PKCS7_get0_signers(p7, certs, flags);
-
     if (!signers)
         return 0;
 
@@ -308,14 +301,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                 if (!X509_STORE_CTX_init(&cert_ctx, store, signer,
                                          p7->d.sign->cert)) {
                     PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
-                    sk_X509_free(signers);
-                    return 0;
+                    goto err;
                 }
                 X509_STORE_CTX_set_default(&cert_ctx, "smime_sign");
             } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) {
                 PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB);
-                sk_X509_free(signers);
-                return 0;
+                goto err;
             }
             if (!(flags & PKCS7_NOCRL))
                 X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl);
@@ -328,8 +319,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                          PKCS7_R_CERTIFICATE_VERIFY_ERROR);
                 ERR_add_error_data(2, "Verify error:",
                                    X509_verify_cert_error_string(j));
-                sk_X509_free(signers);
-                return 0;
+                goto err;
             }
             /* Check for revocation status here */
         }
@@ -348,7 +338,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         tmpin = BIO_new_mem_buf(ptr, len);
         if (tmpin == NULL) {
             PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
-            return 0;
+            goto err;
         }
     } else
         tmpin = indata;
@@ -398,15 +388,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     ret = 1;
 
  err:
-
     if (tmpin == indata) {
         if (indata)
             BIO_pop(p7bio);
     }
     BIO_free_all(p7bio);
-
     sk_X509_free(signers);
-
     return ret;
 }
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 15a4fb9..7bac197 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -249,7 +249,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
             ok = ctx->get_issuer(&xtmp, ctx, x);
             if (ok < 0)
-                return ok;
+                goto end;
             /*
              * If successful for now free up cert so it will be picked up
              * again later.
@@ -347,7 +347,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
             ok = ctx->get_issuer(&xtmp, ctx, x);
 
             if (ok < 0)
-                return ok;
+                goto end;
             if (ok == 0)
                 break;
             x = xtmp;
diff --git a/ssl/clienthellotest.c b/ssl/clienthellotest.c
index a00a7ea..77517c6 100644
--- a/ssl/clienthellotest.c
+++ b/ssl/clienthellotest.c
@@ -213,6 +213,7 @@ int main(int argc, char *argv[])
     EVP_cleanup();
     CRYPTO_cleanup_all_ex_data();
     CRYPTO_mem_leaks(err);
+    BIO_free(err);
 
     return testresult?0:1;
 }

From rsalz at openssl.org  Fri Aug 28 19:55:22 2015
From: rsalz at openssl.org (Rich Salz)
Date: Fri, 28 Aug 2015 19:55:22 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440791722.638785.21802.nullmailer@dev.openssl.org>

The branch master has been updated
       via  1f003251ffffc2573d5a879661d6c6ccb8cc40e4 (commit)
      from  55500ea7c46c27a150a46832e1260891aaad8e52 (commit)


- Log -----------------------------------------------------------------
commit 1f003251ffffc2573d5a879661d6c6ccb8cc40e4
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Aug 28 15:53:41 2015 -0400

    Fix 4c42ebd; forgot to inutil util/libeay.num
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 util/libeay.num | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/libeay.num b/util/libeay.num
index fa6d9c2..bb78665 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -1373,8 +1373,8 @@ X509V3_set_ctx                          1508	EXIST::FUNCTION:
 s2i_ASN1_INTEGER                        1509	EXIST::FUNCTION:
 CRYPTO_set_locked_mem_functions         1510	NOEXIST::FUNCTION:
 CRYPTO_get_locked_mem_functions         1511	NOEXIST::FUNCTION:
-CRYPTO_malloc_locked                    1512	EXIST::FUNCTION:
-CRYPTO_free_locked                      1513	EXIST::FUNCTION:
+CRYPTO_malloc_locked                    1512	NOEXIST::FUNCTION:
+CRYPTO_free_locked                      1513	NOEXIST::FUNCTION:
 BN_mod_exp2_mont                        1514	EXIST::FUNCTION:
 ERR_get_error_line_data                 1515	EXIST::FUNCTION:
 ERR_peek_error_line_data                1516	EXIST::FUNCTION:

From rsalz at openssl.org  Sun Aug 30 20:40:39 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 30 Aug 2015 20:40:39 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1440967239.262037.2987.nullmailer@dev.openssl.org>

The branch master has been updated
       via  9db0c91c39fb548c36d6c3c944f50d4c068eefb7 (commit)
      from  1f003251ffffc2573d5a879661d6c6ccb8cc40e4 (commit)


- Log -----------------------------------------------------------------
commit 9db0c91c39fb548c36d6c3c944f50d4c068eefb7
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Aug 28 17:49:30 2015 -0400

    Remove the "times" directory.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 times/090/586-100.nt   | 32 -------------------
 times/091/486-50.nt    | 30 ------------------
 times/091/586-100.lnx  | 32 -------------------
 times/091/68000.bsd    | 32 -------------------
 times/091/686-200.lnx  | 32 -------------------
 times/091/alpha064.osf | 32 -------------------
 times/091/alpha164.lnx | 32 -------------------
 times/091/alpha164.osf | 31 ------------------
 times/091/mips-rel.pl  | 21 ------------
 times/091/r10000.irx   | 37 ----------------------
 times/091/r3000.ult    | 32 -------------------
 times/091/r4400.irx    | 32 -------------------
 times/100.lnx          | 32 -------------------
 times/100.nt           | 29 -----------------
 times/200.lnx          | 30 ------------------
 times/486-66.dos       | 22 -------------
 times/486-66.nt        | 22 -------------
 times/486-66.w31       | 23 --------------
 times/5.lnx            | 29 -----------------
 times/586-085i.nt      | 29 -----------------
 times/586-100.LN3      | 26 ---------------
 times/586-100.NT2      | 26 ---------------
 times/586-100.dos      | 24 --------------
 times/586-100.ln4      | 26 ---------------
 times/586-100.lnx      | 23 --------------
 times/586-100.nt       | 23 --------------
 times/586-100.ntx      | 30 ------------------
 times/586-100.w31      | 27 ----------------
 times/586-1002.lnx     | 26 ---------------
 times/586p-100.lnx     | 26 ---------------
 times/686-200.bsd      | 25 ---------------
 times/686-200.lnx      | 26 ---------------
 times/686-200.nt       | 24 --------------
 times/L1               | 27 ----------------
 times/R10000.t         | 24 --------------
 times/R4400.t          | 26 ---------------
 times/aix.t            | 34 --------------------
 times/aixold.t         | 23 --------------
 times/alpha.t          | 81 -----------------------------------------------
 times/alpha400.t       | 25 ---------------
 times/cyrix100.lnx     | 22 -------------
 times/dgux-x86.t       | 23 --------------
 times/dgux.t           | 17 ----------
 times/hpux-acc.t       | 25 ---------------
 times/hpux-kr.t        | 23 --------------
 times/hpux.t           | 86 --------------------------------------------------
 times/p2.w95           | 22 -------------
 times/pent2.t          | 24 --------------
 times/readme           | 11 -------
 times/s586-100.lnx     | 25 ---------------
 times/s586-100.nt      | 23 --------------
 times/sgi.t            | 29 -----------------
 times/sparc.t          | 26 ---------------
 times/sparc2           | 21 ------------
 times/sparcLX.t        | 22 -------------
 times/usparc.t         | 25 ---------------
 times/x86/bfs.cpp      | 67 ---------------------------------------
 times/x86/casts.cpp    | 67 ---------------------------------------
 times/x86/des3s.cpp    | 67 ---------------------------------------
 times/x86/dess.cpp     | 67 ---------------------------------------
 times/x86/md4s.cpp     | 78 ---------------------------------------------
 times/x86/md5s.cpp     | 78 ---------------------------------------------
 times/x86/rc4s.cpp     | 73 ------------------------------------------
 times/x86/sha1s.cpp    | 79 ----------------------------------------------
 64 files changed, 2163 deletions(-)
 delete mode 100644 times/090/586-100.nt
 delete mode 100644 times/091/486-50.nt
 delete mode 100644 times/091/586-100.lnx
 delete mode 100644 times/091/68000.bsd
 delete mode 100644 times/091/686-200.lnx
 delete mode 100644 times/091/alpha064.osf
 delete mode 100644 times/091/alpha164.lnx
 delete mode 100644 times/091/alpha164.osf
 delete mode 100644 times/091/mips-rel.pl
 delete mode 100644 times/091/r10000.irx
 delete mode 100644 times/091/r3000.ult
 delete mode 100644 times/091/r4400.irx
 delete mode 100644 times/100.lnx
 delete mode 100644 times/100.nt
 delete mode 100644 times/200.lnx
 delete mode 100644 times/486-66.dos
 delete mode 100644 times/486-66.nt
 delete mode 100644 times/486-66.w31
 delete mode 100644 times/5.lnx
 delete mode 100644 times/586-085i.nt
 delete mode 100644 times/586-100.LN3
 delete mode 100644 times/586-100.NT2
 delete mode 100644 times/586-100.dos
 delete mode 100644 times/586-100.ln4
 delete mode 100644 times/586-100.lnx
 delete mode 100644 times/586-100.nt
 delete mode 100644 times/586-100.ntx
 delete mode 100644 times/586-100.w31
 delete mode 100644 times/586-1002.lnx
 delete mode 100644 times/586p-100.lnx
 delete mode 100644 times/686-200.bsd
 delete mode 100644 times/686-200.lnx
 delete mode 100644 times/686-200.nt
 delete mode 100644 times/L1
 delete mode 100644 times/R10000.t
 delete mode 100644 times/R4400.t
 delete mode 100644 times/aix.t
 delete mode 100644 times/aixold.t
 delete mode 100644 times/alpha.t
 delete mode 100644 times/alpha400.t
 delete mode 100644 times/cyrix100.lnx
 delete mode 100644 times/dgux-x86.t
 delete mode 100644 times/dgux.t
 delete mode 100644 times/hpux-acc.t
 delete mode 100644 times/hpux-kr.t
 delete mode 100644 times/hpux.t
 delete mode 100644 times/p2.w95
 delete mode 100644 times/pent2.t
 delete mode 100644 times/readme
 delete mode 100644 times/s586-100.lnx
 delete mode 100644 times/s586-100.nt
 delete mode 100644 times/sgi.t
 delete mode 100644 times/sparc.t
 delete mode 100644 times/sparc2
 delete mode 100644 times/sparcLX.t
 delete mode 100644 times/usparc.t
 delete mode 100644 times/x86/bfs.cpp
 delete mode 100644 times/x86/casts.cpp
 delete mode 100644 times/x86/des3s.cpp
 delete mode 100644 times/x86/dess.cpp
 delete mode 100644 times/x86/md4s.cpp
 delete mode 100644 times/x86/md5s.cpp
 delete mode 100644 times/x86/rc4s.cpp
 delete mode 100644 times/x86/sha1s.cpp

