2016-12-20  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* Configure:  -march=i386 -mtune=i586 flags added to CFLAGS.
	Replaced -DTERMIO by -DTERMIOS in CFLAGS.
	Added DJGPP_DEBUG flag to CFLAGS.
	Adjust openssldir for DJGPP.

	* crypto/rand/rand_unix.c [OPENSSL_SYS_MSDOS]:  New DJGPP specific
	function RAND_poll to replace the unix version used previously.
	Like the unix one, it uses /dev/urandom or /dev/random as entropy source.
	If this fails it tries to generate pseudo entropy using rand48 and
	rawclock data as seed.
	This code exists only for debugging purposes!!!  It is selected by
	defining the DJGPP_DEBUG macro in the Configure script.

	* demos/bio/Makefile:  -march=i386 -mtune=i586 flags added to CFLAGS.

	* demos/prime/Makefile:  -march=i386 -mtune=i586 flags added to CFLAGS.

	* demos/sign/Makefile:  -march=i386 -mtune=i586 flags added to CFLAGS.

	* demos/state_machine/Makefile:  -march=i386 -mtune=i586 flags added
	to CFLAGS.

	* demos/state_machine/Makefile:  Adjust for use with DJGPP.

	* tools/Makefile:  Add INSTALL_OPENSSLDIR to variable list to pass to
	recursive makefiles.

	* apps/Makefile:  Add INSTALL_OPENSSLDIR to variable list to pass to
	recursive makefiles.

	* Makefile.org:  Use INSTALL_OPENSSLDIR, INSTALL_MANDIR and
	INSTALL_HTMLDIR for installing into DJGPP installation tree.

	* demos/bio/Makefile:  Adjust for use with DJGPP.

	* demos/prime/Makefile:  Adjust for use with DJGPP.

	* demos/sign/Makefile:  Adjust for use with DJGPP.







diff -aprNU5 openssl-1.0.1u.orig/apps/Makefile openssl-1.0.1u/apps/Makefile
--- openssl-1.0.1u.orig/apps/Makefile	2016-09-22 10:30:26 +0000
+++ openssl-1.0.1u/apps/Makefile	2016-12-20 11:29:28 +0000
@@ -110,17 +110,17 @@ install:
 	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	 done;
 	@set -e; for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i ); \
 	 done
-	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+	@cp openssl.cnf $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/openssl.cnf
 
 tags:
 	ctags $(SRC)
 
 tests:
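Review bot: `INSTALL_OPENSSLDIR` is used in the install recipe here, but this hunk gives it no default. If the rest of apps/Makefile does not define it either, running this makefile without the top-level BUILDENV expands it to nothing, and the scripts and openssl.cnf land in `$(INSTALL_PREFIX)/misc` and `$(INSTALL_PREFIX)/openssl.cnf`. A fallback next to the other variable defaults, `INSTALL_OPENSSLDIR=$(OPENSSLDIR)`, would keep a standalone `make install` working. The same applies to the matching hunk in tools/Makefile; the `install` rule starts outside this hunk.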
diff -aprNU5 openssl-1.0.1u.orig/Configure openssl-1.0.1u/Configure
--- openssl-1.0.1u.orig/Configure	2016-09-22 10:29:26 +0000
+++ openssl-1.0.1u/Configure	2016-12-20 11:29:28 +0000
@@ -576,11 +576,11 @@ my %table=(
 "netware-libc-bsdsock", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
 "netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 "netware-libc-bsdsock-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -DNETWARE_BSDSOCK -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",
 
 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIO -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
 "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::BN_LLONG::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
@@ -1155,12 +1155,17 @@ my $make = $ENV{'MAKE'} || "make";
 $cross_compile_prefix=$ENV{'CROSS_COMPILE'} if $cross_compile_prefix eq "";
 
 chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /.\/$/;
 
-$openssldir=$prefix . "/ssl" if $openssldir eq "";
-$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+if ($^O eq 'dos') {
+  # For DJGPP.
+  $openssldir=$prefix . "/share/ssl" if $openssldir eq "";
+} else {
+  $openssldir=$prefix . "/ssl" if $openssldir eq "";
+  $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+}
 
 
 print "IsMK1MF=$IsMK1MF\n";
 
 my @fields = split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
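Review bot: The DJGPP branch drops the line that prefixes a relative `--openssldir` with `$prefix`, so a relative value is now used as given on DOS while every other platform still anchors it. The branch is also selected by `$^O eq 'dos'`, the perl running Configure, whereas the CFLAGS adjustment later in this file keys on `$target =~ /^DJGPP/`; a cross build for the DJGPP target would get the `/ssl` default while Makefile.org installs under `share/ssl`. Consider `my $default_ssl = ($target =~ /^DJGPP/) ? "/share/ssl" : "/ssl";` followed by the two original statements unchanged, so that only the default differs.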
@@ -1467,10 +1472,33 @@ if ($sys_id ne "")
 if ($ranlib eq "")
 	{
 	$ranlib = $default_ranlib;
 	}
 
+# DJGPP specific CFLAG adjustments
+if ($target =~ /^DJGPP/)
+	{
+	my $gccver=0;
+	if (open(FD,"$cc --version |"))
+		{
+		while(<FD>) { $gccver=$1 if (/ (([1-3])\.|4\.([0-1])([.0-9]*))/); }
+		close(FD);
+		}
+	if ($gccver==0)
+		{
+		# For gcc 4.3.0 and above ensure that always old GNU extern inline semantics
+		# are used (aka -fgnu89-inline) even if ISO C99 semantics has been specified.
+		$cflags=~s/-fomit-frame-pointer/-fgnu89-inline -march=i386 -mtune=i586 -fomit-frame-pointer/;
+		}
+	else
+		{
+		$cflags=~s/-fomit-frame-pointer/-march=i386 -mtune=i586 -fomit-frame-pointer/;
+		}
+	# This is for debugging purposes.
+	# $cflags=~s/-fomit-frame-pointer -O2/-save-temps -O0 -g2 -DDJGPP_DEBUG/;
+	}
+
 #my ($bn1)=split(/\s+/,$bn_obj);
 #$bn1 = "" unless defined $bn1;
 #$bn1=$bn_asm unless ($bn1 =~ /\.o$/);
 #$bn_obj="$bn1";
 
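Review bot: `$gccver` stays 0 both when the compiler is new and when the probe produced nothing (the `open` failed, `$cc` is not gcc, or the output format was not matched), so a failed probe silently adds `-fgnu89-inline`. The flag should be added only after a version was actually read, with a separate "version found" variable and a warning when nothing matched. The comment says "gcc 4.3.0 and above" but the pattern treats only 4.0 and 4.1 as old, so 4.2 also gets the flag; the comment or the pattern should be corrected. `open(FD,"$cc --version |")` also uses a global bareword handle and hands `$cc` to the shell as a string; a lexical handle, `open(my $fd, "$cc --version |")`, is the minimum, and `$cc` deserves a comment saying where it comes from.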
diff -aprNU5 openssl-1.0.1u.orig/crypto/rand/rand_unix.c openssl-1.0.1u/crypto/rand/rand_unix.c
--- openssl-1.0.1u.orig/crypto/rand/rand_unix.c	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/crypto/rand/rand_unix.c	2016-12-20 11:29:28 +0000
@@ -220,10 +220,176 @@ int RAND_poll(void)
         RAND_add(&v, sizeof v, 1);
         v = 0;
     }
     return 1;
 }
+# elif defined(DJGPP_DEBUG)
+/*
+# elif defined(OPENSSL_SYS_MSDOS)
+*/
+int RAND_poll(void)
+{
+    unsigned long l;
+    pid_t curr_pid = getpid();
+#  if defined(DEVRANDOM)
+    unsigned char tmpbuf[ENTROPY_NEEDED];
+    int n = 0;
+#  endif
+#  ifdef DEVRANDOM
+    static const char *randomfiles[] = { DEVRANDOM };
+    struct stat randomstats[sizeof(randomfiles) / sizeof(randomfiles[0])];
+    int fd;
+    unsigned int i;
+#  endif
+
+#  ifdef DEVRANDOM
+    memset(randomstats, 0, sizeof(randomstats));
+    /*
+     * Use a random entropy pool device. Linux, FreeBSD and OpenBSD have
+     * this. Use /dev/urandom if you can as /dev/random may block if it runs
+     * out of random entries.
+     */
+
+    for (i = 0; (i < sizeof(randomfiles) / sizeof(randomfiles[0])) &&
+         (n < ENTROPY_NEEDED); i++) {
+        if ((fd = open(randomfiles[i], O_RDONLY
+#   ifdef O_NONBLOCK
+                       | O_NONBLOCK
+#   endif
+#   ifdef O_BINARY
+                       | O_BINARY
+#   endif
+#   ifdef O_NOCTTY              /* If it happens to be a TTY (god forbid), do
+                                 * not make it our controlling tty */
+                       | O_NOCTTY
+#   endif
+             )) >= 0) {
+            int usec = 10 * 1000; /* spend 10ms on each file */
+            int r;
+            unsigned int j;
+            struct stat *st = &randomstats[i];
+
+            /*
+             * Avoid using same input... Used to be O_NOFOLLOW above, but
+             * it's not universally appropriate...
+             */
+            if (fstat(fd, st) != 0) {
+                close(fd);
+                continue;
+            }
+            for (j = 0; j < i; j++) {
+                if (randomstats[j].st_ino == st->st_ino &&
+                    randomstats[j].st_dev == st->st_dev)
+                    break;
+            }
+            if (j < i) {
+                close(fd);
+                continue;
+            }
+
+            do {
+                int try_read = 0;
+
+                /* use select() */
+                fd_set fset;
+                struct timeval t;
+
+                t.tv_sec = 0;
+                t.tv_usec = usec;
+
+                if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE) {
+                    /*
+                     * can't use select, so just try to read once anyway
+                     */
+                    try_read = 1;
+                } else {
+                    FD_ZERO(&fset);
+                    FD_SET(fd, &fset);
+
+                    if (select(fd + 1, &fset, NULL, NULL, &t) >= 0) {
+                        usec = t.tv_usec;
+                        if (FD_ISSET(fd, &fset))
+                            try_read = 1;
+                    } else
+                        usec = 0;
+                }
+
+                if (try_read) {
+                    r = read(fd, (unsigned char *)tmpbuf + n,
+                             ENTROPY_NEEDED - n);
+                    if (r > 0)
+                        n += r;
+                } else
+                    r = -1;
+
+                /*
+                 * Some Unixen will update t in select(), some won't.  For
+                 * those who won't, or if we didn't use select() in the first
+                 * place, give up here, otherwise, we will do this once again
+                 * for the remaining time.
+                 */
+                if (usec == 10 * 1000)
+                    usec = 0;
+            }
+            while ((r > 0 ||
+                    (errno == EINTR || errno == EAGAIN)) && usec != 0
+                   && n < ENTROPY_NEEDED);
+
+            close(fd);
+        }
+    }
+#  endif                        /* defined(DEVRANDOM) */
+
+#  if defined(DEVRANDOM)
+    if (n > 0) {
+        RAND_add(tmpbuf, sizeof tmpbuf, (double)n);
+        OPENSSL_cleanse(tmpbuf, n);
+    }
+#  endif
+
+    if (n > 0) {
+        /* put in some default random data, we need more than just this */
+
+        l = curr_pid;
+        RAND_add(&l, sizeof(l), 0.0);
+        l = getuid();
+        RAND_add(&l, sizeof(l), 0.0);
+        l = time(NULL);
+        RAND_add(&l, sizeof(l), 0.0);
+    } else {
+        unsigned char v;
+
+
+        /*
+         * Seed with the gid, pid, and uid, to ensure *some* variation between
+         * different processes.
+         */
+
+        l = curr_pid;
+        RAND_add(&l, sizeof(l), 1);
+        l = getuid();
+        RAND_add(&l, sizeof(l), 1);
+        l = time(NULL);
+        RAND_add(&l, sizeof(l), 1);
+    
+        for (i = 0; i < (ENTROPY_NEEDED * 4); i++) {
+            srand48(rawclock() ^ i ^ l);
+            l = lrand48();
+
+            /* take 8 bits */
+            v = (unsigned char)(l % 256);
+            RAND_add(&v, sizeof v, 1);
+        }
+    }
+
+
+#  if defined(DEVRANDOM)
+    return 1;
+#  else
+    return 0;
+#  endif
+}
 # elif defined __OpenBSD__
 int RAND_poll(void)
 {
     u_int32_t rnd = 0, i;
     unsigned char buf[ENTROPY_NEEDED];
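Review bot: In the fallback branch taken when nothing was read from the random device (`n == 0`), the pid, uid, time and every lrand48() byte are passed to RAND_add() with an entropy estimate of 1. The pool is therefore credited with `ENTROPY_NEEDED * 4 + 3` bytes of entropy for data that anyone knowing roughly when the process started could reproduce. Mix the values in but credit `0.0`, as the `n > 0` branch already does, so the PRNG does not count itself as seeded from this data. Separately, `n` and `i` are declared only under `DEVRANDOM` but are used unconditionally in `if (n > 0)` and the `for` loop, so the `#else return 0` configuration cannot compile. Since the ChangeLog says this function exists for debugging only, a comment at the `# elif defined(DJGPP_DEBUG)` line saying that such builds must not be used to generate keys would help.

```c
    } else {
        unsigned char v;

        /* Fallback data is guessable: stir it in, but credit no entropy. */
        l = curr_pid;
        RAND_add(&l, sizeof(l), 0.0);
        l = getuid();
        RAND_add(&l, sizeof(l), 0.0);
        l = time(NULL);
        RAND_add(&l, sizeof(l), 0.0);

        for (i = 0; i < (ENTROPY_NEEDED * 4); i++) {
            /* … unchanged: srand48()/lrand48() and the 8-bit extraction into v … */
            RAND_add(&v, sizeof v, 0.0);
        }
    }
```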
diff -aprNU5 openssl-1.0.1u.orig/demos/bio/Makefile openssl-1.0.1u/demos/bio/Makefile
--- openssl-1.0.1u.orig/demos/bio/Makefile	2016-09-22 10:29:26 +0000
+++ openssl-1.0.1u/demos/bio/Makefile	2016-12-20 11:29:28 +0000
@@ -1,16 +1,23 @@
-CC=cc
-CFLAGS= -g -I../../include
-LIBS= -L../.. ../../libssl.a ../../libcrypto.a
-EXAMPLES=saccept sconnect
+CC=gcc
+CFLAGS= -g2 -O0 -march=i386 -mtune=i586 -I../../include
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
+LIBS= -L../.. ../../libssl.a ../../libcrypto.a /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
+EXE=.exe
+EXAMPLES=saccept$(EXE) sconnect$(EXE)
 
 all: $(EXAMPLES) 
 
-saccept: saccept.o
-	$(CC) -o saccept saccept.o $(LIBS)
+saccept$(EXE): saccept.o
+	$(CC) -o saccept$(EXE) saccept.o $(LIBS)
 
-sconnect: sconnect.o
-	$(CC) -o sconnect sconnect.o $(LIBS)
+sconnect$(EXE): sconnect.o
+	$(CC) -o sconnect$(EXE) sconnect.o $(LIBS)
 
 clean:	
 	rm -f $(EXAMPLES) *.o
 
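Review bot: The `ifeq ($(filter 2 3 4,...),)` test is also true when the probe prints nothing, for example when `$(CC)` is missing or is not gcc, so `-fgnu89-inline` is added whenever the version could not be read. Its comment puts the cut-off at gcc 5, while the Configure hunk in this patch adds the same flag from gcc 4.2 onwards; one rule should be used in both places. Storing the probe result in a variable and adding the flag only when it is non-empty and not 2, 3 or 4 would make the failure case explicit. The same block is repeated in demos/prime, demos/sign and demos/state_machine; the last of these never sets `CC`, so it probes make's default `cc`, and it also drops `-Werror`, which the ChangeLog does not mention.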
diff -aprNU5 openssl-1.0.1u.orig/demos/prime/Makefile openssl-1.0.1u/demos/prime/Makefile
--- openssl-1.0.1u.orig/demos/prime/Makefile	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/demos/prime/Makefile	2016-12-20 11:29:28 +0000
@@ -1,14 +1,21 @@
-CC=cc
-CFLAGS= -g -I../../include -Wall
-LIBS=  -L../.. -lcrypto
-EXAMPLES=prime
+CC=gcc
+CFLAGS= -g2 -O0 -march=i386 -mtune=i586 -I../../include -Wall
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
+LIBS=  -L../.. -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
+EXE=.exe
+EXAMPLES=prime$(EXE)
 
 all: $(EXAMPLES) 
 
-prime: prime.o
-	$(CC) -o prime prime.o $(LIBS)
+prime$(EXE): prime.o
+	$(CC) -o prime$(EXE) prime.o $(LIBS)
 
 clean:	
 	rm -f $(EXAMPLES) *.o
 
 test: all
diff -aprNU5 openssl-1.0.1u.orig/demos/sign/Makefile openssl-1.0.1u/demos/sign/Makefile
--- openssl-1.0.1u.orig/demos/sign/Makefile	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/demos/sign/Makefile	2016-12-20 11:29:28 +0000
@@ -1,15 +1,22 @@
-CC=cc
-CFLAGS= -g -I../../include -Wall
-LIBS=  -L../.. -lcrypto
-EXAMPLES=sign
+CC=gcc
+CFLAGS= -g2 -O0 -march=i386 -mtune=i586 -I../../include -Wall
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
+LIBS=  -L../.. -lcrypto /dev/env/DJDIR/net/watt/lib/libwatt.a -lz
+EXE=.exe
+EXAMPLES=sign$(EXE)
 
 all: $(EXAMPLES) 
 
-sign: sign.o
-	$(CC) -o sign sign.o $(LIBS)
+sign$(EXE): sign.o
+	$(CC) -o sign$(EXE) sign.o $(LIBS)
 
 clean:	
 	rm -f $(EXAMPLES) *.o
 
 test: all
-	./sign
+	./sign$(EXE)
diff -aprNU5 openssl-1.0.1u.orig/demos/state_machine/Makefile openssl-1.0.1u/demos/state_machine/Makefile
--- openssl-1.0.1u.orig/demos/state_machine/Makefile	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/demos/state_machine/Makefile	2016-12-20 11:29:28 +0000
@@ -1,9 +1,16 @@
-CFLAGS=-I../../include -Wall -Werror -g
+CFLAGS=-I../../include -Wall -g2 -O0 -march=i386 -mtune=i586
+ifeq ($(filter 2 3 4,$(word 3, $(shell true | $(CC) -E -dD -x c - | grep 'define\ *__GNUC__'))),)
+# We have gcc >= 5.x and we must ensure that always traditional
+# GNU extern inline semantics are used (aka -fgnu89-inline) even
+# if ISO C99 semantics have been specified.
+CFLAGS += -fgnu89-inline
+endif
+EXE=.exe
 
-all: state_machine
+all: state_machine$(EXE)
 
-state_machine: state_machine.o
-	$(CC) -o state_machine state_machine.o -L../.. -lssl -lcrypto
+state_machine$(EXE): state_machine.o
+	$(CC) -o state_machine$(EXE) state_machine.o -L../.. -lssl -lcrypto
 
-test: state_machine
-	./state_machine 10000 ../../apps/server.pem ../../apps/server.pem
+test: state_machine$(EXE)
+	./state_machine$(EXE) 10000 ../../apps/server.pem ../../apps/server.pem
diff -aprNU5 openssl-1.0.1u.orig/Makefile.org openssl-1.0.1u/Makefile.org
--- openssl-1.0.1u.orig/Makefile.org	2016-09-22 10:29:26 +0000
+++ openssl-1.0.1u/Makefile.org	2016-12-20 11:29:28 +0000
@@ -155,10 +155,13 @@ SDIRS=  \
 # should be performed.
 TESTS = alltests
 
 MAKEFILE= Makefile
 
+INSTALL_OPENSSLDIR=$(INSTALLTOP)/share/ssl
+INSTALL_HTMLDIR=$(INSTALLTOP)/share/ssl/html
+INSTALL_MANDIR=$(INSTALLTOP)/share/ssl/man
 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
 MAN3=3
 MANSUFFIX=
 HTMLSUFFIX=html
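Review bot: `INSTALL_OPENSSLDIR`, `INSTALL_HTMLDIR` and `INSTALL_MANDIR` are set unconditionally to paths under `$(INSTALLTOP)/share/ssl`, so on every platform the files are installed there even when `OPENSSLDIR` was configured to something else. `OPENSSLDIR` is still what BUILDENV passes on, and as far as I know it is the directory the library is compiled to search for openssl.cnf and certs. A mismatch would mean the installed configuration and certificate directory are not the ones read at run time. Defaulting to the existing variables, e.g. `INSTALL_OPENSSLDIR=$(OPENSSLDIR)` and `INSTALL_MANDIR=$(MANDIR)`, and letting Configure override them for DJGPP would leave other targets unchanged.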
@@ -208,11 +211,11 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESS
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
 		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
-		LIBDIR='$(LIBDIR)'				\
+		INSTALL_OPENSSLDIR='$(INSTALL_OPENSSLDIR)' LIBDIR='$(LIBDIR)'	\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
 		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
@@ -526,21 +529,22 @@ tar-snap: $(TARFILE).list
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) SDIRS='$(SDIRS)' clean
 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
 
-install: all install_docs install_sw
+# install: all install_docs install_sw
+install: install_html_docs install_docs install_sw
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+		$(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc \
+		$(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/certs \
+		$(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/private
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
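Review bot: The new `install` rule no longer depends on `all`, so `make install` on a tree that has not been built goes straight to `install_sw` and copies whatever happens to be present. It also makes `install_html_docs` part of every install, which needs `pod2html` and `sed -r` on the build machine. Unless dropping the build step is intended, keep it in front: `install: all install_html_docs install_docs install_sw`. The commented-out old rule left above it could then be removed, or replaced by a comment saying why the HTML docs are installed by default. The `install_sw` recipe continues outside this hunk.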
@@ -604,34 +608,34 @@ install_sw:
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 
 install_html_docs:
 	here="`pwd`"; \
 	for subdir in apps crypto ssl; do \
-		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		mkdir -p $(INSTALL_PREFIX)$(INSTALL_HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
 			cat $$i \
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
 			| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
-			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
+			> $(INSTALL_PREFIX)$(INSTALL_HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
-				(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+				(cd $(INSTALL_PREFIX)$(INSTALL_HTMLDIR)/$$subdir; \
 				 while read n; do \
 					PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
 				 done); \
 		done; \
 	done
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
-		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-		$(INSTALL_PREFIX)$(MANDIR)/man7
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man1 \
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man3 \
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man5 \
+		$(INSTALL_PREFIX)$(INSTALL_MANDIR)/man7
 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
 		filecase=-i; \
@@ -642,15 +646,15 @@ install_docs:
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done; \
 	set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
@@ -659,15 +663,15 @@ install_docs:
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(INSTALL_PREFIX)$(INSTALL_MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done
 
diff -aprNU5 openssl-1.0.1u.orig/tools/Makefile openssl-1.0.1u/tools/Makefile
--- openssl-1.0.1u.orig/tools/Makefile	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/tools/Makefile	2016-12-20 11:29:28 +0000
@@ -26,13 +26,13 @@ install:
 	chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	done;
 	@for i in $(MISC_APPS) ; \
 	do  \
-	(cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	chmod 755 $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new; \
+	mv -f $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(INSTALL_OPENSSLDIR)/misc/$$i ); \
 	done;
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 







This is the patch submitted to the OpenSSL maintainers to fix and improve
certain DJGPP specific issues and to support the upcoming Watt-32 version.
The maintainers have committed these changes into the 1.1.0 version but they
will not be committed into any of the maintenance 1.0.N versions.




2016-12-20  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* Configure:  Replaced -DTERMIO by -DTERMIOS in CFLAGS.

	* crypto/bio/bss_dgram.c [WATT32]:  Remove obsolete redefinition of
	function names: sock_write, sock_read and sock_puts.

	* crypto/bio/bss_sock.c [WATT32]:  For Watt-32 2.2.11 sock_write,
	sock_read and sock_puts are redefined to their private names so their
	names must be undefined first before they can be redefined again.

	* crypto/bio/bss_file.c (file_fopen) [OPENSSL_SYS_MSDOS]:  Call
	dosify_filename to replace leading dot if file system does not support
	it.
	(dosify_filename):  Replace leading dot in passed file name if file
	system does not support LFN.  Replace all leading dots in the dirname
	part and the basename part of the file name.

	* e_os.h [__DJGPP__]:  Undefine macro DEVRANDOM_EGD.  Neither MS-DOS
	nor FreeDOS provide 'egd' sockets.
	New macro HAS_LFN_SUPPORT checks if underlying file system supports
	long file names or not.

	* util/mklink.pl:  Do not use symlinks for DJGPP.

	* INSTALL.DJGPP:  Update URL of WATT-32 library.









diff -aprNU5 openssl-1.0.1u.orig/crypto/bio/bss_dgram.c openssl-1.0.1u/crypto/bio/bss_dgram.c
--- openssl-1.0.1u.orig/crypto/bio/bss_dgram.c	2016-09-22 10:29:26 +0000
+++ openssl-1.0.1u/crypto/bio/bss_dgram.c	2016-12-20 11:40:44 +0000
@@ -88,16 +88,10 @@
         (((a)->s6_addr32[0] == 0) &&          \
          ((a)->s6_addr32[1] == 0) &&          \
          ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 # endif
 
-# ifdef WATT32
-#  define sock_write SockWrite  /* Watt-32 uses same names */
-#  define sock_read  SockRead
-#  define sock_puts  SockPuts
-# endif
-
 static int dgram_write(BIO *h, const char *buf, int num);
 static int dgram_read(BIO *h, char *buf, int size);
 static int dgram_puts(BIO *h, const char *str);
 static long dgram_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int dgram_new(BIO *h);
diff -aprNU5 openssl-1.0.1u.orig/crypto/bio/bss_file.c openssl-1.0.1u/crypto/bio/bss_file.c
--- openssl-1.0.1u.orig/crypto/bio/bss_file.c	2016-09-22 10:29:26 +0000
+++ openssl-1.0.1u/crypto/bio/bss_file.c	2016-12-20 11:40:44 +0000
@@ -93,10 +93,14 @@
 #  include <nwfileio.h>
 # endif
 
 # if !defined(OPENSSL_NO_STDIO)
 
+#ifdef OPENSSL_SYS_MSDOS
+# include <libc/unconst.h>
+static void dosify_filename(const char *filename);
+#endif
 static int MS_CALLBACK file_write(BIO *h, const char *buf, int num);
 static int MS_CALLBACK file_read(BIO *h, char *buf, int size);
 static int MS_CALLBACK file_puts(BIO *h, const char *str);
 static int MS_CALLBACK file_gets(BIO *h, char *str, int size);
 static long MS_CALLBACK file_ctrl(BIO *h, int cmd, long arg1, void *arg2);
@@ -159,10 +163,13 @@ static FILE *file_fopen(const char *file
         }
     } else if (GetLastError() == ERROR_NO_UNICODE_TRANSLATION) {
         file = fopen(filename, mode);
     }
 #  else
+#   ifdef OPENSSL_SYS_MSDOS
+    dosify_filename(filename);
+#   endif
     file = fopen(filename, mode);
 #  endif
     return (file);
 }
 
@@ -465,8 +472,25 @@ static int MS_CALLBACK file_puts(BIO *bp
     n = strlen(str);
     ret = file_write(bp, str, n);
     return (ret);
 }
 
+#  ifdef OPENSSL_SYS_MSDOS
+static void dosify_filename(const char *filename)
+{
+    if (filename && *filename && !HAS_LFN_SUPPORT(filename)) {
+        char *namestart = unconst(filename, char *);
+
+        do {
+            if (namestart[0] == '/' && namestart[2] != '.' && namestart[2] != '/') {
+
+                /* Leading dot not allowed on plain DOS.  */
+                if (namestart[1] == '.')
+                    *++namestart = '_';
+            }
+        } while (*++namestart);
+    }
+}
+#  endif
 # endif                         /* OPENSSL_NO_STDIO */
 
 #endif                          /* HEADER_BSS_FILE_C */
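Review bot: `dosify_filename` reads `namestart[2]` before it has checked `namestart[1]`, so for a path that ends in `/` the test looks one byte past the terminating NUL; a path ending in `/.` is also rewritten to `/_`. Testing the dot first and excluding the terminator avoids both: `if (namestart[0] == '/' && namestart[1] == '.' && namestart[2] != '\0' && namestart[2] != '.' && namestart[2] != '/')`. The function also writes through `unconst()` into the caller's `const char *filename`, which changes the caller's string and is undefined if a string literal was passed to `file_fopen`. Rewriting a local copy and passing that to `fopen` would keep the const contract. A name whose first character is the dot (no preceding `/`) and `\`-separated paths are not handled, which seems at odds with the ChangeLog wording.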
diff -aprNU5 openssl-1.0.1u.orig/crypto/bio/bss_sock.c openssl-1.0.1u/crypto/bio/bss_sock.c
--- openssl-1.0.1u.orig/crypto/bio/bss_sock.c	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/crypto/bio/bss_sock.c	2016-12-20 11:40:44 +0000
@@ -64,11 +64,15 @@
 #ifndef OPENSSL_NO_SOCK
 
 # include <openssl/bio.h>
 
 # ifdef WATT32
-#  define sock_write SockWrite  /* Watt-32 uses same names */
+/* Watt-32 uses same names */
+#  undef sock_write
+#  undef sock_read
+#  undef sock_puts
+#  define sock_write SockWrite
 #  define sock_read  SockRead
 #  define sock_puts  SockPuts
 # endif
 
 static int sock_write(BIO *h, const char *buf, int num);
diff -aprNU5 openssl-1.0.1u.orig/e_os.h openssl-1.0.1u/e_os.h
--- openssl-1.0.1u.orig/e_os.h	2016-09-22 10:29:26 +0000
+++ openssl-1.0.1u/e_os.h	2016-12-20 11:40:44 +0000
@@ -240,10 +240,12 @@ extern "C" {
 #   include <tcp.h>
 #   include <netdb.h>
 #   define _setmode setmode
 #   define _O_TEXT O_TEXT
 #   define _O_BINARY O_BINARY
+#   define HAS_LFN_SUPPORT(name)  (pathconf((name), _PC_NAME_MAX) > 12)
+#   undef DEVRANDOM_EGD  /*  Neither MS-DOS nor FreeDOS provide 'egd' sockets.  */
 #   undef DEVRANDOM
 #   define DEVRANDOM "/dev/urandom\x24"
 #  endif                        /* __DJGPP__ */
 
 #  ifndef S_IFDIR
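Review bot: `HAS_LFN_SUPPORT` has no comment explaining the constant 12 or what happens when `pathconf()` fails. As written, a return of -1 compares as "not greater than 12" and is treated as a file system without long names, which makes `dosify_filename` rewrite the path. I would add a comment such as `/* 8.3 names are at most 12 characters; a larger _PC_NAME_MAX means LFN is available. pathconf() failure (-1) is treated as "no LFN". */`. If that fallback is not what is wanted for a path that cannot be queried, the macro should test for -1 explicitly.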
diff -aprNU5 openssl-1.0.1u.orig/util/mklink.pl openssl-1.0.1u/util/mklink.pl
--- openssl-1.0.1u.orig/util/mklink.pl	2016-09-22 10:23:06 +0000
+++ openssl-1.0.1u/util/mklink.pl	2016-12-20 11:40:44 +0000
@@ -49,11 +49,11 @@ foreach $dirname (@from_path) {
 
 my $to = join('/', @to_path);
 
 my $file;
 $symlink_exists=eval {symlink("",""); 1};
-if ($^O eq "msys") { $symlink_exists=0 };
+if ($^O eq "msys" || $^O eq 'dos') { $symlink_exists=0 };
 foreach $file (@files) {
     my $err = "";
     if ($symlink_exists) {
 	unlink "$from/$file";
 	symlink("$to/$file", "$from/$file") or $err = " [$!]";







2016-12-20  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	Applied some patches taken from openssl_1.0.1t-1+deb8u5.debian.tar.xz
	available at:
	  http://ftp.de.debian.org/debian/pool/main/o/openssl/.
	The applied patches are:
	  block_digicert_malaysia.patch
	  block_diginotar.patch
	  ca.patch
	  c_rehash-compat.patch
	  defaults.patch
	  openssl_fix_for_x32.patch
	  padlock_conf.patch
	  rehash-crt.patch
	  stddef.patch






diff -aprNU5 openssl-1.0.1u.orig/apps/CA.pl.in openssl-1.0.1u/apps/CA.pl.in
--- openssl-1.0.1u.orig/apps/CA.pl.in	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/apps/CA.pl.in	2016-12-21 12:56:52 +0000
@@ -63,10 +63,11 @@ $DIRMODE = 0777;
 $RET = 0;
 
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
 	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
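Review bot: The help branch now prints two lines that both start with `usage:` and list different option sets: the added line omits `-newreq-nodes`, and the original omits `-signcert`. A reader cannot tell which one is authoritative. Merging them into one message keeps the help consistent: `print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert certfile keyfile|-verify\n";`. The same duplicated pair is added in the `Unknown arg` branch in the next hunk.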
@@ -163,10 +164,11 @@ foreach (@ARGV) {
 	    	    exit 0;
 	    }
 	} else {
 	    print STDERR "Unknown arg $_\n";
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
 	    exit 1;
 	}
 }
 
 exit $RET;
diff -aprNU5 openssl-1.0.1u.orig/apps/genrsa.c openssl-1.0.1u/apps/genrsa.c
--- openssl-1.0.1u.orig/apps/genrsa.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/apps/genrsa.c	2016-12-21 12:56:52 +0000
@@ -78,11 +78,11 @@
 # include <openssl/evp.h>
 # include <openssl/x509.h>
 # include <openssl/pem.h>
 # include <openssl/rand.h>
 
-# define DEFBITS 1024
+# define DEFBITS 2048
 # undef PROG
 # define PROG genrsa_main
 
 static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
 
diff -aprNU5 openssl-1.0.1u.orig/apps/openssl.cnf openssl-1.0.1u/apps/openssl.cnf
--- openssl-1.0.1u.orig/apps/openssl.cnf	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/apps/openssl.cnf	2016-12-21 12:56:52 +0000
@@ -17,10 +17,12 @@ oid_section		= new_oids
 # X.509v3 extensions to use:
 # extensions		= 
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 
+openssl_conf = openssl_def
+
 [ new_oids ]
 
 # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 # Add a simple OID like this:
 # testoid1=1.2.3.4
@@ -101,11 +103,11 @@ organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
 
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
@@ -346,5 +348,18 @@ ordering		= yes	# Is ordering defined fo
 				# (optional, default: no)
 tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+padlock = padlock_section
+
+[padlock_section]
+soft_load=1
+init=1
+default_algorithms = ALL
+dynamic_path=padlock
+
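Review bot: The new `[padlock_section]` makes every program that reads this default configuration try to load the `padlock` engine at start-up and, with `default_algorithms = ALL`, register it as the default for everything it implements. This comes from the Debian patch set (padlock_conf.patch is listed in the ChangeLog), and it is not clear that it is wanted for a DJGPP build; `soft_load=1` only hides the failure when the engine is absent. If it is kept, add a comment above `openssl_conf = openssl_def` saying why an engine is loaded by default, and narrow the `default_algorithms` list, so the behaviour is visible to whoever edits the file. Otherwise ship the three sections commented out.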
diff -aprNU5 openssl-1.0.1u.orig/crypto/bn/asm/x86_64-gcc.c openssl-1.0.1u/crypto/bn/asm/x86_64-gcc.c
--- openssl-1.0.1u.orig/crypto/bn/asm/x86_64-gcc.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/crypto/bn/asm/x86_64-gcc.c	2016-12-21 12:56:52 +0000
@@ -53,11 +53,11 @@
  *    For the reference. IA-32 assembler implementation performs
  *    very much like 64-bit code compiled with no-asm on the same
  *    machine.
  */
 
-# ifdef _WIN64
+#if defined _WIN64 || !defined __LP64__
 #  define BN_ULONG unsigned long long
 # else
 #  define BN_ULONG unsigned long
 # endif
 
@@ -209,13 +209,13 @@ BN_ULONG bn_add_words(BN_ULONG *rp, cons
     if (n <= 0)
         return 0;
 
     asm volatile ("       subq    %2,%2           \n"
                   ".p2align 4                     \n"
-                  "1:     movq    (%4,%2,8),%0    \n"
-                  "       adcq    (%5,%2,8),%0    \n"
-                  "       movq    %0,(%3,%2,8)    \n"
+                  "1:     movq    (%q4,%2,8),%0   \n"
+                  "       adcq    (%q5,%2,8),%0   \n"
+                  "       movq    %0,(%q3,%2,8)   \n"
                   "       leaq    1(%2),%2        \n"
                   "       loop    1b              \n"
                   "       sbbq    %0,%0           \n":"=&a" (ret), "+c"(n),
                   "=&r"(i)
                   :"r"(rp), "r"(ap), "r"(bp)
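Review bot: The `%q3`, `%q4` and `%q5` modifiers here and in the bn_sub_words hunk force the 64-bit register name for the `rp`, `ap` and `bp` operands, and nothing in either hunk says what guarantees the upper half of those registers when pointers are 32 bits wide. Presumably the change relies on the upper 32 bits being zero in that configuration; that assumption should be written down next to the asm, e.g. `/* %q: pointers may be 32-bit (no __LP64__); upper register half assumed zero-extended */`. The asm statement continues past the end of the hunk, so the clobber list is not visible here.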
@@ -233,13 +233,13 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, cons
     if (n <= 0)
         return 0;
 
     asm volatile ("       subq    %2,%2           \n"
                   ".p2align 4                     \n"
-                  "1:     movq    (%4,%2,8),%0    \n"
-                  "       sbbq    (%5,%2,8),%0    \n"
-                  "       movq    %0,(%3,%2,8)    \n"
+                  "1:     movq    (%q4,%2,8),%0   \n"
+                  "       sbbq    (%q5,%2,8),%0   \n"
+                  "       movq    %0,(%q3,%2,8)   \n"
                   "       leaq    1(%2),%2        \n"
                   "       loop    1b              \n"
                   "       sbbq    %0,%0           \n":"=&a" (ret), "+c"(n),
                   "=&r"(i)
                   :"r"(rp), "r"(ap), "r"(bp)
diff -aprNU5 openssl-1.0.1u.orig/crypto/dsa/dsa_ameth.c openssl-1.0.1u/crypto/dsa/dsa_ameth.c
--- openssl-1.0.1u.orig/crypto/dsa/dsa_ameth.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/crypto/dsa/dsa_ameth.c	2016-12-21 12:56:52 +0000
@@ -603,11 +603,11 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
         }
         return 1;
 #endif
 
     case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-        *(int *)arg2 = NID_sha1;
+        *(int *)arg2 = NID_sha256;
         return 2;
 
     default:
         return -2;
 
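Review bot: This case and the matching ones in the ec_ameth.c, hm_ameth.c and rsa_ameth.c hunks change the digest a caller receives when it asks for the key type's default, and none of the four sites records that the move away from SHA-1 is deliberate. The return codes are left as they were (2 here and for EC, 1 for RSA and HMAC). If callers read 2 as "this digest is required", DSA and EC users are now steered to SHA-256 only, which is worth confirming against the callers outside these hunks. A short comment at each site, such as `/* default raised from SHA-1; return code unchanged */`, would make the intent clear. dsa_pkey_ctrl starts and ends outside the hunk.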
diff -aprNU5 openssl-1.0.1u.orig/crypto/ec/ec_ameth.c openssl-1.0.1u/crypto/ec/ec_ameth.c
--- openssl-1.0.1u.orig/crypto/ec/ec_ameth.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/crypto/ec/ec_ameth.c	2016-12-21 12:56:52 +0000
@@ -581,11 +581,11 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
         }
         return 1;
 #endif
 
     case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-        *(int *)arg2 = NID_sha1;
+        *(int *)arg2 = NID_sha256;
         return 2;
 
     default:
         return -2;
 
diff -aprNU5 openssl-1.0.1u.orig/crypto/hmac/hm_ameth.c openssl-1.0.1u/crypto/hmac/hm_ameth.c
--- openssl-1.0.1u.orig/crypto/hmac/hm_ameth.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/crypto/hmac/hm_ameth.c	2016-12-21 12:56:52 +0000
@@ -85,11 +85,11 @@ static void hmac_key_free(EVP_PKEY *pkey
 
 static int hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 {
     switch (op) {
     case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-        *(int *)arg2 = NID_sha1;
+        *(int *)arg2 = NID_sha256;
         return 1;
 
     default:
         return -2;
     }
diff -aprNU5 openssl-1.0.1u.orig/crypto/rsa/rsa_ameth.c openssl-1.0.1u/crypto/rsa/rsa_ameth.c
--- openssl-1.0.1u.orig/crypto/rsa/rsa_ameth.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/crypto/rsa/rsa_ameth.c	2016-12-21 12:56:52 +0000
@@ -409,11 +409,11 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey,
             CMS_RecipientInfo_ktri_get0_algs(arg2, NULL, NULL, &alg);
         break;
 #endif
 
     case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
-        *(int *)arg2 = NID_sha1;
+        *(int *)arg2 = NID_sha256;
         return 1;
 
     default:
         return -2;
 
diff -aprNU5 openssl-1.0.1u.orig/crypto/sha/sha.h openssl-1.0.1u/crypto/sha/sha.h
--- openssl-1.0.1u.orig/crypto/sha/sha.h	2016-09-22 10:23:02 +0000
+++ openssl-1.0.1u/crypto/sha/sha.h	2016-12-21 12:56:52 +0000
@@ -57,12 +57,12 @@
  */
 
 #ifndef HEADER_SHA_H
 # define HEADER_SHA_H
 
-# include <openssl/e_os2.h>
 # include <stddef.h>
+# include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
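Review bot: Moving `<stddef.h>` ahead of `<openssl/e_os2.h>` implies the two headers are order-dependent on the target, but the hunk leaves no comment saying why, so a later include clean-up could silently undo it. A one-line comment above the pair, for example `/* <stddef.h> must come before e_os2.h on <platform>: <reason> */` (placeholders), would record the constraint.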
diff -aprNU5 openssl-1.0.1u.orig/crypto/x509/x509_vfy.c openssl-1.0.1u/crypto/x509/x509_vfy.c
--- openssl-1.0.1u.orig/crypto/x509/x509_vfy.c	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/crypto/x509/x509_vfy.c	2016-12-21 12:56:54 +0000
@@ -115,10 +115,11 @@ static int check_chain_extensions(X509_S
 static int check_name_constraints(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
 static int check_revocation(X509_STORE_CTX *ctx);
 static int check_cert(X509_STORE_CTX *ctx);
 static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
 
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
                          unsigned int *preasons, X509_CRL *crl, X509 *x);
 static int get_crl_delta(X509_STORE_CTX *ctx,
                          X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
@@ -421,10 +422,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx
     else
         ok = internal_verify(ctx);
     if (!ok)
         goto end;
 
+    ok = check_ca_blacklist(ctx);
+    if(!ok)
+	    goto end;
+
 #ifndef OPENSSL_NO_RFC3779
     /* RFC 3779 path validation, now that CRL check has been done */
     ok = v3_asid_validate_path(ctx);
     if (!ok)
         goto end;
@@ -955,10 +960,32 @@ static int check_crl_time(X509_STORE_CTX
         ctx->current_crl = NULL;
 
     return 1;
 }
 
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+{
+	X509 *x;
+	int i;
+	/* Check all certificates against the blacklist */
+	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
+		x = sk_X509_value(ctx->chain, i);
+		/* Mark certificates containing the following names as
+		 * revoked, no matter where in the chain they are.
+		 */
+		if (x->name && (strstr(x->name, "DigiNotar") ||
+				strstr(x->name, "Digicert Sdn. Bhd."))) {
+			ctx->error = X509_V_ERR_CERT_REVOKED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			if (!ctx->verify_cb(0,ctx))
+				return 0;
+		}
+	}
+	return 1;
+}
+
 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
                       X509 **pissuer, int *pscore, unsigned int *preasons,
                       STACK_OF(X509_CRL) *crls)
 {
     int i, crl_score, best_score = *pscore;
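Review bot: check_ca_blacklist decides rejection with a case-sensitive substring test on `x->name`, so it flags any certificate whose name string merely contains one of the two texts, and it skips every certificate whose `x->name` is NULL. If `name` is only filled in when a certificate is decoded (not visible here), a chain member built in memory would never be tested; comparing the parsed subject and issuer, or a key or certificate fingerprint, would be more precise. A `verify_cb` that returns non-zero lets the chain continue, which the comment should state, e.g. `/* match is by name text, not by key; result is overridable by verify_cb */`. The new function and the call added in the X509_verify_cert hunk are indented with tabs and write `if(!ok)`, while the surrounding context uses four spaces and `if (!ok)`.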
diff -aprNU5 openssl-1.0.1u.orig/tools/c_rehash.in openssl-1.0.1u/tools/c_rehash.in
--- openssl-1.0.1u.orig/tools/c_rehash.in	2016-09-22 10:29:22 +0000
+++ openssl-1.0.1u/tools/c_rehash.in	2016-12-21 12:56:52 +0000
@@ -73,18 +73,22 @@ sub hash_dir {
 		if(-l $_) {
 			unlink $_;
 		}
 	}
 	closedir DIR;
-	FILE: foreach $fname (grep {/\.pem$/} @flist) {
+	FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
 		# Check to see if certificates and/or CRLs present.
 		my ($cert, $crl) = check_file($fname);
 		if(!$cert && !$crl) {
-			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-			next;
+			($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der  -outform pem | ");
+			if(!$cert && !$crl) {
+				print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+				next;
+			}
 		}
 		link_hash_cert($fname) if($cert);
+		link_hash_cert_old($fname) if($cert);
 		link_hash_crl($fname) if($crl);
 	}
 }
 
 sub check_file {
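Review bot: The DER fallback builds a shell pipeline from `$fname` with only double quotes around it, so a file name in the scanned directory that contains shell metacharacters is interpreted by the shell instead of being passed to openssl as data. check_file's body is outside this hunk, but for this call to work it has to open its argument with a two-argument `open`, which carries the same hazard. A list-form pipe such as `open(my $in, '-|', $openssl, 'x509', '-inform', 'der', '-outform', 'pem', '-in', $fname)`, with check_file reading from the handle, keeps the shell out of it, provided the target Perl supports list-form pipes. The backtick command in the link_hash_cert hunk has the same exposure, because the existing substitution escapes `'` while the name is wrapped in `"`.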
@@ -114,12 +118,13 @@ sub check_file {
 # case we skip the link. We check for duplicates by comparing the
 # certificate fingerprints
 
 sub link_hash_cert {
 		my $fname = $_[0];
+		my $hashopt = $_[1] || '-subject_hash';
 		$fname =~ s/'/'\\''/g;
-		my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`;
+		my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
 		chomp $hash;
 		chomp $fprint;
 		$fprint =~ s/^.*=//;
 		$fprint =~ tr/://d;
 		my $suffix = 0;
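Review bot: A certificate that hash_dir now accepts through its DER fallback still reaches this backtick command without `-inform der`, so for a DER-encoded `.crt` file `$hash` and `$fprint` would presumably come back empty and the link would be created under an empty hash name. The link_hash_crl hunk retries with `-inform der` when the first call returns nothing; the same retry, keyed on `!$hash`, belongs here. The rest of link_hash_cert is outside the hunk, so any later guard on an empty `$hash` cannot be seen from here.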
@@ -145,16 +150,23 @@ sub link_hash_cert {
 			close IN;
 		}
 		$hashlist{$hash} = $fprint;
 }
 
+sub link_hash_cert_old {
+		link_hash_cert($_[0], '-subject_hash_old');
+}
+
 # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
 
 sub link_hash_crl {
 		my $fname = $_[0];
 		$fname =~ s/'/'\\''/g;
 		my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
+		if(!$hash || !fprint) {
+			($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`;
+		}
 		chomp $hash;
 		chomp $fprint;
 		$fprint =~ s/^.*=//;
 		$fprint =~ tr/://d;
 		my $suffix = 0;
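Review bot: The new guard reads `!fprint` without the `$` sigil, so without strict Perl takes it as the bareword string "fprint", which is always true, and under `use strict` it will not compile; either way the fingerprint is never tested. The line should read `if(!$hash || !$fprint) {`. If the DER retry also returns nothing, the code falls through to `chomp` on undefined values, so an explicit `return` with a warning after the retry would be cleaner. link_hash_crl continues past the end of the hunk.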
