Release OpenSSL 0.9.8g with various fixes to issues introduced with 0.9.8f

http://cvs.openssl.org/chngview?cn=16696
Ensure the ticket expected flag is reset when a stateless resumption is successful.

Submitted by: steve

.codespellrc

@@ -1,452 +0,0 @@
-[codespell]
-ignore-regex = \b[a-zA-Z][a-zA-Z]\b
-
-uri-ignore-words-list =
-    standarts
-
-ignore-words-list =
-    aas,
-    Aas,
-    AAS,
-    abd,
-    ABD,
-    accreting,
-    ADDAD,
-    addin,
-    adin,
-    AFAIR,
-    afile,
-    afterAll,
-    AfterAll,
-    Ake,
-    ALine,
-    allEdges,
-    alloced,
-    alloco,
-    allws,
-    alo,
-    Alo,
-    alow,
-    ALS,
-    alsptd,
-    ang,
-    ans,
-    anS,
-    ANS,
-    aNULL,
-    archType,
-    arithmetics,
-    assertIn,
-    ategory,
-    atLeast,
-    AtLeast,
-    atMost,
-    biom,
-    bion,
-    bootup,
-    BRE,
-    Buda,
-    buildd,
-    bve,
-    CAF,
-    cann,
-    CANN,
-    cant,
-    Chang,
-    checkin,
-    childs,
-    ciph,
-    circularly,
-    Circularly,
-    claus,
-    Claus,
-    clen,
-    CLOS,
-    co-ordinate,
-    co-ordinates,
-    Collet,
-    Collison,
-    compilability,
-    compileTime,
-    CompileTime,
-    complies,
-    COMPLIES,
-    configury,
-    consumation,
-    couldn,
-    crasher,
-    crashers,
-    crate,
-    Crate,
-    CRATE,
-    creat,
-    CREAT,
-    CrOS,
-    crypted,
-    CRYPTED,
-    currentY,
-    DAA,
-    datas,
-    debbugs,
-    Debbugs,
-    DELET,
-    dependancies,
-    dependancy,
-    dependant,
-    deque,
-    Deque,
-    dota,
-    doubleclick,
-    doubleClick,
-    DoubleClick,
-    dout,
-    Dout,
-    DOUT,
-    dum,
-    dur,
-    Dur,
-    Durin,
-    ect,
-    ECT,
-    ede,
-    EDE,
-    endianess,
-    endin,
-    engineerr,
-    ENGINEerr,
-    equest,
-    equests,
-    FileTest,
-    FILETEST,
-    filetests,
-    flate,
-    Flate,
-    FLATE,
-    fpr,
-    FPR,
-    FPT,
-    gord,
-    gost,
-    Gost,
-    GOST,
-    Hart,
-    hasTable,
-    hel,
-    hist,
-    HIST,
-    HSI,
-    htmp,
-    ifset,
-    igest,
-    iif,
-    IIF,
-    implementor,
-    Implementor,
-    implementors,
-    Implementors,
-    inactivate,
-    inbrace,
-    indention,
-    indx,
-    ine,
-    informat,
-    inh,
-    inout,
-    inOut,
-    InOut,
-    INOUT,
-    ISCONNECTION,
-    isnt,
-    ist,
-    IST,
-    keep-alives,
-    keypair,
-    keyPair,
-    Keypair,
-    KeyPair,
-    KEYPAIR,
-    keypairs,
-    keyPairs,
-    Keypairs,
-    KeyPairs,
-    keyserver,
-    LAMDA,
-    larg,
-    leapYear,
-    LOd,
-    LOD,
-    Maked,
-    Manger,
-    Manuel,
-    ment,
-    Merget,
-    minimise,
-    mis,
-    Mis,
-    MIS,
-    mitre,
-    Mitre,
-    MITRE,
-    mmaped,
-    msdos,
-    MSDOS,
-    nam,
-    Nam,
-    NAM,
-    nclusion,
-    Ned,
-    nin,
-    Nin,
-    nmake,
-    NMake,
-    NMAKE,
-    NOo,
-    notin,
-    Notin,
-    NotIn,
-    numer,
-    OCE,
-    offsetp,
-    ois,
-    onText,
-    OnText,
-    openin,
-    OptIn,
-    OPTIO,
-    origN,
-    outin,
-    paeth,
-    Paeth,
-    PAETH,
-    parm,
-    pARM,
-    Parm,
-    PARM,
-    parms,
-    pARMS,
-    Parms,
-    PARMs,
-    PARMS,
-    pass-thru,
-    passin,
-    poping,
-    pres,
-    Pres,
-    prevEnd,
-    pris,
-    PullRequest,
-    que,
-    re-usable,
-    Re-usable,
-    re-use,
-    Re-use,
-    re-used,
-    Re-used,
-    re-uses,
-    Re-uses,
-    re-using,
-    Re-using,
-    readd,
-    Readd,
-    readded,
-    Readded,
-    regArg,
-    regArgs,
-    requestor,
-    Requestor,
-    requestors,
-    rewinded,
-    roperties,
-    sav,
-    SEH,
-    ser,
-    Ser,
-    SER,
-    servent,
-    sHolder,
-    shouldBe,
-    shouldnot,
-    SHS,
-    siz,
-    SIZ,
-    SME,
-    SOM,
-    Sorce,
-    sover,
-    splitted,
-    statics,
-    Statics,
-    strRange,
-    succes,
-    technics,
-    testss,
-    therefor,
-    Therefor,
-    therefrom,
-    Thi,
-    thirdparty,
-    thirdParty,
-    Thirdparty,
-    ThirdParty,
-    THIRDPARTY,
-    thru,
-    Thur,
-    THUR,
-    tmplate,
-    tne,
-    tolen,
-    tthe,
-    ture,
-    uis,
-    UIs,
-    upto,
-    upTo,
-    uptodate,
-    upToDate,
-    UpToDate,
-    useable,
-    Useable,
-    userA,
-    UserA,
-    usign,
-    varN,
-    vertexes,
-    vew,
-    vor,
-    WAN,
-    wasn,
-    Widgits,
-    Wirth,
-    wont,
-    WRONLY,
-    WTH
-
-skip =
-    [cC]hange.[lL]og*,
-    [cC]hange[lL]og*,
-    [cC]hanges,
-    [cC]hanges[._-]*,
-    *__*__*.html,
-    *_8h_source.html,
-    *_8h.html,
-    *.asc,
-    *.bin,
-    *.crt,
-    *.css.map,
-    *.eps,
-    *.fr.utf-8,
-    *.git,
-    *.html.de,
-    *.html.es,
-    *.html.fr,
-    *.html.ko.euc-kr,
-    *.html.pt-br,
-    *.info_[0-9],
-    *.ipynb,
-    *.ja.utf8,
-    *.js.map,
-    *.min.js,
-    *.pdf,
-    *.pem,
-    *.po,
-    *.ppm,
-    *.ps,
-    *.rtf,
-    *.sum,
-    *.svg,
-    *.svn,
-    *.tr.utf8,
-    *.xpm,
-    *.zh-cn.utf8,
-    *.zlib,
-    *[._-][cC]hanges,
-    *[._-]CHANGES,
-    */.mailmap,
-    */.versions/*,
-    */[eE]ncode/*,
-    */[eE]ncodings/*,
-    */[lL]ang/*,
-    */[lL]anguage/*,
-    */[lL]anguages/*,
-    */[lL]ocale,
-    */[mM]ath[jJ]ax/*,
-    */[tT]hird*[pP]arty/*,
-    */[tT]ranslation/*,
-    */[tT]ranslations/*,
-    */*.desktop,
-    */*.desktop.in,
-    */*[^a/]test/*,
-    */*[^a/]tests/*,
-    */*[lL]ocal[ei]*/*,
-    */3rd*[pP]arty/*,
-    */aspell/*,
-    */AUTHORS*,
-    */charsets/*,
-    */chrtrans/*,
-    */codepage/*,
-    */data/*,
-    */deps/*,
-    */dict/*,
-    */dictionaries/*,
-    */doc*/[a-df-z][a-z]/*,
-    */doc*/[a-z][a-z][_-][a-zA-Z][a-zA-Z]/*,
-    */doc*/e[a-mo-z]/*,
-    */extern/*,
-    */external/*,
-    */externals/*,
-    */help/[a-df-z][a-z]/*,
-    */help/[a-z][a-z]_[A-Z][A-Z]/*,
-    */help/es/*,
-    */i18n/*,
-    */icu/*,
-    */info/[a-df-z][a-z]/*,
-    */info/[a-z][a-z]_[A-Z][A-Z]/*,
-    */info/es/*,
-    */intl/*,
-    */l10n/*,
-    */langmap/*,
-    */langs/*,
-    */LICENSE,
-    */man*/[a-df-z][a-z]/*,
-    */man*/[a-z][a-z][_-][a-zA-Z][a-zA-Z]/*,
-    */man*/e[a-mo-z]/*,
-    */messages[_./][a-df-z][a-z][_./]*,
-    */messages[_./][a-z][a-z]_[A-Z][A-Z][_./]*,
-    */messages[_./]es[_./]*,
-    */rfc[1-9]*.txt,
-    */runtime/*,
-    */searchindex.js,
-    */test*/*,
-    */test/danetest.in,
-    */test/data2.bin,
-    */test/recipes/30-test_evp_data/evppkey_kas.txt,
-    */test/recipes/30-test_evp_data/evppkey.txt,
-    */unicode/*,
-    */Unicode/*,
-    */unicore/*,
-    */vendor/*,
-    */vendors/*,
-    */yarn.lock,
-    *codespell-check.sh,
-    *lorem-ipsum*,
-    *man[12345657]/*
-    /fonts/*,
-    ABOUT-NLS,
-    authors.xml,
-    CHANGE.log*,
-    CHANGELOG*,
-    CHANGES,
-    CHANGES[._-]*,
-    CONTRIBUTORS*,
-    CREDITS,
-    CREDITS.TXT,
-    DONATIONS,
-    jquery.js,
-    jquery.min.map,
-    localization*-[a-z][a-z]_[a-zA-Z][a-zA-Z].*,
-    localization*-[a-z][a-z].*,
-    MAINTAINERS,
-    NormalizationTest.txt,
-    package-lock.json,
-    THANKS*,
-    UnicodeData.txt

.ctags.d/add-dir.ctags

@@ -1,11 +0,0 @@
-#
-# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-
-# Allow ctags to load configuration file under the sub directories.
---optlib-dir=+./.ctags.d

.ctags.d/exclude.ctags

@@ -1,13 +0,0 @@
-#
-# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-
-# List file names or patterns you want ctags to ignore.
---exclude=.ctags.d
---exclude=test
---exclude=check-format-test-positives.c

.ctags.d/langmap.ctags

@@ -1,11 +0,0 @@
-#
-# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-
---langmap=C:+.h
---langmap=C:+.inc

.ctags.d/openssl-stage1/10extrac-macrodefs.ctags

@@ -1,18 +0,0 @@
-#
-# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-
-# This file is only for extracting macro definitions.
---langmap=C:+.h
--o -
---sort=no
---languages=C
--R
-
---fields-C=+{macrodef}
---fields=+{signature}

.ctags.d/openssl-stage2/.gitignore

@@ -1 +0,0 @@
-*macro-definitons.ctags

.ctags.d/openssl-stage2/10expand-macros.ctags

@@ -1,9 +0,0 @@
-#
-# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
---param-CPreProcessor._expand=1

.cvsignore

@@ -0,0 +1,18 @@
+openssl.pc
+MINFO
+makefile.one
+tmp
+out
+outinc
+rehash.time
+testlog
+make.log
+maketest.log
+cctest
+cctest.c
+cctest.a
+libcrypto.so.*
+libssl.so.*
+*.flc
+semantic.cache
+Makefile

.git-blame-ignore-revs

@@ -1,4 +0,0 @@
-# Run util/openssl-format-source -v -c .
-0f113f3ee4d629ef9a4a30911b22b224772085e5
-# 4.0-POST-CLANG-FORMAT-WEBKIT
-2fab90bb5e1937f1c2125eab144f7f6c39e70087

.gitattributes

@@ -1,19 +0,0 @@
-*.bin binary
-*.der binary
-/fuzz/corpora/** binary
-*.pfx binary
-test/recipes/15-test_ml_dsa_codecs_data/*.dat   binary
-test/recipes/15-test_ml_kem_codecs_data/*.dat binary
-
-# For git archive
-fuzz/corpora/**                         export-ignore
-Configurations/*.norelease.conf         export-ignore
-# We generally avoid anything with a name starting with a period.
-# However, .ctags.d is precious, so we don't ignore that.
-.*                                      export-ignore
-.ctags.d                                !export-ignore
-util/mktar.sh                           export-ignore
-krb5                                    export-ignore
-pyca-cryptography                       export-ignore
-dev                                     export-ignore
-gost-engine                             export-ignore

.github/CODEOWNERS

@@ -1 +0,0 @@
-/.github/workflows/ @quarckster

.github/FUNDING.yml

@@ -1 +0,0 @@
-github: openssl

.github/ISSUE_TEMPLATE.md

@@ -1,27 +0,0 @@
-<!--
-NOTE:
-
-    If you're asking about how to use OpenSSL, this isn't the right
-    forum.  Please see our User Support resources:
-    https://github.com/openssl/openssl/blob/master/SUPPORT.md
-
-If relevant, please remember to tell us in what OpenSSL version you
-found the issue.
-
-Please remember to put ``` lines before and after any commands plus
-output and code, like this:
-
-    ```
-    $ echo output output output
-    output output output
-    ```
-
-    ```
-    #include <stdio.h>
-
-    int main() {
-        int foo = 1;
-        printf("%d\n", foo);
-    }
-    ```
--->

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,53 +0,0 @@
----
-name: Bug report
-labels: 'issue: bug report'
-about: Report a defect in the software
-
----
-
-<!--
-Thank you for your bug report. If this is your first one,
-please take the time to read the following lines before posting it.
-
-NOTE:
-
-    If you're asking about how to use OpenSSL, this isn't the right
-    forum.  Please see our User Support resources:
-    https://github.com/openssl/openssl/blob/master/SUPPORT.md
-
-Please remember to tell us in what OpenSSL version you found the issue.
-
-For build issues:
-
-    If this is a build issue, please include the configuration output
-    as well as a log of all errors.  Don't forget to include the exact
-    commands you typed.
-
-    With OpenSSL before 1.1.1, the configuration output comes from the
-    configuration command.  With OpenSSL 1.1.1 and on, it's the output
-    of `perl configdata.pm --dump`
-
-For other issues:
-
-    If it isn't a build issue, example code or commands to reproduce
-    the issue is highly appreciated.
-    Also, please remember to tell us if you worked with your own
-    OpenSSL build or if it is system provided.
-
-Please remember to put ``` lines before and after any commands plus
-output and code, like this:
-
-    ```
-    $ echo output output output
-    output output output
-    ```
-
-    ```
-    #include <stdio.h>
-
-    int main() {
-        int foo = 1;
-        printf("%d\n", foo);
-    }
-    ```
--->

.github/ISSUE_TEMPLATE/documentation.md

@@ -1,14 +0,0 @@
----
-name: Documentation
-labels: 'issue: documentation'
-about: Report an error in (or missing) documentation
----
-
-<!--
-Thank you for taking the time to report a documentation issue.
-
-Please remember to tell us which OpenSSL version you are using and then
-briefly describe the documentation error and where you encountered it
-(e.g., in which manual page). If you are missing the documentation for a
-certain command or API function, please tell us its name.
--->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,34 +0,0 @@
----
-name: Feature request
-labels: 'issue: feature request'
-about: Propose a feature you would like to see added in the software
-
----
-
-<!--
-Thank you for your feature request. If this is your first one,
-please take the time to read the following lines before posting it.
-
-NOTE:
-
-    If you're asking about how to use OpenSSL, this isn't the right
-    forum.  Please see our User Support resources:
-    https://github.com/openssl/openssl/blob/master/SUPPORT.md
-
-Please remember to put ``` lines before and after any commands plus
-output and code, like this:
-
-    ```
-    $ echo output output output
-    output output output
-    ```
-
-    ```
-    #include <stdio.h>
-
-    int main() {
-        int foo = 1;
-        printf("%d\n", foo);
-    }
-    ```
--->

.github/ISSUE_TEMPLATE/question.md

@@ -1,10 +0,0 @@
----
-name: Question
-labels: 'issue: question'
-about: Please use Q&A in Discussions instead
----
-
-Please do NOT use issues to ask questions about OpenSSL.
-
-Instead, please use the [Q&A category in Discussions](<https://github.com/openssl/openssl/discussions/new?category=q-a>)
-to ask your question.

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,14 +0,0 @@
-<!--
-Thank you for your pull request. Please review these requirements:
-
-Contributors guide: https://github.com/openssl/openssl/blob/master/CONTRIBUTING.md
-
-Other than that, provide a description above this comment if there isn't one already
-
-If this fixes a GitHub issue, make sure to have a line saying 'Fixes #XXXX' (without quotes) in the commit message.
--->
-
-##### Checklist
-<!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
-- [ ] documentation is added or updated
-- [ ] tests are added or updated

.github/dependabot.yml

@@ -1,17 +0,0 @@
-version: 2
-updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "Dependabot update\n\nCLA: trivial\n\n"
-      include: "scope"
-    labels:
-      - "dependencies"
-      - "cla: trivial"
-      - "approval: review pending"
-    reviewers:
-      - "openssl/committers"
-    cooldown:
-      default-days: 7

.github/workflows/backport.yml

@@ -1,67 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Backports CI
-
-on: [pull_request]
-
-permissions:
-  contents: read
-
-jobs:
-  check_backports:
-    strategy:
-      fail-fast: false
-      matrix:
-        release: [
-          {
-            branch: '3.6',
-            cppflags: ''
-          }, {
-            branch: '3.5',
-            cppflags: 'CPPFLAGS=-ansi'
-          }, {
-            branch: '3.4',
-            cppflags: 'CPPFLAGS=-ansi'
-          }, {
-            branch: '3.3',
-            cppflags: 'CPPFLAGS=-ansi',
-          }, {
-            branch: '3.2',
-            cppflags: 'CPPFLAGS=-ansi'
-          }, {
-            branch: '3.0',
-            cppflags: 'CPPFLAGS=-ansi'
-          }
-        ]
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
-      with:
-        ref: ${{ github.event.pull_request.head.sha }}
-        fetch-depth: 0
-        persist-credentials: false
-    - name: cherry-pick
-      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
-      run: |
-           REFEND=$(git rev-parse HEAD)
-           REFSTART=$(git rev-parse $REFEND~${{ github.event.pull_request.commits }})
-           git checkout ${{ format('openssl-{0}', matrix.release.branch) }}
-           git config user.name "OpenSSL Machine"
-           git config user.email "openssl-machine@openssl.org"
-           echo Cherry-picking $REFSTART..$REFEND
-           git cherry-pick $REFSTART..$REFEND
-    - name: config
-      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
-      run: ${{ matrix.release.cppflags }} ./config --strict-warnings --banner=Configured no-asm enable-fips --strict-warnings -D_DEFAULT_SOURCE && perl configdata.pm --dump
-    - name: make
-      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
-      run: make -s -j4
-    - name: make test
-      if: ${{ contains(join(github.event.pull_request.labels.*.name,','),matrix.release.branch) }}
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

.github/workflows/ci.yml

@@ -1,820 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: GitHub CI
-
-on: [pull_request, push]
-
-# for some reason, this does not work:
-# variables:
-#   BUILDOPTS: "-j4"
-#   HARNESS_JOBS: "${HARNESS_JOBS:-4}"
-
-# for some reason, this does not work:
-# before_script:
-#     - make="make -s"
-
-permissions:
-  contents: read
-
-env:
-  OSSL_RUN_CI_TESTS: 1
-
-jobs:
-  check_update:
-    runs-on: ubuntu-latest
-    steps:
-    - name: install unifdef
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install unifdef
-    - uses: actions/checkout@v5
-      with:
-        fetch-depth: 0
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-fips && perl configdata.pm --dump
-    - name: make build_generated
-      run: make -s build_generated
-    - name: make update
-      run: make update
-    - name: git diff
-      run: git diff --exit-code
-
-  check_docs:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-fips && perl configdata.pm --dump
-    - name: make build_generated
-      run: make -s build_generated
-    - name: make doc-nits
-      run: make doc-nits
-    - name: make help
-      run: make help
-    - name: make md-nits
-      run: |
-          sudo gem install mdl
-          make md-nits
-
-  # This checks that we use ANSI C language syntax and semantics.
-  # We are not as strict with libraries, but rather adapt to what's
-  # expected to be available in a certain version of each platform.
-  check-c99:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: CPPFLAGS='-std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L' ./config --strict-warnings --banner=Configured enable-sslkeylog no-asm no-secure-memory no-makedepend enable-buildtest-c++ enable-fips enable-lms && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-
-  basic_gcc:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: localegen
-      run: sudo locale-gen tr_TR.UTF-8
-    - name: fipsvendor
-      # Make one fips build use a customized FIPS vendor
-      run: echo "FIPS_VENDOR=CI" >> VERSION.dat
-    - name: config
-      # enable-quic is on by default, but we leave it here to check we're testing the explicit enable somewhere
-      run: CC=gcc ./config --strict-warnings --banner=Configured enable-demos enable-h3demo enable-sslkeylog enable-fips enable-quic enable-lms && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: check fipsvendor
-      run: |
-        util/wrap.pl -fips apps/openssl list -providers | grep 'name: CI FIPS Provider for OpenSSL$'
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@basic-gcc"
-        path: artifacts.tar.gz
-
-  basic_clang:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: CC=clang ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@basic-clang"
-        path: artifacts.tar.gz
-
-  linux-arm64:
-    runs-on: ubuntu-24.04-arm
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings enable-demos enable-fips enable-lms enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@linux-arm64"
-        path: artifacts.tar.gz
-
-  linux-x86:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: run container
-      run: |
-        CONTAINER_ID=$(podman run -d -v $(pwd):/mnt -w /mnt --platform=linux/i386 docker.io/i386/debian:13 sleep infinity)
-        echo "CONTAINER_ID=$CONTAINER_ID" >> "$GITHUB_ENV"
-    - name: install dependencies
-      run:
-        podman exec -t $CONTAINER_ID sh -c "apt-get update && apt-get install -y gcc perl make"
-    - name: config
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-          "./config --strict-warnings linux-x86 enable-demos enable-fips enable-lms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace"
-    - name: config dump
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-          "./configdata.pm --dump"
-    - name: make
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-        "make -j"
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        podman exec -t $CONTAINER_ID sh -c \
-          "./util/opensslwrap.sh version -c"
-    - name: make test
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-          ".github/workflows/make-test"
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@linux-x86"
-        path: artifacts.tar.gz
-
-  freebsd-x86_64:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        shutdown_vm: false
-        run: |
-          sudo pkg install -y gcc perl5
-          ./config --strict-warnings enable-fips enable-lms enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        shutdown_vm: false
-        run: ./configdata.pm --dump
-    - name: make
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        shutdown_vm: false
-        run: make -j4
-    - name: make test
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        run: |
-          ./util/opensslwrap.sh version -c
-          .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@BSD-x86_64"
-        path: artifacts.tar.gz
-
-  minimal:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-bulk no-pic no-asm no-lms -DOPENSSL_NO_SECURE_MEMORY -DOPENSSL_SMALL_FOOTPRINT && perl configdata.pm --dump
-    - name: make
-      run: make -j4 # verbose, so no -s here
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@minimal"
-        path: artifacts.tar.gz
-
-  no-deprecated:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-deprecated enable-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@no-deprecated"
-        path: artifacts.tar.gz
-
-  no-shared-ubuntu:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@no-shared-ubuntu"
-        path: artifacts.tar.gz
-
-  no-shared-macos:
-    runs-on: macos-14
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-shared no-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        sysctl machdep.cpu
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@no-shared-macos-14"
-        path: artifacts.tar.gz
-
-  non-caching:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan no-cached-fetch no-fips no-dtls no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-async && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="-test_fuzz* -test_ssl_* -test_sslapi -test_evp -test_cmp_http -test_verify -test_cms -test_store -test_enc -[01][0-9]"
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@non-caching"
-        path: artifacts.tar.gz
-
-  address_ub_sanitizer:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-demos enable-h3demo enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips enable-lms && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@address_ub_sanitizer"
-        path: artifacts.tar.gz
-
-  fuzz_tests:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-asan enable-ubsan enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-nextprotoneg && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0 TESTS="test_fuzz*"
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@fuzz_tests"
-        path: artifacts.tar.gz
-        if-no-files-found: ignore
-
-  memory_sanitizer:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
-      run: CC=clang ./config --strict-warnings --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips enable-lms no-slh-dsa && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test OPENSSL_TEST_RAND_ORDER=0
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@memory_sanitizer"
-        path: artifacts.tar.gz
-
-  threads_sanitizer:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: CC=clang ./config --strict-warnings --banner=Configured no-shared no-fips -g -fsanitize=thread && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test V=1 TESTS="test_lhash test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*"
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@threads_sanitizer"
-        path: artifacts.tar.gz
-
-  enable_non-default_options:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: modprobe tls
-      run: sudo modprobe tls
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-ec enable-ssl-trace enable-zlib enable-zlib-dynamic enable-crypto-mdebug enable-egd enable-ktls enable-fips enable-lms no-threads && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@enable_non-default_options"
-        path: artifacts.tar.gz
-
-  full_featured:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: modprobe tls
-      run: sudo modprobe tls
-    - name: Enable sctp
-      run: sudo modprobe sctp
-    - name: Enable auth in sctp
-      run: sudo sysctl -w net.sctp.auth_enable=1
-    - name: install extra config support
-      run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo enable-ktls enable-fips enable-lms enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-zlib enable-zstd && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@full_featured"
-        path: artifacts.tar.gz
-
-  no-legacy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-demos enable-h3demo no-legacy enable-fips enable-lms && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@no-legacy"
-        path: artifacts.tar.gz
-
-  legacy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-demos enable-h3demo no-shared enable-crypto-mdebug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@legacy"
-        path: artifacts.tar.gz
-
-  # out-of-source-and-install checks multiple things at the same time:
-  # - That building, testing and installing works from an out-of-source
-  #   build tree
-  # - That building, testing and installing works with a read-only source
-  #   tree
-  out-of-readonly-source-and-install-ubuntu:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        path: ./source
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-      working-directory: ./source
-    - name: make source read-only
-      run: chmod -R a-w ./source
-    - name: create build and install directories
-      run: |
-        mkdir ./build
-        mkdir ./install
-    - name: config
-      run: |
-        ../source/config --banner=Configured enable-demos enable-h3demo enable-fips enable-lms enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
-        perl configdata.pm --dump
-      working-directory: ./build
-    - name: make
-      run: make -s -j4
-      working-directory: ./build
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-      working-directory: ./build
-    - name: make test
-      run: ../source/.github/workflows/make-test
-      working-directory: ./build
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@out-of-readonly-source-and-install-ubuntu"
-        path: build/artifacts.tar.gz
-    - name: make install
-      run: make install
-      working-directory: ./build
-
-  out-of-readonly-source-and-install-macos:
-    runs-on: macos-15
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        path: ./source
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-      working-directory: ./source
-    - name: make source read-only
-      run: chmod -R a-w ./source
-    - name: create build and install directories
-      run: |
-        mkdir ./build
-        mkdir ./install
-    - name: config
-      run: |
-        ../source/config --banner=Configured enable-fips enable-lms enable-demos enable-h3demo enable-quic enable-acvp-tests --strict-warnings --prefix=$(cd ../install; pwd)
-        perl configdata.pm --dump
-      working-directory: ./build
-    - name: make
-      run: make -s -j4
-      working-directory: ./build
-    - name: get cpu info
-      run: |
-        sysctl machdep.cpu
-        ./util/opensslwrap.sh version -c
-      working-directory: ./build
-    - name: make test
-      run: ../source/.github/workflows/make-test
-      working-directory: ./build
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@out-of-readonly-source-and-install-macos-15"
-        path: build/artifacts.tar.gz
-    - name: make install
-      run: make install
-      working-directory: ./build
-
-  external-tests-misc:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        submodules: recursive
-        persist-credentials: false
-    - name: package installs
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy gdb libtls-dev wget gpg
-    - name: install cpanm and Test2::V0 for gost_engine testing
-      uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1.7
-      with:
-        install: Test2::V0
-    - name: setup hostname workaround
-      run: sudo hostname localhost
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-external-tests no-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - uses: dtolnay/rust-toolchain@0f44b27771c32bda9f458f75a1e241b09791b331
-      with:
-        toolchain: stable
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: test external gost-engine
-      run: make test TESTS="test_external_gost_engine"
-    - name: test external krb5
-      run: make test TESTS="test_external_krb5"
-    - name: test external tlsfuzzer
-      run: make test TESTS="test_external_tlsfuzzer"
-    - name: test external Cloudflare quiche
-      run: make test TESTS="test_external_cf_quiche" VERBOSE=1
-    - name: test external rpki client
-      run: make test TESTS="test_external_rpki-client-portable"
-    - name: test ability to produce debuginfo files
-      run: |
-        make debuginfo
-        gdb < <(echo -e "file ./libcrypto.so.4\nquit") > ./results
-        grep -q "Reading symbols from.*libcrypto\.so\.4\.debug" results
-
-  external-tests-oqs-provider:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        submodules: recursive
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-external-tests && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: test external oqs-provider
-      run: make test TESTS="test_external_oqsprovider"
-
-  external-tests-pkcs11-provider:
-    runs-on: ubuntu-latest
-    container: fedora:latest
-    steps:
-    - name: package installs
-      run: |
-        dnf install -y perl-FindBin perl-IPC-Cmd perl-File-Compare perl-File-Copy perl-Test-Simple perl-Test-Harness python3 make g++ perl git meson opensc expect kryoptic
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora and pkcs11-provider submodule
-      run: |
-        git config --global --add safe.directory /__w/openssl/openssl
-        git submodule update --init --depth 1 fuzz/corpora
-        git submodule update --init --depth 1 pkcs11-provider
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-external-tests no-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    # Run all tests except external tests to make sure they work fine on Fedora because
-    # this is the only job running on Fedora, only then execute pkcs11-provider external
-    # test.
-    - name: test (except external tests)
-      run: make test TESTS="-test_external_*"
-    - name: test external pkcs11-provider
-      run: make test TESTS="test_external_pkcs11_provider" VERBOSE=1
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-
-  external-tests-pyca:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        PYTHON:
-          - 3.9
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        submodules: recursive
-        persist-credentials: false
-    - name: package installs
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq install pkgconf libssl-dev
-    - name: Configure OpenSSL
-      run: ./config --strict-warnings --banner=Configured --debug enable-external-tests && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: Setup Python
-      uses: actions/setup-python@v6.0.0
-      with:
-        python-version: ${{ matrix.PYTHON }}
-    - uses: dtolnay/rust-toolchain@0f44b27771c32bda9f458f75a1e241b09791b331
-      with:
-        toolchain: stable
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: test external pyca
-      run: make test TESTS="test_external_pyca" VERBOSE=1

.github/workflows/compiler-zoo.yml

@@ -1,82 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Compiler Zoo CI
-
-on: [push]
-
-permissions:
-  contents: read
-
-jobs:
-  gcc:
-    strategy:
-      fail-fast: false
-      matrix:
-        gcc: [gcc-9, gcc-10, gcc-11, gcc-12, gcc-13, gcc-14]
-    runs-on: ubuntu-24.04
-    steps:
-    - name: install packages
-      run: |
-        sudo apt-get update
-        sudo apt-get -y install ${{ matrix.gcc }}
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      env:
-        CC: ${{ matrix.gcc }}
-      run: |
-        ./config --strict-warnings --banner=Configured no-shared enable-fips
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  clang:
-    strategy:
-      fail-fast: false
-      matrix:
-        clang: [clang-11, clang-12, clang-13, clang-14, clang-15, clang-16, clang-17, clang-18, clang-19, clang-20]
-    runs-on: ubuntu-22.04
-    steps:
-    - name: install packages
-      run: |
-        set -euo pipefail
-        VERSION=$(awk -F- '{print $NF}' <<< ${{ matrix.clang }})
-        wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc
-        echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-$VERSION main" | sudo tee -a /etc/apt/sources.list
-        sudo apt-get update || true
-        sudo apt-get -y install ${{ matrix.clang }}
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      env:
-        CC: ${{ matrix.clang }}
-      run: |
-        ./config --strict-warnings --banner=Configured no-shared enable-fips
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

.github/workflows/coveralls.yml

@@ -1,135 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Coverage
-
-on:
-  schedule:
-    - cron: '15 02 * * *'
-  workflow_dispatch:
-    inputs:
-      branch:
-        description: Branch to measure coverage
-        required: true
-        default: master
-      extra_config:
-        description: Extra options for configuration script
-        default: ""
-
-permissions:
-  contents: read
-
-jobs:
-  define-matrix:
-    runs-on: ubuntu-latest
-    outputs:
-      branches: ${{ steps.branches.outputs.branches }}
-    steps:
-      - name: Define branches
-        id: branches
-        env:
-          GITHUB_EVENT_INPUTS_BRANCH: ${{ github.event.inputs.branch }}
-          GITHUB_EVENT_INPUTS_EXTRA_CONFIG: ${{ github.event.inputs.extra_config }}
-        run: |
-          if [ "${{ github.event_name}}" = "workflow_dispatch" ]; then
-          MATRIX=$(cat << EOF
-          [{
-            "branch": "${GITHUB_EVENT_INPUTS_BRANCH}",
-            "extra_config": "${GITHUB_EVENT_INPUTS_EXTRA_CONFIG}"
-          }]
-          EOF
-          )
-          else
-          MATRIX=$(cat << EOF
-          [{
-              "branch": "openssl-3.6",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            },{
-              "branch": "openssl-3.5",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            },{
-              "branch": "openssl-3.4",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            }, {
-              "branch": "openssl-3.3",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            }, {
-              "branch": "openssl-3.2",
-              "extra_config": "no-afalgeng enable-fips enable-tfo"
-            }, {
-              "branch": "openssl-3.1",
-              "extra_config": "no-afalgeng enable-fips"
-            }, {
-              "branch": "openssl-3.0",
-              "extra_config": "no-afalgeng enable-fips"
-            }, {
-              "branch": "master",
-              "extra_config": "enable-fips enable-tfo enable-lms enable-crypto-mdebug enable-allocfail-tests"
-          }]
-          EOF
-          )
-          fi
-          echo "branches<<EOF"$'\n'"$MATRIX"$'\n'EOF >> "$GITHUB_OUTPUT"
-
-  coverage:
-    if: github.repository == 'openssl/openssl'
-    needs: define-matrix
-    permissions:
-      checks: write     # for coverallsapp/github-action to create new checks
-      contents: read    # for actions/checkout to fetch code
-    strategy:
-      fail-fast: false
-      matrix:
-        branches: ${{ fromJSON(needs.define-matrix.outputs.branches) }}
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        submodules: recursive
-        ref: ${{ matrix.branches.branch }}
-        persist-credentials: false
-    - name: cache commit id
-      run: |
-        echo "githubid=`/usr/bin/git log -1 --format='%H'`" >>$GITHUB_ENV
-    - name: package installs
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq install lcov
-        sudo apt-get -yq install bison gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python3 python3-paste python3-pyrad slapd tcsh python3-virtualenv virtualenv python3-kdcproxy
-    - name: install Test2::V0 for gost_engine testing
-      uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d #v1.7
-      with:
-        install: Test2::V0
-    - name: setup hostname workaround
-      run: sudo hostname localhost
-    - name: config
-      run: CC=gcc ./config --debug --coverage ${{ matrix.branches.extra_config }} no-asm enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 enable-buildtest-c++ enable-ssl-trace enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test TESTS='-test_external_krb5' EVP_TEST_EXTENDED=1
-    - name: generate coverage info
-      run: lcov -d . -c
-             --exclude "${PWD}/test/*"
-             --exclude "${PWD}/fuzz/*"
-             --exclude "/usr/include/*"
-             --ignore-errors mismatch
-             --branch-coverage
-              -o ./lcov.info
-    - name: Coveralls upload
-      uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b #v2.3.6
-      with:
-        github-token: ${{ secrets.github_token }}
-        git-branch: ${{ matrix.branches.branch }}
-        git-commit: ${{ env.githubid }}
-        path-to-lcov: ./lcov.info

.github/workflows/cross-compiles.yml

@@ -1,237 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Cross Compile
-
-on: [pull_request, push]
-
-permissions:
-  contents: read
-
-jobs:
-  cross-compilation:
-    strategy:
-      fail-fast: false
-      matrix:
-        # The platform matrix specifies:
-        #   arch: the architecture to build for, this defines the tool-chain
-        #         prefix {arch}- and the Debian compiler package gcc-{arch}
-        #         name.
-        #   libs: the Debian package for the necessary link/runtime libraries.
-        #   target: the OpenSSL configuration target to use, this is passed
-        #           directly to the config command line.
-        #   fips:   set to "no" to disable building FIPS, leave unset to
-        #           build the FIPS provider.
-        #   tests: omit this to run all the tests using QEMU, set it to "none"
-        #          to never run the tests, otherwise its value is passed to
-        #          the "make test" command to allow selective disabling of
-        #          tests.
-        #   qemucpu: optional; string that describes CPU properties.
-        #            The string will be used to set the QEMU_CPU variable.
-        #   opensslcapsname: optional; string that describes the postfix of the
-        #                    OpenSSL environment variable that defines CPU
-        #                    capabilities. E.g. "foo" will result in an
-        #                    environment variable with the name OPENSSL_foo.
-        #   opensslcaps: optional; if opensslcapsname (see above) is set, then
-        #                this string will be used as content for the OpenSSL
-        #                capabilities variable.
-        #   ppa:   Launchpad PPA repository to download packages from.
-        platform: [
-          {
-            arch: i386-pc-msdosdjgpp,
-            libs: libc-djgpp-dev libwatt-djgpp-dev djgpp-utils,
-            target: no-threads 386 DJGPP,
-            tests: none,
-            ppa: jwt27/djgpp-toolchain
-          }, {
-            arch: aarch64-linux-gnu,
-            libs: libc6-dev-arm64-cross,
-            target: linux-aarch64,
-            fips: no
-          }, {
-            arch: alpha-linux-gnu,
-            libs: libc6.1-dev-alpha-cross,
-            target: linux-alpha-gcc,
-            fips: no
-          }, {
-            arch: arm-linux-gnueabi,
-            libs: libc6-dev-armel-cross,
-            target: linux-armv4,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          }, {
-            arch: arm-linux-gnueabihf,
-            libs: libc6-dev-armhf-cross,
-            target: linux-armv4,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          }, {
-            # gcc hppa seems to have some potential compiler issues
-            # with -O2 on this platform, reduce optimization to -01
-            arch: hppa-linux-gnu,
-            libs: libc6-dev-hppa-cross,
-            target: -static -O1 linux-generic32,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          }, {
-            arch: m68k-linux-gnu,
-            libs: libc6-dev-m68k-cross,
-            target: -static -m68040 linux-latomic -Wno-stringop-overflow,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          }, {
-            arch: mips-linux-gnu,
-            libs: libc6-dev-mips-cross,
-            target: -static linux-mips32,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          }, {
-            arch: mips64-linux-gnuabi64,
-            libs: libc6-dev-mips64-cross,
-            target: -static linux64-mips64,
-            fips: no
-          }, {
-            arch: mipsel-linux-gnu,
-            libs: libc6-dev-mipsel-cross,
-            target: linux-mips32,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          }, {
-            arch: powerpc64le-linux-gnu,
-            libs: libc6-dev-ppc64el-cross,
-            target: linux-ppc64le,
-            fips: no
-          }, {
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no
-          }, {
-            arch: s390x-linux-gnu,
-            libs: libc6-dev-s390x-cross,
-            target: linux64-s390x,
-            fips: no
-          }, {
-            arch: sh4-linux-gnu,
-            libs: libc6-dev-sh4-cross,
-            target: no-async linux-latomic,
-            fips: no,
-            tests: -test_includes -test_store -test_x509_store
-          },
-
-          # These build with shared libraries but they crash when run
-          # They mirror static builds above in order to cover more of the
-          # code base.
-          {
-            arch: hppa-linux-gnu,
-            libs: libc6-dev-hppa-cross,
-            target: linux-generic32,
-            tests: none
-          }, {
-            arch: m68k-linux-gnu,
-            libs: libc6-dev-m68k-cross,
-            target: -mcfv4e -mxgot linux-latomic -Wno-stringop-overflow no-quic,
-            tests: none
-          }, {
-            arch: mips-linux-gnu,
-            libs: libc6-dev-mips-cross,
-            target: linux-mips32,
-            tests: none
-          }, {
-            arch: mips64-linux-gnuabi64,
-            libs: libc6-dev-mips64-cross,
-            target: linux64-mips64,
-            tests: none
-          },
-
-          # This build doesn't execute either with or without shared libraries.
-          {
-            arch: sparc64-linux-gnu,
-            libs: libc6-dev-sparc64-cross,
-            target: linux64-sparcv9,
-            tests: none
-          }
-        ]
-    runs-on: ubuntu-latest
-    steps:
-    - name: install package repository
-      if: matrix.platform.ppa != ''
-      run: |
-        sudo add-apt-repository ppa:${{ matrix.platform.ppa }}
-    - name: install packages
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install \
-            gcc-${{ matrix.platform.arch }} \
-            ${{ matrix.platform.libs }}
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-
-    - name: config with FIPS
-      if: matrix.platform.fips != 'no'
-      run: |
-        ./config --banner=Configured --strict-warnings enable-fips enable-lms \
-                 --cross-compile-prefix=${{ matrix.platform.arch }}- \
-                 ${{ matrix.platform.target }}
-    - name: config without FIPS
-      if: matrix.platform.fips == 'no'
-      run: |
-        ./config --banner=Configured --strict-warnings enable-lms \
-                 --cross-compile-prefix=${{ matrix.platform.arch }}- \
-                 ${{ matrix.platform.target }}
-    - name: config dump
-      run: ./configdata.pm --dump
-
-    - name: make
-      run: make -s -j4
-
-    - name: install qemu
-      if: matrix.platform.tests != 'none'
-      run: sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install qemu-user
-
-    - name: Set QEMU environment
-      if: matrix.platform.qemucpu != ''
-      run: echo "QEMU_CPU=${{ matrix.platform.qemucpu }}" >> $GITHUB_ENV
-
-    - name: Set OpenSSL caps environment
-      if: matrix.platform.opensslcapsname != ''
-      run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\
-                 ${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV
-
-    - name: get cpu info
-      if: matrix.platform.tests != 'none'
-      run: |
-         cat /proc/cpuinfo
-         QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} ./util/opensslwrap.sh version -c
-    - name: make all tests
-      if: github.event_name == 'push' && matrix.platform.tests == ''
-      run: |
-        .github/workflows/make-test \
-                  TESTS="-test_afalg" \
-                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
-    - name: make some tests
-      if: github.event_name == 'push' && matrix.platform.tests != 'none' && matrix.platform.tests != ''
-      run: |
-        .github/workflows/make-test \
-                  TESTS="${{ matrix.platform.tests }} -test_afalg" \
-                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
-    - name: make evp tests
-      if: github.event_name == 'pull_request' && matrix.platform.tests != 'none'
-      run: |
-        .github/workflows/make-test \
-                  TESTS="test_evp*" \
-                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "cross-compiles@${{ matrix.platform.arch }}"
-        path: artifacts.tar.gz
-        if-no-files-found: ignore

.github/workflows/deploy-docs-openssl-org.yml

@@ -1,26 +0,0 @@
-name: "Trigger docs.openssl.org deployment"
-
-on:
-  push:
-    branches:
-      - "openssl-3.[0-9]+"
-      - "master"
-    paths:
-      - "doc/man*/**"
-
-permissions: {}
-
-jobs:
-  trigger:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Trigger deployment workflow"
-        run: |
-          gh workflow run -f branch=${GITHUB_REF_NAME} deploy-site.yaml
-          sleep 3
-          RUN_ID=$(gh run list -w deploy-site.yaml -L 1 --json databaseId -q ".[0].databaseId")
-          gh run watch ${RUN_ID} --exit-status
-        env:
-          GH_REPO: "openssl/openssl-docs"
-          GH_TOKEN: ${{ secrets.OPENSSL_MACHINE_TOKEN }}

.github/workflows/fips-checksums.yml

@@ -1,123 +0,0 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: FIPS Check and ABIDIFF
-on: [pull_request]
-
-permissions:
-  contents: read
-
-jobs:
-  compute-checksums:
-    runs-on: ubuntu-latest
-    steps:
-      - name: install unifdef
-        run: |
-            sudo apt-get update
-            sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install unifdef
-      - name: create build dirs
-        run: |
-          mkdir ./build-pristine
-          mkdir ./source-pristine
-          mkdir ./build
-          mkdir ./source
-          mkdir ./artifact
-      - uses: actions/checkout@v5
-        with:
-          repository: ${{ github.event.pull_request.base.repo.full_name }}
-          ref: ${{ github.event.pull_request.base.ref }}
-          path: source-pristine
-          persist-credentials: false
-      - name: config pristine
-        run: ../source-pristine/config enable-fips
-        working-directory: ./build-pristine
-      - name: config pristine dump
-        run: ./configdata.pm --dump
-        working-directory: ./build-pristine
-      - name: make build_generated pristine
-        run: make -s build_generated
-        working-directory: ./build-pristine
-      - name: make fips-checksums pristine
-        run: make fips-checksums
-        working-directory: ./build-pristine
-      - uses: actions/checkout@v5
-        with:
-          path: source
-          persist-credentials: false
-      - name: config
-        run: ../source/config enable-fips
-        working-directory: ./build
-      - name: config dump
-        run: ./configdata.pm --dump
-        working-directory: ./build
-      - name: make build_generated
-        run: make -s build_generated
-        working-directory: ./build
-      - name: make fips-checksums
-        run: make fips-checksums
-        working-directory: ./build
-      - name: update checksums
-        run: |
-          cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources
-          cp -a build-pristine/providers/fips-sources.checksums.new source/providers/fips-sources.checksums
-          cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum
-      - name: make diff-fips-checksums
-        run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED )
-        working-directory: ./build
-      - name: save PR number
-        run: echo ${{ github.event.number }} > ./artifact/pr_num
-      - name: save artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: fips_checksum
-          path: artifact/
-
-  compute-abidiff:
-    runs-on: ubuntu-latest
-    env:
-      BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd
-    steps:
-      - name: create build dirs
-        run: |
-          mkdir ./build-pristine
-          mkdir ./source-pristine
-          mkdir ./build
-          mkdir ./source
-          mkdir ./artifact
-      - name: install extra config support
-        run: sudo apt-get -y install libsctp-dev abigail-tools libzstd-dev zstd
-      - uses: actions/checkout@v5
-        with:
-          repository: ${{ github.event.pull_request.base.repo.full_name }}
-          ref: ${{ github.event.pull_request.base.ref }}
-          path: source-pristine
-          persist-credentials: false
-      - name: config pristine
-        run: ../source-pristine/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump
-        working-directory: ./build-pristine
-      - name: make pristine
-        run: make -s -j4
-        working-directory: ./build-pristine
-      - uses: actions/checkout@v5
-        with:
-          path: source
-          persist-credentials: false
-      - name: config
-        run: ../source/config --banner=Configured $BUILD_OPTS && perl configdata.pm --dump
-        working-directory: ./build
-      - name: make
-        run: make -s -j4
-        working-directory: ./build
-      - name: abidiff
-        run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED )
-      - name: save PR number
-        run: echo ${{ github.event.number }} > ./artifact/pr_num
-      - name: save artifact
-        uses: actions/upload-artifact@v5
-        with:
-          name: abidiff
-          path: artifact/