diff --git a/times/090/586-100.nt b/times/090/586-100.nt
deleted file mode 100644
index 297ec3e..0000000
--- a/times/090/586-100.nt
+++ /dev/null
@@ -1,32 +0,0 @@
-SSLeay 0.9.0 08-Apr-1998
-built on Wed Apr  8 12:47:17 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(
-ptr2)
-C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN
--DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 92.25k      256.80k      347.01k      380.40k      390.31k
-mdc2               240.72k      251.10k      252.00k      250.80k      251.40k
-md5               1013.61k     5651.94k    11831.61k    16294.89k    17901.43k
-hmac(md5)          419.50k     2828.07k     7770.11k    13824.34k    17091.70k
-sha1               524.31k     2721.45k     5216.15k     6766.10k     7308.42k
-rmd160             462.09k     2288.59k     4260.77k     5446.44k     5841.65k
-rc4               7895.90k    10326.73k    10555.43k    10728.22k    10429.44k
-des cbc           2036.86k     2208.92k     2237.68k     2237.20k     2181.35k
-des ede3           649.92k      739.42k      749.07k      748.86k      738.27k
-idea cbc           823.19k      885.10k      894.92k      896.45k      891.87k
-rc2 cbc            792.63k      859.00k      867.45k      868.96k      865.30k
-rc5-32/12 cbc     3502.26k     4026.79k     4107.23k     4121.76k     4073.72k
-blowfish cbc      3752.96k     4026.79k     4075.31k     3965.87k     3892.26k
-cast cbc          2566.27k     2807.43k     2821.79k     2792.48k     2719.34k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0179s   0.0020s     56.0    501.7
-rsa 1024 bits   0.0950s   0.0060s     10.5    166.6
-rsa 2048 bits   0.6299s   0.0209s      1.6     47.8
-rsa 4096 bits   4.5870s   0.0787s      0.2     12.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0180s   0.0339s     55.6     29.5
-dsa 1024 bits   0.0555s   0.1076s     18.0      9.3
-dsa 2048 bits   0.1971s   0.3918s      5.1      2.6
-
diff --git a/times/091/486-50.nt b/times/091/486-50.nt
deleted file mode 100644
index 84820d9..0000000
--- a/times/091/486-50.nt
+++ /dev/null
@@ -1,30 +0,0 @@
-486-50 NT 4.0
-
-SSLeay 0.9.1a 06-Jul-1998
-built on Sat Jul 18 18:03:20 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 28.77k       80.30k      108.50k      118.98k      122.47k
-mdc2                51.52k       54.06k       54.54k       54.65k       54.62k
-md5                304.39k     1565.04k     3061.54k     3996.10k     4240.10k
-hmac(md5)          119.53k      793.23k     2061.29k     3454.95k     4121.76k
-sha1               127.51k      596.93k     1055.54k     1313.84k     1413.18k
-rmd160             128.50k      572.49k     1001.03k     1248.01k     1323.63k
-rc4               1224.40k     1545.11k     1590.29k     1600.20k     1576.90k
-des cbc            448.19k      503.45k      512.30k      513.30k      508.23k
-des ede3           148.66k      162.48k      163.68k      163.94k      164.24k
-idea cbc           194.18k      211.10k      212.99k      213.18k      212.64k
-rc2 cbc            245.78k      271.01k      274.12k      274.38k      273.52k
-rc5-32/12 cbc     1252.48k     1625.20k     1700.03k     1711.12k     1677.18k
-blowfish cbc       725.16k      828.26k      850.01k      846.99k      833.79k
-cast cbc           643.30k      717.22k      739.48k      741.57k      735.33k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0904s   0.0104s     11.1     96.2
-rsa 1024 bits   0.5968s   0.0352s      1.7     28.4
-rsa 2048 bits   3.8860s   0.1017s      0.3      9.8
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.1006s   0.1249s      9.9      8.0
-dsa 1024 bits   0.3306s   0.4093s      3.0      2.4
-dsa 2048 bits   0.9454s   1.1707s      1.1      0.9
diff --git a/times/091/586-100.lnx b/times/091/586-100.lnx
deleted file mode 100644
index 92892a6..0000000
--- a/times/091/586-100.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-Pentium 100mhz, linux
-
-SSLeay 0.9.0a 14-Apr-1998
-built on Fri Apr 17 08:47:07 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 56.65k      153.88k      208.47k      229.03k      237.57k
-mdc2               189.59k      204.95k      206.93k      208.90k      209.56k
-md5               1019.48k     5882.41k    12085.42k    16376.49k    18295.47k
-hmac(md5)          415.86k     2887.85k     7891.29k    13894.66k    17446.23k
-sha1               540.68k     2791.96k     5289.30k     6813.01k     7432.87k
-rmd160             298.37k     1846.87k     3869.10k     5273.94k     5892.78k
-rc4               7870.87k    10438.10k    10857.13k    10729.47k    10788.86k
-des cbc           1960.60k     2226.37k     2241.88k     2054.83k     2181.80k
-des ede3           734.44k      739.69k      779.43k      750.25k      772.78k
-idea cbc           654.07k      711.00k      716.89k      718.51k      720.90k
-rc2 cbc            648.83k      701.91k      708.61k      708.95k      709.97k
-rc5-32/12 cbc     3504.71k     4054.76k     4131.41k     4105.56k     4134.23k
-blowfish cbc      3762.25k     4313.79k     4460.54k     4356.78k     4317.18k
-cast cbc          2755.01k     3038.91k     3076.44k     3027.63k     2998.27k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0195s   0.0019s     51.4    519.9
-rsa 1024 bits   0.1000s   0.0059s     10.0    168.2
-rsa 2048 bits   0.6406s   0.0209s      1.6     47.8
-rsa 4096 bits   4.6100s   0.0787s      0.2     12.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0188s   0.0360s     53.1     27.8
-dsa 1024 bits   0.0570s   0.1126s     17.5      8.9
-dsa 2048 bits   0.1990s   0.3954s      5.0      2.5
-
diff --git a/times/091/68000.bsd b/times/091/68000.bsd
deleted file mode 100644
index a3a14e8..0000000
--- a/times/091/68000.bsd
+++ /dev/null
@@ -1,32 +0,0 @@
-Motorolla 68020 20mhz, NetBSD
-
-SSLeay 0.9.0t 29-May-1998
-built on Fri Jun  5 12:42:23 EST 1998
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,16,long) idea(int) blowfish(idx) 
-C flags:gcc -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               2176.00      5994.67      8079.73      8845.18      9077.01 
-mdc2              5730.67      6122.67      6167.66      6176.51      6174.87 
-md5                 29.10k      127.31k      209.66k      250.50k      263.99k
-hmac(md5)           12.33k       73.02k      160.17k      228.04k      261.15k
-sha1                11.27k       49.37k       84.31k      102.40k      109.23k
-rmd160              11.69k       48.62k       78.76k       93.15k       98.41k
-rc4                117.96k      148.94k      152.57k      153.09k      152.92k
-des cbc             27.13k       30.06k       30.38k       30.38k       30.53k
-des ede3            10.51k       10.94k       11.01k       11.01k       11.01k
-idea cbc            26.74k       29.23k       29.45k       29.60k       29.74k
-rc2 cbc             34.27k       39.39k       40.03k       40.07k       40.16k
-rc5-32/12 cbc       64.31k       83.18k       85.70k       86.70k       87.09k
-blowfish cbc        48.86k       59.18k       60.07k       60.42k       60.78k
-cast cbc            42.67k       50.01k       50.86k       51.20k       51.37k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.7738s   0.0774s      1.3     12.9
-rsa 1024 bits   4.3967s   0.2615s      0.2      3.8
-rsa 2048 bits  29.5200s   0.9664s      0.0      1.0
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.7862s   0.9709s      1.3      1.0
-dsa 1024 bits   2.5375s   3.1625s      0.4      0.3
-dsa 2048 bits   9.2150s  11.8200s      0.1      0.1
-
-
diff --git a/times/091/686-200.lnx b/times/091/686-200.lnx
deleted file mode 100644
index bb857d4..0000000
--- a/times/091/686-200.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-Pentium Pro 200mhz, linux
-
-SSLeay 0.9.0d 26-Apr-1998
-built on Sun Apr 26 10:25:33 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                130.58k      364.54k      499.24k      545.79k      561.66k
-mdc2               526.68k      579.72k      588.37k      588.80k      589.82k
-md5               1917.71k    11434.69k    22512.21k    29495.30k    32677.89k
-hmac(md5)          749.18k     5264.83k    14227.20k    25018.71k    31760.38k
-sha1              1343.83k     6436.29k    11702.78k    14664.70k    15829.67k
-rmd160            1038.05k     5138.77k     8985.51k    10985.13k    11799.21k
-rc4              14891.04k    21334.06k    22376.79k    22579.54k    22574.42k
-des cbc           4131.97k     4568.31k     4645.29k     4631.21k     4572.73k
-des ede3          1567.17k     1631.13k     1657.32k     1653.08k     1643.86k
-idea cbc          2427.23k     2671.21k     2716.67k     2723.84k     2733.40k
-rc2 cbc           1629.90k     1767.38k     1788.50k     1797.12k     1799.51k
-rc5-32/12 cbc    10290.55k    13161.60k    13744.55k    14011.73k    14123.01k
-blowfish cbc      5896.42k     6920.77k     7122.01k     7151.62k     7146.15k
-cast cbc          6037.71k     6935.19k     7101.35k     7145.81k     7116.12k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0070s   0.0007s    142.6   1502.9
-rsa 1024 bits   0.0340s   0.0019s     29.4    513.3
-rsa 2048 bits   0.2087s   0.0066s      4.8    151.3
-rsa 4096 bits   1.4700s   0.0242s      0.7     41.2
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0064s   0.0121s    156.1     82.9
-dsa 1024 bits   0.0184s   0.0363s     54.4     27.5
-dsa 2048 bits   0.0629s   0.1250s     15.9      8.0
-
diff --git a/times/091/alpha064.osf b/times/091/alpha064.osf
deleted file mode 100644
index a8e7fdf..0000000
--- a/times/091/alpha064.osf
+++ /dev/null
@@ -1,32 +0,0 @@
-Alpha EV4.5 (21064) 275mhz, OSF1 V4.0
-SSLeay 0.9.0g 01-May-1998
-built on Mon May  4 17:26:09 CST 1998
-options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx) 
-C flags:cc -tune host -O4 -readonly_strings
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                119.58k      327.48k      443.28k      480.09k      495.16k
-mdc2               436.67k      456.35k      465.42k      466.57k      469.01k
-md5               1459.34k     6566.46k    11111.91k    13375.30k    14072.60k
-hmac(md5)          597.90k     3595.45k     8180.88k    12099.49k    13884.46k
-sha1               707.01k     3253.09k     6131.73k     7798.23k     8439.67k
-rmd160             618.57k     2729.07k     4711.33k     5825.16k     6119.23k
-rc4               8796.43k     9393.62k     9548.88k     9378.77k     9472.57k
-des cbc           2165.97k     2514.90k     2586.27k     2572.93k     2639.08k
-des ede3           945.44k     1004.03k     1005.96k     1017.33k     1020.85k
-idea cbc          1498.81k     1629.11k     1637.28k     1625.50k     1641.11k
-rc2 cbc           1866.00k     2044.92k     2067.12k     2064.00k     2068.96k
-rc5-32/12 cbc     4366.97k     5521.32k     5687.50k     5729.16k     5736.96k
-blowfish cbc      3997.31k     4790.60k     4937.84k     4954.56k     5024.85k
-cast cbc          2900.19k     3673.30k     3803.73k     3823.93k     3890.25k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0069s   0.0006s    144.2   1545.8
-rsa 1024 bits   0.0304s   0.0018s     32.9    552.6
-rsa 2048 bits   0.1887s   0.0062s      5.3    161.4
-rsa 4096 bits   1.3667s   0.0233s      0.7     42.9
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0067s   0.0123s    149.6     81.1
-dsa 1024 bits   0.0177s   0.0332s     56.6     30.1
-dsa 2048 bits   0.0590s   0.1162s     16.9      8.6
-
-
diff --git a/times/091/alpha164.lnx b/times/091/alpha164.lnx
deleted file mode 100644
index c994662..0000000
--- a/times/091/alpha164.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-Alpha EV5.6 (21164A) 533mhz, Linux 2.0.32
-
-SSLeay 0.9.0p 22-May-1998
-built on Sun May 27 14:23:38 GMT 2018
-options:bn(64,64) md2(int) rc4(ptr,int) des(idx,risc1,16,long) idea(int) blowfish(idx) 
-C flags:gcc -O3
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                295.78k      825.34k     1116.42k     1225.10k     1262.65k
-mdc2               918.16k     1017.55k     1032.18k     1034.24k     1035.60k
-md5               3574.93k    15517.05k    25482.67k    30434.31k    32210.51k
-hmac(md5)         1261.54k     7757.15k    18025.46k    27081.21k    31653.27k
-sha1              2251.89k    10056.84k    16990.19k    20651.04k    21973.29k
-rmd160            1615.49k     7017.13k    11601.11k    13875.62k    14690.31k
-rc4              22435.16k    24476.40k    24349.95k    23042.36k    24581.53k
-des cbc           5198.38k     6559.04k     6775.43k     6827.87k     6875.82k
-des ede3          2257.73k     2602.18k     2645.60k     2657.12k     2670.59k
-idea cbc          3694.42k     4125.61k     4180.74k     4193.28k     4192.94k
-rc2 cbc           4642.47k     5323.85k     5415.42k     5435.86k     5434.03k
-rc5-32/12 cbc     9705.26k    13277.79k    13843.46k    13989.66k    13987.57k
-blowfish cbc      7861.28k    10852.34k    11447.98k    11616.97k    11667.54k
-cast cbc          6718.13k     8599.98k     8967.17k     9070.81k     9099.28k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0018s   0.0002s    555.9   6299.5
-rsa 1024 bits   0.0081s   0.0005s    123.3   2208.7
-rsa 2048 bits   0.0489s   0.0015s     20.4    648.5
-rsa 4096 bits   0.3402s   0.0057s      2.9    174.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0019s   0.0032s    529.0    310.2
-dsa 1024 bits   0.0047s   0.0086s    214.1    115.7
-dsa 2048 bits   0.0150s   0.0289s     66.7     34.6
-
diff --git a/times/091/alpha164.osf b/times/091/alpha164.osf
deleted file mode 100644
index df712c6..0000000
--- a/times/091/alpha164.osf
+++ /dev/null
@@ -1,31 +0,0 @@
-Alpha EV5.6 (21164A) 400mhz, OSF1 V4.0
-
-SSLeay 0.9.0 10-Apr-1998
-built on Sun Apr 19 07:54:37 EST 1998
-options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) idea(int) blowfish(idx) 
-C flags:cc -O4 -tune host -fast
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                276.30k      762.07k     1034.35k     1134.07k     1160.53k
-mdc2               814.99k      845.83k      849.09k      850.33k      849.24k
-md5               2468.43k    10945.27k    17963.48k    21430.89k    22544.38k
-hmac(md5)         1002.48k     6023.98k    13430.99k    19344.17k    22351.80k
-sha1              1984.93k     8882.47k    14856.47k    17878.70k    18955.10k
-rmd160            1286.96k     5595.52k     9167.00k    10957.74k    11582.30k
-rc4              15948.15k    16710.29k    16793.20k    17929.50k    18474.56k
-des cbc           3416.04k     4149.37k     4296.25k     4328.89k     4327.57k
-des ede3          1540.14k     1683.36k     1691.14k     1705.90k     1705.22k
-idea cbc          2795.87k     3192.93k     3238.13k     3238.17k     3256.66k
-rc2 cbc           3529.00k     4069.93k     4135.79k     4135.25k     4160.07k
-rc5-32/12 cbc     7212.35k     9849.71k    10260.91k    10423.38k    10439.99k
-blowfish cbc      6061.75k     8363.50k     8706.80k     8779.40k     8784.55k
-cast cbc          5401.75k     6433.31k     6638.18k     6662.40k     6702.80k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0022s   0.0002s    449.6   4916.2
-rsa 1024 bits   0.0105s   0.0006s     95.3   1661.2
-rsa 2048 bits   0.0637s   0.0020s     15.7    495.6
-rsa 4096 bits   0.4457s   0.0075s      2.2    132.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0028s   0.0048s    362.2    210.4
-dsa 1024 bits   0.0064s   0.0123s    155.2     81.6
-dsa 2048 bits   0.0201s   0.0394s     49.7     25.4
diff --git a/times/091/mips-rel.pl b/times/091/mips-rel.pl
deleted file mode 100644
index 4b25093..0000000
--- a/times/091/mips-rel.pl
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/local/bin/perl
-
-&doit(100,"Pentium   100 32",0.0195,0.1000,0.6406,4.6100);	# pentium-100
-&doit(200,"PPro      200 32",0.0070,0.0340,0.2087,1.4700);	# pentium-100
-&doit( 25,"R3000      25 32",0.0860,0.4825,3.2417,23.8833);	# R3000-25
-&doit(200,"R4400     200 32",0.0137,0.0717,0.4730,3.4367);	# R4400 32bit
-&doit(180,"R10000    180 32",0.0061,0.0311,0.1955,1.3871);	# R10000 32bit
-&doit(180,"R10000    180 64",0.0034,0.0149,0.0880,0.5933);	# R10000 64bit
-&doit(400,"DEC 21164 400 64",0.0022,0.0105,0.0637,0.4457);	# R10000 64bit
-
-sub doit
-	{
-	local($mhz,$label, at data)=@_;
-
-	for ($i=0; $i <= $#data; $i++)
-		{
-		$data[$i]=1/$data[$i]*200/$mhz;
-		}
-	printf("%s %6.1f %6.1f %6.1f %6.1f\n",$label, at data);
-	}
-
diff --git a/times/091/r10000.irx b/times/091/r10000.irx
deleted file mode 100644
index 237ee5d..0000000
--- a/times/091/r10000.irx
+++ /dev/null
@@ -1,37 +0,0 @@
-MIPS R10000 32kI+32kD 180mhz, IRIX 6.4
-
-Using crypto/bn/mips3.s
-
-This is built for n32, which is faster for all benchmarks than the n64
-compilation model
-
-SSLeay 0.9.0b 19-Apr-1998
-built on Sat Apr 25 12:43:14 EST 1998
-options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
-C flags:cc -use_readonly_const -O2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                126.38k      349.38k      472.67k      517.01k      529.81k
-mdc2               501.64k      545.87k      551.80k      553.64k      554.41k
-md5               1825.77k     7623.64k    12630.47k    15111.74k    16012.09k
-hmac(md5)          780.81k     4472.86k     9667.22k    13802.67k    15777.89k
-sha1              1375.52k     6213.91k    11037.30k    13682.01k    14714.09k
-rmd160             856.72k     3454.40k     5598.33k     6689.94k     7073.48k
-rc4              11260.93k    13311.50k    13360.05k    13322.17k    13364.39k
-des cbc           2770.78k     3055.42k     3095.18k     3092.48k     3103.03k
-des ede3          1023.22k     1060.58k     1063.81k     1070.37k     1064.54k
-idea cbc          3029.09k     3334.30k     3375.29k     3375.65k     3380.64k
-rc2 cbc           2307.45k     2470.72k     2501.25k     2500.68k     2500.55k
-rc5-32/12 cbc     6770.91k     8629.89k     8909.58k     9009.64k     9044.95k
-blowfish cbc      4796.53k     5598.20k     5717.14k     5755.11k     5749.86k
-cast cbc          3986.20k     4426.17k     4465.04k     4476.84k     4475.08k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0034s   0.0003s    296.1   3225.4
-rsa 1024 bits   0.0139s   0.0008s     71.8   1221.8
-rsa 2048 bits   0.0815s   0.0026s     12.3    380.3
-rsa 4096 bits   0.5656s   0.0096s      1.8    103.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0034s   0.0061s    290.8    164.9
-dsa 1024 bits   0.0084s   0.0161s    119.1     62.3
-dsa 2048 bits   0.0260s   0.0515s     38.5     19.4
-
diff --git a/times/091/r3000.ult b/times/091/r3000.ult
deleted file mode 100644
index ecd3390..0000000
--- a/times/091/r3000.ult
+++ /dev/null
@@ -1,32 +0,0 @@
-MIPS R3000 64kI+64kD 25mhz, ultrix 4.3
-
-SSLeay 0.9.0b 19-Apr-1998
-built on Thu Apr 23 07:22:31 EST 1998
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(idx) 
-C flags:cc -O2 -DL_ENDIAN -DNOPROTO -DNOCONST
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 14.63k       40.65k       54.70k       60.07k       61.78k
-mdc2                29.43k       37.27k       38.23k       38.57k       38.60k
-md5                140.04k      676.59k     1283.84k     1654.10k     1802.24k
-hmac(md5)           60.51k      378.90k      937.82k     1470.46k     1766.74k
-sha1                60.77k      296.79k      525.40k      649.90k      699.05k
-rmd160              48.82k      227.16k      417.19k      530.31k      572.05k
-rc4                904.76k      996.20k     1007.53k     1015.65k     1010.35k
-des cbc            178.87k      209.39k      213.42k      215.55k      214.53k
-des ede3            74.25k       79.30k       80.40k       80.21k       80.14k
-idea cbc           181.02k      209.37k      214.44k      214.36k      213.83k
-rc2 cbc            161.52k      184.98k      187.99k      188.76k      189.05k
-rc5-32/12 cbc      398.99k      582.91k      614.66k      626.07k      621.87k
-blowfish cbc       296.38k      387.69k      405.50k      412.57k      410.05k
-cast cbc           214.76k      260.63k      266.92k      268.63k      258.26k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0870s   0.0089s     11.5    112.4
-rsa 1024 bits   0.4881s   0.0295s      2.0     33.9
-rsa 2048 bits   3.2750s   0.1072s      0.3      9.3
-rsa 4096 bits  23.9833s   0.4093s      0.0      2.4
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0898s   0.1706s     11.1      5.9
-dsa 1024 bits   0.2847s   0.5565s      3.5      1.8
-dsa 2048 bits   1.0267s   2.0433s      1.0      0.5
-
diff --git a/times/091/r4400.irx b/times/091/r4400.irx
deleted file mode 100644
index 9b96ca1..0000000
--- a/times/091/r4400.irx
+++ /dev/null
@@ -1,32 +0,0 @@
-R4400 16kI+16kD 200mhz, Irix 5.3
-
-SSLeay 0.9.0e 27-Apr-1998
-built on Sun Apr 26 07:26:05 PDT 1998
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
-C flags:cc -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 79.80k      220.59k      298.01k      327.06k      338.60k
-mdc2               262.74k      285.30k      289.16k      288.36k      288.49k
-md5                930.35k     4167.13k     7167.91k     8678.23k     9235.86k
-hmac(md5)          399.44k     2367.57k     5370.74k     7884.28k     9076.98k
-sha1               550.96k     2488.17k     4342.76k     5362.50k     5745.40k
-rmd160             424.58k     1752.83k     2909.67k     3486.08k     3702.89k
-rc4               6687.79k     7834.63k     7962.61k     8035.65k     7915.28k
-des cbc           1544.20k     1725.94k     1748.35k     1758.17k     1745.61k
-des ede3           587.29k      637.75k      645.93k      643.17k      646.01k
-idea cbc          1575.52k     1719.75k     1732.41k     1736.69k     1740.11k
-rc2 cbc           1496.21k     1629.90k     1643.19k     1652.14k     1646.62k
-rc5-32/12 cbc     3452.48k     4276.47k     4390.74k     4405.25k     4400.12k
-blowfish cbc      2354.58k     3242.36k     3401.11k     3433.65k     3383.65k
-cast cbc          1942.22k     2152.28k     2187.51k     2185.67k     2177.20k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0130s   0.0014s     76.9    729.8
-rsa 1024 bits   0.0697s   0.0043s     14.4    233.9
-rsa 2048 bits   0.4664s   0.0156s      2.1     64.0
-rsa 4096 bits   3.4067s   0.0586s      0.3     17.1
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0140s   0.0261s     71.4     38.4
-dsa 1024 bits   0.0417s   0.0794s     24.0     12.6
-dsa 2048 bits   0.1478s   0.2929s      6.8      3.4
-
diff --git a/times/100.lnx b/times/100.lnx
deleted file mode 100644
index d0f4537..0000000
--- a/times/100.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-SSLeay 0.8.4c 03-Aug-1999
-built on Tue Nov  4 02:52:29 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                53.27k      155.95k      201.30k      216.41k      236.78k
-mdc2              192.98k      207.98k      206.76k      206.17k      208.87k
-md5               993.15k     5748.27k    11944.70k    16477.53k    18287.27k
-hmac(md5)         404.97k     2787.58k     7690.07k    13744.43k    17601.88k
-sha1              563.24k     2851.67k     5363.71k     6879.23k     7441.07k
-rc4              7876.70k    10400.85k    10825.90k    10943.49k    10745.17k
-des cbc          2047.39k     2188.25k     2188.29k     2239.49k     2233.69k
-des ede3          660.55k      764.01k      773.55k      779.21k      780.97k
-idea cbc          653.93k      708.48k      715.43k      719.87k      720.90k
-rc2 cbc           648.08k      702.23k      708.78k      711.00k      709.97k
-blowfish cbc     3764.39k     4288.66k     4375.04k     4497.07k     4423.68k
-cast cbc         2757.14k     2993.75k     3035.31k     3078.90k     3055.62k
-
-blowfish cbc     3258.81k     3673.47k     3767.30k     3774.12k     3719.17k
-cast cbc         2677.05k     3164.78k     3273.05k     3287.38k     3244.03k
-
-
-                  sign    verify
-rsa  512 bits   0.0213s   0.0020s
-rsa 1024 bits   0.1073s   0.0063s
-rsa 2048 bits   0.6873s   0.0224s
-rsa 4096 bits   4.9333s   0.0845s
-                  sign    verify
-dsa  512 bits   0.0201s   0.0385s
-dsa 1024 bits   0.0604s   0.1190s
-dsa 2048 bits   0.2121s   0.4229s
diff --git a/times/100.nt b/times/100.nt
deleted file mode 100644
index 0dd7cfc..0000000
--- a/times/100.nt
+++ /dev/null
@@ -1,29 +0,0 @@
-SSLeay 0.8.4c 03-Aug-1999
-built on Tue Aug  3 09:49:58 EST 1999
-options:bn(64,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(
-ptr2)
-C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DBN
-_ASM -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                93.07k      258.38k      349.03k      382.83k      392.87k
-mdc2              245.80k      259.02k      259.34k      259.16k      260.14k
-md5              1103.42k     6017.65k    12210.49k    16552.11k    18291.77k
-hmac(md5)         520.15k     3394.00k     8761.86k    14593.96k    17742.40k
-sha1              538.06k     2726.76k     5242.22k     6821.12k     7426.18k
-rc4              8283.90k    10513.09k    10886.38k    10929.50k    10816.75k
-des cbc          2073.10k     2232.91k     2251.61k     2256.46k     2232.44k
-des ede3          758.85k      782.46k      786.14k      786.08k      781.24k
-idea cbc          831.02k      892.63k      901.07k      903.48k      901.85k
-rc2 cbc           799.89k      866.09k      873.96k      876.22k      874.03k
-blowfish cbc     3835.32k     4418.78k     4511.94k     4494.54k     4416.92k
-cast cbc         2974.68k     3272.71k     3313.04k     3335.17k     3261.51k
-                  sign    verify
-rsa  512 bits   0.0202s   0.0019s
-rsa 1024 bits   0.1029s   0.0062s
-rsa 2048 bits   0.6770s   0.0220s
-rsa 4096 bits   4.8770s   0.0838s
-                  sign    verify
-dsa  512 bits   0.0191s   0.0364s
-dsa 1024 bits   0.0590s   0.1141s
-dsa 2048 bits   0.2088s   0.4171s
diff --git a/times/200.lnx b/times/200.lnx
deleted file mode 100644
index fd7e7f4..0000000
--- a/times/200.lnx
+++ /dev/null
@@ -1,30 +0,0 @@
-This machine was slightly loaded :-(
-
-SSLeay 0.8.4c 03-Aug-1999
-built on Tue Nov  4 02:52:29 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               130.86k      365.31k      499.60k      547.75k      561.41k
-mdc2              526.03k      581.38k      587.12k      586.31k      589.60k
-md5              1919.49k    11173.23k    22387.60k    29553.47k    32587.21k
-hmac(md5)         747.09k     5248.35k    14275.44k    24713.26k    31737.13k
-sha1             1336.63k     6400.50k    11668.67k    14648.83k    15700.85k
-rc4             15002.32k    21327.21k    22301.63k    22503.78k    22549.26k
-des cbc          4115.16k     4521.08k     4632.37k     4607.28k     4570.57k
-des ede3         1540.29k     1609.76k     1623.64k     1620.76k     1624.18k
-idea cbc         2405.08k     2664.78k     2704.22k     2713.95k     2716.29k
-rc2 cbc          1634.07k     1764.30k     1780.23k     1790.27k     1788.12k
-blowfish cbc     5993.98k     6927.27k     7083.61k     7088.40k     7123.72k
-cast cbc         5981.52k     6900.44k     7079.70k     7110.40k     7057.72k
-                  sign    verify
-rsa  512 bits   0.0085s   0.0007s
-rsa 1024 bits   0.0377s   0.0020s
-rsa 2048 bits   0.2176s   0.0067s
-rsa 4096 bits   1.4800s   0.0242s
-sign    verify
-dsa  512 bits   0.0071s   0.0132s
-dsa 1024 bits   0.0192s   0.0376s
-dsa 2048 bits   0.0638s   0.1280s
-
diff --git a/times/486-66.dos b/times/486-66.dos
deleted file mode 100644
index 1644bf8..0000000
--- a/times/486-66.dos
+++ /dev/null
@@ -1,22 +0,0 @@
-MS-dos static libs, 16bit C build, 16bit assember
-
-SSLeay 0.6.1
-options:bn(32,16) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /f- /Ocgnotb2 /G2 /W3 /WX -DL_ENDIAN /nologo -DMSDOS -D
-NO_SOCK
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             18.62k       55.54k       76.88k       85.39k       86.52k
-md5             94.03k      442.06k      794.38k      974.51k     1061.31k
-sha             38.37k      166.23k      272.78k      331.41k      353.77k
-sha1            34.38k      147.77k      244.77k      292.57k      312.08k
-rc4            641.25k      795.34k      817.16k      829.57k      817.16k
-des cfb        111.46k      118.08k      120.69k      119.16k      119.37k
-des cbc        122.96k      135.69k      137.10k      135.69k      135.40k
-des ede3        48.01k       50.92k       50.32k       50.96k       50.96k
-idea cfb        97.09k      100.21k      100.36k      101.14k      100.98k
-idea cbc       102.08k      109.41k      111.46k      111.65k      110.52k
-rc2 cfb        120.47k      125.55k      125.79k      125.55k      125.55k
-rc2 cbc        129.77k      140.33k      143.72k      142.16k      141.85k
-rsa  512 bits   0.264s
-rsa 1024 bits   1.494s
diff --git a/times/486-66.nt b/times/486-66.nt
deleted file mode 100644
index b26a900..0000000
--- a/times/486-66.nt
+++ /dev/null
@@ -1,22 +0,0 @@
-SSLeay 0.6.1 02-Jul-1996
-built on Fri Jul 10 09:53:15 EST 1996
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,long) idea(int)
-C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /nologo -DWIN32 -DL_ENDIAN /MD
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             38.27k      107.28k      145.43k      159.60k      164.15k
-md5            399.00k     1946.13k     3610.80k     4511.94k     4477.27k
-sha            182.04k      851.26k     1470.65k     1799.20k     1876.48k
-sha1           151.83k      756.55k     1289.76k     1567.38k     1625.70k
-rc4           1853.92k     2196.25k     2232.91k     2241.31k     2152.96k
-des cfb        360.58k      382.69k      384.94k      386.07k      377.19k
-des cbc        376.10k      431.87k      436.32k      437.78k      430.45k
-des ede3       152.55k      160.38k      161.51k      161.33k      159.98k
-idea cfb       245.59k      255.60k      256.65k      257.16k      254.61k
-idea cbc       257.16k      276.12k      279.05k      279.11k      276.70k
-rc2 cfb        280.25k      293.49k      294.74k      294.15k      291.47k
-rc2 cbc        295.47k      321.57k      324.76k      324.76k      320.00k
-rsa  512 bits   0.084s
-rsa 1024 bits   0.495s
-rsa 2048 bits   3.435s
-
diff --git a/times/486-66.w31 b/times/486-66.w31
deleted file mode 100644
index 381f149..0000000
--- a/times/486-66.w31
+++ /dev/null
@@ -1,23 +0,0 @@
-Windows 3.1 DLL's, 16 bit C with 32bit assember
-
-SSLeay 0.6.1 02-Jul-1996
-built on Wed Jul 10 09:53:15 EST 1996
-options:bn(32,32) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DWIN16
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             18.94k       54.27k       73.43k       80.91k       83.75k
-md5             78.96k      391.26k      734.30k      919.80k      992.97k
-sha             39.01k      168.04k      280.67k      336.08k      359.10k
-sha1            35.20k      150.14k      247.31k      294.54k      313.94k
-rc4            509.61k      655.36k      678.43k      677.02k      670.10k
-des cfb         97.09k      104.69k      106.56k      105.70k      106.56k
-des cbc        116.82k      129.77k      131.07k      131.07k      131.07k
-des ede3        44.22k       47.90k       48.53k       48.47k       47.86k
-idea cfb        83.49k       87.03k       87.03k       87.15k       87.73k
-idea cbc        89.04k       96.23k       96.95k       97.81k       97.09k
-rc2 cfb        108.32k      113.58k      113.78k      114.57k      114.77k
-rc2 cbc        118.08k      131.07k      134.02k      134.02k      132.66k
-rsa  512 bits   0.181s
-rsa 1024 bits   0.846s
-
diff --git a/times/5.lnx b/times/5.lnx
deleted file mode 100644
index 1c1e392..0000000
--- a/times/5.lnx
+++ /dev/null
@@ -1,29 +0,0 @@
-SSLeay 0.8.5g 24-Jan-1998
-built on Tue Jan 27 08:11:42 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 56.55k      156.69k      211.63k      231.77k      238.71k
-mdc2               192.26k      208.09k      210.09k      209.58k      210.26k
-md5                991.04k     5745.51k    11932.67k    16465.24k    18306.39k
-hmac(md5)          333.99k     2383.89k     6890.67k    13133.82k    17397.08k
-sha1               571.68k     2883.88k     5379.07k     6880.26k     7443.80k
-rmd160             409.41k     2212.91k     4225.45k     5456.55k     5928.28k
-rc4               6847.57k     8596.22k     8901.80k     8912.90k     8850.09k
-des cbc           2046.29k     2229.78k     2254.76k     2259.97k     2233.69k
-des ede3           751.11k      779.95k      783.96k      784.38k      780.97k
-idea cbc           653.40k      708.29k      718.42k      720.21k      720.90k
-rc2 cbc            647.19k      702.46k      709.21k      710.66k      709.97k
-rc5-32/12 cbc     3498.18k     4054.12k     4133.46k     4151.64k     4139.69k
-blowfish cbc      3763.95k     4437.74k     4532.74k     4515.50k     4448.26k
-cast cbc          2754.22k     3020.67k     3079.08k     3069.95k     3036.50k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0207s   0.0020s     48.3    511.3
-rsa 1024 bits   0.1018s   0.0059s      9.8    169.6
-rsa 2048 bits   0.6438s   0.0208s      1.6     48.0
-rsa 4096 bits   4.6033s   0.0793s      0.2     12.6
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0190s   0.0359s     52.6     27.8
-dsa 1024 bits   0.0566s   0.1109s     17.7      9.0
-dsa 2048 bits   0.1988s   0.3915s      5.0      2.6
diff --git a/times/586-085i.nt b/times/586-085i.nt
deleted file mode 100644
index 8a57975..0000000
--- a/times/586-085i.nt
+++ /dev/null
@@ -1,29 +0,0 @@
-SSLeay 0.8.5i 28-Jan-1998
-built on Wed Jan 28 18:00:07 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags:cl /MT /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 92.74k      257.59k      348.16k      381.79k      392.14k
-mdc2               227.65k      247.82k      249.90k      250.65k      250.20k
-md5               1089.54k     5966.29k    12104.77k    16493.53k    18204.44k
-hmac(md5)          513.53k     3361.36k     8725.41k    14543.36k    17593.56k
-sha1               580.74k     2880.51k     5376.62k     6865.78k     7413.05k
-rmd160             508.06k     2427.96k     4385.51k     5510.84k     5915.80k
-rc4               8004.40k    10408.74k    10794.48k    10884.12k    10728.22k
-des cbc           2057.24k     2222.97k     2246.79k     2209.39k     2223.44k
-des ede3           739.42k      761.99k      765.48k      760.26k      760.97k
-idea cbc           827.08k      889.60k      898.83k      901.15k      897.98k
-rc2 cbc            795.64k      861.04k      871.13k      872.58k      871.13k
-rc5-32/12 cbc     3597.17k     4139.66k     4204.39k     4223.02k     4204.39k
-blowfish cbc      3807.47k     3996.10k     4156.07k     4204.39k     4105.62k
-cast cbc          2777.68k     2814.21k     2892.62k     2916.76k     2868.88k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0178s   0.0018s     56.3    541.6
-rsa 1024 bits   0.0945s   0.0059s     10.6    168.3
-rsa 2048 bits   0.6269s   0.0208s      1.6     48.0
-rsa 4096 bits   4.5560s   0.0784s      0.2     12.8
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0178s   0.0340s     56.2     29.4
-dsa 1024 bits   0.0552s   0.1077s     18.1      9.3
-dsa 2048 bits   0.1963s   0.3811s      5.1      2.6
diff --git a/times/586-100.LN3 b/times/586-100.LN3
deleted file mode 100644
index a6fa818..0000000
--- a/times/586-100.LN3
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3v 15-Oct-1997
-built on Wed Oct 15 10:05:00 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DX86_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.27k      156.76k      211.46k      231.77k      238.71k
-mdc2              188.74k      206.12k      207.70k      207.87k      208.18k
-md5               991.56k     5718.31k    11748.61k    16090.79k    17850.37k
-hmac(md5)         387.56k     2636.01k     7327.83k    13340.33k    17091.24k
-sha1              463.55k     2274.18k     4071.17k     5072.90k     5447.68k
-rc4              3673.94k     4314.52k     4402.26k     4427.09k     4407.30k
-des cbc          2023.79k     2209.77k     2233.34k     2220.71k     2222.76k
-des ede3          747.17k      778.54k      781.57k      778.24k      778.24k
-idea cbc          614.64k      678.04k      683.52k      685.06k      685.40k
-rc2 cbc           536.83k      574.10k      578.05k      579.24k      578.90k
-blowfish cbc     3673.39k     4354.58k     4450.22k     4429.48k     4377.26k
-                  sign    verify
-rsa  512 bits   0.0217s   0.0021s
-rsa 1024 bits   0.1083s   0.0064s
-rsa 2048 bits   0.6867s   0.0223s
-rsa 4096 bits   4.9400s   0.0846s
-                  sign    verify
-dsa  512 bits   0.0203s   0.0387s
-dsa 1024 bits   0.0599s   0.1170s
-dsa 2048 bits   0.2115s   0.4242s
diff --git a/times/586-100.NT2 b/times/586-100.NT2
deleted file mode 100644
index 7f8c167..0000000
--- a/times/586-100.NT2
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3e 30-Sep-1997
-built on Tue Sep 30 14:52:58 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DX86_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                92.99k      257.59k      348.16k      381.47k      392.14k
-mdc2              223.77k      235.30k      237.15k      236.77k      237.29k
-md5               862.53k     4222.17k     7842.75k     9925.00k    10392.23k
-sha               491.34k     2338.61k     4062.28k     4986.10k     5307.90k
-sha1              494.38k     2234.94k     3838.83k     4679.58k     4980.18k
-rc4              6338.10k     7489.83k     7676.25k     7698.80k     7631.56k
-des cbc          1654.17k     1917.66k     1961.05k     1968.05k     1960.69k
-des ede3          691.17k      739.42k      744.13k      745.82k      741.40k
-idea cbc          788.46k      870.33k      879.16k      881.38k      879.90k
-rc2 cbc           794.44k      859.63k      868.24k      869.68k      867.45k
-blowfish cbc     2379.88k     3017.48k     3116.12k     3134.76k     3070.50k
-                  sign    verify
-rsa  512 bits   0.0204s   0.0027s
-rsa 1024 bits   0.1074s   0.0032s
-rsa 2048 bits   0.6890s   0.0246s
-rsa 4096 bits   5.0180s   0.0911s
-                  sign    verify
-dsa  512 bits   0.0201s   0.0376s
-dsa 1024 bits   0.0608s   0.1193s
-dsa 2048 bits   0.2133s   0.4294s
diff --git a/times/586-100.dos b/times/586-100.dos
deleted file mode 100644
index 3085c25..0000000
--- a/times/586-100.dos
+++ /dev/null
@@ -1,24 +0,0 @@
-ms-dos static libs, 16 bit C and 16 bit assmber 
-
-SSLeay 0.6.1 02-Jul-1996
-built on Tue Jul  9 22:52:54 EST 1996
-options:bn(32,16) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DMSDOS -DNO_SOCK
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             45.99k      130.75k      176.53k      199.35k      203.21k
-md5            236.17k     1072.16k     1839.61k     2221.56k     2383.13k
-sha            107.97k      459.10k      757.64k      908.64k      954.99k
-sha1            96.95k      409.92k      672.16k      788.40k      844.26k
-rc4           1659.14k     1956.30k     2022.72k     2022.72k     2022.72k
-des cfb        313.57k      326.86k      326.86k      331.83k      326.86k
-des cbc        345.84k      378.82k      378.82k      384.38k      378.82k
-des ede3       139.59k      144.66k      144.61k      144.45k      143.29k
-idea cfb       262.67k      274.21k      274.21k      274.21k      274.21k
-idea cbc       284.32k      318.14k      318.14k      318.14k      318.14k
-rc2 cfb        265.33k      274.21k      277.69k      277.11k      277.69k
-rc2 cbc        283.71k      310.60k      309.86k      313.57k      314.32k
-rsa  512 bits   0.104s
-rsa 1024 bits   0.566s
-rsa 2048 bits   3.680s
-rsa 4096 bits  26.740s
diff --git a/times/586-100.ln4 b/times/586-100.ln4
deleted file mode 100644
index 14a9db9..0000000
--- a/times/586-100.ln4
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3aa 24-Oct-1997
-built on Mon Oct 27 10:16:25 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.78k      156.71k      211.46k      231.77k      238.71k
-mdc2              187.45k      200.49k      201.64k      202.75k      202.77k
-md5              1002.51k     5798.66k    11967.15k    16449.19k    18251.78k
-hmac(md5)         468.71k     3173.46k     8386.99k    14305.56k    17607.34k
-sha1              586.98k     2934.87k     5393.58k     6863.19k     7408.30k
-rc4              3675.10k     4314.15k     4402.77k     4427.78k     4404.57k
-des cbc          1902.96k     2202.01k     2242.30k     2252.46k     2236.42k
-des ede3          700.15k      774.23k      783.70k      781.62k      783.70k
-idea cbc          618.46k      677.93k      683.61k      685.40k      685.40k
-rc2 cbc           536.97k      573.87k      577.96k      579.24k      578.90k
-blowfish cbc     3672.66k     4271.89k     4428.80k     4469.76k     4374.53k
-                  sign    verify
-rsa  512 bits   0.0213s   0.0021s
-rsa 1024 bits   0.1075s   0.0063s
-rsa 2048 bits   0.6853s   0.0224s
-rsa 4096 bits   4.9400s   0.0845s
-                  sign    verify
-dsa  512 bits   0.0203s   0.0380s
-dsa 1024 bits   0.0600s   0.1189s
-dsa 2048 bits   0.2110s   0.4250s
diff --git a/times/586-100.lnx b/times/586-100.lnx
deleted file mode 100644
index 0c05173..0000000
--- a/times/586-100.lnx
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3 30-Apr-1997
-built on Mon May 12 04:13:55 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                72.95k      202.77k      274.01k      300.37k      309.23k
-md5               770.57k     4094.02k     7409.41k     9302.36k     9986.05k
-sha               363.05k     1571.07k     2613.85k     3134.81k     3320.49k
-sha1              340.94k     1462.85k     2419.20k     2892.12k     3042.35k
-rc4              3676.91k     4314.94k     4407.47k     4430.51k     4412.76k
-des cbc          1489.95k     1799.08k     1841.66k     1851.73k     1848.66k
-des ede3          621.93k      711.19k      726.10k      729.77k      729.09k
-idea cbc          618.16k      676.99k      683.09k      684.37k      683.59k
-rc2 cbc           537.59k      573.93k      578.56k      579.58k      579.70k
-blowfish cbc     2077.57k     2682.20k     2827.18k     2840.92k     2842.62k
-rsa  512 bits   0.024s   0.003
-rsa 1024 bits   0.120s   0.003
-rsa 2048 bits   0.751s   0.026
-rsa 4096 bits   5.320s   0.096
-dsa  512 bits   0.022s   0.042
-dsa 1024 bits   0.065s   0.126
-dsa 2048 bits   0.227s   0.449
diff --git a/times/586-100.nt b/times/586-100.nt
deleted file mode 100644
index 9adcac3..0000000
--- a/times/586-100.nt
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3 30-Apr-1997
-built on Mon May 19 10:47:38 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags not available
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                89.57k      245.94k      331.59k      362.95k      373.29k
-md5               858.93k     4175.51k     7700.21k     9715.78k    10369.11k
-sha               466.18k     2103.67k     3607.69k     4399.31k     4669.16k
-sha1              449.59k     2041.02k     3496.13k     4256.45k     4512.92k
-rc4              5862.55k     7447.27k     7698.80k     7768.38k     7653.84k
-des cbc          1562.71k     1879.84k     1928.24k     1938.93k     1911.02k
-des ede3          680.27k      707.97k      728.62k      733.15k      725.98k
-idea cbc          797.46k      885.85k      895.68k      898.06k      896.45k
-rc2 cbc           609.46k      648.75k      654.01k      654.42k      653.60k
-blowfish cbc     2357.94k     3000.22k     3106.89k     3134.76k     3080.42k
-rsa  512 bits   0.022s   0.003
-rsa 1024 bits   0.112s   0.003
-rsa 2048 bits   0.726s   0.026
-rsa 4096 bits   5.268s   0.095
-dsa  512 bits   0.021s   0.039
-dsa 1024 bits   0.063s   0.127
-dsa 2048 bits   0.224s   0.451
diff --git a/times/586-100.ntx b/times/586-100.ntx
deleted file mode 100644
index 35166a5..0000000
--- a/times/586-100.ntx
+++ /dev/null
@@ -1,30 +0,0 @@
-SSLeay 0.8.5f 22-Jan-1998
-built on Wed Jan 21 17:11:53 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(
-ptr2)
-C flags:cl /MT /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN
--DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                92.99k      257.43k      347.84k      381.82k      392.14k
-mdc2              232.19k      253.68k      257.57k      258.70k      258.70k
-md5              1094.09k     5974.79k    12139.81k    16487.04k    18291.77k
-hmac(md5)         375.70k     2590.04k     7309.70k    13469.18k    17447.19k
-sha1              613.78k     2982.93k     5446.44k     6889.46k     7424.86k
-rmd160            501.23k     2405.68k     4367.25k     5503.61k     5915.80k
-rc4              8167.75k    10429.44k    10839.12k    10929.50k    10772.30k
-des cbc          2057.24k     2218.27k     2237.20k     2227.69k     2213.59k
-des ede3          719.63k      727.11k      728.77k      719.56k      722.97k
-idea cbc          827.67k      888.85k      898.06k      900.30k      898.75k
-rc2 cbc           797.46k      862.53k      870.33k      872.58k      870.40k
-blowfish cbc     3835.32k     4435.60k     4513.89k     4513.89k     4416.92k
-cast cbc         2785.06k     3052.62k     3088.59k     3034.95k     3034.95k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0202s   0.0020s     49.4    500.2
-rsa 1024 bits   0.1030s   0.0063s      9.7    159.4
-rsa 2048 bits   0.6740s   0.0223s      1.5     44.9
-rsa 4096 bits   4.8970s   0.0844s      0.2     11.8
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0191s   0.0361s     52.4     27.7
-dsa 1024 bits   0.0587s   0.1167s     17.0      8.6
-dsa 2048 bits   0.2091s   0.4123s      4.8      2.4
diff --git a/times/586-100.w31 b/times/586-100.w31
deleted file mode 100644
index d5b1c10..0000000
--- a/times/586-100.w31
+++ /dev/null
@@ -1,27 +0,0 @@
-Pentium 100, Windows 3.1 DLL's, 16 bit C, 32bit assember.
-
-Running under Windows NT 4.0 Beta 2
-
-SSLeay 0.6.4 20-Aug-1996
-built on Thu Aug 22 08:44:21 EST 1996
-options:bn(32,32) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DWIN16
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             45.83k      128.82k      180.17k      194.90k      198.59k
-md5            224.82k     1038.19k     1801.68k     2175.47k     2330.17k
-sha            105.11k      448.11k      739.48k      884.13k      944.66k
-sha1            94.71k      402.99k      667.88k      795.58k      844.26k
-rc4           1614.19k     1956.30k     2022.72k     2022.72k     2022.72k
-des cfb        291.27k      318.14k      318.14k      318.14k      322.84k
-des cbc        326.86k      356.17k      362.08k      362.08k      367.15k
-des ede3       132.40k      139.57k      139.53k      139.37k      140.97k
-idea cfb       265.33k      280.67k      280.67k      277.69k      281.27k
-idea cbc       274.21k      302.01k      306.24k      306.24k      305.53k
-rc2 cfb        264.79k      274.21k      274.78k      274.21k      274.21k
-rc2 cbc        281.27k      306.24k      309.86k      305.53k      309.86k
-rsa  512 bits   0.058s
-rsa 1024 bits   0.280s
-rsa 2048 bits   1.430s
-rsa 4096 bits  10.600s
-
diff --git a/times/586-1002.lnx b/times/586-1002.lnx
deleted file mode 100644
index d830bce..0000000
--- a/times/586-1002.lnx
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3e 30-Sep-1997
-built on Wed Oct  1 03:01:44 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DX86_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.21k      156.57k      211.29k      231.77k      237.92k
-mdc2              170.99k      191.70k      193.90k      195.58k      195.95k
-md5               770.50k     3961.96k     7291.22k     9250.82k     9942.36k
-sha               344.93k     1520.77k     2569.81k     3108.52k     3295.91k
-sha1              326.20k     1423.74k     2385.15k     2870.95k     3041.96k
-rc4              3672.88k     4309.65k     4374.41k     4408.66k     4355.41k
-des cbc          1349.73k     1689.05k     1735.34k     1748.99k     1739.43k
-des ede3          638.70k      704.00k      711.85k      714.41k      712.70k
-idea cbc          619.55k      677.33k      683.26k      685.06k      685.40k
-rc2 cbc           521.18k      571.20k      573.46k      578.90k      578.90k
-blowfish cbc     2079.67k     2592.49k     2702.34k     2730.33k     2695.17k
-                  sign    verify
-rsa  512 bits   0.0213s   0.0026s
-rsa 1024 bits   0.1099s   0.0031s
-rsa 2048 bits   0.7007s   0.0248s
-rsa 4096 bits   5.0500s   0.0921s
-                  sign    verify
-dsa  512 bits   0.0203s   0.0389s
-dsa 1024 bits   0.0614s   0.1222s
-dsa 2048 bits   0.2149s   0.4283s
diff --git a/times/586p-100.lnx b/times/586p-100.lnx
deleted file mode 100644
index 561eb31..0000000
--- a/times/586p-100.lnx
+++ /dev/null
@@ -1,26 +0,0 @@
-Pentium 100 - Linux 1.2.13 - gcc 2.7.2p
-This is the pentium specific version of gcc
-
-SSLeay 0.6.4 20-Aug-1996
-built on Thu Aug 22 08:27:58 EST 1996
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,long) idea(int)
-C flags:gcc -DL_ENDIAN -DTERMIO -O6 -fomit-frame-pointer -mpentium -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             74.90k      208.43k      282.11k      309.59k      318.43k
-md5            807.08k     4205.67k     7801.51k     9958.06k    10810.71k
-sha            405.98k     1821.55k     3119.10k     3799.04k     4052.31k
-sha1           389.13k     1699.50k     2852.78k     3437.57k     3656.36k
-rc4           3621.15k     4130.07k     4212.74k     4228.44k     4213.42k
-des cfb        794.39k      828.37k      831.74k      832.51k      832.85k
-des cbc        817.68k      886.17k      894.72k      896.00k      892.93k
-des ede3       308.83k      323.29k      324.61k      324.95k      324.95k
-idea cfb       690.41k      715.39k      718.51k      719.19k      718.17k
-idea cbc       696.80k      760.60k      767.32k      768.68k      770.05k
-rc2 cfb        619.91k      639.74k      642.30k      642.73k      641.71k
-rc2 cbc        631.99k      671.42k      676.35k      676.18k      677.21k
-rsa  512 bits   0.025s
-rsa 1024 bits   0.123s
-rsa 2048 bits   0.756s
-rsa 4096 bits   5.365s
-
diff --git a/times/686-200.bsd b/times/686-200.bsd
deleted file mode 100644
index f23c580..0000000
--- a/times/686-200.bsd
+++ /dev/null
@@ -1,25 +0,0 @@
-Pentium Pro 200mhz
-FreeBSD 2.1.5
-gcc 2.7.2.2
-
-SSLeay 0.7.0 30-Jan-1997
-built on Tue Apr 22 12:14:36 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DTERMIOS -D_ANSI_SOURCE -fomit-frame-pointer -O3 -m486 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               130.99k      367.68k      499.09k      547.04k      566.50k
-md5              1924.98k     8293.50k    13464.41k    16010.39k    16820.68k
-sha              1250.75k     5330.43k     8636.88k    10227.36k    10779.14k
-sha1             1071.55k     4572.50k     7459.98k     8791.96k     9341.61k
-rc4             10724.22k    14546.25k    15240.18k    15259.50k    15265.63k
-des cbc          3309.11k     3883.01k     3968.25k     3971.86k     3979.14k
-des ede3         1442.98k     1548.33k     1562.48k     1562.00k     1563.33k
-idea cbc         2195.69k     2506.39k     2529.59k     2545.66k     2546.54k
-rc2 cbc           806.00k      833.52k      837.58k      838.52k      836.69k
-blowfish cbc     4687.34k     5949.97k     6182.43k     6248.11k     6226.09k
-rsa  512 bits   0.010s
-rsa 1024 bits   0.045s
-rsa 2048 bits   0.260s
-rsa 4096 bits   1.690s
-
diff --git a/times/686-200.lnx b/times/686-200.lnx
deleted file mode 100644
index a10cc2f..0000000
--- a/times/686-200.lnx
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.2a 04-Sep-1997
-built on Fri Sep  5 17:37:05 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               131.02k      368.41k      500.57k      549.21k      566.09k
-mdc2              535.60k      589.10k      595.88k      595.97k      594.54k
-md5              1801.53k     9674.77k    17484.03k    21849.43k    23592.96k
-sha              1261.63k     5533.25k     9285.63k    11187.88k    11913.90k
-sha1             1103.13k     4782.53k     7933.78k     9472.34k    10070.70k
-rc4             10722.53k    14443.93k    15215.79k    15299.24k    15219.59k
-des cbc          3286.57k     3827.73k     3913.39k     3931.82k     3926.70k
-des ede3         1443.50k     1549.08k     1561.17k     1566.38k     1564.67k
-idea cbc         2203.64k     2508.16k     2538.33k     2543.62k     2547.71k
-rc2 cbc          1430.94k     1511.59k     1524.82k     1527.13k     1523.33k
-blowfish cbc     4716.07k     5965.82k     6190.17k     6243.67k     6234.11k
-                  sign    verify
-rsa  512 bits   0.0100s   0.0011s
-rsa 1024 bits   0.0451s   0.0012s
-rsa 2048 bits   0.2605s   0.0086s
-rsa 4096 bits   1.6883s   0.0302s
-                  sign    verify
-dsa  512 bits   0.0083s   0.0156s
-dsa 1024 bits   0.0228s   0.0454s
-dsa 2048 bits   0.0719s   0.1446s
-
diff --git a/times/686-200.nt b/times/686-200.nt
deleted file mode 100644
index c8cbaa0..0000000
--- a/times/686-200.nt
+++ /dev/null
@@ -1,24 +0,0 @@
-built on Tue May 13 08:24:51 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfi
-sh(ptr2)
-C flags not available
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               156.39k      427.99k      576.14k      628.36k      647.27k
-md5              2120.48k    10255.02k    18396.07k    22795.13k    24244.53k
-sha              1468.59k     6388.89k    10686.12k    12826.62k    13640.01k
-sha1             1393.46k     6013.34k     9974.56k    11932.59k    12633.45k
-rc4             13833.46k    19275.29k    20321.24k    20281.93k    20520.08k
-des cbc          3382.50k     4104.02k     4152.78k     4194.30k     4194.30k
-des ede3         1465.51k     1533.00k     1549.96k     1553.29k     1570.29k
-idea cbc         2579.52k     3079.52k     3130.08k     3153.61k     3106.89k
-rc2 cbc          1204.57k     1276.42k     1285.81k     1289.76k     1285.81k
-blowfish cbc     5229.81k     6374.32k     6574.14k     6574.14k     6594.82k
-rsa  512 bits   0.008s   0.001
-rsa 1024 bits   0.038s   0.001
-rsa 2048 bits   0.231s   0.008
-rsa 4096 bits   1.540s   0.027
-dsa  512 bits   0.007s   0.013
-dsa 1024 bits   0.021s   0.040
-dsa 2048 bits   0.066s   0.130
-
diff --git a/times/L1 b/times/L1
deleted file mode 100644
index 09253d7..0000000
--- a/times/L1
+++ /dev/null
@@ -1,27 +0,0 @@
-SSLeay 0.8.3ad 27-Oct-1997
-built on Wed Oct 29 00:36:17 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.16k      156.50k      211.46k      231.77k      238.71k
-mdc2              183.37k      205.21k      205.57k      209.92k      207.53k
-md5              1003.65k     5605.56k    11628.54k    15887.70k    17522.69k
-hmac(md5)         411.24k     2803.46k     7616.94k    13475.84k    16864.60k
-sha1              542.66k     2843.50k     5320.53k     6833.49k     7389.18k
-rc4              3677.15k     4313.73k     4407.89k     4429.82k     4404.57k
-des cbc          1787.94k     2174.51k     2236.76k     2249.73k     2230.95k
-des ede3          719.46k      777.26k      784.81k      780.29k      783.70k
-idea cbc          619.56k      677.89k      684.12k      685.40k      685.40k
-rc2 cbc           537.51k      573.93k      578.47k      579.24k      578.90k
-blowfish cbc     3226.76k     4221.65k     4424.19k     4468.39k     4377.26k
-cast cbc         2866.13k     3165.35k     3263.15k     3287.04k     3233.11k
-                  sign    verify
-rsa  512 bits   0.0212s   0.0021s
-rsa 1024 bits   0.1072s   0.0064s
-rsa 2048 bits   0.6853s   0.0222s
-rsa 4096 bits   4.9300s   0.0848s
-                  sign    verify
-dsa  512 bits   0.0200s   0.0380s
-dsa 1024 bits   0.0600s   0.1180s
-dsa 2048 bits   0.2110s   0.4221s
diff --git a/times/R10000.t b/times/R10000.t
deleted file mode 100644
index 6b3874c..0000000
--- a/times/R10000.t
+++ /dev/null
@@ -1,24 +0,0 @@
-IRIX 6.2 - R10000 195mhz
-SLeay 0.6.5a 06-Dec-1996
-built on Tue Dec 24 03:51:45 EST 1996
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int)
-C flags:cc -O2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2            156.34k      424.03k      571.88k      628.88k      646.01k
-md5           1885.02k     8181.72k    13440.53k    16020.60k    16947.54k
-sha           1587.12k     7022.05k    11951.24k    14440.12k    15462.74k
-sha1          1413.13k     6215.86k    10571.16k    12736.22k    13628.51k
-rc4          10556.28k    11974.08k    12077.10k    12111.38k    12103.20k
-des cfb       2977.71k     3252.27k     3284.36k     3302.66k     3290.54k
-des cbc       3298.31k     3704.96k     3771.30k     3730.73k     3778.80k
-des ede3      1278.28k     1328.82k     1342.66k     1339.82k     1343.27k
-idea cfb      2843.34k     3138.04k     3180.95k     3176.46k     3188.54k
-idea cbc      3115.21k     3558.03k     3590.61k     3591.24k     3601.18k
-rc2 cfb       2006.66k     2133.33k     2149.03k     2159.36k     2149.71k
-rc2 cbc       2167.07k     2315.30k     2338.05k     2329.34k     2333.90k
-rsa  512 bits   0.008s
-rsa 1024 bits   0.043s
-rsa 2048 bits   0.280s
-rsa 4096 bits   2.064s
-
diff --git a/times/R4400.t b/times/R4400.t
deleted file mode 100644
index af8848f..0000000
--- a/times/R4400.t
+++ /dev/null
@@ -1,26 +0,0 @@
-IRIX 5.3
-R4400 200mhz
-cc -O2
-SSLeay 0.6.5a 06-Dec-1996
-built on Mon Dec 23 11:51:11 EST 1996
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int)
-C flags:cc -O2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2            100.62k      280.25k      380.15k      416.02k      428.82k
-md5            828.62k     3525.05k     6311.98k     7742.51k     8328.04k
-sha            580.04k     2513.74k     4251.73k     5101.04k     5394.80k
-sha1           520.23k     2382.94k     4107.82k     5024.62k     5362.56k
-rc4           5871.53k     6323.08k     6357.49k     6392.04k     6305.45k
-des cfb       1016.76k     1156.72k     1176.59k     1180.55k     1181.65k
-des cbc       1016.38k     1303.81k     1349.10k     1359.41k     1356.62k
-des ede3       607.39k      650.74k      655.11k      657.52k      654.18k
-idea cfb      1296.10k     1348.66k     1353.80k     1358.75k     1355.40k
-idea cbc      1453.90k     1554.68k     1567.84k     1569.89k     1573.57k
-rc2 cfb       1199.86k     1251.69k     1253.57k     1259.56k     1251.31k
-rc2 cbc       1334.60k     1428.55k     1441.89k     1445.42k     1441.45k
-rsa  512 bits   0.024s
-rsa 1024 bits   0.125s
-rsa 2048 bits   0.806s
-rsa 4096 bits   5.800s
-
diff --git a/times/aix.t b/times/aix.t
deleted file mode 100644
index 4f24e39..0000000
--- a/times/aix.t
+++ /dev/null
@@ -1,34 +0,0 @@
-from Paco Garcia <pgarcia at ctv.es>
-This machine is a Bull Estrella  Minitower Model MT604-100
-Processor        : PPC604 
-P.Speed          : 100Mhz 
-Data/Instr Cache :    16 K
-L2 Cache         :   256 K
-PCI BUS Speed    :    33 Mhz
-TransfRate PCI   :   132 MB/s
-Memory           :    96 MB
-
-AIX 4.1.4
-
-SSLeay 0.6.6 14-Jan-1997
-built on Mon Jan 13 21:36:03 CUT 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish
-(idx)
-C flags:cc -O -DAIX -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                53.83k      147.46k      197.63k      215.72k     221.70k
-md5              1278.13k     5354.77k     8679.60k    10195.09k   10780.56k
-sha              1055.34k     4600.37k     7721.30k     9298.94k    9868.63k
-sha1              276.90k     1270.25k     2187.95k     2666.84k    2850.82k
-rc4              4660.57k     5268.93k     5332.48k     5362.47k    5346.65k
-des cbc          1774.16k     1981.10k     1979.56k     2032.71k    1972.25k
-des ede3          748.81k      781.42k      785.66k      785.75k     780.84k
-idea cbc         2066.19k     2329.58k     2378.91k     2379.86k    2380.89k
-rc2 cbc          1278.53k     1379.69k     1389.99k     1393.66k    1389.91k
-blowfish cbc     2812.91k     3307.90k     3364.91k     3386.37k    3374.32k
-rsa  512 bits   0.019s
-rsa 1024 bits   0.096s
-rsa 2048 bits   0.614s
-rsa 4096 bits   4.433s
-
diff --git a/times/aixold.t b/times/aixold.t
deleted file mode 100644
index 0b51412..0000000
--- a/times/aixold.t
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 04:06:32 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish(idx)
-C flags:cc -O -DAIX -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                19.09k       52.47k       71.23k       77.49k       78.93k
-md5               214.56k      941.21k     1585.43k     1883.12k     1988.70k
-sha               118.35k      521.65k      860.28k     1042.27k     1100.46k
-sha1              109.52k      478.98k      825.90k      995.48k     1049.69k
-rc4              1263.63k     1494.24k     1545.70k     1521.66k     1518.99k
-des cbc           259.62k      286.55k      287.15k      288.15k      289.45k
-des ede3          104.92k      107.88k      109.27k      109.25k      109.96k
-idea cbc          291.63k      320.07k      319.40k      320.51k      318.27k
-rc2 cbc           220.04k      237.76k      241.44k      245.90k      244.08k
-blowfish cbc      407.95k      474.83k      480.99k      485.71k      481.07k
-rsa  512 bits   0.157s   0.019
-rsa 1024 bits   0.908s   0.023
-rsa 2048 bits   6.225s   0.218
-rsa 4096 bits  46.500s   0.830
-dsa  512 bits   0.159s   0.312
-dsa 1024 bits   0.536s   1.057
-dsa 2048 bits   1.970s   3.977
diff --git a/times/alpha.t b/times/alpha.t
deleted file mode 100644
index 3a7c6c4..0000000
--- a/times/alpha.t
+++ /dev/null
@@ -1,81 +0,0 @@
-SSLeay-051 Alpha gcc -O3 64Bit (assember bn_mul)
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             44.40k      121.56k      162.73k      179.20k      185.01k
-md5            780.85k     3278.53k     5281.52k     6327.98k     6684.67k
-sha            501.40k     2249.19k     3855.27k     4801.19k     5160.96k
-sha-1          384.99k     1759.72k     3113.64k     3946.92k     4229.80k
-rc4           3505.05k     3724.54k     3723.78k     3555.33k     3694.68k
-des cfb        946.96k     1015.27k     1021.87k     1033.56k     1037.65k
-des cbc       1001.24k     1220.20k     1243.31k     1272.73k     1265.87k
-des ede3       445.34k      491.65k      500.53k      502.10k      502.44k
-idea cfb       643.53k      667.49k      663.81k      666.28k      664.51k
-idea cbc       650.42k      735.41k      733.27k      742.74k      745.47k
-rsa  512 bits   0.031s
-rsa 1024 bits   0.141s
-rsa 2048 bits   0.844s
-rsa 4096 bits   6.033s
-
-SSLeay-051 Alpha cc -O2 64bit (assember bn_mul)
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             45.37k      122.86k      165.97k      182.95k      188.42k
-md5            842.42k     3629.93k     5916.76k     7039.17k     7364.61k
-sha            498.93k     2197.23k     3895.60k     4756.48k     5132.13k
-sha-1          382.02k     1757.21k     3112.53k     3865.23k     4128.77k
-rc4           2975.25k     3049.33k     3180.97k     3214.68k     3424.26k
-des cfb        901.55k      990.83k     1006.08k     1011.19k     1004.89k
-des cbc        947.84k     1127.84k     1163.67k     1162.24k     1157.80k
-des ede3       435.62k      485.57k      493.67k      491.52k      491.52k
-idea cfb       629.31k      648.66k      647.77k      648.53k      649.90k
-idea cbc       565.15k      608.00k      613.46k      613.38k      617.13k
-rsa  512 bits   0.030s
-rsa 1024 bits   0.141s
-rsa 2048 bits   0.854s
-rsa 4096 bits   6.067s
-
-des cfb        718.28k      822.64k      833.11k      836.27k      841.05k
-des cbc        806.10k      951.42k      975.83k      983.73k      991.23k
-des ede3       329.50k      379.11k      387.95k      387.41k      388.33k
-
-des cfb        871.62k      948.65k      951.81k      953.00k      955.58k
-des cbc        953.60k     1174.27k     1206.70k     1216.10k     1216.44k
-des ede3       349.34k      418.05k      427.26k      429.74k      431.45k
-
-
-
-
-SSLeay-045c Alpha gcc -O3 64Bit
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             44.95k      122.22k      164.27k      180.62k      184.66k
-md5            808.71k     3371.95k     5415.68k     6385.66k     6684.67k
-sha            493.68k     2162.05k     3725.82k     4552.02k     4838.74k
-rc4           3317.32k     3649.09k     3728.30k     3744.09k     3691.86k
-cfb des        996.45k     1050.77k     1058.30k     1059.16k     1064.96k
-cbc des       1096.52k     1255.49k     1282.13k     1289.90k     1299.80k
-ede3 des       482.14k      513.51k      518.66k      520.19k      521.39k
-cfb idea       519.90k      533.40k      535.21k      535.55k      535.21k
-cbc idea       619.34k      682.21k      688.04k      689.15k      690.86k
-rsa  512 bits   0.050s
-rsa 1024 bits   0.279s
-rsa 2048 bits   1.908s
-rsa 4096 bits  14.750s
-
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             37.31k      102.77k      137.64k      151.55k      155.78k
-md5            516.65k     2535.21k     4655.72k     5859.66k     6343.34k
-rc4           3519.61k     3707.01k     3746.86k     3755.39k     3675.48k
-cfb des        780.27k      894.68k      913.10k      921.26k      922.97k
-cbc des        867.54k     1040.13k     1074.17k     1075.54k     1084.07k
-ede3 des       357.19k      397.36k      398.08k      402.28k      401.41k
-cbc idea       646.53k      686.44k      694.03k      691.20k      693.59k
-rsa  512 bits   0.046s
-rsa 1024 bits   0.270s
-rsa 2048 bits   1.858s
-rsa 4096 bits  14.350s
-
-md2      C      37.83k      103.17k      137.90k      150.87k      155.37k
-md2      L      37.30k      102.04k      139.01k      152.74k      155.78k
-rc4       I   3532.24k     3718.08k     3750.83k     3768.78k     3694.59k
-rc4      CI   2662.97k     2873.26k     2907.22k     2920.63k     2886.31k
-rc4      LI   3514.63k     3738.72k     3747.41k     3752.96k     3708.49k
-cbc idea S     619.01k      658.68k      661.50k      662.53k      663.55k
-cbc idea  L    645.69k      684.22k      694.55k      692.57k      690.86k
diff --git a/times/alpha400.t b/times/alpha400.t
deleted file mode 100644
index 079e0d1..0000000
--- a/times/alpha400.t
+++ /dev/null
@@ -1,25 +0,0 @@
-Alpha EV5.6 (21164A) 400mhz
-
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 03:39:58 EST 1997
-options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
-C flags:cc -arch host -tune host -fast -std -O4 -inline speed
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               274.98k      760.96k     1034.27k     1124.69k     1148.69k
-md5              2524.46k    11602.60k    19838.81k    24075.26k    25745.10k
-sha              1848.46k     8335.66k    14232.49k    17247.91k    18530.30k
-sha1             1639.67k     7336.53k    12371.80k    14807.72k    15870.63k
-rc4             17950.93k    19390.66k    19652.44k    19700.39k    19412.31k
-des cbc          4018.59k     4872.06k     4988.76k     5003.26k     4995.73k
-des ede3         1809.11k     1965.67k     1984.26k     1986.90k     1982.46k
-idea cbc         2848.82k     3204.33k     3250.26k     3257.34k     3260.42k
-rc2 cbc          3766.08k     4349.50k     4432.21k     4448.94k     4448.26k
-blowfish cbc     6694.88k     9042.35k     9486.93k     9598.98k     9624.91k
-rsa  512 bits   0.003s   0.000
-rsa 1024 bits   0.013s   0.000
-rsa 2048 bits   0.081s   0.003
-rsa 4096 bits   0.577s   0.011
-dsa  512 bits   0.003s   0.005
-dsa 1024 bits   0.007s   0.014
-dsa 2048 bits   0.025s   0.050
diff --git a/times/cyrix100.lnx b/times/cyrix100.lnx
deleted file mode 100644
index 010a221..0000000
--- a/times/cyrix100.lnx
+++ /dev/null
@@ -1,22 +0,0 @@
-SSLeay 0.6.6 06-Dec-1996
-built on Fri Dec  6 10:05:20 GMT 1996
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,risc,16,long) idea(int)
-C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             36.77k      102.48k      138.00k      151.57k      155.78k
-md5            513.59k     2577.22k     4623.51k     5768.99k     6214.53k
-sha            259.89k     1105.45k     1814.97k     2156.16k     2292.13k
-sha1           242.43k     1040.95k     1719.44k     2049.74k     2164.64k
-rc4           1984.48k     2303.41k     2109.37k     2071.47k     1985.61k
-des cfb        712.08k      758.29k      753.17k      752.06k      748.67k
-des cbc        787.37k      937.64k      956.77k      961.61k      957.54k
-des ede3       353.97k      377.28k      379.99k      379.34k      379.11k
-idea cfb       403.80k      418.50k      416.60k      415.78k      415.03k
-idea cbc       426.54k      466.40k      471.31k      472.67k      473.14k
-rc2 cfb        405.15k      420.05k      418.16k      416.72k      416.36k
-rc2 cbc        428.21k      468.43k      473.09k      472.59k      474.70k
-rsa  512 bits   0.040s
-rsa 1024 bits   0.195s
-rsa 2048 bits   1.201s
-rsa 4096 bits   8.700s
diff --git a/times/dgux-x86.t b/times/dgux-x86.t
deleted file mode 100644
index 70635c5..0000000
--- a/times/dgux-x86.t
+++ /dev/null
@@ -1,23 +0,0 @@
-version:SSLeay 0.5.2c 15-May-1996
-built Fri Jun 14 19:47:04 EST 1996
-options:bn(LLONG,thirty_two) md2(CHAR) rc4(IDX,int) des(ary,long) idea(int)
-C flags:gcc -O3 -fomit-frame-pointer -DL_ENDIAN
-
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2            113.86k      316.48k      428.36k      467.63k      481.56k
-md5           1001.99k     5037.99k     9545.94k    12036.95k    11800.38k
-sha            628.77k     2743.48k     5113.42k     6206.99k     6165.42k
-sha1           583.83k     2638.66k     4538.85k     5532.09k     5917.04k
-rc4           5493.27k     6369.39k     6511.30k     6577.83k     6486.73k
-des cfb       1219.01k     1286.06k     1299.33k     1288.87k     1381.72k
-des cbc       1360.58k     1469.04k     1456.96k     1454.08k     1513.57k
-des ede3       544.45k      567.84k      568.99k      570.37k      566.09k
-idea cfb      1012.39k     1056.30k     1063.52k      989.17k      863.24k
-idea cbc       985.36k     1090.44k     1105.92k     1108.65k     1090.17k
-rc2 cfb        963.86k      979.06k      995.30k      937.35k      827.39k
-rc2 cbc        951.72k     1042.11k     1049.60k     1047.21k     1059.11k
-rsa  512 bits   0.032s
-rsa 1024 bits   0.159s
-rsa 2048 bits   1.025s
-rsa 4096 bits   7.270s
-
diff --git a/times/dgux.t b/times/dgux.t
deleted file mode 100644
index c7f7564..0000000
--- a/times/dgux.t
+++ /dev/null
@@ -1,17 +0,0 @@
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             38.54k      106.28k      144.00k      157.46k      161.72k
-md5            323.23k     1471.62k     2546.11k     3100.20k     3309.57k
-rc4        I  1902.74k     2055.20k     2080.42k     2077.88k     2065.46k
-cfb des        456.23k      475.22k      481.79k      488.42k      487.17k
-cbc des        484.30k      537.50k      553.09k      558.08k      558.67k
-ede3 des       199.97k      209.05k      211.03k      211.85k      212.78k
-cbc idea       478.50k      519.33k      523.42k      525.09k      526.44k
-rsa  512 bits   0.159s !RSA_LLONG
-rsa 1024 bits   1.053s
-rsa 2048 bits   7.600s
-rsa 4096 bits  59.760s
-
-md2       C     30.53k       83.58k      112.84k      123.22k      126.24k
-rc4           1844.56k     1975.50k     1997.73k     1994.95k     1984.88k
-rc4       C   1800.09k     1968.85k     1995.20k     1992.36k     1996.80k
-rc4       CI  1830.81k     2035.75k     2067.28k     2070.23k     2062.77k
diff --git a/times/hpux-acc.t b/times/hpux-acc.t
deleted file mode 100644
index 0c0e936..0000000
--- a/times/hpux-acc.t
+++ /dev/null
@@ -1,25 +0,0 @@
-HPUX 887
-
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 02:59:45 EST 1997
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
-C flags:cc -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit +O4 -Wl,-a,archive
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                58.99k      166.85k      225.07k      247.21k      253.76k
-md5               639.22k     2726.98k     4477.25k     5312.69k     5605.20k
-sha               381.08k     1661.49k     2793.84k     3368.86k     3581.23k
-sha1              349.54k     1514.56k     2536.63k     3042.59k     3224.39k
-rc4              2891.10k     4238.01k     4464.11k     4532.49k     4545.87k
-des cbc           717.05k      808.76k      820.14k      821.97k      821.96k
-des ede3          288.21k      303.50k      303.69k      305.82k      305.14k
-idea cbc          325.83k      334.36k      335.89k      336.61k      333.43k
-rc2 cbc           793.00k      915.81k      926.69k      933.28k      929.53k
-blowfish cbc     1561.91k     2051.97k     2122.65k     2139.40k     2145.92k
-rsa  512 bits   0.031s   0.004
-rsa 1024 bits   0.164s   0.004
-rsa 2048 bits   1.055s   0.037
-rsa 4096 bits   7.600s   0.137
-dsa  512 bits   0.029s   0.057
-dsa 1024 bits   0.092s   0.177
-dsa 2048 bits   0.325s   0.646
diff --git a/times/hpux-kr.t b/times/hpux-kr.t
deleted file mode 100644
index ad4a0ad..0000000
--- a/times/hpux-kr.t
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 02:17:35 EST 1997
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,cisc,16,long) idea(int) blowfish(idx)
-C flags:cc -DB_ENDIAN -DNOCONST -DNOPROTO -D_HPUX_SOURCE
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                35.30k       98.36k      133.41k      146.34k      150.69k
-md5               391.20k     1737.31k     2796.65k     3313.75k     3503.74k
-sha               189.55k      848.14k     1436.72k     1735.87k     1848.03k
-sha1              175.30k      781.14k     1310.32k     1575.61k     1675.81k
-rc4              2070.55k     2501.47k     2556.65k     2578.34k     2584.91k
-des cbc           465.13k      536.85k      545.87k      547.86k      548.89k
-des ede3          190.05k      200.99k      202.31k      202.22k      202.75k
-idea cbc          263.44k      277.77k      282.13k      281.51k      283.15k
-rc2 cbc           448.37k      511.39k      519.54k      522.00k      521.31k
-blowfish cbc      839.98k     1097.70k     1131.16k     1145.64k     1144.67k
-rsa  512 bits   0.048s   0.005
-rsa 1024 bits   0.222s   0.006
-rsa 2048 bits   1.272s   0.042
-rsa 4096 bits   8.445s   0.149
-dsa  512 bits   0.041s   0.077
-dsa 1024 bits   0.111s   0.220
-dsa 2048 bits   0.363s   0.726
diff --git a/times/hpux.t b/times/hpux.t
deleted file mode 100644
index dcf7615..0000000
--- a/times/hpux.t
+++ /dev/null
@@ -1,86 +0,0 @@
-HP-UX A.09.05 9000/712
-
-SSLeay 0.6.6 14-Jan-1997
-built on Tue Jan 14 16:36:31 WET 1997
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) 
-blowfish(idx)
-C flags:cc -DB_ENDIAN -D_HPUX_SOURCE -Aa +ESlit +O2 -Wl,-a,archive
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                66.56k      184.92k      251.82k      259.86k      282.62k
-md5               615.54k     2805.92k     4764.30k     5724.21k     6084.39k
-sha               358.23k     1616.46k     2781.50k     3325.72k     3640.89k
-sha1              327.50k     1497.98k     2619.44k     3220.26k     3460.85k
-rc4              3500.47k     3890.99k     3943.81k     3883.74k     3900.02k
-des cbc           742.65k      871.66k      887.15k      891.21k      895.40k
-des ede3          302.42k      322.50k      324.46k      326.66k      326.05k
-idea cbc          664.41k      755.87k      765.61k      772.70k      773.69k
-rc2 cbc           798.78k      931.04k      947.69k      950.31k      952.04k
-blowfish cbc     1353.32k     1932.29k     2021.93k     2047.02k     2053.66k
-rsa  512 bits   0.059s
-rsa 1024 bits   0.372s
-rsa 2048 bits   2.697s
-rsa 4096 bits  20.790s
-
-SSLeay 0.6.6 14-Jan-1997
-built on Tue Jan 14 15:37:30 WET 1997
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) 
-blowfish(idx)
-C flags:gcc -DB_ENDIAN -O3
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                44.91k      122.57k      167.71k      183.89k      190.24k
-md5               532.50k     2316.27k     3965.72k     4740.11k     5055.06k
-sha               363.76k     1684.09k     2978.53k     3730.86k     3972.72k
-sha1              385.76k     1743.53k     2997.69k     3650.74k     3899.08k
-rc4              3178.84k     3621.31k     3672.71k     3684.01k     3571.54k
-des cbc           733.00k      844.70k      863.28k      863.72k      868.73k
-des ede3          289.99k      308.94k      310.11k      309.64k      312.08k
-idea cbc          624.07k      713.91k      724.76k      723.35k      725.13k
-rc2 cbc           704.34k      793.39k      804.25k      805.99k      782.63k
-blowfish cbc     1371.24k     1823.66k     1890.05k     1915.51k     1920.12k
-rsa  512 bits   0.030s
-rsa 1024 bits   0.156s
-rsa 2048 bits   1.113s
-rsa 4096 bits   7.480s
-
-
-HPUX B.10.01 V 9000/887 - HP92453-01 A.10.11 HP C Compiler
-SSLeay 0.5.2 - -Aa +ESlit +Oall +O4 -Wl,-a,archive
-
-HPUX A.09.04 B 9000/887
-
-ssleay 0.5.1 gcc v 2.7.0 -O3 -mpa-risc-1-1
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             53.00k      166.81k      205.66k      241.95k      242.20k
-md5            743.22k     3128.44k     6031.85k     6142.07k     7025.26k
-sha            481.30k     2008.24k     3361.31k     3985.07k     4180.74k
-sha-1          463.60k     1916.15k     3139.24k     3786.27k     3997.70k
-rc4           3708.61k     4125.16k     4547.53k     4206.21k     4390.07k
-des cfb        665.91k      705.97k      698.48k      694.25k      666.08k
-des cbc        679.80k      741.90k      769.85k      747.62k      719.47k
-des ede3       264.31k      270.22k      265.63k      273.07k      273.07k
-idea cfb       635.91k      673.40k      605.60k      699.53k      672.36k
-idea cbc       705.85k      774.63k      750.60k      715.83k      721.50k
-rsa  512 bits   0.066s
-rsa 1024 bits   0.372s
-rsa 2048 bits   2.177s
-rsa 4096 bits  16.230s
-
-HP92453-01 A.09.61 HP C Compiler
-ssleay 0.5.1 cc -Ae +ESlit +Oall -Wl,-a,archive
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             58.69k      163.30k      213.57k      230.40k      254.23k
-md5            608.60k     2596.82k     3871.43k     4684.10k     4763.88k
-sha            343.26k     1482.43k     2316.80k     2766.27k     2860.26k
-sha-1          319.15k     1324.13k     2106.03k     2527.82k     2747.95k
-rc4           2467.47k     3374.41k     3265.49k     3354.39k     3368.55k
-des cfb        812.05k      814.90k      851.20k      819.20k      854.56k
-des cbc        836.35k      994.06k      916.02k     1020.01k      988.14k
-des ede3       369.78k      389.15k      401.01k      382.94k      408.03k
-idea cfb       290.40k      298.06k      286.11k      296.92k      299.46k
-idea cbc       301.30k      297.72k      304.34k      300.10k      309.70k
-rsa  512 bits   0.350s
-rsa 1024 bits   2.635s
-rsa 2048 bits  19.930s
-
diff --git a/times/p2.w95 b/times/p2.w95
deleted file mode 100644
index 82d1e55..0000000
--- a/times/p2.w95
+++ /dev/null
@@ -1,22 +0,0 @@
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               235.90k      652.30k      893.36k      985.74k      985.74k
-mdc2              779.61k      816.81k      825.65k      816.01k      825.65k
-md5              2788.77k    13508.23k    24672.38k    30504.03k    33156.55k
-sha              1938.22k     8397.01k    14122.24k    16980.99k    18196.55k
-sha1             1817.29k     7832.50k    13168.93k    15738.48k    16810.84k
-rc4             15887.52k    21709.65k    22745.68k    22995.09k    22995.09k
-des cbc          4599.02k     5377.31k     5377.31k     5533.38k     5533.38k
-des ede3         1899.59k     2086.71k     2086.67k     2086.51k     2085.90k
-idea cbc         3350.08k     3934.62k     3979.42k     4017.53k     4017.53k
-rc2 cbc          1534.13k     1630.76k     1625.70k     1644.83k     1653.91k
-blowfish cbc     6678.83k     8490.49k     8701.88k     8848.74k     8886.24k
-                  sign    verify
-rsa  512 bits   0.0062s   0.0008s
-rsa 1024 bits   0.0287s   0.0009s
-rsa 2048 bits   0.1785s   0.0059s
-rsa 4096 bits   1.1300s   0.0205s
-                  sign    verify
-dsa  512 bits   0.0055s   0.0100s
-dsa 1024 bits   0.0154s   0.0299s
-dsa 2048 bits   0.0502s   0.0996s
diff --git a/times/pent2.t b/times/pent2.t
deleted file mode 100644
index b6dc269..0000000
--- a/times/pent2.t
+++ /dev/null
@@ -1,24 +0,0 @@
-pentium 2, 266mhz, Visual C++ 5.0, Windows 95
-
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               235.90k      652.30k      893.36k      985.74k      985.74k
-mdc2              779.61k      816.81k      825.65k      816.01k      825.65k
-md5              2788.77k    13508.23k    24672.38k    30504.03k    33156.55k
-sha              1938.22k     8397.01k    14122.24k    16980.99k    18196.55k
-sha1             1817.29k     7832.50k    13168.93k    15738.48k    16810.84k
-rc4             15887.52k    21709.65k    22745.68k    22995.09k    22995.09k
-des cbc          4599.02k     5377.31k     5377.31k     5533.38k     5533.38k
-des ede3         1899.59k     2086.71k     2086.67k     2086.51k     2085.90k
-idea cbc         3350.08k     3934.62k     3979.42k     4017.53k     4017.53k
-rc2 cbc          1534.13k     1630.76k     1625.70k     1644.83k     1653.91k
-blowfish cbc     6678.83k     8490.49k     8701.88k     8848.74k     8886.24k
-                  sign    verify
-rsa  512 bits   0.0062s   0.0008s
-rsa 1024 bits   0.0287s   0.0009s
-rsa 2048 bits   0.1785s   0.0059s
-rsa 4096 bits   1.1300s   0.0205s
-                  sign    verify
-dsa  512 bits   0.0055s   0.0100s
-dsa 1024 bits   0.0154s   0.0299s
-dsa 2048 bits   0.0502s   0.0996s
diff --git a/times/readme b/times/readme
deleted file mode 100644
index 7074f58..0000000
--- a/times/readme
+++ /dev/null
@@ -1,11 +0,0 @@
-The 'times' in this directory are not all for the most recent version of
-the library and it should be noted that on some CPUs (specifically sparc
-and Alpha), the locations of files in the application after linking can
-make upto a %10 speed difference when running benchmarks on things like
-cbc mode DES.  To put it mildly this can be very anoying.
-
-About the only way to get around this would be to compile the library as one
-object file, or to 'include' the source files in a specific order.
-
-The best way to get an idea of the 'raw' DES speed is to build the 
-'speed' program in crypto/des.
diff --git a/times/s586-100.lnx b/times/s586-100.lnx
deleted file mode 100644
index cbc3e3c..0000000
--- a/times/s586-100.lnx
+++ /dev/null
@@ -1,25 +0,0 @@
-Shared library build
-
-SSLeay 0.7.3 30-Apr-1997
-built on Tue May 13 03:43:56 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:-DTERMIO -O3 -DL_ENDIAN -fomit-frame-pointer -m486 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                68.95k      191.40k      258.22k      283.31k      291.21k
-md5               627.37k     3064.75k     5370.15k     6765.91k     7255.38k
-sha               323.35k     1431.32k     2417.07k     2916.69k     3102.04k
-sha1              298.08k     1318.34k     2228.82k     2694.83k     2864.47k
-rc4              3404.13k     4026.33k     4107.43k     4136.28k     4117.85k
-des cbc          1414.60k     1782.53k     1824.24k     1847.64k     1840.47k
-des ede3          588.36k      688.19k      700.33k      702.46k      704.51k
-idea cbc          582.96k      636.71k      641.54k      642.39k      642.30k
-rc2 cbc           569.34k      612.37k      617.64k      617.47k      619.86k
-blowfish cbc     2015.77k     2534.49k     2609.65k     2607.10k     2615.98k
-rsa  512 bits   0.027s   0.003
-rsa 1024 bits   0.128s   0.003
-rsa 2048 bits   0.779s   0.027
-rsa 4096 bits   5.450s   0.098
-dsa  512 bits   0.024s   0.045
-dsa 1024 bits   0.068s   0.132
-dsa 2048 bits   0.231s   0.469
diff --git a/times/s586-100.nt b/times/s586-100.nt
deleted file mode 100644
index 8e3baf6..0000000
--- a/times/s586-100.nt
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3 30-Apr-1997
-built on Mon May 19 10:47:38 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags not available
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                90.26k      248.57k      335.06k      366.09k      376.64k
-md5               863.95k     4205.24k     7628.78k     9582.60k    10290.25k
-sha               463.93k     2102.51k     3623.28k     4417.85k     4695.29k
-sha1              458.23k     2005.88k     3385.78k     4094.00k     4340.13k
-rc4              5843.60k     7543.71k     7790.31k     7836.89k     7791.47k
-des cbc          1583.95k     1910.67k     1960.69k     1972.12k     1946.13k
-des ede3          654.79k      722.60k      740.97k      745.82k      738.27k
-idea cbc          792.04k      876.96k      887.35k      892.63k      890.36k
-rc2 cbc           603.50k      652.38k      661.85k      662.69k      661.44k
-blowfish cbc     2379.88k     3043.76k     3153.61k     3153.61k     3134.76k
-rsa  512 bits   0.022s   0.003
-rsa 1024 bits   0.111s   0.003
-rsa 2048 bits   0.716s   0.025
-rsa 4096 bits   5.188s   0.094
-dsa  512 bits   0.020s   0.039
-dsa 1024 bits   0.062s   0.124
-dsa 2048 bits   0.221s   0.441
diff --git a/times/sgi.t b/times/sgi.t
deleted file mode 100644
index 7963610..0000000
--- a/times/sgi.t
+++ /dev/null
@@ -1,29 +0,0 @@
-SGI Challenge R4400 200mhz IRIX 5.3 - gcc (2.6.3)
-SSLeay 0.6.1 02-Jul-1996
-built on Tue Jul  2 16:25:30 EST 1996
-options:bn(64,32) md2(char) rc4(idx,char) des(idx,long) idea(int)
-C flags:gcc -O2 -mips2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             96.53k      266.70k      360.09k      393.70k      405.07k
-md5            971.15k     4382.56k     7406.90k     8979.99k     9559.18k
-sha            596.86k     2832.26k     4997.30k     6277.75k     6712.89k
-sha1           578.34k     2630.16k     4632.05k     5684.34k     6083.37k
-rc4           5641.12k     6821.76k     6996.13k     7052.61k     6913.32k
-des cfb       1354.86k     1422.11k     1434.58k     1433.24k     1432.89k
-des cbc       1467.13k     1618.92k     1630.08k     1637.00k     1629.62k
-des ede3       566.13k      591.91k      596.86k      596.18k      592.54k
-idea cfb      1190.60k     1264.49k     1270.38k     1267.84k     1272.37k
-idea cbc      1271.45k     1410.37k     1422.49k     1426.46k     1421.73k
-rc2 cfb       1285.73k     1371.40k     1380.92k     1383.13k     1379.23k
-rc2 cbc       1386.61k     1542.10k     1562.49k     1572.45k     1567.93k
-rsa  512 bits   0.018s
-rsa 1024 bits   0.106s
-rsa 2048 bits   0.738s
-rsa 4096 bits   5.535s
-
-version:SSLeay 0.5.2c 15-May-1996
-rsa  512 bits   0.035s
-rsa 1024 bits   0.204s
-rsa 2048 bits   1.423s
-rsa 4096 bits  10.800s
diff --git a/times/sparc.t b/times/sparc.t
deleted file mode 100644
index 1611f76..0000000
--- a/times/sparc.t
+++ /dev/null
@@ -1,26 +0,0 @@
-gcc 2.7.2
-Sparc 10 - Solaris 2.3 - 50mhz
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 00:55:51 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
-C flags:gcc -O3 -fomit-frame-pointer -mv8 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                54.88k      154.52k      210.35k      231.08k      237.21k
-md5               550.75k     2460.49k     4116.01k     4988.74k     5159.86k
-sha               340.28k     1461.76k     2430.10k     2879.87k     2999.15k
-sha1              307.27k     1298.41k     2136.26k     2540.07k     2658.28k
-rc4              2652.21k     2805.24k     3301.63k     4003.98k     4071.18k
-des cbc           811.78k      903.93k      914.19k      921.60k      932.29k
-des ede3          328.21k      344.93k      349.64k      351.48k      345.07k
-idea cbc          685.06k      727.42k      734.41k      730.11k      739.21k
-rc2 cbc           718.59k      777.02k      781.96k      784.38k      782.60k
-blowfish cbc     1268.85k     1520.64k     1568.88k     1587.54k     1591.98k
-rsa  512 bits   0.037s   0.005
-rsa 1024 bits   0.213s   0.006
-rsa 2048 bits   1.471s   0.053
-rsa 4096 bits  11.100s   0.202
-dsa  512 bits   0.038s   0.074
-dsa 1024 bits   0.128s   0.248
-dsa 2048 bits   0.473s   0.959
-
diff --git a/times/sparc2 b/times/sparc2
deleted file mode 100644
index 4b0dd80..0000000
--- a/times/sparc2
+++ /dev/null
@@ -1,21 +0,0 @@
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                14.56k       40.25k       54.95k       60.13k       62.18k
-mdc2               53.59k       57.45k       58.11k       58.21k       58.51k
-md5               176.95k      764.75k     1270.36k     1520.14k     1608.36k
-hmac(md5)          55.88k      369.70k      881.15k     1337.05k     1567.40k
-sha1               92.69k      419.75k      723.63k      878.82k      939.35k
-rc4              1247.28k     1414.09k     1434.30k     1434.34k     1441.13k
-des cbc           284.41k      318.58k      323.07k      324.09k      323.87k
-des ede3          109.99k      119.99k      121.60k      121.87k      121.66k
-idea cbc           43.06k       43.68k       43.84k       43.64k       44.07k
-rc2 cbc           278.85k      311.44k      316.50k      316.57k      317.37k
-blowfish cbc      468.89k      569.35k      581.61k      568.34k      559.54k
-cast cbc          285.84k      338.79k      345.71k      346.19k      341.09k
-                  sign    verify
-rsa  512 bits   0.4175s   0.0519s
-rsa 1024 bits   2.9325s   0.1948s
-rsa 2048 bits  22.3600s   0.7669s
-		  sign    verify
-dsa  512 bits   0.5178s   1.0300s
-dsa 1024 bits   1.8780s   3.7167s
-dsa 2048 bits   7.3500s  14.4800s
diff --git a/times/sparcLX.t b/times/sparcLX.t
deleted file mode 100644
index 2fdaed7..0000000
--- a/times/sparcLX.t
+++ /dev/null
@@ -1,22 +0,0 @@
-Sparc Station LX
-SSLeay 0.7.3 30-Apr-1997
-built on Thu May  1 10:44:02 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
-C flags:gcc -O3 -fomit-frame-pointer -mv8 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                17.60k       48.72k       66.47k       72.70k       74.72k
-md5               226.24k     1082.21k     1982.72k     2594.02k     2717.01k
-sha                71.38k      320.71k      551.08k      677.76k      720.90k
-sha1               63.08k      280.79k      473.86k      576.94k      608.94k
-rc4              1138.30k     1257.67k     1304.49k     1377.78k     1364.42k
-des cbc           265.34k      308.85k      314.28k      315.39k      317.20k
-des ede3           83.23k       93.13k       94.04k       94.50k       94.63k
-idea cbc          254.48k      274.26k      275.88k      274.68k      275.80k
-rc2 cbc           328.27k      375.39k      381.43k      381.61k      380.83k
-blowfish cbc      487.00k      498.02k      510.12k      515.41k      516.10k
-rsa  512 bits   0.093s
-rsa 1024 bits   0.537s
-rsa 2048 bits   3.823s
-rsa 4096 bits  28.650s
-
diff --git a/times/usparc.t b/times/usparc.t
deleted file mode 100644
index 2215624..0000000
--- a/times/usparc.t
+++ /dev/null
@@ -1,25 +0,0 @@
-Sparc 2000? - Solaris 2.5.1 - 167mhz Ultra sparc
-
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 02:25:48 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) idea(int) blowfish(ptr)
-C flags:cc cc -xtarget=ultra -xarch=v8plus -Xa -xO5 -Xa -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               135.23k      389.87k      536.66k      591.87k      603.48k
-md5              1534.38k     6160.41k     9842.69k    11446.95k    11993.09k
-sha              1178.30k     5020.74k     8532.22k    10275.50k    11010.05k
-sha1             1114.22k     4703.94k     7703.81k     9236.14k     9756.67k
-rc4             10818.03k    13327.57k    13711.10k    13810.69k    13836.29k
-des cbc          3052.44k     3320.02k     3356.25k     3369.98k     3295.91k
-des ede3         1310.32k     1359.98k     1367.47k     1362.94k     1362.60k
-idea cbc         1749.52k     1833.13k     1844.74k     1848.32k     1848.66k
-rc2 cbc          1950.25k     2053.23k     2064.21k     2072.58k     2072.58k
-blowfish cbc     4927.16k     5659.75k     5762.73k     5797.55k     5805.40k
-rsa  512 bits   0.021s   0.003
-rsa 1024 bits   0.126s   0.003
-rsa 2048 bits   0.888s   0.032
-rsa 4096 bits   6.770s   0.122
-dsa  512 bits   0.022s   0.043
-dsa 1024 bits   0.076s   0.151
-dsa 2048 bits   0.286s   0.574
diff --git a/times/x86/bfs.cpp b/times/x86/bfs.cpp
deleted file mode 100644
index d74c457..0000000
--- a/times/x86/bfs.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/blowfish.h>
-
-void main(int argc,char *argv[])
-	{
-	BF_KEY key;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			BF_encrypt(&data[0],&key);
-			GetTSC(s1);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			GetTSC(e1);
-			GetTSC(s2);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			GetTSC(e2);
-			BF_encrypt(&data[0],&key);
-			}
-
-		printf("blowfish %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/casts.cpp b/times/x86/casts.cpp
deleted file mode 100644
index 7661191..0000000
--- a/times/x86/casts.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/cast.h>
-
-void main(int argc,char *argv[])
-	{
-	CAST_KEY key;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			CAST_encrypt(&data[0],&key);
-			GetTSC(s1);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			GetTSC(e1);
-			GetTSC(s2);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			GetTSC(e2);
-			CAST_encrypt(&data[0],&key);
-			}
-
-		printf("cast %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/des3s.cpp b/times/x86/des3s.cpp
deleted file mode 100644
index cd2b112..0000000
--- a/times/x86/des3s.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/des.h>
-
-void main(int argc,char *argv[])
-	{
-	des_key_schedule key1,key2,key3;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			des_encrypt3(&data[0],key1,key2,key3);
-			GetTSC(s1);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			GetTSC(e1);
-			GetTSC(s2);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			GetTSC(e2);
-			des_encrypt3(&data[0],key1,key2,key3);
-			}
-
-		printf("des3 %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/dess.cpp b/times/x86/dess.cpp
deleted file mode 100644
index 753e67a..0000000
--- a/times/x86/dess.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/des.h>
-
-void main(int argc,char *argv[])
-	{
-	des_key_schedule key;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			des_encrypt(&data[0],key,1);
-			GetTSC(s1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			GetTSC(e1);
-			GetTSC(s2);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			GetTSC(e2);
-			des_encrypt(&data[0],key,1);
-			}
-
-		printf("des %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/md4s.cpp b/times/x86/md4s.cpp
deleted file mode 100644
index c0ec97f..0000000
--- a/times/x86/md4s.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/md4.h>
-
-extern "C" {
-void md4_block_x86(MD4_CTX *ctx, unsigned char *buffer,int num);
-}
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[64*256];
-	MD4_CTX ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=0,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=16;
-	if (num > 250) num=16;
-	numm=num+2;
-	num*=64;
-	numm*=64;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			md4_block_x86(&ctx,buffer,numm);
-			GetTSC(s1);
-			md4_block_x86(&ctx,buffer,numm);
-			GetTSC(e1);
-			GetTSC(s2);
-			md4_block_x86(&ctx,buffer,num);
-			GetTSC(e2);
-			md4_block_x86(&ctx,buffer,num);
-			}
-		printf("md4 (%d bytes) %d %d (%.2f)\n",num,
-			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
-		}
-	}
-
diff --git a/times/x86/md5s.cpp b/times/x86/md5s.cpp
deleted file mode 100644
index dd343fd..0000000
--- a/times/x86/md5s.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/md5.h>
-
-extern "C" {
-void md5_block_x86(MD5_CTX *ctx, unsigned char *buffer,int num);
-}
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[64*256];
-	MD5_CTX ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=0,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=16;
-	if (num > 250) num=16;
-	numm=num+2;
-	num*=64;
-	numm*=64;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			md5_block_x86(&ctx,buffer,numm);
-			GetTSC(s1);
-			md5_block_x86(&ctx,buffer,numm);
-			GetTSC(e1);
-			GetTSC(s2);
-			md5_block_x86(&ctx,buffer,num);
-			GetTSC(e2);
-			md5_block_x86(&ctx,buffer,num);
-			}
-		printf("md5 (%d bytes) %d %d (%.2f)\n",num,
-			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
-		}
-	}
-
diff --git a/times/x86/rc4s.cpp b/times/x86/rc4s.cpp
deleted file mode 100644
index 3814fde..0000000
--- a/times/x86/rc4s.cpp
+++ /dev/null
@@ -1,73 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/rc4.h>
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[1024];
-	RC4_KEY ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=64,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=256;
-	if (num > 1024-16) num=1024-16;
-	numm=num+8;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			RC4(&ctx,numm,buffer,buffer);
-			GetTSC(s1);
-			RC4(&ctx,numm,buffer,buffer);
-			GetTSC(e1);
-			GetTSC(s2);
-			RC4(&ctx,num,buffer,buffer);
-			GetTSC(e2);
-			RC4(&ctx,num,buffer,buffer);
-			}
-
-		printf("RC4 (%d bytes) %d %d (%d) - 8 bytes\n",num,
-			e1-s1,e2-s2,(e1-s1)-(e2-s2));
-		}
-	}
-
diff --git a/times/x86/sha1s.cpp b/times/x86/sha1s.cpp
deleted file mode 100644
index 3103e18..0000000
--- a/times/x86/sha1s.cpp
+++ /dev/null
@@ -1,79 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/sha.h>
-
-extern "C" {
-void sha1_block_x86(SHA_CTX *ctx, unsigned char *buffer,int num);
-}
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[64*256];
-	SHA_CTX ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=0,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=16;
-	if (num > 250) num=16;
-	numm=num+2;
-	num*=64;
-	numm*=64;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			sha1_block_x86(&ctx,buffer,numm);
-			GetTSC(s1);
-			sha1_block_x86(&ctx,buffer,numm);
-			GetTSC(e1);
-			GetTSC(s2);
-			sha1_block_x86(&ctx,buffer,num);
-			GetTSC(e2);
-			sha1_block_x86(&ctx,buffer,num);
-			}
-
-		printf("sha1 (%d bytes) %d %d (%.2f)\n",num,
-			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
-		}
-	}
-

