keks-overlay.git

@@ -0,0 +1,611 @@

+http://rt.openssl.org/Ticket/Display.html?id=2051&user=guest&pass=guest

+

+--- openssl-1.0.2/apps/s_apps.h

++++ openssl-1.0.2/apps/s_apps.h

+@@ -154,7 +154,7 @@

+ int do_server(int port, int type, int *ret,

+               int (*cb) (char *hostname, int s, int stype,

+                          unsigned char *context), unsigned char *context,

+-              int naccept);

++              int naccept, int use_ipv4, int use_ipv6);

+ #ifdef HEADER_X509_H

+ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);

+ #endif

+@@ -167,7 +167,8 @@

+ int ssl_print_curves(BIO *out, SSL *s, int noshared);

+ #endif

+ int ssl_print_tmp_key(BIO *out, SSL *s);

+-int init_client(int *sock, char *server, int port, int type);

++int init_client(int *sock, char *server, int port, int type,

++		int use_ipv4, int use_ipv6);

+ int should_retry(int i);

+ int extract_port(char *str, short *port_ptr);

+ int extract_host_port(char *str, char **host_ptr, unsigned char *ip,

+--- openssl-1.0.2/apps/s_client.c

++++ openssl-1.0.2/apps/s_client.c

+@@ -302,6 +302,10 @@

+ {

+     BIO_printf(bio_err, "usage: s_client args\n");

+     BIO_printf(bio_err, "\n");

++    BIO_printf(bio_err, " -4             - use IPv4 only\n");

++#if OPENSSL_USE_IPV6

++    BIO_printf(bio_err, " -6             - use IPv6 only\n");

++#endif

+     BIO_printf(bio_err, " -host host     - use -connect instead\n");

+     BIO_printf(bio_err, " -port port     - use -connect instead\n");

+     BIO_printf(bio_err,

+@@ -658,6 +662,7 @@

+     int sbuf_len, sbuf_off;

+     fd_set readfds, writefds;

+     short port = PORT;

++    int use_ipv4, use_ipv6;

+     int full_log = 1;

+     char *host = SSL_HOST_NAME;

+     char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;

+@@ -709,7 +714,11 @@

+ #endif

+     char *sess_in = NULL;

+     char *sess_out = NULL;

+-    struct sockaddr peer;

++#if OPENSSL_USE_IPV6

++    struct sockaddr_storage peer;

++#else

++    struct sockaddr_in peer;

++#endif

+     int peerlen = sizeof(peer);

+     int fallback_scsv = 0;

+     int enable_timeouts = 0;

+@@ -737,6 +746,12 @@

+ 

+     meth = SSLv23_client_method();

+ 

++    use_ipv4 = 1;

++#if OPENSSL_USE_IPV6

++    use_ipv6 = 1;

++#else

++    use_ipv6 = 0;

++#endif

+     apps_startup();

+     c_Pause = 0;

+     c_quiet = 0;

+@@ -1096,6 +1111,16 @@

+             jpake_secret = *++argv;

+         }

+ #endif

++	else if (strcmp(*argv,"-4") == 0) {

++	    use_ipv4 = 1;

++	    use_ipv6 = 0;

++	}

++#if OPENSSL_USE_IPV6

++	else if (strcmp(*argv,"-6") == 0) {

++	    use_ipv4 = 0;

++	    use_ipv6 = 1;

++	}

++#endif

+ #ifndef OPENSSL_NO_SRTP

+         else if (strcmp(*argv, "-use_srtp") == 0) {

+             if (--argc < 1)

+@@ -1421,7 +1446,7 @@

+ 

+  re_start:

+ 

+-    if (init_client(&s, host, port, socket_type) == 0) {

++    if (init_client(&s, host, port, socket_type, use_ipv4, use_ipv6) == 0) {

+         BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());

+         SHUTDOWN(s);

+         goto end;

+@@ -1444,7 +1469,7 @@

+     if (socket_type == SOCK_DGRAM) {

+ 

+         sbio = BIO_new_dgram(s, BIO_NOCLOSE);

+-        if (getsockname(s, &peer, (void *)&peerlen) < 0) {

++        if (getsockname(s, (struct sockaddr *)&peer, (void *)&peerlen) < 0) {

+             BIO_printf(bio_err, "getsockname:errno=%d\n",

+                        get_last_socket_error());

+             SHUTDOWN(s);

+--- openssl-1.0.2/apps/s_server.c

++++ openssl-1.0.2/apps/s_server.c

+@@ -643,6 +643,10 @@

+     BIO_printf(bio_err,

+                " -alpn arg  - set the advertised protocols for the ALPN extension (comma-separated list)\n");