.github/workflows/fips-label.yml

@@ -1,141 +0,0 @@
-# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: FIPS and ABI Changed Label
-on:
-  workflow_run:
-    workflows: ["FIPS Check and ABIDIFF"]
-    types:
-      - completed
-
-permissions:
-  contents: read
-
-jobs:
-  apply-label:
-    permissions:
-      actions: read
-      pull-requests: write
-    runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.event == 'pull_request' }}
-    steps:
-      - name: 'Download fipscheck artifact'
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-        uses: actions/github-script@v8
-        with:
-          script: |
-            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: ${{github.event.workflow_run.id }},
-            });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "fips_checksum"
-            })[0];
-            var download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            var fs = require('fs');
-            fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
-      - run: unzip artifact.zip
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-      - name: 'Check artifact and apply'
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            var fs = require('fs');
-            var pr_num = Number(fs.readFileSync('./pr_num'));
-            if ( fs.existsSync('./fips_changed') ) {
-              github.rest.issues.addLabels({
-                issue_number: pr_num,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                labels: ['severity: fips change']
-              });
-            } else if ( fs.existsSync('./fips_unchanged') ) {
-              var labels = await github.rest.issues.listLabelsOnIssue({
-                issue_number: pr_num,
-                owner: context.repo.owner,
-                repo: context.repo.repo
-              });
-
-              for ( var label in labels.data ) {
-                if (labels.data[label].name == 'severity: fips change') {
-                  github.rest.issues.removeLabel({
-                    issue_number: pr_num,
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    name: 'severity: fips change'
-                  });
-                }
-              }
-            }
-      - name: 'Cleanup artifact'
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-        run: rm artifact.zip pr_num
-
-      - name: 'Download abidiff artifact'
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-        uses: actions/github-script@v8
-        with:
-          script: |
-            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: ${{github.event.workflow_run.id }},
-            });
-            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "abidiff"
-            })[0];
-            var download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            var fs = require('fs');
-            fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data));
-      - run: unzip artifact.zip
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-      - name: 'Check artifact and apply'
-        if: ${{ github.event.workflow_run.conclusion == 'success' }}
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            var fs = require('fs');
-            var pr_num = Number(fs.readFileSync('./pr_num'));
-            if ( fs.existsSync('./abi_changed') ) {
-              github.rest.issues.addLabels({
-                issue_number: pr_num,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                labels: ['severity: ABI change']
-              });
-            } else if ( fs.existsSync('./abi_unchanged') ) {
-              var labels = await github.rest.issues.listLabelsOnIssue({
-                issue_number: pr_num,
-                owner: context.repo.owner,
-                repo: context.repo.repo
-              });
-
-              for ( var label in labels.data ) {
-                if (labels.data[label].name == 'severity: ABI change') {
-                  github.rest.issues.removeLabel({
-                    issue_number: pr_num,
-                    owner: context.repo.owner,
-                    repo: context.repo.repo,
-                    name: 'severity: ABI change'
-                  });
-                }
-              }
-            }

.github/workflows/fuzz-checker.yml

@@ -1,81 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Fuzz-checker CI
-
-on: [push]
-
-permissions:
-  contents: read
-
-jobs:
-  fuzz-checker:
-    strategy:
-      fail-fast: false
-      matrix:
-        fuzzy: [
-          {
-            name: AFL,
-            config: enable-fuzz-afl no-module,
-            install: afl++,
-            cc: afl-clang-fast
-          }, {
-            name: libFuzzer,
-            config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fno-sanitize=function,
-            libs: --with-fuzzer-lib=/usr/lib/llvm-18/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/18/include/fuzzer,
-            install: libfuzzer-18-dev,
-            cc: clang-18,
-            linker: clang++-18,
-            tests: -test_memleak
-          }, {
-            name: libFuzzer+,
-            config: enable-fuzz-libfuzzer enable-asan enable-ubsan -fno-sanitize=function -fsanitize-coverage=trace-cmp -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION,
-            libs: --with-fuzzer-lib=/usr/lib/llvm-18/lib/libFuzzer.a --with-fuzzer-include=/usr/include/clang/18/include/fuzzer,
-            extra: enable-fips enable-lms enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg,
-            install: libfuzzer-18-dev,
-            cc: clang-18,
-            linker: clang++-18,
-            tests: -test_memleak
-          }
-        ]
-    runs-on: ubuntu-24.04
-    steps:
-    - name: install packages
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install ${{ matrix.fuzzy.install }}
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-
-    - name: config
-      run: |
-        CC=${{ matrix.fuzzy.cc }} ./config --banner=Configured no-shared \
-            ${{ matrix.fuzzy.config }} ${{ matrix.fuzzy.libs }} ${{ matrix.fuzzy.extra }}
-
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make with explicit linker
-      if: matrix.fuzzy.linker != ''
-      run: LDCMD=${{ matrix.fuzzy.linker }} make -s -j4
-    - name: make sans explicit linker
-      if: matrix.fuzzy.linker == ''
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test restricted
-      if: matrix.fuzzy.tests != ''
-      run: AFL_MAP_SIZE=300000 make test HARNESS_JOBS=${HARNESS_JOBS:-4} TESTS="${{ matrix.fuzzy.tests }}"
-    - name: make test all
-      if: matrix.fuzzy.tests == ''
-      run: AFL_MAP_SIZE=300000 make test HARNESS_JOBS=${HARNESS_JOBS:-4}

.github/workflows/interop-tests.yml

@@ -1,107 +0,0 @@
-# Notes:
-# /__w/openssl is the path that github bind-mounts into the container so the ci
-# filesystem for this job can be reached.  Please note that any changes made to
-# this job involving file system paths should be made prefixed with, or relative
-# to that directory
-name: Interoperability tests with GnuTLS, NSS and OpenSSH
-on:
-  schedule:
-    - cron: '55 02 * * *'
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  test:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-22.04
-    container:
-      image: docker.io/fedora:40
-      options: --sysctl net.ipv6.conf.lo.disable_ipv6=0
-    timeout-minutes: 90
-    strategy:
-      fail-fast: false
-      matrix:
-        COMPONENT: [gnutls, nss]
-    env:
-      COMPONENT: ${{ matrix.COMPONENT }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Display environment
-        run: export
-      - name : Install needed tools
-        run: |
-          dnf -y install perl gcc rpmdevtools dnf-utils make tmt-all beakerlib \
-                 fips-mode-setup crypto-policies-scripts
-      - name: install interop tests
-        run: |
-          cd ${GITHUB_WORKSPACE}
-          git clone --branch=openssl-v0.1 --depth=1 https://gitlab.com/redhat-crypto/tests/interop.git
-      - name: build openssl as an rpm
-        run: |
-          mkdir -p /build/SPECS && cd /build && echo -e "%_topdir /build\n%_lto_cflags %{nil}" >~/.rpmmacros && rpmdev-setuptree
-          cd /build && cp ${GITHUB_WORKSPACE}/interop/openssl/openssl.spec SPECS/ && \
-          cd SPECS/ && source ${GITHUB_WORKSPACE}/VERSION.dat && \
-          sed -i "s/soversion 3/soversion $SHLIB_VERSION/;s/^Version: .*\$/Version: $MAJOR.$MINOR.$PATCH/" openssl.spec && \
-          sed -i "/^%attr.*_libdir.*engines-/ d" openssl.spec && \
-          sed -i 's/^Release: .*$/Release: dev/' openssl.spec
-          yum-builddep -y /build/SPECS/openssl.spec # just for sure nothing is missing
-          mkdir -p /build/SOURCES
-          tar --transform "s/^__w\/openssl\/openssl/openssl-$MAJOR.$MINOR.$PATCH/" -czf /build/SOURCES/openssl-$MAJOR.$MINOR.$PATCH.tar.gz /__w/openssl/openssl/
-          rpmbuild -bb /build/SPECS/openssl.spec
-          rpm -i --force /build/RPMS/x86_64/openssl-*
-          cp ${GITHUB_WORKSPACE}/interop/openssl/openssl.cnf /etc/pki/tls/openssl.cnf
-      - name: Run interop tests
-        run: |
-          cd interop
-          tmt run -av plans -n interop tests -f "tag: interop-openssl & tag: interop-$COMPONENT" provision -h local --feeling-safe execute -h tmt --interactive
-          openssl version
-          echo "Finished - important to prevent unwanted output truncating"
-  openssh_interop:
-    if: github.repository == 'openssl/openssl'
-    name: "openssh interop ${{ matrix.branch.openssl }}"
-    strategy:
-      fail-fast: false
-      matrix:
-        branch: [
-          { openssl: 'master', openssh: 'openssl-master', openssl_config: 'no-docs'},
-          { openssl: 'openssl-3.6', openssh: 'openssl-3.6', openssl_config: 'no-docs'},
-          { openssl: 'openssl-3.5', openssh: 'openssl-3.5', openssl_config: 'no-docs'},
-          { openssl: 'openssl-3.4', openssh: 'openssl-3.4', openssl_config: 'no-docs'},
-          { openssl: 'openssl-3.3', openssh: 'openssl-3.3', openssl_config: 'no-docs'},
-          { openssl: 'openssl-3.2', openssh: 'openssl-3.2', openssl_config: 'no-docs'},
-          { openssl: 'openssl-3.0', openssh: 'openssl-3.0', openssl_config: ''}
-        ]
-    runs-on: ubuntu-latest
-    env:
-      EPHEMERAL_VM: yes
-      TEST_SSH_UNSAFE_PERMISSIONS: 1
-      TEST_SSH_HOSTBASED_AUTH: yes
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-        ref: ${{ matrix.branch.openssl }}
-        fetch-depth: 1
-    - name: config
-      run: ./config --banner=Configured -fPIC --prefix=/opt/openssl ${{ matrix.openssl_config }} shared -Wl,-rpath,/opt/openssl/lib64 && perl configdata.pm --dump
-    - name: make
-      run: |
-        make -s -j4
-        make -s -j4 install_sw
-    - name: install dependencies of openssh
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq install autoconf zlib1g-dev
-    - name: run openssh
-      run: |
-        git clone --branch master --depth 1 https://github.com/openssh/openssh-portable.git
-        cd openssh-portable
-        sh ./.github/setup_ci.sh ${{ matrix.branch.openssh }} ubuntu-latest
-        autoreconf
-        sh ./.github/configure.sh ${{ matrix.branch.openssh }}
-        make clean
-        make -s -j4
-        sh ./.github/run_test.sh

.github/workflows/make-release.yml

@@ -1,48 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: "Make release"
-
-on:
-  push:
-    tags:
-      - "openssl-*"
-
-permissions: {}
-
-jobs:
-  release:
-    runs-on: "releaser"
-    steps:
-    - name: "Checkout"
-      uses: "actions/checkout@v5"
-      with:
-        fetch-depth: 1
-        ref: ${{ github.ref_name }}
-        github-server-url: "https://github.openssl.org/"
-        repository: "openssl/openssl"
-        token: ${{ secrets.GHE_TOKEN }}
-        path: ${{ github.ref_name }}
-        persist-credentials: false
-    - name: "Prepare assets"
-      env:
-        SIGNING_KEY_UID: ${{ vars.signing_key_uid }}
-      run: |
-        cd "$GITHUB_REF_NAME"
-        ./util/mktar.sh
-        mkdir -p assets && mv "$GITHUB_REF_NAME.tar.gz" assets/ && cd assets
-        openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
-        openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
-        gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
-    - name: "Create release"
-      env:
-        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-      run: |
-        VERSION=$(echo "$GITHUB_REF_NAME" | cut -d "-" -f 2-)
-        PRE_RELEASE=$([[ "$GITHUB_REF_NAME" =~ alpha|beta ]] && echo "-p" || echo "")
-        NOTES=$(curl -s "https://api.openssl.org/release-metadata/news/?version=$VERSION&capture_title=False")
-        gh release create "$GITHUB_REF_NAME" $PRE_RELEASE -t "OpenSSL $VERSION" -d --notes "$NOTES" -R "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME/assets/"*

.github/workflows/make-test

@@ -1,43 +0,0 @@
-#!/usr/bin/env bash
-set -eo pipefail
-
-cleanup() {
-    # Remove if nothing was generated.
-    [ -d artifacts ] && find artifacts -type d -empty -delete
-}
-trap cleanup EXIT
-
-# Make a central directory to store all output artifacts of our test run to
-# avoid having to configure multiple upload-artifacts steps in the workflow
-# file.
-OSSL_CI_ARTIFACTS_PATH="artifacts/"
-if [ -n "${GITHUB_RUN_NUMBER}" ]; then
-    OSSL_CI_ARTIFACTS_PATH="artifacts/github-${GITHUB_JOB}-${GITHUB_RUN_NUMBER}-${GITHUB_RUN_ID}/"
-fi
-mkdir -p "$OSSL_CI_ARTIFACTS_PATH"
-export OSSL_CI_ARTIFACTS_PATH="$(cd "$OSSL_CI_ARTIFACTS_PATH"; pwd)"
-
-# Run the tests. This might fail, but we need to capture artifacts anyway.
-set +e
-make test HARNESS_JOBS=${HARNESS_JOBS:-4} "$@"
-RESULT=$?
-set -e
-
-# Move an interesting subset of the test-runs data we want into the artifacts
-# staging directory.
-for test_name in quic_multistream; do
-    if [ -d "test-runs/test_${test_name}" ]; then
-        mv "test-runs/test_${test_name}" "$OSSL_CI_ARTIFACTS_PATH/"
-    fi
-done
-
-# Log the artifact tree.
-echo "::group::List of artifact files generated"
-echo "Test suite exited with $RESULT, artifacts path is $OSSL_CI_ARTIFACTS_PATH"
-(cd "$OSSL_CI_ARTIFACTS_PATH"; find . -type f | sort)
-echo "::endgroup::"
-
-echo "Archive artifacts"
-tar -czf artifacts.tar.gz $OSSL_CI_ARTIFACTS_PATH
-
-exit $RESULT

.github/workflows/os-zoo.yml

@@ -1,343 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: OS Zoo CI
-
-on:
-  schedule:
-    - cron: '50 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  alpine:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: [edge, latest]
-        cc: [gcc, clang]
-    runs-on: ubuntu-latest
-    container:
-      image: docker.io/library/alpine:${{ matrix.tag }}
-    env:
-      # See https://www.openwall.com/lists/musl/2022/02/16/14
-      # for the reason why -Wno-sign-compare is needed with clang
-      # -Wno-stringop-overflow is needed to silence a bogus
-      # warning on new fortify-headers with gcc
-      EXTRA_CFLAGS: ${{ matrix.cc == 'clang' && '-Wno-sign-compare' || matrix.tag == 'edge' && '-Wno-stringop-overflow' || '' }}
-      CC: ${{ matrix.cc }}
-    steps:
-    - name: install packages
-      run: apk --no-cache add build-base perl linux-headers ${{ matrix.cc }}
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: |
-        ./config --strict-warnings --banner=Configured no-shared enable-fips \
-                 ${EXTRA_CFLAGS}
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  linux:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      fail-fast: false
-      matrix:
-        zoo:
-          - image: docker.io/library/debian:11
-            install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/debian:12
-            install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/debian:trixie
-            install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/ubuntu:20.04
-            install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/ubuntu:22.04
-            install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/ubuntu:24.04
-            install: apt-get update && apt-get install -y gcc make perl
-          - image: docker.io/library/fedora:41
-            install: dnf install -y gcc make perl-core
-          - image: docker.io/library/fedora:42
-            install: dnf install -y gcc make perl-core
-          - image: docker.io/library/centos:8
-            install: |
-              sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \
-              sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-* && \
-              dnf install -y gcc make perl-core
-          - image: docker.io/library/rockylinux:8
-            install: dnf install -y gcc make perl-core
-          - image: docker.io/library/rockylinux:9
-            install: dnf install -y gcc make perl-core
-    runs-on: ubuntu-latest
-    container: ${{ matrix.zoo.image }}
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: install packages
-      run: ${{ matrix.zoo.install }}
-    - name: config
-      run: ./config
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  macos:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [macos-14, macos-15, macos-15-intel]
-    runs-on: ${{ matrix.os }}
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured enable-fips enable-demos enable-h3demo
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        sysctl machdep.cpu
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  windows:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - os: windows-2022
-            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
-          - os: windows-2025
-            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
-    runs-on: ${{ matrix.platform.os }}
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: install nasm
-      run: |
-        choco install nasm
-        "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - name: prepare the build directory
-      run: mkdir _build
-    - name: config
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        perl ..\Configure --banner=Configured --strict-warnings no-makedepend enable-fips
-        perl configdata.pm --dump
-    - name: build
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        nmake /S
-    - name: download coreinfo
-      run: |
-        mkdir _build\coreinfo
-        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
-    - name: get cpu info
-      working-directory: _build
-      run: |
-        7z.exe x coreinfo/Coreinfo.zip
-        ./Coreinfo64.exe -accepteula -f
-        apps/openssl.exe version -c
-    - name: test
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
-
-  linux-arm64:
-    runs-on: ubuntu-24.04-arm
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  linux-x86:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: run container
-      run: |
-        CONTAINER_ID=$(podman run -d -v $(pwd):/mnt -w /mnt --platform=linux/i386 docker.io/i386/debian:13 sleep infinity)
-        echo "CONTAINER_ID=$CONTAINER_ID" >> "$GITHUB_ENV"
-    - name: install dependencies
-      run:
-        podman exec -t $CONTAINER_ID sh -c "apt-get update && apt-get install -y gcc perl make"
-    - name: config
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-          "./config --strict-warnings linux-x86 enable-demos enable-fips enable-lms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace"
-    - name: config dump
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-          "./configdata.pm --dump"
-    - name: make
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-        "make -j"
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        podman exec -t $CONTAINER_ID sh -c \
-          "./util/opensslwrap.sh version -c"
-    - name: make test
-      run: |
-        podman exec -t $CONTAINER_ID sh -c \
-          ".github/workflows/make-test"
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@linux-x86"
-        path: artifacts.tar.gz
-
-  linux-ppc64le:
-    runs-on: linux-ppc64le
-    if: github.repository == 'openssl/openssl'
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  linux-s390x:
-    runs-on: linux-s390x
-    if: github.repository == 'openssl/openssl'
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config --strict-warnings enable-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  linux-riscv64:
-    runs-on: linux-riscv64
-    if: github.repository == 'openssl/openssl'
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -j8
-    - name: get cpu info
-      run: ./util/opensslwrap.sh version -c
-    - name: make test
-      env:
-        OPENSSL_riscvcap: RV64GC_ZBA_ZBB_ZBC_ZBS_ZKT_V
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  freebsd-x86_64:
-    runs-on: ubuntu-latest
-    if: github.repository == 'openssl/openssl'
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        shutdown_vm: false
-        run: |
-          sudo pkg install -y gcc perl5
-          ./config --strict-warnings enable-fips enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-trace
-    - name: config dump
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        shutdown_vm: false
-        run: ./configdata.pm --dump
-    - name: make
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        shutdown_vm: false
-        run: make -j4
-    - name: make test
-      uses: cross-platform-actions/action@46e8d7fb25520a8d6c64fd2b7a1192611da98eda #v0.30.0
-      with:
-        operating_system: freebsd
-        version: "13.4"
-        run: |
-          ./util/opensslwrap.sh version -c
-          .github/workflows/make-test

.github/workflows/oss-fuzz.yml

@@ -1,41 +0,0 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: CIFuzz
-on:
-  schedule:
-    - cron: '50 01 * * *'
-  workflow_dispatch:
-permissions:
-  contents: read
-
-jobs:
-  Fuzzing:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Clear unnecessary files
-      run: |
-        df
-        sudo rm -rf /usr/share/dotnet /usr/share/swift /usr/local/.ghcup /usr/local/share/powershell /usr/local/share/chromium /usr/local/lib/android /usr/local/lib/node_modules
-        df
-    - name: Build Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'openssl'
-        dry-run: false
-    - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'openssl'
-        fuzz-seconds: 600
-        dry-run: false
-    - name: Upload Crash
-      uses: actions/upload-artifact@v5
-      if: failure()
-      with:
-        name: artifacts
-        path: ./out/artifacts

.github/workflows/perl-minimal-checker.yml

@@ -1,53 +0,0 @@
-# Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# Jobs run per pull request submission
-name: Perl-minimal-checker CI
-on: [pull_request, push]
-permissions:
-  contents: read
-
-jobs:
-  perl-minimal-checker:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Install perl 5.10
-      run: |
-        pushd /tmp
-        mkdir perl
-        wget https://www.cpan.org/src/5.0/perl-5.10.1.tar.bz2
-        tar xf perl-5.10.1.tar.bz2
-        cd perl-5.10.1
-        ./Configure -des -Dprefix=/tmp/perl -A ccflags='-Wno-incompatible-pointer-types' -A define:malloctype='void *' -A define:freetype='void' -Dlibs='-ldl -lm -lutil -lc'
-        make -j $(nproc) perl
-        make install
-        popd
-    - name: Install Test::More 0.96
-      run: |
-        pushd /tmp
-        wget https://cpan.metacpan.org/authors/id/M/MS/MSCHWERN/Test-Simple-0.96.tar.gz
-        tar xf Test-Simple-0.96.tar.gz
-        cd Test-Simple-0.96
-        PATH="/tmp/perl/bin:$PATH"
-        perl Makefile.PL
-        make -j$(nproc) && make install
-        perl -MTest::More -e 'print "$Test::More::VERSION\n"'
-        popd
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: Build openssl
-      run: ./config && make -j $(nproc)
-    - name: Install sed
-      run: sudo apt update && sudo apt install sed
-    - name: Check minimal version compliance
-      run: |
-        PM_FILES=($(find . -name "*.pm"))
-        perl -v
-        status=0
-        for p in "${PM_FILES[@]}"; do perl -I"$(pwd)/util/perl" -I"$(pwd)" -I"$(pwd)/external/perl/Text-Template-1.56/lib" -c "$p" | sed -n '/@INC/{p; q1}' || status=1; done;
-        exit $status

.github/workflows/prov-compat-label.yml

@@ -1,278 +0,0 @@
-# Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# This verifies that FIPS and legacy providers built against some earlier
-# released versions continue to run against the current branch.
-
-name: Provider compatibility for PRs
-
-on: [pull_request]
-
-permissions:
-  contents: read
-
-env:
-  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
-
-jobs:
-  fips-releases:
-    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
-    strategy:
-      matrix:
-        release: [
-          # Formally released versions should be added here.
-          #     `dir' it the directory inside the tarball.
-          #     `tgz' is the name of the tarball.
-          #     `url' is the download URL.
-          {
-            dir: openssl-3.0.0,
-            tgz: openssl-3.0.0.tar.gz,
-            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
-          },
-          {
-            dir: openssl-3.0.8,
-            tgz: openssl-3.0.8.tar.gz,
-            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
-          },
-          {
-            dir: openssl-3.0.9,
-            tgz: openssl-3.0.9.tar.gz,
-            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
-          },
-          {
-            dir: openssl-3.1.2,
-            tgz: openssl-3.1.2.tar.gz,
-            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz",
-          },
-        ]
-
-    runs-on: ubuntu-latest
-    steps:
-      - name: create download directory
-        run: mkdir downloads
-      - name: download release source
-        run: wget --no-verbose ${{ matrix.release.url }}
-        working-directory: downloads
-      - name: unpack release source
-        run: tar xzf downloads/${{ matrix.release.tgz }}
-
-      - name: localegen
-        run: sudo locale-gen tr_TR.UTF-8
-
-      - name: config release
-        run: |
-          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
-        working-directory: ${{ matrix.release.dir }}
-      - name: config dump release
-        run: ./configdata.pm --dump
-        working-directory: ${{ matrix.release.dir }}
-
-      - name: make release
-        run: make -s -j4
-        working-directory: ${{ matrix.release.dir }}
-
-      - name: create release artifacts
-        run: |
-          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
-
-      - name: show module versions from release
-        run: |
-          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
-                                                 -provider base             \
-                                                 -provider default          \
-                                                 -provider fips             \
-                                                 -provider legacy           \
-                                                 -providers
-        working-directory: ${{ matrix.release.dir }}
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: ${{ matrix.release.tgz }}
-          path: ${{ matrix.release.tgz }}
-          retention-days: 7
-
-  development-branches:
-    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
-    strategy:
-      matrix:
-        branch: [
-          # Currently supported FIPS capable branches should be added here.
-          #     `name' is the branch name used to checkout out.
-          #     `dir' directory that will be used to build and test in.
-          #     `tgz' is the name of the tarball use to keep the artifacts of
-          #         the build.
-          {
-            name: '',
-            dir: PR,
-            tgz: PR.tar.gz,
-          }, {
-            name: openssl-3.0,
-            dir: branch-3.0,
-            tgz: branch-3.0.tar.gz,
-          }, {
-            name: openssl-3.3,
-            dir: branch-3.3,
-            tgz: branch-3.3.tar.gz,
-          }, {
-            name: openssl-3.4,
-            dir: branch-3.4,
-            tgz: branch-3.4.tar.gz,
-          }, {
-            name: openssl-3.5,
-            dir: branch-3.5,
-            tgz: branch-3.5.tar.gz,
-          }, {
-            name: openssl-3.6,
-            dir: branch-3.6,
-            tgz: branch-3.6.tar.gz,
-          }, {
-            name: master,
-            dir: branch-master,
-            tgz: branch-master.tar.gz,
-          },
-        ]
-
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          path: ${{ matrix.branch.dir }}
-          repository: openssl/openssl
-          ref: ${{ matrix.branch.name }}
-          persist-credentials: false
-      - name: localegen
-        run: sudo locale-gen tr_TR.UTF-8
-
-      - name: config branch
-        run: |
-          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
-        working-directory: ${{ matrix.branch.dir }}
-      - name: config dump current
-        run: ./configdata.pm --dump
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: make branch
-        run: make -s -j4
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: create branch artifacts
-        run: |
-          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
-
-      - name: show module versions from branch
-        run: |
-          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
-                                                 -provider base             \
-                                                 -provider default          \
-                                                 -provider fips             \
-                                                 -provider legacy           \
-                                                 -providers
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: get cpu info
-        run: |
-          cat /proc/cpuinfo
-          ./util/opensslwrap.sh version -c
-        working-directory: ${{ matrix.branch.dir }}
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: ${{ matrix.branch.tgz }}
-          path: ${{ matrix.branch.tgz }}
-          retention-days: 7
-
-  cross-testing:
-    if: ${{ contains(github.event.pull_request.labels.*.name,'extended tests') }}
-    needs: [fips-releases, development-branches]
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        # These can't be figured out earlier and included here as a variable
-        # substitution.
-        #
-        # Note that releases are not used as a test environment for
-        # later providers.  Problems in these situations ought to be
-        # caught by cross branch testing before the release.
-        tree_a: [ branch-3.6, branch-3.5, branch-3.4, branch-3.3, branch-3.0,
-                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
-        tree_b: [ PR ]
-        include:
-          - tree_a: PR
-            tree_b: branch-master
-          - tree_a: PR
-            tree_b: branch-3.6
-          - tree_a: PR
-            tree_b: branch-3.5
-          - tree_a: PR
-            tree_b: branch-3.4
-          - tree_a: PR
-            tree_b: branch-3.3
-          - tree_a: PR
-            tree_b: branch-3.0
-    steps:
-      - name: early exit checks
-        id: early_exit
-        env:
-          B_BRANCH: ${{ matrix.tree_b }}
-          PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
-        run: |
-          b_ver=${B_BRANCH#branch-}
-          b_label="branch: $b_ver"
-          if [[ "$PR_LABELS" == *"$b_label"* ]]; then
-            echo "Skipping branches modified by the PR"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - uses: actions/download-artifact@v6.0.0
-        if: steps.early_exit.outputs.skip != 'true'
-        with:
-          name: ${{ matrix.tree_a }}.tar.gz
-      - name: unpack first build
-        if: steps.early_exit.outputs.skip != 'true'
-        run: tar xzf "${{ matrix.tree_a }}.tar.gz"
-
-      - uses: actions/download-artifact@v6.0.0
-        if: steps.early_exit.outputs.skip != 'true'
-        with:
-          name: ${{ matrix.tree_b }}.tar.gz
-      - name: unpack second build
-        if: steps.early_exit.outputs.skip != 'true'
-        run: tar xzf "${{ matrix.tree_b }}.tar.gz"
-
-      - name: set up cross validation of FIPS from A with tree from B
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
-          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
-        working-directory: ${{ matrix.tree_a }}
-
-      - name: show module versions from cross validation
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
-                                                 -provider base             \
-                                                 -provider default          \
-                                                 -provider fips             \
-                                                 -provider legacy           \
-                                                 -providers
-        working-directory: ${{ matrix.tree_b }}
-
-      - name: get cpu info
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          cat /proc/cpuinfo
-          ./util/opensslwrap.sh version -c
-        working-directory: ${{ matrix.tree_b }}
-
-      - name: run cross validation tests of FIPS from A with tree from B
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-        working-directory: ${{ matrix.tree_b }}

.github/workflows/provider-compatibility.yml

@@ -1,277 +0,0 @@
-# Copyright 2023-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# This verifies that FIPS and legacy providers built against some earlier
-# released versions continue to run against the current branch.
-
-name: Provider compatibility across versions
-
-# Please note there is no point in running this job on PR as the tests
-# will always run against the tips of the branches in the main repository
-# and not the branch from the PR.
-# Use the `extended tests` label to run provider compatibility checks
-# on PRs.
-on:
-  schedule:
-    - cron: '10 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  opts: enable-rc5 enable-md2 enable-ssl3 enable-weak-ssl-ciphers enable-zlib
-
-jobs:
-  fips-releases:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      matrix:
-        release: [
-          # Formally released versions should be added here.
-          #     `dir' it the directory inside the tarball.
-          #     `tgz' is the name of the tarball.
-          #     `url' is the download URL.
-          {
-            dir: openssl-3.0.0,
-            tgz: openssl-3.0.0.tar.gz,
-            url: "https://www.openssl.org/source/old/3.0/openssl-3.0.0.tar.gz",
-          },
-          {
-            dir: openssl-3.0.8,
-            tgz: openssl-3.0.8.tar.gz,
-            url: "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
-          },
-          {
-            dir: openssl-3.0.9,
-            tgz: openssl-3.0.9.tar.gz,
-            url: "https://www.openssl.org/source/openssl-3.0.9.tar.gz",
-          },
-          {
-            dir: openssl-3.1.2,
-            tgz: openssl-3.1.2.tar.gz,
-            url: "https://www.openssl.org/source/openssl-3.1.2.tar.gz",
-          },
-        ]
-
-    runs-on: ubuntu-latest
-    steps:
-      - name: create download directory
-        run: mkdir downloads
-      - name: download release source
-        run: wget --no-verbose ${{ matrix.release.url }}
-        working-directory: downloads
-      - name: unpack release source
-        run: tar xzf downloads/${{ matrix.release.tgz }}
-
-      - name: localegen
-        run: sudo locale-gen tr_TR.UTF-8
-
-      - name: config release
-        run: |
-          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }}
-        working-directory: ${{ matrix.release.dir }}
-      - name: config dump release
-        run: ./configdata.pm --dump
-        working-directory: ${{ matrix.release.dir }}
-
-      - name: make release
-        run: make -s -j4
-        working-directory: ${{ matrix.release.dir }}
-
-      - name: create release artifacts
-        run: |
-          tar cz -H posix -f ${{ matrix.release.tgz }} ${{ matrix.release.dir }}
-
-      - name: show module versions from release
-        run: |
-          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
-                                                 -provider base             \
-                                                 -provider default          \
-                                                 -provider fips             \
-                                                 -provider legacy           \
-                                                 -providers
-        working-directory: ${{ matrix.release.dir }}
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: ${{ matrix.release.tgz }}
-          path: ${{ matrix.release.tgz }}
-          retention-days: 7
-
-  development-branches:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      matrix:
-        branch: [
-          # Currently supported FIPS capable branches should be added here.
-          #     `name' is the branch name used to checkout out.
-          #     `dir' directory that will be used to build and test in.
-          #     `tgz' is the name of the tarball use to keep the artifacts of
-          #         the build.
-          #     `extra_config` adds extra config build option for the branch.
-          {
-            name: openssl-3.0,
-            dir: branch-3.0,
-            tgz: branch-3.0.tar.gz,
-            extra_config: "",
-          }, {
-            name: openssl-3.3,
-            dir: branch-3.3,
-            tgz: branch-3.3.tar.gz,
-            extra_config: "",
-          }, {
-            name: openssl-3.4,
-            dir: branch-3.4,
-            tgz: branch-3.4.tar.gz,
-            extra_config: "",
-          }, {
-            name: openssl-3.5,
-            dir: branch-3.5,
-            tgz: branch-3.5.tar.gz,
-            extra_config: "",
-          }, {
-            name: openssl-3.6,
-            dir: branch-3.6,
-            tgz: branch-3.6.tar.gz,
-            extra_config: "enable-lms",
-          }, {
-            name: master,
-            dir: branch-master,
-            tgz: branch-master.tar.gz,
-            extra_config: "enable-lms",
-          },
-        ]
-
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          path: ${{ matrix.branch.dir }}
-          repository: openssl/openssl
-          ref: ${{ matrix.branch.name }}
-          persist-credentials: false
-      - name: localegen
-        run: sudo locale-gen tr_TR.UTF-8
-
-      - name: config branch
-        run: |
-          ./config --banner=Configured enable-shared enable-fips ${{ env.opts }} ${{ matrix.branch.extra_config }}
-        working-directory: ${{ matrix.branch.dir }}
-      - name: config dump current
-        run: ./configdata.pm --dump
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: make branch
-        run: make -s -j4
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: create branch artifacts
-        run: |
-          tar cz -H posix -f ${{ matrix.branch.tgz }} ${{ matrix.branch.dir }}
-
-      - name: show module versions from branch
-        run: |
-          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
-                                                 -provider base             \
-                                                 -provider default          \
-                                                 -provider fips             \
-                                                 -provider legacy           \
-                                                 -providers
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: get cpu info
-        run: |
-          cat /proc/cpuinfo
-          ./util/opensslwrap.sh version -c
-        working-directory: ${{ matrix.branch.dir }}
-
-      - name: make test
-        run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-        working-directory: ${{ matrix.branch.dir }}
-
-      - uses: actions/upload-artifact@v5
-        with:
-          name: ${{ matrix.branch.tgz }}
-          path: ${{ matrix.branch.tgz }}
-          retention-days: 7
-
-  cross-testing:
-    if: github.repository == 'openssl/openssl'
-    needs: [fips-releases, development-branches]
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        # These can't be figured out earlier and included here as a variable
-        # substitution.
-        #
-        # Note that releases are not used as a test environment for
-        # later providers.  Problems in these situations ought to be
-        # caught by cross branch testing before the release.
-        tree_a: [ branch-master, branch-3.6, branch-3.5, branch-3.4, branch-3.3,
-                  branch-3.0,
-                  openssl-3.0.0, openssl-3.0.8, openssl-3.0.9, openssl-3.1.2 ]
-        tree_b: [ branch-master, branch-3.6, branch-3.5, branch-3.4, branch-3.3,
-                  branch-3.0  ]
-    steps:
-      - name: early exit checks
-        id: early_exit
-        run: |
-          if [ "${{ matrix.tree_a }}" = "${{ matrix.tree_b }}" ]; then
-            echo "Skipping because both are the same version"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - uses: actions/download-artifact@v6.0.0
-        if: steps.early_exit.outputs.skip != 'true'
-        with:
-          name: ${{ matrix.tree_a }}.tar.gz
-      - name: unpack first build
-        if: steps.early_exit.outputs.skip != 'true'
-        run: tar xzf "${{ matrix.tree_a }}.tar.gz"
-
-      - uses: actions/download-artifact@v6.0.0
-        if: steps.early_exit.outputs.skip != 'true'
-        with:
-          name: ${{ matrix.tree_b }}.tar.gz
-      - name: unpack second build
-        if: steps.early_exit.outputs.skip != 'true'
-        run: tar xzf "${{ matrix.tree_b }}.tar.gz"
-
-      - name: set up cross validation of FIPS from A with tree from B
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          cp providers/fips.so ../${{ matrix.tree_b }}/providers/
-          cp providers/fipsmodule.cnf ../${{ matrix.tree_b }}/providers/
-        working-directory: ${{ matrix.tree_a }}
-
-      - name: show module versions from cross validation
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          ./util/wrap.pl -fips apps/openssl list -provider-path providers   \
-                                                 -provider base             \
-                                                 -provider default          \
-                                                 -provider fips             \
-                                                 -provider legacy           \
-                                                 -providers
-        working-directory: ${{ matrix.tree_b }}
-
-      - name: get cpu info
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          cat /proc/cpuinfo
-          ./util/opensslwrap.sh version -c
-        working-directory: ${{ matrix.tree_b }}
-
-      - name: run cross validation tests of FIPS from A with tree from B
-        if: steps.early_exit.outputs.skip != 'true'
-        run: |
-          make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-        working-directory: ${{ matrix.tree_b }}

.github/workflows/riscv-more-cross-compiles.yml

@@ -1,265 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Cross Compile for RISC-V Extensions
-
-on:
-  pull_request:
-    types: [opened, reopened, edited, synchronize]
-  push:
-  schedule:
-    - cron: '35 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  cross-compilation-riscv:
-    # pull request title contains 'riscv'
-    # pull request title contains 'RISC-V'
-    # pull request body contains '[riscv ci]'
-    # push event commit message contains '[riscv ci]'
-    # cron job
-    # manual dispatch
-    if: contains(github.event.pull_request.title, 'riscv') || contains(github.event.pull_request.title, 'RISC-V') || contains(github.event.pull_request.body, '[riscv ci]') || contains(github.event.head_commit.message, '[riscv ci]') || (github.event_name == 'schedule' && github.repository == 'openssl/openssl') || github.event_name == 'workflow_dispatch'
-    strategy:
-      fail-fast: false
-      matrix:
-        # The platform matrix specifies:
-        #   arch: the architecture to build for, this defines the tool-chain
-        #         prefix {arch}- and the Debian compiler package gcc-{arch}
-        #         name.
-        #   libs: the Debian package for the necessary link/runtime libraries.
-        #   target: the OpenSSL configuration target to use, this is passed
-        #           directly to the config command line.
-        #   fips:   set to "no" to disable building FIPS, leave unset to
-        #           build the FIPS provider.
-        #   tests: omit this to run all the tests using QEMU, set it to "none"
-        #          to never run the tests, otherwise its value is passed to
-        #          the "make test" command to allow selective disabling of
-        #          tests.
-        #   qemucpu: optional; string that describes CPU properties.
-        #            The string will be used to set the QEMU_CPU variable.
-        #   opensslcapsname: optional; string that describes the postfix of the
-        #                    OpenSSL environment variable that defines CPU
-        #                    capabilities. E.g. "foo" will result in an
-        #                    environment variable with the name OPENSSL_foo.
-        #   opensslcaps: optional; if opensslcapsname (see above) is set, then
-        #                this string will be used as content for the OpenSSL
-        #                capabilities variable.
-        #   ppa:   Launchpad PPA repository to download packages from.
-        platform: [
-          # Scalar Crypto
-          {
-            # RV64GC with bitmanip and scalar crypto extensions
-            #   crypto/aes/asm/aes-riscv64-zkn.pl
-            #   crypto/modes/gcm128.c
-            # The following paths only use ZBB
-            #   crypto/sha/asm/sha256-riscv64-zbb.pl
-            #   crypto/sha/asm/sha512-riscv64-zbb.pl
-            #   crypto/sm3/asm/sm3-riscv64-zbb.pl
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,zbb=true,zbc=true,zbkb=true,zknd=true,zkne=true",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_zbb_zbc_zbkb_zknd_zkne"
-          }, {
-            # RV64GC ZBC ZBB, but without ZBKB
-            #   crypto/modes/gcm128.c
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,zbc=true,zbb=true,zbkb=false",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_zbc_zbb"
-          }, {
-            # RV64GC ZBC, but without ZBB/ZBKB
-            #   crypto/modes/gcm128.c
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,zbc=true,zbb=false,zbkb=false",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_zbc"
-          }, {
-          # Vector Crypto
-            # RV64GC V ZBB, but without ZVKB
-            # For chacha20 vector-only path from #24069
-            #   crypto/chacha/asm/chacha-riscv64-v-zbb.pl
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,v=true,vlen=128,zbb=true,zvbb=false,zvkb=false",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_v_zbb"
-          }, {
-            # RV64GC V ZVKG, but without ZVKB
-            #   crypto/modes/gcm128.c
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            # do not use zvkb flag for qemucpu as ubuntu-latest (24.04) uses QEMU 8.2.2
-            # see https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg02231.html
-            # Should be zvkg=true,zvbb=false,zvkb=false
-            qemucpu: "rv64,v=true,vlen=128,zvkg=true,zvbb=false",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_v_zvkg"
-          }, {
-            # RV64GC V ZVKB ZVBC, but without ZVKG
-            #   crypto/modes/gcm128.c
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            # do not use zvkb flag for qemucpu as ubuntu-latest (24.04) uses QEMU 8.2.2
-            # see https://lists.nongnu.org/archive/html/qemu-devel/2024-05/msg02231.html
-            # Should be zvkb=true,zvbc=true,zvkg=false
-            qemucpu: "rv64,v=true,vlen=128,zvbb=true,zvbc=true,zvkg=false",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_v_zvkb_zvbc"
-          }, {
-            # RV64GC V ZVKNED, but without ZVBB/ZVKB/ZVKG
-            #   crypto/aes/asm/aes-riscv64-zvkned.pl
-            #   providers/implementations/ciphers/cipher_aes_xts_hw.c
-            #   providers/implementations/ciphers/cipher_aes_hw_rv64i.inc
-            #   providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i.inc
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,v=true,vlen=128,zvkned=true,zvbb=false,zvkb=false,zvkg=false",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_v_zvkned"
-          }, {
-            # RV64GC with all currently OpenSSL-supported extensions
-            #   crypto/chacha/chacha_riscv.c (with ZVKB)
-            #   crypto/modes/gcm128.c (with ZVKG/ZVKB)
-            #   crypto/sm3/asm/sm3-riscv64-zvksh.pl
-            #   crypto/sm4/asm/sm4-riscv64-zvksed.pl
-            #   crypto/aes/asm/aes-riscv64-zvbb-zvkg-zvkned.pl
-            #   crypto/aes/asm/aes-riscv64-zvkb-zvkned.pl
-            #   crypto/modes/asm/ghash-riscv64-zvkg.pl
-            #   crypto/modes/asm/aes-gcm-riscv64-zvkb-zvkg-zvkned.pl
-            #   crypto/modes/asm/ghash-riscv64-zvkb-zvbc.pl
-            #   crypto/sha/asm/sha256-riscv64-zvkb-zvknha_or_zvknhb.pl
-            #   crypto/sha/asm/sha512-riscv64-zvkb-zvknhb.pl
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,zba=true,zbb=true,zbc=true,zbs=true,zbkb=true,zbkc=true,zbkx=true,zknd=true,zkne=true,zknh=true,zksed=true,zksh=true,zkr=true,zkt=true,v=true,vlen=128,zvbb=true,zvbc=true,zvkb=true,zvkg=true,zvkned=true,zvknha=true,zvknhb=true,zvksed=true,zvksh=true",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_zba_zbb_zbc_zbs_zbkb_zbkc_zbkx_zknd_zkne_zknh_zksed_zksh_zkr_zkt_v_zvbb_zvbc_zvkb_zvkg_zvkned_zvknha_zvknhb_zvksed_zvksh"
-          }, {
-            # Inline asm
-            # zbb/zbkb:
-            #   include/crypto/md32_common.h
-            #   include/crypto/modes.h
-            #   crypto/chacha/chacha_enc.c
-            #   crypto/des/des_local.h
-            # zknh (zbt/zpn not available in QEMU):
-            #   crypto/sha/sha512.c
-            #   crypto/sha/sha256.c
-            # zksh:
-            #   crypto/sm3/sm3_local.h
-            arch: riscv64-linux-gnu,
-            libs: libc6-dev-riscv64-cross,
-            target: -march=rv64gc_zbb_zbkb_zknh_zksh linux64-riscv64,
-            fips: no,
-            qemucpu: "rv64,zbb=true,zbkb=true,zknh=true,zksh=true",
-            opensslcapsname: riscvcap, # OPENSSL_riscvcap
-            opensslcaps: "rv64gc_inlineasm" # for uploading artifact
-          }
-        ]
-    runs-on: ubuntu-latest
-    steps:
-    - name: install package repository
-      if: matrix.platform.ppa != ''
-      run: |
-        sudo add-apt-repository ppa:${{ matrix.platform.ppa }}
-    - name: install packages
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install \
-            gcc-${{ matrix.platform.arch }} \
-            ${{ matrix.platform.libs }}
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-
-    - name: config with FIPS
-      if: matrix.platform.fips != 'no'
-      run: |
-        ./config --banner=Configured --strict-warnings enable-fips enable-lms \
-                 --cross-compile-prefix=${{ matrix.platform.arch }}- \
-                 ${{ matrix.platform.target }}
-    - name: config without FIPS
-      if: matrix.platform.fips == 'no'
-      run: |
-        ./config --banner=Configured --strict-warnings enable-lms \
-                 --cross-compile-prefix=${{ matrix.platform.arch }}- \
-                 ${{ matrix.platform.target }}
-    - name: config dump
-      run: ./configdata.pm --dump
-
-    - name: make
-      run: make -s -j4
-
-    - name: install qemu
-      if: matrix.platform.tests != 'none'
-      run: sudo apt-get -yq --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install qemu-user
-
-    - name: Set QEMU environment
-      if: matrix.platform.qemucpu != ''
-      run: echo "QEMU_CPU=${{ matrix.platform.qemucpu }}" >> $GITHUB_ENV
-
-    - name: Set OpenSSL caps environment
-      if: matrix.platform.opensslcapsname != ''
-      run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\
-                 ${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV
-
-    - name: get cpu info
-      run: cat /proc/cpuinfo
-
-    - name: get openssl cpu info
-      if: matrix.platform.tests != 'none'
-      run: QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} ./util/opensslwrap.sh info -cpusettings
-
-    - name: make all tests
-      if: github.event_name == 'push' && matrix.platform.tests == ''
-      run: |
-        .github/workflows/make-test \
-                  TESTS="-test_afalg" \
-                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
-    - name: make some tests
-      if: github.event_name == 'push' && matrix.platform.tests != 'none' && matrix.platform.tests != ''
-      run: |
-        .github/workflows/make-test \
-                  TESTS="${{ matrix.platform.tests }} -test_afalg" \
-                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
-    - name: make evp tests
-      if: github.event_name == 'pull_request' && matrix.platform.tests != 'none'
-      run: |
-        .github/workflows/make-test \
-                  TESTS="test_evp*" \
-                  QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }}
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "cross-compiles-riscv@${{ matrix.platform.opensslcaps }}"
-        path: artifacts.tar.gz
-        if-no-files-found: ignore

.github/workflows/run-checker-ci.yml

@@ -1,67 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# Jobs run per pull request submission
-name: Run-checker CI
-on: [pull_request, push]
-permissions:
-  contents: read
-
-env:
-  OSSL_RUN_CI_TESTS: 1
-
-jobs:
-  run-checker:
-    strategy:
-      fail-fast: false
-      matrix:
-        opt: [
-          no-cmp,
-          no-cms,
-          no-dgram,
-          no-dh,
-          no-dtls,
-          no-ec,
-          no-ecx,
-          no-ml-dsa,
-          no-ml-kem,
-          no-http,
-          no-legacy,
-          no-sock,
-          no-sm2,
-          no-stdio,
-          no-threads,
-          no-thread-pool,
-          no-default-thread-pool,
-          no-tls,
-          no-tls1_2,
-          no-tls1_3,
-          enable-trace enable-fips,
-          no-ui,
-          no-quic
-        ]
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: CC=clang ./config --banner=Configured --strict-warnings ${{ matrix.opt }}
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi
-    - name: Check platform symbol usage
-      run: ./util/checkplatformsyms.pl ./util/platform_symbols/unix-symbols.txt ./libcrypto.so ./libssl.so
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}