From rsalz at openssl.org  Sun Aug 30 20:41:03 2015
From: rsalz at openssl.org (Rich Salz)
Date: Sun, 30 Aug 2015 20:41:03 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1440967263.032452.3812.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  f21fb858d313909221fdafb26383794bc587f71d (commit)
      from  c8491de393639dbc4508306b7dbedb3872b74293 (commit)


- Log -----------------------------------------------------------------
commit f21fb858d313909221fdafb26383794bc587f71d
Author: Rich Salz <rsalz at akamai.com>
Date:   Fri Aug 28 17:49:30 2015 -0400

    Remove the "times" directory.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (cherry picked from commit 9db0c91c39fb548c36d6c3c944f50d4c068eefb7)

-----------------------------------------------------------------------

Summary of changes:
 times/090/586-100.nt   | 32 -------------------
 times/091/486-50.nt    | 30 ------------------
 times/091/586-100.lnx  | 32 -------------------
 times/091/68000.bsd    | 32 -------------------
 times/091/686-200.lnx  | 32 -------------------
 times/091/alpha064.osf | 32 -------------------
 times/091/alpha164.lnx | 32 -------------------
 times/091/alpha164.osf | 31 ------------------
 times/091/mips-rel.pl  | 21 ------------
 times/091/r10000.irx   | 37 ----------------------
 times/091/r3000.ult    | 32 -------------------
 times/091/r4400.irx    | 32 -------------------
 times/100.lnx          | 32 -------------------
 times/100.nt           | 29 -----------------
 times/200.lnx          | 30 ------------------
 times/486-66.dos       | 22 -------------
 times/486-66.nt        | 22 -------------
 times/486-66.w31       | 23 --------------
 times/5.lnx            | 29 -----------------
 times/586-085i.nt      | 29 -----------------
 times/586-100.LN3      | 26 ---------------
 times/586-100.NT2      | 26 ---------------
 times/586-100.dos      | 24 --------------
 times/586-100.ln4      | 26 ---------------
 times/586-100.lnx      | 23 --------------
 times/586-100.nt       | 23 --------------
 times/586-100.ntx      | 30 ------------------
 times/586-100.w31      | 27 ----------------
 times/586-1002.lnx     | 26 ---------------
 times/586p-100.lnx     | 26 ---------------
 times/686-200.bsd      | 25 ---------------
 times/686-200.lnx      | 26 ---------------
 times/686-200.nt       | 24 --------------
 times/L1               | 27 ----------------
 times/R10000.t         | 24 --------------
 times/R4400.t          | 26 ---------------
 times/aix.t            | 34 --------------------
 times/aixold.t         | 23 --------------
 times/alpha.t          | 81 -----------------------------------------------
 times/alpha400.t       | 25 ---------------
 times/cyrix100.lnx     | 22 -------------
 times/dgux-x86.t       | 23 --------------
 times/dgux.t           | 17 ----------
 times/hpux-acc.t       | 25 ---------------
 times/hpux-kr.t        | 23 --------------
 times/hpux.t           | 86 --------------------------------------------------
 times/p2.w95           | 22 -------------
 times/pent2.t          | 24 --------------
 times/readme           | 11 -------
 times/s586-100.lnx     | 25 ---------------
 times/s586-100.nt      | 23 --------------
 times/sgi.t            | 29 -----------------
 times/sparc.t          | 26 ---------------
 times/sparc2           | 21 ------------
 times/sparcLX.t        | 22 -------------
 times/usparc.t         | 25 ---------------
 times/x86/bfs.cpp      | 67 ---------------------------------------
 times/x86/casts.cpp    | 67 ---------------------------------------
 times/x86/des3s.cpp    | 67 ---------------------------------------
 times/x86/dess.cpp     | 67 ---------------------------------------
 times/x86/md4s.cpp     | 78 ---------------------------------------------
 times/x86/md5s.cpp     | 78 ---------------------------------------------
 times/x86/rc4s.cpp     | 73 ------------------------------------------
 times/x86/sha1s.cpp    | 79 ----------------------------------------------
 64 files changed, 2163 deletions(-)
 delete mode 100644 times/090/586-100.nt
 delete mode 100644 times/091/486-50.nt
 delete mode 100644 times/091/586-100.lnx
 delete mode 100644 times/091/68000.bsd
 delete mode 100644 times/091/686-200.lnx
 delete mode 100644 times/091/alpha064.osf
 delete mode 100644 times/091/alpha164.lnx
 delete mode 100644 times/091/alpha164.osf
 delete mode 100644 times/091/mips-rel.pl
 delete mode 100644 times/091/r10000.irx
 delete mode 100644 times/091/r3000.ult
 delete mode 100644 times/091/r4400.irx
 delete mode 100644 times/100.lnx
 delete mode 100644 times/100.nt
 delete mode 100644 times/200.lnx
 delete mode 100644 times/486-66.dos
 delete mode 100644 times/486-66.nt
 delete mode 100644 times/486-66.w31
 delete mode 100644 times/5.lnx
 delete mode 100644 times/586-085i.nt
 delete mode 100644 times/586-100.LN3
 delete mode 100644 times/586-100.NT2
 delete mode 100644 times/586-100.dos
 delete mode 100644 times/586-100.ln4
 delete mode 100644 times/586-100.lnx
 delete mode 100644 times/586-100.nt
 delete mode 100644 times/586-100.ntx
 delete mode 100644 times/586-100.w31
 delete mode 100644 times/586-1002.lnx
 delete mode 100644 times/586p-100.lnx
 delete mode 100644 times/686-200.bsd
 delete mode 100644 times/686-200.lnx
 delete mode 100644 times/686-200.nt
 delete mode 100644 times/L1
 delete mode 100644 times/R10000.t
 delete mode 100644 times/R4400.t
 delete mode 100644 times/aix.t
 delete mode 100644 times/aixold.t
 delete mode 100644 times/alpha.t
 delete mode 100644 times/alpha400.t
 delete mode 100644 times/cyrix100.lnx
 delete mode 100644 times/dgux-x86.t
 delete mode 100644 times/dgux.t
 delete mode 100644 times/hpux-acc.t
 delete mode 100644 times/hpux-kr.t
 delete mode 100644 times/hpux.t
 delete mode 100644 times/p2.w95
 delete mode 100644 times/pent2.t
 delete mode 100644 times/readme
 delete mode 100644 times/s586-100.lnx
 delete mode 100644 times/s586-100.nt
 delete mode 100644 times/sgi.t
 delete mode 100644 times/sparc.t
 delete mode 100644 times/sparc2
 delete mode 100644 times/sparcLX.t
 delete mode 100644 times/usparc.t
 delete mode 100644 times/x86/bfs.cpp
 delete mode 100644 times/x86/casts.cpp
 delete mode 100644 times/x86/des3s.cpp
 delete mode 100644 times/x86/dess.cpp
 delete mode 100644 times/x86/md4s.cpp
 delete mode 100644 times/x86/md5s.cpp
 delete mode 100644 times/x86/rc4s.cpp
 delete mode 100644 times/x86/sha1s.cpp