+ #endif

++    BIO_printf(bio_err, " -4            - use IPv4 only\n");

++#if OPENSSL_USE_IPV6

++    BIO_printf(bio_err, " -6            - use IPv6 only\n");

++#endif

+     BIO_printf(bio_err,

+                " -keymatexport label   - Export keying material using label\n");

+     BIO_printf(bio_err,

+@@ -1070,6 +1074,7 @@

+     int state = 0;

+     const SSL_METHOD *meth = NULL;

+     int socket_type = SOCK_STREAM;

++    int use_ipv4, use_ipv6;

+     ENGINE *e = NULL;

+     char *inrand = NULL;

+     int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;

+@@ -1111,6 +1116,12 @@

+ 

+     meth = SSLv23_server_method();

+ 

++    use_ipv4 = 1;

++#if OPENSSL_USE_IPV6

++    use_ipv6 = 1;

++#else

++    use_ipv6 = 0;

++#endif

+     local_argc = argc;

+     local_argv = argv;

+ 

+@@ -1503,6 +1514,16 @@

+             jpake_secret = *(++argv);

+         }

+ #endif

++	else if (strcmp(*argv,"-4") == 0) {

++	    use_ipv4 = 1;

++	    use_ipv6 = 0;

++	}

++#if OPENSSL_USE_IPV6

++	else if (strcmp(*argv,"-6") == 0) {

++	    use_ipv4 = 0;

++	    use_ipv6 = 1;

++	}

++#endif

+ #ifndef OPENSSL_NO_SRTP

+         else if (strcmp(*argv, "-use_srtp") == 0) {

+             if (--argc < 1)

+@@ -2023,13 +2044,13 @@

+     (void)BIO_flush(bio_s_out);

+     if (rev)

+         do_server(port, socket_type, &accept_socket, rev_body, context,

+-                  naccept);

++                  naccept, use_ipv4, use_ipv6);

+     else if (www)

+         do_server(port, socket_type, &accept_socket, www_body, context,

+-                  naccept);

++                  naccept, use_ipv4, use_ipv6);

+     else

+         do_server(port, socket_type, &accept_socket, sv_body, context,

+-                  naccept);

++                  naccept, use_ipv4, use_ipv6);

+     print_stats(bio_s_out, ctx);

+     ret = 0;

+  end:

+--- openssl-1.0.2/apps/s_socket.c

++++ openssl-1.0.2/apps/s_socket.c

+@@ -101,16 +101,16 @@

+ #  include "netdb.h"

+ # endif

+ 

+-static struct hostent *GetHostByName(char *name);

++static struct hostent *GetHostByName(char *name, int domain);

+ # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))

+ static void ssl_sock_cleanup(void);

+ # endif

+ static int ssl_sock_init(void);

+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type);

+-static int init_server(int *sock, int port, int type);

+-static int init_server_long(int *sock, int port, char *ip, int type);

++static int init_client_ip(int *sock, unsigned char *ip, int port, int type, int domain);

++static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6);

++static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6);

+ static int do_accept(int acc_sock, int *sock, char **host);

+-static int host_ip(char *str, unsigned char ip[4]);

++static int host_ip(char *str, unsigned char *ip, int domain);

+ 

+ # ifdef OPENSSL_SYS_WIN16

+ #  define SOCKET_PROTOCOL 0     /* more microsoft stupidity */

+@@ -231,38 +231,68 @@

+     return (1);

+ }

+ 

+-int init_client(int *sock, char *host, int port, int type)

++int init_client(int *sock, char *host, int port, int type, int use_ipv4, int use_ipv6)

+ {

++# if OPENSSL_USE_IPV6

++    unsigned char ip[16];

++# else

+     unsigned char ip[4];

++# endif

+ 

+-    memset(ip, '\0', sizeof ip);

+-    if (!host_ip(host, &(ip[0])))

+-        return 0;

+-    return init_client_ip(sock, ip, port, type);

+-}

+-

+-static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)

+-{

+-    unsigned long addr;

++    if (use_ipv4)

++	if (host_ip(host, ip, AF_INET))

++	    return(init_client_ip(sock, ip, port, type, AF_INET));

++# if OPENSSL_USE_IPV6

++    if (use_ipv6)

++	if (host_ip(host, ip, AF_INET6))

++	    return(init_client_ip(sock, ip, port, type, AF_INET6));

++# endif

++    return 0;

++}

++

++static int init_client_ip(int *sock, unsigned char ip[4], int port, int type, int domain)

++{

++# if OPENSSL_USE_IPV6

++    struct sockaddr_storage them;

++    struct sockaddr_in *them_in = (struct sockaddr_in *)&them;

++    struct sockaddr_in6 *them_in6 = (struct sockaddr_in6 *)&them;