.github/workflows/run-checker-daily.yml

@@ -1,440 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Run-checker daily
-# Jobs run daily
-
-on:
-  schedule:
-    - cron: '30 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  run-checker:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      fail-fast: false
-      matrix:
-        opt: [
-          386,
-          no-apps,
-          no-argon2,
-          no-aria,
-          no-asan,
-          no-asm,
-          no-async,
-          no-atexit,
-          no-autoalginit,
-          no-autoerrinit,
-          no-autoload-config,
-          no-bf,
-          no-blake2,
-          no-buildtest-c++,
-          no-bulk,
-          no-cached-fetch,
-          no-camellia,
-          no-cast,
-          no-chacha,
-          no-cmac,
-          no-comp,
-          enable-crypto-mdebug,
-          no-ct,
-          enable-demos,
-          no-deprecated,
-          no-des,
-          no-docs,
-          no-dsa,
-          no-dtls1,
-          no-dtls1_2,
-          no-dtls1_2-method,
-          no-dtls1-method,
-          no-ecdh,
-          no-ecdsa,
-          enable-ec_nistp_64_gcc_128,
-          enable-egd,
-#          enable-external-tests,  # Requires extra setup
-          enable-fips,
-          enable-fips enable-acvp-tests,
-          enable-fips no-tls1_3,
-          enable-fips no-des no-dsa no-ec2m,
-#          enable-fuzz-afl,        # Requires extra setup
-#          enable-fuzz-libfuzzer,  # Requires extra setup
-          no-gost,
-          enable-h3demo,
-          enable-heartbeats,
-          enable-hqinterop,
-          no-hw,
-          no-idea,
-          enable-lms,
-          no-makedepend,
-          enable-md2,
-          no-md4,
-          no-mdc2,
-          no-msan,
-          no-multiblock,
-          no-nextprotoneg,
-          no-ocb,
-          no-pic,
-          no-poly1305,
-          no-posix-io,
-          no-psk,
-          no-rc2,
-          enable-rc5,
-          no-rdrand,
-          no-rfc3779,
-          no-ripemd,
-          no-rmd160,
-          no-scrypt,
-          no-secure-memory,
-          no-seed,
-          no-shared,
-          no-siphash,
-          no-siv,
-          no-sm2-precomp,
-          no-sm3,
-          no-sm4,
-          no-sock,
-          no-sse2,
-          no-ssl,
-          no-ssl-trace,
-          enable-ssl3,
-          enable-ssl3-method,
-          enable-sslkeylog,
-          no-shared,
-          no-tests,
-          enable-tfo,
-          no-tls1,
-          no-tls1_1,
-          no-tls1_1-method,
-          no-tls1_2-method,
-          no-tls1-method,
-          enable-trace,
-          no-ubsan,
-          no-ui-console,
-          enable-unit-test,
-          no-uplink,
-          no-weak-ssl-ciphers,
-          no-whirlpool,
-          enable-zlib-dynamic,
-          -DOPENSSL_PEDANTIC_ZEROIZATION,
-          -DOPENSSL_PEDANTIC_ZEROIZATION enable-fips,
-          -DOPENSSL_NO_BUILTIN_OVERFLOW_CHECKING,
-          -DSSL3_ALIGN_PAYLOAD=4,
-          -DOPENSSL_TLS_SECURITY_LEVEL=0
-        ]
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: CC=clang ./config --strict-warnings  --banner=Configured --strict-warnings ${{ matrix.opt }}
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  run-checker-sctp:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Install Dependencies for sctp option
-      run:  |
-        sudo apt-get update
-        sudo apt-get -yq install lksctp-tools libsctp-dev
-
-    - name: Check SCTP and enable auth
-      id: sctp_auth
-      continue-on-error: true
-      run:  |
-        checksctp
-        sudo sysctl -w net.sctp.auth_enable=1
-
-    - name: config
-      if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
-      run: CC=clang ./config --strict-warnings --banner=Configured enable-sctp
-
-    - name: config dump
-      if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
-      run: ./configdata.pm --dump
-
-    - name: make
-      if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
-      run: make -s -j4
-
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-
-    - name: make test
-      if: steps.sctp_auth.outcome == 'success' && steps.sctp_auth.conclusion == 'success'
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  enable_brotli_dynamic:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - name: install brotli
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install brotli libbrotli1 libbrotli-dev
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings enable-comp enable-brotli enable-brotli-dynamic && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  enable_zstd_dynamic:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - name: install zstd
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install zstd libzstd1 libzstd-dev
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings enable-comp enable-zstd enable-zstd-dynamic && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  enable_brotli_and_zstd_dynamic:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - name: install brotli and zstd
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install brotli libbrotli1 libbrotli-dev
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install zstd libzstd1 libzstd-dev
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings enable-comp enable-brotli enable-brotli-dynamic enable-zstd enable-zstd-dynamic && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  malloc_failure_testing:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-asan enable-crypto-mdebug enable-allocfail-tests && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      continue-on-error: true
-      run: |
-        make TESTS="test_memfail" test
-
-  enable_brotli_and_asan_ubsan:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - name: install brotli
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install brotli libbrotli1 libbrotli-dev
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-brotli -DPEDANTIC && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0
-
-  enable_zstd_and_asan_ubsan:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - name: install zstd
-      run: |
-        sudo apt-get update
-        sudo apt-get -yq --no-install-suggests --no-install-recommends --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages install zstd libzstd1 libzstd-dev
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: ./config --strict-warnings --banner=Configured --debug enable-asan enable-ubsan enable-comp enable-zstd -DPEDANTIC && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0
-
-  enable_tfo:
-    if: github.repository == 'openssl/openssl'
-    strategy:
-      matrix:
-        os: [ubuntu-latest, macos-15, macos-15-intel]
-    runs-on: ${{matrix.os}}
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: CC=gcc ./config --strict-warnings --banner=Configured enable-tfo && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  enable_buildtest:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --strict-warnings --banner=Configured no-asm no-makedepend enable-buildtest-c++ enable-fips -D_DEFAULT_SOURCE && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  memory_sanitizer_slh_dsa:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      # --debug -O1 is to produce a debug build that runs in a reasonable amount of time
-      run: CC=clang ./config --strict-warnings --banner=Configured --debug no-shared -O1 -fsanitize=memory -DOSSL_SANITIZE_MEMORY -fno-optimize-sibling-calls enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-fips && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} OPENSSL_TEST_RAND_ORDER=0
-
-  bn_debug:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: config
-      run: ./config --debug --strict-warnings -DBN_DEBUG --banner=Configured -DOPENSSL_NO_SECURE_MEMORY && perl configdata.pm --dump
-    - name: make
-      run: make -j4 # verbose, so no -s here
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: .github/workflows/make-test
-    - name: save artifacts
-      if: success() || failure()
-      uses: actions/upload-artifact@v5
-      with:
-        name: "ci@bn_debug"
-        path: artifacts.tar.gz

.github/workflows/run-checker-merge.yml

@@ -1,113 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Run-checker merge
-# Jobs run per merge to master
-
-on: [push]
-permissions:
-  contents: read
-
-jobs:
-  run-checker:
-    strategy:
-      fail-fast: false
-      matrix:
-        opt: [
-          enable-asan enable-ubsan no-shared no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=function,
-          no-dso,
-          no-ec2m enable-fips,
-          no-shared,
-          no-err,
-          no-filenames,
-          enable-ubsan no-asm -DOPENSSL_SMALL_FOOTPRINT -fno-sanitize=function,
-          no-module,
-          no-ocsp,
-          no-pinshared,
-          no-srp,
-          no-srtp,
-          no-ts,
-          no-integrity-only-ciphers,
-          enable-weak-ssl-ciphers,
-          enable-zlib,
-          enable-pie,
-        ]
-    runs-on: ubuntu-latest
-    steps:
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: CC=clang ./config --strict-warnings --banner=Configured ${{ matrix.opt }}
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        if [ -x apps/openssl ] ; then ./util/opensslwrap.sh version -c ; fi
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  jitter:
-    runs-on: ubuntu-latest
-    steps:
-    - name: checkout openssl
-      uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout jitter
-      uses: actions/checkout@v5
-      with:
-        repository: smuellerDD/jitterentropy-library
-        ref: v3.5.0
-        path: jitter
-        persist-credentials: false
-    - name: build jitter
-      run: make -C jitter/
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: config
-      run: ./config --with-rand-seed=none enable-jitter enable-fips-jitter --with-jitter-include=jitter/ --with-jitter-lib=jitter/ -DOPENSSL_DEFAULT_SEED_SRC=JITTER && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
-
-  threads_sanitizer_atomic_fallback:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: Adjust ASLR for sanitizer
-      run: |
-        sudo cat /proc/sys/vm/mmap_rnd_bits
-        sudo sysctl -w vm.mmap_rnd_bits=28
-    - name: config
-      run: CC=clang ./config --strict-warnings --banner=Configured no-shared no-fips -g -fsanitize=thread -DBROKEN_CLANG_ATOMICS && perl configdata.pm --dump
-    - name: make
-      run: make -s -j4
-    - name: get cpu info
-      run: |
-        cat /proc/cpuinfo
-        ./util/opensslwrap.sh version -c
-    - name: make test
-      run: make test V=1 TESTS="test_lhash test_threads test_internal_provider test_provfetch test_provider test_pbe test_evp_kdf test_pkcs12 test_store test_evp test_quic*"

.github/workflows/run_quic_interop.yml

@@ -1,203 +0,0 @@
-name: "Run openssl quic interop testing"
-
-on:
-  schedule:
-    - cron: '40 02 * * *'
-  workflow_dispatch:
-    inputs:
-      only_interop:
-        type: boolean
-        required: false
-        default: false
-        description: "Run only interop jobs (skip building/pushing containers)"
-
-permissions: {}
-
-jobs:
-  update_quay_container:
-    if: ${{ github.repository == 'openssl/openssl' && !inputs.only_interop }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: "log in to quay.io"
-        run: |
-          docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io
-      - name: "Build container"
-        run: |
-          cd test/quic-openssl-docker/
-          docker build -t quay.io/openssl-ci/openssl-quic-interop:latest .
-      - name: "Push to quay"
-        run: |
-          docker push quay.io/openssl-ci/openssl-quic-interop:latest
-
-  update_msquic_quay_container:
-    if: ${{ github.repository == 'openssl/openssl' && !inputs.only_interop }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          repository: microsoft/msquic
-          ref: main
-          submodules: recursive
-          persist-credentials: false
-      - name: "log in to quay.io"
-        run: |
-          docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io
-      - name: Patch qns.Dockerfile
-        run: |
-          sed -i 's/RUN     cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on ../RUN     cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl ../' ./scripts/qns.Dockerfile
-          if grep -q "RUN     cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl .." ./scripts/qns.Dockerfile; then echo "Patched successfully"; else exit 1; fi
-      - name: "Build container"
-        run: |
-          docker build -f ./scripts/qns.Dockerfile -t quay.io/openssl-ci/msquic-openssl:latest .
-      - name: "Push to quay"
-        run: |
-          docker push quay.io/openssl-ci/msquic-openssl:latest
-
-  run_quic_interop_openssl_client:
-    if: ${{ !inputs.only_interop }}
-    needs: [update_quay_container, update_msquic_quay_container]
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
-        servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy, msquic-openssl]
-        exclude:
-          - servers: msquic
-            tests: retry
-          - servers: msquic-openssl
-            tests: retry
-      fail-fast: false
-    steps: &client_steps
-      - uses: actions/checkout@v5
-        with:
-          repository: 'quic-interop/quic-interop-runner'
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Install python requirements
-        run: |
-          for i in {1..3}; do pip install -r requirements.txt && break; sleep 10; done
-      - name: Add tshark repo
-        run: |
-          for i in {1..3}; do sudo add-apt-repository ppa:wireshark-dev/stable && break; sleep 10; done
-      - name: Update apt repos
-        run: |
-          for i in {1..3}; do sudo apt-get update && break; sleep 10; done
-      - name: Install tshark
-        run: |
-          for i in {1..3}; do sudo apt-get install -y tshark && break; sleep 10; done
-      - name: Patch implementations file
-        run: |
-          jq '. + {
-            "openssl": { image: "quay.io/openssl-ci/openssl-quic-interop"
-                       , url: "https://github.com/openssl/openssl"
-                       , role: "both"
-                       },
-            "msquic-openssl": { image: "quay.io/openssl-ci/msquic-openssl"
-                              , url: "https://github.com/microsoft/msquic"
-                              , role: "both"
-                              }}' ./implementations.json > ./implementations.tmp
-          mv ./implementations.tmp implementations.json
-      - name: Set up docker
-        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
-        with:
-          version: "28.1.1"
-      - name: Set up docker compose
-        uses: docker/setup-compose-action@364cc21a5de5b1ee4a7f5f9d3fa374ce0ccde746 # v1.2.0
-        with:
-          version: "v2.36.2"
-      - name: Check docker version
-        run: |
-          docker version
-          docker compose version
-      - name: "Run interop with openssl client"
-        run: |
-          python3 ./run.py -c openssl -t ${{ matrix.tests }} -s ${{ matrix.servers }} --log-dir ./logs-client -d
-
-  run_quic_interop_openssl_server:
-    if: ${{ !inputs.only_interop }}
-    needs: [update_quay_container, update_msquic_quay_container]
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
-        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome, msquic-openssl]
-        exclude:
-          - clients: mvfst
-            tests: amplificationlimit
-      fail-fast: false
-    steps: &server_steps
-      - uses: actions/checkout@v5
-        with:
-          repository: 'quic-interop/quic-interop-runner'
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Install python requirements
-        run: |
-          for i in {1..3}; do pip install -r requirements.txt && break; done
-      - name: Add tshark repo
-        run: |
-          for i in {1..3}; do sudo add-apt-repository ppa:wireshark-dev/stable && break; done
-      - name: Update apt repos
-        run: |
-          for i in {1..3}; do sudo apt-get update && break; done
-      - name: Install tshark
-        run: |
-          for i in {1..3}; do sudo apt-get install -y tshark && break; done
-      - name: Patch implementations file
-        run: |
-          jq '. + {
-            "openssl": { image: "quay.io/openssl-ci/openssl-quic-interop"
-                       , url: "https://github.com/openssl/openssl"
-                       , role: "both"
-                       },
-            "msquic-openssl": { image: "quay.io/openssl-ci/msquic-openssl"
-                              , url: "https://github.com/microsoft/msquic"
-                              , role: "both"
-                              }}' ./implementations.json > ./implementations.tmp
-          mv ./implementations.tmp implementations.json
-      - name: Set up docker
-        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
-        with:
-          version: "28.1.1"
-      - name: Set up docker compose
-        uses: docker/setup-compose-action@364cc21a5de5b1ee4a7f5f9d3fa374ce0ccde746 # v1.2.0
-        with:
-          version: "v2.36.2"
-      - name: Check docker version
-        run: |
-          docker version
-          docker compose version
-      - name: "Run interop with openssl server"
-        run: |
-          python3 ./run.py -s openssl -t "${{ matrix.tests }}" -c "${{ matrix.clients }}" --log-dir ./logs-server -d
-
-  run_quic_interop_openssl_client_only:
-    if: ${{ inputs.only_interop }}
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
-        servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy, msquic-openssl]
-        exclude:
-          - servers: msquic
-            tests: retry
-          - servers: msquic-openssl
-            tests: retry
-      fail-fast: false
-    steps: *client_steps
-
-  run_quic_interop_openssl_server_only:
-    if: ${{ inputs.only_interop }}
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
-        clients: [quic-go, ngtcp2, mvfst, quiche, msquic, openssl, chrome, msquic-openssl]
-        exclude:
-          - clients: mvfst
-            tests: amplificationlimit
-      fail-fast: false
-    steps: *server_steps

.github/workflows/static-analysis-on-prem.yml

@@ -1,42 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Static Analysis On Prem
-
-on:
-  schedule:
-    - cron:  '25 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  coverity-analysis:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    container: quay.io/openssl-ci/coverity-analysis:2024.3.1
-    steps:
-    - name: Put license
-      run: echo ${{ secrets.COVERITY_LICENSE }} | base64 -d > /opt/coverity-analysis/bin/license.dat
-    - name: Put auth key file
-      run: |
-        echo ${{ secrets.COVERITY_AUTH_KEY }} | base64 -d > /auth_key_file.txt
-        chmod 0600 /auth_key_file.txt
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: Config
-      run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-lms enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
-    - name: Config dump
-      run: ./configdata.pm --dump
-    - name: Make
-      run: cov-build --dir cov-int make -s -j4
-    - name: Analyze
-      run: cov-analyze --dir cov-int --strip-path $(pwd)
-    - name: Commit defects
-      run: cov-commit-defects --url https://coverity.openssl.org:443 --stream OpenSSL --dir cov-int --auth-key-file /auth_key_file.txt

.github/workflows/static-analysis.yml

@@ -1,49 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Static Analysis
-
-#Run once a day
-on:
-  schedule:
-    - cron:  '20 02 * * *'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  coverity:
-    if: github.repository == 'openssl/openssl'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: tool download
-      run: |
-        wget https://scan.coverity.com/download/linux64 \
-             --post-data "token=${{ secrets.COVERITY_TOKEN }}&project=openssl%2Fopenssl" \
-             --progress=dot:giga -O coverity_tool.tgz
-    - name: config
-      run: CC=gcc ./config --strict-warnings --banner=Configured --debug enable-lms enable-fips enable-rc5 enable-md2 enable-ssl3 enable-nextprotoneg enable-ssl3-method enable-weak-ssl-ciphers enable-zlib enable-ec_nistp_64_gcc_128 no-shared enable-buildtest-c++ enable-external-tests -DPEDANTIC
-    - name: config dump
-      run: ./configdata.pm --dump
-    - name: tool install
-      run: tar xzf coverity_tool.tgz
-    - name: make
-      run: ./cov-analysis*/bin/cov-build --dir cov-int make -s -j4
-    - name: archive
-      run: tar czvf openssl.tgz cov-int
-    - name: Coverity upload
-      run: |
-        curl --form token="${{ secrets.COVERITY_TOKEN }}" \
-             --form email=openssl-commits@openssl.org \
-             --form file=@openssl.tgz \
-             --form version="`date -u -I` `git rev-parse --short HEAD`" \
-             --form description="analysis of `git branch --show-current`" \
-             https://scan.coverity.com/builds?project=openssl%2Fopenssl

.github/workflows/style-checks.yml

@@ -1,30 +0,0 @@
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Coding style validation 
-
-on: [pull_request]
-
-jobs:
-  check-style:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-python@v6
-      - name: "Get changed files"
-        env:
-          NUMBER: ${{ github.event.pull_request.number }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          {
-            echo 'CHANGED_FILES<<EOF'
-            gh pr view $NUMBER --json files --jq '.files.[].path'
-            echo EOF
-          } >> "$GITHUB_ENV"
-      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd #v3.0.1
-        with:
-          extra_args: "--files $CHANGED_FILES"

.github/workflows/windows.yml

@@ -1,222 +0,0 @@
-# Copyright 2021-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Windows GitHub CI
-
-on: [pull_request, push]
-
-permissions:
-  contents: read
-
-jobs:
-  shared:
-    # Run a job for each of the specified target architectures:
-    strategy:
-      matrix:
-        platform:
-          - arch: amd64
-            os: windows-2022
-            config: enable-lms enable-fips
-            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
-          - arch: amd64
-            os: windows-2025
-            config: enable-lms enable-fips no-thread-pool no-quic
-            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat
-          - arch: x86
-            os: windows-2022
-            config: no-fips enable-lms
-            vcvars: C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars32.bat
-    runs-on: ${{ matrix.platform.os }}
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: install nasm
-      run: |
-        choco install nasm ${{ matrix.platform.arch == 'x86' && '--x86' || '' }}
-        "C:\Program Files${{ matrix.platform.arch == 'x86' && ' (x86)' || '' }}\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - name: prepare the build directory
-      run: mkdir _build
-    - name: config
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        perl ..\Configure --banner=Configured --strict-warnings no-makedepend -DOSSL_WINCTX=openssl ${{ matrix.platform.config }}
-        perl configdata.pm --dump
-    - name: build
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        nmake /S
-    - name: download coreinfo
-      run: |
-        mkdir _build\coreinfo
-        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
-    - name: Gather openssl version info
-      working-directory: _build
-      run: |
-        apps/openssl.exe version -v
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
-        echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
-    - name: Set registry keys
-      working-directory: _build
-      run: |
-        echo ${Env:OSSL_VERSION}
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
-    - name: get cpu info
-      working-directory: _build
-      continue-on-error: true
-      run: |
-        7z.exe x coreinfo/Coreinfo.zip
-        ./Coreinfo64.exe -accepteula -f
-        ./apps/openssl.exe version -c
-    - name: Check platform symbol usage
-      working-directory: _build
-      run: perl ../util/checkplatformsyms.pl ../util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll
-    - name: test
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
-    - name: install
-      # Run on 64 bit only as 32 bit is slow enough already
-      if: ${{ matrix.platform.arch == 'amd64' }}
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "${{ matrix.platform.vcvars }}"
-        mkdir _dest
-        nmake install DESTDIR=_dest
-
-  plain:
-    runs-on: windows-2022
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: prepare the build directory
-      run: mkdir _build
-    - name: config
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        perl ..\Configure --banner=Configured --strict-warnings enable-demos no-makedepend no-shared no-fips enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-trace enable-crypto-mdebug -DOSSL_WINCTX=openssl VC-WIN64A-masm
-        perl configdata.pm --dump
-    - name: build
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake /S
-    - name: download coreinfo
-      run: |
-        mkdir _build\coreinfo
-        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
-    - name: get cpu info
-      working-directory: _build
-      continue-on-error: true
-      run: |
-        7z.exe x coreinfo/Coreinfo.zip
-        ./Coreinfo64.exe -accepteula -f
-        ./apps/openssl.exe version -c
-    - name: test
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake test VERBOSE_FAILURE=yes HARNESS_JOBS=4
-
-  minimal:
-    runs-on: windows-2022
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: prepare the build directory
-      run: mkdir _build
-    - name: config
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        perl ..\Configure --banner=Configured --strict-warnings enable-demos no-makedepend no-bulk no-deprecated no-fips no-asm no-threads -DOPENSSL_SMALL_FOOTPRINT -DOSSL_WINCTX=openssl
-        perl configdata.pm --dump
-    - name: build
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake
-    - name: download coreinfo
-      run: |
-        mkdir _build\coreinfo
-        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
-    - name: get cpu info
-      working-directory: _build
-      continue-on-error: true
-      run: |
-        7z.exe x coreinfo/Coreinfo.zip
-        ./Coreinfo64.exe -accepteula -f
-        ./apps/openssl.exe version -c
-    - name: test
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4
-
-  cygwin:
-    # Run a job for each of the specified target architectures:
-    strategy:
-      matrix:
-        os:
-          - windows-2022
-        platform:
-          - arch: win64
-            config: -DCMAKE_C_COMPILER=gcc --strict-warnings enable-demos no-fips
-# are we really learning sth new from win32? So let's save some CO2 for now disabling this
-#          - arch: win32
-#            config: -DCMAKE_C_COMPILER=gcc --strict-warnings no-fips
-    runs-on: ${{ matrix.os }}
-    env:
-      CYGWIN_NOWINPATH: 1
-      SHELLOPTS: igncr
-# Don't overwhelm github CI VMs:
-      MAKE_PARAMS: -j 4
-    steps:
-# Checkout before cygwin can mess with PATH...
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: cygwin/cygwin-install-action@f2009323764960f80959895c7bc3bb30210afe4d #v6
-      with:
-         packages: perl git make gcc-core
-    - name: Check repo
-      run: cygcheck -V
-    - name: Full cygcheck status
-      run: cygcheck -s -v -r -h
-# Activate this if checkout action fails:
-#    - name: Clone repo
-#      run: bash -c "pwd && git clone --branch ${{ github.ref_name }} --depth 1 https://github.com/${{ github.repository }}.git"
-    - name: Full build
-      run: bash -c "gcc --version && ./config ${{ matrix.platform.config }} && make $MAKE_PARAMS"
-# Disable testing for now. TBD: Need local cygwin installation to debug .
-#    - name: Run openssl tests
-#      run: bash -c "cd openssl && make V=1 test"

.github/workflows/windows_comp.yml

@@ -1,150 +0,0 @@
-# Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-name: Windows Compression GitHub CI
-
-on:
-  pull_request:
-    paths:
-      - 'crypto/comp/*.c'
-      - '.github/workflows/windows_comp.yml'
-  push:
-    paths:
-      - '**.c'
-
-permissions:
-  contents: read
-
-jobs:
-  zstd:
-    runs-on: windows-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: install nasm
-      run: |
-        choco install nasm
-        "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - name: prepare the build directory
-      run: mkdir _build
-    - name: Get zstd
-      run: |
-        vcpkg install zstd:x64-windows
-        "C:\vcpkg\packages\zstd_x64-windows\bin" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - name: config
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        perl ..\Configure --strict-warnings enable-comp enable-zstd --with-zstd-include=C:\vcpkg\packages\zstd_x64-windows\include --with-zstd-lib=C:\vcpkg\packages\zstd_x64-windows\lib\zstd.lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A
-        perl configdata.pm --dump
-    - name: build
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake
-    - name: Gather openssl version info
-      working-directory: _build
-      run: |
-        apps/openssl.exe version -v
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
-        echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
-    - name: Set registry keys
-      working-directory: _build
-      run: |
-        echo ${Env:OSSL_VERSION}
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
-    - name: download coreinfo
-      run: |
-        mkdir _build\coreinfo
-        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
-    - name: get cpu info
-      working-directory: _build
-      continue-on-error: true
-      run: |
-        7z.exe x coreinfo/Coreinfo.zip
-        ./Coreinfo64.exe -accepteula -f
-        ./apps/openssl.exe version -c
-    - name: Check platform symbol usage
-      run: |
-        perl ./util/checkplatformsyms.pl ./util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll
-    - name: test
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake test VERBOSE_FAILURE=yes TESTS="-test_fuzz* -test_fipsload" HARNESS_JOBS=4
-
-  brotli:
-    runs-on: windows-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - name: checkout fuzz/corpora submodule
-      run: git submodule update --init --depth 1 fuzz/corpora
-    - name: install nasm
-      run: |
-        choco install nasm
-        "C:\Program Files\NASM" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - name: prepare the build directory
-      run: mkdir _build
-    - name: Get brotli
-      run: |
-        vcpkg install brotli:x64-windows
-        "C:\vcpkg\packages\brotli_x64-windows\bin" | Out-File -FilePath "$env:GITHUB_PATH" -Append
-    - name: config
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        perl ..\Configure --strict-warnings enable-comp enable-brotli --with-brotli-include=C:\vcpkg\packages\brotli_x64-windows\include --with-brotli-lib=C:\vcpkg\packages\brotli_x64-windows\lib no-makedepend -DOSSL_WINCTX=openssl VC-WIN64A
-        perl configdata.pm --dump
-    - name: build
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake
-    - name: Gather openssl version info
-      working-directory: _build
-      run: |
-        apps/openssl.exe version -v
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1]}
-        apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'}
-        echo "OSSL_VERSION=$(apps/openssl.exe version -v | %{($_ -split '\s+')[1] -replace '([0-9]+\.[0-9]+)(\..*)','$1'})" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
-    - name: Set registry keys
-      working-directory: _build
-      run: |
-        echo ${Env:OSSL_VERSION}
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe add HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v MODULESDIR /t REG_EXPAND_SZ /d TESTOPENSSLDIR /reg:32
-        reg.exe query HKLM\SOFTWARE\OpenSSL-${Env:OSSL_VERSION}-openssl /v OPENSSLDIR /reg:32
-    - name: download coreinfo
-      run: |
-        mkdir _build\coreinfo
-        Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Coreinfo.zip" -outfile "_build\coreinfo\Coreinfo.zip"
-    - name: get cpu info
-      working-directory: _build
-      continue-on-error: true
-      run: |
-        7z.exe x coreinfo/Coreinfo.zip
-        ./Coreinfo64.exe -accepteula -f
-        ./apps/openssl.exe version -c
-    - name: test
-      working-directory: _build
-      shell: cmd
-      run: |
-        call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
-        nmake test VERBOSE_FAILURE=yes TESTS="-test_fuzz* -test_fipsload" HARNESS_JOBS=4

.gitignore

@@ -1,425 +0,0 @@
-# Ignore editor artefacts
-/.dir-locals.el
-
-# Top level excludes
-/Makefile.in
-/Makefile
-/MINFO
-/TABLE
-/rehash.time
-/inc.*
-/makefile.*
-/out.*
-/tmp.*
-/configdata.pm
-/builddata.pm
-/installdata.pm
-
-# Exporters
-/*.pc
-/OpenSSLConfig*.cmake
-/exporters/*.pc
-/exporters/OpenSSLConfig*.cmake
-
-# Links under apps
-/apps/CA.pl
-/apps/tsget
-/apps/tsget.pl
-/apps/md4.c
-
-# Auto generated headers
-/crypto/buildinf.h
-/include/crypto/*_conf.h
-/include/openssl/asn1.h
-/include/openssl/asn1t.h
-/include/openssl/bio.h
-/include/openssl/cmp.h
-/include/openssl/cms.h
-/include/openssl/comp.h
-/include/openssl/conf.h
-/include/openssl/configuration.h
-/include/openssl/crmf.h
-/include/openssl/crypto.h
-/include/openssl/ct.h
-/include/openssl/err.h
-/include/openssl/ess.h
-/include/openssl/fipskey.h
-/include/openssl/lhash.h
-/include/openssl/ocsp.h
-/include/openssl/opensslv.h
-/include/openssl/pkcs12.h
-/include/openssl/pkcs7.h
-/include/openssl/safestack.h
-/include/openssl/srp.h
-/include/openssl/ssl.h
-/include/openssl/ui.h
-/include/openssl/x509.h
-/include/openssl/x509v3.h
-/include/openssl/x509_acert.h
-/include/openssl/x509_vfy.h
-/include/openssl/core_names.h
-
-# Auto generated parameter name files
-/crypto/params_idx.c
-
-# Auto generated doc files
-doc/man1/openssl-*.pod
-
-# Auto generated der files
-providers/common/der/der_slh_dsa_gen.c
-providers/common/der/der_digests_gen.c
-providers/common/der/der_dsa_gen.c
-providers/common/der/der_ec_gen.c
-providers/common/der/der_ecx_gen.c
-providers/common/der/der_rsa_gen.c
-providers/common/der/der_wrap_gen.c
-providers/common/der/der_sm2_gen.c
-providers/common/der/der_ml_dsa_gen.c
-providers/common/der/der_hkdf_gen.c
-providers/common/include/prov/der_slh_dsa.h
-providers/common/include/prov/der_dsa.h
-providers/common/include/prov/der_ec.h
-providers/common/include/prov/der_ecx.h
-providers/common/include/prov/der_rsa.h
-providers/common/include/prov/der_digests.h
-providers/common/include/prov/der_wrap.h
-providers/common/include/prov/der_sm2.h
-providers/common/include/prov/der_ml_dsa.h
-providers/common/include/prov/der_hkdf.h
-providers/implementations/asymciphers/rsa_enc.inc
-providers/implementations/asymciphers/sm2_enc.inc
-providers/implementations/exchange/dh_exch.inc
-providers/implementations/exchange/ecdh_exch.inc
-providers/implementations/exchange/ecx_exch.inc
-providers/implementations/encode_decode/decode_der2key.inc
-providers/implementations/encode_decode/decode_epki2pki.inc
-providers/implementations/encode_decode/decode_pem2der.inc
-providers/implementations/encode_decode/decode_pvk2key.inc
-providers/implementations/encode_decode/decode_spki2typespki.inc
-providers/implementations/encode_decode/encode_key2any.inc
-providers/implementations/encode_decode/encode_key2ms.inc
-providers/implementations/kdfs/argon2.inc
-providers/implementations/kdfs/hkdf.inc
-providers/implementations/kdfs/hmacdrbg_kdf.inc
-providers/implementations/kdfs/kbkdf.inc
-providers/implementations/kdfs/krb5kdf.inc
-providers/implementations/kdfs/pbkdf1.inc
-providers/implementations/kdfs/pbkdf2.inc
-providers/implementations/kdfs/pkcs12kdf.inc
-providers/implementations/kdfs/pvkkdf.inc
-providers/implementations/kdfs/scrypt.inc
-providers/implementations/kdfs/sshkdf.inc
-providers/implementations/kdfs/sskdf.inc
-providers/implementations/kdfs/tls1_prf.inc
-providers/implementations/kdfs/x942kdf.inc
-providers/implementations/kem/ec_kem.inc
-providers/implementations/kem/ecx_kem.inc
-providers/implementations/kem/ml_kem_kem.inc
-providers/implementations/kem/rsa_kem.inc
-providers/implementations/keymgmt/ml_dsa_kmgmt.inc
-providers/implementations/keymgmt/ml_kem_kmgmt.inc
-providers/implementations/keymgmt/mlx_kmgmt.inc
-providers/implementations/signature/dsa_sig.inc
-providers/implementations/signature/ecdsa_sig.inc
-providers/implementations/keymgmt/dh_kmgmt.inc
-providers/implementations/keymgmt/dsa_kmgmt.inc
-providers/implementations/keymgmt/ecx_kmgmt.inc
-providers/implementations/keymgmt/lms_kmgmt.inc
-providers/implementations/keymgmt/mac_legacy_kmgmt.inc
-providers/implementations/keymgmt/ml_dsa_kmgmt.inc
-providers/implementations/keymgmt/ml_kem_kmgmt.inc
-providers/implementations/keymgmt/mlx_kmgmt.inc
-providers/implementations/keymgmt/slh_dsa_kmgmt.inc
-providers/implementations/keymgmt/template_kmgmt.inc
-providers/implementations/signature/eddsa_sig.inc
-providers/implementations/signature/ml_dsa_sig.inc
-providers/implementations/signature/rsa_sig.inc
-providers/implementations/signature/slh_dsa_sig.inc
-providers/implementations/signature/sm2_sig.inc
-providers/implementations/skeymgmt/generic.inc
-providers/implementations/storemgmt/file_store_any2obj.inc
-providers/implementations/storemgmt/file_store.inc
-providers/implementations/storemgmt/winstore_store.inc
-providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.inc
-providers/implementations/ciphers/cipher_aes_cbc_hmac_sha_etm.inc
-providers/implementations/ciphers/cipher_aes_gcm_siv.inc
-providers/implementations/ciphers/cipher_aes_ocb.inc
-providers/implementations/ciphers/cipher_aes_siv.inc
-providers/implementations/ciphers/cipher_aes_wrp.inc
-providers/implementations/ciphers/cipher_aes_xts.inc
-providers/implementations/ciphers/ciphercommon.inc
-providers/implementations/ciphers/ciphercommon_ccm.inc
-providers/implementations/ciphers/ciphercommon_gcm.inc
-providers/implementations/ciphers/cipher_chacha20.inc
-providers/implementations/ciphers/cipher_chacha20_poly1305.inc
-providers/implementations/ciphers/cipher_null.inc
-providers/implementations/ciphers/cipher_rc4_hmac_md5.inc
-providers/implementations/ciphers/cipher_sm2_xts.c
-providers/implementations/ciphers/cipher_sm4_xts.inc
-providers/implementations/digests/blake2_prov.inc
-providers/implementations/digests/digestcommon.inc
-providers/implementations/digests/mdc2_prov.inc
-providers/implementations/digests/sha2_prov.inc
-providers/implementations/digests/sha3_prov.inc
-providers/implementations/include/prov/blake2_params.inc
-providers/implementations/kdfs/snmpkdf.inc
-providers/implementations/macs/cmac_prov.inc
-providers/implementations/macs/gmac_prov.inc
-providers/implementations/macs/hmac_prov.inc
-providers/implementations/macs/kmac_prov.inc
-providers/implementations/macs/poly1305_prov.inc
-providers/implementations/macs/siphash_prov.inc
-providers/implementations/rands/drbg_ctr.inc
-providers/implementations/rands/drbg_hash.inc
-providers/implementations/rands/drbg_hmac.inc
-providers/implementations/rands/fips_crng_test.inc
-providers/implementations/rands/seed_src.inc
-providers/implementations/rands/seed_src_jitter.inc
-providers/implementations/rands/test_rng.inc
-
-# error code files
-/crypto/err/openssl.txt.old
-/engines/e_afalg.txt.old
-/engines/e_capi.txt.old
-/engines/e_dasync.txt.old
-/engines/e_ossltest.txt.old
-
-# Executables
-/apps/openssl
-/test/sha256t
-/test/sha512t
-/test/gost2814789t
-/test/ssltest_old
-/test/*test
-/test/fips_aesavs
-/test/fips_desmovs
-/test/fips_dhvs
-/test/fips_drbgvs
-/test/fips_dssvs
-/test/fips_ecdhvs
-/test/fips_ecdsavs
-/test/fips_rngvs
-/test/fips_test_suite
-/test/ssltest_old
-/test/x509aux
-/test/v3ext
-/test/versions
-/test/ossl_shim/ossl_shim
-/test/rsa_complex
-/test/confdump
-/test/bio_prefix_text
-/test/evp_extra_test2
-/test/evp_pkey_ctx_new_from_name
-/test/threadstest_fips
-/test/timing_load_creds
-
-# Demo applications
-/demos/bio/client-arg
-/demos/bio/client-conf
-/demos/bio/saccept
-/demos/bio/sconnect
-/demos/bio/server-arg
-/demos/bio/server-cmod
-/demos/bio/server-conf
-/demos/cipher/aesccm
-/demos/cipher/aesgcm
-/demos/cipher/aeskeywrap
-/demos/cipher/ariacbc
-/demos/cms/cms_comp
-/demos/cms/cms_ddec
-/demos/cms/cms_dec
-/demos/cms/cms_denc
-/demos/cms/cms_enc
-/demos/cms/cms_sign
-/demos/cms/cms_sign2
-/demos/cms/cms_uncomp
-/demos/cms/cms_ver
-/demos/digest/BIO_f_md
-/demos/digest/EVP_MD_demo
-/demos/digest/EVP_MD_stdin
-/demos/digest/EVP_MD_xof
-/demos/encode/ec_encode
-/demos/encode/rsa_encode
-/demos/encrypt/rsa_encrypt
-/demos/guide/quic-client-block
-/demos/guide/quic-client-non-block
-/demos/guide/quic-hq-interop
-/demos/guide/quic-multi-stream
-/demos/guide/quic-server-block
-/demos/guide/quic-server-non-block
-/demos/guide/tls-client-block
-/demos/guide/tls-client-non-block
-/demos/http3/libnghttp3.pc
-/demos/http3/nghttp3/
-/demos/http3/ossl-nghttp3-demo
-/demos/http3/ossl-nghttp3-demo-server
-/demos/kdf/argon2
-/demos/kdf/hkdf
-/demos/kdf/pbkdf2
-/demos/kdf/scrypt
-/demos/keyexch/x25519
-/demos/mac/cmac-aes256
-/demos/mac/gmac
-/demos/mac/hmac-sha512
-/demos/mac/poly1305
-/demos/pkey/EVP_PKEY_DSA_keygen
-/demos/pkey/EVP_PKEY_DSA_paramfromdata
-/demos/pkey/EVP_PKEY_DSA_paramgen
-/demos/pkey/EVP_PKEY_DSA_paramvalidate
-/demos/pkey/EVP_PKEY_EC_keygen
-/demos/pkey/EVP_PKEY_RSA_keygen
-/demos/quic/server/server
-/demos/quic/poll-server/quic-server-ssl-poll-http
-/demos/signature/EVP_DSA_Signature_demo
-/demos/signature/EVP_EC_Signature_demo
-/demos/signature/EVP_ED_Signature_demo
-/demos/signature/rsa_pss_direct
-/demos/signature/rsa_pss_hash
-/demos/smime/smdec
-/demos/smime/smenc
-/demos/smime/smsign
-/demos/smime/smsign2
-/demos/smime/smver
-/demos/sslecho/sslecho
-
-# Certain files that get created by tests on the fly
-/test-runs
-/test/buildtest_*
-/test/provider_internal_test.cnf
-/test/fipsmodule.cnf
-/providers/fipsmodule.cnf
-
-# Fuzz stuff.
-# Anything without an extension is an executable on Unix, so we keep files
-# with extensions.  And we keep the corpora subddir versioned as well.
-# Anything more generic with extensions that should be ignored will be taken
-# care of by general ignores for those extensions (*.o, *.obj, *.exe, ...)
-/fuzz/*
-!/fuzz/README*
-!/fuzz/corpora
-!/fuzz/*.*
-
-# Misc auto generated files
-/doc/man7/openssl_user_macros.pod
-/tools/c_rehash
-/tools/c_rehash.pl
-/util/shlib_wrap.sh
-/util/wrap.pl
-/tags
-/TAGS
-*.map
-*.ld
-/apps/progs.c
-/apps/progs.h
-
-# macOS
-.DS_Store
-
-# Windows (legacy)
-/tmp32
-/tmp32.dbg
-/tmp32dll
-/tmp32dll.dbg
-/out32
-/out32.dbg
-/out32dll
-/out32dll.dbg
-/inc32
-/MINFO
-/ms/bcb.mak
-/ms/libeay32.def
-/ms/nt.mak
-/ms/ntdll.mak
-/ms/ssleay32.def
-/ms/version32.rc
-
-# Files created on other branches that are not held in git, and are not
-# needed on this branch
-/include/openssl/des_old.h
-/include/openssl/fips.h
-/include/openssl/fips_rand.h
-/include/openssl/krb5_asn.h
-/include/openssl/kssl.h
-/include/openssl/pq_compat.h
-/include/openssl/ssl23.h
-/include/openssl/tmdiff.h
-/include/openssl/ui_compat.h
-/test/fips_aesavs.c
-/test/fips_desmovs.c
-/test/fips_dsatest.c
-/test/fips_dssvs.c
-/test/fips_hmactest.c
-/test/fips_randtest.c
-/test/fips_rngvs.c
-/test/fips_rsagtest.c
-/test/fips_rsastest.c
-/test/fips_rsavtest.c
-/test/fips_shatest.c
-/test/fips_test_suite.c
-/test/shatest.c
-
-# Generated docs directories
-/doc/html
-/doc/man
-
-##### Generic patterns
-# Auto generated assembly language source files
-*.s
-!/crypto/*/asm/*.s
-/crypto/*.S
-/crypto/*/*.S
-*.asm
-!/crypto/*/asm/*.asm
-
-# Object files
-*.o
-*.obj
-
-# editor artefacts
-*.swp
-.#*
-\#*#
-*~
-
-# Certificate symbolic links
-*.0
-
-# All kinds of libraries and executables
-*.a
-*.so
-*.so.*
-*.dylib
-*.dylib.*
-*.dll
-*.dll.*
-*.exe
-*.pyc
-*.exp
-*.lib
-*.pdb
-*.tds
-*.ilk
-*.def
-*.rc
-*.res
-
-# Misc generated stuff
-Makefile.save
-/crypto/**/lib
-/engines/**/lib
-/ssl/**/lib
-*.bak
-cscope.*
-*.d
-!.ctags.d
-*.d.tmp
-pod2htmd.tmp
-MAKE0[0-9][0-9][0-9].@@@
-
-# Windows manifest files
-*.manifest
-doc-nits
-
-# LSP (Language Server Protocol) support
-.cache/
-compile_commands.json

.gitmodules

@@ -1,37 +0,0 @@
-[submodule "pyca.cryptography"]
-	path = pyca-cryptography
-	url = https://github.com/pyca/cryptography.git
-
-[submodule "krb5"]
-	path = krb5
-	url = https://github.com/krb5/krb5
-
-[submodule "gost-engine"]
-	path = gost-engine
-	url = https://github.com/gost-engine/engine
-	update = rebase
-[submodule "wycheproof"]
-	path = wycheproof
-	url = https://github.com/google/wycheproof
-[submodule "tlsfuzzer"]
-	path = tlsfuzzer
-	url = https://github.com/tlsfuzzer/tlsfuzzer
-[submodule "python-ecdsa"]
-	path = python-ecdsa
-	url = https://github.com/tlsfuzzer/python-ecdsa
-[submodule "tlslite-ng"]
-	path = tlslite-ng
-	url = https://github.com/tlsfuzzer/tlslite-ng
-[submodule "oqs-provider"]
-	path = oqs-provider
-	url = https://github.com/open-quantum-safe/oqs-provider.git
-[submodule "cloudflare-quiche"]
-	path = cloudflare-quiche
-	url = https://github.com/cloudflare/quiche
-[submodule "fuzz/corpora"]
-	path = fuzz/corpora
-	url = https://github.com/openssl/fuzz-corpora
-	branch = main
-[submodule "pkcs11-provider"]
-	path = pkcs11-provider
-	url = https://github.com/latchset/pkcs11-provider.git

.pre-commit-config.yaml

@@ -1,13 +0,0 @@
-repos:
-  - repo: "https://github.com/codespell-project/codespell"
-    rev: "v2.4.1"
-    hooks:
-      - id: "codespell"
-        args: ["--config=.codespellrc"]
-  - repo: "https://github.com/pre-commit/mirrors-clang-format"
-    rev: "v21.1.6"
-    hooks:
-      - id: "clang-format"
-        types_or: []
-        files: '\.c\.in$|\.h\.in$|\.c$|\.h$'
-        args: ["--style=file"]

ACKNOWLEDGEMENTS.md

@@ -1,6 +0,0 @@
-Acknowledgements
-================
-
-Please see our [Thanks!][] page for the current acknowledgements.
-
-[Thanks!]: https://www.openssl.org/community/thanks.html

AUTHORS.md

@@ -1,53 +0,0 @@
-Authors
-=======
-
-This is the list of OpenSSL authors for copyright purposes.
-It does not necessarily list everyone who has contributed code,
-since in some cases, their employer may be the copyright holder.
-To see the full list of contributors, see the revision history in
-source control.
-
-Groups
-------
-
- * OpenSSL Software Services, Inc.
- * OpenSSL Software Foundation, Inc.
- * Google LLC
-
-Individuals
------------
-
- * Andy Polyakov
- * Ben Laurie
- * Ben Kaduk
- * Bernd Edlinger
- * Bodo Möller
- * David Benjamin
- * David von Oheimb
- * Dmitry Belyavskiy (Дмитрий Белявский)
- * Emilia Käsper
- * Eric Young
- * Geoff Thorpe
- * Holger Reif
- * Kurt Roeckx
- * Lutz Jänicke
- * Mark J. Cox
- * Matt Caswell
- * Matthias St. Pierre
- * Nicola Tuveri
- * Nils Larsch
- * Patrick Steuer
- * Paul Dale
- * Paul C. Sutton
- * Paul Yang
- * Ralf S. Engelschall
- * Rich Salz
- * Richard Levitte
- * Shane Lontis
- * Stephen Henson
- * Steve Marquess
- * Tim Hudson
- * Tomáš Mráz
- * Ulf Möller
- * Valerii Krygin
- * Viktor Dukhovni