diff --git a/times/090/586-100.nt b/times/090/586-100.nt
deleted file mode 100644
index 297ec3e..0000000
--- a/times/090/586-100.nt
+++ /dev/null
@@ -1,32 +0,0 @@
-SSLeay 0.9.0 08-Apr-1998
-built on Wed Apr  8 12:47:17 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(
-ptr2)
-C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN
--DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 92.25k      256.80k      347.01k      380.40k      390.31k
-mdc2               240.72k      251.10k      252.00k      250.80k      251.40k
-md5               1013.61k     5651.94k    11831.61k    16294.89k    17901.43k
-hmac(md5)          419.50k     2828.07k     7770.11k    13824.34k    17091.70k
-sha1               524.31k     2721.45k     5216.15k     6766.10k     7308.42k
-rmd160             462.09k     2288.59k     4260.77k     5446.44k     5841.65k
-rc4               7895.90k    10326.73k    10555.43k    10728.22k    10429.44k
-des cbc           2036.86k     2208.92k     2237.68k     2237.20k     2181.35k
-des ede3           649.92k      739.42k      749.07k      748.86k      738.27k
-idea cbc           823.19k      885.10k      894.92k      896.45k      891.87k
-rc2 cbc            792.63k      859.00k      867.45k      868.96k      865.30k
-rc5-32/12 cbc     3502.26k     4026.79k     4107.23k     4121.76k     4073.72k
-blowfish cbc      3752.96k     4026.79k     4075.31k     3965.87k     3892.26k
-cast cbc          2566.27k     2807.43k     2821.79k     2792.48k     2719.34k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0179s   0.0020s     56.0    501.7
-rsa 1024 bits   0.0950s   0.0060s     10.5    166.6
-rsa 2048 bits   0.6299s   0.0209s      1.6     47.8
-rsa 4096 bits   4.5870s   0.0787s      0.2     12.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0180s   0.0339s     55.6     29.5
-dsa 1024 bits   0.0555s   0.1076s     18.0      9.3
-dsa 2048 bits   0.1971s   0.3918s      5.1      2.6
-
diff --git a/times/091/486-50.nt b/times/091/486-50.nt
deleted file mode 100644
index 84820d9..0000000
--- a/times/091/486-50.nt
+++ /dev/null
@@ -1,30 +0,0 @@
-486-50 NT 4.0
-
-SSLeay 0.9.1a 06-Jul-1998
-built on Sat Jul 18 18:03:20 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags:cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 28.77k       80.30k      108.50k      118.98k      122.47k
-mdc2                51.52k       54.06k       54.54k       54.65k       54.62k
-md5                304.39k     1565.04k     3061.54k     3996.10k     4240.10k
-hmac(md5)          119.53k      793.23k     2061.29k     3454.95k     4121.76k
-sha1               127.51k      596.93k     1055.54k     1313.84k     1413.18k
-rmd160             128.50k      572.49k     1001.03k     1248.01k     1323.63k
-rc4               1224.40k     1545.11k     1590.29k     1600.20k     1576.90k
-des cbc            448.19k      503.45k      512.30k      513.30k      508.23k
-des ede3           148.66k      162.48k      163.68k      163.94k      164.24k
-idea cbc           194.18k      211.10k      212.99k      213.18k      212.64k
-rc2 cbc            245.78k      271.01k      274.12k      274.38k      273.52k
-rc5-32/12 cbc     1252.48k     1625.20k     1700.03k     1711.12k     1677.18k
-blowfish cbc       725.16k      828.26k      850.01k      846.99k      833.79k
-cast cbc           643.30k      717.22k      739.48k      741.57k      735.33k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0904s   0.0104s     11.1     96.2
-rsa 1024 bits   0.5968s   0.0352s      1.7     28.4
-rsa 2048 bits   3.8860s   0.1017s      0.3      9.8
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.1006s   0.1249s      9.9      8.0
-dsa 1024 bits   0.3306s   0.4093s      3.0      2.4
-dsa 2048 bits   0.9454s   1.1707s      1.1      0.9
diff --git a/times/091/586-100.lnx b/times/091/586-100.lnx
deleted file mode 100644
index 92892a6..0000000
--- a/times/091/586-100.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-Pentium 100mhz, linux
-
-SSLeay 0.9.0a 14-Apr-1998
-built on Fri Apr 17 08:47:07 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 56.65k      153.88k      208.47k      229.03k      237.57k
-mdc2               189.59k      204.95k      206.93k      208.90k      209.56k
-md5               1019.48k     5882.41k    12085.42k    16376.49k    18295.47k
-hmac(md5)          415.86k     2887.85k     7891.29k    13894.66k    17446.23k
-sha1               540.68k     2791.96k     5289.30k     6813.01k     7432.87k
-rmd160             298.37k     1846.87k     3869.10k     5273.94k     5892.78k
-rc4               7870.87k    10438.10k    10857.13k    10729.47k    10788.86k
-des cbc           1960.60k     2226.37k     2241.88k     2054.83k     2181.80k
-des ede3           734.44k      739.69k      779.43k      750.25k      772.78k
-idea cbc           654.07k      711.00k      716.89k      718.51k      720.90k
-rc2 cbc            648.83k      701.91k      708.61k      708.95k      709.97k
-rc5-32/12 cbc     3504.71k     4054.76k     4131.41k     4105.56k     4134.23k
-blowfish cbc      3762.25k     4313.79k     4460.54k     4356.78k     4317.18k
-cast cbc          2755.01k     3038.91k     3076.44k     3027.63k     2998.27k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0195s   0.0019s     51.4    519.9
-rsa 1024 bits   0.1000s   0.0059s     10.0    168.2
-rsa 2048 bits   0.6406s   0.0209s      1.6     47.8
-rsa 4096 bits   4.6100s   0.0787s      0.2     12.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0188s   0.0360s     53.1     27.8
-dsa 1024 bits   0.0570s   0.1126s     17.5      8.9
-dsa 2048 bits   0.1990s   0.3954s      5.0      2.5
-
diff --git a/times/091/68000.bsd b/times/091/68000.bsd
deleted file mode 100644
index a3a14e8..0000000
--- a/times/091/68000.bsd
+++ /dev/null
@@ -1,32 +0,0 @@
-Motorolla 68020 20mhz, NetBSD
-
-SSLeay 0.9.0t 29-May-1998
-built on Fri Jun  5 12:42:23 EST 1998
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,16,long) idea(int) blowfish(idx) 
-C flags:gcc -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               2176.00      5994.67      8079.73      8845.18      9077.01 
-mdc2              5730.67      6122.67      6167.66      6176.51      6174.87 
-md5                 29.10k      127.31k      209.66k      250.50k      263.99k
-hmac(md5)           12.33k       73.02k      160.17k      228.04k      261.15k
-sha1                11.27k       49.37k       84.31k      102.40k      109.23k
-rmd160              11.69k       48.62k       78.76k       93.15k       98.41k
-rc4                117.96k      148.94k      152.57k      153.09k      152.92k
-des cbc             27.13k       30.06k       30.38k       30.38k       30.53k
-des ede3            10.51k       10.94k       11.01k       11.01k       11.01k
-idea cbc            26.74k       29.23k       29.45k       29.60k       29.74k
-rc2 cbc             34.27k       39.39k       40.03k       40.07k       40.16k
-rc5-32/12 cbc       64.31k       83.18k       85.70k       86.70k       87.09k
-blowfish cbc        48.86k       59.18k       60.07k       60.42k       60.78k
-cast cbc            42.67k       50.01k       50.86k       51.20k       51.37k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.7738s   0.0774s      1.3     12.9
-rsa 1024 bits   4.3967s   0.2615s      0.2      3.8
-rsa 2048 bits  29.5200s   0.9664s      0.0      1.0
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.7862s   0.9709s      1.3      1.0
-dsa 1024 bits   2.5375s   3.1625s      0.4      0.3
-dsa 2048 bits   9.2150s  11.8200s      0.1      0.1
-
-
diff --git a/times/091/686-200.lnx b/times/091/686-200.lnx
deleted file mode 100644
index bb857d4..0000000
--- a/times/091/686-200.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-Pentium Pro 200mhz, linux
-
-SSLeay 0.9.0d 26-Apr-1998
-built on Sun Apr 26 10:25:33 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                130.58k      364.54k      499.24k      545.79k      561.66k
-mdc2               526.68k      579.72k      588.37k      588.80k      589.82k
-md5               1917.71k    11434.69k    22512.21k    29495.30k    32677.89k
-hmac(md5)          749.18k     5264.83k    14227.20k    25018.71k    31760.38k
-sha1              1343.83k     6436.29k    11702.78k    14664.70k    15829.67k
-rmd160            1038.05k     5138.77k     8985.51k    10985.13k    11799.21k
-rc4              14891.04k    21334.06k    22376.79k    22579.54k    22574.42k
-des cbc           4131.97k     4568.31k     4645.29k     4631.21k     4572.73k
-des ede3          1567.17k     1631.13k     1657.32k     1653.08k     1643.86k
-idea cbc          2427.23k     2671.21k     2716.67k     2723.84k     2733.40k
-rc2 cbc           1629.90k     1767.38k     1788.50k     1797.12k     1799.51k
-rc5-32/12 cbc    10290.55k    13161.60k    13744.55k    14011.73k    14123.01k
-blowfish cbc      5896.42k     6920.77k     7122.01k     7151.62k     7146.15k
-cast cbc          6037.71k     6935.19k     7101.35k     7145.81k     7116.12k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0070s   0.0007s    142.6   1502.9
-rsa 1024 bits   0.0340s   0.0019s     29.4    513.3
-rsa 2048 bits   0.2087s   0.0066s      4.8    151.3
-rsa 4096 bits   1.4700s   0.0242s      0.7     41.2
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0064s   0.0121s    156.1     82.9
-dsa 1024 bits   0.0184s   0.0363s     54.4     27.5
-dsa 2048 bits   0.0629s   0.1250s     15.9      8.0
-
diff --git a/times/091/alpha064.osf b/times/091/alpha064.osf
deleted file mode 100644
index a8e7fdf..0000000
--- a/times/091/alpha064.osf
+++ /dev/null
@@ -1,32 +0,0 @@
-Alpha EV4.5 (21064) 275mhz, OSF1 V4.0
-SSLeay 0.9.0g 01-May-1998
-built on Mon May  4 17:26:09 CST 1998
-options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx) 
-C flags:cc -tune host -O4 -readonly_strings
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                119.58k      327.48k      443.28k      480.09k      495.16k
-mdc2               436.67k      456.35k      465.42k      466.57k      469.01k
-md5               1459.34k     6566.46k    11111.91k    13375.30k    14072.60k
-hmac(md5)          597.90k     3595.45k     8180.88k    12099.49k    13884.46k
-sha1               707.01k     3253.09k     6131.73k     7798.23k     8439.67k
-rmd160             618.57k     2729.07k     4711.33k     5825.16k     6119.23k
-rc4               8796.43k     9393.62k     9548.88k     9378.77k     9472.57k
-des cbc           2165.97k     2514.90k     2586.27k     2572.93k     2639.08k
-des ede3           945.44k     1004.03k     1005.96k     1017.33k     1020.85k
-idea cbc          1498.81k     1629.11k     1637.28k     1625.50k     1641.11k
-rc2 cbc           1866.00k     2044.92k     2067.12k     2064.00k     2068.96k
-rc5-32/12 cbc     4366.97k     5521.32k     5687.50k     5729.16k     5736.96k
-blowfish cbc      3997.31k     4790.60k     4937.84k     4954.56k     5024.85k
-cast cbc          2900.19k     3673.30k     3803.73k     3823.93k     3890.25k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0069s   0.0006s    144.2   1545.8
-rsa 1024 bits   0.0304s   0.0018s     32.9    552.6
-rsa 2048 bits   0.1887s   0.0062s      5.3    161.4
-rsa 4096 bits   1.3667s   0.0233s      0.7     42.9
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0067s   0.0123s    149.6     81.1
-dsa 1024 bits   0.0177s   0.0332s     56.6     30.1
-dsa 2048 bits   0.0590s   0.1162s     16.9      8.6
-
-
diff --git a/times/091/alpha164.lnx b/times/091/alpha164.lnx
deleted file mode 100644
index c994662..0000000
--- a/times/091/alpha164.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-Alpha EV5.6 (21164A) 533mhz, Linux 2.0.32
-
-SSLeay 0.9.0p 22-May-1998
-built on Sun May 27 14:23:38 GMT 2018
-options:bn(64,64) md2(int) rc4(ptr,int) des(idx,risc1,16,long) idea(int) blowfish(idx) 
-C flags:gcc -O3
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                295.78k      825.34k     1116.42k     1225.10k     1262.65k
-mdc2               918.16k     1017.55k     1032.18k     1034.24k     1035.60k
-md5               3574.93k    15517.05k    25482.67k    30434.31k    32210.51k
-hmac(md5)         1261.54k     7757.15k    18025.46k    27081.21k    31653.27k
-sha1              2251.89k    10056.84k    16990.19k    20651.04k    21973.29k
-rmd160            1615.49k     7017.13k    11601.11k    13875.62k    14690.31k
-rc4              22435.16k    24476.40k    24349.95k    23042.36k    24581.53k
-des cbc           5198.38k     6559.04k     6775.43k     6827.87k     6875.82k
-des ede3          2257.73k     2602.18k     2645.60k     2657.12k     2670.59k
-idea cbc          3694.42k     4125.61k     4180.74k     4193.28k     4192.94k
-rc2 cbc           4642.47k     5323.85k     5415.42k     5435.86k     5434.03k
-rc5-32/12 cbc     9705.26k    13277.79k    13843.46k    13989.66k    13987.57k
-blowfish cbc      7861.28k    10852.34k    11447.98k    11616.97k    11667.54k
-cast cbc          6718.13k     8599.98k     8967.17k     9070.81k     9099.28k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0018s   0.0002s    555.9   6299.5
-rsa 1024 bits   0.0081s   0.0005s    123.3   2208.7
-rsa 2048 bits   0.0489s   0.0015s     20.4    648.5
-rsa 4096 bits   0.3402s   0.0057s      2.9    174.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0019s   0.0032s    529.0    310.2
-dsa 1024 bits   0.0047s   0.0086s    214.1    115.7
-dsa 2048 bits   0.0150s   0.0289s     66.7     34.6
-
diff --git a/times/091/alpha164.osf b/times/091/alpha164.osf
deleted file mode 100644
index df712c6..0000000
--- a/times/091/alpha164.osf
+++ /dev/null
@@ -1,31 +0,0 @@
-Alpha EV5.6 (21164A) 400mhz, OSF1 V4.0
-
-SSLeay 0.9.0 10-Apr-1998
-built on Sun Apr 19 07:54:37 EST 1998
-options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) idea(int) blowfish(idx) 
-C flags:cc -O4 -tune host -fast
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                276.30k      762.07k     1034.35k     1134.07k     1160.53k
-mdc2               814.99k      845.83k      849.09k      850.33k      849.24k
-md5               2468.43k    10945.27k    17963.48k    21430.89k    22544.38k
-hmac(md5)         1002.48k     6023.98k    13430.99k    19344.17k    22351.80k
-sha1              1984.93k     8882.47k    14856.47k    17878.70k    18955.10k
-rmd160            1286.96k     5595.52k     9167.00k    10957.74k    11582.30k
-rc4              15948.15k    16710.29k    16793.20k    17929.50k    18474.56k
-des cbc           3416.04k     4149.37k     4296.25k     4328.89k     4327.57k
-des ede3          1540.14k     1683.36k     1691.14k     1705.90k     1705.22k
-idea cbc          2795.87k     3192.93k     3238.13k     3238.17k     3256.66k
-rc2 cbc           3529.00k     4069.93k     4135.79k     4135.25k     4160.07k
-rc5-32/12 cbc     7212.35k     9849.71k    10260.91k    10423.38k    10439.99k
-blowfish cbc      6061.75k     8363.50k     8706.80k     8779.40k     8784.55k
-cast cbc          5401.75k     6433.31k     6638.18k     6662.40k     6702.80k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0022s   0.0002s    449.6   4916.2
-rsa 1024 bits   0.0105s   0.0006s     95.3   1661.2
-rsa 2048 bits   0.0637s   0.0020s     15.7    495.6
-rsa 4096 bits   0.4457s   0.0075s      2.2    132.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0028s   0.0048s    362.2    210.4
-dsa 1024 bits   0.0064s   0.0123s    155.2     81.6
-dsa 2048 bits   0.0201s   0.0394s     49.7     25.4
diff --git a/times/091/mips-rel.pl b/times/091/mips-rel.pl
deleted file mode 100644
index 4b25093..0000000
--- a/times/091/mips-rel.pl
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/local/bin/perl
-
-&doit(100,"Pentium   100 32",0.0195,0.1000,0.6406,4.6100);	# pentium-100
-&doit(200,"PPro      200 32",0.0070,0.0340,0.2087,1.4700);	# pentium-100
-&doit( 25,"R3000      25 32",0.0860,0.4825,3.2417,23.8833);	# R3000-25
-&doit(200,"R4400     200 32",0.0137,0.0717,0.4730,3.4367);	# R4400 32bit
-&doit(180,"R10000    180 32",0.0061,0.0311,0.1955,1.3871);	# R10000 32bit
-&doit(180,"R10000    180 64",0.0034,0.0149,0.0880,0.5933);	# R10000 64bit
-&doit(400,"DEC 21164 400 64",0.0022,0.0105,0.0637,0.4457);	# R10000 64bit
-
-sub doit
-	{
-	local($mhz,$label, at data)=@_;
-
-	for ($i=0; $i <= $#data; $i++)
-		{
-		$data[$i]=1/$data[$i]*200/$mhz;
-		}
-	printf("%s %6.1f %6.1f %6.1f %6.1f\n",$label, at data);
-	}
-
diff --git a/times/091/r10000.irx b/times/091/r10000.irx
deleted file mode 100644
index 237ee5d..0000000
--- a/times/091/r10000.irx
+++ /dev/null
@@ -1,37 +0,0 @@
-MIPS R10000 32kI+32kD 180mhz, IRIX 6.4
-
-Using crypto/bn/mips3.s
-
-This is built for n32, which is faster for all benchmarks than the n64
-compilation model
-
-SSLeay 0.9.0b 19-Apr-1998
-built on Sat Apr 25 12:43:14 EST 1998
-options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
-C flags:cc -use_readonly_const -O2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                126.38k      349.38k      472.67k      517.01k      529.81k
-mdc2               501.64k      545.87k      551.80k      553.64k      554.41k
-md5               1825.77k     7623.64k    12630.47k    15111.74k    16012.09k
-hmac(md5)          780.81k     4472.86k     9667.22k    13802.67k    15777.89k
-sha1              1375.52k     6213.91k    11037.30k    13682.01k    14714.09k
-rmd160             856.72k     3454.40k     5598.33k     6689.94k     7073.48k
-rc4              11260.93k    13311.50k    13360.05k    13322.17k    13364.39k
-des cbc           2770.78k     3055.42k     3095.18k     3092.48k     3103.03k
-des ede3          1023.22k     1060.58k     1063.81k     1070.37k     1064.54k
-idea cbc          3029.09k     3334.30k     3375.29k     3375.65k     3380.64k
-rc2 cbc           2307.45k     2470.72k     2501.25k     2500.68k     2500.55k
-rc5-32/12 cbc     6770.91k     8629.89k     8909.58k     9009.64k     9044.95k
-blowfish cbc      4796.53k     5598.20k     5717.14k     5755.11k     5749.86k
-cast cbc          3986.20k     4426.17k     4465.04k     4476.84k     4475.08k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0034s   0.0003s    296.1   3225.4
-rsa 1024 bits   0.0139s   0.0008s     71.8   1221.8
-rsa 2048 bits   0.0815s   0.0026s     12.3    380.3
-rsa 4096 bits   0.5656s   0.0096s      1.8    103.7
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0034s   0.0061s    290.8    164.9
-dsa 1024 bits   0.0084s   0.0161s    119.1     62.3
-dsa 2048 bits   0.0260s   0.0515s     38.5     19.4
-
diff --git a/times/091/r3000.ult b/times/091/r3000.ult
deleted file mode 100644
index ecd3390..0000000
--- a/times/091/r3000.ult
+++ /dev/null
@@ -1,32 +0,0 @@
-MIPS R3000 64kI+64kD 25mhz, ultrix 4.3
-
-SSLeay 0.9.0b 19-Apr-1998
-built on Thu Apr 23 07:22:31 EST 1998
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(idx) 
-C flags:cc -O2 -DL_ENDIAN -DNOPROTO -DNOCONST
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 14.63k       40.65k       54.70k       60.07k       61.78k
-mdc2                29.43k       37.27k       38.23k       38.57k       38.60k
-md5                140.04k      676.59k     1283.84k     1654.10k     1802.24k
-hmac(md5)           60.51k      378.90k      937.82k     1470.46k     1766.74k
-sha1                60.77k      296.79k      525.40k      649.90k      699.05k
-rmd160              48.82k      227.16k      417.19k      530.31k      572.05k
-rc4                904.76k      996.20k     1007.53k     1015.65k     1010.35k
-des cbc            178.87k      209.39k      213.42k      215.55k      214.53k
-des ede3            74.25k       79.30k       80.40k       80.21k       80.14k
-idea cbc           181.02k      209.37k      214.44k      214.36k      213.83k
-rc2 cbc            161.52k      184.98k      187.99k      188.76k      189.05k
-rc5-32/12 cbc      398.99k      582.91k      614.66k      626.07k      621.87k
-blowfish cbc       296.38k      387.69k      405.50k      412.57k      410.05k
-cast cbc           214.76k      260.63k      266.92k      268.63k      258.26k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0870s   0.0089s     11.5    112.4
-rsa 1024 bits   0.4881s   0.0295s      2.0     33.9
-rsa 2048 bits   3.2750s   0.1072s      0.3      9.3
-rsa 4096 bits  23.9833s   0.4093s      0.0      2.4
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0898s   0.1706s     11.1      5.9
-dsa 1024 bits   0.2847s   0.5565s      3.5      1.8
-dsa 2048 bits   1.0267s   2.0433s      1.0      0.5
-
diff --git a/times/091/r4400.irx b/times/091/r4400.irx
deleted file mode 100644
index 9b96ca1..0000000
--- a/times/091/r4400.irx
+++ /dev/null
@@ -1,32 +0,0 @@
-R4400 16kI+16kD 200mhz, Irix 5.3
-
-SSLeay 0.9.0e 27-Apr-1998
-built on Sun Apr 26 07:26:05 PDT 1998
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int) blowfish(ptr) 
-C flags:cc -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 79.80k      220.59k      298.01k      327.06k      338.60k
-mdc2               262.74k      285.30k      289.16k      288.36k      288.49k
-md5                930.35k     4167.13k     7167.91k     8678.23k     9235.86k
-hmac(md5)          399.44k     2367.57k     5370.74k     7884.28k     9076.98k
-sha1               550.96k     2488.17k     4342.76k     5362.50k     5745.40k
-rmd160             424.58k     1752.83k     2909.67k     3486.08k     3702.89k
-rc4               6687.79k     7834.63k     7962.61k     8035.65k     7915.28k
-des cbc           1544.20k     1725.94k     1748.35k     1758.17k     1745.61k
-des ede3           587.29k      637.75k      645.93k      643.17k      646.01k
-idea cbc          1575.52k     1719.75k     1732.41k     1736.69k     1740.11k
-rc2 cbc           1496.21k     1629.90k     1643.19k     1652.14k     1646.62k
-rc5-32/12 cbc     3452.48k     4276.47k     4390.74k     4405.25k     4400.12k
-blowfish cbc      2354.58k     3242.36k     3401.11k     3433.65k     3383.65k
-cast cbc          1942.22k     2152.28k     2187.51k     2185.67k     2177.20k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0130s   0.0014s     76.9    729.8
-rsa 1024 bits   0.0697s   0.0043s     14.4    233.9
-rsa 2048 bits   0.4664s   0.0156s      2.1     64.0
-rsa 4096 bits   3.4067s   0.0586s      0.3     17.1
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0140s   0.0261s     71.4     38.4
-dsa 1024 bits   0.0417s   0.0794s     24.0     12.6
-dsa 2048 bits   0.1478s   0.2929s      6.8      3.4
-
diff --git a/times/100.lnx b/times/100.lnx
deleted file mode 100644
index d0f4537..0000000
--- a/times/100.lnx
+++ /dev/null
@@ -1,32 +0,0 @@
-SSLeay 0.8.4c 03-Aug-1999
-built on Tue Nov  4 02:52:29 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                53.27k      155.95k      201.30k      216.41k      236.78k
-mdc2              192.98k      207.98k      206.76k      206.17k      208.87k
-md5               993.15k     5748.27k    11944.70k    16477.53k    18287.27k
-hmac(md5)         404.97k     2787.58k     7690.07k    13744.43k    17601.88k
-sha1              563.24k     2851.67k     5363.71k     6879.23k     7441.07k
-rc4              7876.70k    10400.85k    10825.90k    10943.49k    10745.17k
-des cbc          2047.39k     2188.25k     2188.29k     2239.49k     2233.69k
-des ede3          660.55k      764.01k      773.55k      779.21k      780.97k
-idea cbc          653.93k      708.48k      715.43k      719.87k      720.90k
-rc2 cbc           648.08k      702.23k      708.78k      711.00k      709.97k
-blowfish cbc     3764.39k     4288.66k     4375.04k     4497.07k     4423.68k
-cast cbc         2757.14k     2993.75k     3035.31k     3078.90k     3055.62k
-
-blowfish cbc     3258.81k     3673.47k     3767.30k     3774.12k     3719.17k
-cast cbc         2677.05k     3164.78k     3273.05k     3287.38k     3244.03k
-
-
-                  sign    verify
-rsa  512 bits   0.0213s   0.0020s
-rsa 1024 bits   0.1073s   0.0063s
-rsa 2048 bits   0.6873s   0.0224s
-rsa 4096 bits   4.9333s   0.0845s
-                  sign    verify
-dsa  512 bits   0.0201s   0.0385s
-dsa 1024 bits   0.0604s   0.1190s
-dsa 2048 bits   0.2121s   0.4229s
diff --git a/times/100.nt b/times/100.nt
deleted file mode 100644
index 0dd7cfc..0000000
--- a/times/100.nt
+++ /dev/null
@@ -1,29 +0,0 @@
-SSLeay 0.8.4c 03-Aug-1999
-built on Tue Aug  3 09:49:58 EST 1999
-options:bn(64,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(
-ptr2)
-C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DBN
-_ASM -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                93.07k      258.38k      349.03k      382.83k      392.87k
-mdc2              245.80k      259.02k      259.34k      259.16k      260.14k
-md5              1103.42k     6017.65k    12210.49k    16552.11k    18291.77k
-hmac(md5)         520.15k     3394.00k     8761.86k    14593.96k    17742.40k
-sha1              538.06k     2726.76k     5242.22k     6821.12k     7426.18k
-rc4              8283.90k    10513.09k    10886.38k    10929.50k    10816.75k
-des cbc          2073.10k     2232.91k     2251.61k     2256.46k     2232.44k
-des ede3          758.85k      782.46k      786.14k      786.08k      781.24k
-idea cbc          831.02k      892.63k      901.07k      903.48k      901.85k
-rc2 cbc           799.89k      866.09k      873.96k      876.22k      874.03k
-blowfish cbc     3835.32k     4418.78k     4511.94k     4494.54k     4416.92k
-cast cbc         2974.68k     3272.71k     3313.04k     3335.17k     3261.51k
-                  sign    verify
-rsa  512 bits   0.0202s   0.0019s
-rsa 1024 bits   0.1029s   0.0062s
-rsa 2048 bits   0.6770s   0.0220s
-rsa 4096 bits   4.8770s   0.0838s
-                  sign    verify
-dsa  512 bits   0.0191s   0.0364s
-dsa 1024 bits   0.0590s   0.1141s
-dsa 2048 bits   0.2088s   0.4171s
diff --git a/times/200.lnx b/times/200.lnx
deleted file mode 100644
index fd7e7f4..0000000
--- a/times/200.lnx
+++ /dev/null
@@ -1,30 +0,0 @@
-This machine was slightly loaded :-(
-
-SSLeay 0.8.4c 03-Aug-1999
-built on Tue Nov  4 02:52:29 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               130.86k      365.31k      499.60k      547.75k      561.41k
-mdc2              526.03k      581.38k      587.12k      586.31k      589.60k
-md5              1919.49k    11173.23k    22387.60k    29553.47k    32587.21k
-hmac(md5)         747.09k     5248.35k    14275.44k    24713.26k    31737.13k
-sha1             1336.63k     6400.50k    11668.67k    14648.83k    15700.85k
-rc4             15002.32k    21327.21k    22301.63k    22503.78k    22549.26k
-des cbc          4115.16k     4521.08k     4632.37k     4607.28k     4570.57k
-des ede3         1540.29k     1609.76k     1623.64k     1620.76k     1624.18k
-idea cbc         2405.08k     2664.78k     2704.22k     2713.95k     2716.29k
-rc2 cbc          1634.07k     1764.30k     1780.23k     1790.27k     1788.12k
-blowfish cbc     5993.98k     6927.27k     7083.61k     7088.40k     7123.72k
-cast cbc         5981.52k     6900.44k     7079.70k     7110.40k     7057.72k
-                  sign    verify
-rsa  512 bits   0.0085s   0.0007s
-rsa 1024 bits   0.0377s   0.0020s
-rsa 2048 bits   0.2176s   0.0067s
-rsa 4096 bits   1.4800s   0.0242s
-sign    verify
-dsa  512 bits   0.0071s   0.0132s
-dsa 1024 bits   0.0192s   0.0376s
-dsa 2048 bits   0.0638s   0.1280s
-
diff --git a/times/486-66.dos b/times/486-66.dos
deleted file mode 100644
index 1644bf8..0000000
--- a/times/486-66.dos
+++ /dev/null
@@ -1,22 +0,0 @@
-MS-dos static libs, 16bit C build, 16bit assember
-
-SSLeay 0.6.1
-options:bn(32,16) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /f- /Ocgnotb2 /G2 /W3 /WX -DL_ENDIAN /nologo -DMSDOS -D
-NO_SOCK
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             18.62k       55.54k       76.88k       85.39k       86.52k
-md5             94.03k      442.06k      794.38k      974.51k     1061.31k
-sha             38.37k      166.23k      272.78k      331.41k      353.77k
-sha1            34.38k      147.77k      244.77k      292.57k      312.08k
-rc4            641.25k      795.34k      817.16k      829.57k      817.16k
-des cfb        111.46k      118.08k      120.69k      119.16k      119.37k
-des cbc        122.96k      135.69k      137.10k      135.69k      135.40k
-des ede3        48.01k       50.92k       50.32k       50.96k       50.96k
-idea cfb        97.09k      100.21k      100.36k      101.14k      100.98k
-idea cbc       102.08k      109.41k      111.46k      111.65k      110.52k
-rc2 cfb        120.47k      125.55k      125.79k      125.55k      125.55k
-rc2 cbc        129.77k      140.33k      143.72k      142.16k      141.85k
-rsa  512 bits   0.264s
-rsa 1024 bits   1.494s
diff --git a/times/486-66.nt b/times/486-66.nt
deleted file mode 100644
index b26a900..0000000
--- a/times/486-66.nt
+++ /dev/null
@@ -1,22 +0,0 @@
-SSLeay 0.6.1 02-Jul-1996
-built on Fri Jul 10 09:53:15 EST 1996
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,long) idea(int)
-C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /nologo -DWIN32 -DL_ENDIAN /MD
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             38.27k      107.28k      145.43k      159.60k      164.15k
-md5            399.00k     1946.13k     3610.80k     4511.94k     4477.27k
-sha            182.04k      851.26k     1470.65k     1799.20k     1876.48k
-sha1           151.83k      756.55k     1289.76k     1567.38k     1625.70k
-rc4           1853.92k     2196.25k     2232.91k     2241.31k     2152.96k
-des cfb        360.58k      382.69k      384.94k      386.07k      377.19k
-des cbc        376.10k      431.87k      436.32k      437.78k      430.45k
-des ede3       152.55k      160.38k      161.51k      161.33k      159.98k
-idea cfb       245.59k      255.60k      256.65k      257.16k      254.61k
-idea cbc       257.16k      276.12k      279.05k      279.11k      276.70k
-rc2 cfb        280.25k      293.49k      294.74k      294.15k      291.47k
-rc2 cbc        295.47k      321.57k      324.76k      324.76k      320.00k
-rsa  512 bits   0.084s
-rsa 1024 bits   0.495s
-rsa 2048 bits   3.435s
-
diff --git a/times/486-66.w31 b/times/486-66.w31
deleted file mode 100644
index 381f149..0000000
--- a/times/486-66.w31
+++ /dev/null
@@ -1,23 +0,0 @@
-Windows 3.1 DLL's, 16 bit C with 32bit assember
-
-SSLeay 0.6.1 02-Jul-1996
-built on Wed Jul 10 09:53:15 EST 1996
-options:bn(32,32) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DWIN16
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             18.94k       54.27k       73.43k       80.91k       83.75k
-md5             78.96k      391.26k      734.30k      919.80k      992.97k
-sha             39.01k      168.04k      280.67k      336.08k      359.10k
-sha1            35.20k      150.14k      247.31k      294.54k      313.94k
-rc4            509.61k      655.36k      678.43k      677.02k      670.10k
-des cfb         97.09k      104.69k      106.56k      105.70k      106.56k
-des cbc        116.82k      129.77k      131.07k      131.07k      131.07k
-des ede3        44.22k       47.90k       48.53k       48.47k       47.86k
-idea cfb        83.49k       87.03k       87.03k       87.15k       87.73k
-idea cbc        89.04k       96.23k       96.95k       97.81k       97.09k
-rc2 cfb        108.32k      113.58k      113.78k      114.57k      114.77k
-rc2 cbc        118.08k      131.07k      134.02k      134.02k      132.66k
-rsa  512 bits   0.181s
-rsa 1024 bits   0.846s
-
diff --git a/times/5.lnx b/times/5.lnx
deleted file mode 100644
index 1c1e392..0000000
--- a/times/5.lnx
+++ /dev/null
@@ -1,29 +0,0 @@
-SSLeay 0.8.5g 24-Jan-1998
-built on Tue Jan 27 08:11:42 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 56.55k      156.69k      211.63k      231.77k      238.71k
-mdc2               192.26k      208.09k      210.09k      209.58k      210.26k
-md5                991.04k     5745.51k    11932.67k    16465.24k    18306.39k
-hmac(md5)          333.99k     2383.89k     6890.67k    13133.82k    17397.08k
-sha1               571.68k     2883.88k     5379.07k     6880.26k     7443.80k
-rmd160             409.41k     2212.91k     4225.45k     5456.55k     5928.28k
-rc4               6847.57k     8596.22k     8901.80k     8912.90k     8850.09k
-des cbc           2046.29k     2229.78k     2254.76k     2259.97k     2233.69k
-des ede3           751.11k      779.95k      783.96k      784.38k      780.97k
-idea cbc           653.40k      708.29k      718.42k      720.21k      720.90k
-rc2 cbc            647.19k      702.46k      709.21k      710.66k      709.97k
-rc5-32/12 cbc     3498.18k     4054.12k     4133.46k     4151.64k     4139.69k
-blowfish cbc      3763.95k     4437.74k     4532.74k     4515.50k     4448.26k
-cast cbc          2754.22k     3020.67k     3079.08k     3069.95k     3036.50k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0207s   0.0020s     48.3    511.3
-rsa 1024 bits   0.1018s   0.0059s      9.8    169.6
-rsa 2048 bits   0.6438s   0.0208s      1.6     48.0
-rsa 4096 bits   4.6033s   0.0793s      0.2     12.6
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0190s   0.0359s     52.6     27.8
-dsa 1024 bits   0.0566s   0.1109s     17.7      9.0
-dsa 2048 bits   0.1988s   0.3915s      5.0      2.6
diff --git a/times/586-085i.nt b/times/586-085i.nt
deleted file mode 100644
index 8a57975..0000000
--- a/times/586-085i.nt
+++ /dev/null
@@ -1,29 +0,0 @@
-SSLeay 0.8.5i 28-Jan-1998
-built on Wed Jan 28 18:00:07 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags:cl /MT /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                 92.74k      257.59k      348.16k      381.79k      392.14k
-mdc2               227.65k      247.82k      249.90k      250.65k      250.20k
-md5               1089.54k     5966.29k    12104.77k    16493.53k    18204.44k
-hmac(md5)          513.53k     3361.36k     8725.41k    14543.36k    17593.56k
-sha1               580.74k     2880.51k     5376.62k     6865.78k     7413.05k
-rmd160             508.06k     2427.96k     4385.51k     5510.84k     5915.80k
-rc4               8004.40k    10408.74k    10794.48k    10884.12k    10728.22k
-des cbc           2057.24k     2222.97k     2246.79k     2209.39k     2223.44k
-des ede3           739.42k      761.99k      765.48k      760.26k      760.97k
-idea cbc           827.08k      889.60k      898.83k      901.15k      897.98k
-rc2 cbc            795.64k      861.04k      871.13k      872.58k      871.13k
-rc5-32/12 cbc     3597.17k     4139.66k     4204.39k     4223.02k     4204.39k
-blowfish cbc      3807.47k     3996.10k     4156.07k     4204.39k     4105.62k
-cast cbc          2777.68k     2814.21k     2892.62k     2916.76k     2868.88k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0178s   0.0018s     56.3    541.6
-rsa 1024 bits   0.0945s   0.0059s     10.6    168.3
-rsa 2048 bits   0.6269s   0.0208s      1.6     48.0
-rsa 4096 bits   4.5560s   0.0784s      0.2     12.8
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0178s   0.0340s     56.2     29.4
-dsa 1024 bits   0.0552s   0.1077s     18.1      9.3
-dsa 2048 bits   0.1963s   0.3811s      5.1      2.6
diff --git a/times/586-100.LN3 b/times/586-100.LN3
deleted file mode 100644
index a6fa818..0000000
--- a/times/586-100.LN3
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3v 15-Oct-1997
-built on Wed Oct 15 10:05:00 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DX86_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.27k      156.76k      211.46k      231.77k      238.71k
-mdc2              188.74k      206.12k      207.70k      207.87k      208.18k
-md5               991.56k     5718.31k    11748.61k    16090.79k    17850.37k
-hmac(md5)         387.56k     2636.01k     7327.83k    13340.33k    17091.24k
-sha1              463.55k     2274.18k     4071.17k     5072.90k     5447.68k
-rc4              3673.94k     4314.52k     4402.26k     4427.09k     4407.30k
-des cbc          2023.79k     2209.77k     2233.34k     2220.71k     2222.76k
-des ede3          747.17k      778.54k      781.57k      778.24k      778.24k
-idea cbc          614.64k      678.04k      683.52k      685.06k      685.40k
-rc2 cbc           536.83k      574.10k      578.05k      579.24k      578.90k
-blowfish cbc     3673.39k     4354.58k     4450.22k     4429.48k     4377.26k
-                  sign    verify
-rsa  512 bits   0.0217s   0.0021s
-rsa 1024 bits   0.1083s   0.0064s
-rsa 2048 bits   0.6867s   0.0223s
-rsa 4096 bits   4.9400s   0.0846s
-                  sign    verify
-dsa  512 bits   0.0203s   0.0387s
-dsa 1024 bits   0.0599s   0.1170s
-dsa 2048 bits   0.2115s   0.4242s
diff --git a/times/586-100.NT2 b/times/586-100.NT2
deleted file mode 100644
index 7f8c167..0000000
--- a/times/586-100.NT2
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3e 30-Sep-1997
-built on Tue Sep 30 14:52:58 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags:cl /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN -DX86_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                92.99k      257.59k      348.16k      381.47k      392.14k
-mdc2              223.77k      235.30k      237.15k      236.77k      237.29k
-md5               862.53k     4222.17k     7842.75k     9925.00k    10392.23k
-sha               491.34k     2338.61k     4062.28k     4986.10k     5307.90k
-sha1              494.38k     2234.94k     3838.83k     4679.58k     4980.18k
-rc4              6338.10k     7489.83k     7676.25k     7698.80k     7631.56k
-des cbc          1654.17k     1917.66k     1961.05k     1968.05k     1960.69k
-des ede3          691.17k      739.42k      744.13k      745.82k      741.40k
-idea cbc          788.46k      870.33k      879.16k      881.38k      879.90k
-rc2 cbc           794.44k      859.63k      868.24k      869.68k      867.45k
-blowfish cbc     2379.88k     3017.48k     3116.12k     3134.76k     3070.50k
-                  sign    verify
-rsa  512 bits   0.0204s   0.0027s
-rsa 1024 bits   0.1074s   0.0032s
-rsa 2048 bits   0.6890s   0.0246s
-rsa 4096 bits   5.0180s   0.0911s
-                  sign    verify
-dsa  512 bits   0.0201s   0.0376s
-dsa 1024 bits   0.0608s   0.1193s
-dsa 2048 bits   0.2133s   0.4294s
diff --git a/times/586-100.dos b/times/586-100.dos
deleted file mode 100644
index 3085c25..0000000
--- a/times/586-100.dos
+++ /dev/null
@@ -1,24 +0,0 @@
-ms-dos static libs, 16 bit C and 16 bit assmber 
-
-SSLeay 0.6.1 02-Jul-1996
-built on Tue Jul  9 22:52:54 EST 1996
-options:bn(32,16) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DMSDOS -DNO_SOCK
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             45.99k      130.75k      176.53k      199.35k      203.21k
-md5            236.17k     1072.16k     1839.61k     2221.56k     2383.13k
-sha            107.97k      459.10k      757.64k      908.64k      954.99k
-sha1            96.95k      409.92k      672.16k      788.40k      844.26k
-rc4           1659.14k     1956.30k     2022.72k     2022.72k     2022.72k
-des cfb        313.57k      326.86k      326.86k      331.83k      326.86k
-des cbc        345.84k      378.82k      378.82k      384.38k      378.82k
-des ede3       139.59k      144.66k      144.61k      144.45k      143.29k
-idea cfb       262.67k      274.21k      274.21k      274.21k      274.21k
-idea cbc       284.32k      318.14k      318.14k      318.14k      318.14k
-rc2 cfb        265.33k      274.21k      277.69k      277.11k      277.69k
-rc2 cbc        283.71k      310.60k      309.86k      313.57k      314.32k
-rsa  512 bits   0.104s
-rsa 1024 bits   0.566s
-rsa 2048 bits   3.680s
-rsa 4096 bits  26.740s
diff --git a/times/586-100.ln4 b/times/586-100.ln4
deleted file mode 100644
index 14a9db9..0000000
--- a/times/586-100.ln4
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3aa 24-Oct-1997
-built on Mon Oct 27 10:16:25 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.78k      156.71k      211.46k      231.77k      238.71k
-mdc2              187.45k      200.49k      201.64k      202.75k      202.77k
-md5              1002.51k     5798.66k    11967.15k    16449.19k    18251.78k
-hmac(md5)         468.71k     3173.46k     8386.99k    14305.56k    17607.34k
-sha1              586.98k     2934.87k     5393.58k     6863.19k     7408.30k
-rc4              3675.10k     4314.15k     4402.77k     4427.78k     4404.57k
-des cbc          1902.96k     2202.01k     2242.30k     2252.46k     2236.42k
-des ede3          700.15k      774.23k      783.70k      781.62k      783.70k
-idea cbc          618.46k      677.93k      683.61k      685.40k      685.40k
-rc2 cbc           536.97k      573.87k      577.96k      579.24k      578.90k
-blowfish cbc     3672.66k     4271.89k     4428.80k     4469.76k     4374.53k
-                  sign    verify
-rsa  512 bits   0.0213s   0.0021s
-rsa 1024 bits   0.1075s   0.0063s
-rsa 2048 bits   0.6853s   0.0224s
-rsa 4096 bits   4.9400s   0.0845s
-                  sign    verify
-dsa  512 bits   0.0203s   0.0380s
-dsa 1024 bits   0.0600s   0.1189s
-dsa 2048 bits   0.2110s   0.4250s
diff --git a/times/586-100.lnx b/times/586-100.lnx
deleted file mode 100644
index 0c05173..0000000
--- a/times/586-100.lnx
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3 30-Apr-1997
-built on Mon May 12 04:13:55 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                72.95k      202.77k      274.01k      300.37k      309.23k
-md5               770.57k     4094.02k     7409.41k     9302.36k     9986.05k
-sha               363.05k     1571.07k     2613.85k     3134.81k     3320.49k
-sha1              340.94k     1462.85k     2419.20k     2892.12k     3042.35k
-rc4              3676.91k     4314.94k     4407.47k     4430.51k     4412.76k
-des cbc          1489.95k     1799.08k     1841.66k     1851.73k     1848.66k
-des ede3          621.93k      711.19k      726.10k      729.77k      729.09k
-idea cbc          618.16k      676.99k      683.09k      684.37k      683.59k
-rc2 cbc           537.59k      573.93k      578.56k      579.58k      579.70k
-blowfish cbc     2077.57k     2682.20k     2827.18k     2840.92k     2842.62k
-rsa  512 bits   0.024s   0.003
-rsa 1024 bits   0.120s   0.003
-rsa 2048 bits   0.751s   0.026
-rsa 4096 bits   5.320s   0.096
-dsa  512 bits   0.022s   0.042
-dsa 1024 bits   0.065s   0.126
-dsa 2048 bits   0.227s   0.449
diff --git a/times/586-100.nt b/times/586-100.nt
deleted file mode 100644
index 9adcac3..0000000
--- a/times/586-100.nt
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3 30-Apr-1997
-built on Mon May 19 10:47:38 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags not available
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                89.57k      245.94k      331.59k      362.95k      373.29k
-md5               858.93k     4175.51k     7700.21k     9715.78k    10369.11k
-sha               466.18k     2103.67k     3607.69k     4399.31k     4669.16k
-sha1              449.59k     2041.02k     3496.13k     4256.45k     4512.92k
-rc4              5862.55k     7447.27k     7698.80k     7768.38k     7653.84k
-des cbc          1562.71k     1879.84k     1928.24k     1938.93k     1911.02k
-des ede3          680.27k      707.97k      728.62k      733.15k      725.98k
-idea cbc          797.46k      885.85k      895.68k      898.06k      896.45k
-rc2 cbc           609.46k      648.75k      654.01k      654.42k      653.60k
-blowfish cbc     2357.94k     3000.22k     3106.89k     3134.76k     3080.42k
-rsa  512 bits   0.022s   0.003
-rsa 1024 bits   0.112s   0.003
-rsa 2048 bits   0.726s   0.026
-rsa 4096 bits   5.268s   0.095
-dsa  512 bits   0.021s   0.039
-dsa 1024 bits   0.063s   0.127
-dsa 2048 bits   0.224s   0.451
diff --git a/times/586-100.ntx b/times/586-100.ntx
deleted file mode 100644
index 35166a5..0000000
--- a/times/586-100.ntx
+++ /dev/null
@@ -1,30 +0,0 @@
-SSLeay 0.8.5f 22-Jan-1998
-built on Wed Jan 21 17:11:53 EST 1998
-options:bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(
-ptr2)
-C flags:cl /MT /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DL_ENDIAN
--DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                92.99k      257.43k      347.84k      381.82k      392.14k
-mdc2              232.19k      253.68k      257.57k      258.70k      258.70k
-md5              1094.09k     5974.79k    12139.81k    16487.04k    18291.77k
-hmac(md5)         375.70k     2590.04k     7309.70k    13469.18k    17447.19k
-sha1              613.78k     2982.93k     5446.44k     6889.46k     7424.86k
-rmd160            501.23k     2405.68k     4367.25k     5503.61k     5915.80k
-rc4              8167.75k    10429.44k    10839.12k    10929.50k    10772.30k
-des cbc          2057.24k     2218.27k     2237.20k     2227.69k     2213.59k
-des ede3          719.63k      727.11k      728.77k      719.56k      722.97k
-idea cbc          827.67k      888.85k      898.06k      900.30k      898.75k
-rc2 cbc           797.46k      862.53k      870.33k      872.58k      870.40k
-blowfish cbc     3835.32k     4435.60k     4513.89k     4513.89k     4416.92k
-cast cbc         2785.06k     3052.62k     3088.59k     3034.95k     3034.95k
-                  sign    verify    sign/s verify/s
-rsa  512 bits   0.0202s   0.0020s     49.4    500.2
-rsa 1024 bits   0.1030s   0.0063s      9.7    159.4
-rsa 2048 bits   0.6740s   0.0223s      1.5     44.9
-rsa 4096 bits   4.8970s   0.0844s      0.2     11.8
-                  sign    verify    sign/s verify/s
-dsa  512 bits   0.0191s   0.0361s     52.4     27.7
-dsa 1024 bits   0.0587s   0.1167s     17.0      8.6
-dsa 2048 bits   0.2091s   0.4123s      4.8      2.4
diff --git a/times/586-100.w31 b/times/586-100.w31
deleted file mode 100644
index d5b1c10..0000000
--- a/times/586-100.w31
+++ /dev/null
@@ -1,27 +0,0 @@
-Pentium 100, Windows 3.1 DLL's, 16 bit C, 32bit assember.
-
-Running under Windows NT 4.0 Beta 2
-
-SSLeay 0.6.4 20-Aug-1996
-built on Thu Aug 22 08:44:21 EST 1996
-options:bn(32,32) md2(char) rc4(idx,int) des(ptr,long) idea(short)
-C flags:cl /ALw /Gx- /Gf /G2 /f- /Ocgnotb2 /W3 /WX -DL_ENDIAN /nologo -DWIN16
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             45.83k      128.82k      180.17k      194.90k      198.59k
-md5            224.82k     1038.19k     1801.68k     2175.47k     2330.17k
-sha            105.11k      448.11k      739.48k      884.13k      944.66k
-sha1            94.71k      402.99k      667.88k      795.58k      844.26k
-rc4           1614.19k     1956.30k     2022.72k     2022.72k     2022.72k
-des cfb        291.27k      318.14k      318.14k      318.14k      322.84k
-des cbc        326.86k      356.17k      362.08k      362.08k      367.15k
-des ede3       132.40k      139.57k      139.53k      139.37k      140.97k
-idea cfb       265.33k      280.67k      280.67k      277.69k      281.27k
-idea cbc       274.21k      302.01k      306.24k      306.24k      305.53k
-rc2 cfb        264.79k      274.21k      274.78k      274.21k      274.21k
-rc2 cbc        281.27k      306.24k      309.86k      305.53k      309.86k
-rsa  512 bits   0.058s
-rsa 1024 bits   0.280s
-rsa 2048 bits   1.430s
-rsa 4096 bits  10.600s
-
diff --git a/times/586-1002.lnx b/times/586-1002.lnx
deleted file mode 100644
index d830bce..0000000
--- a/times/586-1002.lnx
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.3e 30-Sep-1997
-built on Wed Oct  1 03:01:44 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DX86_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.21k      156.57k      211.29k      231.77k      237.92k
-mdc2              170.99k      191.70k      193.90k      195.58k      195.95k
-md5               770.50k     3961.96k     7291.22k     9250.82k     9942.36k
-sha               344.93k     1520.77k     2569.81k     3108.52k     3295.91k
-sha1              326.20k     1423.74k     2385.15k     2870.95k     3041.96k
-rc4              3672.88k     4309.65k     4374.41k     4408.66k     4355.41k
-des cbc          1349.73k     1689.05k     1735.34k     1748.99k     1739.43k
-des ede3          638.70k      704.00k      711.85k      714.41k      712.70k
-idea cbc          619.55k      677.33k      683.26k      685.06k      685.40k
-rc2 cbc           521.18k      571.20k      573.46k      578.90k      578.90k
-blowfish cbc     2079.67k     2592.49k     2702.34k     2730.33k     2695.17k
-                  sign    verify
-rsa  512 bits   0.0213s   0.0026s
-rsa 1024 bits   0.1099s   0.0031s
-rsa 2048 bits   0.7007s   0.0248s
-rsa 4096 bits   5.0500s   0.0921s
-                  sign    verify
-dsa  512 bits   0.0203s   0.0389s
-dsa 1024 bits   0.0614s   0.1222s
-dsa 2048 bits   0.2149s   0.4283s
diff --git a/times/586p-100.lnx b/times/586p-100.lnx
deleted file mode 100644
index 561eb31..0000000
--- a/times/586p-100.lnx
+++ /dev/null
@@ -1,26 +0,0 @@
-Pentium 100 - Linux 1.2.13 - gcc 2.7.2p
-This is the pentium specific version of gcc
-
-SSLeay 0.6.4 20-Aug-1996
-built on Thu Aug 22 08:27:58 EST 1996
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,long) idea(int)
-C flags:gcc -DL_ENDIAN -DTERMIO -O6 -fomit-frame-pointer -mpentium -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             74.90k      208.43k      282.11k      309.59k      318.43k
-md5            807.08k     4205.67k     7801.51k     9958.06k    10810.71k
-sha            405.98k     1821.55k     3119.10k     3799.04k     4052.31k
-sha1           389.13k     1699.50k     2852.78k     3437.57k     3656.36k
-rc4           3621.15k     4130.07k     4212.74k     4228.44k     4213.42k
-des cfb        794.39k      828.37k      831.74k      832.51k      832.85k
-des cbc        817.68k      886.17k      894.72k      896.00k      892.93k
-des ede3       308.83k      323.29k      324.61k      324.95k      324.95k