++# else

+     struct sockaddr_in them;

++    struct sockaddr_in *them_in = &them;

++# endif

++    socklen_t addr_len;

+     int s, i;

+ 

+     if (!ssl_sock_init())

+         return (0);

+ 

+     memset((char *)&them, 0, sizeof(them));

+-    them.sin_family = AF_INET;

+-    them.sin_port = htons((unsigned short)port);

+-    addr = (unsigned long)

+-        ((unsigned long)ip[0] << 24L) |

+-        ((unsigned long)ip[1] << 16L) |

+-        ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);

+-    them.sin_addr.s_addr = htonl(addr);

++    if (domain == AF_INET) {

++	addr_len = (socklen_t)sizeof(struct sockaddr_in);

++	them_in->sin_family=AF_INET;

++	them_in->sin_port=htons((unsigned short)port);

++# ifndef BIT_FIELD_LIMITS

++	memcpy(&them_in->sin_addr.s_addr, ip, 4);

++# else

++	memcpy(&them_in->sin_addr, ip, 4);

++# endif

++    }

++    else

++# if OPENSSL_USE_IPV6

++    {

++	addr_len = (socklen_t)sizeof(struct sockaddr_in6);

++	them_in6->sin6_family=AF_INET6;

++	them_in6->sin6_port=htons((unsigned short)port);

++	memcpy(&(them_in6->sin6_addr), ip, sizeof(struct in6_addr));

++    }

++# else

++	return(0);

++# endif

+ 

+     if (type == SOCK_STREAM)

+-        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);

++        s = socket(domain, SOCK_STREAM, SOCKET_PROTOCOL);

+     else                        /* ( type == SOCK_DGRAM) */

+-        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

++        s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);

+ 

+     if (s == INVALID_SOCKET) {

+         perror("socket");

+@@ -280,7 +310,7 @@

+     }

+ # endif

+ 

+-    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {

++    if (connect(s, (struct sockaddr *)&them, addr_len) == -1) {

+         closesocket(s);

+         perror("connect");

+         return (0);

+@@ -292,14 +322,14 @@

+ int do_server(int port, int type, int *ret,

+               int (*cb) (char *hostname, int s, int stype,

+                          unsigned char *context), unsigned char *context,

+-              int naccept)

++              int naccept, int use_ipv4, int use_ipv6)

+ {

+     int sock;

+     char *name = NULL;

+     int accept_socket = 0;

+     int i;

+ 

+-    if (!init_server(&accept_socket, port, type))

++    if (!init_server(&accept_socket, port, type, use_ipv4, use_ipv6))

+         return (0);

+ 

+     if (ret != NULL) {

+@@ -328,32 +358,41 @@

+     }

+ }

+ 

+-static int init_server_long(int *sock, int port, char *ip, int type)

++static int init_server_long(int *sock, int port, char *ip, int type, int use_ipv4, int use_ipv6)

+ {

+     int ret = 0;

++    int domain;

++# if OPENSSL_USE_IPV6

++    struct sockaddr_storage server;

++    struct sockaddr_in *server_in = (struct sockaddr_in *)&server;

++    struct sockaddr_in6 *server_in6 = (struct sockaddr_in6 *)&server;

++# else

+     struct sockaddr_in server;

++    struct sockaddr_in *server_in = &server;

++# endif

++    socklen_t addr_len;

+     int s = -1;

+ 

++    if (!use_ipv4 && !use_ipv6)

++	goto err;

++# if OPENSSL_USE_IPV6

++    /* we are fine here */

++# else

++    if (use_ipv6)

++	goto err;

++# endif

+     if (!ssl_sock_init())

+         return (0);

+ 

+-    memset((char *)&server, 0, sizeof(server));

+-    server.sin_family = AF_INET;

+-    server.sin_port = htons((unsigned short)port);

+-    if (ip == NULL)

+-        server.sin_addr.s_addr = INADDR_ANY;

+-    else

+-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */

+-# ifndef BIT_FIELD_LIMITS

+-        memcpy(&server.sin_addr.s_addr, ip, 4);

++#if OPENSSL_USE_IPV6

++    domain = use_ipv6 ? AF_INET6 : AF_INET;

+ # else

+-        memcpy(&server.sin_addr, ip, 4);

++    domain = AF_INET;

+ # endif

+-

+     if (type == SOCK_STREAM)

+-        s = socket(AF_INET, SOCK_STREAM, SOCKET_PROTOCOL);

+-    else                        /* type == SOCK_DGRAM */

+-        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);

++	s=socket(domain, SOCK_STREAM, SOCKET_PROTOCOL);