CHANGES.SSLeay

@@ -0,0 +1,968 @@
+This file contains the changes for the SSLeay library up to version
+0.9.0b. For later changes, see the file "CHANGES".
+
+  SSLeay CHANGES
+  ______________
+
+Changes between 0.8.x and 0.9.0b
+
+10-Apr-1998
+
+I said the next version would go out at easter, and so it shall.
+I expect a 0.9.1 will follow with portability fixes in the next few weeks.
+
+This is a quick, meet the deadline.  Look to ssl-users for comments on what
+is new etc.
+
+eric (about to go bushwalking for the 4 day easter break :-)
+
+16-Mar-98
+    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
+    - Lots and lots of changes
+
+29-Jan-98
+    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
+      Goetz Babin-Ebell <babinebell@trustcenter.de>.
+    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
+      TLS1_VERSION.
+
+7-Jan-98
+    - Finally reworked the cipher string to ciphers again, so it
+      works correctly
+    - All the app_data stuff is now ex_data with funcion calls to access.
+      The index is supplied by a function and 'methods' can be setup
+      for the types that are called on XXX_new/XXX_free.  This lets
+      applications get notified on creation and destruction.  Some of
+      the RSA methods could be implemented this way and I may do so.
+    - Oh yes, SSL under perl5 is working at the basic level.
+
+15-Dec-97
+    - Warning - the gethostbyname cache is not fully thread safe,
+      but it should work well enough.
+    - Major internal reworking of the app_data stuff.  More functions
+      but if you were accessing ->app_data directly, things will
+      stop working.
+    - The perlv5 stuff is working.  Currently on message digests,
+      ciphers and the bignum library.
+
+9-Dec-97
+    - Modified re-negotiation so that server initated re-neg
+      will cause a SSL_read() to return -1 should retry.
+      The danger otherwise was that the server and the
+      client could end up both trying to read when using non-blocking
+      sockets.
+
+4-Dec-97
+    - Lots of small changes
+    - Fix for binaray mode in Windows for the FILE BIO, thanks to
+      Bob Denny <rdenny@dc3.com>
+
+17-Nov-97
+    - Quite a few internal cleanups, (removal of errno, and using macros
+      defined in e_os.h).
+    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
+      the automactic naming out output files was being stuffed up.
+
+29-Oct-97
+    - The Cast5 cipher has been added.  MD5 and SHA-1 are now in assember
+      for x86.
+
+21-Oct-97
+    - Fixed a bug in the BIO_gethostbyname() cache.
+
+15-Oct-97
+    - cbc mode for blowfish/des/3des is now in assember.  Blowfish asm
+      has also been improved.  At this point in time, on the pentium,
+      md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
+      des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
+      is %62 faster.
+
+12-Oct-97
+    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
+      to the value we are 'growing' to.  Think of MEM_BUF_grow() as the
+      way to set the length value correctly.
+
+10-Oct-97
+    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
+      This breaks things again :-(.  This is efficent since I cache
+      the DER encoding of the RDN.
+    - The text DN now puts in the numeric OID instead of UNKNOWN.
+    - req can now process arbitary OIDs in the config file.
+    - I've been implementing md5 in x86 asm, much faster :-).
+    - Started sha1 in x86 asm, needs more work.
+    - Quite a few speedups in the BN stuff.  RSA public operation
+      has been made faster by caching the BN_MONT_CTX structure.
+      The calulating of the Ai where A*Ai === 1 mod m was rather
+      expensive.  Basically a 40-50% speedup on public operations.
+      The RSA speedup is now 15% on pentiums and %20 on pentium
+      pro.
+
+30-Sep-97
+    - After doing some profiling, I added x86 adm for bn_add_words(),
+      which just adds 2 arrays of longs together.  A %10 speedup
+      for 512 and 1024 bit RSA on the pentium pro.
+
+29-Sep-97
+    - Converted the x86 bignum assembler to us the perl scripts
+      for generation.
+
+23-Sep-97
+    - If SSL_set_session() is passed a NULL session, it now clears the
+      current session-id.
+
+22-Sep-97
+    - Added a '-ss_cert file' to apps/ca.c.  This will sign selfsigned
+      certificates.
+    - Bug in crypto/evp/encode.c where by decoding of 65 base64
+      encoded lines, one line at a time (via a memory BIO) would report
+      EOF after the first line was decoded.
+    - Fix in X509_find_by_issuer_and_serial() from
+      Dr Stephen Henson <shenson@bigfoot.com>
+
+19-Sep-97
+    - NO_FP_API and NO_STDIO added.
+    - Put in sh config command.  It auto runs Configure with the correct
+      parameters.
+
+18-Sep-97
+    - Fix x509.c so if a DSA cert has different parameters to its parent,
+      they are left in place.  Not tested yet.
+
+16-Sep-97
+    - ssl_create_cipher_list() had some bugs, fixes from
+      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
+    - Fixed a bug in the Base64 BIO, where it would return 1 instead
+      of -1 when end of input was encountered but should retry.
+      Basically a Base64/Memory BIO interaction problem.
+    - Added a HMAC set of functions in preporarion for TLS work.
+
+15-Sep-97
+    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
+    - Prime generation spead up %25 (512 bit prime, pentium pro linux)
+      by using montgomery multiplication in the prime number test.
+
+11-Sep-97
+    - Ugly bug in ssl3_write_bytes().  Basically if application land
+      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
+      did not check the size and tried to copy the entire buffer.
+      This would tend to cause memory overwrites since SSLv3 has
+      a maximum packet size of 16k.  If your program uses
+      buffers <= 16k, you would probably never see this problem.
+    - Fixed a new errors that were cause by malloc() not returning
+      0 initialised memory..
+    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
+      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
+      since this flags stops SSLeay being able to handle client
+      cert requests correctly.
+
+08-Sep-97
+    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added.  When switched
+      on, the SSL server routines will not use a SSL_SESSION that is
+      held in it's cache.  This in intended to be used with the session-id
+      callbacks so that while the session-ids are still stored in the
+      cache, the decision to use them and how to look them up can be
+      done by the callbacks.  The are the 'new', 'get' and 'remove'
+      callbacks.  This can be used to determine the session-id
+      to use depending on information like which port/host the connection
+      is coming from.  Since the are also SSL_SESSION_set_app_data() and
+      SSL_SESSION_get_app_data() functions, the application can hold
+      information against the session-id as well.
+
+03-Sep-97
+    - Added lookup of CRLs to the by_dir method,
+      X509_load_crl_file() also added.  Basically it means you can
+      lookup CRLs via the same system used to lookup certificates.
+    - Changed things so that the X509_NAME structure can contain
+      ASN.1 BIT_STRINGS which is required for the unique
+      identifier OID.
+    - Fixed some problems with the auto flushing of the session-id
+      cache.  It was not occuring on the server side.
+
+02-Sep-97
+    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
+      which is the maximum number of entries allowed in the
+      session-id cache.  This is enforced with a simple FIFO list.
+      The default size is 20*1024 entries which is rather large :-).
+      The Timeout code is still always operating.
+
+01-Sep-97
+    - Added an argument to all the 'generate private key/prime`
+      callbacks.  It is the last parameter so this should not
+      break existing code but it is needed for C++.
+    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
+      BIO.  This lets the BIO read and write base64 encoded data
+      without inserting or looking for '\n' characters.  The '-A'
+      flag turns this on when using apps/enc.c.
+    - RSA_NO_PADDING added to help BSAFE functionality.  This is a
+      very dangerous thing to use, since RSA private key
+      operations without random padding bytes (as PKCS#1 adds) can
+      be attacked such that the private key can be revealed.
+    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
+      Dr Stephen Henson <shenson@bigfoot.com>
+
+31-Aug-97 (stuff added while I was away)    
+    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
+    - RSA_flags() added allowing bypass of pub/priv match check
+      in ssl/ssl_rsa.c - Tim Hudson.
+    - A few minor bugs.
+
+SSLeay 0.8.1 released.
+
+19-Jul-97
+    - Server side initated dynamic renegotiation is broken.  I will fix
+      it when I get back from holidays.
+
+15-Jul-97
+    - Quite a few small changes.
+    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
+
+09-Jul-97
+    - Added 2 new values to the SSL info callback.
+      SSL_CB_START which is passed when the SSL protocol is started
+      and SSL_CB_DONE when it has finished sucsessfully.
+
+08-Jul-97
+    - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
+      that related to DSA public/private keys.
+    - Added all the relevent PEM and normal IO functions to support
+      reading and writing RSAPublic keys.
+    - Changed makefiles to use ${AR} instead of 'ar r'
+
+07-Jul-97
+    - Error in ERR_remove_state() that would leave a dangling reference
+      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
+    - s_client now prints the X509_NAMEs passed from the server
+      when requesting a client cert.
+    - Added a ssl->type, which is one of SSL_ST_CONNECT or
+      SSL_ST_ACCEPT.  I had to add it so I could tell if I was
+      a connect or an accept after the handshake had finished.
+    - SSL_get_client_CA_list(SSL *s) now returns the CA names
+      passed by the server if called by a client side SSL.
+
+05-Jul-97
+    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
+      0, not -1 :-(  Fix from Tim Hudson (tjh@cryptsoft.com).
+
+04-Jul-97
+    - Fixed some things in X509_NAME_add_entry(), thanks to
+      Matthew Donald <matthew@world.net>.
+    - I had a look at the cipher section and though that it was a
+      bit confused, so I've changed it.
+    - I was not setting up the RC4-64-MD5 cipher correctly.  It is
+      a MS special that appears in exported MS Money.
+    - Error in all my DH ciphers.  Section 7.6.7.3 of the SSLv3
+      spec.  I was missing the two byte length header for the
+      ClientDiffieHellmanPublic value.  This is a packet sent from
+      the client to the server.  The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+      option will enable SSLeay server side SSLv3 accept either
+      the correct or my 080 packet format.
+    - Fixed a few typos in crypto/pem.org.
+
+02-Jul-97
+    - Alias mapping for EVP_get_(digest|cipher)byname is now
+      performed before a lookup for actual cipher.  This means
+      that an alias can be used to 're-direct' a cipher or a
+      digest.
+    - ASN1_read_bio() had a bug that only showed up when using a
+      memory BIO.  When EOF is reached in the memory BIO, it is
+      reported as a -1 with BIO_should_retry() set to true.
+
+01-Jul-97
+    - Fixed an error in X509_verify_cert() caused by my
+      miss-understanding how 'do { contine } while(0);' works.
+      Thanks to Emil Sit <sit@mit.edu> for educating me :-)
+
+30-Jun-97
+    - Base64 decoding error.  If the last data line did not end with
+      a '=', sometimes extra data would be returned.
+    - Another 'cut and paste' bug in x509.c related to setting up the
+      STDout BIO.
+
+27-Jun-97
+    - apps/ciphers.c was not printing due to an editing error.
+    - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
+      a library build error in util/mk1mf.pl
+
+26-Jun-97
+    - Still did not have the auto 'experimental' code removal
+      script correct.
+    - A few header tweaks for Watcom 11.0 under Win32 from
+      Rolf Lindemann <Lindemann@maz-hh.de>
+    - 0 length OCTET_STRING bug in asn1_parse
+    - A minor fix with an non-existent function in the MS .def files.
+    - A few changes to the PKCS7 stuff.
+
+25-Jun-97
+    SSLeay 0.8.0 finally it gets released.
+
+24-Jun-97
+    Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
+    use a temporary RSA key.  This is experimental and needs some more work.
+    Fixed a few Win16 build problems.
+
+23-Jun-97
+    SSLv3 bug. I was not doing the 'lookup' of the CERT structure
+    correctly. I was taking the SSL->ctx->default_cert when I should
+    have been using SSL->cert. The bug was in ssl/s3_srvr.c
+
+20-Jun-97
+    X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
+    rest of the library. Even though I had the code required to do
+    it correctly, apps/req.c was doing the wrong thing.  I have fixed
+    and tested everything.
+
+    Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
+
+19-Jun-97
+    Fixed a bug in the SSLv2 server side first packet handling. When
+    using the non-blocking test BIO, the ssl->s2->first_packet flag
+    was being reset when a would-block failure occurred when reading
+    the first 5 bytes of the first packet. This caused the checking
+    logic to run at the wrong time and cause an error.
+
+    Fixed a problem with specifying cipher. If RC4-MD5 were used,
+    only the SSLv3 version would be picked up.  Now this will pick
+    up both SSLv2 and SSLv3 versions. This required changing the
+    SSL_CIPHER->mask values so that they only mask the ciphers,
+    digests, authentication, export type and key-exchange algorithms.
+
+    I found that when a SSLv23 session is established, a reused
+    session, of type SSLv3 was attempting to write the SSLv2 
+    ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char 
+    method has been modified so it will only write out cipher which
+    that method knows about.  
+
+
+ Changes between 0.8.0 and 0.8.1
+
+  *) Mostly bug fixes. 
+     There is an Ephemeral DH cipher problem which is fixed.
+
+ SSLeay 0.8.0
+
+This version of SSLeay has quite a lot of things different from the
+previous version.
+
+Basically check all callback parameters, I will be producing documentation
+about how to use things in th future.  Currently I'm just getting 080 out
+the door.  Please not that there are several ways to do everything, and
+most of the applications in the apps directory are hybrids, some using old
+methods and some using new methods.
+
+Have a look in demos/bio for some very simple programs and
+apps/s_client.c and apps/s_server.c for some more advanced versions.
+Notes are definitly needed but they are a week or so away.
+
+Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
+---
+Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
+get those people that want to move to using the new code base off to
+a quick start.
+
+Note that Eric has tidied up a lot of the areas of the API that were
+less than desirable and renamed quite a few things (as he had to break
+the API in lots of places anyrate). There are a whole pile of additional
+functions for making dealing with (and creating) certificates a lot
+cleaner.
+
+01-Jul-97
+Tim Hudson
+tjh@cryptsoft.com
+
+---8<---
+
+To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
+use something like the following (assuming you #include "crypto.h" which
+is something that you really should be doing).
+
+#if SSLEAY_VERSION_NUMBER >= 0x0800
+#define SSLEAY8
+#endif
+
+buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
+            too if you are working with BIO internal stuff (as distinct
+        from simply using the interface in an opaque manner)
+
+#include "bio.h"    - required along with "buffer.h" if you write
+              your own BIO routines as the buffer and bio
+              stuff that was intermixed has been separated
+              out 
+            
+envelope.h -> evp.h  (which should have been done ages ago)
+
+Initialisation ... don't forget these or you end up with code that
+is missing the bits required to do useful things (like ciphers):
+
+SSLeay_add_ssl_algorithms()
+(probably also want SSL_load_error_strings() too but you should have
+ already had that call in place)
+
+SSL_CTX_new()   - requires an extra method parameter
+              SSL_CTX_new(SSLv23_method()) 
+              SSL_CTX_new(SSLv2_method()) 
+              SSL_CTX_new(SSLv3_method()) 
+
+          OR to only have the server or the client code
+              SSL_CTX_new(SSLv23_server_method()) 
+              SSL_CTX_new(SSLv2_server_method()) 
+              SSL_CTX_new(SSLv3_server_method()) 
+          or  
+              SSL_CTX_new(SSLv23_client_method()) 
+              SSL_CTX_new(SSLv2_client_method()) 
+              SSL_CTX_new(SSLv3_client_method()) 
+
+SSL_set_default_verify_paths() ... renamed to the more appropriate
+SSL_CTX_set_default_verify_paths()
+
+If you want to use client certificates then you have to add in a bit
+of extra stuff in that a SSLv3 server sends a list of those CAs that
+it will accept certificates from ... so you have to provide a list to
+SSLeay otherwise certain browsers will not send client certs.
+
+SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
+
+
+X509_NAME_oneline(X)    -> X509_NAME_oneline(X,NULL,0)  
+               or provide a buffer and size to copy the
+               result into
+
+X509_add_cert ->  X509_STORE_add_cert (and you might want to read the
+          notes on X509_NAME structure changes too)
+
+
+VERIFICATION CODE
+=================
+
+The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
+more accurately reflect things.
+
+The verification callback args are now packaged differently so that
+extra fields for verification can be added easily in future without
+having to break things by adding extra parameters each release :-)
+
+X509_cert_verify_error_string -> X509_verify_cert_error_string
+
+
+BIO INTERNALS
+=============
+
+Eric has fixed things so that extra flags can be introduced in
+the BIO layer in future without having to play with all the BIO
+modules by adding in some macros.
+
+The ugly stuff using 
+    b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
+becomes
+    BIO_clear_retry_flags(b)
+
+    b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
+becomes
+    BIO_set_retry_read(b)
+
+Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
+
+
+
+OTHER THINGS
+============
+
+X509_NAME has been altered so that it isn't just a STACK ... the STACK
+is now in the "entries" field ... and there are a pile of nice functions
+for getting at the details in a much cleaner manner.
+
+SSL_CTX has been altered ... "cert" is no longer a direct member of this
+structure ... things are now down under "cert_store" (see x509_vfy.h) and
+things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
+If your code "knows" about this level of detail then it will need some 
+surgery.
+
+If you depending on the incorrect spelling of a number of the error codes
+then you will have to change your code as these have been fixed.
+
+ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
+has been all along so this makes things clearer.
+ify_cert_error_string(ctx->error));
+
+SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
+            and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
+
+
+
+ Changes between 0.7.x and 0.8.0
+  
+  *) There have been lots of changes, mostly the addition of SSLv3.
+     There have been many additions from people and amongst
+     others, C2Net has assisted greatly.
+ 
+ Changes between 0.7.x and 0.7.x
+
+  *) Internal development version only
+
+SSLeay 0.6.6 13-Jan-1997
+
+The main additions are
+
+- assember for x86 DES improvments.
+  From 191,000 per second on a pentium 100, I now get 281,000.  The inner
+  loop and the IP/FP modifications are from
+  Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  Many thanks for his
+  contribution.
+- The 'DES macros' introduced in 0.6.5 now have 3 types.
+  DES_PTR1, DES_PTR2 and 'normal'.  As per before, des_opts reports which
+  is best and there is a summery of mine in crypto/des/options.txt
+- A few bug fixes.
+- Added blowfish.  It is not used by SSL but all the other stuff that
+  deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
+  There are 3 options for optimising Blowfish.  BF_PTR, BF_PTR2 and 'normal'.
+  BF_PTR2 is pentium/x86 specific.  The correct option is setup in
+  the 'Configure' script.
+- There is now a 'get client certificate' callback which can be
+  'non-blocking'.  If more details are required, let me know.  It will
+  documented more in SSLv3 when I finish it.
+- Bug fixes from 0.6.5 including the infamous 'ca' bug.  The 'make test'
+  now tests the ca program.
+- Lots of little things modified and tweaked.
+
+ SSLeay 0.6.5
+
+After quite some time (3 months), the new release.  I have been very busy
+for the last few months and so this is mostly bug fixes and improvments.
+
+The main additions are
+
+- assember for x86 DES.  For all those gcc based systems, this is a big
+  improvement.  From 117,000 DES operation a second on a pentium 100,
+  I now get 191,000.  I have also reworked the C version so it
+  now gives 148,000 DESs per second.  
+- As mentioned above, the inner DES macros now have some more variant that
+  sometimes help, sometimes hinder performance.  There are now 3 options
+  DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
+  and DES_RISC (a more register intensive version of the inner macro).
+  The crypto/des/des_opts.c program, when compiled and run, will give
+  an indication of the correct options to use.
+- The BIO stuff has been improved.  Read doc/bio.doc.  There are now
+  modules for encryption and base64 encoding and a BIO_printf() function.
+- The CA program will accept simple one line X509v3 extensions in the
+  ssleay.cnf file.  Have a look at the example.  Currently this just
+  puts the text into the certificate as an OCTET_STRING so currently
+  the more advanced X509v3 data types are not handled but this is enough
+  for the netscape extensions.
+- There is the start of a nicer higher level interface to the X509
+  strucutre.
+- Quite a lot of bug fixes.
+- CRYPTO_malloc_init()  (or CRYPTO_set_mem_functions()) can be used
+  to define the malloc(), free() and realloc() routines to use
+  (look in crypto/crypto.h).  This is mostly needed for Windows NT/95 when
+  using DLLs and mixing CRT libraries.
+
+In general, read the 'VERSION' file for changes and be aware that some of
+the new stuff may not have been tested quite enough yet, so don't just plonk
+in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
+
+SSLeay 0.6.4 30/08/96 eay
+
+I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
+Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
+
+The main changes in this release
+
+- Thread safe.  have a read of doc/threads.doc and play in the mt directory.
+  For anyone using 0.6.3 with threads, I found 2 major errors so consider
+  moving to 0.6.4.  I have a test program that builds under NT and
+  solaris.
+- The get session-id callback has changed.  Have a read of doc/callback.doc.
+- The X509_cert_verify callback (the SSL_verify callback) now
+  has another argument.  Have a read of doc/callback.doc
+- 'ca -preserve', sign without re-ordering the DN.  Not tested much.
+- VMS support.
+- Compile time memory leak detection can now be built into SSLeay.
+  Read doc/memory.doc
+- CONF routines now understand '\', '\n', '\r' etc.  What this means is that
+  the  SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
+- 'ssleay ciphers' added, lists the default cipher list for SSLeay.
+- RC2 key setup is now compatable with Netscape.
+- Modifed server side of SSL implementation, big performance difference when
+      using session-id reuse.
+
+0.6.3
+
+Bug fixes and the addition of some nice stuff to the 'ca' program.
+Have a read of doc/ns-ca.doc for how hit has been modified so
+it can be driven from a CGI script.  The CGI script is not provided,
+but that is just being left as an excersize for the reader :-).
+
+0.6.2
+
+This is most bug fixes and functionality improvements.
+
+Additions are
+- More thread debugging patches, the thread stuff is still being
+  tested, but for those keep to play with stuff, have a look in
+  crypto/cryptlib.c.  The application needs to define 1 (or optionaly
+  a second) callback that is used to implement locking.  Compiling
+  with LOCK_DEBUG spits out lots of locking crud :-).
+  This is what I'm currently working on.
+- SSL_CTX_set_default_passwd_cb() can be used to define the callback
+  function used in the SSL*_file() functions used to load keys.  I was
+  always of the opinion that people should call
+  PEM_read_RSAPrivateKey() and pass the callback they want to use, but
+  it appears they just want to use the SSL_*_file() function() :-(.
+- 'enc' now has a -kfile so a key can be read from a file.  This is
+  mostly used so that the passwd does not appear when using 'ps',
+  which appears imposible to stop under solaris.
+- X509v3 certificates now work correctly.  I even have more examples
+  in my tests :-).  There is now a X509_EXTENSION type that is used in
+  X509v3 certificates and CRLv2.
+- Fixed that signature type error :-(
+- Fixed quite a few potential memory leaks and problems when reusing
+  X509, CRL and REQ structures.
+- EVP_set_pw_prompt() now sets the library wide default password
+  prompt.
+- The 'pkcs7' command will now, given the -print_certs flag, output in
+  pem format, all certificates and CRL contained within.  This is more
+  of a pre-emtive thing for the new verisign distribution method.  I
+  should also note, that this also gives and example in code, of how
+  to do this :-), or for that matter, what is involved in going the
+  other way (list of certs and crl -> pkcs7).
+- Added RSA's DESX to the DES library.  It is also available via the
+  EVP_desx_cbc() method and via 'enc desx'. 
+
+SSLeay 0.6.1
+
+The main functional changes since 0.6.0 are as follows
+- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
+  that from now on, I'll keep the .def numbers the same so they will be.
+- RSA private key operations are about 2 times faster that 0.6.0
+- The SSL_CTX now has more fields so default values can be put against
+  it.  When an SSL structure is created, these default values are used
+  but can be overwritten.  There are defaults for cipher, certificate,
+  private key, verify mode and callback.  This means SSL session
+  creation can now be
+  ssl=SSL_new()
+  SSL_set_fd(ssl,sock);
+  SSL_accept(ssl)
+  ....
+  All the other uglyness with having to keep a global copy of the
+  private key and certificate/verify mode in the server is now gone.
+- ssl/ssltest.c - one process talking SSL to its self for testing.
+- Storage of Session-id's can be controled via a session_cache_mode
+  flag.  There is also now an automatic default flushing of 
+  old session-id's.
+- The X509_cert_verify() function now has another parameter, this
+  should not effect most people but it now means that the reason for
+  the failure to verify is now available via SSL_get_verify_result(ssl).
+  You don't have to use a global variable.
+- SSL_get_app_data() and SSL_set_app_data() can be used to keep some
+  application data against the SSL structure.  It is upto the application
+  to free the data.  I don't use it, but it is available.
+- SSL_CTX_set_cert_verify_callback() can be used to specify a
+  verify callback function that completly replaces my certificate
+  verification code.  Xcert should be able to use this :-).
+  The callback is of the form int app_verify_callback(arg,ssl,cert).
+  This needs to be documented more.
+- I have started playing with shared library builds, have a look in
+  the shlib directory.  It is very simple.  If you need a numbered
+  list of functions, have a look at misc/crypto.num and misc/ssl.num.
+- There is some stuff to do locking to make the library thread safe.
+  I have only started this stuff and have not finished.  If anyone is
+  keen to do so, please send me the patches when finished.
+
+So I have finally made most of the additions to the SSL interface that
+I thought were needed.
+
+There will probably be a pause before I make any non-bug/documentation
+related changes to SSLeay since I'm feeling like a bit of a break.
+
+eric - 12 Jul 1996
+I saw recently a comment by some-one that we now seem to be entering
+the age of perpetual Beta software.
+Pioneered by packages like linux but refined to an art form by
+netscape.
+
+I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
+
+There are quite a large number of sections that are 'works in
+progress' in this package.  I will also list the major changes and
+what files you should read.
+
+BIO - this is the new IO structure being used everywhere in SSLeay.  I
+started out developing this because of microsoft, I wanted a mechanism
+to callback to the application for all IO, so Windows 3.1 DLL
+perversion could be hidden from me and the 15 different ways to write
+to a file under NT would also not be dictated by me at library build
+time.  What the 'package' is is an API for a data structure containing
+functions.  IO interfaces can be written to conform to the
+specification.  This in not intended to hide the underlying data type
+from the application, but to hide it from SSLeay :-).
+I have only really finished testing the FILE * and socket/fd modules.
+There are also 'filter' BIO's.  Currently I have only implemented
+message digests, and it is in use in the dgst application.  This
+functionality will allow base64/encrypto/buffering modules to be
+'push' into a BIO without it affecting the semantics.  I'm also
+working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
+from an event loop which uses the interface.
+It is also possible to 'attach' callbacks to a BIO so they get called
+before and after each operation, alowing extensive debug output
+to be generated (try running dgst with -d).
+
+Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
+functions that used to take FILE *, now take BIO *.
+The wrappers are easy to write
+
+function_fp(fp,x)
+FILE *fp;
+    {
+    BIO *b;
+    int ret;
+
+    if ((b=BIO_new(BIO_s_file())) == NULL) error.....
+    BIO_set_fp(b,fp,BIO_NOCLOSE);
+    ret=function_bio(b,x);
+    BIO_free(b);
+    return(ret);
+    }
+Remember, there are no functions that take FILE * in SSLeay when
+compiled for Windows 3.1 DLL's.
+
+--
+I have added a general EVP_PKEY type that can hold a public/private
+key.  This is now what is used by the EVP_ functions and is passed
+around internally.  I still have not done the PKCS#8 stuff, but
+X509_PKEY is defined and waiting :-)
+
+--
+For a full function name listings, have a look at ms/crypt32.def and
+ms/ssl32.def.  These are auto-generated but are complete.
+Things like ASN1_INTEGER_get() have been added and are in here if you
+look.  I have renamed a few things, again, have a look through the
+function list and you will probably find what you are after.  I intend
+to at least put a one line descrition for each one.....
+
+--
+Microsoft - thats what this release is about, read the MICROSOFT file.
+
+--
+Multi-threading support.  I have started hunting through the code and
+flaging where things need to be done.  In a state of work but high on
+the list.
+
+--
+For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
+be be you random data device, otherwise 'RFILE' in e_os.h
+will be used, in your home directory.  It will be updated
+periodically.  The environment variable RANDFILE will override this
+choice and read/write to that file instead.  DEVRANDOM is used in
+conjunction to the RFILE/RANDFILE.  If you wish to 'seed' the random
+number generator, pick on one of these files.
+
+--
+
+The list of things to read and do
+
+dgst -d
+s_client -state (this uses a callback placed in the SSL state loop and
+        will be used else-where to help debug/monitor what
+        is happening.)
+
+doc/why.doc
+doc/bio.doc <- hmmm, needs lots of work.
+doc/bss_file.doc <- one that is working :-)
+doc/session.doc <- it has changed
+doc/speed.doc
+ also play with ssleay version -a.  I have now added a SSLeay()
+ function that returns a version number, eg 0600 for this release
+ which is primarily to be used to check DLL version against the
+ application.
+util/*  Quite a few will not interest people, but some may, like
+ mk1mf.pl, mkdef.pl,
+util/do_ms.sh
+
+try
+cc -Iinclude -Icrypto -c crypto/crypto.c
+cc -Iinclude -Issl -c ssl/ssl.c
+You have just built the SSLeay libraries as 2 object files :-)
+
+Have a general rummage around in the bin stall directory and look at
+what is in there, like CA.sh and c_rehash
+
+There are lots more things but it is 12:30am on a Friday night and I'm
+heading home :-).
+
+eric 22-Jun-1996
+This version has quite a few major bug fixes and improvements.  It DOES NOT
+do SSLv3 yet.
+
+The main things changed
+- A Few days ago I added the s_mult application to ssleay which is
+  a demo of an SSL server running in an event loop type thing.
+  It supports non-blocking IO, I have finally gotten it right, SSL_accept()
+  can operate in non-blocking IO mode, look at the code to see how :-).
+  Have a read of doc/s_mult as well.  This program leaks memory and
+  file descriptors everywhere but I have not cleaned it up yet.
+  This is a demo of how to do non-blocking IO.
+- The SSL session management has been 'worked over' and there is now
+  quite an expansive set of functions to manipulate them.  Have a read of
+  doc/session.doc for some-things I quickly whipped up about how it now works.
+  This assume you know the SSLv2 protocol :-)
+- I can now read/write the netscape certificate format, use the
+  -inform/-outform  'net' options to the x509 command.  I have not put support
+  for this type in the other demo programs, but it would be easy to add.
+- asn1parse and 'enc' have been modified so that when reading base64
+  encoded files (pem format), they do not require '-----BEGIN' header lines.
+  The 'enc' program had a buffering bug fixed, it can be used as a general
+  base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
+  respecivly.  Leaving out the '-a' flag in this case makes the 'enc' command
+  into a form of 'cat'.
+- The 'x509' and 'req' programs have been fixed and modified a little so
+  that they generate self-signed certificates correctly.  The test
+  script actually generates a 'CA' certificate and then 'signs' a
+  'user' certificate.  Have a look at this shell script (test/sstest)
+  to see how things work, it tests most possible combinations of what can
+  be done.
+- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
+  of SSL_set_cipher_list() is now the correct API (stops confusion :-).
+  If this function is used in the client, only the specified ciphers can
+  be used, with preference given to the order the ciphers were listed.
+  For the server, if this is used, only the specified ciphers will be used
+  to accept connections.  If this 'option' is not used, a default set of
+  ciphers will be used.  The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
+  list for all ciphers started against the SSL_CTX.  So the order is
+  SSL cipher_list, if not present, SSL_CTX cipher list, if not
+  present, then the library default.
+  What this means is that normally ciphers like
+  NULL-MD5 will never be used.  The only way this cipher can be used
+  for both ends to specify to use it.
+  To enable or disable ciphers in the library at build time, modify the
+  first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
+  This file also contains the 'pref_cipher' list which is the default
+  cipher preference order.
+- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
+  options work.  They should, and they enable loading and writing the
+  netscape rsa private key format.  I will be re-working this section of
+  SSLeay for the next version.  What is currently in place is a quick and
+  dirty hack.
+- I've re-written parts of the bignum library.  This gives speedups
+  for all platforms.  I now provide assembler for use under Windows NT.
+  I have not tested the Windows 3.1 assembler but it is quite simple code.
+  This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
+  and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
+  Basically the times available under linux/solaris x86 can be achieve under
+  Windows NT.  I still don't know how these times compare to RSA's BSAFE
+  library but I have been emailing with people and with their help, I should
+  be able to get my library's quite a bit faster still (more algorithm changes).
+  The object file crypto/bn/asm/x86-32.obj should be used when linking
+  under NT.
+- 'make makefile.one' in the top directory will generate a single makefile
+  called 'makefile.one'  This makefile contains no perl references and
+  will build the SSLeay library into the 'tmp' and 'out' directories.
+  util/mk1mf.pl >makefile.one is how this makefile is
+  generated.  The mk1mf.pl command take several option to generate the
+  makefile for use with cc, gcc, Visual C++ and Borland C++.  This is
+  still under development.  I have only build .lib's for NT and MSDOS
+  I will be working on this more.  I still need to play with the
+  correct compiler setups for these compilers and add some more stuff but
+  basically if you just want to compile the library
+  on a 'non-unix' platform, this is a very very good file to start with :-).
+  Have a look in the 'microsoft' directory for my current makefiles.
+  I have not yet modified things to link with sockets under Windows NT.
+  You guys should be able to do this since this is actually outside of the
+  SSLeay scope :-).  I will be doing it for myself soon.
+  util/mk1mf.pl takes quite a few options including no-rc, rsaref  and no-sock
+  to build without RC2/RC4, to require RSAref for linking, and to
+  build with no socket code.
+
+- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
+  that was posted to sci.crypt has been added to the library and SSL.
+  I take the view that if RC2 is going to be included in a standard,
+  I'll include the cipher to make my package complete.
+  There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
+  at compile time.  I have not tested this recently but it should all work
+  and if you are in the USA and don't want RSA threatening to sue you,
+  you could probably remove the RC4/RC2 code inside these sections.
+  I may in the future include a perl script that does this code
+  removal automatically for those in the USA :-).
+- I have removed all references to sed in the makefiles.  So basically,
+  the development environment requires perl and sh.  The build environment
+  does not (use the makefile.one makefile).
+  The Configure script still requires perl, this will probably stay that way
+  since I have perl for Windows NT :-).
+
+eric (03-May-1996)
+
+PS Have a look in the VERSION file for more details on the changes and
+   bug fixes.
+I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
+things up.  This version will be quite stable, mostly because I'm on
+holidays until 10-March-1996.  For any problems in the interum, send email
+to Tim Hudson <tjh@mincom.oz.au>.
+
+SSLeay 0.5.0
+
+12-12-95
+This is going out before it should really be released.
+
+I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
+this for 11 weeks or get things out.  It is still going to change a
+lot in the next week so if you do grab this version, please test and
+give me feed back ASAP, inculuding questions on how to do things with
+the library.  This will prompt me to write documentation so I don't
+have to answer the same question again :-).
+
+This 'pre' release version is for people who are interested in the
+library.  The applications will have to be changed to use
+the new version of the SSL interface.  I intend to finish more
+documentation before I leave but until then, look at the programs in
+the apps directory.  As far as code goes, it is much much nicer than
+the old version.
+
+The current library works, has no memory leaks (as far as I can tell)
+and is far more bug free that 0.4.5d.  There are no global variable of
+consequence (I believe) and I will produce some documentation that
+tell where to look for those people that do want to do multi-threaded
+stuff.
+
+There should be more documentation.  Have a look in the
+doc directory.  I'll be adding more before I leave, it is a start
+by mostly documents the crypto library.  Tim Hudson will update
+the web page ASAP.  The spelling and grammar are crap but
+it is better than nothing :-)
+
+Reasons to start playing with version 0.5.0
+- All the programs in the apps directory build into one ssleay binary.
+- There is a new version of the 'req' program that generates certificate
+  requests, there is even documentation for this one :-)
+- There is a demo certification authorithy program.  Currently it will
+  look at the simple database and update it.  It will generate CRL from
+  the data base.  You need to edit the database by hand to revoke a
+  certificate, it is my aim to use perl5/Tk but I don't have time to do
+  this right now.  It will generate the certificates but the management
+  scripts still need to be written.  This is not a hard task.
+- Things have been cleaned up alot.
+- Have a look at the enc and dgst programs in the apps directory.
+- It supports v3 of x509 certiticates.
+
+
+Major things missing.
+- I have been working on (and thinging about) the distributed x509
+  hierachy problem.  I have not had time to put my solution in place.
+  It will have to wait until I come back.
+- I have not put in CRL checking in the certificate verification but
+  it would not be hard to do.  I was waiting until I could generate my
+  own CRL (which has only been in the last week) and I don't have time
+  to put it in correctly.
+- Montgomery multiplication need to be implemented.  I know the
+  algorithm, just ran out of time.
+- PKCS#7.  I can load and write the DER version.  I need to re-work
+  things to support BER (if that means nothing, read the ASN1 spec :-).
+- Testing of the higher level digital envelope routines.  I have not
+  played with the *_seal() and *_open() type functions.  They are
+  written but need testing.  The *_sign() and *_verify() functions are
+  rock solid. 
+- PEM.  Doing this and PKCS#7 have been dependant on the distributed
+  x509 heirachy problem.  I started implementing my ideas, got
+  distracted writing a CA program and then ran out of time.  I provide
+  the functionality of RSAref at least.
+- Re work the asm. code for the x86.  I've changed by low level bignum
+  interface again, so I really need to tweak the x86 stuff.  gcc is
+  good enough for the other boxes.
+

CODE-OF-CONDUCT.md

@@ -1,6 +0,0 @@
-Code of Conduct
-===============
-
-The OpenSSL [Code of Conduct] is published on the project's website.
-
-[Code of Conduct]: https://www.openssl.org/community/conduct.html

CONTRIBUTING.md

@@ -1,112 +0,0 @@
-HOW TO CONTRIBUTE TO OpenSSL
-============================
-
-Please visit our [Getting Started] page for other ideas about how to contribute.
-
-  [Getting Started]: <https://openssl-library.org/community/getting-started>
-
-Development is done on GitHub in the [openssl/openssl] repository.
-
-  [openssl/openssl]: <https://github.com/openssl/openssl>
-
-To request a new feature, ask a question, or report a bug,
-please open an [issue on GitHub](https://github.com/openssl/openssl/issues).
-
-To submit a patch or implement a new feature, please open a
-[pull request on GitHub](https://github.com/openssl/openssl/pulls).
-If you are thinking of making a large contribution,
-open an issue for it before starting work, to get comments from the community.
-Someone may be already working on the same thing,
-or there may be special reasons why a feature is not implemented.
-
-Similarly, if you plan to submit many pull requests, please start with
-a representative sample (no more than 3 or 4) and open an issue
-explaining your process. The OpenSSL project has limited resources,
-especially when it comes to reviewers, so we appreciate advanced
-communication before submitting many pull requests. In addition,
-contributors should personally evaluate potential patches generated by
-automated tools.
-
-To make it easier to review and accept your pull request, please follow these
-guidelines:
-
- 1. Anything other than a trivial contribution requires a [Contributor
-    License Agreement] (CLA), giving us permission to use your code.
-    If your contribution is too small to require a CLA (e.g., fixing a spelling
-    mistake), then place the text "`CLA: trivial`" on a line by itself below
-    the rest of your commit message separated by an empty line, like this:
-
-    ```
-        One-line summary of trivial change
-
-        Optional main body of commit message. It might contain a sentence
-        or two explaining the trivial change.
-
-        CLA: trivial
-    ```
-
-    It is not sufficient to only place the text "`CLA: trivial`" in the GitHub
-    pull request description.
-
-    [Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
-
-    To amend a missing "`CLA: trivial`" line after submission, do the following:
-
-    ```
-        git commit --amend
-        # add the line, save and quit the editor
-        git push -f [<repository> [<branch>]]
-    ```
-
- 2. All source files should start with the following text (with
-    appropriate comment characters at the start of each line and the
-    year(s) updated):
-
-    ```
-        Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
-
-        Licensed under the Apache License 2.0 (the "License").  You may not use
-        this file except in compliance with the License.  You can obtain a copy
-        in the file LICENSE in the source distribution or at
-        https://www.openssl.org/source/license.html
-    ```
-
- 3. Patches should be as current as possible; expect to have to rebase
-    often. We do not accept merge commits, you will have to remove them
-    (usually by rebasing) before it will be acceptable.
-
- 4. Code provided should follow our [coding style] and [documentation policy]
-    and compile without warnings.
-    There is a [Perl tool](util/check-format.pl) that helps
-    finding code formatting mistakes and other coding style nits.
-    Where `gcc` or `clang` is available, you should use the
-    `--strict-warnings` `Configure` option.  OpenSSL compiles on many varied
-    platforms: try to ensure you only use portable features.
-    Clean builds via GitHub Actions are required. They are started automatically
-    whenever a PR is created or updated by committers.
-
-    [coding style]: https://openssl-library.org/policies/technical/coding-style/
-    [documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
-
- 5. When at all possible, code contributions should include tests. These can
-    either be added to an existing test, or completely new.  Please see
-    [test/README.md](test/README.md) for information on the test framework.
-
- 6. New features or changed functionality must include
-    documentation. Please look at the `.pod` files in `doc/man[1357]` for
-    examples of our style. Run `make doc-nits` to make sure that your
-    documentation changes are clean.
-
- 7. For user visible changes (API changes, behaviour changes, ...),
-    consider adding a note in [CHANGES.md](CHANGES.md).
-    This could be a summarising description of the change, and could
-    explain the grander details.
-    Have a look through existing entries for inspiration.
-    Please note that this is NOT simply a copy of git-log one-liners.
-    Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
-    This file helps users get more in-depth information of what comes
-    with a specific release without having to sift through the higher
-    noise ratio in git-log.
-
- 8. Guidelines on how to integrate error output of new crypto library modules
-    can be found in [crypto/err/README.md](crypto/err/README.md).

ChangeLog.0_9_7-stable_not-in-head

@@ -0,0 +1,163 @@
+This file, together with ChangeLog.0_9_7-stable_not-in-head_FIPS,
+provides a collection of those CVS change log entries for the
+0.9.7 branch (OpenSSL_0_9_7-stable) that do not appear similarly in
+0.9.8-dev (CVS head).
+    
+ChangeLog.0_9_7-stable_not-in-head_FIPS  -  "FIPS" related changes
+ChangeLog.0_9_7-stable_not-in-head       -  everything else
+
+Some obvious false positives have been eliminated: e.g., we do not
+care about a simple "make update"; and we don't care about changes
+identified to the 0.9.7 branch that were explicitly identified as
+backports from head.
+    
+Eliminating all other entries (and finally this file and its
+compantion), either as false positives or as things that should go
+into 0.9.8, remains to be done.  Any additional changes to 0.9.7 that
+are not immediately put into 0.9.8, but belong there as well, should
+be added to the end of this file.
+
+
+2002-11-04 17:33  levitte
+
+	Changed:
+		Configure (1.314.2.38), "Exp", lines: +4 -2
+
+	Return my normal debug targets to something not so extreme, and
+	make the extreme ones special (or 'extreme', if you will :-)).
+
+2002-12-16 19:17  appro
+
+	Changed:
+		crypto/bn/bn_lcl.h (1.23.2.3), "Exp", lines: +3 -0
+		crypto/bn/bn_mul.c (1.28.2.4), "Exp", lines: +84 -445
+
+	This is rollback to 0.9.6h bn_mul.c to address problem reported in
+	RT#272.
+
+2003-07-27 15:46  ben
+
+	Changed:
+		crypto/aes/aes.h (1.1.2.5), "Exp", lines: +3 -0
+		crypto/aes/aes_cfb.c (1.1.2.4), "Exp", lines: +57 -0
+
+	Add untested CFB-r mode. Will be tested soon.
+
+2003-07-28 17:07  ben
+
+	Changed:
+		Makefile.org (1.154.2.69), "Exp", lines: +5 -1
+		crypto/aes/aes.h (1.1.2.6), "Exp", lines: +3 -0
+		crypto/aes/aes_cfb.c (1.1.2.5), "Exp", lines: +19 -0
+		crypto/dsa/Makefile.ssl (1.49.2.6), "Exp", lines: +3 -2
+		crypto/err/Makefile.ssl (1.48.2.4), "Exp", lines: +17 -16
+		crypto/evp/e_aes.c (1.6.2.5), "Exp", lines: +8 -0
+		crypto/evp/e_des.c (1.5.2.2), "Exp", lines: +1 -1
+		crypto/evp/e_des3.c (1.8.2.3), "Exp", lines: +2 -2
+		crypto/evp/evp.h (1.86.2.11), "Exp", lines: +28 -11
+		crypto/evp/evp_locl.h (1.7.2.3), "Exp", lines: +2 -2
+		crypto/objects/obj_dat.h (1.49.2.13), "Exp", lines: +10 -5
+		crypto/objects/obj_mac.h (1.19.2.13), "Exp", lines: +5 -0
+		crypto/objects/obj_mac.num (1.15.2.9), "Exp", lines: +1 -0
+		crypto/objects/objects.txt (1.20.2.14), "Exp", lines: +4 -0
+		fips/Makefile.ssl (1.1.2.3), "Exp", lines: +7 -0
+		fips/aes/Makefile.ssl (1.1.2.2), "Exp", lines: +23 -1
+		fips/aes/fips_aesavs.c (1.1.2.3), "Exp", lines: +9 -1
+		test/Makefile.ssl (1.84.2.30), "Exp", lines: +101 -43
+
+	Add support for partial CFB modes, make tests work, update
+	dependencies.
+
+2003-07-29 12:56  ben
+
+	Changed:
+		crypto/aes/aes_cfb.c (1.1.2.6), "Exp", lines: +9 -6
+		crypto/evp/c_allc.c (1.8.2.3), "Exp", lines: +1 -0
+		crypto/evp/evp_test.c (1.14.2.11), "Exp", lines: +17 -8
+		crypto/evp/evptests.txt (1.9.2.2), "Exp", lines: +48 -1
+
+	Working CFB1 and test vectors.
+
+2003-07-29 15:24  ben
+
+	Changed:
+		crypto/evp/e_aes.c (1.6.2.6), "Exp", lines: +14 -0
+		crypto/objects/obj_dat.h (1.49.2.14), "Exp", lines: +15 -5
+		crypto/objects/obj_mac.h (1.19.2.14), "Exp", lines: +10 -0
+		crypto/objects/obj_mac.num (1.15.2.10), "Exp", lines: +2 -0
+		crypto/objects/objects.txt (1.20.2.15), "Exp", lines: +2 -0
+		fips/aes/Makefile.ssl (1.1.2.3), "Exp", lines: +1 -1
+		fips/aes/fips_aesavs.c (1.1.2.4), "Exp", lines: +34 -19
+
+	The rest of the keysizes for CFB1, working AES AVS test for CFB1.
+
+2003-07-29 19:05  ben
+
+	Changed:
+		crypto/aes/aes.h (1.1.2.7), "Exp", lines: +3 -0
+		crypto/aes/aes_cfb.c (1.1.2.7), "Exp", lines: +14 -0
+		crypto/evp/c_allc.c (1.8.2.4), "Exp", lines: +1 -0
+		crypto/evp/e_aes.c (1.6.2.7), "Exp", lines: +4 -9
+		crypto/evp/evptests.txt (1.9.2.3), "Exp", lines: +48 -0
+		crypto/objects/obj_dat.h (1.49.2.15), "Exp", lines: +20 -5
+		crypto/objects/obj_mac.h (1.19.2.15), "Exp", lines: +15 -0
+		crypto/objects/obj_mac.num (1.15.2.11), "Exp", lines: +3 -0
+		crypto/objects/objects.txt (1.20.2.16), "Exp", lines: +3 -0
+		fips/aes/fips_aesavs.c (1.1.2.7), "Exp", lines: +11 -0
+
+	AES CFB8.
+
+2003-07-30 20:30  ben
+
+	Changed:
+		Makefile.org (1.154.2.70), "Exp", lines: +16 -5
+		crypto/des/cfb_enc.c (1.7.2.1), "Exp", lines: +2 -1
+		crypto/des/des_enc.c (1.11.2.2), "Exp", lines: +4 -0
+		crypto/evp/e_aes.c (1.6.2.8), "Exp", lines: +7 -14
+		crypto/evp/e_des.c (1.5.2.3), "Exp", lines: +37 -1
+		crypto/evp/evp.h (1.86.2.12), "Exp", lines: +6 -0
+		crypto/evp/evp_locl.h (1.7.2.4), "Exp", lines: +9 -0
+		crypto/objects/obj_dat.h (1.49.2.16), "Exp", lines: +48 -23
+		crypto/objects/obj_mac.h (1.19.2.16), "Exp", lines: +31 -6
+		crypto/objects/obj_mac.num (1.15.2.12), "Exp", lines: +5 -0
+		crypto/objects/objects.txt (1.20.2.17), "Exp", lines: +12 -6
+		fips/Makefile.ssl (1.1.2.4), "Exp", lines: +8 -1
+		fips/fips_make_sha1 (1.1.2.3), "Exp", lines: +3 -0
+		fips/aes/Makefile.ssl (1.1.2.4), "Exp", lines: +1 -1
+		fips/des/.cvsignore (1.1.2.1), "Exp", lines: +3 -0
+		fips/des/Makefile.ssl (1.1.2.1), "Exp", lines: +96 -0
+		fips/des/fingerprint.sha1 (1.1.2.1), "Exp", lines: +2 -0
+		fips/des/fips_des_enc.c (1.1.2.1), "Exp", lines: +288 -0
+		fips/des/fips_des_locl.h (1.1.2.1), "Exp", lines: +428 -0
+		fips/des/fips_desmovs.c (1.1.2.1), "Exp", lines: +659 -0
+
+	Whoops, forgot FIPS DES, also add EVPs for DES CFB1 and 8.
+
+2003-08-01 12:25  ben
+
+	Changed:
+		crypto/des/cfb_enc.c (1.7.2.2), "Exp", lines: +45 -36
+		crypto/evp/c_allc.c (1.8.2.5), "Exp", lines: +2 -0
+		crypto/evp/e_des.c (1.5.2.4), "Exp", lines: +8 -3
+		crypto/evp/evptests.txt (1.9.2.4), "Exp", lines: +6 -0
+
+	Fix DES CFB-r.
+
+2003-08-01 12:31  ben
+
+	Changed:
+		crypto/evp/evptests.txt (1.9.2.5), "Exp", lines: +4 -0
+
+	DES CFB8 test.
+
+2005-04-19 16:21  appro
+
+	Changed:
+		Configure (1.314.2.117), "Exp", lines: +24 -21
+		Makefile.org (1.154.2.100), "Exp", lines: +1 -11
+		TABLE (1.99.2.52), "Exp", lines: +20 -20
+		apps/Makefile (1.1.4.15), "Exp", lines: +1 -1
+		test/Makefile (1.1.4.12), "Exp", lines: +1 -1
+
+	Enable shared link on HP-UX.
+

