2017-05-17  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* Configure:  -march=i386 -mtune=i586 flags added to CFLAGS.
	Added DJGPP_DEBUG flag to CFLAGS.
	Adjust openssldir for DJGPP.

	* crypto/rand/rand_unix.c [OPENSSL_SYS_MSDOS]:  New DJGPP specific
	function RAND_poll to replace the unix version used previously.
	As the unix one it uses /dev/urandom or/dev/random as entropy source.
	If this fails it tries generate psuedo entropy using rand48 and
	rawclock data as seed.
	This code exists only for debugging purposes!!!  It is selected by
	defining the DJGPP_DEBUG macro in the Configure script.

	* demos/bio/Makefile:  -march=i386 -mtune=i586 flags added to CFLAGS.

	* demos/prime/Makefile:  -march=i386 -mtune=i586 flags added to CFLAGS.

	* demos/sign/Makefile:  -march=i386 -mtune=i586 flags added to CFLAGS.

	* demos/state_machine/Makefile:  -march=i386 -mtune=i586 flags added
	to CFLAGS.

	* demos/state_machine/Makefile:  Adjust for use with DJGPP.

	* tools/Makefile:  Add INSTALL_OPENSSLDIR to variable list to pass to
	recursive makefiles.

	* apps/Makefile:  Add INSTALL_OPENSSLDIR to variable list to pass to
	recursive makefiles.

	* Makefile.org:  Use INSTALL_OPENSSLDIR, INSTALL_MANDIR and
	INSTALL_HTMLDIR for installing into DJGPP installation tree.

	* demos/bio/Makefile:  Adjust for use with DJGPP.

	* demos/prime/Makefile:  Adjust for use with DJGPP.

	* demos/sign/Makefile:  Adjust for use with DJGPP.








diff -aprNU5 openssl-1.0.2k.orig/apps/Makefile openssl-1.0.2k/apps/Makefile
--- openssl-1.0.2k.orig/apps/Makefile	2017-01-26 13:22:02 +0000
+++ openssl-1.0.2k/apps/Makefile	2017-05-17 21:12:48 +0000
@@ -110,17 +110,17 @@ install:
 	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	 done;
 	@set -e; for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i ); \
 	 done
-	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+	@cp openssl.cnf $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf
 
 tags:
 	ctags $(SRC)
 
 tests:
diff -aprNU5 openssl-1.0.2k.orig/Configure openssl-1.0.2k/Configure
--- openssl-1.0.2k.orig/Configure	2017-01-26 13:22:02 +0000
+++ openssl-1.0.2k/Configure	2017-05-17 21:12:48 +0000
@@ -632,11 +632,16 @@ my %table=(
 "netware-libc-bsdsock", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
 "netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 "netware-libc-bsdsock-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -DNETWARE_BSDSOCK -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIO -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
+# This is for gcc 4.3.0 or higher.
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fgnu89-inline -march=i386 -mtune=i586 -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
+# This is other versions.
+#"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -march=i386 -mtune=i586 -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
+# This is for debugging purposes.
+#"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fgnu89-inline -march=i386 -mtune=i586 -save-temps -O0 -g2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
 "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::BN_LLONG::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
@@ -1205,12 +1210,17 @@ my $make = $ENV{'MAKE'} || "make";
 $cross_compile_prefix=$ENV{'CROSS_COMPILE'} if $cross_compile_prefix eq "";
 
 chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /.\/$/;
 
-$openssldir=$prefix . "/ssl" if $openssldir eq "";
-$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+if ($^O eq 'dos') {
+  # For DJGPP.
+  $openssldir=$prefix . "/share/ssl" if $openssldir eq "";
+} else {
+  $openssldir=$prefix . "/ssl" if $openssldir eq "";
+  $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+}
 
 
 print "IsMK1MF=$IsMK1MF\n";
 