-idea cfb       690.41k      715.39k      718.51k      719.19k      718.17k
-idea cbc       696.80k      760.60k      767.32k      768.68k      770.05k
-rc2 cfb        619.91k      639.74k      642.30k      642.73k      641.71k
-rc2 cbc        631.99k      671.42k      676.35k      676.18k      677.21k
-rsa  512 bits   0.025s
-rsa 1024 bits   0.123s
-rsa 2048 bits   0.756s
-rsa 4096 bits   5.365s
-
diff --git a/times/686-200.bsd b/times/686-200.bsd
deleted file mode 100644
index f23c580..0000000
--- a/times/686-200.bsd
+++ /dev/null
@@ -1,25 +0,0 @@
-Pentium Pro 200mhz
-FreeBSD 2.1.5
-gcc 2.7.2.2
-
-SSLeay 0.7.0 30-Jan-1997
-built on Tue Apr 22 12:14:36 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DTERMIOS -D_ANSI_SOURCE -fomit-frame-pointer -O3 -m486 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               130.99k      367.68k      499.09k      547.04k      566.50k
-md5              1924.98k     8293.50k    13464.41k    16010.39k    16820.68k
-sha              1250.75k     5330.43k     8636.88k    10227.36k    10779.14k
-sha1             1071.55k     4572.50k     7459.98k     8791.96k     9341.61k
-rc4             10724.22k    14546.25k    15240.18k    15259.50k    15265.63k
-des cbc          3309.11k     3883.01k     3968.25k     3971.86k     3979.14k
-des ede3         1442.98k     1548.33k     1562.48k     1562.00k     1563.33k
-idea cbc         2195.69k     2506.39k     2529.59k     2545.66k     2546.54k
-rc2 cbc           806.00k      833.52k      837.58k      838.52k      836.69k
-blowfish cbc     4687.34k     5949.97k     6182.43k     6248.11k     6226.09k
-rsa  512 bits   0.010s
-rsa 1024 bits   0.045s
-rsa 2048 bits   0.260s
-rsa 4096 bits   1.690s
-
diff --git a/times/686-200.lnx b/times/686-200.lnx
deleted file mode 100644
index a10cc2f..0000000
--- a/times/686-200.lnx
+++ /dev/null
@@ -1,26 +0,0 @@
-SSLeay 0.8.2a 04-Sep-1997
-built on Fri Sep  5 17:37:05 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               131.02k      368.41k      500.57k      549.21k      566.09k
-mdc2              535.60k      589.10k      595.88k      595.97k      594.54k
-md5              1801.53k     9674.77k    17484.03k    21849.43k    23592.96k
-sha              1261.63k     5533.25k     9285.63k    11187.88k    11913.90k
-sha1             1103.13k     4782.53k     7933.78k     9472.34k    10070.70k
-rc4             10722.53k    14443.93k    15215.79k    15299.24k    15219.59k
-des cbc          3286.57k     3827.73k     3913.39k     3931.82k     3926.70k
-des ede3         1443.50k     1549.08k     1561.17k     1566.38k     1564.67k
-idea cbc         2203.64k     2508.16k     2538.33k     2543.62k     2547.71k
-rc2 cbc          1430.94k     1511.59k     1524.82k     1527.13k     1523.33k
-blowfish cbc     4716.07k     5965.82k     6190.17k     6243.67k     6234.11k
-                  sign    verify
-rsa  512 bits   0.0100s   0.0011s
-rsa 1024 bits   0.0451s   0.0012s
-rsa 2048 bits   0.2605s   0.0086s
-rsa 4096 bits   1.6883s   0.0302s
-                  sign    verify
-dsa  512 bits   0.0083s   0.0156s
-dsa 1024 bits   0.0228s   0.0454s
-dsa 2048 bits   0.0719s   0.1446s
-
diff --git a/times/686-200.nt b/times/686-200.nt
deleted file mode 100644
index c8cbaa0..0000000
--- a/times/686-200.nt
+++ /dev/null
@@ -1,24 +0,0 @@
-built on Tue May 13 08:24:51 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfi
-sh(ptr2)
-C flags not available
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               156.39k      427.99k      576.14k      628.36k      647.27k
-md5              2120.48k    10255.02k    18396.07k    22795.13k    24244.53k
-sha              1468.59k     6388.89k    10686.12k    12826.62k    13640.01k
-sha1             1393.46k     6013.34k     9974.56k    11932.59k    12633.45k
-rc4             13833.46k    19275.29k    20321.24k    20281.93k    20520.08k
-des cbc          3382.50k     4104.02k     4152.78k     4194.30k     4194.30k
-des ede3         1465.51k     1533.00k     1549.96k     1553.29k     1570.29k
-idea cbc         2579.52k     3079.52k     3130.08k     3153.61k     3106.89k
-rc2 cbc          1204.57k     1276.42k     1285.81k     1289.76k     1285.81k
-blowfish cbc     5229.81k     6374.32k     6574.14k     6574.14k     6594.82k
-rsa  512 bits   0.008s   0.001
-rsa 1024 bits   0.038s   0.001
-rsa 2048 bits   0.231s   0.008
-rsa 4096 bits   1.540s   0.027
-dsa  512 bits   0.007s   0.013
-dsa 1024 bits   0.021s   0.040
-dsa 2048 bits   0.066s   0.130
-
diff --git a/times/L1 b/times/L1
deleted file mode 100644
index 09253d7..0000000
--- a/times/L1
+++ /dev/null
@@ -1,27 +0,0 @@
-SSLeay 0.8.3ad 27-Oct-1997
-built on Wed Oct 29 00:36:17 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2) 
-C flags:gcc -DL_ENDIAN -DTERMIO -DBN_ASM -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DMD5_ASM -DSHA1_ASM
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                56.16k      156.50k      211.46k      231.77k      238.71k
-mdc2              183.37k      205.21k      205.57k      209.92k      207.53k
-md5              1003.65k     5605.56k    11628.54k    15887.70k    17522.69k
-hmac(md5)         411.24k     2803.46k     7616.94k    13475.84k    16864.60k
-sha1              542.66k     2843.50k     5320.53k     6833.49k     7389.18k
-rc4              3677.15k     4313.73k     4407.89k     4429.82k     4404.57k
-des cbc          1787.94k     2174.51k     2236.76k     2249.73k     2230.95k
-des ede3          719.46k      777.26k      784.81k      780.29k      783.70k
-idea cbc          619.56k      677.89k      684.12k      685.40k      685.40k
-rc2 cbc           537.51k      573.93k      578.47k      579.24k      578.90k
-blowfish cbc     3226.76k     4221.65k     4424.19k     4468.39k     4377.26k
-cast cbc         2866.13k     3165.35k     3263.15k     3287.04k     3233.11k
-                  sign    verify
-rsa  512 bits   0.0212s   0.0021s
-rsa 1024 bits   0.1072s   0.0064s
-rsa 2048 bits   0.6853s   0.0222s
-rsa 4096 bits   4.9300s   0.0848s
-                  sign    verify
-dsa  512 bits   0.0200s   0.0380s
-dsa 1024 bits   0.0600s   0.1180s
-dsa 2048 bits   0.2110s   0.4221s
diff --git a/times/R10000.t b/times/R10000.t
deleted file mode 100644
index 6b3874c..0000000
--- a/times/R10000.t
+++ /dev/null
@@ -1,24 +0,0 @@
-IRIX 6.2 - R10000 195mhz
-SLeay 0.6.5a 06-Dec-1996
-built on Tue Dec 24 03:51:45 EST 1996
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int)
-C flags:cc -O2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2            156.34k      424.03k      571.88k      628.88k      646.01k
-md5           1885.02k     8181.72k    13440.53k    16020.60k    16947.54k
-sha           1587.12k     7022.05k    11951.24k    14440.12k    15462.74k
-sha1          1413.13k     6215.86k    10571.16k    12736.22k    13628.51k
-rc4          10556.28k    11974.08k    12077.10k    12111.38k    12103.20k
-des cfb       2977.71k     3252.27k     3284.36k     3302.66k     3290.54k
-des cbc       3298.31k     3704.96k     3771.30k     3730.73k     3778.80k
-des ede3      1278.28k     1328.82k     1342.66k     1339.82k     1343.27k
-idea cfb      2843.34k     3138.04k     3180.95k     3176.46k     3188.54k
-idea cbc      3115.21k     3558.03k     3590.61k     3591.24k     3601.18k
-rc2 cfb       2006.66k     2133.33k     2149.03k     2159.36k     2149.71k
-rc2 cbc       2167.07k     2315.30k     2338.05k     2329.34k     2333.90k
-rsa  512 bits   0.008s
-rsa 1024 bits   0.043s
-rsa 2048 bits   0.280s
-rsa 4096 bits   2.064s
-
diff --git a/times/R4400.t b/times/R4400.t
deleted file mode 100644
index af8848f..0000000
--- a/times/R4400.t
+++ /dev/null
@@ -1,26 +0,0 @@
-IRIX 5.3
-R4400 200mhz
-cc -O2
-SSLeay 0.6.5a 06-Dec-1996
-built on Mon Dec 23 11:51:11 EST 1996
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc2,16,long) idea(int)
-C flags:cc -O2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2            100.62k      280.25k      380.15k      416.02k      428.82k
-md5            828.62k     3525.05k     6311.98k     7742.51k     8328.04k
-sha            580.04k     2513.74k     4251.73k     5101.04k     5394.80k
-sha1           520.23k     2382.94k     4107.82k     5024.62k     5362.56k
-rc4           5871.53k     6323.08k     6357.49k     6392.04k     6305.45k
-des cfb       1016.76k     1156.72k     1176.59k     1180.55k     1181.65k
-des cbc       1016.38k     1303.81k     1349.10k     1359.41k     1356.62k
-des ede3       607.39k      650.74k      655.11k      657.52k      654.18k
-idea cfb      1296.10k     1348.66k     1353.80k     1358.75k     1355.40k
-idea cbc      1453.90k     1554.68k     1567.84k     1569.89k     1573.57k
-rc2 cfb       1199.86k     1251.69k     1253.57k     1259.56k     1251.31k
-rc2 cbc       1334.60k     1428.55k     1441.89k     1445.42k     1441.45k
-rsa  512 bits   0.024s
-rsa 1024 bits   0.125s
-rsa 2048 bits   0.806s
-rsa 4096 bits   5.800s
-
diff --git a/times/aix.t b/times/aix.t
deleted file mode 100644
index 4f24e39..0000000
--- a/times/aix.t
+++ /dev/null
@@ -1,34 +0,0 @@
-from Paco Garcia <pgarcia at ctv.es>
-This machine is a Bull Estrella  Minitower Model MT604-100
-Processor        : PPC604 
-P.Speed          : 100Mhz 
-Data/Instr Cache :    16 K
-L2 Cache         :   256 K
-PCI BUS Speed    :    33 Mhz
-TransfRate PCI   :   132 MB/s
-Memory           :    96 MB
-
-AIX 4.1.4
-
-SSLeay 0.6.6 14-Jan-1997
-built on Mon Jan 13 21:36:03 CUT 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish
-(idx)
-C flags:cc -O -DAIX -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                53.83k      147.46k      197.63k      215.72k     221.70k
-md5              1278.13k     5354.77k     8679.60k    10195.09k   10780.56k
-sha              1055.34k     4600.37k     7721.30k     9298.94k    9868.63k
-sha1              276.90k     1270.25k     2187.95k     2666.84k    2850.82k
-rc4              4660.57k     5268.93k     5332.48k     5362.47k    5346.65k
-des cbc          1774.16k     1981.10k     1979.56k     2032.71k    1972.25k
-des ede3          748.81k      781.42k      785.66k      785.75k     780.84k
-idea cbc         2066.19k     2329.58k     2378.91k     2379.86k    2380.89k
-rc2 cbc          1278.53k     1379.69k     1389.99k     1393.66k    1389.91k
-blowfish cbc     2812.91k     3307.90k     3364.91k     3386.37k    3374.32k
-rsa  512 bits   0.019s
-rsa 1024 bits   0.096s
-rsa 2048 bits   0.614s
-rsa 4096 bits   4.433s
-
diff --git a/times/aixold.t b/times/aixold.t
deleted file mode 100644
index 0b51412..0000000
--- a/times/aixold.t
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 04:06:32 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,4,long) idea(int) blowfish(idx)
-C flags:cc -O -DAIX -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                19.09k       52.47k       71.23k       77.49k       78.93k
-md5               214.56k      941.21k     1585.43k     1883.12k     1988.70k
-sha               118.35k      521.65k      860.28k     1042.27k     1100.46k
-sha1              109.52k      478.98k      825.90k      995.48k     1049.69k
-rc4              1263.63k     1494.24k     1545.70k     1521.66k     1518.99k
-des cbc           259.62k      286.55k      287.15k      288.15k      289.45k
-des ede3          104.92k      107.88k      109.27k      109.25k      109.96k
-idea cbc          291.63k      320.07k      319.40k      320.51k      318.27k
-rc2 cbc           220.04k      237.76k      241.44k      245.90k      244.08k
-blowfish cbc      407.95k      474.83k      480.99k      485.71k      481.07k
-rsa  512 bits   0.157s   0.019
-rsa 1024 bits   0.908s   0.023
-rsa 2048 bits   6.225s   0.218
-rsa 4096 bits  46.500s   0.830
-dsa  512 bits   0.159s   0.312
-dsa 1024 bits   0.536s   1.057
-dsa 2048 bits   1.970s   3.977
diff --git a/times/alpha.t b/times/alpha.t
deleted file mode 100644
index 3a7c6c4..0000000
--- a/times/alpha.t
+++ /dev/null
@@ -1,81 +0,0 @@
-SSLeay-051 Alpha gcc -O3 64Bit (assember bn_mul)
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             44.40k      121.56k      162.73k      179.20k      185.01k
-md5            780.85k     3278.53k     5281.52k     6327.98k     6684.67k
-sha            501.40k     2249.19k     3855.27k     4801.19k     5160.96k
-sha-1          384.99k     1759.72k     3113.64k     3946.92k     4229.80k
-rc4           3505.05k     3724.54k     3723.78k     3555.33k     3694.68k
-des cfb        946.96k     1015.27k     1021.87k     1033.56k     1037.65k
-des cbc       1001.24k     1220.20k     1243.31k     1272.73k     1265.87k
-des ede3       445.34k      491.65k      500.53k      502.10k      502.44k
-idea cfb       643.53k      667.49k      663.81k      666.28k      664.51k
-idea cbc       650.42k      735.41k      733.27k      742.74k      745.47k
-rsa  512 bits   0.031s
-rsa 1024 bits   0.141s
-rsa 2048 bits   0.844s
-rsa 4096 bits   6.033s
-
-SSLeay-051 Alpha cc -O2 64bit (assember bn_mul)
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             45.37k      122.86k      165.97k      182.95k      188.42k
-md5            842.42k     3629.93k     5916.76k     7039.17k     7364.61k
-sha            498.93k     2197.23k     3895.60k     4756.48k     5132.13k
-sha-1          382.02k     1757.21k     3112.53k     3865.23k     4128.77k
-rc4           2975.25k     3049.33k     3180.97k     3214.68k     3424.26k
-des cfb        901.55k      990.83k     1006.08k     1011.19k     1004.89k
-des cbc        947.84k     1127.84k     1163.67k     1162.24k     1157.80k
-des ede3       435.62k      485.57k      493.67k      491.52k      491.52k
-idea cfb       629.31k      648.66k      647.77k      648.53k      649.90k
-idea cbc       565.15k      608.00k      613.46k      613.38k      617.13k
-rsa  512 bits   0.030s
-rsa 1024 bits   0.141s
-rsa 2048 bits   0.854s
-rsa 4096 bits   6.067s
-
-des cfb        718.28k      822.64k      833.11k      836.27k      841.05k
-des cbc        806.10k      951.42k      975.83k      983.73k      991.23k
-des ede3       329.50k      379.11k      387.95k      387.41k      388.33k
-
-des cfb        871.62k      948.65k      951.81k      953.00k      955.58k
-des cbc        953.60k     1174.27k     1206.70k     1216.10k     1216.44k
-des ede3       349.34k      418.05k      427.26k      429.74k      431.45k
-
-
-
-
-SSLeay-045c Alpha gcc -O3 64Bit
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             44.95k      122.22k      164.27k      180.62k      184.66k
-md5            808.71k     3371.95k     5415.68k     6385.66k     6684.67k
-sha            493.68k     2162.05k     3725.82k     4552.02k     4838.74k
-rc4           3317.32k     3649.09k     3728.30k     3744.09k     3691.86k
-cfb des        996.45k     1050.77k     1058.30k     1059.16k     1064.96k
-cbc des       1096.52k     1255.49k     1282.13k     1289.90k     1299.80k
-ede3 des       482.14k      513.51k      518.66k      520.19k      521.39k
-cfb idea       519.90k      533.40k      535.21k      535.55k      535.21k
-cbc idea       619.34k      682.21k      688.04k      689.15k      690.86k
-rsa  512 bits   0.050s
-rsa 1024 bits   0.279s
-rsa 2048 bits   1.908s
-rsa 4096 bits  14.750s
-
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             37.31k      102.77k      137.64k      151.55k      155.78k
-md5            516.65k     2535.21k     4655.72k     5859.66k     6343.34k
-rc4           3519.61k     3707.01k     3746.86k     3755.39k     3675.48k
-cfb des        780.27k      894.68k      913.10k      921.26k      922.97k
-cbc des        867.54k     1040.13k     1074.17k     1075.54k     1084.07k
-ede3 des       357.19k      397.36k      398.08k      402.28k      401.41k
-cbc idea       646.53k      686.44k      694.03k      691.20k      693.59k
-rsa  512 bits   0.046s
-rsa 1024 bits   0.270s
-rsa 2048 bits   1.858s
-rsa 4096 bits  14.350s
-
-md2      C      37.83k      103.17k      137.90k      150.87k      155.37k
-md2      L      37.30k      102.04k      139.01k      152.74k      155.78k
-rc4       I   3532.24k     3718.08k     3750.83k     3768.78k     3694.59k
-rc4      CI   2662.97k     2873.26k     2907.22k     2920.63k     2886.31k
-rc4      LI   3514.63k     3738.72k     3747.41k     3752.96k     3708.49k
-cbc idea S     619.01k      658.68k      661.50k      662.53k      663.55k
-cbc idea  L    645.69k      684.22k      694.55k      692.57k      690.86k
diff --git a/times/alpha400.t b/times/alpha400.t
deleted file mode 100644
index 079e0d1..0000000
--- a/times/alpha400.t
+++ /dev/null
@@ -1,25 +0,0 @@
-Alpha EV5.6 (21164A) 400mhz
-
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 03:39:58 EST 1997
-options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
-C flags:cc -arch host -tune host -fast -std -O4 -inline speed
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               274.98k      760.96k     1034.27k     1124.69k     1148.69k
-md5              2524.46k    11602.60k    19838.81k    24075.26k    25745.10k
-sha              1848.46k     8335.66k    14232.49k    17247.91k    18530.30k
-sha1             1639.67k     7336.53k    12371.80k    14807.72k    15870.63k
-rc4             17950.93k    19390.66k    19652.44k    19700.39k    19412.31k
-des cbc          4018.59k     4872.06k     4988.76k     5003.26k     4995.73k
-des ede3         1809.11k     1965.67k     1984.26k     1986.90k     1982.46k
-idea cbc         2848.82k     3204.33k     3250.26k     3257.34k     3260.42k
-rc2 cbc          3766.08k     4349.50k     4432.21k     4448.94k     4448.26k
-blowfish cbc     6694.88k     9042.35k     9486.93k     9598.98k     9624.91k
-rsa  512 bits   0.003s   0.000
-rsa 1024 bits   0.013s   0.000
-rsa 2048 bits   0.081s   0.003
-rsa 4096 bits   0.577s   0.011
-dsa  512 bits   0.003s   0.005
-dsa 1024 bits   0.007s   0.014
-dsa 2048 bits   0.025s   0.050
diff --git a/times/cyrix100.lnx b/times/cyrix100.lnx
deleted file mode 100644
index 010a221..0000000
--- a/times/cyrix100.lnx
+++ /dev/null
@@ -1,22 +0,0 @@
-SSLeay 0.6.6 06-Dec-1996
-built on Fri Dec  6 10:05:20 GMT 1996
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,risc,16,long) idea(int)
-C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             36.77k      102.48k      138.00k      151.57k      155.78k
-md5            513.59k     2577.22k     4623.51k     5768.99k     6214.53k
-sha            259.89k     1105.45k     1814.97k     2156.16k     2292.13k
-sha1           242.43k     1040.95k     1719.44k     2049.74k     2164.64k
-rc4           1984.48k     2303.41k     2109.37k     2071.47k     1985.61k
-des cfb        712.08k      758.29k      753.17k      752.06k      748.67k
-des cbc        787.37k      937.64k      956.77k      961.61k      957.54k
-des ede3       353.97k      377.28k      379.99k      379.34k      379.11k
-idea cfb       403.80k      418.50k      416.60k      415.78k      415.03k
-idea cbc       426.54k      466.40k      471.31k      472.67k      473.14k
-rc2 cfb        405.15k      420.05k      418.16k      416.72k      416.36k
-rc2 cbc        428.21k      468.43k      473.09k      472.59k      474.70k
-rsa  512 bits   0.040s
-rsa 1024 bits   0.195s
-rsa 2048 bits   1.201s
-rsa 4096 bits   8.700s
diff --git a/times/dgux-x86.t b/times/dgux-x86.t
deleted file mode 100644
index 70635c5..0000000
--- a/times/dgux-x86.t
+++ /dev/null
@@ -1,23 +0,0 @@
-version:SSLeay 0.5.2c 15-May-1996
-built Fri Jun 14 19:47:04 EST 1996
-options:bn(LLONG,thirty_two) md2(CHAR) rc4(IDX,int) des(ary,long) idea(int)
-C flags:gcc -O3 -fomit-frame-pointer -DL_ENDIAN
-
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2            113.86k      316.48k      428.36k      467.63k      481.56k
-md5           1001.99k     5037.99k     9545.94k    12036.95k    11800.38k
-sha            628.77k     2743.48k     5113.42k     6206.99k     6165.42k
-sha1           583.83k     2638.66k     4538.85k     5532.09k     5917.04k
-rc4           5493.27k     6369.39k     6511.30k     6577.83k     6486.73k
-des cfb       1219.01k     1286.06k     1299.33k     1288.87k     1381.72k
-des cbc       1360.58k     1469.04k     1456.96k     1454.08k     1513.57k
-des ede3       544.45k      567.84k      568.99k      570.37k      566.09k
-idea cfb      1012.39k     1056.30k     1063.52k      989.17k      863.24k
-idea cbc       985.36k     1090.44k     1105.92k     1108.65k     1090.17k
-rc2 cfb        963.86k      979.06k      995.30k      937.35k      827.39k
-rc2 cbc        951.72k     1042.11k     1049.60k     1047.21k     1059.11k
-rsa  512 bits   0.032s
-rsa 1024 bits   0.159s
-rsa 2048 bits   1.025s
-rsa 4096 bits   7.270s
-
diff --git a/times/dgux.t b/times/dgux.t
deleted file mode 100644
index c7f7564..0000000
--- a/times/dgux.t
+++ /dev/null
@@ -1,17 +0,0 @@
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             38.54k      106.28k      144.00k      157.46k      161.72k
-md5            323.23k     1471.62k     2546.11k     3100.20k     3309.57k
-rc4        I  1902.74k     2055.20k     2080.42k     2077.88k     2065.46k
-cfb des        456.23k      475.22k      481.79k      488.42k      487.17k
-cbc des        484.30k      537.50k      553.09k      558.08k      558.67k
-ede3 des       199.97k      209.05k      211.03k      211.85k      212.78k
-cbc idea       478.50k      519.33k      523.42k      525.09k      526.44k
-rsa  512 bits   0.159s !RSA_LLONG
-rsa 1024 bits   1.053s
-rsa 2048 bits   7.600s
-rsa 4096 bits  59.760s
-
-md2       C     30.53k       83.58k      112.84k      123.22k      126.24k
-rc4           1844.56k     1975.50k     1997.73k     1994.95k     1984.88k
-rc4       C   1800.09k     1968.85k     1995.20k     1992.36k     1996.80k
-rc4       CI  1830.81k     2035.75k     2067.28k     2070.23k     2062.77k
diff --git a/times/hpux-acc.t b/times/hpux-acc.t
deleted file mode 100644
index 0c0e936..0000000
--- a/times/hpux-acc.t
+++ /dev/null
@@ -1,25 +0,0 @@
-HPUX 887
-
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 02:59:45 EST 1997
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
-C flags:cc -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit +O4 -Wl,-a,archive
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                58.99k      166.85k      225.07k      247.21k      253.76k
-md5               639.22k     2726.98k     4477.25k     5312.69k     5605.20k
-sha               381.08k     1661.49k     2793.84k     3368.86k     3581.23k
-sha1              349.54k     1514.56k     2536.63k     3042.59k     3224.39k
-rc4              2891.10k     4238.01k     4464.11k     4532.49k     4545.87k
-des cbc           717.05k      808.76k      820.14k      821.97k      821.96k
-des ede3          288.21k      303.50k      303.69k      305.82k      305.14k
-idea cbc          325.83k      334.36k      335.89k      336.61k      333.43k
-rc2 cbc           793.00k      915.81k      926.69k      933.28k      929.53k
-blowfish cbc     1561.91k     2051.97k     2122.65k     2139.40k     2145.92k
-rsa  512 bits   0.031s   0.004
-rsa 1024 bits   0.164s   0.004
-rsa 2048 bits   1.055s   0.037
-rsa 4096 bits   7.600s   0.137
-dsa  512 bits   0.029s   0.057
-dsa 1024 bits   0.092s   0.177
-dsa 2048 bits   0.325s   0.646
diff --git a/times/hpux-kr.t b/times/hpux-kr.t
deleted file mode 100644
index ad4a0ad..0000000
--- a/times/hpux-kr.t
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 02:17:35 EST 1997
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,cisc,16,long) idea(int) blowfish(idx)
-C flags:cc -DB_ENDIAN -DNOCONST -DNOPROTO -D_HPUX_SOURCE
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                35.30k       98.36k      133.41k      146.34k      150.69k
-md5               391.20k     1737.31k     2796.65k     3313.75k     3503.74k
-sha               189.55k      848.14k     1436.72k     1735.87k     1848.03k
-sha1              175.30k      781.14k     1310.32k     1575.61k     1675.81k
-rc4              2070.55k     2501.47k     2556.65k     2578.34k     2584.91k
-des cbc           465.13k      536.85k      545.87k      547.86k      548.89k
-des ede3          190.05k      200.99k      202.31k      202.22k      202.75k
-idea cbc          263.44k      277.77k      282.13k      281.51k      283.15k
-rc2 cbc           448.37k      511.39k      519.54k      522.00k      521.31k
-blowfish cbc      839.98k     1097.70k     1131.16k     1145.64k     1144.67k
-rsa  512 bits   0.048s   0.005
-rsa 1024 bits   0.222s   0.006
-rsa 2048 bits   1.272s   0.042
-rsa 4096 bits   8.445s   0.149
-dsa  512 bits   0.041s   0.077
-dsa 1024 bits   0.111s   0.220
-dsa 2048 bits   0.363s   0.726
diff --git a/times/hpux.t b/times/hpux.t
deleted file mode 100644
index dcf7615..0000000
--- a/times/hpux.t
+++ /dev/null
@@ -1,86 +0,0 @@
-HP-UX A.09.05 9000/712
-
-SSLeay 0.6.6 14-Jan-1997
-built on Tue Jan 14 16:36:31 WET 1997
-options:bn(32,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) 
-blowfish(idx)
-C flags:cc -DB_ENDIAN -D_HPUX_SOURCE -Aa +ESlit +O2 -Wl,-a,archive
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                66.56k      184.92k      251.82k      259.86k      282.62k
-md5               615.54k     2805.92k     4764.30k     5724.21k     6084.39k
-sha               358.23k     1616.46k     2781.50k     3325.72k     3640.89k
-sha1              327.50k     1497.98k     2619.44k     3220.26k     3460.85k
-rc4              3500.47k     3890.99k     3943.81k     3883.74k     3900.02k
-des cbc           742.65k      871.66k      887.15k      891.21k      895.40k
-des ede3          302.42k      322.50k      324.46k      326.66k      326.05k
-idea cbc          664.41k      755.87k      765.61k      772.70k      773.69k
-rc2 cbc           798.78k      931.04k      947.69k      950.31k      952.04k
-blowfish cbc     1353.32k     1932.29k     2021.93k     2047.02k     2053.66k
-rsa  512 bits   0.059s
-rsa 1024 bits   0.372s
-rsa 2048 bits   2.697s
-rsa 4096 bits  20.790s
-
-SSLeay 0.6.6 14-Jan-1997
-built on Tue Jan 14 15:37:30 WET 1997
-options:bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) 
-blowfish(idx)
-C flags:gcc -DB_ENDIAN -O3
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                44.91k      122.57k      167.71k      183.89k      190.24k
-md5               532.50k     2316.27k     3965.72k     4740.11k     5055.06k
-sha               363.76k     1684.09k     2978.53k     3730.86k     3972.72k
-sha1              385.76k     1743.53k     2997.69k     3650.74k     3899.08k
-rc4              3178.84k     3621.31k     3672.71k     3684.01k     3571.54k
-des cbc           733.00k      844.70k      863.28k      863.72k      868.73k
-des ede3          289.99k      308.94k      310.11k      309.64k      312.08k
-idea cbc          624.07k      713.91k      724.76k      723.35k      725.13k
-rc2 cbc           704.34k      793.39k      804.25k      805.99k      782.63k
-blowfish cbc     1371.24k     1823.66k     1890.05k     1915.51k     1920.12k
-rsa  512 bits   0.030s
-rsa 1024 bits   0.156s
-rsa 2048 bits   1.113s
-rsa 4096 bits   7.480s
-
-
-HPUX B.10.01 V 9000/887 - HP92453-01 A.10.11 HP C Compiler
-SSLeay 0.5.2 - -Aa +ESlit +Oall +O4 -Wl,-a,archive
-
-HPUX A.09.04 B 9000/887
-
-ssleay 0.5.1 gcc v 2.7.0 -O3 -mpa-risc-1-1
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             53.00k      166.81k      205.66k      241.95k      242.20k
-md5            743.22k     3128.44k     6031.85k     6142.07k     7025.26k
-sha            481.30k     2008.24k     3361.31k     3985.07k     4180.74k
-sha-1          463.60k     1916.15k     3139.24k     3786.27k     3997.70k
-rc4           3708.61k     4125.16k     4547.53k     4206.21k     4390.07k
-des cfb        665.91k      705.97k      698.48k      694.25k      666.08k
-des cbc        679.80k      741.90k      769.85k      747.62k      719.47k
-des ede3       264.31k      270.22k      265.63k      273.07k      273.07k
-idea cfb       635.91k      673.40k      605.60k      699.53k      672.36k
-idea cbc       705.85k      774.63k      750.60k      715.83k      721.50k
-rsa  512 bits   0.066s
-rsa 1024 bits   0.372s
-rsa 2048 bits   2.177s
-rsa 4096 bits  16.230s
-
-HP92453-01 A.09.61 HP C Compiler
-ssleay 0.5.1 cc -Ae +ESlit +Oall -Wl,-a,archive
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             58.69k      163.30k      213.57k      230.40k      254.23k
-md5            608.60k     2596.82k     3871.43k     4684.10k     4763.88k
-sha            343.26k     1482.43k     2316.80k     2766.27k     2860.26k
-sha-1          319.15k     1324.13k     2106.03k     2527.82k     2747.95k
-rc4           2467.47k     3374.41k     3265.49k     3354.39k     3368.55k
-des cfb        812.05k      814.90k      851.20k      819.20k      854.56k
-des cbc        836.35k      994.06k      916.02k     1020.01k      988.14k
-des ede3       369.78k      389.15k      401.01k      382.94k      408.03k
-idea cfb       290.40k      298.06k      286.11k      296.92k      299.46k
-idea cbc       301.30k      297.72k      304.34k      300.10k      309.70k
-rsa  512 bits   0.350s
-rsa 1024 bits   2.635s
-rsa 2048 bits  19.930s
-
diff --git a/times/p2.w95 b/times/p2.w95
deleted file mode 100644
index 82d1e55..0000000
--- a/times/p2.w95
+++ /dev/null
@@ -1,22 +0,0 @@
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               235.90k      652.30k      893.36k      985.74k      985.74k
-mdc2              779.61k      816.81k      825.65k      816.01k      825.65k
-md5              2788.77k    13508.23k    24672.38k    30504.03k    33156.55k
-sha              1938.22k     8397.01k    14122.24k    16980.99k    18196.55k
-sha1             1817.29k     7832.50k    13168.93k    15738.48k    16810.84k
-rc4             15887.52k    21709.65k    22745.68k    22995.09k    22995.09k
-des cbc          4599.02k     5377.31k     5377.31k     5533.38k     5533.38k
-des ede3         1899.59k     2086.71k     2086.67k     2086.51k     2085.90k
-idea cbc         3350.08k     3934.62k     3979.42k     4017.53k     4017.53k
-rc2 cbc          1534.13k     1630.76k     1625.70k     1644.83k     1653.91k
-blowfish cbc     6678.83k     8490.49k     8701.88k     8848.74k     8886.24k
-                  sign    verify
-rsa  512 bits   0.0062s   0.0008s
-rsa 1024 bits   0.0287s   0.0009s
-rsa 2048 bits   0.1785s   0.0059s
-rsa 4096 bits   1.1300s   0.0205s
-                  sign    verify
-dsa  512 bits   0.0055s   0.0100s
-dsa 1024 bits   0.0154s   0.0299s
-dsa 2048 bits   0.0502s   0.0996s
diff --git a/times/pent2.t b/times/pent2.t
deleted file mode 100644
index b6dc269..0000000
--- a/times/pent2.t
+++ /dev/null
@@ -1,24 +0,0 @@
-pentium 2, 266mhz, Visual C++ 5.0, Windows 95
-
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               235.90k      652.30k      893.36k      985.74k      985.74k
-mdc2              779.61k      816.81k      825.65k      816.01k      825.65k
-md5              2788.77k    13508.23k    24672.38k    30504.03k    33156.55k
-sha              1938.22k     8397.01k    14122.24k    16980.99k    18196.55k
-sha1             1817.29k     7832.50k    13168.93k    15738.48k    16810.84k
-rc4             15887.52k    21709.65k    22745.68k    22995.09k    22995.09k
-des cbc          4599.02k     5377.31k     5377.31k     5533.38k     5533.38k
-des ede3         1899.59k     2086.71k     2086.67k     2086.51k     2085.90k
-idea cbc         3350.08k     3934.62k     3979.42k     4017.53k     4017.53k
-rc2 cbc          1534.13k     1630.76k     1625.70k     1644.83k     1653.91k
-blowfish cbc     6678.83k     8490.49k     8701.88k     8848.74k     8886.24k
-                  sign    verify
-rsa  512 bits   0.0062s   0.0008s
-rsa 1024 bits   0.0287s   0.0009s
-rsa 2048 bits   0.1785s   0.0059s
-rsa 4096 bits   1.1300s   0.0205s
-                  sign    verify
-dsa  512 bits   0.0055s   0.0100s
-dsa 1024 bits   0.0154s   0.0299s
-dsa 2048 bits   0.0502s   0.0996s
diff --git a/times/readme b/times/readme
deleted file mode 100644
index 7074f58..0000000
--- a/times/readme
+++ /dev/null
@@ -1,11 +0,0 @@
-The 'times' in this directory are not all for the most recent version of
-the library and it should be noted that on some CPUs (specifically sparc
-and Alpha), the locations of files in the application after linking can
-make upto a %10 speed difference when running benchmarks on things like
-cbc mode DES.  To put it mildly this can be very anoying.
-
-About the only way to get around this would be to compile the library as one
-object file, or to 'include' the source files in a specific order.
-
-The best way to get an idea of the 'raw' DES speed is to build the 
-'speed' program in crypto/des.
diff --git a/times/s586-100.lnx b/times/s586-100.lnx
deleted file mode 100644
index cbc3e3c..0000000
--- a/times/s586-100.lnx
+++ /dev/null
@@ -1,25 +0,0 @@
-Shared library build
-
-SSLeay 0.7.3 30-Apr-1997
-built on Tue May 13 03:43:56 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:-DTERMIO -O3 -DL_ENDIAN -fomit-frame-pointer -m486 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                68.95k      191.40k      258.22k      283.31k      291.21k
-md5               627.37k     3064.75k     5370.15k     6765.91k     7255.38k
-sha               323.35k     1431.32k     2417.07k     2916.69k     3102.04k
-sha1              298.08k     1318.34k     2228.82k     2694.83k     2864.47k
-rc4              3404.13k     4026.33k     4107.43k     4136.28k     4117.85k
-des cbc          1414.60k     1782.53k     1824.24k     1847.64k     1840.47k
-des ede3          588.36k      688.19k      700.33k      702.46k      704.51k
-idea cbc          582.96k      636.71k      641.54k      642.39k      642.30k
-rc2 cbc           569.34k      612.37k      617.64k      617.47k      619.86k
-blowfish cbc     2015.77k     2534.49k     2609.65k     2607.10k     2615.98k
-rsa  512 bits   0.027s   0.003
-rsa 1024 bits   0.128s   0.003
-rsa 2048 bits   0.779s   0.027
-rsa 4096 bits   5.450s   0.098
-dsa  512 bits   0.024s   0.045
-dsa 1024 bits   0.068s   0.132
-dsa 2048 bits   0.231s   0.469
diff --git a/times/s586-100.nt b/times/s586-100.nt
deleted file mode 100644
index 8e3baf6..0000000
--- a/times/s586-100.nt
+++ /dev/null
@@ -1,23 +0,0 @@
-SSLeay 0.7.3 30-Apr-1997
-built on Mon May 19 10:47:38 EST 1997
-options:bn(64,32) md2(char) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(ptr2)
-C flags not available
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                90.26k      248.57k      335.06k      366.09k      376.64k
-md5               863.95k     4205.24k     7628.78k     9582.60k    10290.25k
-sha               463.93k     2102.51k     3623.28k     4417.85k     4695.29k
-sha1              458.23k     2005.88k     3385.78k     4094.00k     4340.13k
-rc4              5843.60k     7543.71k     7790.31k     7836.89k     7791.47k
-des cbc          1583.95k     1910.67k     1960.69k     1972.12k     1946.13k
-des ede3          654.79k      722.60k      740.97k      745.82k      738.27k
-idea cbc          792.04k      876.96k      887.35k      892.63k      890.36k
-rc2 cbc           603.50k      652.38k      661.85k      662.69k      661.44k
-blowfish cbc     2379.88k     3043.76k     3153.61k     3153.61k     3134.76k
-rsa  512 bits   0.022s   0.003
-rsa 1024 bits   0.111s   0.003
-rsa 2048 bits   0.716s   0.025
-rsa 4096 bits   5.188s   0.094
-dsa  512 bits   0.020s   0.039
-dsa 1024 bits   0.062s   0.124
-dsa 2048 bits   0.221s   0.441
diff --git a/times/sgi.t b/times/sgi.t
deleted file mode 100644
index 7963610..0000000
--- a/times/sgi.t
+++ /dev/null
@@ -1,29 +0,0 @@
-SGI Challenge R4400 200mhz IRIX 5.3 - gcc (2.6.3)
-SSLeay 0.6.1 02-Jul-1996
-built on Tue Jul  2 16:25:30 EST 1996
-options:bn(64,32) md2(char) rc4(idx,char) des(idx,long) idea(int)
-C flags:gcc -O2 -mips2 -DTERMIOS -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type           8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2             96.53k      266.70k      360.09k      393.70k      405.07k
-md5            971.15k     4382.56k     7406.90k     8979.99k     9559.18k
-sha            596.86k     2832.26k     4997.30k     6277.75k     6712.89k
-sha1           578.34k     2630.16k     4632.05k     5684.34k     6083.37k
-rc4           5641.12k     6821.76k     6996.13k     7052.61k     6913.32k
-des cfb       1354.86k     1422.11k     1434.58k     1433.24k     1432.89k
-des cbc       1467.13k     1618.92k     1630.08k     1637.00k     1629.62k
-des ede3       566.13k      591.91k      596.86k      596.18k      592.54k
-idea cfb      1190.60k     1264.49k     1270.38k     1267.84k     1272.37k
-idea cbc      1271.45k     1410.37k     1422.49k     1426.46k     1421.73k
-rc2 cfb       1285.73k     1371.40k     1380.92k     1383.13k     1379.23k
-rc2 cbc       1386.61k     1542.10k     1562.49k     1572.45k     1567.93k
-rsa  512 bits   0.018s
-rsa 1024 bits   0.106s
-rsa 2048 bits   0.738s
-rsa 4096 bits   5.535s
-
-version:SSLeay 0.5.2c 15-May-1996
-rsa  512 bits   0.035s
-rsa 1024 bits   0.204s
-rsa 2048 bits   1.423s
-rsa 4096 bits  10.800s
diff --git a/times/sparc.t b/times/sparc.t
deleted file mode 100644
index 1611f76..0000000
--- a/times/sparc.t
+++ /dev/null
@@ -1,26 +0,0 @@
-gcc 2.7.2
-Sparc 10 - Solaris 2.3 - 50mhz
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 00:55:51 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
-C flags:gcc -O3 -fomit-frame-pointer -mv8 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                54.88k      154.52k      210.35k      231.08k      237.21k
-md5               550.75k     2460.49k     4116.01k     4988.74k     5159.86k
-sha               340.28k     1461.76k     2430.10k     2879.87k     2999.15k
-sha1              307.27k     1298.41k     2136.26k     2540.07k     2658.28k
-rc4              2652.21k     2805.24k     3301.63k     4003.98k     4071.18k
-des cbc           811.78k      903.93k      914.19k      921.60k      932.29k
-des ede3          328.21k      344.93k      349.64k      351.48k      345.07k
-idea cbc          685.06k      727.42k      734.41k      730.11k      739.21k
-rc2 cbc           718.59k      777.02k      781.96k      784.38k      782.60k
-blowfish cbc     1268.85k     1520.64k     1568.88k     1587.54k     1591.98k
-rsa  512 bits   0.037s   0.005
-rsa 1024 bits   0.213s   0.006
-rsa 2048 bits   1.471s   0.053
-rsa 4096 bits  11.100s   0.202
-dsa  512 bits   0.038s   0.074
-dsa 1024 bits   0.128s   0.248
-dsa 2048 bits   0.473s   0.959
-
diff --git a/times/sparc2 b/times/sparc2
deleted file mode 100644
index 4b0dd80..0000000
--- a/times/sparc2
+++ /dev/null
@@ -1,21 +0,0 @@
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                14.56k       40.25k       54.95k       60.13k       62.18k
-mdc2               53.59k       57.45k       58.11k       58.21k       58.51k
-md5               176.95k      764.75k     1270.36k     1520.14k     1608.36k
-hmac(md5)          55.88k      369.70k      881.15k     1337.05k     1567.40k
-sha1               92.69k      419.75k      723.63k      878.82k      939.35k
-rc4              1247.28k     1414.09k     1434.30k     1434.34k     1441.13k
-des cbc           284.41k      318.58k      323.07k      324.09k      323.87k
-des ede3          109.99k      119.99k      121.60k      121.87k      121.66k
-idea cbc           43.06k       43.68k       43.84k       43.64k       44.07k
-rc2 cbc           278.85k      311.44k      316.50k      316.57k      317.37k
-blowfish cbc      468.89k      569.35k      581.61k      568.34k      559.54k
-cast cbc          285.84k      338.79k      345.71k      346.19k      341.09k
-                  sign    verify
-rsa  512 bits   0.4175s   0.0519s
-rsa 1024 bits   2.9325s   0.1948s
-rsa 2048 bits  22.3600s   0.7669s
-		  sign    verify
-dsa  512 bits   0.5178s   1.0300s
-dsa 1024 bits   1.8780s   3.7167s
-dsa 2048 bits   7.3500s  14.4800s
diff --git a/times/sparcLX.t b/times/sparcLX.t
deleted file mode 100644
index 2fdaed7..0000000
--- a/times/sparcLX.t
+++ /dev/null
@@ -1,22 +0,0 @@
-Sparc Station LX
-SSLeay 0.7.3 30-Apr-1997
-built on Thu May  1 10:44:02 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
-C flags:gcc -O3 -fomit-frame-pointer -mv8 -Wall
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2                17.60k       48.72k       66.47k       72.70k       74.72k
-md5               226.24k     1082.21k     1982.72k     2594.02k     2717.01k
-sha                71.38k      320.71k      551.08k      677.76k      720.90k
-sha1               63.08k      280.79k      473.86k      576.94k      608.94k
-rc4              1138.30k     1257.67k     1304.49k     1377.78k     1364.42k
-des cbc           265.34k      308.85k      314.28k      315.39k      317.20k
-des ede3           83.23k       93.13k       94.04k       94.50k       94.63k
-idea cbc          254.48k      274.26k      275.88k      274.68k      275.80k
-rc2 cbc           328.27k      375.39k      381.43k      381.61k      380.83k
-blowfish cbc      487.00k      498.02k      510.12k      515.41k      516.10k
-rsa  512 bits   0.093s
-rsa 1024 bits   0.537s
-rsa 2048 bits   3.823s
-rsa 4096 bits  28.650s
-
diff --git a/times/usparc.t b/times/usparc.t
deleted file mode 100644
index 2215624..0000000
--- a/times/usparc.t
+++ /dev/null
@@ -1,25 +0,0 @@
-Sparc 2000? - Solaris 2.5.1 - 167mhz Ultra sparc
-
-SSLeay 0.7.3r 20-May-1997
-built on Mon Jun  2 02:25:48 EST 1997
-options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) idea(int) blowfish(ptr)
-C flags:cc cc -xtarget=ultra -xarch=v8plus -Xa -xO5 -Xa -DB_ENDIAN
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               135.23k      389.87k      536.66k      591.87k      603.48k
-md5              1534.38k     6160.41k     9842.69k    11446.95k    11993.09k
-sha              1178.30k     5020.74k     8532.22k    10275.50k    11010.05k
-sha1             1114.22k     4703.94k     7703.81k     9236.14k     9756.67k
-rc4             10818.03k    13327.57k    13711.10k    13810.69k    13836.29k
-des cbc          3052.44k     3320.02k     3356.25k     3369.98k     3295.91k
-des ede3         1310.32k     1359.98k     1367.47k     1362.94k     1362.60k
-idea cbc         1749.52k     1833.13k     1844.74k     1848.32k     1848.66k
-rc2 cbc          1950.25k     2053.23k     2064.21k     2072.58k     2072.58k
-blowfish cbc     4927.16k     5659.75k     5762.73k     5797.55k     5805.40k
-rsa  512 bits   0.021s   0.003
-rsa 1024 bits   0.126s   0.003
-rsa 2048 bits   0.888s   0.032
-rsa 4096 bits   6.770s   0.122
-dsa  512 bits   0.022s   0.043
-dsa 1024 bits   0.076s   0.151
-dsa 2048 bits   0.286s   0.574
diff --git a/times/x86/bfs.cpp b/times/x86/bfs.cpp
deleted file mode 100644
index d74c457..0000000
--- a/times/x86/bfs.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/blowfish.h>
-
-void main(int argc,char *argv[])
-	{
-	BF_KEY key;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			BF_encrypt(&data[0],&key);
-			GetTSC(s1);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			GetTSC(e1);
-			GetTSC(s2);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			BF_encrypt(&data[0],&key);
-			GetTSC(e2);
-			BF_encrypt(&data[0],&key);
-			}
-
-		printf("blowfish %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/casts.cpp b/times/x86/casts.cpp
deleted file mode 100644
index 7661191..0000000
--- a/times/x86/casts.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/cast.h>
-
-void main(int argc,char *argv[])
-	{
-	CAST_KEY key;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			CAST_encrypt(&data[0],&key);
-			GetTSC(s1);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			GetTSC(e1);
-			GetTSC(s2);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			CAST_encrypt(&data[0],&key);
-			GetTSC(e2);
-			CAST_encrypt(&data[0],&key);
-			}
-
-		printf("cast %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/des3s.cpp b/times/x86/des3s.cpp
deleted file mode 100644
index cd2b112..0000000
--- a/times/x86/des3s.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/des.h>
-
-void main(int argc,char *argv[])
-	{
-	des_key_schedule key1,key2,key3;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			des_encrypt3(&data[0],key1,key2,key3);
-			GetTSC(s1);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			GetTSC(e1);
-			GetTSC(s2);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			des_encrypt3(&data[0],key1,key2,key3);
-			GetTSC(e2);
-			des_encrypt3(&data[0],key1,key2,key3);
-			}
-
-		printf("des3 %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/dess.cpp b/times/x86/dess.cpp
deleted file mode 100644
index 753e67a..0000000
--- a/times/x86/dess.cpp
+++ /dev/null
@@ -1,67 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/des.h>
-
-void main(int argc,char *argv[])
-	{
-	des_key_schedule key;
-	unsigned long s1,s2,e1,e2;
-	unsigned long data[2];
-	int i,j;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<1000; i++) /**/
-			{
-			des_encrypt(&data[0],key,1);
-			GetTSC(s1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			GetTSC(e1);
-			GetTSC(s2);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			des_encrypt(&data[0],key,1);
-			GetTSC(e2);
-			des_encrypt(&data[0],key,1);
-			}
-
-		printf("des %d %d (%d)\n",
-			e1-s1,e2-s2,((e2-s2)-(e1-s1)));
-		}
-	}
-
diff --git a/times/x86/md4s.cpp b/times/x86/md4s.cpp
deleted file mode 100644
index c0ec97f..0000000
--- a/times/x86/md4s.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/md4.h>
-
-extern "C" {
-void md4_block_x86(MD4_CTX *ctx, unsigned char *buffer,int num);
-}
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[64*256];
-	MD4_CTX ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=0,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=16;
-	if (num > 250) num=16;
-	numm=num+2;
-	num*=64;
-	numm*=64;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			md4_block_x86(&ctx,buffer,numm);
-			GetTSC(s1);
-			md4_block_x86(&ctx,buffer,numm);
-			GetTSC(e1);
-			GetTSC(s2);
-			md4_block_x86(&ctx,buffer,num);
-			GetTSC(e2);
-			md4_block_x86(&ctx,buffer,num);
-			}
-		printf("md4 (%d bytes) %d %d (%.2f)\n",num,
-			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
-		}
-	}
-
diff --git a/times/x86/md5s.cpp b/times/x86/md5s.cpp
deleted file mode 100644
index dd343fd..0000000
--- a/times/x86/md5s.cpp
+++ /dev/null
@@ -1,78 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/md5.h>
-
-extern "C" {
-void md5_block_x86(MD5_CTX *ctx, unsigned char *buffer,int num);
-}
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[64*256];
-	MD5_CTX ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=0,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=16;
-	if (num > 250) num=16;
-	numm=num+2;
-	num*=64;
-	numm*=64;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			md5_block_x86(&ctx,buffer,numm);
-			GetTSC(s1);
-			md5_block_x86(&ctx,buffer,numm);
-			GetTSC(e1);
-			GetTSC(s2);
-			md5_block_x86(&ctx,buffer,num);
-			GetTSC(e2);
-			md5_block_x86(&ctx,buffer,num);
-			}
-		printf("md5 (%d bytes) %d %d (%.2f)\n",num,
-			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
-		}
-	}
-
diff --git a/times/x86/rc4s.cpp b/times/x86/rc4s.cpp
deleted file mode 100644
index 3814fde..0000000
--- a/times/x86/rc4s.cpp
+++ /dev/null
@@ -1,73 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/rc4.h>
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[1024];
-	RC4_KEY ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=64,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=256;
-	if (num > 1024-16) num=1024-16;
-	numm=num+8;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			RC4(&ctx,numm,buffer,buffer);
-			GetTSC(s1);
-			RC4(&ctx,numm,buffer,buffer);
-			GetTSC(e1);
-			GetTSC(s2);
-			RC4(&ctx,num,buffer,buffer);
-			GetTSC(e2);
-			RC4(&ctx,num,buffer,buffer);
-			}
-
-		printf("RC4 (%d bytes) %d %d (%d) - 8 bytes\n",num,
-			e1-s1,e2-s2,(e1-s1)-(e2-s2));
-		}
-	}
-
diff --git a/times/x86/sha1s.cpp b/times/x86/sha1s.cpp
deleted file mode 100644
index 3103e18..0000000
--- a/times/x86/sha1s.cpp
+++ /dev/null
@@ -1,79 +0,0 @@
-//
-// gettsc.inl
-//
-// gives access to the Pentium's (secret) cycle counter
-//
-// This software was written by Leonard Janke (janke at unixg.ubc.ca)
-// in 1996-7 and is entered, by him, into the public domain.
-
-#if defined(__WATCOMC__)
-void GetTSC(unsigned long&);
-#pragma aux GetTSC = 0x0f 0x31 "mov [edi], eax" parm [edi] modify [edx eax];
-#elif defined(__GNUC__)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  asm volatile(".byte 15, 49\n\t"
-	       : "=eax" (tsc)
-	       :
-	       : "%edx", "%eax");
-}
-#elif defined(_MSC_VER)
-inline
-void GetTSC(unsigned long& tsc)
-{
-  unsigned long a;
-  __asm _emit 0fh
-  __asm _emit 31h
-  __asm mov a, eax;
-  tsc=a;
-}
-#endif      
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/sha.h>
-
-extern "C" {
-void sha1_block_x86(SHA_CTX *ctx, unsigned char *buffer,int num);
-}
-
-void main(int argc,char *argv[])
-	{
-	unsigned char buffer[64*256];
-	SHA_CTX ctx;
-	unsigned long s1,s2,e1,e2;
-	unsigned char k[16];
-	unsigned long data[2];
-	unsigned char iv[8];
-	int i,num=0,numm;
-	int j=0;
-
-	if (argc >= 2)
-		num=atoi(argv[1]);
-
-	if (num == 0) num=16;
-	if (num > 250) num=16;
-	numm=num+2;
-	num*=64;
-	numm*=64;
-
-	for (j=0; j<6; j++)
-		{
-		for (i=0; i<10; i++) /**/
-			{
-			sha1_block_x86(&ctx,buffer,numm);
-			GetTSC(s1);
-			sha1_block_x86(&ctx,buffer,numm);
-			GetTSC(e1);
-			GetTSC(s2);
-			sha1_block_x86(&ctx,buffer,num);
-			GetTSC(e2);
-			sha1_block_x86(&ctx,buffer,num);
-			}
-
-		printf("sha1 (%d bytes) %d %d (%.2f)\n",num,
-			e1-s1,e2-s2,(double)((e1-s1)-(e2-s2))/2);
-		}
-	}
-