Configurations/00-base-templates.conf

@@ -1,202 +0,0 @@
-# -*- Mode: perl -*-
-my %targets=(
-    DEFAULTS => {
-	template	=> 1,
-
-	cflags		=> "",
-	cppflags	=> "",
-	lflags		=> "",
-	defines		=> [],
-	includes	=> [],
-	lib_cflags	=> "",
-	lib_cppflags	=> "",
-	lib_defines	=> [],
-	thread_scheme	=> "(unknown)", # Assume we don't know
-	thread_defines	=> [],
-
-	unistd		=> "<unistd.h>",
-	shared_target	=> "",
-	shared_cflag	=> "",
-	shared_defines	=> [],
-	shared_ldflag	=> "",
-	shared_rcflag	=> "",
-
-	#### Defaults for the benefit of the config targets who don't inherit
-	#### a BASE and assume Unix defaults
-	#### THESE WILL DISAPPEAR IN OpenSSL 1.2
-	build_scheme	=> [ "unified", "unix" ],
-	build_file	=> "Makefile",
-
-	AR		=> "(unused)",
-	ARFLAGS		=> "(unused)",
-	CC		=> "cc",
-	HASHBANGPERL	=> "/usr/bin/env perl",
-	RANLIB		=> sub { which("$config{cross_compile_prefix}ranlib")
-                                     ? "ranlib" : "" },
-	RC		=> "windres",
-
-	#### THESE WILL BE ENABLED IN OpenSSL 1.2
-	#HASHBANGPERL	=> "PERL", # Only Unix actually cares
-    },
-
-    BASE_common => {
-	template	=> 1,
-
-	enable		=> [],
-	disable		=> [],
-
-	defines		=>
-	    sub {
-                my @defs = ( 'OPENSSL_BUILDING_OPENSSL' );
-                push @defs, "BROTLI" unless $disabled{brotli};
-                push @defs, "BROTLI_SHARED" unless $disabled{"brotli-dynamic"};
-                push @defs, "ZLIB" unless $disabled{zlib};
-                push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
-                push @defs, "ZSTD" unless $disabled{zstd};
-                push @defs, "ZSTD_SHARED" unless $disabled{"zstd-dynamic"};
-                return [ @defs ];
-            },
-        includes        =>
-            sub {
-                my @incs = ();
-                push @incs, $withargs{jitter_include}
-                    if !$disabled{jitter} && $withargs{jitter_include};
-                push @incs, $withargs{brotli_include}
-                    if !$disabled{brotli} && $withargs{brotli_include};
-                push @incs, $withargs{zlib_include}
-                    if !$disabled{zlib} && $withargs{zlib_include};
-                push @incs, $withargs{zstd_include}
-                    if !$disabled{zstd} && $withargs{zstd_include};
-                return [ @incs ];
-            },
-    },
-
-    BASE_unix => {
-        inherit_from    => [ "BASE_common" ],
-        template        => 1,
-
-        AR              => "ar",
-        ARFLAGS         => "qc",
-        CC              => "cc",
-        OBJCOPY         => "objcopy",
-        bin_cflags      =>
-            sub {
-                my @flags = ();
-                if (!defined($disabled{pie})) {
-                    push(@flags, "-fPIE");
-                }
-                return join(" ", @flags);
-            },
-        bin_lflags      =>
-            sub {
-                my @flags = ();
-                if (!defined($disabled{pie})) {
-                    push(@flags, "-pie");
-                }
-                return join(" ", @flags);
-            },
-        lflags          =>
-            sub {
-                my @libs = ();
-                push(@libs, "-L".$withargs{jitter_lib}) if $withargs{jitter_lib};
-                push(@libs, "-L".$withargs{zlib_lib}) if $withargs{zlib_lib};
-                push(@libs, "-L".$withargs{brotli_lib}) if $withargs{brotli_lib};
-                push(@libs, "-L".$withargs{zstd_lib}) if $withargs{zstd_lib};
-                return join(" ", @libs);
-            },
-        ex_libs         =>
-            sub {
-                my @libs = ();
-                push(@libs, "-l:libjitterentropy.a") if !defined($disabled{jitter});
-                push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"});
-                if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) {
-                    push(@libs, "-lbrotlienc");
-                    push(@libs, "-lbrotlidec");
-                    push(@libs, "-lbrotlicommon");
-                    push(@libs, "-lm");
-                }
-                push(@libs, "-lzstd") if !defined($disabled{zstd}) && defined($disabled{"zstd-dynamic"});
-                return join(" ", @libs);
-            },
-        HASHBANGPERL    => "/usr/bin/env perl", # Only Unix actually cares
-        RANLIB          => sub { which("$config{cross_compile_prefix}ranlib")
-                                     ? "ranlib" : "" },
-        RC              => "windres",
-
-        build_scheme    => [ "unified", "unix" ],
-        build_file      => "Makefile",
-
-        perl_platform   => 'Unix',
-    },
-
-    BASE_Windows => {
-        inherit_from    => [ "BASE_common" ],
-        template        => 1,
-
-        lib_defines      =>
-            sub {
-                my @defs = ();
-                unless ($disabled{"zlib-dynamic"}) {
-                    my $zlib = $withargs{zlib_lib} // "ZLIB1";
-                    push @defs, 'LIBZ=' . (quotify("perl", $zlib))[0];
-                }
-                return [ @defs ];
-            },
-        ex_libs         =>
-            sub {
-                my @libs = ();
-                unless ($disabled{zlib}) {
-                    if (defined($disabled{"zlib-dynamic"})) {
-                        push(@libs, $withargs{zlib_lib} // "ZLIB1");
-                    }
-                }
-                unless ($disabled{zstd}) {
-                    if (defined($disabled{"zstd-dynamic"})) {
-                        push(@libs, $withargs{zstd_lib} // "libzstd");
-                    }
-                }
-                unless ($disabled{brotli}) {
-                    if (defined($disabled{"brotli-dynamic"})) {
-                        my $path = "";
-                        if (defined($withargs{brotli_lib})) {
-                            $path = $withargs{brotli_lib} . "\\";
-                        }
-                        push(@libs, $path . "brotlicommon.lib");
-                        push(@libs, $path . "brotlidec.lib");
-                        push(@libs, $path . "brotlienc.lib");
-                    }
-                }
-                return join(" ", @libs);
-            },
-
-        MT              => "mt",
-        MTFLAGS         => "-nologo",
-        mtinflag        => "-manifest ",
-        mtoutflag       => "-outputresource:",
-
-        build_file      => "makefile",
-        build_scheme    => [ "unified", "windows" ],
-
-        perl_platform   => 'Windows',
-    },
-
-    BASE_VMS => {
-        inherit_from    => [ "BASE_common" ],
-        template        => 1,
-
-        includes        =>
-            add(sub {
-                    my @incs = ();
-                    # GNV$ZLIB_INCLUDE is the standard logical name for later
-                    # zlib incarnations.
-                    push @incs, 'GNV$ZLIB_INCLUDE:'
-                        if !$disabled{zlib} && !$withargs{zlib_include};
-                    return [ @incs ];
-                }),
-
-        build_file       => "descrip.mms",
-        build_scheme     => [ "unified", "VMS" ],
-
-        perl_platform    => 'VMS',
-    },
-);

Configurations/15-android.conf

@@ -1,300 +0,0 @@
-#### Android...
-#
-# See NOTES-Android.md for details, and don't miss platform-specific
-# comments below...
-
-{
-    use File::Spec::Functions;
-
-    my $android_ndk = {};
-    my %triplet = (
-        arm    => "arm-linux-androideabi",
-        arm64  => "aarch64-linux-android",
-        mips   => "mipsel-linux-android",
-        mips64 => "mips64el-linux-android",
-        riscv64 => "riscv64-linux-android",
-        x86    => "i686-linux-android",
-        x86_64 => "x86_64-linux-android",
-    );
-
-    sub android_ndk {
-        unless (%$android_ndk) {
-            if ($now_printing =~ m|^android|) {
-                return $android_ndk = { bn_ops => "BN_AUTO" };
-            }
-
-            my $ndk_var;
-            my $ndk;
-            foreach (qw(ANDROID_NDK_ROOT ANDROID_NDK)) {
-                $ndk_var = $_;
-                $ndk = $ENV{$ndk_var};
-                last if defined $ndk;
-            }
-            die "\$ANDROID_NDK_ROOT is not defined"  if (!$ndk);
-            my $is_standalone_toolchain = -f "$ndk/AndroidVersion.txt";
-            my $ndk_src_props = "$ndk/source.properties";
-            my $is_ndk = -f $ndk_src_props;
-            if ($is_ndk == $is_standalone_toolchain) {
-                die "\$ANDROID_NDK_ROOT=$ndk is invalid";
-            }
-            $ndk = canonpath($ndk);
-
-            my $ndkver = undef;
-
-            if (open my $fh, "<$ndk_src_props") {
-                local $_;
-                while(<$fh>) {
-                    if (m|Pkg\.Revision\s*=\s*([0-9]+)|) {
-                        $ndkver = $1;
-                        last;
-                    }
-                }
-                close $fh;
-            }
-
-            my ($sysroot, $api, $arch);
-
-            $config{target} =~ m|[^-]+-([^-]+)$|;	# split on dash
-            $arch = $1;
-
-            if ($sysroot = $ENV{CROSS_SYSROOT}) {
-                $sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
-                ($api, $arch) = ($1, $2);
-            } elsif ($is_standalone_toolchain) {
-                $sysroot = "$ndk/sysroot";
-            } else {
-                $api = "*";
-
-                # see if user passed -D__ANDROID_API__=N
-                foreach (@{$useradd{CPPDEFINES}}, @{$user{CPPFLAGS}}) {
-                    if (m|__ANDROID_API__=([0-9]+)|) {
-                        $api = $1;
-                        last;
-                    }
-                }
-
-                if (-d "$ndk/platforms") {
-                    # list available platforms (numerically)
-                    my @platforms = sort { $a =~ m/-([0-9]+)$/; my $aa = $1;
-                                           $b =~ m/-([0-9]+)$/; $aa <=> $1;
-                                         } glob("$ndk/platforms/android-$api");
-                    die "no $ndk/platforms/android-$api" if ($#platforms < 0);
-
-                    $sysroot = "@platforms[$#platforms]/arch-$arch";
-                    $sysroot =~ m|/android-([0-9]+)/arch-$arch|;
-                    $api = $1;
-                } elsif ($api eq "*") {
-                    # r22 Removed platforms dir, use this JSON file
-                    my $path = "$ndk/meta/platforms.json";
-                    open my $fh, $path or die "Could not open '$path' $!";
-                    while (<$fh>) {
-                        if (/"max": (\d+),/) {
-                            $api = $1;
-                            last;
-                        }
-                    }
-                    close $fh;
-                }
-                die "Could not get default API Level" if ($api eq "*");
-            }
-            die "no sysroot=$sysroot" if (length $sysroot && !-d $sysroot);
-
-            my $triarch = $triplet{$arch};
-            my $cflags;
-            my $cppflags;
-
-            # see if there is NDK clang on $PATH, "universal" or "standalone"
-            if (which("clang") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
-                my $host=$1;
-                # harmonize with gcc default
-                my $arm = $ndkver > 16 ? "armv7a" : "armv5te";
-                (my $tridefault = $triarch) =~ s/^arm-/$arm-/;
-                (my $tritools   = $triarch) =~ s/(?:x|i6)86(_64)?-.*/x86$1/;
-                if (length $sysroot) {
-                    $cflags .= " -target $tridefault "
-                            .  "-gcc-toolchain \$($ndk_var)/toolchains"
-                            .  "/$tritools-4.9/prebuilt/$host";
-                    $user{CC} = "clang" if ($user{CC} !~ m|clang|);
-                } else {
-                    $user{CC} = "$tridefault$api-clang";
-                }
-                $user{CROSS_COMPILE} = undef;
-                if (which("llvm-ar") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
-                    $user{AR} = "llvm-ar";
-                    $user{ARFLAGS} = [ "rs" ];
-                    $user{RANLIB} = ":";
-                }
-            } elsif ($is_standalone_toolchain) {
-                my $cc = $user{CC} // "clang";
-                # One can probably argue that both clang and gcc should be
-                # probed, but support for "standalone toolchain" was added
-                # *after* announcement that gcc is being phased out, so
-                # favouring clang is considered adequate. Those who insist
-                # have option to enforce test for gcc with CC=gcc.
-                if (which("$triarch-$cc") !~ m|^$ndk|) {
-                    die "no NDK $triarch-$cc on \$PATH";
-                }
-                $user{CC} = $cc;
-                $user{CROSS_COMPILE} = "$triarch-";
-            } elsif ($user{CC} eq "clang") {
-                die "no NDK clang on \$PATH";
-            } else {
-                if (which("$triarch-gcc") !~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
-                    die "no NDK $triarch-gcc on \$PATH";
-                }
-                $cflags .= " -mandroid";
-                $user{CROSS_COMPILE} = "$triarch-";
-            }
-
-            if (length $sysroot) {
-                if (!-d "$sysroot/usr/include") {
-                    my $incroot = "$ndk/sysroot/usr/include";
-                    die "no $incroot"          if (!-d $incroot);
-                    die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
-                    $incroot =~ s|^$ndk/||;
-                    $cppflags  = "-D__ANDROID_API__=$api";
-                    $cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch";
-                    $cppflags .= " -isystem \$($ndk_var)/$incroot";
-                }
-                $sysroot =~ s|^$ndk/||;
-                $sysroot = " --sysroot=\$($ndk_var)/$sysroot";
-            }
-            $android_ndk = {
-                cflags   => $cflags . $sysroot,
-                cppflags => $cppflags,
-                bn_ops   => $arch =~ m/64$/ ? "SIXTY_FOUR_BIT_LONG"
-                                            : "BN_LLONG",
-            };
-        }
-
-        return $android_ndk;
-    }
-}
-
-my %targets = (
-    "android" => {
-        inherit_from     => [ "linux-generic32" ],
-        template         => 1,
-        ################################################################
-        # Special note about -pie. The underlying reason is that
-        # Lollipop refuses to run non-PIE. But what about older systems
-        # and NDKs? -fPIC was never problem, so the only concern is -pie.
-        # Older toolchains, e.g. r4, appear to handle it and binaries
-        # turn out mostly functional. "Mostly" means that oldest
-        # Androids, such as Froyo, fail to handle executable, but newer
-        # systems are perfectly capable of executing binaries targeting
-        # Froyo. Keep in mind that in the nutshell Android builds are
-        # about JNI, i.e. shared libraries, not applications.
-        cflags           => add(sub { android_ndk()->{cflags} }),
-        cppflags         => add(sub { android_ndk()->{cppflags} }),
-        cxxflags         => add(sub { android_ndk()->{cflags} }),
-        bn_ops           => sub { android_ndk()->{bn_ops} },
-        bin_cflags       => "-fPIE",
-        bin_lflags       => "-pie",
-        enable           => [ ],
-        shared_extension => ".so",
-    },
-    "android-arm" => {
-        ################################################################
-        # Contemporary Android applications can provide multiple JNI
-        # providers in .apk, targeting multiple architectures. Among
-        # them there is "place" for two ARM flavours: generic eabi and
-        # armv7-a/hard-float. However, it should be noted that OpenSSL's
-        # ability to engage NEON is not constrained by ABI choice, nor
-        # is your ability to call OpenSSL from your application code
-        # compiled with floating-point ABI other than default 'soft'.
-        # (Latter thanks to __attribute__((pcs("aapcs"))) declaration.)
-        # This means that choice of ARM libraries you provide in .apk
-        # is driven by application needs. For example if application
-        # itself benefits from NEON or is floating-point intensive, then
-        # it might be appropriate to provide both libraries. Otherwise
-        # just generic eabi would do. But in latter case it would be
-        # appropriate to
-        #
-        #   ./Configure android-arm -D__ARM_MAX_ARCH__=8
-        #
-        # in order to build "universal" binary and allow OpenSSL take
-        # advantage of NEON when it's available.
-        #
-        # Keep in mind that (just like with linux-armv4) we rely on
-        # compiler defaults, which is not necessarily what you had
-        # in mind, in which case you would have to pass additional
-        # -march and/or -mfloat-abi flags. NDK defaults to armv5te.
-        # Newer NDK versions reportedly require additional -latomic.
-        #
-        inherit_from     => [ "android" ],
-        bn_ops           => add("RC4_CHAR"),
-        asm_arch         => 'armv4',
-        perlasm_scheme   => "void",
-    },
-    "android-arm64" => {
-        inherit_from     => [ "android" ],
-        bn_ops           => add("RC4_CHAR"),
-        asm_arch         => 'aarch64',
-        perlasm_scheme   => "linux64",
-        shared_ldflag    => add("-Wl,-z,max-page-size=16384"),
-    },
-
-    "android-mips" => {
-        inherit_from     => [ "android" ],
-        bn_ops           => add("RC4_CHAR"),
-        asm_arch         => 'mips32',
-        perlasm_scheme   => "o32",
-    },
-    "android-mips64" => {
-        ################################################################
-        # You are more than likely have to specify target processor
-        # on ./Configure command line. Trouble is that toolchain's
-        # default is MIPS64r6 (at least in r10d), but there are no
-        # such processors around (or they are too rare to spot one).
-        # Actual problem is that MIPS64r6 is binary incompatible
-        # with previous MIPS ISA versions, in sense that unlike
-        # prior versions original MIPS binary code will fail.
-        #
-        inherit_from     => [ "android" ],
-        bn_ops           => add("RC4_CHAR"),
-        asm_arch         => 'mips64',
-        perlasm_scheme   => "64",
-    },
-
-    "android-x86" => {
-        inherit_from     => [ "android" ],
-        CFLAGS           => add(picker(release => "-fomit-frame-pointer")),
-        bn_ops           => add("RC4_INT"),
-        asm_arch         => 'x86',
-        perlasm_scheme   => "android",
-        ex_libs          => add(threads("-latomic")),
-    },
-    "android-x86_64" => {
-        inherit_from     => [ "android" ],
-        bn_ops           => add("RC4_INT"),
-        asm_arch         => 'x86_64',
-        perlasm_scheme   => "elf",
-        shared_ldflag    => add("-Wl,-z,max-page-size=16384"),
-    },
-
-    "android-riscv64" => {
-        inherit_from     => [ "android" ],
-        asm_arch         => 'riscv64',
-        perlasm_scheme   => "linux64",
-    },
-
-    ####################################################################
-    # Backward compatible targets, (might) require $CROSS_SYSROOT
-    #
-    "android-armeabi" => {
-        inherit_from     => [ "android-arm" ],
-    },
-    "android64" => {
-        inherit_from     => [ "android" ],
-    },
-    "android64-aarch64" => {
-        inherit_from     => [ "android-arm64" ],
-    },
-    "android64-x86_64" => {
-        inherit_from     => [ "android-x86_64" ],
-    },
-    "android64-mips64" => {
-        inherit_from     => [ "android-mips64" ],
-    },
-);

Configurations/15-ios.conf

@@ -1,89 +0,0 @@
-#### iPhoneOS/iOS
-#
-# `xcrun` targets require an Xcode that can determine the correct C compiler via
-# `xcrun -sdk iphoneos`. This has been standard in Xcode for a while now - any recent
-# Xcode should do.  If the Xcode on the build machine doesn't support this then use
-# the legacy targets at the end of this file. These require manual definition of
-# environment variables.
-#
-my %targets = (
-    "ios-common" => {
-        template         => 1,
-        inherit_from     => [ "darwin-common" ],
-        sys_id           => "iOS",
-        disable          => [ "async" ],
-    },
-    "ios-xcrun" => {
-        inherit_from     => [ "ios-common" ],
-        # It should be possible to go below iOS 6 and even add -arch armv6,
-        # thus targeting iPhone pre-3GS, but it's assumed to be irrelevant
-        # at this point.
-        CC               => "xcrun -sdk iphoneos cc",
-        cflags           => add("-arch armv7 -fno-common"),
-        asm_arch         => 'armv4',
-        perlasm_scheme   => "ios32",
-    },
-    "ios64-xcrun" => {
-        inherit_from     => [ "ios-common" ],
-        CC               => "xcrun -sdk iphoneos cc",
-        cflags           => add("-arch arm64 -fno-common"),
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
-        asm_arch         => 'aarch64',
-        perlasm_scheme   => "ios64",
-    },
-    "iossimulator-xcrun" => {
-        inherit_from     => [ "ios-common" ],
-        CC               => "xcrun -sdk iphonesimulator cc",
-    },
-    "iossimulator-arm64-xcrun" => {
-        inherit_from     => [ "ios-common" ],
-        CC               => "xcrun -sdk iphonesimulator cc",
-        cflags           => add("-arch arm64 -fno-common"),
-        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-        asm_arch         => 'aarch64',
-        perlasm_scheme   => "ios64",
-    },
-    "iossimulator-i386-xcrun" => {
-        inherit_from     => [ "ios-common" ],
-        CC               => "xcrun -sdk iphonesimulator cc",
-        cflags           => add("-arch i386 -fno-common"),
-        bn_ops           => "BN_LLONG",
-        asm_arch         => 'x86',
-        perlasm_scheme   => "macosx",
-    },
-    "iossimulator-x86_64-xcrun" => {
-        inherit_from     => [ "ios-common" ],
-        CC               => "xcrun -sdk iphonesimulator cc",
-        cflags           => add("-arch x86_64 -fno-common"),
-        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-        asm_arch         => 'x86_64',
-        perlasm_scheme   => "macosx",
-    },
-# It takes three prior-set environment variables to make it work:
-#
-# CROSS_COMPILE=/where/toolchain/is/usr/bin/ [note ending slash]
-# CROSS_TOP=/where/SDKs/are
-# CROSS_SDK=iPhoneOSx.y.sdk
-#
-# Exact paths vary with Xcode releases, but for couple of last ones
-# they would look like this:
-#
-# CROSS_COMPILE=`xcode-select --print-path`/Toolchains/XcodeDefault.xctoolchain/usr/bin/
-# CROSS_TOP=`xcode-select --print-path`/Platforms/iPhoneOS.platform/Developer
-# CROSS_SDK=iPhoneOS.sdk
-#
-    "iphoneos-cross" => {
-        inherit_from     => [ "ios-common" ],
-        cflags           => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\" -fno-common"),
-    },
-    "ios-cross" => {
-        inherit_from     => [ "ios-xcrun" ],
-        CC               => "cc",
-        cflags           => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
-    },
-    "ios64-cross" => {
-        inherit_from     => [ "ios64-xcrun" ],
-        CC               => "cc",
-        cflags           => add("-isysroot \"\$(CROSS_TOP)/SDKs/\$(CROSS_SDK)\""),
-    },
-);

Configurations/50-cppbuilder.conf

@@ -1,121 +0,0 @@
-my %targets = (
-    "BC-32" => {
-        inherit_from     => [ "BASE_Windows" ],
-        sys_id           => "WIN32",
-        bn_ops           => "BN_LLONG",
-        thread_scheme    => "winthreads",
-        cc               => "bcc32c",
-        CPP              => "cpp32 -oCON -Sc -Sr",
-        defines          => add("WIN32_LEAN_AND_MEAN", "OPENSSL_SYS_WIN32",
-                                "L_ENDIAN", "DSO_WIN32", "_stricmp=stricmp",
-                                "_strnicmp=strnicmp", "_malloca=malloc",
-                                "_freea=free", "_setmode=setmode"),
-        cflags           => picker(default => add("-q -c",
-                                                  threads("-tM"),
-                                                  shared("-tR")),
-                                   debug   => "-Od -v -vi- -D_DEBUG",
-                                   release => "-O2"),
-        bin_cflags       => "-tWC",
-        lib_cflags       => shared("-tWD -D_WINDLL -D_DLL"),
-        coutflag         => "-o",
-
-        # -Sx isn't documented, but 'cpp32 -H -S' explains it:
-        #
-        # -Sx     Omit preprocessed text in output
-        makedepcmd       => "cpp32 -oCON -Sx -Hp",
-        makedep_scheme   => "embarcadero",
-
-        LD               => "ilink32",
-        LDFLAGS          => picker(default => "-x -Gn -q -w-dup",
-                                   debug   => '-j"$(BDS)\lib\win32c\debug" ' .
-                                              '-L"$(BDS)\lib\win32c\debug" -v',
-                                   release => '-j"$(BDS)\lib\win32c\release" ' .
-                                              '-L"$(BDS)\lib\win32c\release"'),
-        bin_lflags       => "-ap -Tpe c0x32.obj wildargs.obj",
-        ldoutflag        => ",",
-        ldpostoutflag    => ",,",
-        ld_resp_delim    => " +\n",
-        ex_libs          => add(sub {
-            my @ex_libs = ("import32.lib",
-                           ($disabled{shared}
-                            ? ($disabled{threads} ? "cw32.lib" : "cw32mt.lib")
-                            : ($disabled{threads} ? "cw32i.lib" : "cw32mti.lib")));
-            push @ex_libs, "ws2_32.lib" unless $disabled{sock};
-            return join(" ", @ex_libs);
-        }),
-        AR               => "tlib",
-        ARFLAGS          => "/P256 /N /u",
-        ar_resp_delim    => " &\n",
-        RC               => "brcc32",
-        RCFLAGS          => '-i"$(BDS)\include\windows\sdk"',
-        rcoutflag        => "-fo",
-        shared_target    => "win-shared",
-        shared_ldflag    => "-aa -Tpd c0d32.obj",
-        lddefflag        => ",",
-        ldresflag        => ",",
-        ld_implib_rule   => 'implib -a $< $**',
-        dso_scheme       => "win32",
-        shared_defflag   => '',
-        perl_platform    => 'Windows::cppbuilder',
-        uplink_arch      => 'common',
-    },
-    "BC-64" => {
-        inherit_from     => [ "BASE_Windows" ],
-        sys_id           => "WIN64",
-        bn_ops           => "BN_LLONG",
-        thread_scheme    => "winthreads",
-        cc               => "bcc64",
-        CPP              => "cpp64 -oCON -Sc -Sr",
-        defines          => add("WIN32_LEAN_AND_MEAN", "OPENSSL_SYS_WIN64",
-                                "L_ENDIAN", "DSO_WIN32", "_stricmp=stricmp",
-                                "_strnicmp=strnicmp", "_setmode=setmode"),
-        cflags           => picker(default => add("-q -c",
-                                                  threads("-tM"),
-                                                  shared("-tR")),
-                                   debug   => "-Od -v -vi- -D_DEBUG",
-                                   release => "-O2"),
-        bin_cflags       => "-tWC",
-        lib_cflags       => shared("-tWD -D_WINDLL -D_DLL"),
-        coutflag         => "-o",
-
-        # -Sx isn't documented, but 'cpp64 -H -S' explains it:
-        #
-        # -Sx     Omit preprocessed text in output
-        makedepcmd       => "cpp64 -oCON -Sx -Hp",
-        makedep_scheme   => "embarcadero",
-
-        LD               => "ilink64",
-        LDFLAGS          => picker(default => "-x -Gn -q -w-dup",
-                                   debug   => '-j"$(BDS)\lib\win64\debug" ' .
-                                              '-L"$(BDS)\lib\win64\debug" -v',
-                                   release => '-j"$(BDS)\lib\win64\release" ' .
-                                              '-L"$(BDS)\lib\win64\release"'),
-        bin_lflags       => "-ap -Tpe c0x64.o wildargs.o",
-        ldoutflag        => ",",
-        ldpostoutflag    => ",,",
-        ld_resp_delim    => " +\n",
-        ex_libs          => add(sub {
-            my @ex_libs = ("import64.a",
-                           ($disabled{shared}
-                            ? ($disabled{threads} ? "cw64.a" : "cw64mt.a")
-                            : ($disabled{threads} ? "cw64i.a" : "cw64mti.a")));
-            push @ex_libs, "ws2_32.a" unless $disabled{sock};
-            return join(" ", @ex_libs);
-        }),
-        AR               => "tlib",
-        ARFLAGS          => "/P256 /N /u",
-        ar_resp_delim    => " &\n",
-        RC               => "brcc32",
-        RCFLAGS          => '-i"$(BDS)\include\windows\sdk"',
-        rcoutflag        => "-fo",
-        shared_target    => "win-shared",
-        shared_ldflag    => "-aa -Tpd c0d64.o",
-        lddefflag        => ",",
-        ldresflag        => ",",
-        ld_implib_rule   => 'implib -a $< $**',
-        dso_scheme       => "win64",
-        shared_defflag   => '',
-        perl_platform    => 'Windows::cppbuilder',
-        uplink_arch      => 'common',
-    }
-);

Configurations/50-djgpp.conf

@@ -1,18 +0,0 @@
-# We can't make any commitment to support the DJGPP platform,
-# and rely entirely on the OpenSSL community to help is fine
-# tune and test.
-
-my %targets = (
-    "DJGPP" => {
-        inherit_from     => [ "BASE_unix" ],
-        CC               => "gcc",
-        CFLAGS           => "-fomit-frame-pointer -O2 -Wall",
-        cflags           => "-I\$(WATT_ROOT)/inc -DTERMIOS -DL_ENDIAN",
-        sys_id           => "MSDOS",
-        lflags           => add("-L\$(WATT_ROOT)/lib"),
-        ex_libs          => add("-lwatt"),
-        bn_ops           => "BN_LLONG",
-        asm_arch         => 'x86',
-        perlasm_scheme   => "a.out",
-    },
-);

Configurations/50-haiku.conf

@@ -1,35 +0,0 @@
-my %targets = (
-    "haiku-common" => {
-        template         => 1,
-        CC               => "cc",
-        CFLAGS           => add_before(picker(default => "-Wall",
-                                              debug   => "-g -O0",
-                                              release => "-O2")),
-        cflags           => add_before("-DL_ENDIAN -include \$(SRCDIR)/os-dep/haiku.h",
-                                       threads("-D_REENTRANT")),
-        AR              => "ar",
-        ARFLAGS         => "qc",
-        HASHBANGPERL    => "/bin/env perl",
-        sys_id           => "HAIKU",
-        ex_libs          => "-lnetwork",
-        perlasm_scheme   => "elf",
-        thread_scheme    => "pthreads",
-        dso_scheme       => "dlfcn",
-        shared_target    => "gnu-shared",
-        shared_cflag     => "-fPIC",
-        shared_ldflag    => "-shared",
-        perl_platform    => 'Unix',
-    },
-    "haiku-x86" => {
-        inherit_from     => [ "haiku-common" ],
-        CFLAGS           => add(picker(release => "-fomit-frame-pointer")),
-        bn_ops           => "BN_LLONG",
-        asm_arch         => 'x86',
-        perlasm_scheme   => 'elf',
-    },
-    "haiku-x86_64" => {
-        inherit_from     => [ "haiku-common" ],
-        cflags           => add("-m64"),
-        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-    },
-);

Configurations/50-masm.conf

@@ -1,23 +0,0 @@
-# We can't make commitment to supporting Microsoft assembler,
-# because it would mean supporting all masm versions. This in
-# in turn is because masm is not really an interchangeable option,
-# while users tend to have reasons to stick with specific Visual
-# Studio versions. It's usually lesser hassle to make it work
-# with latest assembler, but tweaking for older versions had
-# proven to be daunting task. This is experimental target, for
-# production builds stick with [up-to-date version of] nasm.
-
-my %targets = (
-    "VC-WIN64A-masm" => {
-        inherit_from    => [ "VC-WIN64-common" ],
-        AS              => "ml64",
-        ASFLAGS         => "/nologo /Zi",
-        asoutflag       => "/Fo",
-        asflags         => "/c /Cp /Cx",
-        sys_id          => "WIN64A",
-        uplink_arch      => 'x86_64',
-        asm_arch         => 'x86_64',
-        perlasm_scheme   => "masm",
-        multilib         => "-x64",
-    },
-);

Configurations/50-nonstop.conf

@@ -1,285 +0,0 @@
-#### Nonstop configurations
-    # Common for all
-    'nonstop-common' => {
-        inherit_from     => [ 'BASE_unix' ],
-        template         => 1,
-        cc               => 'c99',
-        cflags           => add_before(picker(debug   => '-g -O0',
-                                              release => '-g -O2'),
-                                       '-Wextensions',
-                                       '-Wnowarn=203,220,272,734,770,1506',
-                                       '-Wbuild_neutral_library',
-                                       '-Wverbose'),
-        defines          => add('OPENSSL_VPROC=$(OPENSSL_VPROC)',
-                                '_XOPEN_SOURCE',
-                                '_XOPEN_SOURCE_EXTENDED=1',
-                                '_TANDEM_SOURCE',
-                                '__NSK_OPTIONAL_TYPES__',
-                                'B_ENDIAN'),
-        perl             => '/usr/bin/perl',
-        shared_target    => 'nonstop-shared',
-        shared_extension => ".so",
-        ex_libs          => add('-lrld'),
-        enable           => ['egd'],
-	# Not currently inherited
-        disable          => ['atexit'],
-        dso_scheme       => 'DLFCN',
-        sys_id           => 'TANDEM',
-    },
-
-    ######################################################################
-    # Additional variant settings, to be combined with nonstop-common
-    # Note that these do not inherit anything.  However, the diverse values
-    # are merged with other entries in an 'inherit_from'.
-    #
-    # These combine:
-    # - System architecture (MIPS, Itanium, or x86)
-    # - Execution environment (oss [default] or guardian)
-    #
-    # Unfortunately, they can't be separated into independent templates, because
-    # a number of the above are encoded as different linkers, and by consequence,
-    # different c99 linker flags (-Wld, -Weld, and -Wxld)
-    #
-    # In addition, the are modifiers for:
-    # - Size of long + pointer (ilp32 [default] and lp64)
-    # - Float type (neutral and tandem)
-    #
-    # Unfortunately, because the float types affect the linker settings, those
-    # are divided per system architecture
-    #
-    # MIPS + guardian (unused but present for convenience):
-    'nonstop-archenv-mips-guardian' => {
-        template         => 1,
-        defines          => ['NO_GETPID'],
-        cflags           => '-Wtarget=tns/r -Wsystype=guardian',
-        lflags           => '-Wld="-set systype guardian"',
-        shared_ldflag    => '-Wshared -Wld="-soname $(@:lib%.so=%)"',
-        shared_defflag   => '-Wld_obey=',
-        shared_argfileflag => '-Wld_obey=',
-    },
-
-    # Itanium + guardian:
-    'nonstop-archenv-itanium-guardian' => {
-        template         => 1,
-        defines          => ['NO_GETPID'],
-        cflags           => '-Wtarget=tns/e -Wsystype=guardian',
-        lflags           => '-Weld="-set systype guardian"',
-        shared_ldflag    => '-Wshared -Weld="-soname $(@:lib%.so=%)"',
-        shared_defflag   => '-Weld_obey=',
-        shared_argfileflag => '-Weld_obey=',
-    },
-
-    # x86 + guardian:
-    'nonstop-archenv-x86_64-guardian' => {
-        template         => 1,
-        defines          => ['NO_GETPID'],
-        cflags           => '-Wtarget=tns/x -Wsystype=guardian',
-        lflags           => '-Wxld="-set systype guardian"',
-        shared_ldflag    => '-Wshared -Wxld="-soname $(@:lib%.so=%)"',
-        shared_defflag   => '-Wxld_obey=',
-        shared_argfileflag => '-Wxld_obey=',
-    },
-
-    # MIPS + oss (unused but present for convenience):
-    'nonstop-archenv-mips-oss' => {
-        template         => 1,
-        cflags           => '-Wtarget=tns/r -Wsystype=oss',
-        lflags           => '-Wld="-set systype oss"',
-        shared_ldflag    => '-Wshared',
-        shared_defflag   => '-Wld_obey=',
-        shared_argfileflag => '-Wld_obey=',
-    },
-    # Itanium + oss:
-    'nonstop-archenv-itanium-oss' => {
-        template         => 1,
-        cflags           => '-Wtarget=tns/e -Wsystype=oss',
-        lflags           => '-Weld="-set systype oss"',
-        shared_ldflag    => '-Wshared',
-        shared_defflag   => '-Weld_obey=',
-        shared_argfileflag => '-Weld_obey=',
-    },
-    # x86_64 + oss:
-    'nonstop-archenv-x86_64-oss' => {
-        template         => 1,
-        cflags           => '-Wtarget=tns/x -Wsystype=oss',
-        lflags           => '-Wxld="-set systype oss"',
-        shared_ldflag    => '-Wshared',
-        shared_defflag   => '-Wxld_obey=',
-        shared_argfileflag => '-Wxld_obey=',
-    },
-
-    # Size variants
-    'nonstop-ilp32' => {
-        template         => 1,
-        cflags           => '-Wilp32',
-        bn_ops           => 'THIRTY_TWO_BIT',
-    },
-    'nonstop-lp64-itanium' => {
-        template         => 1,
-        cflags           => '-Wlp64',
-        bn_ops           => 'SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR',
-    },
-    'nonstop-lp64-x86_64' => {
-        template         => 1,
-        cflags           => '-Wlp64',
-        lflags           => '-Wxld="-set data_model lp64"',
-        bn_ops           => 'SIXTY_FOUR_BIT',
-    },
-
-    # Float variants
-    'nonstop-nfloat-mips' => {
-        template         => 1,
-        lflags           => '-Wld="-set floattype neutral_float"',
-    },
-    'nonstop-tfloat-mips' => {
-        template         => 1,
-        lflags           => '-Wld="-set floattype tandem_float"',
-    },
-    'nonstop-efloat-itanium' => {
-        template         => 1,
-        cflags           => '-WIEEE_float',
-        lflags           => '-Weld="-set floattype ieee_float"',
-    },
-    'nonstop-nfloat-itanium' => {
-        template         => 1,
-        lflags           => '-Weld="-set floattype neutral_float"',
-    },
-    'nonstop-tfloat-itanium' => {
-        template         => 1,
-        cflags           => '-WTandem_float',
-        lflags           => '-Weld="-set floattype tandem_float"',
-    },
-    'nonstop-efloat-x86_64' => {
-        template         => 1,
-        cflags           => '-WIEEE_float',
-        lflags           => '-Wxld="-set floattype ieee_float"',
-    },
-    'nonstop-nfloat-x86_64' => {
-        template         => 1,
-        lflags           => '-Wxld="-set floattype neutral_float"',
-    },
-    'nonstop-tfloat-x86_64' => {
-        template         => 1,
-        cflags           => '-WTandem_float',
-        lflags           => '-Wxld="-set floattype tandem_float"',
-    },
-
-    ######################################################################
-    # Build models
-    'nonstop-model-put' => {
-        template         => 1,
-        disable          => ['secure-memory'],
-        defines          => ['_PUT_MODEL_',
-                             '_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'],
-        ex_libs          => '-lput',
-    },
-
-    ######################################################################
-    # Build models
-    'nonstop-model-klt' => {
-        template         => 1,
-        disable          => ['secure-memory'],
-        defines          => ['_KLT_MODEL_',
-                             '_REENTRANT', '_THREAD_SUPPORT_FUNCTIONS'],
-        ex_libs          => '-lklt',
-    },
-
-    ######################################################################
-    # Now for the entries themselves, let's combine things!
-    'nonstop-nsx' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-oss',
-                              'nonstop-ilp32',
-                              'nonstop-efloat-x86_64' ],
-        disable          => ['threads','atexit'],
-    },
-    'nonstop-nsx_put' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-oss',
-                              'nonstop-ilp32',
-                              'nonstop-efloat-x86_64',
-                              'nonstop-model-put' ],
-        multilib         => '-put',
-        multibin         => '-put',
-        disable          => ['atexit'],
-    },
-    'nonstop-nsx_64' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-oss',
-                              'nonstop-lp64-x86_64',
-                              'nonstop-efloat-x86_64' ],
-        multilib         => '64',
-        multibin         => '64',
-        disable          => ['threads','atexit'],
-    },
-    'nonstop-nsx_64_put' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-oss',
-                              'nonstop-lp64-x86_64',
-                              'nonstop-efloat-x86_64',
-                              'nonstop-model-put' ],
-        multilib         => '64-put',
-        multibin         => '64-put',
-        disable          => ['atexit'],
-    },
-    'nonstop-nsx_64_klt' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-oss',
-                              'nonstop-lp64-x86_64',
-                              'nonstop-efloat-x86_64',
-                              'nonstop-model-klt' ],
-        multilib         => '64-klt',
-        multibin         => '64-klt',
-        disable          => ['atexit'],
-    },
-    'nonstop-nsx_g' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-guardian',
-                              'nonstop-ilp32', 'nonstop-nfloat-x86_64' ],
-        disable          => ['threads','atexit'],
-    },
-    'nonstop-nsx_g_tandem' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-x86_64-guardian',
-                              'nonstop-ilp32', 'nonstop-tfloat-x86_64' ],
-        disable          => ['threads','atexit'],
-    },
-    'nonstop-nsv' => {
-        inherit_from     => [ 'nonstop-nsx' ],
-    },
-    'nonstop-nse' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-itanium-oss',
-                              'nonstop-ilp32',
-                              'nonstop-efloat-itanium' ],
-        disable          => ['threads','atexit'],
-    },
-    'nonstop-nse_put' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-itanium-oss',
-                              'nonstop-ilp32',
-                              'nonstop-efloat-itanium',
-                              'nonstop-model-put' ],
-        multilib         => '-put',
-        multibin         => '-put',
-        disable          => ['atexit'],
-    },
-    'nonstop-nse_64' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-itanium-oss',
-                              'nonstop-lp64-itanium',
-                              'nonstop-efloat-itanium' ],
-        multilib         => '64',
-        multibin         => '64',
-        disable          => ['threads','atexit'],
-    },
-    'nonstop-nse_64_put' => {
-        inherit_from     => [ 'nonstop-common',
-                              'nonstop-archenv-itanium-oss',
-                              'nonstop-lp64-itanium',
-                              'nonstop-efloat-itanium',
-                              'nonstop-model-put' ],
-        multilib         => '64-put',
-        multibin         => '64-put',
-        disable          => ['atexit'],
-    },

Configurations/50-os390.conf

@@ -1,11 +0,0 @@
-## -*- mode: perl; -*-
-(
-# OS/390 Unix an EBCDIC-based Unix system on IBM mainframe
-    "OS390-Unix" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "cc",
-        cflags           => "-O -DB_ENDIAN -DCHARSET_EBCDIC",
-        bn_ops           => "THIRTY_TWO_BIT RC4_CHAR",
-        thread_scheme    => "(unknown)",
-    }
-);

Configurations/50-vms-x86_64.conf

@@ -1,14 +0,0 @@
-## -*- mode: perl; -*-
-
-# OpenVMS cross compilation of x86_64 binaries on Itanium.  This doesn't
-# fit the usual cross compilation parameters that are used on Unixly machines
-
-(
- 'vms-x86_64-cross-ia64' => {
-     inherit_from   => [ 'vms-generic' ],
-     CC             => 'XCC',
-     bn_ops         => 'SIXTY_FOUR_BIT',
-     pointer_size   => '',
-     setup_commands => [ '@SYS$MANAGER:X86_XTOOLS$SYLOGIN.COM' ],
- }
-);

Configurations/50-win-clang-cl.conf

@@ -1,36 +0,0 @@
-## -*- mode: perl; -*-
-# Windows on Arm clang-cl targets.
-#
-
-my %targets = (
-    "VC-WIN64-CLANGASM-ARM" => {
-        inherit_from    => [ "VC-noCE-common" ],
-        defines         => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE",
-                               "OPENSSL_SYS_WIN_CORE"),
-        bn_ops          => "SIXTY_FOUR_BIT RC4_CHAR",
-        multilib        => "-arm64",
-        asm_arch        => "aarch64",
-        AS        => "clang-cl.exe",
-        ASFLAGS   => "/nologo /Zi --target=arm64-pc-windows-msvc",
-        asflags   => "/c",
-        asoutflag => "/Fo",
-        perlasm_scheme => "win64",
-        uplink_arch      => 'armv8',
-    },
-    "VC-CLANG-WIN64-CLANGASM-ARM" => {
-        CC => "clang-cl",
-        inherit_from    => [ "VC-noCE-common" ],
-        defines         => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE",
-                               "OPENSSL_SYS_WIN_CORE"),
-        bn_ops          => "SIXTY_FOUR_BIT RC4_CHAR",
-        multilib        => "-arm64",
-        asm_arch        => "aarch64",
-        CFLAGS        => add("--target=arm64-pc-windows-msvc"),
-        AS        => "clang-cl.exe",
-        ASFLAGS   => "/nologo /Zi --target=arm64-pc-windows-msvc",
-        asflags   => "/c",
-        asoutflag => "/Fo",
-        perlasm_scheme => "win64",
-        uplink_arch      => 'armv8',
-    },
-);

Configurations/50-win-hybridcrt.conf

@@ -1,37 +0,0 @@
-## -*- mode: perl; -*-
-# Windows HybridCRT targets.
-# 
-# https://github.com/microsoft/WindowsAppSDK/blob/77761e244289fda6b3d5f14c7bded189fed4fb89/docs/Coding-Guidelines/HybridCRT.md
-# Link statically against the runtime and STL, but link dynamically against the CRT by ignoring the static CRT
-# lib and instead linking against the Universal CRT DLL import library. This "Hybrid" linking mechanism is
-# supported according to the CRT maintainer. Dynamic linking against the CRT makes the binaries a bit smaller
-# than they would otherwise be if the CRT, runtime, and STL were all statically linked in.
-
-
-sub remove_from_flags {
-    my ($toRemove, $flags) = @_;
-    
-    $flags =~ s/$toRemove//;
-    return $flags;
-}
-
-my %targets = (
-    "VC-WIN32-HYBRIDCRT" => {
-        inherit_from    => [ "VC-WIN32" ],
-        cflags          => sub {
-            remove_from_flags(qr/\/MDd?\s/, add(picker(debug   => "/MTd",
-                                                       release => "/MT"))->(@_))
-        },
-        lflags          => add(picker(debug   => "/NODEFAULTLIB:libucrtd.lib /DEFAULTLIB:ucrtd.lib",
-                                      release => "/NODEFAULTLIB:libucrt.lib /DEFAULTLIB:ucrt.lib")),
-    },
-    "VC-WIN64A-HYBRIDCRT" => {
-        inherit_from    => [ "VC-WIN64A" ],
-        cflags          => sub {
-            remove_from_flags(qr/\/MDd?\s/, add(picker(debug   => "/MTd",
-                                                       release => "/MT"))->(@_))
-        },
-        lflags          => add(picker(debug   => "/NODEFAULTLIB:libucrtd.lib /DEFAULTLIB:ucrtd.lib",
-                                      release => "/NODEFAULTLIB:libucrt.lib /DEFAULTLIB:ucrt.lib")),
-    },
-);

Configurations/50-win-onecore.conf

@@ -1,137 +0,0 @@
-## -*- mode: perl; -*-
-# Windows OneCore targets.
-#
-# OneCore is new API stability "contract" that transcends Desktop, IoT and
-# Mobile[?] Windows editions. It's a set up "umbrella" libraries that
-# export subset of Win32 API that are common to all Windows 10 devices.
-#
-# OneCore Configuration temporarily dedicated for console applications
-# due to disabled event logging, which is incompatible with one core.
-# Error messages are provided via standard error only.
-# TODO: extend error handling to use ETW based eventing
-# (Or rework whole error messaging)
-
-my $UWP_info = {};
-sub UWP_info {
-    unless (%$UWP_info) {
-        my $SDKver = `powershell -Command  \"& {\$(Get-Item \\\"hklm:\\SOFTWARE\\WOW6432Node\\Microsoft\\Microsoft SDKs\\Windows\\\").GetValue(\\\"CurrentVersion\\\")}\"`;
-        $SDKver =~ s|\R$||;
-        my @SDKver_split = split(/\./, $SDKver);
-        # SDK version older than 10.0.17763 don't support our ASM builds
-        if ($SDKver_split[0] < 10
-            || ($SDKver_split[0] == 10
-                && $SDKver_split[1] == 0
-                && $SDKver_split[2] < 17763)) {
-            $UWP_info->{disable} = [ 'asm' ];
-        } else {
-            $UWP_info->{disable} = [ ];
-        }
-    }
-    return $UWP_info;
-}
-
-my %targets = (
-    "VC-WIN32-ONECORE" => {
-        inherit_from    => [ "VC-WIN32" ],
-        # /NODEFAULTLIB:kernel32.lib is needed, because MSVCRT.LIB has
-        # hidden reference to kernel32.lib, but we don't actually want
-        # it in "onecore" build.
-        lflags          => add("/NODEFAULTLIB:kernel32.lib"),
-        defines         => add("OPENSSL_SYS_WIN_CORE"),
-        ex_libs         => "onecore.lib",
-    },
-    "VC-WIN64A-ONECORE" => {
-        inherit_from    => [ "VC-WIN64A" ],
-        lflags          => add("/NODEFAULTLIB:kernel32.lib"),
-        defines         => add("OPENSSL_SYS_WIN_CORE"),
-        ex_libs         => "onecore.lib",
-    },
-
-    # Windows on ARM targets. ARM compilers are additional components in
-    # VS2017, i.e. they are not installed by default. And when installed,
-    # there are no "ARM Tool Command Prompt"s on Start menu, you have
-    # to locate vcvarsall.bat and act accordingly. VC-WIN32-ARM has
-    # received limited testing with evp_test.exe on Windows 10 IoT Core,
-    # but not VC-WIN64-ARM, no hardware... In other words they are not
-    # actually supported...
-    #
-    # Another thing to keep in mind [in cross-compilation scenario such
-    # as this one] is that target's file system has nothing to do with
-    # compilation system's one. This means that you're are likely to use
-    # --prefix and --openssldir with target-specific values. 'nmake install'
-    # step is effectively meaningless in cross-compilation case, though
-    # it might be useful to 'nmake install DESTDIR=S:\ome\where' where you
-    # can point Visual Studio to when compiling custom application code.
-
-    "VC-WIN32-ARM" => {
-        inherit_from    => [ "VC-noCE-common" ],
-        defines         => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE",
-                               "OPENSSL_SYS_WIN_CORE"),
-        bn_ops          => "BN_LLONG RC4_CHAR",
-        lflags          => add("/NODEFAULTLIB:kernel32.lib"),
-        ex_libs         => "onecore.lib",
-        multilib        => "-arm",
-    },
-    "VC-WIN64-ARM" => {
-        inherit_from    => [ "VC-noCE-common" ],
-        defines         => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE",
-                               "OPENSSL_SYS_WIN_CORE"),
-        bn_ops          => "SIXTY_FOUR_BIT RC4_CHAR",
-        lflags          => add("/NODEFAULTLIB:kernel32.lib"),
-        ex_libs         => "onecore.lib",
-        multilib        => "-arm64",
-    },
-
-    # Universal Windows Platform (UWP) App Support
-
-    # TODO
-    #
-    # The 'disable' attribute should have 'uplink'.
-    # however, these are checked in some 'inherit_from', which is processed
-    # very early, before the 'disable' attributes are seen.
-    # This is a problem that needs to be resolved in Configure first.
-    #
-    # But if you want to build library with Windows 10 Version 1809 SDK or
-    # earlier, the 'disable' attribute should also have 'asm'.
-
-    "VC-WIN32-UWP" => {
-        inherit_from    => [ "VC-WIN32-ONECORE" ],
-        lflags          => add("/APPCONTAINER"),
-        defines         => add("WINAPI_FAMILY=WINAPI_FAMILY_APP",
-                               "_WIN32_WINNT=0x0A00"),
-        dso_scheme      => "",
-        disable         => sub { [ 'ui-console', 'stdio', 'async', 'uplink',
-                                   @{ UWP_info()->{disable} } ] },
-        ex_libs         => "WindowsApp.lib",
-    },
-     "VC-WIN64A-UWP" => {
-        inherit_from    => [ "VC-WIN64A-ONECORE" ],
-        lflags          => add("/APPCONTAINER"),
-        defines         => add("WINAPI_FAMILY=WINAPI_FAMILY_APP",
-                               "_WIN32_WINNT=0x0A00"),
-        dso_scheme      => "",
-        disable         => sub { [ 'ui-console', 'stdio', 'async', 'uplink',
-                                   @{ UWP_info()->{disable} } ] },
-        ex_libs         => "WindowsApp.lib",
-    },
-    "VC-WIN32-ARM-UWP" => {
-        inherit_from    => [ "VC-WIN32-ARM" ],
-        lflags          => add("/APPCONTAINER"),
-        defines         => add("WINAPI_FAMILY=WINAPI_FAMILY_APP",
-                               "_WIN32_WINNT=0x0A00"),
-        dso_scheme      => "",
-        disable         => sub { [ 'ui-console', 'stdio', 'async', 'uplink',
-                                   @{ UWP_info()->{disable} } ] },
-        ex_libs         => "WindowsApp.lib",
-    },
-     "VC-WIN64-ARM-UWP" => {
-        inherit_from    => [ "VC-WIN64-ARM" ],
-        lflags          => add("/APPCONTAINER"),
-        defines         => add("WINAPI_FAMILY=WINAPI_FAMILY_APP",
-                               "_WIN32_WINNT=0x0A00"),
-        dso_scheme      => "",
-        disable         => sub { [ 'ui-console', 'stdio', 'async', 'uplink',
-                                   @{ UWP_info()->{disable} } ] },
-        ex_libs         => "WindowsApp.lib",
-    },
-);