 my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
diff -aprNU5 openssl-1.0.2k.orig/crypto/rand/rand_unix.c openssl-1.0.2k/crypto/rand/rand_unix.c
--- openssl-1.0.2k.orig/crypto/rand/rand_unix.c	2017-01-26 13:22:02 +0000
+++ openssl-1.0.2k/crypto/rand/rand_unix.c	2017-05-17 21:12:48 +0000
@@ -220,10 +220,176 @@ int RAND_poll(void)
         RAND_add(&v, sizeof v, 1);
         v = 0;
     }
     return 1;
 }
+# elif defined(DJGPP_DEBUG)
+/*
+# elif defined(OPENSSL_SYS_MSDOS)
+*/
+int RAND_poll(void)
+{
+    unsigned long l;
+    pid_t curr_pid = getpid();
+#  if defined(DEVRANDOM)
+    unsigned char tmpbuf[ENTROPY_NEEDED];
+    int n = 0;
+#  endif
+#  ifdef DEVRANDOM
+    static const char *randomfiles[] = { DEVRANDOM };
+    struct stat randomstats[sizeof(randomfiles) / sizeof(randomfiles[0])];
+    int fd;
+    unsigned int i;
+#  endif
+
+#  ifdef DEVRANDOM
+    memset(randomstats, 0, sizeof(randomstats));
+    /*
+     * Use a random entropy pool device. Linux, FreeBSD and OpenBSD have
+     * this. Use /dev/urandom if you can as /dev/random may block if it runs
+     * out of random entries.
+     */
+
+    for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
+         (n < ENTROPY_NEEDED); i++) {
+        if ((fd = open(randomfiles[i], O_RDONLY
+#   ifdef O_NONBLOCK
+                       | O_NONBLOCK
+#   endif
+#   ifdef O_BINARY
+                       | O_BINARY
+#   endif
+#   ifdef O_NOCTTY              /* If it happens to be a TTY (god forbid), do
+                                 * not make it our controlling tty */
+                       | O_NOCTTY
+#   endif
+             )) >= 0) {
+            int usec = 10 * 1000; /* spend 10ms on each file */
+            int r;
+            unsigned int j;
+            struct stat *st = &randomstats[i];
+
+            /*
+             * Avoid using same input... Used to be O_NOFOLLOW above, but
+             * it's not universally appropriate...
+             */
+            if (fstat(fd, st) != 0) {
+                close(fd);
+                continue;
+            }
+            for (j = 0; j < i; j++) {
+                if (randomstats[j].st_ino == st->st_ino &&
+                    randomstats[j].st_dev == st->st_dev)
+                    break;
+            }
+            if (j < i) {
+                close(fd);
+                continue;
+            }
+
+            do {
+                int try_read = 0;
+
+                /* use select() */
+                fd_set fset;
+                struct timeval t;
+
+                t.tv_sec = 0;
+                t.tv_usec = usec;
+
+                if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE) {
+                    /*
+                     * can't use select, so just try to read once anyway
+                     */
+                    try_read = 1;
+                } else {
+                    FD_ZERO(&fset);
+                    FD_SET(fd, &fset);
+
+                    if (select(fd + 1, &fset, NULL, NULL, &t) >= 0) {
+                        usec = t.tv_usec;
+                        if (FD_ISSET(fd, &fset))
+                            try_read = 1;
+                    } else
+                        usec = 0;
+                }
+
+                if (try_read) {
+                    r = read(fd, (unsigned char *)tmpbuf + n,
+                             ENTROPY_NEEDED - n);
+                    if (r > 0)
+                        n += r;
+                } else
+                    r = -1;
+
+                /*
+                 * Some Unixen will update t in select(), some won't.  For
+                 * those who won't, or if we didn't use select() in the first
+                 * place, give up here, otherwise, we will do this once again
+                 * for the remaining time.
+                 */
+                if (usec == 10 * 1000)
+                    usec = 0;
+            }
+            while ((r > 0 ||
+                    (errno == EINTR || errno == EAGAIN)) && usec != 0
+                   && n < ENTROPY_NEEDED);
+
+            close(fd);
+        }
+    }
+#  endif                        /* defined(DEVRANDOM) */
+
+#  if defined(DEVRANDOM)
+    if (n > 0) {
+        RAND_add(tmpbuf, sizeof tmpbuf, (double)n);
+        OPENSSL_cleanse(tmpbuf, n);
+    }
+#  endif
+
+    if (n > 0) {
+        /* put in some default random data, we need more than just this */
+
+        l = curr_pid;
+        RAND_add(&l, sizeof(l), 0.0);
+        l = getuid();
+        RAND_add(&l, sizeof(l), 0.0);
+        l = time(NULL);
+        RAND_add(&l, sizeof(l), 0.0);
+    } else {
+        unsigned char v;
+
+
+        /*
+         * Seed with the gid, pid, and uid, to ensure *some* variation between
+         * different processes.
+         */
+
+        l = curr_pid;
+        RAND_add(&l, sizeof(l), 1);
+        l = getuid();
+        RAND_add(&l, sizeof(l), 1);
+        l = time(NULL);
+        RAND_add(&l, sizeof(l), 1);
+    
+        for (i = 0; i < (ENTROPY_NEEDED * 4); i++) {
+            srand48(rawclock() ^ i ^ l);
+            l = lrand48();
+
+            /* take 8 bits */
+            v = (unsigned char)(l % 256);
+            RAND_add(&v, sizeof v, 1);
+        }
+    }
+
+
+#  if defined(DEVRANDOM)
+    return 1;
+#  else
+    return 0;
+#  endif
+}
 # elif defined __OpenBSD__
 int RAND_poll(void)
 {
     u_int32_t rnd = 0, i;
     unsigned char buf[ENTROPY_NEEDED];
diff -aprNU5 openssl-1.0.2k.orig/demos/bio/Makefile openssl-1.0.2k/demos/bio/Makefile
--- openssl-1.0.2k.orig/demos/bio/Makefile	2017-01-26 13:22:04 +0000
+++ openssl-1.0.2k/demos/bio/Makefile	2017-05-17 21:12:48 +0000
@@ -1,22 +1,23 @@
-CC=cc
-CFLAGS= -g -I../../include
-LIBS= -L../.. ../../libssl.a ../../libcrypto.a -ldl
-EXAMPLES=saccept sconnect client-arg client-conf
+CC=gcc
+CFLAGS= -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586 -I../../include
+LIBS= -L../.. ../../libssl.a ../../libcrypto.a /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
+EXE=.exe
+EXAMPLES=saccept$(EXE) sconnect$(EXE) client-arg$(EXE) client-conf$(EXE)
 
 all: $(EXAMPLES) 
 