++    else /* type == SOCK_DGRAM */

++	s=socket(domain, SOCK_DGRAM, IPPROTO_UDP);

+ 

+     if (s == INVALID_SOCKET)

+         goto err;

+@@ -363,7 +402,42 @@

+         setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);

+     }

+ # endif

+-    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {

++# if OPENSSL_USE_IPV6

++    if ((use_ipv4 == 0) && (use_ipv6 == 1)) {

++	const int on = 1;

++

++	setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,

++		    (const void *) &on, sizeof(int));

++    }

++# endif

++    if (domain == AF_INET) {

++	addr_len = (socklen_t)sizeof(struct sockaddr_in);

++	memset(server_in, 0, sizeof(struct sockaddr_in));

++	server_in->sin_family=AF_INET;

++	server_in->sin_port = htons((unsigned short)port);

++	if (ip == NULL)

++	    server_in->sin_addr.s_addr = htonl(INADDR_ANY);

++	else

++/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */

++# ifndef BIT_FIELD_LIMITS

++	    memcpy(&server_in->sin_addr.s_addr, ip, 4);

++# else

++	    memcpy(&server_in->sin_addr, ip, 4);

++# endif

++    }

++# if OPENSSL_USE_IPV6

++    else {

++	addr_len = (socklen_t)sizeof(struct sockaddr_in6);

++	memset(server_in6, 0, sizeof(struct sockaddr_in6));

++	server_in6->sin6_family = AF_INET6;

++	server_in6->sin6_port = htons((unsigned short)port);

++	if (ip == NULL)

++	    server_in6->sin6_addr = in6addr_any;

++	else

++	    memcpy(&server_in6->sin6_addr, ip, sizeof(struct in6_addr));

++    }

++# endif

++    if (bind(s, (struct sockaddr *)&server, addr_len) == -1) {

+ # ifndef OPENSSL_SYS_WINDOWS

+         perror("bind");

+ # endif

+@@ -381,16 +455,23 @@

+     return (ret);

+ }

+ 

+-static int init_server(int *sock, int port, int type)

++static int init_server(int *sock, int port, int type, int use_ipv4, int use_ipv6)

+ {

+-    return (init_server_long(sock, port, NULL, type));

++    return (init_server_long(sock, port, NULL, type, use_ipv4, use_ipv6));

+ }

+ 

+ static int do_accept(int acc_sock, int *sock, char **host)

+ {

+     int ret;

+     struct hostent *h1, *h2;

+-    static struct sockaddr_in from;

++#if OPENSSL_USE_IPV6

++    struct sockaddr_storage from;

++    struct sockaddr_in *from_in = (struct sockaddr_in *)&from;

++    struct sockaddr_in6 *from_in6 = (struct sockaddr_in6 *)&from;

++#else

++    struct sockaddr_in from;

++    struct sockaddr_in *from_in = &from;

++#endif

+     int len;

+ /*      struct linger ling; */

+ 

+@@ -440,14 +521,25 @@

+ 

+     if (host == NULL)

+         goto end;

++# if OPENSSL_USE_IPV6

++    if (from.ss_family == AF_INET)

++# else

++    if (from.sin_family == AF_INET)

++# endif

+ # ifndef BIT_FIELD_LIMITS

+-    /* I should use WSAAsyncGetHostByName() under windows */

+-    h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,

+-                       sizeof(from.sin_addr.s_addr), AF_INET);

++	/* I should use WSAAsyncGetHostByName() under windows */

++	h1 = gethostbyaddr((char *)&from_in->sin_addr.s_addr,

++                	    sizeof(from_in->sin_addr.s_addr), AF_INET);

+ # else

+-    h1 = gethostbyaddr((char *)&from.sin_addr,

+-                       sizeof(struct in_addr), AF_INET);

++	h1 = gethostbyaddr((char *)&from_in->sin_addr,

++            		    sizeof(struct in_addr), AF_INET);

++# endif

++# if OPENSSL_USE_IPV6

++    else

++	h1 = gethostbyaddr((char *)&from_in6->sin6_addr,

++			    sizeof(struct in6_addr), AF_INET6);

+ # endif

++	    

+     if (h1 == NULL) {

+         BIO_printf(bio_err, "bad gethostbyaddr\n");

+         *host = NULL;

+@@ -460,14 +552,22 @@

+         }

+         BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);

+ 

+-        h2 = GetHostByName(*host);

++# if OPENSSL_USE_IPV6

++	h2=GetHostByName(*host, from.ss_family);

++# else

++	h2=GetHostByName(*host, from.sin_family);

++# endif

+         if (h2 == NULL) {

+             BIO_printf(bio_err, "gethostbyname failure\n");

+             closesocket(ret);

+             return (0);