Configurations/INTERNALS.Configure

@@ -1,136 +0,0 @@
-Configure Internals
-===================
-
-[ note: this file uses markdown for formatting ]
-
-Intro
------
-
-This is a collection of notes that are hopefully of interest to those
-who decide to dive into Configure and what it does.  This is a living
-document and anyone is encouraged to add to it and submit changes.
-There's no claim for this document to be complete at any time, but it
-will hopefully reach such a point in time.
-
-
-----------------------------------------------------------------------
-
-Parsing build.info files, processing conditions
------------------------------------------------
-
-Processing conditions in build.info files is done with the help of a
-condition stack that tell if a build.info should be processed or if it
-should just be skipped over.  The possible states of the stack top are
-expressed in the following comment from Configure:
-
-    # The top item of this stack has the following values
-    # -2 positive already run and we found ELSE (following ELSIF should fail)
-    # -1 positive already run (skip until ENDIF)
-    # 0 negatives so far (if we're at a condition, check it)
-    # 1 last was positive (don't skip lines until next ELSE, ELSIF or ENDIF)
-    # 2 positive ELSE (following ELSIF should fail)
-
-Ground rule is that non-condition lines are skipped over if the
-stack top is > 0.  Condition lines (IF, ELSIF, ELSE and ENDIF
-statements) need to be processed either way to keep track of the skip
-stack states, so they are a little more intricate.
-
-Instead of trying to describe in words, here are some example of what
-the skip stack should look like after each line is processed:
-
-Example 1:
-
-| IF[1]                     |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-|   IF[1]                   |  1  1     |                               |
-|     ... whatever ...      |           | this line is processed        |
-|   ELSIF[1]                |  1 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    |  1 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-| ELSIF[1]                  | -1        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-|   IF[1]                   | -1 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSIF[1]                | -1 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    | -1 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   | -1        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-| ENDIF                     |           |                               |
-
-Example 2:
-
-| IF[0]                     |  0        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-|   IF[1]                   |  0 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSIF[1]                |  0 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    |  0 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   |  0        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-| ELSIF[1]                  |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-|   IF[1]                   |  1  1     |                               |
-|     ... whatever ...      |           | this line is processed        |
-|   ELSIF[1]                |  1 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    |  1 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-| ENDIF                     |           |                               |
-
-Example 3:
-
-| IF[0]                     |  0        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-|   IF[0]                   |  0 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSIF[1]                |  0 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    |  0 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   |  0        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-| ELSIF[1]                  |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-|   IF[0]                   |  1  0     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSIF[1]                |  1  1     |                               |
-|     ... whatever ...      |           | this line is processed        |
-|   ELSE                    |  1 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-| ENDIF                     |           |                               |
-
-Example 4:
-
-| IF[0]                     |  0        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-|   IF[0]                   |  0 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSIF[0]                |  0 -1     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    |  0 -2     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ENDIF                   |  0        |                               |
-|   ... whatever ...        |           | this line is skipped over     |
-| ELSIF[1]                  |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-|   IF[0]                   |  1  0     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSIF[0]                |  1  0     |                               |
-|     ... whatever ...      |           | this line is skipped over     |
-|   ELSE                    |  1  2     |                               |
-|     ... whatever ...      |           | this line is processed        |
-|   ENDIF                   |  1        |                               |
-|   ... whatever ...        |           | this line is processed        |
-| ENDIF                     |           |                               |
-

Configurations/README-design.md

@@ -1,604 +0,0 @@
-Design document for the unified scheme data
-===========================================
-
-How are things connected?
--------------------------
-
-The unified scheme takes all its data from the `build.info` files seen
-throughout the source tree.  These files hold the minimum information
-needed to build end product files from diverse sources.  See the
-section on `build.info` files below.
-
-From the information in `build.info` files, `Configure` builds up an
-information database as a hash table called `%unified_info`, which is
-stored in configdata.pm, found at the top of the build tree (which may
-or may not be the same as the source tree).
-
-[`Configurations/common.tmpl`](common.tmpl) uses the data from `%unified_info` to
-generate the rules for building end product files as well as
-intermediary files with the help of a few functions found in the
-build-file templates.  See the section on build-file templates further
-down for more information.
-
-build.info files
-----------------
-
-As mentioned earlier, `build.info` files are meant to hold the minimum
-information needed to build output files, and therefore only (with a
-few possible exceptions [1]) have information about end products (such
-as scripts, library files and programs) and source files (such as C
-files, C header files, assembler files, etc).  Intermediate files such
-as object files are rarely directly referred to in `build.info` files (and
-when they are, it's always with the file name extension `.o`), they are
-inferred by `Configure`.  By the same rule of minimalism, end product
-file name extensions (such as `.so`, `.a`, `.exe`, etc) are never mentioned
-in `build.info`.  Their file name extensions will be inferred by the
-build-file templates, adapted for the platform they are meant for (see
-sections on `%unified_info` and build-file templates further down).
-
-The variables `PROGRAMS`, `LIBS`, `MODULES` and `SCRIPTS` are used to declare
-end products.  There are variants for them with `_NO_INST` as suffix
-(`PROGRAM_NO_INST` etc) to specify end products that shouldn't get installed.
-
-The variables `SOURCE`, `DEPEND`, `INCLUDE` and `DEFINE` are indexed by a
-produced file, and their values are the source used to produce that
-particular produced file, extra dependencies, include directories
-needed, or C macros to be defined.
-
-All their values in all the `build.info` throughout the source tree are
-collected together and form a set of programs, libraries, modules and
-scripts to be produced, source files, dependencies, etc etc etc.
-
-Let's have a pretend example, a very limited contraption of OpenSSL,
-composed of the program `apps/openssl`, the libraries `libssl` and
-`libcrypto`, an module `engines/ossltest` and their sources and
-dependencies.
-
-    # build.info
-    LIBS=libcrypto libssl
-    INCLUDE[libcrypto]=include
-    INCLUDE[libssl]=include
-    DEPEND[libssl]=libcrypto
-
-This is the top directory `build.info` file, and it tells us that two
-libraries are to be built, the include directory `include/` shall be
-used throughout when building anything that will end up in each
-library, and that the library `libssl` depend on the library
-`libcrypto` to function properly.
-
-    # apps/build.info
-    PROGRAMS=openssl
-    SOURCE[openssl]=openssl.c
-    INCLUDE[openssl]=.. ../include
-    DEPEND[openssl]=../libssl
-
-This is the `build.info` file in `apps/`, one may notice that all file
-paths mentioned are relative to the directory the `build.info` file is
-located in.  This one tells us that there's a program to be built
-called `apps/openss` (the file name extension will depend on the
-platform and is therefore not mentioned in the `build.info` file).  It's
-built from one source file, `apps/openssl.c`, and building it requires
-the use of `.` and `include/` include directories (both are declared
-from the point of view of the `apps/` directory), and that the program
-depends on the library `libssl` to function properly.
-
-    # crypto/build.info
-    LIBS=../libcrypto
-    SOURCE[../libcrypto]=aes.c evp.c cversion.c
-    DEPEND[cversion.o]=buildinf.h
-
-    GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
-    DEPEND[buildinf.h]=../Makefile
-    DEPEND[../util/mkbuildinf.pl]=../util/Foo.pm
-
-This is the `build.info` file in `crypto/`, and it tells us a little more
-about what's needed to produce `libcrypto`.  LIBS is used again to
-declare that `libcrypto` is to be produced.  This declaration is
-really unnecessary as it's already mentioned in the top `build.info`
-file, but can make the info file easier to understand.  This is to
-show that duplicate information isn't an issue.
-
-This `build.info` file informs us that `libcrypto` is built from a few
-source files, `crypto/aes.c`, `crypto/evp.c` and `crypto/cversion.c`.
-It also shows us that building the object file inferred from
-`crypto/cversion.c` depends on `crypto/buildinf.h`.  Finally, it
-also shows the possibility to declare how some files are generated
-using some script, in this case a perl script, and how such scripts
-can be declared to depend on other files, in this case a perl module.
-
-Two things are worth an extra note:
-
-`DEPEND[cversion.o]` mentions an object file.  DEPEND indexes is the
-only location where it's valid to mention them
-
-    # ssl/build.info
-    LIBS=../libssl
-    SOURCE[../libssl]=tls.c
-
-This is the build.info file in `ssl/`, and it tells us that the
-library `libssl` is built from the source file `ssl/tls.c`.
-
-    # engines/build.info
-    MODULES=dasync
-    SOURCE[dasync]=e_dasync.c
-    DEPEND[dasync]=../libcrypto
-    INCLUDE[dasync]=../include
-
-    MODULES_NO_INST=ossltest
-    SOURCE[ossltest]=e_ossltest.c
-    DEPEND[ossltest]=../libcrypto.a
-    INCLUDE[ossltest]=../include
-
-This is the `build.info` file in `engines/`, telling us that two modules
-called `engines/dasync` and `engines/ossltest` shall be built, that
-`dasync`'s source is `engines/e_dasync.c` and `ossltest`'s source is
-`engines/e_ossltest.c` and that the include directory `include/` may
-be used when building anything that will be part of these modules.
-Also, both modules depend on the library `libcrypto` to function
-properly.  `ossltest` is explicitly linked with the static variant of
-the library `libcrypto`.  Finally, only `dasync` is being installed, as
-`ossltest` is only for internal testing.
-
-When `Configure` digests these `build.info` files, the accumulated
-information comes down to this:
-
-    LIBS=libcrypto libssl
-    SOURCE[libcrypto]=crypto/aes.c crypto/evp.c crypto/cversion.c
-    DEPEND[crypto/cversion.o]=crypto/buildinf.h
-    INCLUDE[libcrypto]=include
-    SOURCE[libssl]=ssl/tls.c
-    INCLUDE[libssl]=include
-    DEPEND[libssl]=libcrypto
-
-    PROGRAMS=apps/openssl
-    SOURCE[apps/openssl]=apps/openssl.c
-    INCLUDE[apps/openssl]=. include
-    DEPEND[apps/openssl]=libssl
-
-    MODULES=engines/dasync
-    SOURCE[engines/dasync]=engines/e_dasync.c
-    DEPEND[engines/dasync]=libcrypto
-    INCLUDE[engines/dasync]=include
-
-    MODULES_NO_INST=engines/ossltest
-    SOURCE[engines/ossltest]=engines/e_ossltest.c
-    DEPEND[engines/ossltest]=libcrypto.a
-    INCLUDE[engines/ossltest]=include
-
-    GENERATE[crypto/buildinf.h]=util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
-    DEPEND[crypto/buildinf.h]=Makefile
-    DEPEND[util/mkbuildinf.pl]=util/Foo.pm
-
-A few notes worth mentioning:
-
-`LIBS` may be used to declare routine libraries only.
-
-`PROGRAMS` may be used to declare programs only.
-
-`MODULES` may be used to declare modules only.
-
-The indexes for `SOURCE` must only be end product files, such as
-libraries, programs or modules.  The values of `SOURCE` variables must
-only be source files (possibly generated).
-
-`INCLUDE` and `DEPEND` shows a relationship between different files
-(usually produced files) or between files and directories, such as a
-program depending on a library, or between an object file and some
-extra source file.
-
-When `Configure` processes the `build.info` files, it will take it as
-truth without question, and will therefore perform very few checks.
-If the build tree is separate from the source tree, it will assume
-that all built files and up in the build directory and that all source
-files are to be found in the source tree, if they can be found there.
-`Configure` will assume that source files that can't be found in the
-source tree (such as `crypto/bildinf.h` in the example above) are
-generated and will be found in the build tree.
-
-The `%unified_info` database
-----------------------------
-
-The information in all the `build.info` get digested by `Configure` and
-collected into the `%unified_info` database, divided into the following
-indexes:
-
-    depends   => a hash table containing 'file' => [ 'dependency' ... ]
-                 pairs.  These are directly inferred from the DEPEND
-                 variables in build.info files.
-
-    modules   => a list of modules.  These are directly inferred from
-                 the MODULES variable in build.info files.
-
-    generate  => a hash table containing 'file' => [ 'generator' ... ]
-                 pairs.  These are directly inferred from the GENERATE
-                 variables in build.info files.
-
-    includes  => a hash table containing 'file' => [ 'include' ... ]
-                 pairs.  These are directly inferred from the INCLUDE
-                 variables in build.info files.
-
-    install   => a hash table containing 'type' => [ 'file' ... ] pairs.
-                 The types are 'programs', 'libraries', 'modules' and
-                 'scripts', and the array of files list the files of
-                 that type that should be installed.
-
-    libraries => a list of libraries.  These are directly inferred from
-                 the LIBS variable in build.info files.
-
-    programs  => a list of programs.  These are directly inferred from
-                 the PROGRAMS variable in build.info files.
-
-    scripts   => a list of scripts.  There are directly inferred from
-                 the SCRIPTS variable in build.info files.
-
-    sources   => a hash table containing 'file' => [ 'sourcefile' ... ]
-                 pairs.  These are indirectly inferred from the SOURCE
-                 variables in build.info files.  Object files are
-                 mentioned in this hash table, with source files from
-                 SOURCE variables, and AS source files for programs and
-                 libraries.
-
-    shared_sources =>
-                 a hash table just like 'sources', but only as source
-                 files (object files) for building shared libraries.
-
-As an example, here is how the `build.info` files example from the
-section above would be digested into a `%unified_info` table:
-
-    our %unified_info = (
-        "depends" =>
-            {
-                "apps/openssl" =>
-                    [
-                        "libssl",
-                    ],
-                "crypto/buildinf.h" =>
-                    [
-                        "Makefile",
-                    ],
-                "crypto/cversion.o" =>
-                    [
-                        "crypto/buildinf.h",
-                    ],
-                "engines/dasync" =>
-                    [
-                        "libcrypto",
-                    ],
-                "engines/ossltest" =>
-                    [
-                        "libcrypto.a",
-                    ],
-                "libssl" =>
-                    [
-                        "libcrypto",
-                    ],
-                "util/mkbuildinf.pl" =>
-                    [
-                        "util/Foo.pm",
-                    ],
-            },
-        "modules" =>
-            [
-                "engines/dasync",
-                "engines/ossltest",
-            ],
-        "generate" =>
-            {
-                "crypto/buildinf.h" =>
-                    [
-                        "util/mkbuildinf.pl",
-                        "\"\$(CC)",
-                        "\$(CFLAGS)\"",
-                        "\"$(PLATFORM)\"",
-                    ],
-            },
-        "includes" =>
-            {
-                "apps/openssl" =>
-                    [
-                        ".",
-                        "include",
-                    ],
-                "engines/ossltest" =>
-                    [
-                        "include"
-                    ],
-                "libcrypto" =>
-                    [
-                        "include",
-                    ],
-                "libssl" =>
-                    [
-                        "include",
-                    ],
-                "util/mkbuildinf.pl" =>
-                    [
-                        "util",
-                    ],
-            }
-        "install" =>
-            {
-                "modules" =>
-                    [
-                        "engines/dasync",
-                    ],
-                "libraries" =>
-                    [
-                        "libcrypto",
-                        "libssl",
-                    ],
-                "programs" =>
-                    [
-                        "apps/openssl",
-                    ],
-           },
-        "libraries" =>
-            [
-                "libcrypto",
-                "libssl",
-            ],
-        "programs" =>
-            [
-                "apps/openssl",
-            ],
-        "sources" =>
-            {
-                "apps/openssl" =>
-                    [
-                        "apps/openssl.o",
-                    ],
-                "apps/openssl.o" =>
-                    [
-                        "apps/openssl.c",
-                    ],
-                "crypto/aes.o" =>
-                    [
-                        "crypto/aes.c",
-                    ],
-                "crypto/cversion.o" =>
-                    [
-                        "crypto/cversion.c",
-                    ],
-                "crypto/evp.o" =>
-                    [
-                        "crypto/evp.c",
-                    ],
-                "engines/e_dasync.o" =>
-                    [
-                        "engines/e_dasync.c",
-                    ],
-                "engines/dasync" =>
-                    [
-                        "engines/e_dasync.o",
-                    ],
-                "engines/e_ossltest.o" =>
-                    [
-                        "engines/e_ossltest.c",
-                    ],
-                "engines/ossltest" =>
-                    [
-                        "engines/e_ossltest.o",
-                    ],
-                "libcrypto" =>
-                    [
-                        "crypto/aes.c",
-                        "crypto/cversion.c",
-                        "crypto/evp.c",
-                    ],
-                "libssl" =>
-                    [
-                        "ssl/tls.c",
-                    ],
-                "ssl/tls.o" =>
-                    [
-                        "ssl/tls.c",
-                    ],
-            },
-    );
-
-As can be seen, everything in `%unified_info` is fairly simple suggest
-of information.  Still, it tells us that to build all programs, we
-must build `apps/openssl`, and to build the latter, we will need to
-build all its sources (`apps/openssl.o` in this case) and all the
-other things it depends on (such as `libssl`).  All those dependencies
-need to be built as well, using the same logic, so to build `libssl`,
-we need to build `ssl/tls.o` as well as `libcrypto`, and to build the
-latter...
-
-Build-file templates
---------------------
-
-Build-file templates are essentially build-files (such as `Makefile` on
-Unix) with perl code fragments mixed in.  Those perl code fragment
-will generate all the configuration dependent data, including all the
-rules needed to build end product files and intermediary files alike.
-At a minimum, there must be a perl code fragment that defines a set of
-functions that are used to generates specific build-file rules, to
-build static libraries from object files, to build shared libraries
-from static libraries, to programs from object files and libraries,
-etc.
-
-    generatesrc - function that produces build file lines to generate
-                  a source file from some input.
-
-                  It's called like this:
-
-                        generatesrc(src => "PATH/TO/tobegenerated",
-                                    generator => [ "generatingfile", ... ]
-                                    generator_incs => [ "INCL/PATH", ... ]
-                                    generator_deps => [ "dep1", ... ]
-                                    incs => [ "INCL/PATH", ... ],
-                                    deps => [ "dep1", ... ],
-                                    intent => one of "libs", "dso", "bin" );
-
-                  'src' has the name of the file to be generated.
-                  'generator' is the command or part of command to
-                  generate the file, of which the first item is
-                  expected to be the file to generate from.
-                  generatesrc() is expected to analyse and figure out
-                  exactly how to apply that file and how to capture
-                  the result.  'generator_incs' and 'generator_deps'
-                  are include directories and files that the generator
-                  file itself depends on.  'incs' and 'deps' are
-                  include directories and files that are used if $(CC)
-                  is used as an intermediary step when generating the
-                  end product (the file indicated by 'src').  'intent'
-                  indicates what the generated file is going to be
-                  used for.
-
-    src2obj     - function that produces build file lines to build an
-                  object file from source files and associated data.
-
-                  It's called like this:
-
-                        src2obj(obj => "PATH/TO/objectfile",
-                                srcs => [ "PATH/TO/sourcefile", ... ],
-                                deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]
-                                intent => one of "lib", "dso", "bin" );
-
-                  'obj' has the intended object file with `.o`
-                  extension, src2obj() is expected to change it to
-                  something more suitable for the platform.
-                  'srcs' has the list of source files to build the
-                  object file, with the first item being the source
-                  file that directly corresponds to the object file.
-                  'deps' is a list of explicit dependencies.  'incs'
-                  is a list of include file directories.  Finally,
-                  'intent' indicates what this object file is going
-                  to be used for.
-
-    obj2lib     - function that produces build file lines to build a
-                  static library file ("libfoo.a" in Unix terms) from
-                  object files.
-
-                  called like this:
-
-                        obj2lib(lib => "PATH/TO/libfile",
-                                objs => [ "PATH/TO/objectfile", ... ]);
-
-                  'lib' has the intended library file name *without*
-                  extension, obj2lib is expected to add that.  'objs'
-                  has the list of object files to build this library.
-
-    libobj2shlib - backward compatibility function that's used the
-                  same way as obj2shlib (described next), and was
-                  expected to build the shared library from the
-                  corresponding static library when that was suitable.
-                  NOTE: building a shared library from a static
-                  library is now DEPRECATED, as they no longer share
-                  object files.  Attempting to do this will fail.
-
-    obj2shlib   - function that produces build file lines to build a
-                  shareable object library file ("libfoo.so" in Unix
-                  terms) from the corresponding object files.
-
-                  called like this:
-
-                        obj2shlib(shlib => "PATH/TO/shlibfile",
-                                  lib => "PATH/TO/libfile",
-                                  objs => [ "PATH/TO/objectfile", ... ],
-                                  deps => [ "PATH/TO/otherlibfile", ... ]);
-
-                  'lib' has the base (static) library file name
-                  *without* extension.  This is useful in case
-                  supporting files are needed (such as import
-                  libraries on Windows).
-                  'shlib' has the corresponding shared library name
-                  *without* extension.  'deps' has the list of other
-                  libraries (also *without* extension) this library
-                  needs to be linked with.  'objs' has the list of
-                  object files to build this library.
-
-    obj2dso     - function that produces build file lines to build a
-                  dynamic shared object file from object files.
-
-                  called like this:
-
-                        obj2dso(lib => "PATH/TO/libfile",
-                                objs => [ "PATH/TO/objectfile", ... ],
-                                deps => [ "PATH/TO/otherlibfile",
-                                ... ]);
-
-                  This is almost the same as obj2shlib, but the
-                  intent is to build a shareable library that can be
-                  loaded in runtime (a "plugin"...).
-
-    obj2bin     - function that produces build file lines to build an
-                  executable file from object files.
-
-                  called like this:
-
-                        obj2bin(bin => "PATH/TO/binfile",
-                                objs => [ "PATH/TO/objectfile", ... ],
-                                deps => [ "PATH/TO/libfile", ... ]);
-
-                  'bin' has the intended executable file name
-                  *without* extension, obj2bin is expected to add
-                  that.  'objs' has the list of object files to build
-                  this library.  'deps' has the list of library files
-                  (also *without* extension) that the programs needs
-                  to be linked with.
-
-    in2script   - function that produces build file lines to build a
-                  script file from some input.
-
-                  called like this:
-
-                        in2script(script => "PATH/TO/scriptfile",
-                                  sources => [ "PATH/TO/infile", ... ]);
-
-                  'script' has the intended script file name.
-                  'sources' has the list of source files to build the
-                  resulting script from.
-
-Along with the build-file templates is the driving template
-[`Configurations/common.tmpl`](common.tmpl), which looks through all the
-information in `%unified_info` and generates all the rulesets to build libraries,
-programs and all intermediate files, using the rule generating
-functions defined in the build-file template.
-
-As an example with the smaller `build.info` set we've seen as an
-example, producing the rules to build `libcrypto` would result in the
-following calls:
-
-    # Note: obj2shlib will only be called if shared libraries are
-    # to be produced.
-    # Note 2: obj2shlib must convert the '.o' extension to whatever
-    # is suitable on the local platform.
-    obj2shlib(shlib => "libcrypto",
-              objs => [ "crypto/aes.o", "crypto/evp.o", "crypto/cversion.o" ],
-              deps => [  ]);
-
-    obj2lib(lib => "libcrypto"
-            objs => [ "crypto/aes.o", "crypto/evp.o", "crypto/cversion.o" ]);
-
-    src2obj(obj => "crypto/aes.o"
-            srcs => [ "crypto/aes.c" ],
-            deps => [ ],
-            incs => [ "include" ],
-            intent => "lib");
-
-    src2obj(obj => "crypto/evp.o"
-            srcs => [ "crypto/evp.c" ],
-            deps => [ ],
-            incs => [ "include" ],
-            intent => "lib");
-
-    src2obj(obj => "crypto/cversion.o"
-            srcs => [ "crypto/cversion.c" ],
-            deps => [ "crypto/buildinf.h" ],
-            incs => [ "include" ],
-            intent => "lib");
-
-    generatesrc(src => "crypto/buildinf.h",
-                generator => [ "util/mkbuildinf.pl", "\"$(CC)",
-                               "$(CFLAGS)\"", "\"$(PLATFORM)\"" ],
-                generator_incs => [ "util" ],
-                generator_deps => [ "util/Foo.pm" ],
-                incs => [ ],
-                deps => [ ],
-                intent => "lib");
-
-The returned strings from all those calls are then concatenated
-together and written to the resulting build-file.

Configurations/README.md

@@ -1,674 +0,0 @@
-Intro
-=====
-
-This directory contains a few sets of files that are used for
-configuration in diverse ways:
-
-    *.conf      Target platform configurations, please read
-                'Configurations of OpenSSL target platforms' for more
-                information.
-    *.tmpl      Build file templates, please read 'Build-file
-                programming with the "unified" build system' as well
-                as 'Build info files' for more information.
-    *.pm        Helper scripts / modules for the main `Configure`
-                script.  See 'Configure helper scripts for more
-                information.
-
-Configurations of OpenSSL target platforms
-==========================================
-
-Configuration targets are a collection of facts that we know about
-different platforms and their capabilities.  We organise them in a
-hash table, where each entry represent a specific target.
-
-Note that configuration target names must be unique across all config
-files.  The Configure script does check that a config file doesn't
-have config targets that shadow config targets from other files.
-
-In each table entry, the following keys are significant:
-
-        inherit_from    => Other targets to inherit values from.
-                           Explained further below. [1]
-        template        => Set to 1 if this isn't really a platform
-                           target.  Instead, this target is a template
-                           upon which other targets can be built.
-                           Explained further below.  [1]
-
-        sys_id          => System identity for systems where that
-                           is difficult to determine automatically.
-
-        enable          => Enable specific configuration features.
-                           This MUST be an array of words.
-        disable         => Disable specific configuration features.
-                           This MUST be an array of words.
-                           Note: if the same feature is both enabled
-                           and disabled, disable wins.
-
-        as              => The assembler command.  This is not always
-                           used (for example on Unix, where the C
-                           compiler is used instead).
-        asflags         => Default assembler command flags [4].
-        cpp             => The C preprocessor command, normally not
-                           given, as the build file defaults are
-                           usually good enough.
-        cppflags        => Default C preprocessor flags [4].
-        defines         => As an alternative, macro definitions may be
-                           given here instead of in 'cppflags' [4].
-                           If given here, they MUST be as an array of
-                           the string such as "MACRO=value", or just
-                           "MACRO" for definitions without value.
-        includes        => As an alternative, inclusion directories
-                           may be given here instead of in 'cppflags'
-                           [4].  If given here, the MUST be an array
-                           of strings, one directory specification
-                           each.
-        cc              => The C compiler command, usually one of "cc",
-                           "gcc" or "clang".  This command is normally
-                           also used to link object files and
-                           libraries into the final program.
-        cxx             => The C++ compiler command, usually one of
-                           "c++", "g++" or "clang++".  This command is
-                           also used when linking a program where at
-                           least one of the object file is made from
-                           C++ source.
-        cflags          => Defaults C compiler flags [4].
-        cxxflags        => Default  C++ compiler flags [4].  If unset,
-                           it gets the same value as cflags.
-
-        (linking is a complex thing, see [3] below)
-        ld              => Linker command, usually not defined
-                           (meaning the compiler command is used
-                           instead).
-                           (NOTE: this is here for future use, it's
-                           not implemented yet)
-        lflags          => Default flags used when linking apps,
-                           shared libraries or DSOs [4].
-        ex_libs         => Extra libraries that are needed when
-                           linking shared libraries, DSOs or programs.
-                           The value is also assigned to Libs.private
-                           in $(libdir)/pkgconfig/libcrypto.pc.
-
-        shared_cppflags => Extra C preprocessor flags used when
-                           processing C files for shared libraries.
-        shared_cflag    => Extra C compiler flags used when compiling
-                           for shared libraries, typically something
-                           like "-fPIC".
-        shared_ldflag   => Extra linking flags used when linking
-                           shared libraries.
-        module_cppflags
-        module_cflags
-        module_ldflags  => Has the same function as the corresponding
-                           'shared_' attributes, but for building DSOs.
-                           When unset, they get the same values as the
-                           corresponding 'shared_' attributes.
-
-        ar              => The library archive command, the default is
-                           "ar".
-                           (NOTE: this is here for future use, it's
-                           not implemented yet)
-        arflags         => Flags to be used with the library archive
-                           command.  On Unix, this includes the
-                           command letter, 'r' by default.
-
-        ranlib          => The library archive indexing command, the
-                           default is 'ranlib' it it exists.
-
-        unistd          => An alternative header to the typical
-                           '<unistd.h>'.  This is very rarely needed.
-
-        shared_extension => File name extension used for shared
-                            libraries.
-        obj_extension   => File name extension used for object files.
-                           On unix, this defaults to ".o" (NOTE: this
-                           is here for future use, it's not
-                           implemented yet)
-        exe_extension   => File name extension used for executable
-                           files.  On unix, this defaults to "" (NOTE:
-                           this is here for future use, it's not
-                           implemented yet)
-        shlib_variant   => A "variant" identifier inserted between the base
-                           shared library name and the extension.  On "unixy"
-                           platforms (BSD, Linux, Solaris, MacOS/X, ...) this
-                           supports installation of custom OpenSSL libraries
-                           that don't conflict with other builds of OpenSSL
-                           installed on the system.  The variant identifier
-                           becomes part of the SONAME of the library and also
-                           any symbol versions (symbol versions are not used or
-                           needed with MacOS/X).  For example, on a system
-                           where a default build would normally create the SSL
-                           shared library as 'libssl.so -> libssl.so.1.1' with
-                           the value of the symlink as the SONAME, a target
-                           definition that sets 'shlib_variant => "-abc"' will
-                           create 'libssl.so -> libssl-abc.so.1.1', again with
-                           an SONAME equal to the value of the symlink.  The
-                           symbol versions associated with the variant library
-                           would then be 'OPENSSL_ABC_<version>' rather than
-                           the default 'OPENSSL_<version>'. The string inserted
-                           into symbol versions is obtained by mapping all
-                           letters in the "variant" identifier to uppercase
-                           and all non-alphanumeric characters to '_'.
-
-        thread_scheme   => The type of threads is used on the
-                           configured platform.  Currently known
-                           values are "(unknown)", "pthreads",
-                           "uithreads" (a.k.a solaris threads) and
-                           "winthreads".  Except for "(unknown)", the
-                           actual value is currently ignored but may
-                           be used in the future.  See further notes
-                           below [2].
-        dso_scheme      => The type of dynamic shared objects to build
-                           for.  This mostly comes into play with
-                           modules, but can be used for other purposes
-                           as well.  Valid values are "DLFCN"
-                           (dlopen() et al), "DLFCN_NO_H" (for systems
-                           that use dlopen() et al but do not have
-                           fcntl.h), "DL" (shl_load() et al), "WIN32"
-                           and "VMS".
-        asm_arch        => The architecture to be used for compiling assembly
-                           source.  This acts as a selector in build.info files.
-        uplink_arch     => The architecture to be used for compiling uplink
-                           source.  This acts as a selector in build.info files.
-                           This is separate from asm_arch because it's compiled
-                           even when 'no-asm' is given, even though it contains
-                           assembler source.
-        perlasm_scheme  => The perlasm method used to create the
-                           assembler files used when compiling with
-                           assembler implementations.
-        shared_target   => The shared library building method used.
-                           This serves multiple purposes:
-                           - as index for targets found in shared_info.pl.
-                           - as linker script generation selector.
-                           To serve both purposes, the index for shared_info.pl
-                           should end with '-shared', and this suffix will be
-                           removed for use as a linker script generation
-                           selector.  Note that the latter is only used if
-                           'shared_defflag' is defined.
-        build_scheme    => The scheme used to build up a Makefile.
-                           In its simplest form, the value is a string
-                           with the name of the build scheme.
-                           The value may also take the form of a list
-                           of strings, if the build_scheme is to have
-                           some options.  In this case, the first
-                           string in the list is the name of the build
-                           scheme.
-                           Currently recognised build scheme is "unified".
-                           For the "unified" build scheme, this item
-                           *must* be an array with the first being the
-                           word "unified" and the second being a word
-                           to identify the platform family.
-
-        multilib        => On systems that support having multiple
-                           implementations of a library (typically a
-                           32-bit and a 64-bit variant), this is used
-                           to have the different variants in different
-                           directories.
-
-        multibin        => On systems that support having multiple
-                           implementations of a library and binaries
-                           (typically a 32-bit and a 64-bit variant),
-                           this is used to have the different variants
-                           in different binary directories. This setting
-                           works in conjunction with multilib.
-
-        bn_ops          => Building options (was just bignum options in
-                           the earlier history of this option, hence the
-                           name). This is a string of words that describe
-                           algorithms' implementation parameters that
-                           are optimal for the designated target platform,
-                           such as the type of integers used to build up
-                           the bignum, different ways to implement certain
-                           ciphers and so on. To fully comprehend the
-                           meaning, the best is to read the affected
-                           source.
-                           The valid words are:
-
-                           THIRTY_TWO_BIT       bignum limbs are 32 bits,
-                                                this is default if no
-                                                option is specified, it
-                                                works on any supported
-                                                system [unless "wider"
-                                                limb size is implied in
-                                                assembly code];
-                           BN_LLONG             bignum limbs are 32 bits,
-                                                but 64-bit 'unsigned long
-                                                long' is used internally
-                                                in calculations;
-                           SIXTY_FOUR_BIT_LONG  bignum limbs are 64 bits
-                                                and sizeof(long) is 8;
-                           SIXTY_FOUR_BIT       bignums limbs are 64 bits,
-                                                but execution environment
-                                                is ILP32;
-                           RC4_CHAR             RC4 key schedule is made
-                                                up of 'unsigned char's;
-                                                Note: should not be used
-                                                for new configuration
-                                                targets
-                           RC4_INT              RC4 key schedule is made
-                                                up of 'unsigned int's;
-                                                Note: should not be used
-                                                for new configuration
-                                                targets
-
-[1] as part of the target configuration, one can have a key called
-  `inherit_from` that indicates what other configurations to inherit
-  data from.  These are resolved recursively.
-
-  Inheritance works as a set of default values that can be overridden
-  by corresponding key values in the inheriting configuration.
-
-  Note 1: any configuration table can be used as a template.
-  Note 2: pure templates have the attribute `template => 1` and
-          cannot be used as build targets.
-
-  If several configurations are given in the `inherit_from` array,
-  the values of same attribute are concatenated with space
-  separation.  With this, it's possible to have several smaller
-  templates for different configuration aspects that can be combined
-  into a complete configuration.
-
-  Instead of a scalar value or an array, a value can be a code block
-  of the form `sub { /* your code here */ }`.  This code block will
-  be called with the list of inherited values for that key as
-  arguments.  In fact, the concatenation of strings is really done
-  by using `sub { join(" ",@_) }` on the list of inherited values.
-
-  An example:
-
-        "foo" => {
-                template => 1,
-                haha => "ha ha",
-                hoho => "ho",
-                ignored => "This should not appear in the end result",
-        },
-        "bar" => {
-                template => 1,
-                haha => "ah",
-                hoho => "haho",
-                hehe => "hehe"
-        },
-        "laughter" => {
-                inherit_from => [ "foo", "bar" ],
-                hehe => sub { join(" ",(@_,"!!!")) },
-                ignored => "",
-        }
-
-        The entry for "laughter" will become as follows after processing:
-
-        "laughter" => {
-                haha => "ha ha ah",
-                hoho => "ho haho",
-                hehe => "hehe !!!",
-                ignored => ""
-        }
-
-[2] OpenSSL is built with threading capabilities unless the user
-  specifies `no-threads`.  The value of the key `thread_scheme` may
-  be `(unknown)`, in which case the user MUST give some compilation
-  flags to `Configure`.
-
-[3] OpenSSL has three types of things to link from object files or
-  static libraries:
-
-  - shared libraries; that would be libcrypto and libssl.
-  - shared objects (sometimes called dynamic libraries);  that would
-    be the modules.
-  - applications; those are apps/openssl and all the test apps.
-
-  Very roughly speaking, linking is done like this (words in braces
-  represent the configuration settings documented at the beginning
-  of this file):
-
-    shared libraries:
-        {ld} $(CFLAGS) {lflags} {shared_ldflag} -o libfoo.so \
-            foo/something.o foo/somethingelse.o {ex_libs}
-
-    shared objects:
-        {ld} $(CFLAGS) {lflags} {module_ldflags} -o libeng.so \
-            blah1.o blah2.o -lcrypto {ex_libs}
-
-    applications:
-        {ld} $(CFLAGS) {lflags} -o app \
-            app1.o utils.o -lssl -lcrypto {ex_libs}
-
-[4] There are variants of these attribute, prefixed with `lib_`,
-  `dso_` or `bin_`.  Those variants replace the unprefixed attribute
-  when building library, DSO or program modules specifically.
-
-Historically, the target configurations came in form of a string with
-values separated by colons.  This use is deprecated.  The string form
-looked like this:
-
-    "target" => "{cc}:{cflags}:{unistd}:{thread_cflag}:{sys_id}:{lflags}:
-                 {bn_ops}:{cpuid_obj}:{bn_obj}:{ec_obj}:{des_obj}:{aes_obj}:
-                 {bf_obj}:{md5_obj}:{sha1_obj}:{cast_obj}:{rc4_obj}:
-                 {rmd160_obj}:{rc5_obj}:{wp_obj}:{cmll_obj}:{modes_obj}:
-                 {padlock_obj}:{perlasm_scheme}:{dso_scheme}:{shared_target}:
-                 {shared_cflag}:{shared_ldflag}:{shared_extension}:{ranlib}:
-                 {arflags}:{multilib}"
-
-Build info files
-================
-
-The `build.info` files that are spread over the source tree contain the
-minimum information needed to build and distribute OpenSSL.  It uses a
-simple and yet fairly powerful language to determine what needs to be
-built, from what sources, and other relationships between files.
-
-For every `build.info` file, all file references are relative to the
-directory of the `build.info` file for source files, and the
-corresponding build directory for built files if the build tree
-differs from the source tree.
-
-When processed, every line is processed with the perl module
-Text::Template, using the delimiters `{-` and `-}`.  The hashes
-`%config` and `%target` are passed to the perl fragments, along with
-$sourcedir and $builddir, which are the locations of the source
-directory for the current `build.info` file and the corresponding build
-directory, all relative to the top of the build tree.
-
-`Configure` only knows inherently about the top `build.info` file.  For
-any other directory that has one, further directories to look into
-must be indicated like this:
-
-    SUBDIRS=something someelse
-
-On to things to be built; they are declared by setting specific
-variables:
-
-    PROGRAMS=foo bar
-    LIBS=libsomething
-    MODULES=libeng
-    SCRIPTS=myhack
-
-Note that the files mentioned for PROGRAMS, LIBS and MODULES *must* be
-without extensions.  The build file templates will figure them out.
-
-For each thing to be built, it is then possible to say what sources
-they are built from:
-
-    PROGRAMS=foo bar
-    SOURCE[foo]=foo.c common.c
-    SOURCE[bar]=bar.c extra.c common.c
-
-It's also possible to tell some other dependencies:
-
-    DEPEND[foo]=libsomething
-    DEPEND[libbar]=libsomethingelse
-
-(it could be argued that 'libsomething' and 'libsomethingelse' are
-source as well.  However, the files given through SOURCE are expected
-to be located in the source tree while files given through DEPEND are
-expected to be located in the build tree)
-
-It's also possible to depend on static libraries explicitly:
-
-    DEPEND[foo]=libsomething.a
-    DEPEND[libbar]=libsomethingelse.a
-
-This should be rarely used, and care should be taken to make sure it's
-only used when supported.  For example, native Windows build doesn't
-support building static libraries and DLLs at the same time, so using
-static libraries on Windows can only be done when configured
-`no-shared`.
-
-In some cases, it's desirable to include some source files in the
-shared form of a library only:
-
-    SHARED_SOURCE[libfoo]=dllmain.c
-
-For any file to be built, it's also possible to tell what extra
-include paths the build of their source files should use:
-
-    INCLUDE[foo]=include
-
-It's also possible to specify C macros that should be defined:
-
-    DEFINE[foo]=FOO BAR=1
-
-In some cases, one might want to generate some source files from
-others, that's done as follows:
-
-    GENERATE[foo.s]=asm/something.pl $(CFLAGS)
-    GENERATE[bar.s]=asm/bar.S
-
-The value of each GENERATE line is a command line or part of it.
-Configure places no rules on the command line, except that the first
-item must be the generator file.  It is, however, entirely up to the
-build file template to define exactly how those command lines should
-be handled, how the output is captured and so on.
-
-Sometimes, the generator file itself depends on other files, for
-example if it is a perl script that depends on other perl modules.
-This can be expressed using DEPEND like this:
-
-    DEPEND[asm/something.pl]=../perlasm/Foo.pm
-
-There may also be cases where the exact file isn't easily specified,
-but an inclusion directory still needs to be specified.  INCLUDE can
-be used in that case:
-
-    INCLUDE[asm/something.pl]=../perlasm
-
-NOTE: GENERATE lines are limited to one command only per GENERATE.
-
-Finally, you can have some simple conditional use of the `build.info`
-information, looking like this:
-
-    IF[1]
-     something
-    ELSIF[2]
-     something other
-    ELSE
-     something else
-    ENDIF
-
-The expression in square brackets is interpreted as a string in perl,
-and will be seen as true if perl thinks it is, otherwise false.  For
-example, the above would have "something" used, since 1 is true.
-
-Together with the use of Text::Template, this can be used as
-conditions based on something in the passed variables, for example:
-
-    IF[{- $disabled{shared} -}]
-      LIBS=libcrypto
-      SOURCE[libcrypto]=...
-    ELSE
-      LIBS=libfoo
-      SOURCE[libfoo]=...
-    ENDIF
-
-Build-file programming with the "unified" build system
-======================================================
-
-"Build files" are called `Makefile` on Unix-like operating systems,
-`descrip.mms` for MMS on VMS, `makefile` for `nmake` on Windows, etc.
-
-To use the "unified" build system, the target configuration needs to
-set the three items `build_scheme`, `build_file` and `build_command`.
-In the rest of this section, we will assume that `build_scheme` is set
-to "unified" (see the configurations documentation above for the
-details).
-
-For any name given by `build_file`, the "unified" system expects a
-template file in `Configurations/` named like the build file, with
-`.tmpl` appended, or in case of possible ambiguity, a combination of
-the second `build_scheme` list item and the `build_file` name.  For
-example, if `build_file` is set to `Makefile`, the template could be
-`Configurations/Makefile.tmpl` or `Configurations/unix-Makefile.tmpl`.
-In case both `Configurations/unix-Makefile.tmpl` and
-`Configurations/Makefile.tmpl` are present, the former takes precedence.
-
-The build-file template is processed with the perl module
-Text::Template, using `{-` and `-}` as delimiters that enclose the
-perl code fragments that generate configuration-dependent content.
-Those perl fragments have access to all the hash variables from
-configdata.pem.
-
-The build-file template is expected to define at least the following
-perl functions in a perl code fragment enclosed with `{-` and `-}`.
-They are all expected to return a string with the lines they produce.
-
-    generatesrc - function that produces build file lines to generate
-                  a source file from some input.
-
-                  It's called like this:
-
-                        generatesrc(src => "PATH/TO/tobegenerated",
-                                    generator => [ "generatingfile", ... ]
-                                    generator_incs => [ "INCL/PATH", ... ]
-                                    generator_deps => [ "dep1", ... ]
-                                    generator => [ "generatingfile", ... ]
-                                    incs => [ "INCL/PATH", ... ],
-                                    deps => [ "dep1", ... ],
-                                    intent => one of "libs", "dso", "bin" );
-
-                  'src' has the name of the file to be generated.
-                  'generator' is the command or part of command to
-                  generate the file, of which the first item is
-                  expected to be the file to generate from.
-                  generatesrc() is expected to analyse and figure out
-                  exactly how to apply that file and how to capture
-                  the result.  'generator_incs' and 'generator_deps'
-                  are include directories and files that the generator
-                  file itself depends on.  'incs' and 'deps' are
-                  include directories and files that are used if $(CC)
-                  is used as an intermediary step when generating the
-                  end product (the file indicated by 'src').  'intent'
-                  indicates what the generated file is going to be
-                  used for.
-
-    src2obj     - function that produces build file lines to build an
-                  object file from source files and associated data.
-
-                  It's called like this:
-
-                        src2obj(obj => "PATH/TO/objectfile",
-                                srcs => [ "PATH/TO/sourcefile", ... ],
-                                deps => [ "dep1", ... ],
-                                incs => [ "INCL/PATH", ... ]
-                                intent => one of "lib", "dso", "bin" );
-
-                  'obj' has the intended object file with '.o'
-                  extension, src2obj() is expected to change it to
-                  something more suitable for the platform.
-                  'srcs' has the list of source files to build the
-                  object file, with the first item being the source
-                  file that directly corresponds to the object file.
-                  'deps' is a list of explicit dependencies.  'incs'
-                  is a list of include file directories.  Finally,
-                  'intent' indicates what this object file is going
-                  to be used for.
-
-    obj2lib     - function that produces build file lines to build a
-                  static library file ("libfoo.a" in Unix terms) from
-                  object files.
-
-                  called like this:
-
-                        obj2lib(lib => "PATH/TO/libfile",
-                                objs => [ "PATH/TO/objectfile", ... ]);
-
-                  'lib' has the intended library filename *without*
-                  extension, obj2lib is expected to add that.  'objs'
-                  has the list of object files to build this library.
-
-    libobj2shlib - backward compatibility function that's used the
-                  same way as obj2shlib (described next), and was
-                  expected to build the shared library from the
-                  corresponding static library when that was suitable.
-                  NOTE: building a shared library from a static
-                  library is now DEPRECATED, as they no longer share
-                  object files.  Attempting to do this will fail.
-
-    obj2shlib   - function that produces build file lines to build a
-                  shareable object library file ("libfoo.so" in Unix
-                  terms) from the corresponding object files.
-
-                  called like this:
-
-                        obj2shlib(shlib => "PATH/TO/shlibfile",
-                                  lib => "PATH/TO/libfile",
-                                  objs => [ "PATH/TO/objectfile", ... ],
-                                  deps => [ "PATH/TO/otherlibfile", ... ]);
-
-                  'lib' has the base (static) library filename
-                  *without* extension.  This is useful in case
-                  supporting files are needed (such as import
-                  libraries on Windows).
-                  'shlib' has the corresponding shared library name
-                  *without* extension.  'deps' has the list of other
-                  libraries (also *without* extension) this library
-                  needs to be linked with.  'objs' has the list of
-                  object files to build this library.
-
-    obj2dso     - function that produces build file lines to build a
-                  dynamic shared object file from object files.
-
-                  called like this:
-
-                        obj2dso(lib => "PATH/TO/libfile",
-                                objs => [ "PATH/TO/objectfile", ... ],
-                                deps => [ "PATH/TO/otherlibfile",
-                                ... ]);
-
-                  This is almost the same as obj2shlib, but the
-                  intent is to build a shareable library that can be
-                  loaded in runtime (a "plugin"...).
-
-    obj2bin     - function that produces build file lines to build an
-                  executable file from object files.
-
-                  called like this:
-
-                        obj2bin(bin => "PATH/TO/binfile",
-                                objs => [ "PATH/TO/objectfile", ... ],
-                                deps => [ "PATH/TO/libfile", ... ]);
-
-                  'bin' has the intended executable filename
-                  *without* extension, obj2bin is expected to add
-                  that.  'objs' has the list of object files to build
-                  this library.  'deps' has the list of library files
-                  (also *without* extension) that the programs needs
-                  to be linked with.
-
-    in2script   - function that produces build file lines to build a
-                  script file from some input.
-
-                  called like this:
-
-                        in2script(script => "PATH/TO/scriptfile",
-                                  sources => [ "PATH/TO/infile", ... ]);
-
-                  'script' has the intended script filename.
-                  'sources' has the list of source files to build the
-                  resulting script from.
-
-In all cases, file file paths are relative to the build tree top, and
-the build file actions run with the build tree top as current working
-directory.
-
-Make sure to end the section with these functions with a string that
-you thing is appropriate for the resulting build file.  If nothing
-else, end it like this:
-
-      "";       # Make sure no lingering values end up in the Makefile
-    -}
-
-Configure helper scripts
-========================
-
-Configure uses helper scripts in this directory:
-
-Checker scripts
----------------
-
-These scripts are per platform family, to check the integrity of the
-tools used for configuration and building.  The checker script used is
-either `{build_platform}-{build_file}-checker.pm` or
-`{build_platform}-checker.pm`, where `{build_platform}` is the second
-`build_scheme` list element from the configuration target data, and
-`{build_file}` is `build_file` from the same target data.
-
-If the check succeeds, the script is expected to end with a non-zero
-expression.  If the check fails, the script can end with a zero, or
-with a `die`.