-saccept: saccept.o
-	$(CC) -o saccept saccept.o $(LIBS)
+saccept$(EXE): saccept.o
+	$(CC) -o saccept$(EXE) saccept.o $(LIBS)
 
-sconnect: sconnect.o
-	$(CC) -o sconnect sconnect.o $(LIBS)
+sconnect$(EXE): sconnect.o
+	$(CC) -o sconnect$(EXE) sconnect.o $(LIBS)
 
-client-arg: client-arg.o
-	$(CC) -o client-arg client-arg.o $(LIBS)
+client-arg$(EXE): client-arg.o
+	$(CC) -o client-arg$(EXE) client-arg.o $(LIBS)
 
-client-conf: client-conf.o
-	$(CC) -o client-conf client-conf.o $(LIBS)
+client-conf$(EXE): client-conf.o
+	$(CC) -o client-conf$(EXE) client-conf.o $(LIBS)
 
 clean:	
 	rm -f $(EXAMPLES) *.o
 
diff -aprNU5 openssl-1.0.2k.orig/demos/prime/Makefile openssl-1.0.2k/demos/prime/Makefile
--- openssl-1.0.2k.orig/demos/prime/Makefile	2017-01-26 13:22:04 +0000
+++ openssl-1.0.2k/demos/prime/Makefile	2017-05-17 21:12:48 +0000
@@ -1,14 +1,15 @@
-CC=cc
-CFLAGS= -g -I../../include -Wall
-LIBS=  -L../.. -lcrypto
-EXAMPLES=prime
+CC=gcc
+CFLAGS= -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586 -I../../include -Wall
+LIBS=  -L../.. -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
+EXE=.exe
+EXAMPLES=prime$(EXE)
 
 all: $(EXAMPLES) 
 
-prime: prime.o
-	$(CC) -o prime prime.o $(LIBS)
+prime$(EXE): prime.o
+	$(CC) -o prime$(EXE) prime.o $(LIBS)
 
 clean:	
 	rm -f $(EXAMPLES) *.o
 
 test: all
diff -aprNU5 openssl-1.0.2k.orig/demos/sign/Makefile openssl-1.0.2k/demos/sign/Makefile
--- openssl-1.0.2k.orig/demos/sign/Makefile	2017-01-26 13:22:04 +0000
+++ openssl-1.0.2k/demos/sign/Makefile	2017-05-17 21:12:48 +0000
@@ -1,14 +1,15 @@
-CC=cc
-CFLAGS= -g -I../../include -Wall
-LIBS=  -L../.. -lcrypto
-EXAMPLES=sign
+CC=gcc
+CFLAGS= -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586 -I../../include -Wall
+LIBS=  -L../.. -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
+EXE=.exe
+EXAMPLES=sign$(EXE)
 
 all: $(EXAMPLES) 
 
-sign: sign.o
-	$(CC) -o sign sign.o $(LIBS)
+sign$(EXE): sign.o
+	$(CC) -o sign$(EXE) sign.o $(LIBS)
 
 clean:	
 	rm -f $(EXAMPLES) *.o
 
 test: all
diff -aprNU5 openssl-1.0.2k.orig/demos/state_machine/Makefile openssl-1.0.2k/demos/state_machine/Makefile
--- openssl-1.0.2k.orig/demos/state_machine/Makefile	2017-01-26 13:22:04 +0000
+++ openssl-1.0.2k/demos/state_machine/Makefile	2017-05-17 21:12:48 +0000
@@ -1,9 +1,10 @@
-CFLAGS=-I../../include -Wall -Werror -g
+CFLAGS=-I../../include -Wall -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586
+EXE=.exe
 
-all: state_machine
+all: state_machine$(EXE)
 
-state_machine: state_machine.o
-	$(CC) -o state_machine state_machine.o -L../.. -lssl -lcrypto
+state_machine$(EXE): state_machine.o
+	$(CC) -o state_machine$(EXE) state_machine.o -L../.. -lssl -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
 
 test: state_machine
 	./state_machine 10000 ../../apps/server.pem ../../apps/server.pem
diff -aprNU5 openssl-1.0.2k.orig/Makefile.org openssl-1.0.2k/Makefile.org
--- openssl-1.0.2k.orig/Makefile.org	2017-01-26 13:22:02 +0000
+++ openssl-1.0.2k/Makefile.org	2017-05-17 21:12:48 +0000
@@ -157,10 +157,13 @@ SDIRS=  \
 # should be performed.
 TESTS = alltests
 