+         }

+-        if (h2->h_addrtype != AF_INET) {

+-            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");

++# if OPENSSL_USE_IPV6

++	if (h2->h_addrtype != from.ss_family) {

++# else

++	if (h2->h_addrtype != from.sin_family) {

++# endif

++            BIO_printf(bio_err, "gethostbyname addr is not correct\n");

+             closesocket(ret);

+             return (0);

+         }

+@@ -483,14 +583,14 @@

+     char *h, *p;

+ 

+     h = str;

+-    p = strchr(str, ':');

++    p = strrchr(str, ':');

+     if (p == NULL) {

+         BIO_printf(bio_err, "no port defined\n");

+         return (0);

+     }

+     *(p++) = '\0';

+ 

+-    if ((ip != NULL) && !host_ip(str, ip))

++    if ((ip != NULL) && !host_ip(str, ip, AF_INET))

+         goto err;

+     if (host_ptr != NULL)

+         *host_ptr = h;

+@@ -502,44 +602,51 @@

+     return (0);

+ }

+ 

+-static int host_ip(char *str, unsigned char ip[4])

++static int host_ip(char *str, unsigned char *ip, int domain)

+ {

+     unsigned int in[4];

++    unsigned long l;

+     int i;

+ 

+-    if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==

+-        4) {

++    if ((domain == AF_INET) && (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) == 4)) {

+         for (i = 0; i < 4; i++)

+             if (in[i] > 255) {

+                 BIO_printf(bio_err, "invalid IP address\n");

+                 goto err;

+             }

+-        ip[0] = in[0];

+-        ip[1] = in[1];

+-        ip[2] = in[2];

+-        ip[3] = in[3];

+-    } else {                    /* do a gethostbyname */

++	l=htonl((in[0]<<24L)|(in[1]<<16L)|(in[2]<<8L)|in[3]);

++	memcpy(ip, &l, 4);

++	return 1;

++    }

++# if OPENSSL_USE_IPV6

++    else if ((domain == AF_INET6) && (inet_pton(AF_INET6, str, ip) == 1))

++	return 1;

++# endif

++    else {                    /* do a gethostbyname */

+         struct hostent *he;

+ 

+         if (!ssl_sock_init())

+             return (0);

+ 

+-        he = GetHostByName(str);

++        he = GetHostByName(str, domain);

+         if (he == NULL) {

+             BIO_printf(bio_err, "gethostbyname failure\n");

+             goto err;

+         }

+         /* cast to short because of win16 winsock definition */

+-        if ((short)he->h_addrtype != AF_INET) {

+-            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");

++        if ((short)he->h_addrtype != domain) {

++            BIO_printf(bio_err, "gethostbyname addr is not correct\n");

+             return (0);

+         }

+-        ip[0] = he->h_addr_list[0][0];

+-        ip[1] = he->h_addr_list[0][1];

+-        ip[2] = he->h_addr_list[0][2];

+-        ip[3] = he->h_addr_list[0][3];

++	if (domain == AF_INET)

++	    memset(ip, 0, 4);

++# if OPENSSL_USE_IPV6

++	else

++	    memset(ip, 0, 16);

++# endif

++	memcpy(ip, he->h_addr_list[0], he->h_length);

++	return 1;

+     }

+-    return (1);

+  err:

+     return (0);

+ }

+@@ -573,7 +680,7 @@

+ static unsigned long ghbn_hits = 0L;

+ static unsigned long ghbn_miss = 0L;

+ 

+-static struct hostent *GetHostByName(char *name)

++static struct hostent *GetHostByName(char *name, int domain)

+ {

+     struct hostent *ret;

+     int i, lowi = 0;

+@@ -585,13 +692,18 @@

+             lowi = i;

+         }

+         if (ghbn_cache[i].order > 0) {

+-            if (strncmp(name, ghbn_cache[i].name, 128) == 0)

++            if ((strncmp(name, ghbn_cache[i].name, 128) == 0) && (ghbn_cache[i].ent.h_addrtype == domain))

+                 break;

+         }

+     }

+     if (i == GHBN_NUM) {        /* no hit */

+         ghbn_miss++;

+-        ret = gethostbyname(name);

++        if (domain == AF_INET)

++    	    ret = gethostbyname(name);

++# if OPENSSL_USE_IPV6

++	else

++	    ret = gethostbyname2(name, AF_INET6);

++# endif

+         if (ret == NULL)

+             return (NULL);

+         /* else add to cache */

@@ -0,0 +1,354 @@

+http://rt.openssl.org/Ticket/Display.html?id=2084&user=guest&pass=guest

+

+--- a/Makefile.org

++++ b/Makefile.org

+@@ -247,17 +247,17 @@

+ build_libs: build_crypto build_ssl build_engines

+ 

+ build_crypto:

