Merge the engine branch into the main trunk. All conflicts resolved.

At the same time, add VMS support for Rijndael.

9 files changed, 146 insertions, 77 deletions

diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 2f80375319..9df1c07fb7 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -32,6 +32,7 @@ B<openssl> B<s_client>
 [B<-no_tls1>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -156,6 +157,13 @@ the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<s_client>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 CONNECTED COMMANDS
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 403c1aa903..fcb52226dd 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -39,6 +39,7 @@ B<openssl> B<s_server>
 [B<-hack>]
 [B<-www>]
 [B<-WWW>]
+[B<-engine id>]
 
 =head1 DESCRIPTION
 
@@ -186,6 +187,13 @@ emulates a simple web server. Pages will be resolved relative to the
 current directory, for example if the URL https://myhost/page.html is
 requested the file ./page.html will be loaded.
 
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<s_server>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
 =back
 
 =head1 CONNECTED COMMANDS
diff --git a/doc/apps/speed.pod b/doc/apps/speed.pod
index 77560f1c3d..8101851ec6 100644
--- a/doc/apps/speed.pod
+++ b/doc/apps/speed.pod
@@ -7,6 +7,7 @@ speed - test library performance
 =head1 SYNOPSIS
 
 B<openssl speed>
+[B<-engine id>]
 [B<md2>]
 [B<mdc2>]
 [B<md5>]
@@ -39,6 +40,17 @@ This command is used to test the performance of cryptographic algorithms.
 
 =head1 OPTIONS
 
+=over 4
+
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<speed>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=item B<[zero or more test algorithms]>
+
 If any options are given, B<speed> tests those algorithms, otherwise all of
 the above are tested.
 
diff --git a/doc/crypto/DH_set_method.pod b/doc/crypto/DH_set_method.pod
index b9a61d542b..d990bf8786 100644
--- a/doc/crypto/DH_set_method.pod
+++ b/doc/crypto/DH_set_method.pod
@@ -2,20 +2,21 @@
 
 =head1 NAME
 
-DH_set_default_method, DH_get_default_method, DH_set_method,
-DH_new_method, DH_OpenSSL - select DH method
+DH_set_default_openssl_method, DH_get_default_openssl_method,
+DH_set_method, DH_new_method, DH_OpenSSL - select DH method
 
 =head1 SYNOPSIS
 
  #include <openssl/dh.h>
+ #include <openssl/engine.h>
 
- void DH_set_default_method(DH_METHOD *meth);
+ void DH_set_default_openssl_method(DH_METHOD *meth);
 
- DH_METHOD *DH_get_default_method(void);
+ DH_METHOD *DH_get_default_openssl_method(void);
 
- DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
+ int DH_set_method(DH *dh, ENGINE *engine);
 
- DH *DH_new_method(DH_METHOD *meth);
+ DH *DH_new_method(ENGINE *engine);
 
  DH_METHOD *DH_OpenSSL(void);
 
@@ -28,17 +29,26 @@ such as hardware accelerators may be used.
 Initially, the default is to use the OpenSSL internal implementation.
 DH_OpenSSL() returns a pointer to that method.
 
-DH_set_default_method() makes B<meth> the default method for all B<DH>
-structures created later.
+DH_set_default_openssl_method() makes B<meth> the default method for all DH
+structures created later. B<NB:> This is true only whilst the default engine
+for Diffie-Hellman operations remains as "openssl". ENGINEs provide an
+encapsulation for implementations of one or more algorithms, and all the DH
+functions mentioned here operate within the scope of the default
+"openssl" engine.
 
-DH_get_default_method() returns a pointer to the current default
-method.
+DH_get_default_openssl_method() returns a pointer to the current default
+method for the "openssl" engine.
 
-DH_set_method() selects B<meth> for all operations using the structure B<dh>.
+DH_set_method() selects B<engine> as the engine that will be responsible for
+all operations using the structure B<dh>. If this function completes successfully,
+then the B<dh> structure will have its own functional reference of B<engine>, so
+the caller should remember to free their own reference to B<engine> when they are
+finished with it. NB: An ENGINE's DH_METHOD can be retrieved (or set) by
+ENGINE_get_DH() or ENGINE_set_DH().
 
-DH_new_method() allocates and initializes a B<DH> structure so that
-B<method> will be used for the DH operations. If B<method> is B<NULL>,
-the default method is used.
+DH_new_method() allocates and initializes a DH structure so that
+B<engine> will be used for the DH operations. If B<engine> is NULL,
+the default engine for Diffie-Hellman opertaions is used.
 
 =head1 THE DH_METHOD STRUCTURE
 
@@ -72,17 +82,17 @@ the default method is used.
 
 =head1 RETURN VALUES
 
-DH_OpenSSL() and DH_get_default_method() return pointers to the respective
-B<DH_METHOD>s.
+DH_OpenSSL() and DH_get_default_openssl_method() return pointers to the
+respective B<DH_METHOD>s.
 