 MAKEFILE= Makefile
 
+INSTALL_OPENSSLDIR=$(INSTALLTOP)/share/ssl
+INSTALL_HTMLDIR=$(INSTALLTOP)/share/ssl/html
+INSTALL_MANDIR=$(INSTALLTOP)/share/ssl/man
 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
 MAN3=3
 MANSUFFIX=
 HTMLSUFFIX=html
@@ -214,11 +217,11 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
 		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
-		LIBDIR='$(LIBDIR)'				\
+		INSTALL_OPENSSLDIR='$(INSTALL_OPENSSLDIR)' LIBDIR='$(LIBDIR)'	\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
 		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
@@ -530,21 +533,22 @@ tar-snap: $(TARFILE).list
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) SDIRS='$(SDIRS)' clean
 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
 
-install: all install_docs install_sw
+# install: all install_docs install_sw
+install: install_html_docs install_docs install_sw
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+		$(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc \
+		$(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/certs \
+		$(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/private
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
@@ -612,34 +616,34 @@ install_html_docs:
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
-		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		mkdir -p $(INSTALL_PREFIX)$(INSTALL_HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
 			cat $$i \
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
 			| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
-			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
+			> $(INSTALL_PREFIX)$(INSTALL_HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
-				(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+				(cd $(INSTALL_PREFIX)$(INSTALL_HTMLDIR)/$$subdir; \
 				 while read n; do \
 					PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
 				 done); \
 		done; \
 	done
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
-		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-		$(INSTALL_PREFIX)$(MANDIR)/man7
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man1 \
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man3 \
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man5 \
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man7
 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
@@ -650,15 +654,15 @@ install_docs:
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done; \
 	set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
@@ -667,15 +671,15 @@ install_docs:
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done
 
diff -aprNU5 openssl-1.0.2k.orig/tools/Makefile openssl-1.0.2k/tools/Makefile
--- openssl-1.0.2k.orig/tools/Makefile	2017-01-26 13:22:04 +0000
+++ openssl-1.0.2k/tools/Makefile	2017-05-17 21:12:48 +0000
@@ -26,13 +26,13 @@ install:
 	chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	done;
 	@for i in $(MISC_APPS) ; \
 	do  \
-	(cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	chmod 755 $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	mv -f $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i ); \
 	done;
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 








This is the patch submitted to the OpenSSL maintainers to fix and improve
certain DJGPP specific issues and to support the upcomming Watt-32 version.
The maintainers have committed these changes into the 1.1.0 version but they
will not be committed into any of the maintenance 1.0.N versions.




2017-05-17  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* Configure:  Replaced -DTERMIO by -DTERMIOS in CFLAGS.

	* crypto/bio/bss_dgram.c [WATT32]:  Remove obsolete redefinition of
	function names: sock_write, sock_read and sock_puts.

	* crypto/bio/bss_sock.c [WATT32]:  For Watt-32 2.2.11 sock_write,
	sock_read and sock_puts are redefined to their private names so their
	names must be undefined first before they can be redefined again.

	* crypto/bio/bss_file.c (file_fopen) [OPENSSL_SYS_MSDOS]:  Call
	dosify_filename to replace leading dot if file system does not support
	it.
	(dosify_filename):  Replace leading dot in passed file name if file
	system does not support LFN.  Replace all leading dots in the dirname
	part and the basname part of the file name.

	* e_os.h [__DJGPP__]:  Undefine macro DEVRANDOM_EGD.  Neither MS-DOS
	nor FreeDOS provide 'egd' sockets.
	New macro HAS_LFN_SUPPORT checks if underlying file system supports
	long file names or not.

	* util/mklink.pl:  Do not use symlinks for DJGPP.

	* INSTALL.DJGPP:  Update URL of WATT-32 library.

	* Configure:  -fgnu89-inline flag added to CFLAGS depending on compiler
	version used.

	* demos/bio/Makefile:  -fgnu89-inline flag added to CFLAGS depending on
	compiler version used.

	* demos/prime/Makefile:  -fgnu89-inline flag added to CFLAGS depending
	on compiler version used.

	* demos/sign/Makefile:  -fgnu89-inline flag added to CFLAGS depending
	on compiler version used.

	* demos/state_machine/Makefile:  -fgnu89-inline flag added to CFLAGS
	depending on compiler version used.










diff -aprNU5 openssl-1.0.2k.orig/Configure openssl-1.0.2k/Configure
--- openssl-1.0.2k.orig/Configure	2017-05-17 21:12:48 +0000
+++ openssl-1.0.2k/Configure	2017-05-17 21:48:40 +0000
@@ -632,16 +632,11 @@ my %table=(
 "netware-libc-bsdsock", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
 "netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 "netware-libc-bsdsock-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -DNETWARE_BSDSOCK -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 
 # DJGPP
-# This is for gcc 4.3.0 or higher.
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fgnu89-inline -march=i386 -mtune=i586 -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
-# This is other versions.
-#"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -march=i386 -mtune=i586 -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
-# This is for debugging purposes.
-#"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fgnu89-inline -march=i386 -mtune=i586 -save-temps -O0 -g2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
 "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::BN_LLONG::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
@@ -1542,10 +1537,33 @@ if ($sys_id ne "")
 if ($ranlib eq "")
 	{
 	$ranlib = $default_ranlib;
 	}
 