+-	@dir=crypto; target=all; $(BUILD_ONE_CMD)

++	+@dir=crypto; target=all; $(BUILD_ONE_CMD)

+-build_ssl:

++build_ssl: build_crypto

+-	@dir=ssl; target=all; $(BUILD_ONE_CMD)

++	+@dir=ssl; target=all; $(BUILD_ONE_CMD)

+-build_engines:

++build_engines: build_crypto

+-	@dir=engines; target=all; $(BUILD_ONE_CMD)

++	+@dir=engines; target=all; $(BUILD_ONE_CMD)

+-build_apps:

++build_apps: build_libs

+-	@dir=apps; target=all; $(BUILD_ONE_CMD)

++	+@dir=apps; target=all; $(BUILD_ONE_CMD)

+-build_tests:

++build_tests: build_libs

+-	@dir=test; target=all; $(BUILD_ONE_CMD)

++	+@dir=test; target=all; $(BUILD_ONE_CMD)

+-build_tools:

++build_tools: build_libs

+-	@dir=tools; target=all; $(BUILD_ONE_CMD)

++	+@dir=tools; target=all; $(BUILD_ONE_CMD)

+ 

+ all_testapps: build_libs build_testapps

+ build_testapps:

+@@ -497,9 +497,9 @@

+ dist_pem_h:

+ 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)

+ 

+-install: all install_docs install_sw

++install: install_docs install_sw

+ 

+-install_sw:

++install_dirs:

+ 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \

+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \

+ 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \

+@@ -508,6 +508,13 @@

+ 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \

+ 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \

+ 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private

++	@$(PERL) $(TOP)/util/mkdir-p.pl \

++		$(INSTALL_PREFIX)$(MANDIR)/man1 \

++		$(INSTALL_PREFIX)$(MANDIR)/man3 \

++		$(INSTALL_PREFIX)$(MANDIR)/man5 \

++		$(INSTALL_PREFIX)$(MANDIR)/man7

++

++install_sw: install_dirs

+ 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\

+ 	do \

+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \

+@@ -511,7 +511,7 @@

+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \

+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

+ 	done;

+-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)

++	+@set -e; target=install; $(RECURSIVE_BUILD_CMD)

+ 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\

+ 	do \

+ 		if [ -f "$$i" ]; then \

+@@ -593,12 +600,7 @@

+ 		done; \

+ 	done

+ 

+-install_docs:

+-	@$(PERL) $(TOP)/util/mkdir-p.pl \

+-		$(INSTALL_PREFIX)$(MANDIR)/man1 \

+-		$(INSTALL_PREFIX)$(MANDIR)/man3 \

+-		$(INSTALL_PREFIX)$(MANDIR)/man5 \

+-		$(INSTALL_PREFIX)$(MANDIR)/man7

++install_docs: install_dirs

+ 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \

+ 	here="`pwd`"; \

+ 	filecase=; \

+--- a/Makefile.shared

++++ b/Makefile.shared

+@@ -105,6 +105,7 @@ LINK_SO=	\

+     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \

+     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \

+     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \

++    [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \

+     LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \

+     $${SHAREDCMD} $${SHAREDFLAGS} \

+ 	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \

+@@ -122,6 +124,7 @@ SYMLINK_SO=	\

+ 			done; \

+ 		fi; \

+ 		if [ -n "$$SHLIB_SOVER" ]; then \

++			[ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \

+ 			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \

+ 			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \

+ 		fi; \

+--- a/crypto/Makefile

++++ b/crypto/Makefile

+@@ -85,11 +85,11 @@

+ 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi

+ 

+ subdirs:

+-	@target=all; $(RECURSIVE_MAKE)

++	+@target=all; $(RECURSIVE_MAKE)

+ 

+ files:

+ 	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO

+-	@target=files; $(RECURSIVE_MAKE)

++	+@target=files; $(RECURSIVE_MAKE)

+ 

+ links:

+ 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)

+@@ -100,7 +100,7 @@

+ # lib: $(LIB): are splitted to avoid end-less loop

+ lib:	$(LIB)

+ 	@touch lib

+-$(LIB):	$(LIBOBJ)

++$(LIB):	$(LIBOBJ) | subdirs

+ 	$(AR) $(LIB) $(LIBOBJ)

+ 	$(RANLIB) $(LIB) || echo Never mind.

+ 

+@@ -110,7 +110,7 @@

+ 	fi

+ 

+ libs:

+-	@target=lib; $(RECURSIVE_MAKE)

++	+@target=lib; $(RECURSIVE_MAKE)

+ 

+ install:

+ 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...