-DH_set_default_method() returns no value.
+DH_set_default_openssl_method() returns no value.
 
-DH_set_method() returns a pointer to the B<DH_METHOD> previously
-associated with B<dh>.
+DH_set_method() returns non-zero if the ENGINE associated with B<dh>
+was successfully changed to B<engine>.
 
-DH_new_method() returns B<NULL> and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
-returns a pointer to the newly allocated structure.
+DH_new_method() returns NULL and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails.
+Otherwise it returns a pointer to the newly allocated structure.
 
 =head1 SEE ALSO
 
@@ -93,4 +103,9 @@ L<dh(3)|dh(3)>, L<DH_new(3)|DH_new(3)>
 DH_set_default_method(), DH_get_default_method(), DH_set_method(),
 DH_new_method() and DH_OpenSSL() were added in OpenSSL 0.9.4.
 
+DH_set_default_openssl_method() and DH_get_default_openssl_method()
+replaced DH_set_default_method() and DH_get_default_method() respectively,
+and DH_set_method() and DH_new_method() were altered to use B<ENGINE>s
+rather than B<DH_METHOD>s during development of OpenSSL 0.9.6.
+
 =cut
diff --git a/doc/crypto/DSA_set_method.pod b/doc/crypto/DSA_set_method.pod
index cabc3c004a..36a1052d27 100644
--- a/doc/crypto/DSA_set_method.pod
+++ b/doc/crypto/DSA_set_method.pod
@@ -2,20 +2,21 @@
 
 =head1 NAME
 
-DSA_set_default_method, DSA_get_default_method, DSA_set_method,
-DSA_new_method, DSA_OpenSSL - select DSA method
+DSA_set_default_openssl_method, DSA_get_default_openssl_method,
+DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
 
 =head1 SYNOPSIS
 
  #include <openssl/dsa.h>
+ #include <openssl/engine.h>
 
- void DSA_set_default_method(DSA_METHOD *meth);
+ void DSA_set_default_openssl_method(DSA_METHOD *meth);
 
- DSA_METHOD *DSA_get_default_method(void);
+ DSA_METHOD *DSA_get_default_openssl_method(void);
 
- DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
+ int DSA_set_method(DSA *dsa, ENGINE *engine);
 
- DSA *DSA_new_method(DSA_METHOD *meth);
+ DSA *DSA_new_method(ENGINE *engine);
 
  DSA_METHOD *DSA_OpenSSL(void);
 
@@ -28,17 +29,21 @@ such as hardware accelerators may be used.
 Initially, the default is to use the OpenSSL internal implementation.
 DSA_OpenSSL() returns a pointer to that method.
 
-DSA_set_default_method() makes B<meth> the default method for all B<DSA>
-structures created later.
+DSA_set_default_openssl_method() makes B<meth> the default method for
+all DSA structures created later. B<NB:> This is true only whilst the
+default engine for DSA operations remains as "openssl". ENGINEs
+provide an encapsulation for implementations of one or more algorithms at a
+time, and all the DSA functions mentioned here operate within the scope
+of the default "openssl" engine.
 
-DSA_get_default_method() returns a pointer to the current default
-method.
+DSA_get_default_openssl_method() returns a pointer to the current default
+method for the "openssl" engine.
 
-DSA_set_method() selects B<meth> for all operations using the structure B<dsa>.
+DSA_set_method() selects B<engine> for all operations using the structure B<dsa>.
 
-DSA_new_method() allocates and initializes a B<DSA> structure so that
-B<method> will be used for the DSA operations. If B<method> is B<NULL>,
-the default method is used.
+DSA_new_method() allocates and initializes a DSA structure so that
+B<engine> will be used for the DSA operations. If B<engine> is NULL,
+the default engine for DSA operations is used.
 
 =head1 THE DSA_METHOD STRUCTURE
 
@@ -84,18 +89,17 @@ struct
 
 =head1 RETURN VALUES
 
-DSA_OpenSSL() and DSA_get_default_method() return pointers to the
+DSA_OpenSSL() and DSA_get_default_openssl_method() return pointers to the
 respective B<DSA_METHOD>s.
 
-DSA_set_default_method() returns no value.
+DSA_set_default_openssl_method() returns no value.
 
-DSA_set_method() returns a pointer to the B<DSA_METHOD> previously
-associated with B<dsa>.
+DSA_set_method() returns non-zero if the ENGINE associated with B<dsa>
+was successfully changed to B<engine>.
 
-DSA_new_method() returns B<NULL> and sets an error code that can be
+DSA_new_method() returns NULL and sets an error code that can be
 obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation
-fails. Otherwise it returns a pointer to the newly allocated
-structure.
+fails. Otherwise it returns a pointer to the newly allocated structure.
 
 =head1 SEE ALSO
 
@@ -106,4 +110,9 @@ L<dsa(3)|dsa(3)>, L<DSA_new(3)|DSA_new(3)>
 DSA_set_default_method(), DSA_get_default_method(), DSA_set_method(),
 DSA_new_method() and DSA_OpenSSL() were added in OpenSSL 0.9.4.
 