+# DJGPP specific CFLAG adjustments
+if ($target =~ /^DJGPP/)
+	{
+	my $gccver=0;
+	if (open(FD,"$cc --version |"))
+		{
+		while(<FD>) { $gccver=$1 if (/ (([1-3])\.|4\.([0-1])([.0-9]*))/); }
+		close(FD);
+		}
+	if ($gccver==0)
+		{
+		# For gcc 4.3.0 and above ensure that always old GNU extern inline semantics
+		# are used (aka -fgnu89-inline) even if ISO C99 semantics has been specified.
+		$cflags=~s/-fomit-frame-pointer/-fgnu89-inline -march=i386 -mtune=i586 -fomit-frame-pointer/;
+		}
+	else
+		{
+		$cflags=~s/-fomit-frame-pointer/-march=i386 -mtune=i586 -fomit-frame-pointer/;
+		}
+	# This is for debugging purposes.
+	# $cflags=~s/-fomit-frame-pointer -O2/-save-temps -O0 -g2 -DDJGPP_DEBUG/;
+	}
+
 #my ($bn1)=split(/\s+/,$bn_obj);
 #$bn1 = "" unless defined $bn1;
 #$bn1=$bn_asm unless ($bn1 =~ /\.o$/);
 #$bn_obj="$bn1";
 
diff -aprNU5 openssl-1.0.2k.orig/crypto/bio/bss_dgram.c openssl-1.0.2k/crypto/bio/bss_dgram.c
--- openssl-1.0.2k.orig/crypto/bio/bss_dgram.c	2017-01-26 13:21:58 +0000
+++ openssl-1.0.2k/crypto/bio/bss_dgram.c	2017-05-17 21:48:40 +0000
@@ -92,16 +92,10 @@
         (((a)->s6_addr32[0] == 0) &&          \
          ((a)->s6_addr32[1] == 0) &&          \
          ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 # endif
 
-# ifdef WATT32
-#  define sock_write SockWrite  /* Watt-32 uses same names */
-#  define sock_read  SockRead
-#  define sock_puts  SockPuts
-# endif
-
 static int dgram_write(BIO *h, const char *buf, int num);
 static int dgram_read(BIO *h, char *buf, int size);
 static int dgram_puts(BIO *h, const char *str);
 static long dgram_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int dgram_new(BIO *h);
diff -aprNU5 openssl-1.0.2k.orig/crypto/bio/bss_file.c openssl-1.0.2k/crypto/bio/bss_file.c
--- openssl-1.0.2k.orig/crypto/bio/bss_file.c	2017-01-26 13:21:58 +0000
+++ openssl-1.0.2k/crypto/bio/bss_file.c	2017-05-17 21:48:42 +0000
@@ -93,10 +93,14 @@
 #  include <nwfileio.h>
 # endif
 
 # if !defined(OPENSSL_NO_STDIO)
 
+#ifdef OPENSSL_SYS_MSDOS
+# include <libc/unconst.h>
+static void dosify_filename(const char *filename);
+#endif
 static int MS_CALLBACK file_write(BIO *h, const char *buf, int num);
 static int MS_CALLBACK file_read(BIO *h, char *buf, int size);
 static int MS_CALLBACK file_puts(BIO *h, const char *str);
 static int MS_CALLBACK file_gets(BIO *h, char *str, int size);
 static long MS_CALLBACK file_ctrl(BIO *h, int cmd, long arg1, void *arg2);
@@ -159,10 +163,13 @@ static FILE *file_fopen(const char *file
         }
     } else if (GetLastError() == ERROR_NO_UNICODE_TRANSLATION) {
         file = fopen(filename, mode);
     }
 #  else
+#   ifdef OPENSSL_SYS_MSDOS
+    dosify_filename(filename);
+#   endif
     file = fopen(filename, mode);
 #  endif
     return (file);
 }
 
@@ -469,8 +476,25 @@ static int MS_CALLBACK file_puts(BIO *bp
     n = strlen(str);
     ret = file_write(bp, str, n);
     return (ret);
 }
 
+#  ifdef OPENSSL_SYS_MSDOS
+static void dosify_filename(const char *filename)
+{
+    if (filename && *filename && !HAS_LFN_SUPPORT(filename)) {
+        char *nextchar = unconst(filename, char *);
+
+        do {
+            if (nextchar[0] == '/' && nextchar[2] != '.' && nextchar[2] != '/') {
+
+                /* Leading dot not allowed on plain DOS.  */
+                if (nextchar[1] == '.')
+                    *++nextchar = '_';
+            }
+        } while (*++nextchar);
+    }
+}
+#  endif
 # endif                         /* OPENSSL_NO_STDIO */
 