Configurations/common0.tmpl

@@ -1,31 +0,0 @@
-{- # -*- Mode: perl -*-
-
- # Commonly used list of generated files
- # The reason for the complexity is that the build.info files provide
- # GENERATE rules for *all* platforms without discrimination, while the
- # build files only want those for a particular build.  Therefore, we
- # need to extrapolate exactly what we need to generate.  The way to do
- # that is to extract all possible source files from diverse tables and
- # filter out all that are not generated
- my %generatables =
-     map { $_ => 1 }
-     ( # The sources of stuff may be generated
-         ( map { @{$unified_info{sources}->{$_}} }
-               keys %{$unified_info{sources}} ),
-         $disabled{shared}
-             ? ()
-             : ( map { @{$unified_info{shared_sources}->{$_}} }
-                 keys %{$unified_info{shared_sources}} ),
-         # Things we explicitly depend on are usually generated
-         ( map { $_ eq "" ? () : @{$unified_info{depends}->{$_}} }
-               keys %{$unified_info{depends}} ));
- our @generated =
-     sort ( ( grep { defined $unified_info{generate}->{$_} }
-              sort keys %generatables ),
-            # Scripts are assumed to be generated, so add them too
-            ( grep { defined $unified_info{sources}->{$_} }
-              @{$unified_info{scripts}} ) );
-
- # Avoid strange output
- "";
--}

Configurations/gentemplate.pm

@@ -1,556 +0,0 @@
-package gentemplate;
-
-use strict;
-use warnings;
-use Carp;
-
-use Exporter;
-use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
-@ISA = qw(Exporter);
-@EXPORT = qw(gentemplate);
-
-use File::Basename;
-
-sub gentemplate {
-    my %opts = @_;
-
-    my $generator = OpenSSL::GenTemplate->new(%opts);
-
-    # Build mandatory header file generators
-    foreach (@{$generator->{info}->{depends}->{""}}) { $generator->dogenerate($_); }
-
-    # Build all known targets, libraries, modules, programs and scripts.
-    # Everything else will be handled as a consequence.
-    foreach (@{$generator->{info}->{targets}})   { $generator->dotarget($_); }
-    foreach (@{$generator->{info}->{libraries}}) { $generator->dolib($_);    }
-    foreach (@{$generator->{info}->{modules}})   { $generator->domodule($_); }
-    foreach (@{$generator->{info}->{programs}})  { $generator->dobin($_);    }
-    foreach (@{$generator->{info}->{scripts}})   { $generator->doscript($_); }
-    foreach (sort keys %{$generator->{info}->{htmldocs}}) { $generator->dodocs('html', $_); }
-    foreach (sort keys %{$generator->{info}->{mandocs}})  { $generator->dodocs('man', $_); }
-    foreach (sort keys %{$generator->{info}->{dirinfo}})  { $generator->dodir($_); }
-}
-
-package OpenSSL::GenTemplate;
-
-use OpenSSL::Util;
-
-sub new {
-    my $class = shift;
-    my %opts = @_;
-
-    my $data = {
-        output   => $opts{output},
-        config   => $opts{config} // {},
-        disabled => $opts{disabled} // {},
-        info     => $opts{unified_info} // {},
-    };
-
-    return bless $data, $class;
-};
-
-sub emit {
-    my $self = shift;
-    my $name = shift;
-    my %opts = @_;
-    my $fh = $self->{output};
-
-    die "No name?" unless $name;
-    print $fh "{-\n ", $name, '(', dump_data(\%opts), ');', " \n-}"
-        unless defined $opts{attrs}->{skip};
-}
-
-my $debug_resolvedepends = $ENV{BUILDFILE_DEBUG_DEPENDS};
-my $debug_rules = $ENV{BUILDFILE_DEBUG_RULES};
-
-# A cache of objects for which a recipe has already been generated
-our %cache;
-
-# collectdepends, expanddepends and reducedepends work together to make
-# sure there are no duplicate or weak dependencies and that they are in
-# the right order.  This is used to sort the list of libraries  that a
-# build depends on.
-sub extensionlesslib {
-    my @result = map { $_ =~ /(\.a)?$/; $` } @_;
-    return @result if wantarray;
-    return $result[0];
-}
-
-# collectdepends dives into the tree of dependencies and returns
-# a list of all the non-weak ones.
-sub collectdepends {
-    my $self = shift;
-    return () unless @_;
-
-    my $thing = shift;
-    my $extensionlessthing = extensionlesslib($thing);
-    my @listsofar = @_;    # to check if we're looping
-    my @list = @{ $self->{info}->{depends}->{$thing} //
-                  $self->{info}->{depends}->{$extensionlessthing}
-                  // [] };
-    my @newlist = ();
-
-    print STDERR "DEBUG[collectdepends] $thing > ", join(' ', @listsofar), "\n"
-        if $debug_resolvedepends;
-    foreach my $item (@list) {
-        my $extensionlessitem = extensionlesslib($item);
-        # It's time to break off when the dependency list starts looping
-        next if grep { extensionlesslib($_) eq $extensionlessitem } @listsofar;
-        # Don't add anything here if the dependency is weak
-        next if defined $self->{info}->{attributes}->{depends}->{$thing}->{$item}->{'weak'};
-        my @resolved = $self->collectdepends($item, @listsofar, $item);
-        push @newlist, $item, @resolved;
-    }
-    print STDERR "DEBUG[collectdepends] $thing < ", join(' ', @newlist), "\n"
-        if $debug_resolvedepends;
-    @newlist;
-}
-
-# expanddepends goes through a list of stuff, checks if they have any
-# dependencies, and adds them at the end of the current position if
-# they aren't already present later on.
-sub expanddepends {
-    my $self = shift;
-    my @after = ( @_ );
-    print STDERR "DEBUG[expanddepends]> ", join(' ', @after), "\n"
-        if $debug_resolvedepends;
-    my @before = ();
-    while (@after) {
-        my $item = shift @after;
-        print STDERR "DEBUG[expanddepends]\\  ", join(' ', @before), "\n"
-            if $debug_resolvedepends;
-        print STDERR "DEBUG[expanddepends] - ", $item, "\n"
-            if $debug_resolvedepends;
-        my @middle = (
-            $item,
-            map {
-                my $x = $_;
-                my $extlessx = extensionlesslib($x);
-                if (grep { $extlessx eq extensionlesslib($_) } @before
-                    and
-                    !grep { $extlessx eq extensionlesslib($_) } @after) {
-                    print STDERR "DEBUG[expanddepends] + ", $x, "\n"
-                        if $debug_resolvedepends;
-                    ( $x )
-                } else {
-                    print STDERR "DEBUG[expanddepends] ! ", $x, "\n"
-                        if $debug_resolvedepends;
-                    ()
-                }
-            } @{$self->{info}->{depends}->{$item} // []}
-            );
-        print STDERR "DEBUG[expanddepends] = ", join(' ', @middle), "\n"
-            if $debug_resolvedepends;
-        print STDERR "DEBUG[expanddepends]/  ", join(' ', @after), "\n"
-            if $debug_resolvedepends;
-        push @before, @middle;
-    }
-    print STDERR "DEBUG[expanddepends]< ", join(' ', @before), "\n"
-        if $debug_resolvedepends;
-    @before;
-}
-
-# reducedepends looks through a list, and checks if each item is
-# repeated later on.  If it is, the earlier copy is dropped.
-sub reducedepends {
-    my @list = @_;
-    print STDERR "DEBUG[reducedepends]> ", join(' ', @list), "\n"
-        if $debug_resolvedepends;
-    my @newlist = ();
-    my %replace = ();
-    while (@list) {
-        my $item = shift @list;
-        my $extensionlessitem = extensionlesslib($item);
-        if (grep { $extensionlessitem eq extensionlesslib($_) } @list) {
-            if ($item ne $extensionlessitem) {
-                # If this instance of the library is explicitly static, we
-                # prefer that to any shared library name, since it must have
-                # been done on purpose.
-                $replace{$extensionlessitem} = $item;
-            }
-        } else {
-            push @newlist, $item;
-        }
-    }
-    @newlist = map { $replace{$_} // $_; } @newlist;
-    print STDERR "DEBUG[reducedepends]< ", join(' ', @newlist), "\n"
-        if $debug_resolvedepends;
-    @newlist;
-}
-
-# Do it all
-# This takes multiple inputs and combine them into a single list of
-# interdependent things.  The returned value will include all the input.
-# Callers are responsible for taking away the things they are building.
-sub resolvedepends {
-    my $self = shift;
-    print STDERR "DEBUG[resolvedepends] START (", join(', ', @_), ")\n"
-        if $debug_resolvedepends;
-    my @all =
-        reducedepends($self->expanddepends(map { ( $_, $self->collectdepends($_) ) } @_));
-    print STDERR "DEBUG[resolvedepends] END (", join(', ', @_), ") : ",
-        join(',', map { "\n    $_" } @all), "\n"
-        if $debug_resolvedepends;
-    @all;
-}
-
-# dogenerate is responsible for producing all the recipes that build
-# generated source files.  It recurses in case a dependency is also a
-# generated source file.
-sub dogenerate {
-    my $self = shift;
-    my $src = shift;
-    # Safety measure
-    return "" unless defined $self->{info}->{generate}->{$src};
-    return "" if $cache{$src};
-    my $obj = shift;
-    my $bin = shift;
-    my %opts = @_;
-    if ($self->{info}->{generate}->{$src}) {
-        die "$src is generated by Configure, should not appear in build file\n"
-            if ref $self->{info}->{generate}->{$src} eq "";
-        my $script = $self->{info}->{generate}->{$src}->[0];
-        my %attrs = %{$self->{info}->{attributes}->{generate}->{$src} // {}};
-        $self->emit('generatesrc',
-             src => $src,
-             product => $bin,
-             generator => $self->{info}->{generate}->{$src},
-             generator_incs => $self->{info}->{includes}->{$script} // [],
-             generator_deps => $self->{info}->{depends}->{$script} // [],
-             deps => $self->{info}->{depends}->{$src} // [],
-             incs => [ defined $obj ? @{$self->{info}->{includes}->{$obj} // []} : (),
-                       defined $bin ? @{$self->{info}->{includes}->{$bin} // []} : () ],
-             defs => [ defined $obj ? @{$self->{info}->{defines}->{$obj} // []} : (),
-                       defined $bin ? @{$self->{info}->{defines}->{$bin} // []} : () ],
-             attrs => { %attrs },
-             %opts);
-        foreach (@{$self->{info}->{depends}->{$src} // []}) {
-            $self->dogenerate($_, $obj, $bin, %opts);
-        }
-        # The generator itself may be is generated
-        if ($self->{info}->{generate}->{$script}) {
-            $self->dogenerate($script, $obj, $bin, %opts);
-        }
-    }
-    $cache{$src} = 1;
-}
-
-sub dotarget {
-    my $self = shift;
-    my $target = shift;
-    return "" if $cache{$target};
-    $self->emit('generatetarget',
-         target => $target,
-         deps => $self->{info}->{depends}->{$target} // []);
-    foreach (@{$self->{info}->{depends}->{$target} // []}) {
-        $self->dogenerate($_);
-    }
-    $cache{$target} = 1;
-}
-
-# doobj is responsible for producing all the recipes that build
-# object files as well as dependency files.
-sub doobj {
-    my $self = shift;
-    my $obj = shift;
-    return "" if $cache{$obj};
-    my $bin = shift;
-    my %opts = @_;
-    if (@{$self->{info}->{sources}->{$obj} // []}) {
-        my @srcs = @{$self->{info}->{sources}->{$obj}};
-        my @deps = @{$self->{info}->{depends}->{$obj} // []};
-        my @incs = ( @{$self->{info}->{includes}->{$obj} // []},
-                     @{$self->{info}->{includes}->{$bin} // []} );
-        my @defs = ( @{$self->{info}->{defines}->{$obj} // []},
-                     @{$self->{info}->{defines}->{$bin} // []} );
-        print STDERR "DEBUG[doobj] \@srcs for $obj ($bin) : ",
-            join(",", map { "\n    $_" } @srcs), "\n"
-            if $debug_rules;
-        print STDERR "DEBUG[doobj] \@deps for $obj ($bin) : ",
-            join(",", map { "\n    $_" } @deps), "\n"
-            if $debug_rules;
-        print STDERR "DEBUG[doobj] \@incs for $obj ($bin) : ",
-            join(",", map { "\n    $_" } @incs), "\n"
-            if $debug_rules;
-        print STDERR "DEBUG[doobj] \@defs for $obj ($bin) : ",
-            join(",", map { "\n    $_" } @defs), "\n"
-            if $debug_rules;
-        print STDERR "DEBUG[doobj] \%opts for $obj ($bin) : ", ,
-            join(",", map { "\n    $_ = $opts{$_}" } sort keys %opts), "\n"
-            if $debug_rules;
-        $self->emit('src2obj',
-             obj => $obj, product => $bin,
-             srcs => [ @srcs ], deps => [ @deps ],
-             incs => [ @incs ], defs => [ @defs ],
-             %opts);
-        foreach ((@{$self->{info}->{sources}->{$obj}},
-                  @{$self->{info}->{depends}->{$obj} // []})) {
-            $self->dogenerate($_, $obj, $bin, %opts);
-        }
-    }
-    $cache{$obj} = 1;
-}
-
-# Helper functions to grab all applicable intermediary files.
-# This is particularly useful when a library is given as source
-# rather than a dependency.  In that case, we consider it to be a
-# container with object file references, or possibly references
-# to further libraries to pilfer in the same way.
-sub getsrclibs {
-    my $self = shift;
-    my $section = shift;
-
-    # For all input, see if it sources static libraries.  If it does,
-    # return them together with the result of a recursive call.
-    map { ( $_, getsrclibs($section, $_) ) }
-    grep { $_ =~ m|\.a$| }
-    map { @{$self->{info}->{$section}->{$_} // []} }
-    @_;
-}
-
-sub getlibobjs {
-    my $self = shift;
-    my $section = shift;
-
-    # For all input, see if it's an intermediary file (library or object).
-    # If it is, collect the result of a recursive call, or if that returns
-    # an empty list, the element itself.  Return the result.
-    map {
-        my @x = $self->getlibobjs($section, @{$self->{info}->{$section}->{$_}});
-        @x ? @x : ( $_ );
-    }
-    grep { defined $self->{info}->{$section}->{$_} }
-    @_;
-}
-
-# dolib is responsible for building libraries.  It will call
-# obj2shlib if shared libraries are produced, and obj2lib in all
-# cases.  It also makes sure all object files for the library are
-# built.
-sub dolib {
-    my $self = shift;
-    my $lib = shift;
-    return "" if $cache{$lib};
-
-    my %attrs = %{$self->{info}->{attributes}->{libraries}->{$lib} // {}};
-
-    my @deps = ( $self->resolvedepends(getsrclibs('sources', $lib)) );
-
-    # We support two types of objs, those who are specific to this library
-    # (they end up in @objs) and those that we get indirectly, via other
-    # libraries (they end up in @foreign_objs).  We get the latter any time
-    # someone has done something like this in build.info:
-    #     SOURCE[libfoo.a]=libbar.a
-    # The indirect object files must be kept in a separate array so they
-    # don't get rebuilt unnecessarily (and with incorrect auxiliary
-    # information).
-    #
-    # Object files can't be collected commonly for shared and static
-    # libraries, because we contain their respective object files in
-    # {shared_sources} and {sources}, and because the implications are
-    # slightly different for each library form.
-    #
-    # We grab all these "foreign" object files recursively with getlibobjs().
-
-    unless ($self->{disabled}->{shared} || $lib =~ /\.a$/) {
-        # If this library sources other static libraries and those
-        # libraries are marked {noinst}, there's no need to include
-        # all of their object files.  Instead, we treat those static
-        # libraries as dependents alongside any other library this
-        # one depends on, and let symbol resolution do its job.
-        my @sourced_libs = ();
-        my @objs = ();
-        my @foreign_objs = ();
-        my @deps = ();
-        foreach (@{$self->{info}->{shared_sources}->{$lib} // []}) {
-            if ($_ !~ m|\.a$|) {
-                push @objs, $_;
-            } elsif ($self->{info}->{attributes}->{libraries}->{$_}->{noinst}) {
-                push @deps, $_;
-            } else {
-                push @deps, $self->getsrclibs('sources', $_);
-                push @foreign_objs, $self->getlibobjs('sources', $_);
-            }
-        }
-        @deps = ( grep { $_ ne $lib } $self->resolvedepends($lib, @deps) );
-        print STDERR "DEBUG[dolib:shlib] \%attrs for $lib : ", ,
-            join(",", map { "\n    $_ = $attrs{$_}" } sort keys %attrs), "\n"
-            if %attrs && $debug_rules;
-        print STDERR "DEBUG[dolib:shlib] \@deps for $lib : ",
-            join(",", map { "\n    $_" } @deps), "\n"
-            if @deps && $debug_rules;
-        print STDERR "DEBUG[dolib:shlib] \@objs for $lib : ",
-            join(",", map { "\n    $_" } @objs), "\n"
-            if @objs && $debug_rules;
-        print STDERR "DEBUG[dolib:shlib] \@foreign_objs for $lib : ",
-            join(",", map { "\n    $_" } @foreign_objs), "\n"
-            if @foreign_objs && $debug_rules;
-        $self->emit('obj2shlib',
-             lib => $lib,
-             attrs => { %attrs },
-             objs => [ @objs, @foreign_objs ],
-             deps => [ @deps ]);
-        foreach (@objs) {
-            # If this is somehow a compiled object, take care of it that way
-            # Otherwise, it might simply be generated
-            if (defined $self->{info}->{sources}->{$_}) {
-                if($_ =~ /\.a$/) {
-                    $self->dolib($_);
-                } else {
-                    $self->doobj($_, $lib, intent => "shlib", attrs => { %attrs });
-                }
-            } else {
-                $self->dogenerate($_, undef, undef, intent => "lib");
-            }
-        }
-    }
-    {
-        # When putting static libraries together, we cannot rely on any
-        # symbol resolution, so for all static libraries used as source for
-        # this one, as well as other libraries they depend on, we simply
-        # grab all their object files unconditionally,
-        # Symbol resolution will happen when any program, module or shared
-        # library is linked with this one.
-        my @objs = ();
-        my @sourcedeps = ();
-        my @foreign_objs = ();
-        foreach (@{$self->{info}->{sources}->{$lib}}) {
-            if ($_ !~ m|\.a$|) {
-                push @objs, $_;
-            } else {
-                push @sourcedeps, $_;
-            }
-        }
-        @sourcedeps = ( grep { $_ ne $lib } $self->resolvedepends(@sourcedeps) );
-        print STDERR "DEBUG[dolib:lib] : \@sourcedeps for $_ : ",
-            join(",", map { "\n    $_" } @sourcedeps), "\n"
-            if @sourcedeps && $debug_rules;
-        @foreign_objs = $self->getlibobjs('sources', @sourcedeps);
-        print STDERR "DEBUG[dolib:lib] \%attrs for $lib : ", ,
-            join(",", map { "\n    $_ = $attrs{$_}" } sort keys %attrs), "\n"
-            if %attrs && $debug_rules;
-        print STDERR "DEBUG[dolib:lib] \@objs for $lib : ",
-            join(",", map { "\n    $_" } @objs), "\n"
-            if @objs && $debug_rules;
-        print STDERR "DEBUG[dolib:lib] \@foreign_objs for $lib : ",
-            join(",", map { "\n    $_" } @foreign_objs), "\n"
-            if @foreign_objs && $debug_rules;
-        $self->emit('obj2lib',
-             lib => $lib, attrs => { %attrs },
-             objs => [ @objs, @foreign_objs ]);
-        foreach (@objs) {
-            $self->doobj($_, $lib, intent => "lib", attrs => { %attrs });
-        }
-    }
-    $cache{$lib} = 1;
-}
-
-# domodule is responsible for building modules.  It will call
-# obj2dso, and also makes sure all object files for the library
-# are built.
-sub domodule {
-    my $self = shift;
-    my $module = shift;
-    return "" if $cache{$module};
-    my %attrs = %{$self->{info}->{attributes}->{modules}->{$module} // {}};
-    my @objs = @{$self->{info}->{sources}->{$module}};
-    my @deps = ( grep { $_ ne $module }
-                 $self->resolvedepends($module) );
-    print STDERR "DEBUG[domodule] \%attrs for $module :",
-        join(",", map { "\n    $_ = $attrs{$_}" } sort keys %attrs), "\n"
-        if $debug_rules;
-    print STDERR "DEBUG[domodule] \@objs for $module : ",
-        join(",", map { "\n    $_" } @objs), "\n"
-        if $debug_rules;
-    print STDERR "DEBUG[domodule] \@deps for $module : ",
-        join(",", map { "\n    $_" } @deps), "\n"
-        if $debug_rules;
-    $self->emit('obj2dso',
-         module => $module,
-         attrs => { %attrs },
-         objs => [ @objs ],
-         deps => [ @deps ]);
-    foreach (@{$self->{info}->{sources}->{$module}}) {
-        # If this is somehow a compiled object, take care of it that way
-        # Otherwise, it might simply be generated
-        if (defined $self->{info}->{sources}->{$_}) {
-            $self->doobj($_, $module, intent => "dso", attrs => { %attrs });
-        } else {
-            $self->dogenerate($_, undef, $module, intent => "dso");
-        }
-    }
-    $cache{$module} = 1;
-}
-
-# dobin is responsible for building programs.  It will call obj2bin,
-# and also makes sure all object files for the library are built.
-sub dobin {
-    my $self = shift;
-    my $bin = shift;
-    return "" if $cache{$bin};
-    my %attrs = %{$self->{info}->{attributes}->{programs}->{$bin} // {}};
-    my @objs = @{$self->{info}->{sources}->{$bin}};
-    my @deps = ( grep { $_ ne $bin } $self->resolvedepends($bin) );
-    print STDERR "DEBUG[dobin] \%attrs for $bin : ",
-        join(",", map { "\n    $_ = $attrs{$_}" } sort keys %attrs), "\n"
-        if %attrs && $debug_rules;
-    print STDERR "DEBUG[dobin] \@objs for $bin : ",
-        join(",", map { "\n    $_" } @objs), "\n"
-        if @objs && $debug_rules;
-    print STDERR "DEBUG[dobin] \@deps for $bin : ",
-        join(",", map { "\n    $_" } @deps), "\n"
-        if @deps && $debug_rules;
-    $self->emit('obj2bin',
-         bin => $bin,
-         attrs => { %attrs },
-         objs => [ @objs ],
-         deps => [ @deps ]);
-    foreach (@objs) {
-        $self->doobj($_, $bin, intent => "bin", attrs => { %attrs });
-    }
-    $cache{$bin} = 1;
-}
-
-# doscript is responsible for building scripts from templates.  It will
-# call in2script.
-sub doscript {
-    my $self = shift;
-    my $script = shift;
-    return "" if $cache{$script};
-    $self->emit('in2script',
-         script => $script,
-         attrs => $self->{info}->{attributes}->{scripts}->{$script} // {},
-         sources => $self->{info}->{sources}->{$script});
-    $cache{$script} = 1;
-}
-
-sub dodir {
-    my $self = shift;
-    my $dir = shift;
-    return "" if !exists(&generatedir) or $cache{$dir};
-    $self->emit('generatedir',
-         dir => $dir,
-         deps => $self->{info}->{dirinfo}->{$dir}->{deps} // [],
-         %{$self->{info}->{dirinfo}->{$_}->{products}});
-    $cache{$dir} = 1;
-}
-
-# dodocs is responsible for building documentation from .pods.
-# It will call generatesrc.
-sub dodocs {
-    my $self = shift;
-    my $type = shift;
-    my $section = shift;
-    foreach my $doc (@{$self->{info}->{"${type}docs"}->{$section}}) {
-        next if $cache{$doc};
-        $self->emit('generatesrc',
-             src => $doc,
-             generator => $self->{info}->{generate}->{$doc});
-        foreach ((@{$self->{info}->{depends}->{$doc} // []})) {
-            $self->dogenerate($_, undef, undef);
-        }
-        $cache{$doc} = 1;
-    }
-}
-
-1;

Configurations/platform.pm

@@ -1,18 +0,0 @@
-package platform;
-
-use strict;
-use warnings;
-use vars qw(@ISA);
-
-# Callers must make sure @INC has the build directory
-use configdata;
-
-my $module = $target{perl_platform} || 'Unix';
-(my $module_path = $module) =~ s|::|/|g;
-
-require "platform/$module_path.pm";
-@ISA = ("platform::$module");
-
-1;
-
-__END__

Configurations/platform/AIX.pm

@@ -1,47 +0,0 @@
-package platform::AIX;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::Unix;
-@ISA = qw(platform::Unix);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-sub dsoext              { '.so' }
-sub shlibextsimple      { return '.so' if $target{shared_target} eq "aix-solib";
-			  '.a'}
-
-# In shared mode, the default static library names clashes with the final
-# "simple" full shared library name, so we add '_a' to the basename of the
-# static libraries in that case, unless in solib mode (using only .so
-# files for shared libraries, and not packaging them inside archives)
-sub staticname {
-    return platform::Unix->staticname($_[1]) if $target{shared_target} eq "aix-solib";
-
-    # Non-installed libraries are *always* static, and their names remain
-    # the same, except for the mandatory extension
-    my $in_libname = platform::BASE->staticname($_[1]);
-    return $in_libname
-        if $unified_info{attributes}->{libraries}->{$_[1]}->{noinst};
-
-    return platform::BASE->staticname($_[1]) . ($disabled{shared} ? '' : '_a');
-}
-
-# In solib mode, we do not install the simple symlink (we install the import
-# library).  In regular mode, we install the symlink.
-sub sharedlib_simple {
-    return undef if $target{shared_target} eq "aix-solib";
-    return platform::Unix->sharedlib_simple($_[1], $_[0]->shlibextsimple());
-}
-
-# In solib mode, we install the import library.  In regular mode, we have
-# no import library.
-sub sharedlib_import {
-    return platform::Unix->sharedlib_simple($_[1]) if $target{shared_target} eq "aix-solib";
-    return undef;
-}

Configurations/platform/BASE.pm

@@ -1,99 +0,0 @@
-package platform::BASE;
-
-use strict;
-use warnings;
-use Carp;
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-# Globally defined "platform specific" extensions, available for uniformity
-sub depext      { '.d' }
-
-# Functions to convert internal file representations to platform specific
-# ones.  Note that these all depend on extension functions that MUST be
-# defined per platform.
-#
-# Currently known internal or semi-internal extensions are:
-#
-# .a            For libraries that are made static only.
-#               Internal libraries only.
-# .o            For object files.
-# .s, .S        Assembler files.  This is an actual extension on Unix
-# .res          Resource file.  This is an actual extension on Windows
-
-sub binname     { return $_[1] } # Name of executable binary
-sub dsoname     { return $_[1] } # Name of dynamic shared object (DSO)
-sub sharedname  { return __isshared($_[1]) ? $_[1] : undef } # Name of shared lib
-sub staticname  { return __base($_[1], '.a') } # Name of static lib
-
-# Convenience function to convert the shlib version to an acceptable part
-# of a file or directory name.  By default, we consider it acceptable as is.
-sub shlib_version_as_filename { return $config{shlib_version} }
-
-# Convenience functions to convert the possible extension of an input file name
-sub bin         { return $_[0]->binname($_[1]) . $_[0]->binext() }
-sub dso         { return $_[0]->dsoname($_[1]) . $_[0]->dsoext() }
-sub sharedlib   { return __concat($_[0]->sharedname($_[1]), $_[0]->shlibext()) }
-sub staticlib   { return $_[0]->staticname($_[1]) . $_[0]->libext() }
-
-# More convenience functions for intermediary files
-sub def         { return __base($_[1], '.ld') . $_[0]->defext() }
-sub obj         { return __base($_[1], '.o') . $_[0]->objext() }
-sub res         { return __base($_[1], '.res') . $_[0]->resext() }
-sub dep         { return __base($_[1], '.o') . $_[0]->depext() } # <- objname
-sub asm         { return __base($_[1], '.s') . $_[0]->asmext() }
-
-# Another set of convenience functions for standard checks of certain
-# internal extensions and conversion from internal to platform specific
-# extension.  Note that the latter doesn't deal with libraries because
-# of ambivalence
-sub isdef       { return $_[1] =~ m|\.ld$|;   }
-sub isobj       { return $_[1] =~ m|\.o$|;    }
-sub isres       { return $_[1] =~ m|\.res$|;  }
-sub isasm       { return $_[1] =~ m|\.s$|;    }
-sub iscppasm    { return $_[1] =~ m|\.S$|;    }
-sub isstaticlib { return $_[1] =~ m|\.a$|;    }
-sub convertext {
-    if ($_[0]->isdef($_[1]))        { return $_[0]->def($_[1]); }
-    if ($_[0]->isobj($_[1]))        { return $_[0]->obj($_[1]); }
-    if ($_[0]->isres($_[1]))        { return $_[0]->res($_[1]); }
-    if ($_[0]->isasm($_[1]))        { return $_[0]->asm($_[1]); }
-    if ($_[0]->isstaticlib($_[1]))  { return $_[0]->staticlib($_[1]); }
-    return $_[1];
-}
-
-# Helpers ############################################################
-
-# __base EXPR, LIST
-# This returns the given path (EXPR) with the matching suffix from LIST stripped
-sub __base {
-    my $path = shift;
-    foreach (@_) {
-        if ($path =~ m|\Q${_}\E$|) {
-            return $`;
-        }
-    }
-    return $path;
-}
-
-# __isshared EXPR
-# EXPR is supposed to be a library name.  This will return true if that library
-# can be assumed to be a shared library, otherwise false
-sub __isshared {
-    return !($disabled{shared} || $_[0] =~ /\.a$/);
-}
-
-# __concat LIST
-# Returns the concatenation of all elements of LIST if none of them is
-# undefined.  If one of them is undefined, returns undef instead.
-sub __concat {
-    my $result = '';
-    foreach (@_) {
-        return undef unless defined $_;
-        $result .= $_;
-    }
-    return $result;
-}
-
-1;

Configurations/platform/Cygwin.pm

@@ -1,22 +0,0 @@
-package platform::Cygwin;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::mingw;
-@ISA = qw(platform::mingw);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-sub sharedname {
-    my $class = shift;
-    my $lib = platform::mingw->sharedname(@_);
-    $lib =~ s|^lib|cyg| if defined $lib;
-    return $lib;
-}
-
-1;

Configurations/platform/Unix.pm

@@ -1,89 +0,0 @@
-package platform::Unix;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::BASE;
-@ISA = qw(platform::BASE);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-sub binext              { $target{exe_extension} || '' }
-sub dsoext              { $target{dso_extension} || platform->shlibextsimple()
-                              || '.so' }
-# Because these are also used in scripts and not just Makefile, we must
-# convert $(SHLIB_VERSION_NUMBER) to the actual number.
-sub shlibext            { (my $x = $target{shared_extension}
-                               || '.so.$(SHLIB_VERSION_NUMBER)')
-                              =~ s|\.\$\(SHLIB_VERSION_NUMBER\)
-                                  |.$config{shlib_version}|x;
-                          $x; }
-sub libext              { $target{lib_extension} || '.a' }
-sub defext              { $target{def_extension} || '.ld' }
-sub objext              { $target{obj_extension} || '.o' }
-sub depext              { $target{obj_extension} || '.d' }
-
-# Other extra that aren't defined in platform::BASE
-sub shlibextsimple      { (my $x = $target{shared_extension} || '.so')
-                              =~ s|\.\$\(SHLIB_VERSION_NUMBER\)||;
-                          $x; }
-sub shlibvariant        { $target{shlib_variant} || "" }
-sub makedepcmd          { $disabled{makedepend} ? undef : $config{makedepcmd} }
-
-# No conversion of assembler extension on Unix
-sub asm {
-    return $_[1];
-}
-
-# At some point, we might decide that static libraries are called something
-# other than the default...
-sub staticname {
-    # Non-installed libraries are *always* static, and their names remain
-    # the same, except for the mandatory extension
-    my $in_libname = platform::BASE->staticname($_[1]);
-    return $in_libname
-        if $unified_info{attributes}->{libraries}->{$_[1]}->{noinst};
-
-    # We currently return the same name anyway...  but we might choose to
-    # append '_static' or '_a' some time in the future.
-    return platform::BASE->staticname($_[1]);
-}
-
-sub sharedname {
-    return platform::BASE::__concat(platform::BASE->sharedname($_[1]),
-                                    ($_[0]->shlibvariant() // ''));
-}
-
-sub sharedname_simple {
-    return platform::BASE::__isshared($_[1]) ? $_[1] : undef;
-}
-
-sub sharedlib_simple {
-    # This function returns the simplified shared library name (no version
-    # or variant in the shared library file name) if the simple variants of
-    # the base name or the suffix differ from the full variants of the same.
-
-    # Note: if $_[1] isn't a shared library name, then $_[0]->sharedname()
-    # and $_[0]->sharedname_simple() will return undef.  This needs being
-    # accounted for.
-    my $name = $_[0]->sharedname($_[1]);
-    my $simplename = $_[0]->sharedname_simple($_[1]);
-    my $ext = $_[0]->shlibext();
-    # Allow override of the extension passed in as parameter
-    my $simpleext = $_[2];
-    $simpleext = $_[0]->shlibextsimple() unless defined $simpleext;
-
-    return undef unless defined $simplename && defined $name;
-    return undef if ($name eq $simplename && $ext eq $simpleext);
-    return platform::BASE::__concat($simplename, $simpleext);
-}
-
-sub sharedlib_import {
-    return undef;
-}
-
-1;

Configurations/platform/VMS.pm

@@ -1,65 +0,0 @@
-package platform::VMS;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::BASE;
-@ISA = qw(platform::BASE);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-# VMS has a cultural standard where all installed libraries are prefixed.
-# For OpenSSL, the choice is 'ossl$' (this prefix was claimed in a
-# conversation with VSI, Tuesday January 26 2016)
-sub osslprefix          { 'OSSL$' }
-
-sub binext              { '.EXE' }
-sub dsoext              { '.EXE' }
-sub shlibext            { '.EXE' }
-sub libext              { '.OLB' }
-sub defext              { '.OPT' }
-sub objext              { '.OBJ' }
-sub depext              { '.D' }
-sub asmext              { '.ASM' }
-
-# Other extra that aren't defined in platform::BASE
-sub shlibvariant        { $target{shlib_variant} || '' }
-
-sub optext              { '.OPT' }
-sub optname             { return $_[1] }
-sub opt                 { return $_[0]->optname($_[1]) . $_[0]->optext() }
-
-# Other projects include the pointer size in the name of installed libraries,
-# so we do too.
-sub staticname {
-    # Non-installed libraries are *always* static, and their names remain
-    # the same, except for the mandatory extension
-    my $in_libname = platform::BASE->staticname($_[1]);
-    return $in_libname
-        if $unified_info{attributes}->{libraries}->{$_[1]}->{noinst};
-
-    return platform::BASE::__concat($_[0]->osslprefix(),
-                                    platform::BASE->staticname($_[1]),
-                                    $target{pointer_size});
-}
-
-# To enable installation of multiple major OpenSSL releases, we include the
-# version number in installed shared library names.
-my $sover_filename =
-    join('', map { sprintf "%02d", $_ } split(m|\.|, $config{shlib_version}));
-sub shlib_version_as_filename {
-    return $sover_filename;
-}
-sub sharedname {
-    return platform::BASE::__concat($_[0]->osslprefix(),
-                                    platform::BASE->sharedname($_[1]),
-                                    $_[0]->shlib_version_as_filename(),
-                                    ($_[0]->shlibvariant() // ''),
-                                    "_shr$target{pointer_size}");
-}
-
-1;

Configurations/platform/Windows.pm

@@ -1,64 +0,0 @@
-package platform::Windows;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::BASE;
-@ISA = qw(platform::BASE);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-sub binext              { '.exe' }
-sub dsoext              { '.dll' }
-sub shlibext            { '.dll' }
-sub libext              { '.lib' }
-sub defext              { '.def' }
-sub objext              { '.obj' }
-sub depext              { '.d' }
-sub asmext              { '.asm' }
-
-# Other extra that aren't defined in platform::BASE
-sub resext              { '.res' }
-sub shlibextimport      { '.lib' }
-sub shlibvariant        { $target{shlib_variant} || '' }
-
-sub staticname {
-    # Non-installed libraries are *always* static, and their names remain
-    # the same, except for the mandatory extension
-    my $in_libname = platform::BASE->staticname($_[1]);
-    return $in_libname
-        if $unified_info{attributes}->{libraries}->{$_[1]}->{noinst};
-
-    # To make sure not to clash with an import library, we make the static
-    # variant of our installed libraries get '_static' added to their names.
-    return platform::BASE->staticname($_[1])
-        . ($disabled{shared} ? '' : '_static');
-}
-
-# To mark forward compatibility, we include the OpenSSL major release version
-# number in the installed shared library names.
-(my $sover_filename = $config{shlib_version}) =~ s|\.|_|g;
-sub shlib_version_as_filename {
-    return $sover_filename
-}
-sub sharedname {
-    return platform::BASE::__concat(platform::BASE->sharedname($_[1]),
-                                    "-",
-                                    $_[0]->shlib_version_as_filename(),
-                                    ($_[0]->shlibvariant() // ''));
-}
-
-sub sharedname_import {
-    return platform::BASE::__isshared($_[1]) ? $_[1] : undef;
-}
-
-sub sharedlib_import {
-    return platform::BASE::__concat($_[0]->sharedname_import($_[1]),
-                                    $_[0]->shlibextimport());
-}
-
-1;

Configurations/platform/Windows/MSVC.pm

@@ -1,44 +0,0 @@
-package platform::Windows::MSVC;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::Windows;
-@ISA = qw(platform::Windows);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-sub pdbext              { '.pdb' }
-
-# It's possible that this variant of |sharedname| should be in Windows.pm.
-# However, this variant was VC only in 1.1.1, so we maintain that here until
-# further notice.
-sub sharedname {
-    return platform::BASE::__concat(platform::BASE->sharedname($_[1]),
-                                    "-",
-                                    $_[0]->shlib_version_as_filename(),
-                                    ($target{multilib} // '' ),
-                                    ($_[0]->shlibvariant() // ''));
-}
-
-sub staticlibpdb {
-    return platform::BASE::__concat($_[0]->staticname($_[1]), $_[0]->pdbext());
-}
-
-sub sharedlibpdb {
-    return platform::BASE::__concat($_[0]->sharedname($_[1]), $_[0]->pdbext());
-}
-
-sub dsopdb {
-    return platform::BASE::__concat($_[0]->dsoname($_[1]), $_[0]->pdbext());
-}
-
-sub binpdb {
-    return platform::BASE::__concat($_[0]->binname($_[1]), $_[0]->pdbext());
-}
-
-1;

Configurations/platform/Windows/cppbuilder.pm

@@ -1,16 +0,0 @@
-package platform::Windows::cppbuilder;
-
-use vars qw(@ISA);
-
-require platform::Windows::MSVC;
-@ISA = qw(platform::Windows::MSVC);
-
-sub pdbext              { '.tds' }
-
-# C++Builder's Clang-based compilers prepend an underscore to __cdecl-convention
-# C functions, and the linker needs those as the InternalName in the .def file.
-sub export2internal {
-    return "_$_[1]";
-}
-
-1;

Configurations/platform/mingw.pm

@@ -1,51 +0,0 @@
-package platform::mingw;
-
-use strict;
-use warnings;
-use Carp;
-
-use vars qw(@ISA);
-
-require platform::Unix;
-@ISA = qw(platform::Unix);
-
-# Assume someone set @INC right before loading this module
-use configdata;
-
-sub binext              { '.exe' }
-sub objext              { '.obj' }
-sub libext              { '.a' }
-sub dsoext              { '.dll' }
-sub defext              { '.def' }
-
-# Other extra that aren't defined in platform::BASE
-sub resext              { '.res.obj' }
-sub shlibext            { '.dll' }
-sub shlibextimport      { $target{shared_import_extension} || '.dll.a' }
-sub shlibextsimple      { undef }
-sub makedepcmd          { $disabled{makedepend} ? undef : $config{makedepcmd} }
-
-(my $sover_filename = $config{shlib_version}) =~ s|\.|_|g;
-sub shlib_version_as_filename {
-    return $sover_filename;
-}
-sub sharedname {
-    return platform::BASE::__concat(platform::BASE->sharedname($_[1]),
-                                    "-",
-                                    $_[0]->shlib_version_as_filename(),
-                                    ($config{target} eq "mingw64"
-                                         ? "-x64" : ""));
-}
-
-# With Mingw and other DLL producers, there isn't any "simpler" shared
-# library name.  However, there is a static import library.
-sub sharedlib_simple {
-    return undef;
-}
-
-sub sharedlib_import {
-    return platform::BASE::__concat(platform::BASE->sharedname($_[1]),
-                                    $_[0]->shlibextimport());
-}
-
-1;

Configurations/shared-info.pl

@@ -1,100 +0,0 @@
-#! /usr/bin/env perl
-# -*- mode: perl; -*-
-# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# This is a collection of extra attributes to be used as input for creating
-# shared libraries, currently on any Unix variant, including Unix like
-# environments on Windows.
-
-sub detect_gnu_ld {
-    my @lines =
-        `$config{CROSS_COMPILE}$config{CC} -Wl,-V /dev/null 2>&1`;
-    return grep /^GNU ld/, @lines;
-}
-sub detect_gnu_cc {
-    my @lines =
-        `$config{CROSS_COMPILE}$config{CC} -v 2>&1`;
-    return grep /gcc/, @lines;
-}
-
-my %shared_info;
-%shared_info = (
-    'gnu-shared' => {
-        shared_ldflag         => '-shared -Wl,-Bsymbolic',
-        shared_sonameflag     => '-Wl,-soname=',
-    },
-    'linux-shared' => sub {
-        return {
-            %{$shared_info{'gnu-shared'}},
-            shared_defflag    => '-Wl,--version-script=',
-            dso_ldflags       =>
-                (grep /(?:^|\s)-fsanitize/,
-                 @{$config{CFLAGS}}, @{$config{cflags}})
-                ? ''
-                : '-Wl,-z,defs',
-        };
-    },
-    'bsd-gcc-shared' => sub { return $shared_info{'linux-shared'}; },
-    'bsd-gcc-nodef-shared' => sub { 
-        return {
-            %{$shared_info{'gnu-shared'}},
-            shared_defflags     => '-Wl,--version-script=',
-        };
-    },
-    'darwin-shared' => {
-        module_ldflags        => '-bundle',
-        shared_ldflag         => '-dynamiclib -current_version $(SHLIB_VERSION_NUMBER) -compatibility_version $(SHLIB_VERSION_NUMBER)',
-        shared_sonameflag     => '-install_name $(libdir)/',
-    },
-    'cygwin-shared' => {
-        shared_ldflag         => '-shared -Wl,--enable-auto-image-base',
-        shared_impflag        => '-Wl,--out-implib=',
-    },
-    'mingw-shared' => sub {
-        return {
-            %{$shared_info{'cygwin-shared'}},
-            # def_flag made to empty string so it still generates
-            # something
-            shared_defflag    => '',
-            shared_argfileflag => '@',
-        };
-    },
-    'alpha-osf1-shared' => sub {
-        return $shared_info{'gnu-shared'} if detect_gnu_ld();
-        return {
-            module_ldflags    => '-shared -Wl,-Bsymbolic',
-            shared_ldflag     => '-shared -Wl,-Bsymbolic -set_version $(SHLIB_VERSION_NUMBER)',
-        };
-    },
-    'svr3-shared' => sub {
-        return $shared_info{'gnu-shared'} if detect_gnu_ld();
-        return {
-            shared_ldflag     => '-G',
-            shared_sonameflag => '-h ',
-        };
-    },
-    'svr5-shared' => sub {
-        return $shared_info{'gnu-shared'} if detect_gnu_ld();
-        return {
-            shared_ldflag     => detect_gnu_cc() ? '-shared' : '-G',
-            shared_sonameflag => '-h ',
-        };
-    },
-    'solaris-gcc-shared' => sub {
-        return $shared_info{'linux-shared'} if detect_gnu_ld();
-        return {
-            # Note: we should also have -shared here, but because some
-            # config targets define it with an added -static-libgcc
-            # following it, we don't want to change the order.  This
-            # forces all solaris gcc config targets to define shared_ldflag
-            shared_ldflag     => '-Wl,-Bsymbolic',
-            shared_defflag    => "-Wl,-M,",
-            shared_sonameflag => "-Wl,-h,",
-        };
-    },
-);

Configurations/unix-checker.pm

@@ -1,22 +0,0 @@
-#! /usr/bin/env perl
-
-use Config;
-
-# Check that the perl implementation file modules generate paths that
-# we expect for the platform
-use File::Spec::Functions qw(:DEFAULT rel2abs);
-
-if (rel2abs('.') !~ m|/|) {
-    die <<EOF;
-
-******************************************************************************
-This perl implementation doesn't produce Unix like paths (with forward slash
-directory separators).  Please use an implementation that matches your
-building platform.
-
-This Perl version: $Config{version} for $Config{archname}
-******************************************************************************
-EOF
-}
-
-1;

Configurations/windows-checker.pm

@@ -1,22 +0,0 @@
-#! /usr/bin/env perl
-
-use Config;
-
-# Check that the perl implementation file modules generate paths that
-# we expect for the platform
-use File::Spec::Functions qw(:DEFAULT rel2abs);
-
-if (!$ENV{CONFIGURE_INSIST} && rel2abs('.') !~ m|\\|) {
-    die <<EOF;
-
-******************************************************************************
-This perl implementation doesn't produce Windows like paths (with backward
-slash directory separators).  Please use an implementation that matches your
-building platform.
-
-This Perl version: $Config{version} for $Config{archname}
-******************************************************************************
-EOF
-}
-
-1;