+@@ -119,7 +119,7 @@

+ 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \

+ 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \

+ 	done;

+-	@target=install; $(RECURSIVE_MAKE)

++	+@target=install; $(RECURSIVE_MAKE)

+ 

+ lint:

+ 	@target=lint; $(RECURSIVE_MAKE)

+--- a/engines/Makefile

++++ b/engines/Makefile

+@@ -72,7 +72,7 @@

+ 

+ all:	lib subdirs

+ 

+-lib:	$(LIBOBJ)

++lib:	$(LIBOBJ) | subdirs

+ 	@if [ -n "$(SHARED_LIBS)" ]; then \

+ 		set -e; \

+ 		for l in $(LIBNAMES); do \

+@@ -89,7 +89,7 @@

+ 

+ subdirs:

+ 	echo $(EDIRS)

+-	@target=all; $(RECURSIVE_MAKE)

++	+@target=all; $(RECURSIVE_MAKE)

+ 

+ files:

+ 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

+@@ -128,7 +128,7 @@

+ 			  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \

+ 		done; \

+ 	fi

+-	@target=install; $(RECURSIVE_MAKE)

++	+@target=install; $(RECURSIVE_MAKE)

+ 

+ tags:

+ 	ctags $(SRC)

+--- a/test/Makefile

++++ b/test/Makefile

+@@ -123,7 +123,7 @@

+ tags:

+ 	ctags $(SRC)

+ 

+-tests:	exe apps $(TESTS)

++tests:	exe $(TESTS)

+ 

+ apps:

+ 	@(cd ..; $(MAKE) DIRS=apps all)

+@@ -365,109 +365,109 @@

+ 		link_app.$${shlib_target}

+ 

+ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)

+-	@target=$(RSATEST); $(BUILD_CMD)

++	+@target=$(RSATEST); $(BUILD_CMD)

+ 

+ $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)

+-	@target=$(BNTEST); $(BUILD_CMD)

++	+@target=$(BNTEST); $(BUILD_CMD)

+ 

+ $(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)

+-	@target=$(ECTEST); $(BUILD_CMD)

++	+@target=$(ECTEST); $(BUILD_CMD)

+ 

+ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)

+-	@target=$(EXPTEST); $(BUILD_CMD)

++	+@target=$(EXPTEST); $(BUILD_CMD)

+ 

+ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)

+-	@target=$(IDEATEST); $(BUILD_CMD)

++	+@target=$(IDEATEST); $(BUILD_CMD)

+ 

+ $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)

+-	@target=$(MD2TEST); $(BUILD_CMD)

++	+@target=$(MD2TEST); $(BUILD_CMD)

+ 

+ $(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)

+-	@target=$(SHATEST); $(BUILD_CMD)

++	+@target=$(SHATEST); $(BUILD_CMD)

+ 

+ $(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)

+-	@target=$(SHA1TEST); $(BUILD_CMD)

++	+@target=$(SHA1TEST); $(BUILD_CMD)

+ 

+ $(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)

+-	@target=$(SHA256TEST); $(BUILD_CMD)

++	+@target=$(SHA256TEST); $(BUILD_CMD)

+ 

+ $(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)

+-	@target=$(SHA512TEST); $(BUILD_CMD)

++	+@target=$(SHA512TEST); $(BUILD_CMD)

+ 

+ $(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)

+-	@target=$(RMDTEST); $(BUILD_CMD)

++	+@target=$(RMDTEST); $(BUILD_CMD)

+ 

+ $(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)

+-	@target=$(MDC2TEST); $(BUILD_CMD)

++	+@target=$(MDC2TEST); $(BUILD_CMD)

+ 

+ $(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)

+-	@target=$(MD4TEST); $(BUILD_CMD)

++	+@target=$(MD4TEST); $(BUILD_CMD)

+ 

+ $(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)

+-	@target=$(MD5TEST); $(BUILD_CMD)

++	+@target=$(MD5TEST); $(BUILD_CMD)

+ 

+ $(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)

+-	@target=$(HMACTEST); $(BUILD_CMD)

++	+@target=$(HMACTEST); $(BUILD_CMD)

+ 

+ $(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)

+-	@target=$(WPTEST); $(BUILD_CMD)

++	+@target=$(WPTEST); $(BUILD_CMD)

+ 

+ $(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)

+-	@target=$(RC2TEST); $(BUILD_CMD)

++	+@target=$(RC2TEST); $(BUILD_CMD)

+ 

+ $(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)

+-	@target=$(BFTEST); $(BUILD_CMD)

++	+@target=$(BFTEST); $(BUILD_CMD)

+ 

+ $(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)

+-	@target=$(CASTTEST); $(BUILD_CMD)