From emilia at openssl.org  Mon Aug 31 14:41:30 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 31 Aug 2015 14:41:30 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441032090.166889.701.nullmailer@dev.openssl.org>

The branch master has been updated
       via  4d04226c2ec7e7f69f6234def63631648e35e828 (commit)
      from  9db0c91c39fb548c36d6c3c944f50d4c068eefb7 (commit)


- Log -----------------------------------------------------------------
commit 4d04226c2ec7e7f69f6234def63631648e35e828
Author: Emilia Kasper <emilia at openssl.org>
Date:   Mon Aug 31 13:57:44 2015 +0200

    Fix spurious bntest failures.
    
    BN_bntest_rand generates a single-word zero BIGNUM with quite a large probability.
    
    A zero BIGNUM in turn will end up having a NULL |d|-buffer, which we shouldn't dereference without checking.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/bntest.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/bntest.c b/test/bntest.c
index cf4d2ab..430d2a0 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -526,9 +526,9 @@ int test_div_word(BIO *bp)
         do {
             BN_bntest_rand(a, 512, -1, 0);
             BN_bntest_rand(b, BN_BITS2, -1, 0);
-            s = b->d[0];
-        } while (!s);
+        } while (BN_is_zero(b));
 
+        s = b->d[0];
         BN_copy(b, a);
         r = BN_div_word(b, s);
 

From emilia at openssl.org  Mon Aug 31 14:55:28 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 31 Aug 2015 14:55:28 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1441032928.921805.3016.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  cb5320014d18633dcb444d09948f5bdac8f48c0d (commit)
      from  9a9744646805bcf5d25af990be0533f71bf5edd5 (commit)


- Log -----------------------------------------------------------------
commit cb5320014d18633dcb444d09948f5bdac8f48c0d
Author: Emilia Kasper <emilia at openssl.org>
Date:   Mon Aug 31 13:57:44 2015 +0200

    bntest: don't dereference the |d| array for a zero BIGNUM.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 4d04226c2ec7e7f69f6234def63631648e35e828)
    (cherry picked from commit 9c989aaa749d88b63bef5d5beeb3046eae62d836)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bntest.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 06662c5..9f888f9 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -516,9 +516,9 @@ int test_div_word(BIO *bp)
         do {
             BN_bntest_rand(&a, 512, -1, 0);
             BN_bntest_rand(&b, BN_BITS2, -1, 0);
-            s = b.d[0];
-        } while (!s);
+        } while (BN_is_zero(&b));
 
+        s = b.d[0];
         BN_copy(&b, &a);
         r = BN_div_word(&b, s);
 

From emilia at openssl.org  Mon Aug 31 14:55:29 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 31 Aug 2015 14:55:29 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1441032929.011152.3044.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  9c989aaa749d88b63bef5d5beeb3046eae62d836 (commit)
      from  f21fb858d313909221fdafb26383794bc587f71d (commit)


- Log -----------------------------------------------------------------
commit 9c989aaa749d88b63bef5d5beeb3046eae62d836
Author: Emilia Kasper <emilia at openssl.org>
Date:   Mon Aug 31 13:57:44 2015 +0200

    bntest: don't dereference the |d| array for a zero BIGNUM.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 4d04226c2ec7e7f69f6234def63631648e35e828)

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bntest.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 470d5da..0f8e18f 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -516,9 +516,9 @@ int test_div_word(BIO *bp)
         do {
             BN_bntest_rand(&a, 512, -1, 0);
             BN_bntest_rand(&b, BN_BITS2, -1, 0);
-            s = b.d[0];
-        } while (!s);
+        } while (BN_is_zero(&b));
 
+        s = b.d[0];
         BN_copy(&b, &a);
         r = BN_div_word(&b, s);
 

From levitte at openssl.org  Mon Aug 31 16:15:57 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 16:15:57 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441037757.585875.11702.nullmailer@dev.openssl.org>

The branch master has been updated
       via  6dc08048d93ff35de882878f190ae49aa698b5d2 (commit)
       via  0927f0d822b1e0f55cb7d8bacf9004ad3495514b (commit)
       via  d9b3554b2d9724bc2d1621a026ddaf0223e2d191 (commit)
      from  4d04226c2ec7e7f69f6234def63631648e35e828 (commit)


- Log -----------------------------------------------------------------
commit 6dc08048d93ff35de882878f190ae49aa698b5d2
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:58:53 2015 +0200

    Remove auto-fill-mode
    
    Apparently, emacs sees changes to auto-fill-mode as insecure
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:25:17 2015 +0200

    Add an example .dir-locals.el
    
    This file, when copied to .dir-locals.el in the OpenSSL source top,
    will make sure that the CC mode style "OpenSSL-II" will be used for
    all C files.
    
    Additionally, I makes sure that tabs are never used as indentation
    character, regardless of the emacs mode, and that the fill column is
    78.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:12:37 2015 +0200

    Add emacs CC mode style for OpenSSL
    
    This hopefully conforms closely enough to the current code style.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/dir-locals.example.el | 15 ++++++++++++
 doc/openssl-c-indent.el   | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 doc/dir-locals.example.el
 create mode 100644 doc/openssl-c-indent.el

diff --git a/doc/dir-locals.example.el b/doc/dir-locals.example.el
new file mode 100644
index 0000000..79d0b01
--- /dev/null
+++ b/doc/dir-locals.example.el
@@ -0,0 +1,15 @@
+;;; This is an example of what a .dir-locals.el suitable for OpenSSL
+;;; development could look like.
+;;;
+;;; Apart from setting the CC mode style to "OpenSSL-II", it also
+;;; makes sure that tabs are never used for indentation in any file,
+;;; and that the fill column is 78.
+;;;
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil
+  (indent-tabs-mode . nil)
+  (fill-column . 78)
+  )
+ (c-mode
+  (c-file-style . "OpenSSL-II")))
diff --git a/doc/openssl-c-indent.el b/doc/openssl-c-indent.el
new file mode 100644
index 0000000..144a915
--- /dev/null
+++ b/doc/openssl-c-indent.el
@@ -0,0 +1,62 @@
+;;; This Emacs Lisp file defines a C indentation style for OpenSSL.
+;;;
+;;; This definition is for the "CC mode" package, which is the default
+;;; mode for editing C source files in Emacs 20, not for the older
+;;; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;;;
+;;; Recommended use is to add this line in your .emacs:
+;;;
+;;;   (load (expand-file-name "~/PATH/TO/openssl-c-indent.el"))
+;;;
+;;; To activate this indentation style, visit a C file, type
+;;; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+;;; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;;;
+;;; If you're a OpenSSL developer, you might find it more comfortable
+;;; to have this style be permanent in your OpenSSL development
+;;; directory.  To have that, please perform this:
+;;;
+;;;    M-x add-dir-local-variable <RET> c-mode <RET> c-file-style <RET>
+;;;    "OpenSSL-II" <RET>
+;;;
+;;; A new buffer with .dir-locals.el will appear.  Save it (C-x C-s).
+;;;
+;;; Alternatively, have a look at dir-locals.example.el
+
+;;; For suggesting improvements, please send e-mail to levitte at openssl.org.
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Note, it could be easy to inherit from the "gnu" style...  however,
+;; one never knows if that style will change somewhere in the future,
+;; so I've chosen to copy the "gnu" style values explicitely instead
+;; and mark them with a comment.                // RLevitte 2015-08-31
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(c-add-style "OpenSSL-II"
+             '((c-basic-offset . 4)
+               (indent-tabs-mode . nil)
+               (fill-column . 78)
+               (comment-column . 33)
+               (c-comment-only-line-offset 0 . 0)            ; From "gnu" style
+               (c-hanging-braces-alist                       ; From "gnu" style
+                (substatement-open before after)             ; From "gnu" style
+                (arglist-cont-nonempty))                     ; From "gnu" style
+               (c-offsets-alist
+                (statement-block-intro . +)                  ; From "gnu" style
+                (knr-argdecl-intro . 0)
+                (knr-argdecl . 0)
+                (substatement-open . +)                      ; From "gnu" style
+                (substatement-label . 0)                     ; From "gnu" style
+                (label . 1)
+                (statement-case-open . +)                    ; From "gnu" style
+                (statement-cont . +)                         ; From "gnu" style
+                (arglist-intro . c-lineup-arglist-intro-after-paren) ; From "gnu" style
+                (arglist-close . c-lineup-arglist)           ; From "gnu" style
+                (inline-open . 0)                            ; From "gnu" style
+                (brace-list-open . +)                        ; From "gnu" style
+                (topmost-intro-cont first c-lineup-topmost-intro-cont
+                                    c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style
+                )
+               (c-special-indent-hook . c-gnu-impose-minimum) ; From "gnu" style
+               (c-block-comment-prefix . "* ")
+               ))

From levitte at openssl.org  Mon Aug 31 16:21:18 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 16:21:18 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1441038078.967756.13428.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  732a6b55224c6c7b525b2cde4320312356304227 (commit)
       via  43613c0a0230f73fa4d9eb667c468087750fc68e (commit)
       via  254b259ef0575e235991e12bc261b4b46a6c3c90 (commit)
      from  9c989aaa749d88b63bef5d5beeb3046eae62d836 (commit)


- Log -----------------------------------------------------------------
commit 732a6b55224c6c7b525b2cde4320312356304227
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:58:53 2015 +0200

    Remove auto-fill-mode
    
    Apparently, emacs sees changes to auto-fill-mode as insecure
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)

commit 43613c0a0230f73fa4d9eb667c468087750fc68e
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:25:17 2015 +0200

    Add an example .dir-locals.el
    
    This file, when copied to .dir-locals.el in the OpenSSL source top,
    will make sure that the CC mode style "OpenSSL-II" will be used for
    all C files.
    