FAQ

@@ -0,0 +1,909 @@
+OpenSSL  -  Frequently Asked Questions
+--------------------------------------
+
+[MISC] Miscellaneous questions
+
+* Which is the current version of OpenSSL?
+* Where is the documentation?
+* How can I contact the OpenSSL developers?
+* Where can I get a compiled version of OpenSSL?
+* Why aren't tools like 'autoconf' and 'libtool' used?
+* What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?
+
+[LEGAL] Legal questions
+
+* Do I need patent licenses to use OpenSSL?
+* Can I use OpenSSL with GPL software? 
+
+[USER] Questions on using the OpenSSL applications
+
+* Why do I get a "PRNG not seeded" error message?
+* Why do I get an "unable to write 'random state'" error message?
+* How do I create certificates or certificate requests?
+* Why can't I create certificate requests?
+* Why does <SSL program> fail with a certificate verify error?
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+* How can I create DSA certificates?
+* Why can't I make an SSL connection using a DSA certificate?
+* How can I remove the passphrase on a private key?
+* Why can't I use OpenSSL certificates with SSL client authentication?
+* Why does my browser give a warning about a mismatched hostname?
+* How do I install a CA certificate into a browser?
+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
+
+[BUILD] Questions about building and testing OpenSSL
+
+* Why does the linker complain about undefined symbols?
+* Why does the OpenSSL test fail with "bc: command not found"?
+* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+* Why does the OpenSSL test fail with "bc: stack empty"?
+* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
+* Why does the OpenSSL compilation fail with "ar: command not found"?
+* Why does the OpenSSL compilation fail on Win32 with VC++?
+* What is special about OpenSSL on Redhat?
+* Why does the OpenSSL compilation fail on MacOS X?
+* Why does the OpenSSL test suite fail on MacOS X?
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+* Why does compiler fail to compile sha512.c?
+* Test suite still fails, what to do?
+
+[PROG] Questions about programming with OpenSSL
+
+* Is OpenSSL thread-safe?
+* I've compiled a program under Windows and it crashes: why?
+* How do I read or write a DER encoded buffer using the ASN1 functions?
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
+* I've called <some function> and it fails, why?
+* I just get a load of numbers for the error output, what do they mean?
+* Why do I get errors about unknown algorithms?
+* Why can't the OpenSSH configure script detect OpenSSL?
+* Can I use OpenSSL's SSL library with non-blocking I/O?
+* Why doesn't my server application receive a client certificate?
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+* I think I've detected a memory leak, is this a bug?
+* Why does Valgrind complain about the use of uninitialized data?
+
+===============================================================================
+
+[MISC] ========================================================================
+
+* Which is the current version of OpenSSL?
+
+The current version is available from <URL: http://www.openssl.org>.
+OpenSSL 0.9.8g was released on October 19th, 2007.
+
+In addition to the current stable release, you can also access daily
+snapshots of the OpenSSL development version at <URL:
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+
+
+* Where is the documentation?
+
+OpenSSL is a library that provides cryptographic functionality to
+applications such as secure web servers.  Be sure to read the
+documentation of the application you want to use.  The INSTALL file
+explains how to install this library.
+
+OpenSSL includes a command line utility that can be used to perform a
+variety of cryptographic functions.  It is described in the openssl(1)
+manpage.  Documentation for developers is currently being written.  A
+few manual pages already are available; overviews over libcrypto and
+libssl are given in the crypto(3) and ssl(3) manpages.
+
+The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
+different directory if you specified one as described in INSTALL).
+In addition, you can read the most current versions at
+<URL: http://www.openssl.org/docs/>.
+
+For information on parts of libcrypto that are not yet documented, you
+might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
+predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>.  Much
+of this still applies to OpenSSL.
+
+There is some documentation about certificate extensions and PKCS#12
+in doc/openssl.txt
+
+The original SSLeay documentation is included in OpenSSL as
+doc/ssleay.txt.  It may be useful when none of the other resources
+help, but please note that it reflects the obsolete version SSLeay
+0.6.6.
+
+
+* How can I contact the OpenSSL developers?
+
+The README file describes how to submit bug reports and patches to
+OpenSSL.  Information on the OpenSSL mailing lists is available from
+<URL: http://www.openssl.org>.
+
+
+* Where can I get a compiled version of OpenSSL?
+
+You can finder pointers to binary distributions in
+http://www.openssl.org/related/binaries.html .
+
+Some applications that use OpenSSL are distributed in binary form.
+When using such an application, you don't need to install OpenSSL
+yourself; the application will include the required parts (e.g. DLLs).
+
+If you want to build OpenSSL on a Windows system and you don't have
+a C compiler, read the "Mingw32" section of INSTALL.W32 for information
+on how to obtain and install the free GNU C compiler.
+
+A number of Linux and *BSD distributions include OpenSSL.
+
+
+* Why aren't tools like 'autoconf' and 'libtool' used?
+
+autoconf will probably be used in future OpenSSL versions. If it was
+less Unix-centric, it might have been used much earlier.
+
+* What is an 'engine' version?
+
+With version 0.9.6 OpenSSL was extended to interface to external crypto
+hardware. This was realized in a special release '0.9.6-engine'. With
+version 0.9.7 the changes were merged into the main development line,
+so that the special release is no longer necessary.
+
+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server, see a
+list of keys at <URL: http://www.openssl.org/about/>). Then
+just do:
+
+   pgp TARBALL.asc
+
+[LEGAL] =======================================================================
+
+* Do I need patent licenses to use OpenSSL?
+
+The patents section of the README file lists patents that may apply to
+you if you want to use OpenSSL.  For information on intellectual
+property rights, please consult a lawyer.  The OpenSSL team does not
+offer legal advice.
+
+You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
+ ./config no-idea no-mdc2 no-rc5
+
+
+* Can I use OpenSSL with GPL software?
+
+On many systems including the major Linux and BSD distributions, yes (the
+GPL does not place restrictions on using libraries that are part of the
+normal operating system distribution).
+
+On other systems, the situation is less clear. Some GPL software copyright
+holders claim that you infringe on their rights if you use OpenSSL with
+their software on operating systems that don't normally include OpenSSL.
+
+If you develop open source software that uses OpenSSL, you may find it
+useful to choose an other license than the GPL, or state explicitly that
+"This program is released under the GPL with the additional exemption that
+compiling, linking, and/or using OpenSSL is allowed."  If you are using
+GPL software developed by others, you may want to ask the copyright holder
+for permission to use their software with OpenSSL.
+
+
+[USER] ========================================================================
+
+* Why do I get a "PRNG not seeded" error message?
+
+Cryptographic software needs a source of unpredictable data to work
+correctly.  Many open source operating systems provide a "randomness
+device" (/dev/urandom or /dev/random) that serves this purpose.
+All OpenSSL versions try to use /dev/urandom by default; starting with
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
+available.
+
+On other systems, applications have to call the RAND_add() or
+RAND_seed() function with appropriate data before generating keys or
+performing public key encryption. (These functions initialize the
+pseudo-random number generator, PRNG.)  Some broken applications do
+not do this.  As of version 0.9.5, the OpenSSL functions that need
+randomness report an error if the random number generator has not been
+seeded with at least 128 bits of randomness.  If this error occurs and
+is not discussed in the documentation of the application you are
+using, please contact the author of that application; it is likely
+that it never worked correctly.  OpenSSL 0.9.5 and later make the
+error visible by refusing to perform potentially insecure encryption.
+
+If you are using Solaris 8, you can add /dev/urandom and /dev/random
+devices by installing patch 112438 (Sparc) or 112439 (x86), which are
+available via the Patchfinder at <URL: http://sunsolve.sun.com>
+(Solaris 9 includes these devices by default). For /dev/random support
+for earlier Solaris versions, see Sun's statement at
+<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
+(the SUNWski package is available in patch 105710).
+
+On systems without /dev/urandom and /dev/random, it is a good idea to
+use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
+details.  Starting with version 0.9.7, OpenSSL will automatically look
+for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
+/etc/entropy.
+
+Most components of the openssl command line utility automatically try
+to seed the random number generator from a file.  The name of the
+default seeding file is determined as follows: If environment variable
+RANDFILE is set, then it names the seeding file.  Otherwise if
+environment variable HOME is set, then the seeding file is $HOME/.rnd.
+If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
+use file .rnd in the current directory while OpenSSL 0.9.6a uses no
+default seeding file at all.  OpenSSL 0.9.6b and later will behave
+similarly to 0.9.6a, but will use a default of "C:\" for HOME on
+Windows systems if the environment variable has not been set.
+
+If the default seeding file does not exist or is too short, the "PRNG
+not seeded" error message may occur.
+
+The openssl command line utility will write back a new state to the
+default seeding file (and create this file if necessary) unless
+there was no sufficient seeding.
+
+Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
+Use the "-rand" option of the OpenSSL command line tools instead.
+The $RANDFILE environment variable and $HOME/.rnd are only used by the
+OpenSSL command line tools. Applications using the OpenSSL library
+provide their own configuration options to specify the entropy source,
+please check out the documentation coming the with application.
+
+
+* Why do I get an "unable to write 'random state'" error message?
+
+
+Sometimes the openssl command line utility does not abort with
+a "PRNG not seeded" error message, but complains that it is
+"unable to write 'random state'".  This message refers to the
+default seeding file (see previous answer).  A possible reason
+is that no default filename is known because neither RANDFILE
+nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
+current directory in this case, but this has changed with 0.9.6a.)
+
+
+* How do I create certificates or certificate requests?
+
+Check out the CA.pl(1) manual page. This provides a simple wrapper round
+the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
+out the manual pages for the individual utilities and the certificate
+extensions documentation (currently in doc/openssl.txt).
+
+
+* Why can't I create certificate requests?
+
+You typically get the error:
+
+	unable to find 'distinguished_name' in config
+	problems making Certificate Request
+
+This is because it can't find the configuration file. Check out the
+DIAGNOSTICS section of req(1) for more information.
+
+
+* Why does <SSL program> fail with a certificate verify error?
+
+This problem is usually indicated by log messages saying something like
+"unable to get local issuer certificate" or "self signed certificate".
+When a certificate is verified its root CA must be "trusted" by OpenSSL
+this typically means that the CA certificate must be placed in a directory
+or file and the relevant program configured to read it. The OpenSSL program
+'verify' behaves in a similar way and issues similar error messages: check
+the verify(1) program manual page for more information.
+
+
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+
+This is almost certainly because you are using an old "export grade" browser
+which only supports weak encryption. Upgrade your browser to support 128 bit
+ciphers.
+
+
+* How can I create DSA certificates?
+
+Check the CA.pl(1) manual page for a DSA certificate example.
+
+
+* Why can't I make an SSL connection to a server using a DSA certificate?
+
+Typically you'll see a message saying there are no shared ciphers when
+the same setup works fine with an RSA certificate. There are two possible
+causes. The client may not support connections to DSA servers most web
+browsers (including Netscape and MSIE) only support connections to servers
+supporting RSA cipher suites. The other cause is that a set of DH parameters
+has not been supplied to the server. DH parameters can be created with the
+dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
+check the source to s_server in apps/s_server.c for an example.
+
+
+* How can I remove the passphrase on a private key?
+
+Firstly you should be really *really* sure you want to do this. Leaving
+a private key unencrypted is a major security risk. If you decide that
+you do have to do this check the EXAMPLES sections of the rsa(1) and
+dsa(1) manual pages.
+
+
+* Why can't I use OpenSSL certificates with SSL client authentication?
+
+What will typically happen is that when a server requests authentication
+it will either not include your certificate or tell you that you have
+no client certificates (Netscape) or present you with an empty list box
+(MSIE). The reason for this is that when a server requests a client
+certificate it includes a list of CAs names which it will accept. Browsers
+will only let you select certificates from the list on the grounds that
+there is little point presenting a certificate which the server will
+reject.
+
+The solution is to add the relevant CA certificate to your servers "trusted
+CA list". How you do this depends on the server software in uses. You can
+print out the servers list of acceptable CAs using the OpenSSL s_client tool:
+
+openssl s_client -connect www.some.host:443 -prexit
+
+If your server only requests certificates on certain URLs then you may need
+to manually issue an HTTP GET command to get the list when s_client connects:
+
+GET /some/page/needing/a/certificate.html
+
+If your CA does not appear in the list then this confirms the problem.
+
+
+* Why does my browser give a warning about a mismatched hostname?
+
+Browsers expect the server's hostname to match the value in the commonName
+(CN) field of the certificate. If it does not then you get a warning.
+
+
+* How do I install a CA certificate into a browser?
+
+The usual way is to send the DER encoded certificate to the browser as
+MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
+link. On MSIE certain extensions such as .der or .cacert may also work, or you
+can import the certificate using the certificate import wizard.
+
+You can convert a certificate to DER form using the command:
+
+openssl x509 -in ca.pem -outform DER -out ca.der
+
+Occasionally someone suggests using a command such as:
+
+openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
+
+DO NOT DO THIS! This command will give away your CAs private key and
+reduces its security to zero: allowing anyone to forge certificates in
+whatever name they choose.
+
+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+
+The ways to print out the oneline format of the DN (Distinguished Name) have
+been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
+interface, the "-nameopt" option could be introduded. See the manual
+page of the "openssl x509" commandline tool for details. The old behaviour
+has however been left as default for the sake of compatibility.
+
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
+
+The term "128 bit certificate" is a highly misleading marketing term. It does
+*not* refer to the size of the public key in the certificate! A certificate
+containing a 128 bit RSA key would have negligible security.
+
+There were various other names such as "magic certificates", "SGC
+certificates", "step up certificates" etc.
+
+You can't generally create such a certificate using OpenSSL but there is no
+need to any more. Nowadays web browsers using unrestricted strong encryption
+are generally available.
+
+When there were tight export restrictions on the export of strong encryption
+software from the US only weak encryption algorithms could be freely exported
+(initially 40 bit and then 56 bit). It was widely recognised that this was
+inadequate. A relaxation the rules allowed the use of strong encryption but
+only to an authorised server.
+
+Two slighly different techniques were developed to support this, one used by
+Netscape was called "step up", the other used by MSIE was called "Server Gated
+Cryptography" (SGC). When a browser initially connected to a server it would
+check to see if the certificate contained certain extensions and was issued by
+an authorised authority. If these test succeeded it would reconnect using
+strong encryption.
+
+Only certain (initially one) certificate authorities could issue the
+certificates and they generally cost more than ordinary certificates.
+
+Although OpenSSL can create certificates containing the appropriate extensions
+the certificate would not come from a permitted authority and so would not
+be recognized.
+
+The export laws were later changed to allow almost unrestricted use of strong
+encryption so these certificates are now obsolete.
+
+
+[BUILD] =======================================================================
+
+* Why does the linker complain about undefined symbols?
+
+Maybe the compilation was interrupted, and make doesn't notice that
+something is missing.  Run "make clean; make".
+
+If you used ./Configure instead of ./config, make sure that you
+selected the right target.  File formats may differ slightly between
+OS versions (for example sparcv8/sparcv9, or a.out/elf).
+
+In case you get errors about the following symbols, use the config
+option "no-asm", as described in INSTALL:
+
+ BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
+ CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
+ RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
+ bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
+ bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
+ des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
+ des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
+
+If none of these helps, you may want to try using the current snapshot.
+If the problem persists, please submit a bug report.
+
+
+* Why does the OpenSSL test fail with "bc: command not found"?
+
+You didn't install "bc", the Unix calculator.  If you want to run the
+tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
+
+
+* Why does the OpenSSL test fail with "bc: 1 no implemented"?
+
+On some SCO installations or versions, bc has a bug that gets triggered
+when you run the test suite (using "make test").  The message returned is
+"bc: 1 not implemented".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+for download instructions) can be safely used, for example.
+
+
+* Why does the OpenSSL test fail with "bc: stack empty"?
+
+On some DG/ux versions, bc seems to have a too small stack for calculations
+that the OpenSSL bntest throws at it.  This gets triggered when you run the
+test suite (using "make test").  The message returned is "bc: stack empty".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+for download instructions) can be safely used, for example.
+
+
+* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
+
+On some Alpha installations running Tru64 Unix and Compaq C, the compilation
+of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
+memory to continue compilation.'  As far as the tests have shown, this may be
+a compiler bug.  What happens is that it eats up a lot of resident memory
+to build something, probably a table.  The problem is clearly in the
+optimization code, because if one eliminates optimization completely (-O0),
+the compilation goes through (and the compiler consumes about 2MB of resident
+memory instead of 240MB or whatever one's limit is currently).
+
+There are three options to solve this problem:
+
+1. set your current data segment size soft limit higher.  Experience shows
+that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
+this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
+kbytes to set the limit to.
+
+2. If you have a hard limit that is lower than what you need and you can't
+get it changed, you can compile all of OpenSSL with -O0 as optimization
+level.  This is however not a very nice thing to do for those who expect to
+get the best result from OpenSSL.  A bit more complicated solution is the
+following:
+
+----- snip:start -----
+  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
+       sed -e 's/ -O[0-9] / -O0 /'`"
+  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
+  make
+----- snip:end -----
+
+This will only compile sha_dgst.c with -O0, the rest with the optimization
+level chosen by the configuration process.  When the above is done, do the
+test and installation and you're set.
+
+3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It 
+should not be used and is not used in SSL/TLS nor any other recognized
+protocol in either case.
+
+
+* Why does the OpenSSL compilation fail with "ar: command not found"?
+
+Getting this message is quite usual on Solaris 2, because Sun has hidden
+away 'ar' and other development commands in directories that aren't in
+$PATH by default.  One of those directories is '/usr/ccs/bin'.  The
+quickest way to fix this is to do the following (it assumes you use sh
+or any sh-compatible shell):
+
+----- snip:start -----
+  PATH=${PATH}:/usr/ccs/bin; export PATH
+----- snip:end -----
+
+and then redo the compilation.  What you should really do is make sure
+'/usr/ccs/bin' is permanently in your $PATH, for example through your
+'.profile' (again, assuming you use a sh-compatible shell).
+
+
+* Why does the OpenSSL compilation fail on Win32 with VC++?
+
+Sometimes, you may get reports from VC++ command line (cl) that it
+can't find standard include files like stdio.h and other weirdnesses.
+One possible cause is that the environment isn't correctly set up.
+To solve that problem for VC++ versions up to 6, one should run
+VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
+installation directory (somewhere under 'Program Files').  For VC++
+version 7 (and up?), which is also called VS.NET, the file is called
+VSVARS32.BAT instead.
+This needs to be done prior to running NMAKE, and the changes are only
+valid for the current DOS session.
+
+
+* What is special about OpenSSL on Redhat?
+
+Red Hat Linux (release 7.0 and later) include a preinstalled limited
+version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
+is disabled in this version. The same may apply to other Linux distributions.
+Users may therefore wish to install more or all of the features left out.
+
+To do this you MUST ensure that you do not overwrite the openssl that is in
+/usr/bin on your Red Hat machine. Several packages depend on this file,
+including sendmail and ssh. /usr/local/bin is a good alternative choice. The
+libraries that come with Red Hat 7.0 onwards have different names and so are
+not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
+/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
+/lib/libcrypto.so.2 respectively).
+
+Please note that we have been advised by Red Hat attempting to recompile the
+openssl rpm with all the cryptography enabled will not work. All other
+packages depend on the original Red Hat supplied openssl package. It is also
+worth noting that due to the way Red Hat supplies its packages, updates to
+openssl on each distribution never change the package version, only the
+build number. For example, on Red Hat 7.1, the latest openssl package has
+version number 0.9.6 and build number 9 even though it contains all the
+relevant updates in packages up to and including 0.9.6b.
+
+A possible way around this is to persuade Red Hat to produce a non-US
+version of Red Hat Linux.
+
+FYI: Patent numbers and expiry dates of US patents:
+MDC-2: 4,908,861 13/03/2007
+IDEA:  5,214,703 25/05/2010
+RC5:   5,724,428 03/03/2015
+
+
+* Why does the OpenSSL compilation fail on MacOS X?
+
+If the failure happens when trying to build the "openssl" binary, with
+a large number of undefined symbols, it's very probable that you have
+OpenSSL 0.9.6b delivered with the operating system (you can find out by
+running '/usr/bin/openssl version') and that you were trying to build
+OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
+MacOS X has a misfeature that's quite difficult to go around.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
+
+* Why does the OpenSSL test suite fail on MacOS X?
+
+If the failure happens when running 'make test' and the RC4 test fails,
+it's very probable that you have OpenSSL 0.9.6b delivered with the
+operating system (you can find out by running '/usr/bin/openssl version')
+and that you were trying to build OpenSSL 0.9.6d.  The problem is that
+the loader ('ld') in MacOS X has a misfeature that's quite difficult to
+go around and has linked the programs "openssl" and the test programs
+with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
+libraries you just built.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+
+Failure in BN_sqr test is most likely caused by a failure to configure the
+toolkit for current platform or lack of support for the platform in question.
+Run './config -t' and './apps/openssl version -p'. Do these platform
+identifiers match? If they don't, then you most likely failed to run
+./config and you're hereby advised to do so before filing a bug report.
+If ./config itself fails to run, then it's most likely problem with your
+local environment and you should turn to your system administrator (or
+similar). If identifiers match (and/or no alternative identifier is
+suggested by ./config script), then the platform is unsupported. There might
+or might not be a workaround. Most notably on SPARC64 platforms with GNU
+C compiler you should be able to produce a working build by running
+'./config -m32'. I understand that -m32 might not be what you want/need,
+but the build should be operational. For further details turn to
+<openssl-dev@openssl.org>.
+
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+
+As of 0.9.7 assembler routines were overhauled for position independence
+of the machine code, which is essential for shared library support. For
+some reason OpenBSD is equipped with an out-of-date GNU assembler which
+finds the new code offensive. To work around the problem, configure with
+no-asm (and sacrifice a great deal of performance) or patch your assembler
+according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
+For your convenience a pre-compiled replacement binary is provided at
+<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
+Reportedly elder *BSD a.out platforms also suffer from this problem and
+remedy should be same. Provided binary is statically linked and should be
+working across wider range of *BSD branches, not just OpenBSD.
+
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+
+If the test program in question fails withs SIGILL, Illegal Instruction
+exception, then you more than likely to run SSE2-capable CPU, such as
+Intel P4, under control of kernel which does not support SSE2
+instruction extentions. See accompanying INSTALL file and
+OPENSSL_ia32cap(3) documentation page for further information.
+
+* Why does compiler fail to compile sha512.c?
+
+OpenSSL SHA-512 implementation depends on compiler support for 64-bit
+integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
+couple] lack support for this and therefore are incapable of compiling
+the module in question. The recommendation is to disable SHA-512 by
+adding no-sha512 to ./config [or ./Configure] command line. Another
+possible alternative might be to switch to GCC.
+
+* Test suite still fails, what to do?
+
+Another common reason for failure to complete some particular test is
+simply bad code generated by a buggy component in toolchain or deficiency
+in run-time environment. There are few cases documented in PROBLEMS file,
+consult it for possible workaround before you beat the drum. Even if you
+don't find solution or even mention there, do reserve for possibility of
+a compiler bug. Compiler bugs might appear in rather bizarre ways, they
+never make sense, and tend to emerge when you least expect them. In order
+to identify one, drop optimization level, e.g. by editing CFLAG line in
+top-level Makefile, recompile and re-run the test.
+
+[PROG] ========================================================================
+
+* Is OpenSSL thread-safe?
+
+Yes (with limitations: an SSL connection may not concurrently be used
+by multiple threads).  On Windows and many Unix systems, OpenSSL
+automatically uses the multi-threaded versions of the standard
+libraries.  If your platform is not one of these, consult the INSTALL
+file.
+
+Multi-threaded applications must provide two callback functions to
+OpenSSL by calling CRYPTO_set_locking_callback() and
+CRYPTO_set_id_callback().  This is described in the threads(3)
+manpage.
+
+* I've compiled a program under Windows and it crashes: why?
+
+This is usually because you've missed the comment in INSTALL.W32.
+Your application must link against the same version of the Win32
+C-Runtime against which your openssl libraries were linked.  The
+default version for OpenSSL is /MD - "Multithreaded DLL".
+
+If you are using Microsoft Visual C++'s IDE (Visual Studio), in
+many cases, your new project most likely defaulted to "Debug
+Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
+program will crash, typically on the first BIO related read or write
+operation.
+
+For each of the six possible link stage configurations within Win32,
+your application must link  against the same by which OpenSSL was
+built.  If you are using MS Visual C++ (Studio) this can be changed
+by:
+
+ 1. Select Settings... from the Project Menu.
+ 2. Select the C/C++ Tab.
+ 3. Select "Code Generation from the "Category" drop down list box
+ 4. Select the Appropriate library (see table below) from the "Use
+    run-time library" drop down list box.  Perform this step for both
+    your debug and release versions of your application (look at the
+    top left of the settings panel to change between the two)
+
+    Single Threaded           /ML        -  MS VC++ often defaults to
+                                            this for the release
+                                            version of a new project.
+    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
+                                            this for the debug version
+                                            of a new project.
+    Multithreaded             /MT
+    Debug Multithreaded       /MTd
+    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
+    Debug Multithreaded DLL   /MDd
+
+Note that debug and release libraries are NOT interchangeable.  If you
+built OpenSSL with /MD your application must use /MD and cannot use /MDd.
+
+As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
+.DLLs compiled with some specific run-time option [we insist on the
+default /MD] can be deployed with application compiled with different
+option or even different compiler. But there is a catch! Instead of
+re-compiling OpenSSL toolkit, as you would have to with prior versions,
+you have to compile small C snippet with compiler and/or options of
+your choice. The snippet gets installed as
+<install-root>/include/openssl/applink.c and should be either added to
+your application project or simply #include-d in one [and only one]
+of your application source files. Failure to link this shim module
+into your application manifests itself as fatal "no OPENSSL_Applink"
+run-time error. An explicit reminder is due that in this situation
+[mixing compiler options] it is as important to add CRYPTO_malloc_init
+prior first call to OpenSSL.
+
+* How do I read or write a DER encoded buffer using the ASN1 functions?
+
+You have two options. You can either use a memory BIO in conjunction
+with the i2d_*_bio() or d2i_*_bio() functions or you can use the
+i2d_*(), d2i_*() functions directly. Since these are often the
+cause of grief here are some code fragments using PKCS7 as an example:
+
+ unsigned char *buf, *p;
+ int len;
+
+ len = i2d_PKCS7(p7, NULL);
+ buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
+ p = buf;
+ i2d_PKCS7(p7, &p);
+
+At this point buf contains the len bytes of the DER encoding of
+p7.
+
+The opposite assumes we already have len bytes in buf:
+
+ unsigned char *p;
+ p = buf;
+ p7 = d2i_PKCS7(NULL, &p, len);
+
+At this point p7 contains a valid PKCS7 structure of NULL if an error
+occurred. If an error occurred ERR_print_errors(bio) should give more
+information.
+
+The reason for the temporary variable 'p' is that the ASN1 functions
+increment the passed pointer so it is ready to read or write the next
+structure. This is often a cause of problems: without the temporary
+variable the buffer pointer is changed to point just after the data
+that has been read or written. This may well be uninitialized data
+and attempts to free the buffer will have unpredictable results
+because it no longer points to the same address.
+
+
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+
+The short answer is yes, because DER is a special case of BER and OpenSSL
+ASN1 decoders can process BER.
+
+The longer answer is that ASN1 structures can be encoded in a number of
+different ways. One set of ways is the Basic Encoding Rules (BER) with various
+permissible encodings. A restriction of BER is the Distinguished Encoding
+Rules (DER): these uniquely specify how a given structure is encoded.
+
+Therefore, because DER is a special case of BER, DER is an acceptable encoding
+for BER.
+
+
+* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
+
+This usually happens when you try compiling something using the PKCS#12
+macros with a C++ compiler. There is hardly ever any need to use the
+PKCS#12 macros in a program, it is much easier to parse and create
+PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
+documented in doc/openssl.txt and with examples in demos/pkcs12. The
+'pkcs12' application has to use the macros because it prints out 
+debugging information.
+
+
+* I've called <some function> and it fails, why?
+
+Before submitting a report or asking in one of the mailing lists, you
+should try to determine the cause. In particular, you should call
+ERR_print_errors() or ERR_print_errors_fp() after the failed call
+and see if the message helps. Note that the problem may occur earlier
+than you think -- you should check for errors after every call where
+it is possible, otherwise the actual problem may be hidden because
+some OpenSSL functions clear the error state.
+
+
+* I just get a load of numbers for the error output, what do they mean?
+
+The actual format is described in the ERR_print_errors() manual page.
+You should call the function ERR_load_crypto_strings() before hand and
+the message will be output in text form. If you can't do this (for example
+it is a pre-compiled binary) you can use the errstr utility on the error
+code itself (the hex digits after the second colon).
+
+
+* Why do I get errors about unknown algorithms?
+
+This can happen under several circumstances such as reading in an
+encrypted private key or attempting to decrypt a PKCS#12 file. The cause
+is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information.
+
+
+* Why can't the OpenSSH configure script detect OpenSSL?
+
+Several reasons for problems with the automatic detection exist.
+OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
+Sometimes the distribution has installed an older version in the system
+locations that is detected instead of a new one installed. The OpenSSL
+library might have been compiled for another CPU or another mode (32/64 bits).
+Permissions might be wrong.
+
+The general answer is to check the config.log file generated when running
+the OpenSSH configure script. It should contain the detailed information
+on why the OpenSSL library was not detected or considered incompatible.
+
+
+* Can I use OpenSSL's SSL library with non-blocking I/O?
+
+Yes; make sure to read the SSL_get_error(3) manual page!
+
+A pitfall to avoid: Don't assume that SSL_read() will just read from
+the underlying transport or that SSL_write() will just write to it --
+it is also possible that SSL_write() cannot do any useful work until
+there is data to read, or that SSL_read() cannot do anything until it
+is possible to send data.  One reason for this is that the peer may
+request a new TLS/SSL handshake at any time during the protocol,
+requiring a bi-directional message exchange; both SSL_read() and
+SSL_write() will try to continue any pending handshake.
+
+
+* Why doesn't my server application receive a client certificate?
+
+Due to the TLS protocol definition, a client will only send a certificate,
+if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
+SSL_CTX_set_verify() function to enable the use of client certificates.
+
+
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+
+For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
+versions, uniqueIdentifier was incorrectly used for X.509 certificates.
+The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
+Change your code to use the new name when compiling against OpenSSL 0.9.7.
+
+
+* I think I've detected a memory leak, is this a bug?
+
+In most cases the cause of an apparent memory leak is an OpenSSL internal table
+that is allocated when an application starts up. Since such tables do not grow
+in size over time they are harmless.
+
+These internal tables can be freed up when an application closes using various
+functions.  Currently these include following:
+
+Thread-local cleanup functions:
+
+  ERR_remove_state()
+
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+
+  ENGINE_cleanup() and CONF_modules_unload()
+
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+
+  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
+
+
+* Why does Valgrind complain about the use of uninitialized data?
+
+When OpenSSL's PRNG routines are called to generate random numbers the supplied
+buffer contents are mixed into the entropy pool: so it technically does not
+matter whether the buffer is initialized at this point or not.  Valgrind (and
+other test tools) will complain about this. When using Valgrind, make sure the
+OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
+to get rid of these warnings.
+
+
+===============================================================================
+

HACKING.md

@@ -1,80 +0,0 @@
-MODIFYING OPENSSL SOURCE
-========================
-
-This document describes the way to add custom modifications to OpenSSL
-sources.
-
-If you are adding new C source files
-------------------------------------
-
-Please update the `build.info` files in the directories where you placed the
-C source files, to include a line like this for each new C source file:
-
--   In `crypto/` or any of its subdirectories (intended for `libcrypto`):
-
-        SOURCE[../libcrypto]={name-of-C-source-file}
-
--   In `ssl/` or any of its subdirectories (intended for `libssl`):
-
-        SOURCE[../libssl]={name-of-C-source-file}
-
-Do note that the path given as the `SOURCE` attribute must be adapted
-appropriately for the location of the `build.info` file, as it's a relative
-path to where the library itself is built, for example:
-
--   For `crypto/build.info`, the library path should be `../libcrypto`
--   For `crypto/evp/build.info`, the library path should be
-    `../../libcrypto`
--   For `ssl/build.info`, the library path should be `../libssl`
--   For `ssl/quic/build.info`, the library path should be `../../libssl`
-
-To know more about `build.info` files, please read [doc/internal/man7/build.info.pod].
-For better viewing, consider converting it to HTML or PDF using `pod2html`
-or `pod2pdf`.
-
-Adding new public functions
----------------------------
-
-If you are adding new public functions to the custom library build, you need to
-either add a prototype in one of the existing OpenSSL header files, or
-provide a new header file and edit.
-
-Only headers in the `include/openssl` subdirectory are considered for public
-functions.  If you're creating a new header file, it must be located in that
-directory.
-
-Functions declared in `include/openssl` header files are assumed to be part
-of the `libcrypto` library unless specified otherwise.  *If your new
-functions are meant for the `libssl` library*, you will need to edit
-[Configurations/unix-Makefile.tmpl] and add the header file name in the
-array `my @sslheaders_tmpl`.
-
-Updating OpenSSL's bookkeeping files
-------------------------------------
-
-OpenSSL has a few bookkeeping files to keep track of exposed functions, most
-importantly `util/libcrypto.num` and `util/libssl.num`.  Any time a new
-public function - as defined above - is added, these files must be updated.
-
-To make such an update, please do the following:
-
-    ./Configure -Werror --strict-warnings [your-options]
-    make update
-
-If you plan to submit the changes you made to OpenSSL (see
-[CONTRIBUTING.md]), it's also worth running the following after running
-`make update`, to ensure that documentation has correct format.
-
-    make doc-nits
-
-Do note that `make update` also generates files related to OIDs (in the
-`crypto/objects/`  folder) and errors messages.
-
-If a git merge error occurs in one of these generated files, then the
-generated files need to be removed and regenerated using `make update`.
-To aid in this process, the generated files can be committed separately
-so they can be removed easily by reverting that commit.
-
-[doc/internal/man7/build.info.pod]: ./doc/internal/man7/build.info.pod
-[Configurations/unix-Makefile.tmpl]: ./Configurations/unix-Makefile.tmpl
-[CONTRIBUTING.md]: ./CONTRIBUTING.md

INSTALL

@@ -0,0 +1,350 @@
+
+ INSTALLATION ON THE UNIX PLATFORM
+ ---------------------------------
+
+ [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
+  and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
+  INSTALL.MacOS and INSTALL.NW.
+  
+  This document describes installation on operating systems in the Unix
+  family.]
+
+ To install OpenSSL, you will need:
+
+  * make
+  * Perl 5
+  * an ANSI C compiler
+  * a development environment in form of development libraries and C
+    header files
+  * a supported Unix operating system
+
+ Quick Start
+ -----------
+
+ If you want to just get on with it, do:
+
+  $ ./config
+  $ make
+  $ make test
+  $ make install
+
+ [If any of these steps fails, see section Installation in Detail below.]
+
+ This will build and install OpenSSL in the default location, which is (for
+ historical reasons) /usr/local/ssl. If you want to install it anywhere else,
+ run config like this:
+
+  $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
+
+
+ Configuration Options
+ ---------------------
+
+ There are several options to ./config (or ./Configure) to customize
+ the build:
+
+  --prefix=DIR  Install in DIR/bin, DIR/lib, DIR/include/openssl.
+	        Configuration files used by OpenSSL will be in DIR/ssl
+                or the directory specified by --openssldir.
+
+  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
+                the library files and binaries are also installed there.
+
+  no-threads    Don't try to build with support for multi-threaded
+                applications.
+
+  threads       Build with support for multi-threaded applications.
+                This will usually require additional system-dependent options!
+                See "Note on multi-threading" below.
+
+  no-zlib       Don't try to build with support for zlib compression and
+                decompression.
+
+  zlib          Build with support for zlib compression/decompression.
+
+  zlib-dynamic  Like "zlib", but has OpenSSL load the zlib library dynamically
+                when needed.  This is only supported on systems where loading
+                of shared libraries is supported.  This is the default choice.
+
+  no-shared     Don't try to create shared libraries.
+
+  shared        In addition to the usual static libraries, create shared
+                libraries on platforms where it's supported.  See "Note on
+                shared libraries" below.
+
+  no-asm        Do not use assembler code.
+
+  386           Use the 80386 instruction set only (the default x86 code is
+                more efficient, but requires at least a 486). Note: Use
+                compiler flags for any other CPU specific configuration,
+                e.g. "-m32" to build x86 code on an x64 system.
+
+  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extention is
+		detected at run-time, but the decision whether or not the
+		machine code will be executed is taken solely on CPU
+		capability vector. This means that if you happen to run OS
+		kernel which does not support SSE2 extension on Intel P4
+		processor, then your application might be exposed to
+		"illegal instruction" exception. There might be a way
+		to enable support in kernel, e.g. FreeBSD kernel can be
+		compiled with CPU_ENABLE_SSE, and there is a way to
+		disengage SSE2 code pathes upon application start-up,
+		but if you aim for wider "audience" running such kernel,
+		consider no-sse2. Both 386 and no-asm options above imply
+		no-sse2.
+
+  no-<cipher>   Build without the specified cipher (bf, cast, des, dh, dsa,
+                hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
+                The crypto/<cipher> directory can be removed after running
+                "make depend".
+
+  -Dxxx, -lxxx, -Lxxx, -fxxx, -mxxx, -Kxxx These system specific options will
+                be passed through to the compiler to allow you to
+                define preprocessor symbols, specify additional libraries,
+                library directories or other compiler options.
+
+
+ Installation in Detail
+ ----------------------
+
+ 1a. Configure OpenSSL for your operation system automatically:
+
+       $ ./config [options]
+
+     This guesses at your operating system (and compiler, if necessary) and
+     configures OpenSSL based on this guess. Run ./config -t to see
+     if it guessed correctly. If you want to use a different compiler, you
+     are cross-compiling for another platform, or the ./config guess was
+     wrong for other reasons, go to step 1b. Otherwise go to step 2.
+
+     On some systems, you can include debugging information as follows:
+
+       $ ./config -d [options]
+
+ 1b. Configure OpenSSL for your operating system manually
+
+     OpenSSL knows about a range of different operating system, hardware and
+     compiler combinations. To see the ones it knows about, run
+
+       $ ./Configure
+
+     Pick a suitable name from the list that matches your system. For most
+     operating systems there is a choice between using "cc" or "gcc".  When
+     you have identified your system (and if necessary compiler) use this name
+     as the argument to ./Configure. For example, a "linux-elf" user would
+     run:
+
+       $ ./Configure linux-elf [options]
+
+     If your system is not available, you will have to edit the Configure
+     program and add the correct configuration for your system. The
+     generic configurations "cc" or "gcc" should usually work on 32 bit
+     systems.
+
+     Configure creates the file Makefile.ssl from Makefile.org and
+     defines various macros in crypto/opensslconf.h (generated from
+     crypto/opensslconf.h.in).
+
+  2. Build OpenSSL by running:
+
+       $ make
+
+     This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
+     OpenSSL binary ("openssl"). The libraries will be built in the top-level
+     directory, and the binary will be in the "apps" directory.
+
+     If "make" fails, look at the output.  There may be reasons for
+     the failure that aren't problems in OpenSSL itself (like missing
+     standard headers).  If it is a problem with OpenSSL itself, please
+     report the problem to <openssl-bugs@openssl.org> (note that your
+     message will be recorded in the request tracker publicly readable
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
+     public mailing list). Include the output of "make report" in your message.
+     Please check out the request tracker. Maybe the bug was already
+     reported or has already been fixed.
+
+     [If you encounter assembler error messages, try the "no-asm"
+     configuration option as an immediate fix.]
+
+     Compiling parts of OpenSSL with gcc and others with the system
+     compiler will result in unresolved symbols on some systems.
+
+  3. After a successful build, the libraries should be tested. Run:
+
+       $ make test
+
+     If a test fails, look at the output.  There may be reasons for
+     the failure that isn't a problem in OpenSSL itself (like a missing
+     or malfunctioning bc).  If it is a problem with OpenSSL itself,
+     try removing any compiler optimization flags from the CFLAG line
+     in Makefile.ssl and run "make clean; make". Please send a bug
+     report to <openssl-bugs@openssl.org>, including the output of
+     "make report" in order to be added to the request tracker at
+     http://www.openssl.org/support/rt2.html.
+
+  4. If everything tests ok, install OpenSSL with
+
+       $ make install
+
+     This will create the installation directory (if it does not exist) and
+     then the following subdirectories:
+
+       certs           Initially empty, this is the default location
+                       for certificate files.
+       man/man1        Manual pages for the 'openssl' command line tool
+       man/man3        Manual pages for the libraries (very incomplete)
+       misc            Various scripts.
+       private         Initially empty, this is the default location
+                       for private key files.
+
+     If you didn't choose a different installation prefix, the
+     following additional subdirectories will be created:
+
+       bin             Contains the openssl binary and a few other 
+                       utility programs. 
+       include/openssl Contains the header files needed if you want to
+                       compile programs with libcrypto or libssl.
+       lib             Contains the OpenSSL library files themselves.
+
+     Package builders who want to configure the library for standard
+     locations, but have the package installed somewhere else so that
+     it can easily be packaged, can use
+
+       $ make INSTALL_PREFIX=/tmp/package-root install
+
+     (or specify "--install_prefix=/tmp/package-root" as a configure
+     option).  The specified prefix will be prepended to all
+     installation target filenames.
+
+
+  NOTE: The header files used to reside directly in the include
+  directory, but have now been moved to include/openssl so that
+  OpenSSL can co-exist with other libraries which use some of the
+  same filenames.  This means that applications that use OpenSSL
+  should now use C preprocessor directives of the form
+
+       #include <openssl/ssl.h>
+
+  instead of "#include <ssl.h>", which was used with library versions
+  up to OpenSSL 0.9.2b.
+
+  If you install a new version of OpenSSL over an old library version,
+  you should delete the old header files in the include directory.
+
+  Compatibility issues:
+
+  *  COMPILING existing applications
+
+     To compile an application that uses old filenames -- e.g.
+     "#include <ssl.h>" --, it will usually be enough to find
+     the CFLAGS definition in the application's Makefile and
+     add a C option such as
+
+          -I/usr/local/ssl/include/openssl
+
+     to it.
+
+     But don't delete the existing -I option that points to
+     the ..../include directory!  Otherwise, OpenSSL header files
+     could not #include each other.
+
+  *  WRITING applications
+
+     To write an application that is able to handle both the new
+     and the old directory layout, so that it can still be compiled
+     with library versions up to OpenSSL 0.9.2b without bothering
+     the user, you can proceed as follows:
+
+     -  Always use the new filename of OpenSSL header files,
+        e.g. #include <openssl/ssl.h>.
+
+     -  Create a directory "incl" that contains only a symbolic
+        link named "openssl", which points to the "include" directory
+        of OpenSSL.
+        For example, your application's Makefile might contain the
+        following rule, if OPENSSLDIR is a pathname (absolute or
+        relative) of the directory where OpenSSL resides:
+
+        incl/openssl:
+        	-mkdir incl
+        	cd $(OPENSSLDIR) # Check whether the directory really exists
+        	-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl
+
+        You will have to add "incl/openssl" to the dependencies
+        of those C files that include some OpenSSL header file.
+
+     -  Add "-Iincl" to your CFLAGS.
+
+     With these additions, the OpenSSL header files will be available
+     under both name variants if an old library version is used:
+     Your application can reach them under names like <openssl/foo.h>,
+     while the header files still are able to #include each other
+     with names of the form <foo.h>.
+
+
+ Note on multi-threading
+ -----------------------
+
+ For some systems, the OpenSSL Configure script knows what compiler options
+ are needed to generate a library that is suitable for multi-threaded
+ applications.  On these systems, support for multi-threading is enabled
+ by default; use the "no-threads" option to disable (this should never be
+ necessary).
+
+ On other systems, to enable support for multi-threading, you will have
+ to specify at least two options: "threads", and a system-dependent option.
+ (The latter is "-D_REENTRANT" on various systems.)  The default in this
+ case, obviously, is not to include support for multi-threading (but
+ you can still use "no-threads" to suppress an annoying warning message
+ from the Configure script.)
+
+
+ Note on shared libraries
+ ------------------------
+
+ Shared libraries have certain caveats.  Binary backward compatibility
+ can't be guaranteed before OpenSSL version 1.0.  The only reason to
+ use them would be to conserve memory on systems where several programs
+ are using OpenSSL.
+
+ For some systems, the OpenSSL Configure script knows what is needed to
+ build shared libraries for libcrypto and libssl.  On these systems,
+ the shared libraries are currently not created by default, but giving
+ the option "shared" will get them created.  This method supports Makefile
+ targets for shared library creation, like linux-shared.  Those targets
+ can currently be used on their own just as well, but this is expected
+ to change in future versions of OpenSSL.
+
+ Note on random number generation
+ --------------------------------
+
+ Availability of cryptographically secure random numbers is required for
+ secret key generation. OpenSSL provides several options to seed the
+ internal PRNG. If not properly seeded, the internal PRNG will refuse
+ to deliver random bytes and a "PRNG not seeded error" will occur.
+ On systems without /dev/urandom (or similar) device, it may be necessary
+ to install additional support software to obtain random seed.
+ Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
+ and the FAQ for more information.
+
+ Note on support for multiple builds
+ -----------------------------------
+
+ OpenSSL is usually built in its source tree.  Unfortunately, this doesn't
+ support building for multiple platforms from the same source tree very well.
+ It is however possible to build in a separate tree through the use of lots
+ of symbolic links, which should be prepared like this:
+
+	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
+	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
+		mkdir -p `dirname $F`
+		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
+		echo $F '->' $OPENSSL_SOURCE/$F
+	done
+	make -f Makefile.org clean
+
+ OPENSSL_SOURCE is an environment variable that contains the absolute (this
+ is important!) path to the OpenSSL source tree.
+
+ Also, operations like 'make update' should still be made in the source tree.

INSTALL.DJGPP

@@ -0,0 +1,47 @@
+
+ 
+ INSTALLATION ON THE DOS PLATFORM WITH DJGPP
+ -------------------------------------------
+
+ OpenSSL has been ported to DJGPP, a Unix look-alike 32-bit run-time
+ environment for 16-bit DOS, but only with long filename support.
+ If you wish to compile on native DOS with 8+3 filenames, you will
+ have to tweak the installation yourself, including renaming files
+ with illegal or duplicate names.
+
+ You should have a full DJGPP environment installed, including the
+ latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
+ requires that PERL and BC also be installed.
+
+ All of these can be obtained from the usual DJGPP mirror sites or
+ directly at "http://www.delorie.com/pub/djgpp". For help on which
+ files to download, see the DJGPP "ZIP PICKER" page at
+ "http://www.delorie.com/djgpp/zip-picker.html". You also need to have
+ the WATT-32 networking package installed before you try to compile
+ OpenSSL. This can be obtained from "http://www.bgnett.no/~giva/".
+ The Makefile assumes that the WATT-32 code is in the directory
+ specified by the environment variable WATT_ROOT. If you have watt-32
+ in directory "watt32" under your main DJGPP directory, specify
+ WATT_ROOT="/dev/env/DJDIR/watt32".
+
+ To compile OpenSSL, start your BASH shell, then configure for DJGPP by
+ running "./Configure" with appropriate arguments:
+
+	./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
+ 
+ And finally fire up "make". You may run out of DPMI selectors when
+ running in a DOS box under Windows. If so, just close the BASH
+ shell, go back to Windows, and restart BASH. Then run "make" again.
+
+ RUN-TIME CAVEAT LECTOR
+ --------------
+
+ Quoting FAQ:
+
+  "Cryptographic software needs a source of unpredictable data to work
+   correctly.  Many open source operating systems provide a "randomness
+   device" (/dev/urandom or /dev/random) that serves this purpose."
+
+ As of version 0.9.7f DJGPP port checks upon /dev/urandom$ for a 3rd
+ party "randomness" DOS driver. One such driver, NOISE.SYS, can be
+ obtained from "http://www.rahul.net/dkaufman/index.html".

INSTALL.MacOS

@@ -0,0 +1,72 @@
+OpenSSL - Port To The Macintosh OS 9 or Earlier
+===============================================
+
+Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
+X) is now provided. "Initial" means that unlike other platforms where you
+get an SDK and a "swiss army" openssl application, on Macintosh you only
+get one sample application which fetches a page over HTTPS(*) and dumps it
+in a window. We don't even build the test applications so that we can't
+guarantee that all algorithms are operational.
+
+Required software:
+
+- StuffIt Expander 5.5 or later, alternatively MacGzip and SUNtar;
+- Scriptable Finder;
+- CodeWarrior Pro 5;
+
+Installation procedure:
+
+- fetch the source at ftp://ftp.openssl.org/ (well, you probably already
+  did, huh?)
+- unpack the .tar.gz file:
+	- if you have StuffIt Expander then just drag it over it;
+	- otherwise uncompress it with MacGzip and then unpack with SUNtar;
+- locate MacOS folder in OpenSSL source tree and open it;
+- unbinhex mklinks.as.hqx and OpenSSL.mcp.hqx if present (**), do it
+  "in-place", i.e. unpacked files should end-up in the very same folder;
+- execute mklinks.as;
+- open OpenSSL.mcp(***) and build 'GetHTTPS PPC' target(****);
+- that's it for now;
+
+(*)	URL is hardcoded into ./MacOS/GetHTTPS.src/GetHTTPS.cpp, lines 40
+        to 42, change appropriately.
+(**)	If you use SUNtar, then it might have already unbinhexed the files
+	in question.
+(***)	The project file was saved with CW Pro 5.3. If you have an earlier
+	version and it refuses to open it, then download
+	http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it
+	overwriting the original OpenSSL.mcp.
+(****)	Other targets are works in progress. If you feel like giving 'em a
+	shot, then you should know that OpenSSL* and Lib* targets are
+	supposed to be built with the GUSI, MacOS library which mimics
+	BSD sockets and some other POSIX APIs. The GUSI distribution is
+	expected to be found in the same directory as the openssl source tree,
+	i.e., in the parent directory to the one where this very file,
+	namely INSTALL.MacOS, resides. For more information about GUSI, see
+	http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
+
+Finally some essential comments from our generous contributor:-)
+
+"I've gotten OpenSSL working on the Macintosh. It's probably a bit of a
+hack, but it works for what I'm doing. If you don't like the way I've done
+it, then feel free to change what I've done. I freely admit that I've done
+some less-than-ideal things in my port, and if you don't like the way I've
+done something, then feel free to change it-- I won't be offended!
+
+... I've tweaked "bss_sock.c" a little to call routines in a "MacSocket"
+library I wrote. My MacSocket library is a wrapper around OpenTransport,
+handling stuff like endpoint creation, reading, writing, etc. It is not
+designed as a high-performance package such as you'd use in a webserver,
+but is fine for lots of other applications. MacSocket also uses some other
+code libraries I've written to deal with string manipulations and error
+handling. Feel free to use these things in your own code, but give me
+credit and/or send me free stuff in appreciation! :-)
+
+...
+
+If you have any questions, feel free to email me as the following:
+
+roy@centricsystems.ca
+
+-Roy Wood"
+