++	+@target=$(CASTTEST); $(BUILD_CMD)

+ 

+ $(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)

+-	@target=$(RC4TEST); $(BUILD_CMD)

++	+@target=$(RC4TEST); $(BUILD_CMD)

+ 

+ $(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)

+-	@target=$(RC5TEST); $(BUILD_CMD)

++	+@target=$(RC5TEST); $(BUILD_CMD)

+ 

+ $(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)

+-	@target=$(DESTEST); $(BUILD_CMD)

++	+@target=$(DESTEST); $(BUILD_CMD)

+ 

+ $(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)

+-	@target=$(RANDTEST); $(BUILD_CMD)

++	+@target=$(RANDTEST); $(BUILD_CMD)

+ 

+ $(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)

+-	@target=$(DHTEST); $(BUILD_CMD)

++	+@target=$(DHTEST); $(BUILD_CMD)

+ 

+ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)

+-	@target=$(DSATEST); $(BUILD_CMD)

++	+@target=$(DSATEST); $(BUILD_CMD)

+ 

+ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)

+-	@target=$(METHTEST); $(BUILD_CMD)

++	+@target=$(METHTEST); $(BUILD_CMD)

+ 

+ $(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)

+-	@target=$(SSLTEST); $(FIPS_BUILD_CMD)

++	+@target=$(SSLTEST); $(FIPS_BUILD_CMD)

+ 

+ $(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)

+-	@target=$(ENGINETEST); $(BUILD_CMD)

++	+@target=$(ENGINETEST); $(BUILD_CMD)

+ 

+ $(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)

+-	@target=$(EVPTEST); $(BUILD_CMD)

++	+@target=$(EVPTEST); $(BUILD_CMD)

+ 

+ $(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)

+-	@target=$(ECDSATEST); $(BUILD_CMD)

++	+@target=$(ECDSATEST); $(BUILD_CMD)

+ 

+ $(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)

+-	@target=$(ECDHTEST); $(BUILD_CMD)

++	+@target=$(ECDHTEST); $(BUILD_CMD)

+ 

+ $(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)

+-	@target=$(IGETEST); $(BUILD_CMD)

++	+@target=$(IGETEST); $(BUILD_CMD)

+ 

+ $(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)

+-	@target=$(JPAKETEST); $(BUILD_CMD)

++	+@target=$(JPAKETEST); $(BUILD_CMD)

+ 

+ $(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)

+-	@target=$(ASN1TEST); $(BUILD_CMD)

++	+@target=$(ASN1TEST); $(BUILD_CMD)

+ 

+ $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)

+-	@target=$(SRPTEST); $(BUILD_CMD)

++	+@target=$(SRPTEST); $(BUILD_CMD)

+ 

+ #$(AESTEST).o: $(AESTEST).c

+ #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c

+@@ -480,7 +480,7 @@

+ #	fi

+ 

+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)

+-	@target=dummytest; $(BUILD_CMD)

++	+@target=dummytest; $(BUILD_CMD)

+ 

+ # DO NOT DELETE THIS LINE -- make depend depends on it.

+ 

+--- a/crypto/objects/Makefile

++++ b/crypto/objects/Makefile

+@@ -44,11 +44,11 @@ obj_dat.h: obj_dat.pl obj_mac.h

+ # objects.pl both reads and writes obj_mac.num

+ obj_mac.h: objects.pl objects.txt obj_mac.num

+ 	$(PERL) objects.pl objects.txt obj_mac.num obj_mac.h

+-	@sleep 1; touch obj_mac.h; sleep 1

+ 

+-obj_xref.h: objxref.pl obj_xref.txt obj_mac.num

++# This doesn't really need obj_mac.h, but since that rule reads & writes

++# obj_mac.num, we can't run in parallel with it.

++obj_xref.h: objxref.pl obj_xref.txt obj_mac.num obj_mac.h

+ 	$(PERL) objxref.pl obj_mac.num obj_xref.txt > obj_xref.h

+-	@sleep 1; touch obj_xref.h; sleep 1

+ 

+ files:

+ 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

@@ -0,0 +1,17 @@

+https://bugs.gentoo.org/472584

+http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest

+

+fix verification handling in s_client.  when loading paths, make sure

+we properly fallback to setting the default paths.

+

+--- openssl-1.0.2/apps/s_client.c

++++ openssl-1.0.2/apps/s_client.c

+@@ -1337,7 +1337,7 @@

+ 

+     SSL_CTX_set_verify(ctx, verify, verify_callback);

+ 

+-    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||

++    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) &&

+         (!SSL_CTX_set_default_verify_paths(ctx))) {

+         /*

+          * BIO_printf(bio_err,"error setting default verify locations\n");