    Additionally, I makes sure that tabs are never used as indentation
    character, regardless of the emacs mode, and that the fill column is
    78.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b)

commit 254b259ef0575e235991e12bc261b4b46a6c3c90
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:12:37 2015 +0200

    Add emacs CC mode style for OpenSSL
    
    This hopefully conforms closely enough to the current code style.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191)

-----------------------------------------------------------------------

Summary of changes:
 doc/dir-locals.example.el | 15 ++++++++++++
 doc/openssl-c-indent.el   | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 doc/dir-locals.example.el
 create mode 100644 doc/openssl-c-indent.el

diff --git a/doc/dir-locals.example.el b/doc/dir-locals.example.el
new file mode 100644
index 0000000..79d0b01
--- /dev/null
+++ b/doc/dir-locals.example.el
@@ -0,0 +1,15 @@
+;;; This is an example of what a .dir-locals.el suitable for OpenSSL
+;;; development could look like.
+;;;
+;;; Apart from setting the CC mode style to "OpenSSL-II", it also
+;;; makes sure that tabs are never used for indentation in any file,
+;;; and that the fill column is 78.
+;;;
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil
+  (indent-tabs-mode . nil)
+  (fill-column . 78)
+  )
+ (c-mode
+  (c-file-style . "OpenSSL-II")))
diff --git a/doc/openssl-c-indent.el b/doc/openssl-c-indent.el
new file mode 100644
index 0000000..144a915
--- /dev/null
+++ b/doc/openssl-c-indent.el
@@ -0,0 +1,62 @@
+;;; This Emacs Lisp file defines a C indentation style for OpenSSL.
+;;;
+;;; This definition is for the "CC mode" package, which is the default
+;;; mode for editing C source files in Emacs 20, not for the older
+;;; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;;;
+;;; Recommended use is to add this line in your .emacs:
+;;;
+;;;   (load (expand-file-name "~/PATH/TO/openssl-c-indent.el"))
+;;;
+;;; To activate this indentation style, visit a C file, type
+;;; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+;;; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;;;
+;;; If you're a OpenSSL developer, you might find it more comfortable
+;;; to have this style be permanent in your OpenSSL development
+;;; directory.  To have that, please perform this:
+;;;
+;;;    M-x add-dir-local-variable <RET> c-mode <RET> c-file-style <RET>
+;;;    "OpenSSL-II" <RET>
+;;;
+;;; A new buffer with .dir-locals.el will appear.  Save it (C-x C-s).
+;;;
+;;; Alternatively, have a look at dir-locals.example.el
+
+;;; For suggesting improvements, please send e-mail to levitte at openssl.org.
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Note, it could be easy to inherit from the "gnu" style...  however,
+;; one never knows if that style will change somewhere in the future,
+;; so I've chosen to copy the "gnu" style values explicitely instead
+;; and mark them with a comment.                // RLevitte 2015-08-31
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(c-add-style "OpenSSL-II"
+             '((c-basic-offset . 4)
+               (indent-tabs-mode . nil)
+               (fill-column . 78)
+               (comment-column . 33)
+               (c-comment-only-line-offset 0 . 0)            ; From "gnu" style
+               (c-hanging-braces-alist                       ; From "gnu" style
+                (substatement-open before after)             ; From "gnu" style
+                (arglist-cont-nonempty))                     ; From "gnu" style
+               (c-offsets-alist
+                (statement-block-intro . +)                  ; From "gnu" style
+                (knr-argdecl-intro . 0)
+                (knr-argdecl . 0)
+                (substatement-open . +)                      ; From "gnu" style
+                (substatement-label . 0)                     ; From "gnu" style
+                (label . 1)
+                (statement-case-open . +)                    ; From "gnu" style
+                (statement-cont . +)                         ; From "gnu" style
+                (arglist-intro . c-lineup-arglist-intro-after-paren) ; From "gnu" style
+                (arglist-close . c-lineup-arglist)           ; From "gnu" style
+                (inline-open . 0)                            ; From "gnu" style
+                (brace-list-open . +)                        ; From "gnu" style
+                (topmost-intro-cont first c-lineup-topmost-intro-cont
+                                    c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style
+                )
+               (c-special-indent-hook . c-gnu-impose-minimum) ; From "gnu" style
+               (c-block-comment-prefix . "* ")
+               ))

From levitte at openssl.org  Mon Aug 31 16:21:26 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 16:21:26 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1441038086.694296.13670.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  c88f65f5b5cdc01fc16ca38084aebfc141dcba03 (commit)
       via  fc90ab42db6de59f2d1d9ea35141963c9db98083 (commit)
       via  8d677c10f91af886b229207dbc1119a1e98da619 (commit)
      from  cb5320014d18633dcb444d09948f5bdac8f48c0d (commit)


- Log -----------------------------------------------------------------
commit c88f65f5b5cdc01fc16ca38084aebfc141dcba03
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:58:53 2015 +0200

    Remove auto-fill-mode
    
    Apparently, emacs sees changes to auto-fill-mode as insecure
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)

commit fc90ab42db6de59f2d1d9ea35141963c9db98083
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:25:17 2015 +0200

    Add an example .dir-locals.el
    
    This file, when copied to .dir-locals.el in the OpenSSL source top,
    will make sure that the CC mode style "OpenSSL-II" will be used for
    all C files.
    
    Additionally, I makes sure that tabs are never used as indentation
    character, regardless of the emacs mode, and that the fill column is
    78.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b)

commit 8d677c10f91af886b229207dbc1119a1e98da619
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:12:37 2015 +0200

    Add emacs CC mode style for OpenSSL
    
    This hopefully conforms closely enough to the current code style.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191)

-----------------------------------------------------------------------

Summary of changes:
 doc/dir-locals.example.el | 15 ++++++++++++
 doc/openssl-c-indent.el   | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 doc/dir-locals.example.el
 create mode 100644 doc/openssl-c-indent.el

diff --git a/doc/dir-locals.example.el b/doc/dir-locals.example.el
new file mode 100644
index 0000000..79d0b01
--- /dev/null
+++ b/doc/dir-locals.example.el
@@ -0,0 +1,15 @@
+;;; This is an example of what a .dir-locals.el suitable for OpenSSL
+;;; development could look like.
+;;;
+;;; Apart from setting the CC mode style to "OpenSSL-II", it also
+;;; makes sure that tabs are never used for indentation in any file,
+;;; and that the fill column is 78.
+;;;
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil
+  (indent-tabs-mode . nil)
+  (fill-column . 78)
+  )
+ (c-mode
+  (c-file-style . "OpenSSL-II")))
diff --git a/doc/openssl-c-indent.el b/doc/openssl-c-indent.el
new file mode 100644
index 0000000..144a915
--- /dev/null
+++ b/doc/openssl-c-indent.el
@@ -0,0 +1,62 @@
+;;; This Emacs Lisp file defines a C indentation style for OpenSSL.
+;;;
+;;; This definition is for the "CC mode" package, which is the default
+;;; mode for editing C source files in Emacs 20, not for the older
+;;; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;;;
+;;; Recommended use is to add this line in your .emacs:
+;;;
+;;;   (load (expand-file-name "~/PATH/TO/openssl-c-indent.el"))
+;;;
+;;; To activate this indentation style, visit a C file, type
+;;; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+;;; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;;;
+;;; If you're a OpenSSL developer, you might find it more comfortable
+;;; to have this style be permanent in your OpenSSL development
+;;; directory.  To have that, please perform this:
+;;;
+;;;    M-x add-dir-local-variable <RET> c-mode <RET> c-file-style <RET>
+;;;    "OpenSSL-II" <RET>
+;;;
+;;; A new buffer with .dir-locals.el will appear.  Save it (C-x C-s).
+;;;
+;;; Alternatively, have a look at dir-locals.example.el
+
+;;; For suggesting improvements, please send e-mail to levitte at openssl.org.
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Note, it could be easy to inherit from the "gnu" style...  however,
+;; one never knows if that style will change somewhere in the future,
+;; so I've chosen to copy the "gnu" style values explicitely instead
+;; and mark them with a comment.                // RLevitte 2015-08-31
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(c-add-style "OpenSSL-II"
+             '((c-basic-offset . 4)
+               (indent-tabs-mode . nil)
+               (fill-column . 78)
+               (comment-column . 33)
+               (c-comment-only-line-offset 0 . 0)            ; From "gnu" style
+               (c-hanging-braces-alist                       ; From "gnu" style
+                (substatement-open before after)             ; From "gnu" style
+                (arglist-cont-nonempty))                     ; From "gnu" style
+               (c-offsets-alist
+                (statement-block-intro . +)                  ; From "gnu" style
+                (knr-argdecl-intro . 0)
+                (knr-argdecl . 0)
+                (substatement-open . +)                      ; From "gnu" style
+                (substatement-label . 0)                     ; From "gnu" style
+                (label . 1)
+                (statement-case-open . +)                    ; From "gnu" style
+                (statement-cont . +)                         ; From "gnu" style
+                (arglist-intro . c-lineup-arglist-intro-after-paren) ; From "gnu" style
+                (arglist-close . c-lineup-arglist)           ; From "gnu" style
+                (inline-open . 0)                            ; From "gnu" style
+                (brace-list-open . +)                        ; From "gnu" style
+                (topmost-intro-cont first c-lineup-topmost-intro-cont
+                                    c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style
+                )
+               (c-special-indent-hook . c-gnu-impose-minimum) ; From "gnu" style
+               (c-block-comment-prefix . "* ")
+               ))

From levitte at openssl.org  Mon Aug 31 16:21:34 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 16:21:34 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_0-stable update
Message-ID: <1441038094.658556.13911.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_0-stable has been updated
       via  c223cc0a035fd6cb900a366511cebf88569bb95e (commit)
       via  82f42f525bcdaa2d615fb46f6140865b814e9523 (commit)
       via  ab3f51f4b031c98a916969bafd59d663efa8c57b (commit)
      from  9604f87590f3f1925f895b1934846cb7c7dd5eba (commit)


- Log -----------------------------------------------------------------
commit c223cc0a035fd6cb900a366511cebf88569bb95e
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:58:53 2015 +0200

    Remove auto-fill-mode
    
    Apparently, emacs sees changes to auto-fill-mode as insecure
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)

commit 82f42f525bcdaa2d615fb46f6140865b814e9523
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:25:17 2015 +0200

    Add an example .dir-locals.el
    
    This file, when copied to .dir-locals.el in the OpenSSL source top,
    will make sure that the CC mode style "OpenSSL-II" will be used for
    all C files.
    
    Additionally, I makes sure that tabs are never used as indentation
    character, regardless of the emacs mode, and that the fill column is
    78.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b)

commit ab3f51f4b031c98a916969bafd59d663efa8c57b
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:12:37 2015 +0200

    Add emacs CC mode style for OpenSSL
    
    This hopefully conforms closely enough to the current code style.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191)

-----------------------------------------------------------------------

Summary of changes:
 doc/dir-locals.example.el | 15 ++++++++++++
 doc/openssl-c-indent.el   | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 doc/dir-locals.example.el
 create mode 100644 doc/openssl-c-indent.el

diff --git a/doc/dir-locals.example.el b/doc/dir-locals.example.el
new file mode 100644
index 0000000..79d0b01
--- /dev/null
+++ b/doc/dir-locals.example.el
@@ -0,0 +1,15 @@
+;;; This is an example of what a .dir-locals.el suitable for OpenSSL
+;;; development could look like.
+;;;
+;;; Apart from setting the CC mode style to "OpenSSL-II", it also
+;;; makes sure that tabs are never used for indentation in any file,
+;;; and that the fill column is 78.
+;;;
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil
+  (indent-tabs-mode . nil)
+  (fill-column . 78)
+  )
+ (c-mode
+  (c-file-style . "OpenSSL-II")))
diff --git a/doc/openssl-c-indent.el b/doc/openssl-c-indent.el
new file mode 100644
index 0000000..144a915
--- /dev/null
+++ b/doc/openssl-c-indent.el
@@ -0,0 +1,62 @@
+;;; This Emacs Lisp file defines a C indentation style for OpenSSL.
+;;;
+;;; This definition is for the "CC mode" package, which is the default
+;;; mode for editing C source files in Emacs 20, not for the older
+;;; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;;;
+;;; Recommended use is to add this line in your .emacs:
+;;;
+;;;   (load (expand-file-name "~/PATH/TO/openssl-c-indent.el"))
+;;;
+;;; To activate this indentation style, visit a C file, type
+;;; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+;;; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;;;
+;;; If you're a OpenSSL developer, you might find it more comfortable
+;;; to have this style be permanent in your OpenSSL development
+;;; directory.  To have that, please perform this:
+;;;
+;;;    M-x add-dir-local-variable <RET> c-mode <RET> c-file-style <RET>
+;;;    "OpenSSL-II" <RET>
+;;;
+;;; A new buffer with .dir-locals.el will appear.  Save it (C-x C-s).
+;;;
+;;; Alternatively, have a look at dir-locals.example.el
+
+;;; For suggesting improvements, please send e-mail to levitte at openssl.org.
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Note, it could be easy to inherit from the "gnu" style...  however,
+;; one never knows if that style will change somewhere in the future,
+;; so I've chosen to copy the "gnu" style values explicitely instead
+;; and mark them with a comment.                // RLevitte 2015-08-31
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(c-add-style "OpenSSL-II"
+             '((c-basic-offset . 4)
+               (indent-tabs-mode . nil)
+               (fill-column . 78)
+               (comment-column . 33)
+               (c-comment-only-line-offset 0 . 0)            ; From "gnu" style
+               (c-hanging-braces-alist                       ; From "gnu" style
+                (substatement-open before after)             ; From "gnu" style
+                (arglist-cont-nonempty))                     ; From "gnu" style
+               (c-offsets-alist
+                (statement-block-intro . +)                  ; From "gnu" style
+                (knr-argdecl-intro . 0)
+                (knr-argdecl . 0)
+                (substatement-open . +)                      ; From "gnu" style
+                (substatement-label . 0)                     ; From "gnu" style
+                (label . 1)
+                (statement-case-open . +)                    ; From "gnu" style
+                (statement-cont . +)                         ; From "gnu" style
+                (arglist-intro . c-lineup-arglist-intro-after-paren) ; From "gnu" style
+                (arglist-close . c-lineup-arglist)           ; From "gnu" style
+                (inline-open . 0)                            ; From "gnu" style
+                (brace-list-open . +)                        ; From "gnu" style
+                (topmost-intro-cont first c-lineup-topmost-intro-cont
+                                    c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style
+                )
+               (c-special-indent-hook . c-gnu-impose-minimum) ; From "gnu" style
+               (c-block-comment-prefix . "* ")
+               ))

From levitte at openssl.org  Mon Aug 31 16:21:41 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 16:21:41 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_0_9_8-stable update
Message-ID: <1441038101.441072.14161.nullmailer@dev.openssl.org>

The branch OpenSSL_0_9_8-stable has been updated
       via  0d6ebdf48658f8fb0d170e5aff895f534a749c0c (commit)
       via  92d0e6aa94797092eb316550b2229a3bcb6988d9 (commit)
       via  13338918303b92d905706382c7df3a1a09c699fd (commit)
      from  ab69c5a3795e09fa0d655ec696ba86ae70a362d7 (commit)


- Log -----------------------------------------------------------------
commit 0d6ebdf48658f8fb0d170e5aff895f534a749c0c
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:58:53 2015 +0200

    Remove auto-fill-mode
    
    Apparently, emacs sees changes to auto-fill-mode as insecure
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)

commit 92d0e6aa94797092eb316550b2229a3bcb6988d9
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:25:17 2015 +0200

    Add an example .dir-locals.el
    
    This file, when copied to .dir-locals.el in the OpenSSL source top,
    will make sure that the CC mode style "OpenSSL-II" will be used for
    all C files.
    
    Additionally, I makes sure that tabs are never used as indentation
    character, regardless of the emacs mode, and that the fill column is
    78.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b)

commit 13338918303b92d905706382c7df3a1a09c699fd
Author: Richard Levitte <richard at levitte.org>
Date:   Mon Aug 31 17:12:37 2015 +0200

    Add emacs CC mode style for OpenSSL
    
    This hopefully conforms closely enough to the current code style.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191)

-----------------------------------------------------------------------

Summary of changes:
 doc/dir-locals.example.el | 15 ++++++++++++
 doc/openssl-c-indent.el   | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 doc/dir-locals.example.el
 create mode 100644 doc/openssl-c-indent.el

diff --git a/doc/dir-locals.example.el b/doc/dir-locals.example.el
new file mode 100644
index 0000000..79d0b01
--- /dev/null
+++ b/doc/dir-locals.example.el
@@ -0,0 +1,15 @@
+;;; This is an example of what a .dir-locals.el suitable for OpenSSL
+;;; development could look like.
+;;;
+;;; Apart from setting the CC mode style to "OpenSSL-II", it also
+;;; makes sure that tabs are never used for indentation in any file,
+;;; and that the fill column is 78.
+;;;
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil
+  (indent-tabs-mode . nil)
+  (fill-column . 78)
+  )
+ (c-mode
+  (c-file-style . "OpenSSL-II")))
diff --git a/doc/openssl-c-indent.el b/doc/openssl-c-indent.el
new file mode 100644
index 0000000..144a915
--- /dev/null
+++ b/doc/openssl-c-indent.el
@@ -0,0 +1,62 @@
+;;; This Emacs Lisp file defines a C indentation style for OpenSSL.
+;;;
+;;; This definition is for the "CC mode" package, which is the default
+;;; mode for editing C source files in Emacs 20, not for the older
+;;; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;;;
+;;; Recommended use is to add this line in your .emacs:
+;;;
+;;;   (load (expand-file-name "~/PATH/TO/openssl-c-indent.el"))
+;;;
+;;; To activate this indentation style, visit a C file, type
+;;; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+;;; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;;;
+;;; If you're a OpenSSL developer, you might find it more comfortable
+;;; to have this style be permanent in your OpenSSL development
+;;; directory.  To have that, please perform this:
+;;;
+;;;    M-x add-dir-local-variable <RET> c-mode <RET> c-file-style <RET>
+;;;    "OpenSSL-II" <RET>
+;;;
+;;; A new buffer with .dir-locals.el will appear.  Save it (C-x C-s).
+;;;
+;;; Alternatively, have a look at dir-locals.example.el
+
+;;; For suggesting improvements, please send e-mail to levitte at openssl.org.
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Note, it could be easy to inherit from the "gnu" style...  however,
+;; one never knows if that style will change somewhere in the future,
+;; so I've chosen to copy the "gnu" style values explicitely instead
+;; and mark them with a comment.                // RLevitte 2015-08-31
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(c-add-style "OpenSSL-II"
+             '((c-basic-offset . 4)
+               (indent-tabs-mode . nil)
+               (fill-column . 78)
+               (comment-column . 33)
+               (c-comment-only-line-offset 0 . 0)            ; From "gnu" style
+               (c-hanging-braces-alist                       ; From "gnu" style
+                (substatement-open before after)             ; From "gnu" style
+                (arglist-cont-nonempty))                     ; From "gnu" style
+               (c-offsets-alist
+                (statement-block-intro . +)                  ; From "gnu" style
+                (knr-argdecl-intro . 0)
+                (knr-argdecl . 0)
+                (substatement-open . +)                      ; From "gnu" style
+                (substatement-label . 0)                     ; From "gnu" style
+                (label . 1)
+                (statement-case-open . +)                    ; From "gnu" style
+                (statement-cont . +)                         ; From "gnu" style
+                (arglist-intro . c-lineup-arglist-intro-after-paren) ; From "gnu" style
+                (arglist-close . c-lineup-arglist)           ; From "gnu" style
+                (inline-open . 0)                            ; From "gnu" style
+                (brace-list-open . +)                        ; From "gnu" style
+                (topmost-intro-cont first c-lineup-topmost-intro-cont
+                                    c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style
+                )
+               (c-special-indent-hook . c-gnu-impose-minimum) ; From "gnu" style
+               (c-block-comment-prefix . "* ")
+               ))

From emilia at openssl.org  Mon Aug 31 17:27:43 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 31 Aug 2015 17:27:43 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441042063.795219.23531.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a9009e518ca03f35a1e1a0858faf81865f8eff1e (commit)
      from  6dc08048d93ff35de882878f190ae49aa698b5d2 (commit)


- Log -----------------------------------------------------------------
commit a9009e518ca03f35a1e1a0858faf81865f8eff1e
Author: Emilia Kasper <emilia at openssl.org>
Date:   Mon Aug 31 15:51:27 2015 +0200

    BN_mod_exp_mont_consttime: check for zero modulus.
    
    Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.
    
    Follow-up to b11980d79a52ec08844f08bea0e66c04b691840b
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_exp.c |  7 ++++---
 test/bntest.c      | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 10dc3eb..66feddc 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -662,12 +662,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     bn_check_top(p);
     bn_check_top(m);
 
-    top = m->top;
-
-    if (!(m->d[0] & 1)) {
+    if (!BN_is_odd(m)) {
         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
         return (0);
     }
+
+    top = m->top;
+
     bits = BN_num_bits(p);
     if (bits == 0) {
         ret = BN_one(rr);
diff --git a/test/bntest.c b/test/bntest.c
index 430d2a0..effbd75 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -451,6 +451,14 @@ int test_div(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_zero(b);
+
+    if (BN_div(d, c, a, b, ctx)) {
+        fprintf(stderr, "Division by zero succeeded!\n");
+        return 0;
+    }
+
     for (i = 0; i < num0 + num1; i++) {
         if (i < num1) {
             BN_bntest_rand(a, 400, 0, 0);
@@ -787,6 +795,18 @@ int test_mont(BIO *bp, BN_CTX *ctx)
     if (mont == NULL)
         return 0;
 
+    BN_zero(n);
+    if (BN_MONT_CTX_set(mont, n, ctx)) {
+        fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
+        return 0;
+    }
+
+    BN_set_word(n, 16);
+    if (BN_MONT_CTX_set(mont, n, ctx)) {
+        fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
+        return 0;
+    }
+
     BN_bntest_rand(a, 100, 0, 0);
     BN_bntest_rand(b, 100, 0, 0);
     for (i = 0; i < num2; i++) {
@@ -888,6 +908,14 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_mul(e, a, b, c, ctx)) {
+        fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
+        return 0;
+    }
+
     for (j = 0; j < 3; j++) {
         BN_bntest_rand(c, 1024, 0, 0);
         for (i = 0; i < num0; i++) {
@@ -953,6 +981,14 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_exp(d, a, b, c, ctx)) {
+        fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
+        return 0;
+    }
+
     BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
     for (i = 0; i < num2; i++) {
         BN_bntest_rand(a, 20 + i * 5, 0, 0);
@@ -1000,6 +1036,22 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+        fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
+                "succeeded\n");
+        return 0;
+    }
+
+    BN_set_word(c, 16);
+    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+        fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
+                "succeeded\n");
+        return 0;
+    }
+
     BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
     for (i = 0; i < num2; i++) {
         BN_bntest_rand(a, 20 + i * 5, 0, 0);

From emilia at openssl.org  Mon Aug 31 17:36:38 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 31 Aug 2015 17:36:38 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1441042598.786770.25151.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  d46e946d2603c64df6e1e4f9db0c70baaf1c4c03 (commit)
      from  c88f65f5b5cdc01fc16ca38084aebfc141dcba03 (commit)


- Log -----------------------------------------------------------------
commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
Author: Emilia Kasper <emilia at openssl.org>
Date:   Mon Aug 31 15:51:27 2015 +0200

    BN_mod_exp_mont_consttime: check for zero modulus.
    
    Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.
    
    Follow-up to b11980d79a52ec08844f08bea0e66c04b691840b
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_exp.c |  7 ++++---
 crypto/bn/bntest.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 27146c8..7e33ba9 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -599,12 +599,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     bn_check_top(p);
     bn_check_top(m);
 
-    top = m->top;
-
-    if (!(m->d[0] & 1)) {
+    if (!BN_is_odd(m)) {
         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
         return (0);
     }
+
+    top = m->top;
+
     bits = BN_num_bits(p);
     if (bits == 0) {
         ret = BN_one(rr);
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 9f888f9..6d55049 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -441,6 +441,14 @@ int test_div(BIO *bp, BN_CTX *ctx)
     BN_init(&d);
     BN_init(&e);
 
+    BN_one(&a);
+    BN_zero(&b);
+
+    if (BN_div(&d, &c, &a, &b, ctx)) {
+        fprintf(stderr, "Division by zero succeeded!\n");
+        return 0;
+    }
+
     for (i = 0; i < num0 + num1; i++) {
         if (i < num1) {
             BN_bntest_rand(&a, 400, 0, 0);
@@ -781,6 +789,18 @@ int test_mont(BIO *bp, BN_CTX *ctx)
     if (mont == NULL)
         return 0;
 
+    BN_zero(&n);
+    if (BN_MONT_CTX_set(mont, &n, ctx)) {
+        fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
+        return 0;
+    }
+
+    BN_set_word(&n, 16);
+    if (BN_MONT_CTX_set(mont, &n, ctx)) {
+        fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
+        return 0;
+    }
+
     BN_bntest_rand(&a, 100, 0, 0);
     BN_bntest_rand(&b, 100, 0, 0);
     for (i = 0; i < num2; i++) {
@@ -887,6 +907,14 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_mul(e, a, b, c, ctx)) {
+        fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
+        return 0;
+    }
+
     for (j = 0; j < 3; j++) {
         BN_bntest_rand(c, 1024, 0, 0);
         for (i = 0; i < num0; i++) {
@@ -952,6 +980,14 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_exp(d, a, b, c, ctx)) {
+        fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
+        return 0;
+    }
+
     BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
     for (i = 0; i < num2; i++) {
         BN_bntest_rand(a, 20 + i * 5, 0, 0);
@@ -999,6 +1035,22 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+        fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
+                "succeeded\n");
+        return 0;
+    }
+
+    BN_set_word(c, 16);
+    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+        fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
+                "succeeded\n");
+        return 0;
+    }
+
     BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
     for (i = 0; i < num2; i++) {
         BN_bntest_rand(a, 20 + i * 5, 0, 0);

From emilia at openssl.org  Mon Aug 31 17:36:38 2015
From: emilia at openssl.org (Emilia Kasper)
Date: Mon, 31 Aug 2015 17:36:38 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1441042598.867150.25173.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  cf633fa00244e39eea2f2c0b623f7d5bbefa904e (commit)
      from  732a6b55224c6c7b525b2cde4320312356304227 (commit)


- Log -----------------------------------------------------------------
commit cf633fa00244e39eea2f2c0b623f7d5bbefa904e
Author: Emilia Kasper <emilia at openssl.org>
Date:   Mon Aug 31 15:51:27 2015 +0200

    BN_mod_exp_mont_consttime: check for zero modulus.
    
    Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.
    
    Follow-up to b11980d79a52ec08844f08bea0e66c04b691840b
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/bn/bn_exp.c |  7 ++++---
 crypto/bn/bntest.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 24afdd6..50cf323 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -662,12 +662,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     bn_check_top(p);
     bn_check_top(m);
 
-    top = m->top;
-
-    if (!(m->d[0] & 1)) {
+    if (!BN_is_odd(m)) {
         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
         return (0);
     }
+
+    top = m->top;
+
     bits = BN_num_bits(p);
     if (bits == 0) {
         ret = BN_one(rr);
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 0f8e18f..8b8a152 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -441,6 +441,14 @@ int test_div(BIO *bp, BN_CTX *ctx)
     BN_init(&d);
     BN_init(&e);
 
+    BN_one(&a);
+    BN_zero(&b);
+
+    if (BN_div(&d, &c, &a, &b, ctx)) {
+        fprintf(stderr, "Division by zero succeeded!\n");
+        return 0;
+    }
+
     for (i = 0; i < num0 + num1; i++) {
         if (i < num1) {
             BN_bntest_rand(&a, 400, 0, 0);
@@ -781,6 +789,18 @@ int test_mont(BIO *bp, BN_CTX *ctx)
     if (mont == NULL)
         return 0;
 
+    BN_zero(&n);
+    if (BN_MONT_CTX_set(mont, &n, ctx)) {
+        fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
+        return 0;
+    }
+
+    BN_set_word(&n, 16);
+    if (BN_MONT_CTX_set(mont, &n, ctx)) {
+        fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
+        return 0;
+    }
+
     BN_bntest_rand(&a, 100, 0, 0);
     BN_bntest_rand(&b, 100, 0, 0);
     for (i = 0; i < num2; i++) {
@@ -887,6 +907,14 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_mul(e, a, b, c, ctx)) {
+        fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
+        return 0;
+    }
+
     for (j = 0; j < 3; j++) {
         BN_bntest_rand(c, 1024, 0, 0);
         for (i = 0; i < num0; i++) {
@@ -952,6 +980,14 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_exp(d, a, b, c, ctx)) {
+        fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
+        return 0;
+    }
+
     BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
     for (i = 0; i < num2; i++) {
         BN_bntest_rand(a, 20 + i * 5, 0, 0);
@@ -999,6 +1035,22 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
     d = BN_new();
     e = BN_new();
 
+    BN_one(a);
+    BN_one(b);
+    BN_zero(c);
+    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+        fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
+                "succeeded\n");
+        return 0;
+    }
+
+    BN_set_word(c, 16);
+    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+        fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
+                "succeeded\n");
+        return 0;
+    }
+
     BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
     for (i = 0; i < num2; i++) {
         BN_bntest_rand(a, 20 + i * 5, 0, 0);

From rsalz at openssl.org  Mon Aug 31 17:46:22 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 31 Aug 2015 17:46:22 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441043182.750424.26412.nullmailer@dev.openssl.org>

The branch master has been updated
       via  36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e (commit)
      from  a9009e518ca03f35a1e1a0858faf81865f8eff1e (commit)


- Log -----------------------------------------------------------------
commit 36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e
Author: Ben Kaduk <bkaduk at akamai.com>
Date:   Fri Aug 28 12:41:50 2015 -0400

    GH367 follow-up, for more clarity
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_gen.c                   | 8 ++++----
 doc/crypto/DSA_generate_parameters.pod | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index a4fae17..97110ef 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -136,7 +136,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
         if (seed_len < (size_t)qsize)
             return 0;
         if (seed_len > (size_t)qsize) {
-            /* Don't overflow seed local variable. */
+            /* Only consume as much seed as is expected. */
             seed_len = qsize;
         }
         memcpy(seed, seed_in, seed_len);
@@ -163,13 +163,13 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random = seed_in == NULL;
+            int use_random_seed = (seed_in == NULL);
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (seed_is_random) {
+            if (use_random_seed) {
                 if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
             } else {
@@ -201,7 +201,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
             /* step 4 */
             r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
-                                        seed_is_random, cb);
+                                        use_random_seed, cb);
             if (r > 0)
                 break;
             if (r != 0)
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index 92c89a0..ae13023 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -25,7 +25,7 @@ for use in the DSA and stores the result in B<dsa>.
 
 B<bits> is the length of the prime p to be generated.
 For lengths under 2048 bits, the length of q is 160 bits; for lengths
-at least 2048, it is set to 256 bits.
+greater than or equal to 2048 bits, the length of q is set to 256 bits.
 
 If B<seed> is NULL, the primes will be generated at random.
 If B<seed_len> is less than the length of q, an error is returned.

From rsalz at openssl.org  Mon Aug 31 17:46:42 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 31 Aug 2015 17:46:42 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1441043202.872587.27302.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  df1565ed9cebb6933ee7c6e762abcfefd1cd3846 (commit)
      from  cf633fa00244e39eea2f2c0b623f7d5bbefa904e (commit)


- Log -----------------------------------------------------------------
commit df1565ed9cebb6933ee7c6e762abcfefd1cd3846
Author: Ben Kaduk <bkaduk at akamai.com>
Date:   Fri Aug 28 12:41:50 2015 -0400

    GH367 follow-up, for more clarity
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit 36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_gen.c                   | 8 ++++----
 doc/crypto/DSA_generate_parameters.pod | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 847c874..f65790c 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -167,7 +167,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
         if (seed_len < (size_t)qsize)
             return 0;
         if (seed_len > (size_t)qsize) {
-            /* Don't overflow seed local variable. */
+            /* Only consume as much seed as is expected. */
             seed_len = qsize;
         }
         memcpy(seed, seed_in, seed_len);
@@ -194,13 +194,13 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random = seed_in == NULL;
+            int use_random_seed = (seed_in == NULL);
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (seed_is_random) {
+            if (use_random_seed) {
                 if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
             } else {
@@ -232,7 +232,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
             /* step 4 */
             r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
-                                        seed_is_random, cb);
+                                        use_random_seed, cb);
             if (r > 0)
                 break;
             if (r != 0)
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index 7db1522..116ff09 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -25,7 +25,7 @@ for use in the DSA and stores the result in B<dsa>.
 
 B<bits> is the length of the prime p to be generated.
 For lengths under 2048 bits, the length of q is 160 bits; for lengths
-at least 2048, it is set to 256 bits.
+greater than or equal to 2048 bits, the length of q is set to 256 bits.
 
 If B<seed> is NULL, the primes will be generated at random.
 If B<seed_len> is less than the length of q, an error is returned.

From rsalz at openssl.org  Mon Aug 31 17:47:17 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 31 Aug 2015 17:47:17 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1441043237.980642.27582.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  a6ce498b2a00ea7bdca0730064d7ee62b77d87cb (commit)
      from  d46e946d2603c64df6e1e4f9db0c70baaf1c4c03 (commit)


- Log -----------------------------------------------------------------
commit a6ce498b2a00ea7bdca0730064d7ee62b77d87cb
Author: Ben Kaduk <bkaduk at akamai.com>
Date:   Fri Aug 28 12:41:50 2015 -0400

    GH367 follow-up, for more clarity
    
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Emilia K?sper <emilia at openssl.org>
    (cherry picked from commit 36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_gen.c                   | 8 ++++----
 doc/crypto/DSA_generate_parameters.pod | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 44c47a3..1f12d6b 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -165,7 +165,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
         if (seed_len < (size_t)qsize)
             return 0;
         if (seed_len > (size_t)qsize) {
-            /* Don't overflow seed local variable. */
+            /* Only consume as much seed as is expected. */
             seed_len = qsize;
         }
         memcpy(seed, seed_in, seed_len);
@@ -192,13 +192,13 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
     for (;;) {
         for (;;) {              /* find q */
-            int seed_is_random = seed_in == NULL;
+            int use_random_seed = (seed_in == NULL);
 
             /* step 1 */
             if (!BN_GENCB_call(cb, 0, m++))
                 goto err;
 
-            if (seed_is_random) {
+            if (use_random_seed) {
                 if (RAND_bytes(seed, qsize) <= 0)
                     goto err;
             } else {
@@ -230,7 +230,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 
             /* step 4 */
             r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
-                                        seed_is_random, cb);
+                                        use_random_seed, cb);
             if (r > 0)
                 break;
             if (r != 0)
diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod
index ae30824..b64a276 100644
--- a/doc/crypto/DSA_generate_parameters.pod
+++ b/doc/crypto/DSA_generate_parameters.pod
@@ -19,7 +19,7 @@ for use in the DSA.
 
 B<bits> is the length of the prime p to be generated.
 For lengths under 2048 bits, the length of q is 160 bits; for lengths
-at least 2048, it is set to 256 bits.
+greater than or equal to 2048 bits, the length of q is set to 256 bits.
 
 If B<seed> is NULL, the primes will be generated at random.
 If B<seed_len> is less than the length of q, an error is returned.

From steve at openssl.org  Mon Aug 31 20:00:14 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Mon, 31 Aug 2015 20:00:14 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441051214.815532.30345.nullmailer@dev.openssl.org>

The branch master has been updated
       via  124055a96e8533735b32e6af0fa7913c100ffad2 (commit)
       via  bc3686dfb031445c5af9a256a46a57dc1277a190 (commit)
       via  d8c054f2dafbcc22dd8c38cd48ae45bb96dbd475 (commit)
      from  36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e (commit)


- Log -----------------------------------------------------------------
commit 124055a96e8533735b32e6af0fa7913c100ffad2
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 31 12:58:07 2015 +0100

    make X509_REQ opaque
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit bc3686dfb031445c5af9a256a46a57dc1277a190
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 31 12:16:52 2015 +0100

    make X509_CERT_AUX opaque
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit d8c054f2dafbcc22dd8c38cd48ae45bb96dbd475
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 31 18:27:57 2015 +0100

    Remove asn1-kludge option.
    