 #endif                          /* HEADER_BSS_FILE_C */
diff -aprNU5 openssl-1.0.2k.orig/crypto/bio/bss_sock.c openssl-1.0.2k/crypto/bio/bss_sock.c
--- openssl-1.0.2k.orig/crypto/bio/bss_sock.c	2017-01-26 13:21:58 +0000
+++ openssl-1.0.2k/crypto/bio/bss_sock.c	2017-05-17 21:48:42 +0000
@@ -64,11 +64,15 @@
 #ifndef OPENSSL_NO_SOCK
 
 # include <openssl/bio.h>
 
 # ifdef WATT32
-#  define sock_write SockWrite  /* Watt-32 uses same names */
+/* Watt-32 uses same names */
+#  undef sock_write
+#  undef sock_read
+#  undef sock_puts
+#  define sock_write SockWrite
 #  define sock_read  SockRead
 #  define sock_puts  SockPuts
 # endif
 
 static int sock_write(BIO *h, const char *buf, int num);
diff -aprNU5 openssl-1.0.2k.orig/demos/bio/Makefile openssl-1.0.2k/demos/bio/Makefile
--- openssl-1.0.2k.orig/demos/bio/Makefile	2017-05-17 21:12:48 +0000
+++ openssl-1.0.2k/demos/bio/Makefile	2017-05-17 21:48:42 +0000
@@ -1,10 +1,16 @@
 CC=gcc
-CFLAGS= -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586 -I../../include
+CFLAGS= -g2 -O0 -march=i386 -mtune=i586 -I../../include
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
 LIBS= -L../.. ../../libssl.a ../../libcrypto.a /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
 EXE=.exe
-EXAMPLES=saccept$(EXE) sconnect$(EXE) client-arg$(EXE) client-conf$(EXE)
+EXAMPLES=saccept$(EXE) sconnect$(EXE)
 
 all: $(EXAMPLES) 
 
 saccept$(EXE): saccept.o
 	$(CC) -o saccept$(EXE) saccept.o $(LIBS)
diff -aprNU5 openssl-1.0.2k.orig/demos/prime/Makefile openssl-1.0.2k/demos/prime/Makefile
--- openssl-1.0.2k.orig/demos/prime/Makefile	2017-05-17 21:12:48 +0000
+++ openssl-1.0.2k/demos/prime/Makefile	2017-05-17 21:48:42 +0000
@@ -1,7 +1,13 @@
 CC=gcc
-CFLAGS= -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586 -I../../include -Wall
+CFLAGS= -g2 -O0 -march=i386 -mtune=i586 -I../../include -Wall
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
 LIBS=  -L../.. -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
 EXE=.exe
 EXAMPLES=prime$(EXE)
 
 all: $(EXAMPLES) 
diff -aprNU5 openssl-1.0.2k.orig/demos/sign/Makefile openssl-1.0.2k/demos/sign/Makefile
--- openssl-1.0.2k.orig/demos/sign/Makefile	2017-05-17 21:12:48 +0000
+++ openssl-1.0.2k/demos/sign/Makefile	2017-05-17 21:48:42 +0000
@@ -1,7 +1,13 @@
 CC=gcc
-CFLAGS= -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586 -I../../include -Wall
+CFLAGS= -g2 -O0 -march=i386 -mtune=i586 -I../../include -Wall
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
 LIBS=  -L../.. -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
 EXE=.exe
 EXAMPLES=sign$(EXE)
 
 all: $(EXAMPLES) 
diff -aprNU5 openssl-1.0.2k.orig/demos/state_machine/Makefile openssl-1.0.2k/demos/state_machine/Makefile
--- openssl-1.0.2k.orig/demos/state_machine/Makefile	2017-05-17 21:12:48 +0000
+++ openssl-1.0.2k/demos/state_machine/Makefile	2017-05-17 21:48:42 +0000
@@ -1,10 +1,16 @@
-CFLAGS=-I../../include -Wall -g2 -O0 -fgnu89-inline -march=i386 -mtune=i586
+CFLAGS=-I../../include -Wall -g2 -O0 -march=i386 -mtune=i586
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
 EXE=.exe
 
 all: state_machine$(EXE)
 
 state_machine$(EXE): state_machine.o
 	$(CC) -o state_machine$(EXE) state_machine.o -L../.. -lssl -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
 
-test: state_machine
-	./state_machine 10000 ../../apps/server.pem ../../apps/server.pem
+test: state_machine$(EXE)
+	./state_machine$(EXE) 10000 ../../apps/server.pem ../../apps/server.pem
diff -aprNU5 openssl-1.0.2k.orig/e_os.h openssl-1.0.2k/e_os.h
--- openssl-1.0.2k.orig/e_os.h	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/e_os.h	2017-05-17 21:48:42 +0000
@@ -240,10 +240,12 @@ extern "C" {
 #   include <tcp.h>
 #   include <netdb.h>
 #   define _setmode setmode
 #   define _O_TEXT O_TEXT
 #   define _O_BINARY O_BINARY
+#   define HAS_LFN_SUPPORT(name)  (pathconf((name), _PC_NAME_MAX) > 12)
+#   undef DEVRANDOM_EGD  /*  Neither MS-DOS nor FreeDOS provide 'egd' sockets.  */
 #   undef DEVRANDOM
 #   define DEVRANDOM "/dev/urandom\x24"
 #  endif                        /* __DJGPP__ */
 