    Remove asn1-kludge option from the req utility. It was a decade old
    workaround for CAs and software which required an invalid encoding
    of PKCS#10 certificate requests: omitting the attributes field even
    though it is not OPTIONAL.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                          |  5 +----
 apps/req.c                         | 27 +++------------------------
 apps/x509.c                        | 13 ++-----------
 crypto/asn1/t_req.c                |  1 +
 crypto/asn1/t_x509a.c              |  1 +
 crypto/asn1/x_req.c                |  1 +
 crypto/asn1/x_x509a.c              |  1 +
 crypto/include/internal/x509_int.h | 30 ++++++++++++++++++++++++++++++
 crypto/x509/x509_r2x.c             |  1 +
 crypto/x509/x509_req.c             | 11 +++++++++++
 crypto/x509/x509_trs.c             |  1 +
 crypto/x509/x509rset.c             |  4 ++++
 crypto/x509/x_all.c                |  1 +
 crypto/x509v3/v3_skey.c            |  1 +
 crypto/x509v3/v3_utl.c             |  1 +
 doc/apps/req.pod                   | 22 ----------------------
 include/openssl/x509.h             | 34 +++++-----------------------------
 17 files changed, 65 insertions(+), 90 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 0a8d7b7..b93cff5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1479,7 +1479,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
             goto end;
         }
         X509_REQ_set_subject_name(req, n);
-        req->req_info->enc.modified = 1;
         X509_NAME_free(n);
     }
 
@@ -1993,7 +1992,6 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
     X509_REQ *req = NULL;
     CONF_VALUE *cv = NULL;
     NETSCAPE_SPKI *spki = NULL;
-    X509_REQ_INFO *ri;
     char *type, *buf;
     EVP_PKEY *pktmp = NULL;
     X509_NAME *n = NULL;
@@ -2037,8 +2035,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
     /*
      * Build up the subject name set.
      */
-    ri = req->req_info;
-    n = ri->subject;
+    n = X509_REQ_get_subject_name(req);
 
     for (i = 0;; i++) {
         if (sk_CONF_VALUE_num(sk) <= i)
diff --git a/apps/req.c b/apps/req.c
index a16febd..59cc6b4 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -126,8 +126,8 @@ typedef enum OPTION_choice {
     OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
     OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
     OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
-    OPT_ASN1_KLUDGE, OPT_NO_ASN1_KLUDGE, OPT_MULTIVALUE_RDN,
-    OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS, OPT_REQEXTS, OPT_MD
+    OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
+    OPT_REQEXTS, OPT_MD
 } OPTION_CHOICE;
 
 OPTIONS req_options[] = {
@@ -163,10 +163,7 @@ OPTIONS req_options[] = {
     {"text", OPT_TEXT, '-', "Text form of request"},
     {"x509", OPT_X509, '-',
      "Output a x509 structure instead of a cert request"},
-    {"asn1-kludge", OPT_ASN1_KLUDGE, '-',
-     "Output the request in a format that is wrong"},
     {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
-    {"no-asn1-kludge", OPT_NO_ASN1_KLUDGE, '-'},
     {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
     {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
     {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
@@ -208,7 +205,7 @@ int req_main(int argc, char **argv)
     int pkey_type = -1, private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
     int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
-    int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
+    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
     long newkey = -1;
     unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
     char nmflag_set = 0;
@@ -338,12 +335,6 @@ int req_main(int argc, char **argv)
         case OPT_X509:
             x509 = 1;
             break;
-        case OPT_ASN1_KLUDGE:
-            kludge = 1;
-            break;
-        case OPT_NO_ASN1_KLUDGE:
-            kludge = 0;
-            break;
         case OPT_DAYS:
             days = atoi(opt_arg());
             break;
@@ -610,11 +601,6 @@ int req_main(int argc, char **argv)
     }
 
     if (!newreq) {
-        /*
-         * Since we are using a pre-existing certificate request, the kludge
-         * 'format' info should not be changed.
-         */
-        kludge = -1;
         in = bio_open_default(infile, RB(informat));
         if (in == NULL)
             goto end;
@@ -643,11 +629,6 @@ int req_main(int argc, char **argv)
 
             i = make_REQ(req, pkey, subj, multirdn, !x509, chtype);
             subj = NULL;        /* done processing '-subj' option */
-            if ((kludge > 0)
-                && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) {
-                sk_X509_ATTRIBUTE_free(req->req_info->attributes);
-                req->req_info->attributes = NULL;
-            }
             if (!i) {
                 BIO_printf(bio_err, "problems making Certificate Request\n");
                 goto end;
@@ -745,8 +726,6 @@ int req_main(int argc, char **argv)
             goto end;
         }
 
-        req->req_info->enc.modified = 1;
-
         if (verbose) {
             print_name(bio_err, "new subject=",
                        X509_REQ_get_subject_name(req), nmflag);
diff --git a/apps/x509.c b/apps/x509.c
index 2fd92f4..6b41a75 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -567,15 +567,6 @@ int x509_main(int argc, char **argv)
             goto end;
         }
 
-        if ((req->req_info == NULL) ||
-            (req->req_info->pubkey == NULL) ||
-            (req->req_info->pubkey->public_key == NULL) ||
-            (req->req_info->pubkey->public_key->data == NULL)) {
-            BIO_printf(bio_err,
-                       "The certificate request appears to corrupted\n");
-            BIO_printf(bio_err, "It does not contain a public key\n");
-            goto end;
-        }
         if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
             BIO_printf(bio_err, "error unpacking public key\n");
             goto end;
@@ -611,9 +602,9 @@ int x509_main(int argc, char **argv)
         } else if (!X509_set_serialNumber(x, sno))
             goto end;
 
-        if (!X509_set_issuer_name(x, req->req_info->subject))
+        if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req)))
             goto end;
-        if (!X509_set_subject_name(x, req->req_info->subject))
+        if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req)))
             goto end;
 
         X509_gmtime_adj(X509_get_notBefore(x), 0);
diff --git a/crypto/asn1/t_req.c b/crypto/asn1/t_req.c
index fd83023..7d72e0a 100644
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -62,6 +62,7 @@
 #include <openssl/bn.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 #include <openssl/x509v3.h>
 #ifndef OPENSSL_NO_RSA
 # include <openssl/rsa.h>
diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c
index 12fedb8..06b227e 100644
--- a/crypto/asn1/t_x509a.c
+++ b/crypto/asn1/t_x509a.c
@@ -62,6 +62,7 @@
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 
 /*
  * X509_CERT_AUX and string set routines
diff --git a/crypto/asn1/x_req.c b/crypto/asn1/x_req.c
index 1679a56..102b1f6 100644
--- a/crypto/asn1/x_req.c
+++ b/crypto/asn1/x_req.c
@@ -60,6 +60,7 @@
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 
 /*-
  * X509_REQ_INFO is handled in an unusual way to get round
diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c
index e299b1f..76608b6 100644
--- a/crypto/asn1/x_x509a.c
+++ b/crypto/asn1/x_x509a.c
@@ -62,6 +62,7 @@
 #include <openssl/evp.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 
 /*
  * X509_CERT_AUX routines. These are used to encode additional user
diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h
index 761f702..70abb2c 100644
--- a/crypto/include/internal/x509_int.h
+++ b/crypto/include/internal/x509_int.h
@@ -75,3 +75,33 @@ struct X509_name_st {
     unsigned char *canon_enc;
     int canon_enclen;
 } /* X509_NAME */ ;
+
+/*
+ * This stuff is certificate "auxiliary info" it contains details which are
+ * useful in certificate stores and databases. When used this is tagged onto
+ * the end of the certificate itself
+ */
+
+struct x509_cert_aux_st {
+    STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
+    STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
+    ASN1_UTF8STRING *alias;     /* "friendly name" */
+    ASN1_OCTET_STRING *keyid;   /* key id of private key */
+    STACK_OF(X509_ALGOR) *other; /* other unspecified info */
+};
+
+struct X509_req_info_st {
+    ASN1_ENCODING enc;
+    ASN1_INTEGER *version;
+    X509_NAME *subject;
+    X509_PUBKEY *pubkey;
+    /*  d=2 hl=2 l=  0 cons: cont: 00 */
+    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+};
+
+struct X509_req_st {
+    X509_REQ_INFO *req_info;
+    X509_ALGOR *sig_alg;
+    ASN1_BIT_STRING *signature;
+    int references;
+};
diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c
index d9c3cfd..abf75cd 100644
--- a/crypto/x509/x509_r2x.c
+++ b/crypto/x509/x509_r2x.c
@@ -62,6 +62,7 @@
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index b6c4698..70e27b8 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -63,6 +63,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/pem.h>
@@ -303,3 +304,13 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
         return 1;
     return 0;
 }
+
+long X509_REQ_get_version(X509_REQ *req)
+{
+    return ASN1_INTEGER_get(req->req_info->version);
+}
+
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *req)
+{
+    return req->req_info->subject;
+}
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 1912c96..6e3616e 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/x509v3.h>
+#include "internal/x509_int.h"
 
 static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b);
 static void trtable_free(X509_TRUST *p);
diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c
index cafaf75..cf9bdfb 100644
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@@ -62,11 +62,13 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 
 int X509_REQ_set_version(X509_REQ *x, long version)
 {
     if (x == NULL)
         return (0);
+    x->req_info->enc.modified = 1;
     return (ASN1_INTEGER_set(x->req_info->version, version));
 }
 
@@ -74,6 +76,7 @@ int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name)
 {
     if ((x == NULL) || (x->req_info == NULL))
         return (0);
+    x->req_info->enc.modified = 1;
     return (X509_NAME_set(&x->req_info->subject, name));
 }
 
@@ -81,5 +84,6 @@ int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey)
 {
     if ((x == NULL) || (x->req_info == NULL))
         return (0);
+    x->req_info->enc.modified = 1;
     return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));
 }
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index a7ad148..591a951 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -63,6 +63,7 @@
 #include <openssl/asn1.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include "internal/x509_int.h"
 #include <openssl/ocsp.h>
 #ifndef OPENSSL_NO_RSA
 # include <openssl/rsa.h>
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c
index c0c71c0..a1167cc 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509v3/v3_skey.c
@@ -60,6 +60,7 @@
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/x509v3.h>
+#include "internal/x509_int.h"
 
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
                                       X509V3_CTX *ctx, char *str);
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index cd8aff2..15029f9 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -63,6 +63,7 @@
 #include "internal/cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#include "internal/x509_int.h"
 #include <openssl/bn.h>
 
 static char *strip_spaces(char *name);
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 46bbfe6..ec19192 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -34,8 +34,6 @@ B<openssl> B<req>
 [B<-x509>]
 [B<-days n>]
 [B<-set_serial n>]
-[B<-asn1-kludge>]
-[B<-no-asn1-kludge>]
 [B<-newhdr>]
 [B<-extensions section>]
 [B<-reqexts section>]
@@ -274,26 +272,6 @@ a single option or multiple options separated by commas.
 See discussion of the  B<-certopt> parameter in the L<x509(1)>
 command.
 
-
-=item B<-asn1-kludge>
-
-by default the B<req> command outputs certificate requests containing
-no attributes in the correct PKCS#10 format. However certain CAs will only
-accept requests containing no attributes in an invalid form: this
-option produces this invalid format.
-
-More precisely the B<Attributes> in a PKCS#10 certificate request
-are defined as a B<SET OF Attribute>. They are B<not OPTIONAL> so
-if no attributes are present then they should be encoded as an
-empty B<SET OF>. The invalid form does not include the empty
-B<SET OF> whereas the correct form does.
-
-It should be noted that very few CAs still require the use of this option.
-
-=item B<-no-asn1-kludge>
-
-Reverses effect of B<-asn1-kludge>
-
 =item B<-newhdr>
 
 Adds the word B<NEW> to the PEM file header and footer lines on the outputted
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 0c2d19a..dc96a2b 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -166,21 +166,9 @@ typedef struct x509_attributes_st X509_ATTRIBUTE;
 
 DECLARE_STACK_OF(X509_ATTRIBUTE)
 
-typedef struct X509_req_info_st {
-    ASN1_ENCODING enc;
-    ASN1_INTEGER *version;
-    X509_NAME *subject;
-    X509_PUBKEY *pubkey;
-    /*  d=2 hl=2 l=  0 cons: cont: 00 */
-    STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-} X509_REQ_INFO;
+typedef struct X509_req_info_st X509_REQ_INFO;
 
-typedef struct X509_req_st {
-    X509_REQ_INFO *req_info;
-    X509_ALGOR *sig_alg;
-    ASN1_BIT_STRING *signature;
-    int references;
-} X509_REQ;
+typedef struct X509_req_st X509_REQ;
 
 typedef struct x509_cinf_st {
     ASN1_INTEGER *version;      /* [ 0 ] default of v1 */
@@ -196,19 +184,7 @@ typedef struct x509_cinf_st {
     ASN1_ENCODING enc;
 } X509_CINF;
 
-/*
- * This stuff is certificate "auxiliary info" it contains details which are
- * useful in certificate stores and databases. When used this is tagged onto
- * the end of the certificate itself
- */
-
-typedef struct x509_cert_aux_st {
-    STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
-    STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
-    ASN1_UTF8STRING *alias;     /* "friendly name" */
-    ASN1_OCTET_STRING *keyid;   /* key id of private key */
-    STACK_OF(X509_ALGOR) *other; /* other unspecified info */
-} X509_CERT_AUX;
+typedef struct x509_cert_aux_st X509_CERT_AUX;
 
 struct x509_st {
     X509_CINF *cert_info;
@@ -520,8 +496,6 @@ extern "C" {
 # define         X509_get_notBefore(x) ((x)->cert_info->validity->notBefore)
 # define         X509_get_notAfter(x) ((x)->cert_info->validity->notAfter)
 # define         X509_extract_key(x)     X509_get_pubkey(x)/*****/
-# define         X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version)
-# define         X509_REQ_get_subject_name(x) ((x)->req_info->subject)
 # define         X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
 # define         X509_name_cmp(a,b)      X509_NAME_cmp((a),(b))
 # define         X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm))
@@ -828,7 +802,9 @@ EVP_PKEY *X509_get_pubkey(X509 *x);
 ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
 int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
 
+long X509_REQ_get_version(X509_REQ *req);
 int X509_REQ_set_version(X509_REQ *x, long version);
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *req);
 int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
 int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
 EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);

From rsalz at openssl.org  Mon Aug 31 20:03:38 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 31 Aug 2015 20:03:38 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441051418.519874.31792.nullmailer@dev.openssl.org>

The branch master has been updated
       via  a7e974c7be90e2c9673e2ce6215a70f734eb8ad4 (commit)
      from  124055a96e8533735b32e6af0fa7913c100ffad2 (commit)


- Log -----------------------------------------------------------------
commit a7e974c7be90e2c9673e2ce6215a70f734eb8ad4
Author: mrpre <mrpre at 163.com>
Date:   Fri Aug 28 16:12:51 2015 +0800

    check bn_new return value
    
    Slightly modified from the original PR.
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_bignum.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c
index 66ce000..d2666e1 100644
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@@ -163,8 +163,8 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 {
     BIGNUM *bn;
 
-    if (!*pval)
-        bn_new(pval, it);
+    if (*pval == NULL && !bn_new(pval, it))
+        return 0;
     bn = (BIGNUM *)*pval;
     if (!BN_bin2bn(cont, len, bn)) {
         bn_free(pval, it);

From rsalz at openssl.org  Mon Aug 31 20:04:46 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 31 Aug 2015 20:04:46 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1441051486.089511.32701.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  cae70cfd46d9b266c9e4a32c8a588235663ce091 (commit)
      from  df1565ed9cebb6933ee7c6e762abcfefd1cd3846 (commit)


- Log -----------------------------------------------------------------
commit cae70cfd46d9b266c9e4a32c8a588235663ce091
Author: mrpre <mrpre at 163.com>
Date:   Fri Aug 28 16:12:51 2015 +0800

    check bn_new return value
    
    Slightly modified from the original PR.
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    
    (cherry picked from commit a7e974c7be90e2c9673e2ce6215a70f734eb8ad4)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_bignum.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c
index a5a403c..eaf0466 100644
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@@ -141,8 +141,9 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                   int utype, char *free_cont, const ASN1_ITEM *it)
 {
     BIGNUM *bn;
-    if (!*pval)
-        bn_new(pval, it);
+
+    if (*pval == NULL && !bn_new(pval, it))
+        return 0;
     bn = (BIGNUM *)*pval;
     if (!BN_bin2bn(cont, len, bn)) {
         bn_free(pval, it);

From rsalz at openssl.org  Mon Aug 31 20:06:35 2015
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 31 Aug 2015 20:06:35 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1441051595.747527.614.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  1915a22184f879f8008e2447214f515a20045314 (commit)
      from  a6ce498b2a00ea7bdca0730064d7ee62b77d87cb (commit)


- Log -----------------------------------------------------------------
commit 1915a22184f879f8008e2447214f515a20045314
Author: mrpre <mrpre at 163.com>
Date:   Fri Aug 28 16:12:51 2015 +0800

    check bn_new return value
    
    Slightly modified from the original PR.
    Signed-off-by: Rich Salz <rsalz at akamai.com>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    
    (cherry picked from commit a7e974c7be90e2c9673e2ce6215a70f734eb8ad4)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/x_bignum.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c
index a5a403c..eaf0466 100644
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@@ -141,8 +141,9 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                   int utype, char *free_cont, const ASN1_ITEM *it)
 {
     BIGNUM *bn;
-    if (!*pval)
-        bn_new(pval, it);
+
+    if (*pval == NULL && !bn_new(pval, it))
+        return 0;
     bn = (BIGNUM *)*pval;
     if (!BN_bin2bn(cont, len, bn)) {
         bn_free(pval, it);

From steve at openssl.org  Mon Aug 31 22:19:44 2015
From: steve at openssl.org (Dr. Stephen Henson)
Date: Mon, 31 Aug 2015 22:19:44 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441059584.265741.17307.nullmailer@dev.openssl.org>

The branch master has been updated
       via  25a5d1b8c425d9434ed8b2bec53d20ab8c14f886 (commit)
       via  05f0fb9f6acc34c82a082d7668572828925694e7 (commit)
       via  65cbf983ca4f69b8954f949c2edaaa48824481b3 (commit)
      from  a7e974c7be90e2c9673e2ce6215a70f734eb8ad4 (commit)


- Log -----------------------------------------------------------------
commit 25a5d1b8c425d9434ed8b2bec53d20ab8c14f886
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 31 21:02:06 2015 +0100

    make update
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 05f0fb9f6acc34c82a082d7668572828925694e7
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 31 20:29:57 2015 +0100

    Add X509_up_ref function.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 65cbf983ca4f69b8954f949c2edaaa48824481b3
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Aug 31 20:30:20 2015 +0100

    Add X509_CRL_up_ref function
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/Makefile      |  9 +++++----
 crypto/cms/cms_env.c      |  2 +-
 crypto/cms/cms_lib.c      |  8 ++++----
 crypto/cms/cms_sd.c       |  4 ++--
 crypto/ocsp/ocsp_cl.c     |  2 +-
 crypto/ocsp/ocsp_srv.c    |  2 +-
 crypto/pkcs7/pk7_lib.c    |  6 +++---
 crypto/store/str_lib.c    | 16 +++++++---------
 crypto/ts/ts_rsp_sign.c   |  2 +-
 crypto/ts/ts_rsp_verify.c |  2 +-
 crypto/x509/Makefile      | 11 ++++++-----
 crypto/x509/x509_cmp.c    |  2 +-
 crypto/x509/x509_lu.c     | 10 +++++-----
 crypto/x509/x509_set.c    |  5 +++++
 crypto/x509/x509_vfy.c    | 12 ++++++------
 crypto/x509/x509cset.c    |  5 +++++
 crypto/x509v3/Makefile    |  6 ++++--
 crypto/x509v3/pcy_tree.c  |  2 +-
 include/openssl/x509.h    |  2 ++
 ssl/s3_clnt.c             |  2 +-
 ssl/ssl_cert.c            |  4 ++--
 ssl/ssl_lib.c             |  2 +-
 ssl/ssl_rsa.c             |  2 +-
 ssl/ssl_sess.c            |  2 +-
 util/libeay.num           |  4 ++++
 25 files changed, 71 insertions(+), 53 deletions(-)

diff --git a/crypto/asn1/Makefile b/crypto/asn1/Makefile
index a566dfa..ffee97b 100644
--- a/crypto/asn1/Makefile
+++ b/crypto/asn1/Makefile
@@ -611,7 +611,7 @@ t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 t_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 t_req.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-t_req.o: ../include/internal/cryptlib.h t_req.c
+t_req.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h t_req.c
 t_spki.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 t_spki.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
@@ -654,7 +654,8 @@ t_x509a.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 t_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 t_x509a.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 t_x509a.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_x509a.o: ../include/internal/cryptlib.h t_x509a.c
+t_x509a.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+t_x509a.o: t_x509a.c
 tasn_dec.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
 tasn_dec.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 tasn_dec.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -835,7 +836,7 @@ x_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_req.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
-x_req.o: x_req.c
+x_req.o: ../include/internal/x509_int.h x_req.c
 x_sig.o: ../../e_os.h ../../include/openssl/asn1.h
 x_sig.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_sig.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -906,4 +907,4 @@ x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_x509a.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
-x_x509a.o: x_x509a.c
+x_x509a.o: ../include/internal/x509_int.h x_x509a.c
diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
index 5c86dd9..f677a9b 100644
--- a/crypto/cms/cms_env.c
+++ b/crypto/cms/cms_env.c
@@ -206,7 +206,7 @@ static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
     if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype))
         return 0;
 
-    CRYPTO_add(&recip->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(recip);
     CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY);
     ktri->pkey = pk;
     ktri->recip = recip;
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index 8525ff8..0bfad69 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -457,7 +457,7 @@ int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert)
     int r;
     r = CMS_add0_cert(cms, cert);
     if (r > 0)
-        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(cert);
     return r;
 }
 
@@ -517,7 +517,7 @@ int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl)
     int r;
     r = CMS_add0_crl(cms, crl);
     if (r > 0)
-        CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+        X509_CRL_up_ref(crl);
     return r;
 }
 
@@ -542,7 +542,7 @@ STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)
                 sk_X509_pop_free(certs, X509_free);
                 return NULL;
             }
-            CRYPTO_add(&cch->d.certificate->references, 1, CRYPTO_LOCK_X509);
+            X509_up_ref(cch->d.certificate);
         }
     }
     return certs;
@@ -570,7 +570,7 @@ STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms)
                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
                 return NULL;
             }
-            CRYPTO_add(&rch->d.crl->references, 1, CRYPTO_LOCK_X509_CRL);
+            X509_CRL_up_ref(rch->d.crl);
         }
     }
     return crls;
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index ab574fc..338e515 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -285,7 +285,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
     X509_check_purpose(signer, -1, -1);
 
     CRYPTO_add(&pk->references, 1, CRYPTO_LOCK_EVP_PKEY);
-    CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(signer);
 
     si->pkey = pk;
     si->signer = signer;
@@ -485,7 +485,7 @@ STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms)
 void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer)
 {
     if (signer) {
-        CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(signer);
         EVP_PKEY_free(si->pkey);
         si->pkey = X509_get_pubkey(signer);
     }
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index ef8ff30..8143389 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -138,7 +138,7 @@ int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
 
     if (!sk_X509_push(sig->certs, cert))
         return 0;
-    CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(cert);
     return 1;
 }
 
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 740b11c..948eff9 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -213,7 +213,7 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
 
     if (!sk_X509_push(resp->certs, cert))
         return 0;
-    CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(cert);
     return 1;
 }
 
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 5d321f8..b116f5a 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -308,7 +308,7 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
         PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(x509);
     if (!sk_X509_push(*sk, x509)) {
         X509_free(x509);
         return 0;
@@ -341,7 +341,7 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
         return 0;
     }
 
-    CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+    X509_CRL_up_ref(crl);
     if (!sk_X509_CRL_push(*sk, crl)) {
         X509_CRL_free(crl);
         return 0;
@@ -545,7 +545,7 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 
     EVP_PKEY_free(pkey);
 
-    CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(x509);
     p7i->cert = x509;
 
     return 1;
diff --git a/crypto/store/str_lib.c b/crypto/store/str_lib.c
index fef7111..3201da9 100644
--- a/crypto/store/str_lib.c
+++ b/crypto/store/str_lib.c
@@ -251,8 +251,7 @@ X509 *STORE_get_certificate(STORE *s, OPENSSL_ITEM attributes[],
                  STORE_R_FAILED_GETTING_CERTIFICATE);
         return 0;
     }
-    CRYPTO_add(&object->data.x509.certificate->references, 1,
-               CRYPTO_LOCK_X509);
+    X509_up_ref(object->data.x509.certificate);
 #ifdef REF_PRINT
     REF_PRINT("X509", data);
 #endif
@@ -276,7 +275,7 @@ int STORE_store_certificate(STORE *s, X509 *data, OPENSSL_ITEM attributes[],
         return 0;
     }
 
-    CRYPTO_add(&data->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(data);
 #ifdef REF_PRINT
     REF_PRINT("X509", data);
 #endif
@@ -378,8 +377,7 @@ X509 *STORE_list_certificate_next(STORE *s, void *handle)
                  STORE_R_FAILED_LISTING_CERTIFICATES);
         return 0;
     }
-    CRYPTO_add(&object->data.x509.certificate->references, 1,
-               CRYPTO_LOCK_X509);
+    X509_up_ref(object->data.x509.certificate);
 #ifdef REF_PRINT
     REF_PRINT("X509", data);
 #endif
@@ -821,7 +819,7 @@ X509_CRL *STORE_generate_crl(STORE *s, OPENSSL_ITEM attributes[],
         STOREerr(STORE_F_STORE_GENERATE_CRL, STORE_R_FAILED_GENERATING_CRL);
         return 0;
     }
-    CRYPTO_add(&object->data.crl->references, 1, CRYPTO_LOCK_X509_CRL);
+    X509_CRL_up_ref(object->data.crl);
 #ifdef REF_PRINT
     REF_PRINT("X509_CRL", data);
 #endif
@@ -845,7 +843,7 @@ X509_CRL *STORE_get_crl(STORE *s, OPENSSL_ITEM attributes[],
         STOREerr(STORE_F_STORE_GET_CRL, STORE_R_FAILED_GETTING_KEY);
         return 0;
     }
-    CRYPTO_add(&object->data.crl->references, 1, CRYPTO_LOCK_X509_CRL);
+    X509_CRL_up_ref(object->data.crl);
 #ifdef REF_PRINT
     REF_PRINT("X509_CRL", data);
 #endif
@@ -869,7 +867,7 @@ int STORE_store_crl(STORE *s, X509_CRL *data, OPENSSL_ITEM attributes[],
         return 0;
     }
 
-    CRYPTO_add(&data->references, 1, CRYPTO_LOCK_X509_CRL);
+    X509_CRL_up_ref(data);
 #ifdef REF_PRINT
     REF_PRINT("X509_CRL", data);
 #endif
@@ -950,7 +948,7 @@ X509_CRL *STORE_list_crl_next(STORE *s, void *handle)
         STOREerr(STORE_F_STORE_LIST_CRL_NEXT, STORE_R_FAILED_LISTING_KEYS);
         return 0;
     }
-    CRYPTO_add(&object->data.crl->references, 1, CRYPTO_LOCK_X509_CRL);
+    X509_CRL_up_ref(object->data.crl);
 #ifdef REF_PRINT
     REF_PRINT("X509_CRL", data);
 #endif
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index d90d33f..f0fc503 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -209,7 +209,7 @@ int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer)
     }
     X509_free(ctx->signer_cert);
     ctx->signer_cert = signer;
-    CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509);
+    X509_up_ref(ctx->signer_cert);
     return 1;
 }
 
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 342c524..5784e3d 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -212,7 +212,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
     /* Return the signer certificate if needed. */
     if (signer_out) {
         *signer_out = signer;
-        CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(signer);
     }
 
     ret = 1;
diff --git a/crypto/x509/Makefile b/crypto/x509/Makefile
index 7e0e594..4127646 100644
--- a/crypto/x509/Makefile
+++ b/crypto/x509/Makefile
@@ -222,7 +222,7 @@ x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x509_r2x.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
-x509_r2x.o: x509_r2x.c
+x509_r2x.o: ../include/internal/x509_int.h x509_r2x.c
 x509_req.o: ../../e_os.h ../../include/openssl/asn1.h
 x509_req.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x509_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -238,7 +238,7 @@ x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x509_req.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
-x509_req.o: x509_req.c
+x509_req.o: ../include/internal/x509_int.h x509_req.c
 x509_set.o: ../../e_os.h ../../include/openssl/asn1.h
 x509_set.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -266,7 +266,8 @@ x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_trs.o: ../include/internal/cryptlib.h x509_trs.c
+x509_trs.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+x509_trs.o: x509_trs.c
 x509_txt.o: ../../e_os.h ../../include/openssl/asn1.h
 x509_txt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -364,7 +365,7 @@ x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x509rset.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h
-x509rset.o: x509rset.c
+x509rset.o: ../include/internal/x509_int.h x509rset.c
 x509spki.o: ../../e_os.h ../../include/openssl/asn1.h
 x509spki.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 x509spki.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@@ -407,7 +408,7 @@ x_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x_all.o: ../include/internal/cryptlib.h x_all.c
+x_all.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h x_all.c
 x_attrib.o: ../../e_os.h ../../include/openssl/asn1.h
 x_attrib.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_attrib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 9308249..47791c7 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -487,7 +487,7 @@ STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)
     ret = sk_X509_dup(chain);
     for (i = 0; i < sk_X509_num(ret); i++) {
         X509 *x = sk_X509_value(ret, i);
-        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(x);
     }
     return ret;
 }
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index ae46df8..3dae7fa 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -406,10 +406,10 @@ void X509_OBJECT_up_ref_count(X509_OBJECT *a)
     default:
         break;
     case X509_LU_X509:
-        CRYPTO_add(&a->data.x509->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(a->data.x509);
         break;
     case X509_LU_CRL:
-        CRYPTO_add(&a->data.crl->references, 1, CRYPTO_LOCK_X509_CRL);
+        X509_CRL_up_ref(a->data.crl);
         break;
     }
 }
@@ -521,7 +521,7 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
     for (i = 0; i < cnt; i++, idx++) {
         obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
         x = obj->data.x509;
-        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(x);
         if (!sk_X509_push(sk, x)) {
             CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
             X509_free(x);
@@ -565,7 +565,7 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
     for (i = 0; i < cnt; i++, idx++) {
         obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);
         x = obj->data.crl;
-        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
+        X509_CRL_up_ref(x);
         if (!sk_X509_CRL_push(sk, x)) {
             CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
             X509_CRL_free(x);
@@ -676,7 +676,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
     }
     CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
     if (*issuer)
-        CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(*issuer);
     return ret;
 }
 
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 486e90a..1ccfdb9 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -150,3 +150,8 @@ int X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
         return (0);
     return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
 }
+
+void X509_up_ref(X509 *x)
+{
+    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+}
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a3077b5..7d770c5 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -172,7 +172,7 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
             break;
     }
     if (i < sk_X509_num(certs))
-        CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(xtmp);
     else
         xtmp = NULL;
     sk_X509_pop_free(certs, X509_free);
@@ -212,7 +212,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
         goto end;
     }
-    CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(ctx->cert);
     ctx->last_untrusted = 1;
 
     /* We use a temporary STACK so we can chop and hack at it */
@@ -262,7 +262,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                     X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
                     goto end;
                 }
-                CRYPTO_add(&xtmp->references, 1, CRYPTO_LOCK_X509);
+                X509_up_ref(xtmp);
                 (void)sk_X509_delete_ptr(sktmp, xtmp);
                 ctx->last_untrusted++;
                 x = xtmp;
@@ -566,7 +566,7 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 {
     *issuer = find_issuer(ctx, ctx->other_ctx, x);
     if (*issuer) {
-        CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(*issuer);
         return 1;
     } else
         return 0;
@@ -1025,7 +1025,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
         *pissuer = best_crl_issuer;
         *pscore = best_score;
         *preasons = best_reasons;
-        CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
+        X509_CRL_up_ref(best_crl);
         X509_CRL_free(*pdcrl);
         *pdcrl = NULL;
         get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
@@ -1123,7 +1123,7 @@ static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
         if (check_delta_base(delta, base)) {
             if (check_crl_time(ctx, delta, 0))
                 *pscore |= CRL_SCORE_TIME_DELTA;
-            CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
+            X509_CRL_up_ref(delta);
             *dcrl = delta;
             return;
         }
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index 925ba69..c687324 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -132,6 +132,11 @@ int X509_CRL_sort(X509_CRL *c)
     return 1;
 }
 
+void X509_CRL_up_ref(X509_CRL *crl)
+{
+    CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
+}
+
 int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
 {
     ASN1_TIME *in;
diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile
index fb1085b..57d7e1a 100644
--- a/crypto/x509v3/Makefile
+++ b/crypto/x509v3/Makefile
@@ -545,7 +545,8 @@ v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_skey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_skey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_skey.o: ../include/internal/cryptlib.h v3_skey.c
+v3_skey.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+v3_skey.o: v3_skey.c
 v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h
 v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_sxnet.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
@@ -574,7 +575,8 @@ v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_utl.o: ../include/internal/cryptlib.h v3_utl.c
+v3_utl.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h
+v3_utl.o: v3_utl.c
 v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 v3err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
 v3err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index e7ab7cd..4b0ea15 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -249,7 +249,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
         level++;
         x = sk_X509_value(certs, i);
         cache = policy_cache_set(x);
-        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(x);
         level->cert = x;
 
         if (!cache->anyPolicy)
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index dc96a2b..4e816ea 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -798,6 +798,7 @@ X509_NAME *X509_get_subject_name(X509 *a);
 int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
 int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
+void X509_up_ref(X509 *x);
 EVP_PKEY *X509_get_pubkey(X509 *x);
 ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
 int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ );
@@ -837,6 +838,7 @@ int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
 int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
 int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
 int X509_CRL_sort(X509_CRL *crl);
+void X509_CRL_up_ref(X509_CRL *crl);
 
 int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
 int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e7bbfc9..ba35fb9 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1359,7 +1359,7 @@ int ssl3_get_server_certificate(SSL *s)
     s->session->peer_type = i;
 
     X509_free(s->session->peer);
-    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(x);
     s->session->peer = x;
     s->session->verify_result = s->verify_result;
 
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 5e9b8ff..1183961 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -250,7 +250,7 @@ CERT *ssl_cert_dup(CERT *cert)
         CERT_PKEY *rpk = ret->pkeys + i;
         if (cpk->x509 != NULL) {
             rpk->x509 = cpk->x509;
-            CRYPTO_add(&rpk->x509->references, 1, CRYPTO_LOCK_X509);
+            X509_up_ref(rpk->x509);
         }
 
         if (cpk->privatekey != NULL) {
@@ -463,7 +463,7 @@ int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
 {
     if (!ssl_cert_add0_chain_cert(s, ctx, x))
         return 0;
-    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(x);
     return 1;
 }
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2a2eb78..fd1561e 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -825,7 +825,7 @@ X509 *SSL_get_peer_certificate(const SSL *s)
     if (r == NULL)
         return (r);
 
-    CRYPTO_add(&r->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(r);
 
     return (r);
 }
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index f485126..6772441 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -415,7 +415,7 @@ static int ssl_set_cert(CERT *c, X509 *x)
     EVP_PKEY_free(pkey);
 
     X509_free(c->pkeys[i].x509);
-    CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+    X509_up_ref(x);
     c->pkeys[i].x509 = x;
     c->key = &(c->pkeys[i]);
 
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 26a3c43..69e6d7f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -266,7 +266,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
     dest->references = 1;
 
     if (src->peer != NULL)
-        CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
+        X509_up_ref(src->peer);
 
     if (src->peer_chain != NULL) {
         dest->peer_chain = X509_chain_up_ref(src->peer_chain);
diff --git a/util/libeay.num b/util/libeay.num
index bb78665..1e3671f 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4588,3 +4588,7 @@ BIO_s_secmem                            4946	EXIST::FUNCTION:
 CRYPTO_get_secure_mem_ex_functions      4947	EXIST::FUNCTION:
 CRYPTO_set_secure_mem_functions         4948	EXIST::FUNCTION:
 X509_STORE_CTX_get_num_untrusted        4949	EXIST::FUNCTION:
+X509_up_ref                             4950	EXIST::FUNCTION:
+X509_REQ_get_version                    4951	EXIST::FUNCTION:
+X509_REQ_get_subject_name               4952	EXIST::FUNCTION:
+X509_CRL_up_ref                         4953	EXIST::FUNCTION:

From levitte at openssl.org  Mon Aug 31 23:18:45 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 23:18:45 +0000
Subject: [openssl-commits] [openssl]  master update
Message-ID: <1441063125.522938.26846.nullmailer@dev.openssl.org>

The branch master has been updated
       via  d7c02691a5e6f2716759eacb6f48c39f15ee57c8 (commit)
      from  25a5d1b8c425d9434ed8b2bec53d20ab8c14f886 (commit)


- Log -----------------------------------------------------------------
commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 31 21:45:56 2015 +0200

    Ignore .dir-locals.el
    
    Because we recently encourage people to have a .dir-locals.el, it's a good
    idea to ignore it on a git level.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index ac1c4c6..3292837 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 .#*
 \#*#
 *~
+/.dir-locals.el
 
 # Top level excludes
 /Makefile.bak

From levitte at openssl.org  Mon Aug 31 23:20:07 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 23:20:07 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_2-stable update
Message-ID: <1441063207.389239.28605.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_2-stable has been updated
       via  542591740667b17642ad300c357b5d8045c8ccda (commit)
      from  cae70cfd46d9b266c9e4a32c8a588235663ce091 (commit)


- Log -----------------------------------------------------------------
commit 542591740667b17642ad300c357b5d8045c8ccda
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 31 21:45:56 2015 +0200

    Ignore .dir-locals.el
    
    Because we recently encourage people to have a .dir-locals.el, it's a good
    idea to ignore it on a git level.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index bb3feab..36c3a37 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 .#*
 #*#
 *~
+/.dir-locals.el
 
 # Top level excludes
 /Makefile.bak

From levitte at openssl.org  Mon Aug 31 23:20:16 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 23:20:16 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_1-stable update
Message-ID: <1441063216.879616.28916.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_1-stable has been updated
       via  246a010b781444d8c216851d2ae34a42ade91f38 (commit)
      from  1915a22184f879f8008e2447214f515a20045314 (commit)


- Log -----------------------------------------------------------------
commit 246a010b781444d8c216851d2ae34a42ade91f38
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 31 21:45:56 2015 +0200

    Ignore .dir-locals.el
    
    Because we recently encourage people to have a .dir-locals.el, it's a good
    idea to ignore it on a git level.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 9a0d846..4661b19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 .#*
 #*#
 *~
+/.dir-locals.el
 
 # Top level excludes
 /Makefile.bak

From levitte at openssl.org  Mon Aug 31 23:20:21 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 23:20:21 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_1_0_0-stable update
Message-ID: <1441063221.170935.29168.nullmailer@dev.openssl.org>

The branch OpenSSL_1_0_0-stable has been updated
       via  b4a99d8ad728f5a592bacae565d1c3cf50982731 (commit)
      from  c223cc0a035fd6cb900a366511cebf88569bb95e (commit)


- Log -----------------------------------------------------------------
commit b4a99d8ad728f5a592bacae565d1c3cf50982731
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 31 21:45:56 2015 +0200

    Ignore .dir-locals.el
    
    Because we recently encourage people to have a .dir-locals.el, it's a good
    idea to ignore it on a git level.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index fc1e643..a2c95a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 .#*
 #*#
 *~
+/.dir-locals.el
 
 # Top level excludes
 /Makefile.bak

From levitte at openssl.org  Mon Aug 31 23:20:28 2015
From: levitte at openssl.org (Richard Levitte)
Date: Mon, 31 Aug 2015 23:20:28 +0000
Subject: [openssl-commits] [openssl]  OpenSSL_0_9_8-stable update
Message-ID: <1441063228.052933.29437.nullmailer@dev.openssl.org>

The branch OpenSSL_0_9_8-stable has been updated
       via  1cbe0ff56900126fbf67ff03b1fd2e84c2a61f69 (commit)
      from  0d6ebdf48658f8fb0d170e5aff895f534a749c0c (commit)


- Log -----------------------------------------------------------------
commit 1cbe0ff56900126fbf67ff03b1fd2e84c2a61f69
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 31 21:45:56 2015 +0200

    Ignore .dir-locals.el
    
    Because we recently encourage people to have a .dir-locals.el, it's a good
    idea to ignore it on a git level.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8)

-----------------------------------------------------------------------

Summary of changes:
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index eca3192..a62e586 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 .#*
 #*#
 *~
+/.dir-locals.el
 
 # Top level excludes
 /Makefile.bak