 #  ifndef S_IFDIR
diff -aprNU5 openssl-1.0.2k.orig/util/mklink.pl openssl-1.0.2k/util/mklink.pl
--- openssl-1.0.2k.orig/util/mklink.pl	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/util/mklink.pl	2017-05-17 21:48:42 +0000
@@ -49,11 +49,11 @@ foreach $dirname (@from_path) {
 
 my $to = join('/', @to_path);
 
 my $file;
 $symlink_exists=eval {symlink("",""); 1};
-if ($^O eq "msys") { $symlink_exists=0 };
+if ($^O eq "msys" || $^O eq 'dos') { $symlink_exists=0 };
 foreach $file (@files) {
     my $err = "";
     if ($symlink_exists) {
         if (!-l "$from/$file") {
 	    unlink "$from/$file";








2017-05-17  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	Applied some patches taken from openssl_1.0.2k-1~bpo8+1.debian.tar.xz
	available at:
	  http://ftp.de.debian.org/debian/pool/main/o/openssl/.
	The applied patches are:
	  block_digicert_malaysia.patch
	  block_diginotar.patch
	  c_rehash-compat.patch
	  disable_freelist.patch
	  disable_sslv3_test.patch
	  libdoc-manpgs-pod-spell.patch
	  stddef.patch






diff -aprNU5 openssl-1.0.2k.orig/crypto/sha/sha.h openssl-1.0.2k/crypto/sha/sha.h
--- openssl-1.0.2k.orig/crypto/sha/sha.h	2017-01-26 13:21:58 +0000
+++ openssl-1.0.2k/crypto/sha/sha.h	2017-05-17 22:11:20 +0000
@@ -57,12 +57,12 @@
  */
 
 #ifndef HEADER_SHA_H
 # define HEADER_SHA_H
 
-# include <openssl/e_os2.h>
 # include <stddef.h>
+# include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
diff -aprNU5 openssl-1.0.2k.orig/crypto/x509/x509_vfy.c openssl-1.0.2k/crypto/x509/x509_vfy.c
--- openssl-1.0.2k.orig/crypto/x509/x509_vfy.c	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/crypto/x509/x509_vfy.c	2017-05-17 22:09:24 +0000
@@ -117,10 +117,11 @@ static int check_name_constraints(X509_S
 static int check_id(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
 
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
                          unsigned int *preasons, X509_CRL *crl, X509 *x);
 static int get_crl_delta(X509_STORE_CTX *ctx,
                          X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
@@ -499,10 +500,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx
     else
         ok = internal_verify(ctx);
     if (!ok)
         goto err;
 
+	ok = check_ca_blacklist(ctx);
+	if(!ok) goto err;
+
 #ifndef OPENSSL_NO_RFC3779
     /* RFC 3779 path validation, now that CRL check has been done */
     ok = v3_asid_validate_path(ctx);
     if (!ok)
         goto err;
@@ -1108,10 +1112,34 @@ static int check_crl_time(X509_STORE_CTX
         ctx->current_crl = NULL;
 
     return 1;
 }
 
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+	{
+	X509 *x;
+	int i;
+	/* Check all certificates against the blacklist */
+	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+		{
+		x = sk_X509_value(ctx->chain, i);
+		/* Mark certificates containing the following names as
+		 * revoked, no matter where in the chain they are.
+		 */
+		if (x->name && (strstr(x->name, "DigiNotar") ||
+			strstr(x->name, "Digicert Sdn. Bhd.")))
+			{
+			ctx->error = X509_V_ERR_CERT_REVOKED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			if (!ctx->verify_cb(0,ctx))
+				return 0;
+			}
+		}
+	return 1;
+	}
+
 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
                       X509 **pissuer, int *pscore, unsigned int *preasons,
                       STACK_OF(X509_CRL) *crls)
 {
     int i, crl_score, best_score = *pscore;
diff -aprNU5 openssl-1.0.2k.orig/doc/crypto/EVP_PKEY_cmp.pod openssl-1.0.2k/doc/crypto/EVP_PKEY_cmp.pod
--- openssl-1.0.2k.orig/doc/crypto/EVP_PKEY_cmp.pod	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/doc/crypto/EVP_PKEY_cmp.pod	2017-05-17 22:09:24 +0000
@@ -26,11 +26,11 @@ B<from> or present in both B<from> and B
 in B<from> and B<to> are both present and match this function has no effect.
 
 The function EVP_PKEY_cmp_parameters() compares the parameters of keys
 B<a> and B<b>.
 
-The function EVP_PKEY_cmp() compares the public key components and paramters
+The function EVP_PKEY_cmp() compares the public key components and parameters
 (if present) of keys B<a> and B<b>.
 
 =head1 NOTES
 
 The main purpose of the functions EVP_PKEY_missing_parameters() and
diff -aprNU5 openssl-1.0.2k.orig/ssl/s3_both.c openssl-1.0.2k/ssl/s3_both.c
--- openssl-1.0.2k.orig/ssl/s3_both.c	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/ssl/s3_both.c	2017-05-17 22:09:24 +0000
@@ -582,10 +582,11 @@ int ssl_verify_alarm_type(long type)
         break;
     }
     return (al);
 }
 
+#define OPENSSL_NO_BUF_FREELISTS
 #ifndef OPENSSL_NO_BUF_FREELISTS
 /*-
  * On some platforms, malloc() performance is bad enough that you can't just
  * free() and malloc() buffers all the time, so we need to use freelists from
  * unused buffers.  Currently, each freelist holds memory chunks of only a
diff -aprNU5 openssl-1.0.2k.orig/ssl/ssl_lib.c openssl-1.0.2k/ssl/ssl_lib.c
--- openssl-1.0.2k.orig/ssl/ssl_lib.c	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/ssl/ssl_lib.c	2017-05-17 22:09:24 +0000
@@ -160,10 +160,12 @@
 # include <openssl/engine.h>
 #endif
 
 const char *SSL_version_str = OPENSSL_VERSION_TEXT;
 
+#define OPENSSL_NO_BUF_FREELISTS
+
 SSL3_ENC_METHOD ssl3_undef_enc_method = {
     /*
      * evil casts, but these functions are only called if there's a library
      * bug
      */
diff -aprNU5 openssl-1.0.2k.orig/test/testssl openssl-1.0.2k/test/testssl
--- openssl-1.0.2k.orig/test/testssl	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/test/testssl	2017-05-17 22:09:24 +0000
@@ -158,11 +158,11 @@ test_cipher() {
 	  exit 1
     fi
 }
 
 echo "Testing ciphersuites"
-for protocol in TLSv1.2 SSLv3; do
+for protocol in TLSv1.2; do
   echo "Testing ciphersuites for $protocol"
   for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
     test_cipher $cipher $protocol
   done
   if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
diff -aprNU5 openssl-1.0.2k.orig/tools/c_rehash.in openssl-1.0.2k/tools/c_rehash.in
--- openssl-1.0.2k.orig/tools/c_rehash.in	2017-01-26 13:22:00 +0000
+++ openssl-1.0.2k/tools/c_rehash.in	2017-05-17 22:09:24 +0000
@@ -6,24 +6,19 @@
 my $dir;
 my $prefix;
 
 my $openssl = $ENV{OPENSSL} || "openssl";
 my $pwd;
-my $x509hash = "-subject_hash";
-my $crlhash = "-hash";
 my $verbose = 0;
 my $symlink_exists=eval {symlink("",""); 1};
 my $removelinks = 1;
 
 ##  Parse flags.
 while ( $ARGV[0] =~ /^-/ ) {
     my $flag = shift @ARGV;
     last if ( $flag eq '--');
-    if ( $flag eq '-old') {
-	    $x509hash = "-subject_hash_old";
-	    $crlhash = "-hash_old";
-    } elsif ( $flag eq '-h') {
+    if ( $flag eq '-h') {
 	    help();
     } elsif ( $flag eq '-n' ) {
 	    $removelinks = 0;
     } elsif ( $flag eq '-v' ) {
 	    $verbose++;
@@ -111,11 +106,13 @@ sub hash_dir {
 		if(!$cert && !$crl) {
 			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
 			next;
 		}
 		link_hash_cert($fname) if($cert);
+		link_hash_cert_old($fname) if($cert);
 		link_hash_crl($fname) if($crl);
+		link_hash_crl_old($fname) if($crl);
 	}
 }
 
 sub check_file {
 	my ($is_cert, $is_crl) = (0,0);
@@ -144,10 +141,11 @@ sub check_file {
 # case we skip the link. We check for duplicates by comparing the
 # certificate fingerprints
 
 sub link_hash_cert {
 		my $fname = $_[0];
+		my $x509hash = $_[1] || '-subject_hash';
 		$fname =~ s/'/'\\''/g;
 		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
 		chomp $hash;
 		chomp $fprint;
 		$fprint =~ s/^.*=//;
@@ -175,14 +173,24 @@ sub link_hash_cert {
 			print "copy $fname -> $hash\n" if $verbose;
 		}
 		$hashlist{$hash} = $fprint;
 }
 
+sub link_hash_cert_old {
+		link_hash_cert($_[0], '-subject_hash_old');
+}
+
+sub link_hash_crl_old {
+		link_hash_crl($_[0], '-hash_old');
+}
+
+
 # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
 
 sub link_hash_crl {
 		my $fname = $_[0];
+		my $crlhash = $_[1] || "-hash";
 		$fname =~ s/'/'\\''/g;
 		my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
 		chomp $hash;
 		chomp $fprint;
 		$fprint =~ s/^.*=//;