+DSA_set_default_openssl_method() and DSA_get_default_openssl_method()
+replaced DSA_set_default_method() and DSA_get_default_method() respectively,
+and DSA_set_method() and DSA_new_method() were altered to use B<ENGINE>s
+rather than B<DSA_METHOD>s during development of OpenSSL 0.9.6.
+
 =cut
diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod
index c1a5b39c84..bc0891a445 100644
--- a/doc/crypto/RSA_set_method.pod
+++ b/doc/crypto/RSA_set_method.pod
@@ -9,12 +9,13 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 =head1 SYNOPSIS
 
  #include <openssl/rsa.h>
+ #include <openssl/engine.h>
 
- void RSA_set_default_method(RSA_METHOD *meth);
+ void RSA_set_default_openssl_method(RSA_METHOD *meth);
 
- RSA_METHOD *RSA_get_default_method(void);
+ RSA_METHOD *RSA_get_default_openssl_method(void);
 
- RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+ int RSA_set_method(RSA *rsa, ENGINE *engine);
 
  RSA_METHOD *RSA_get_method(RSA *rsa);
 
@@ -26,7 +27,7 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 
  int RSA_flags(RSA *rsa);
 
- RSA *RSA_new_method(RSA_METHOD *method);
+ RSA *RSA_new_method(ENGINE *engine);
 
 =head1 DESCRIPTION
 
@@ -46,23 +47,27 @@ the RSA transformation. It is the default if OpenSSL is compiled with
 C<-DRSA_NULL>. These methods may be useful in the USA because of a
 patent on the RSA cryptosystem.
 
-RSA_set_default_method() makes B<meth> the default method for all B<RSA>
-structures created later.
+RSA_set_default_openssl_method() makes B<meth> the default method for all B<RSA>
+structures created later. B<NB:> This is true only whilst the default engine
+for RSA operations remains as "openssl". ENGINEs provide an
+encapsulation for implementations of one or more algorithms at a time, and all
+the RSA functions mentioned here operate within the scope of the default
+"openssl" engine.
 
-RSA_get_default_method() returns a pointer to the current default
-method.
+RSA_get_default_openssl_method() returns a pointer to the current default
+method for the "openssl" engine.
 
-RSA_set_method() selects B<meth> for all operations using the key
+RSA_set_method() selects B<engine> for all operations using the key
 B<rsa>.
 
-RSA_get_method() returns a pointer to the method currently selected
-for B<rsa>.
+RSA_get_method() returns a pointer to the RSA_METHOD from the currently
+selected ENGINE for B<rsa>.
 
 RSA_flags() returns the B<flags> that are set for B<rsa>'s current method.
 
-RSA_new_method() allocates and initializes an B<RSA> structure so that
-B<method> will be used for the RSA operations. If B<method> is B<NULL>,
-the default method is used.
+RSA_new_method() allocates and initializes an RSA structure so that
+B<engine> will be used for the RSA operations. If B<engine> is NULL,
+the default engine for RSA operations is used.
 
 =head1 THE RSA_METHOD STRUCTURE
 
@@ -128,17 +133,21 @@ the default method is used.
 =head1 RETURN VALUES
 
 RSA_PKCS1_SSLeay(), RSA_PKCS1_RSAref(), RSA_PKCS1_null_method(),
-RSA_get_default_method() and RSA_get_method() return pointers to the
-respective B<RSA_METHOD>s.
+RSA_get_default_openssl_method() and RSA_get_method() return pointers to
+the respective RSA_METHODs.
 
-RSA_set_default_method() returns no value.
+RSA_set_default_openssl_method() returns no value.
 
-RSA_set_method() returns a pointer to the B<RSA_METHOD> previously
-associated with B<rsa>.
+RSA_set_method() selects B<engine> as the engine that will be responsible for
+all operations using the structure B<rsa>. If this function completes successfully,
+then the B<rsa> structure will have its own functional reference of B<engine>, so
+the caller should remember to free their own reference to B<engine> when they are
+finished with it. NB: An ENGINE's RSA_METHOD can be retrieved (or set) by
+ENGINE_get_RSA() or ENGINE_set_RSA().
 
-RSA_new_method() returns B<NULL> and sets an error code that can be
-obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise it
-returns a pointer to the newly allocated structure.
+RSA_new_method() returns NULL and sets an error code that can be
+obtained by L<ERR_get_error(3)|ERR_get_error(3)> if the allocation fails. Otherwise
+it returns a pointer to the newly allocated structure.
 
 =head1 SEE ALSO
 
@@ -151,4 +160,9 @@ RSA_get_default_method(), RSA_set_method() and RSA_get_method() as
 well as the rsa_sign and rsa_verify components of RSA_METHOD were
 added in OpenSSL 0.9.4.
 
+RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
+replaced RSA_set_default_method() and RSA_get_default_method() respectively,
+and RSA_set_method() and RSA_new_method() were altered to use B<ENGINE>s
+rather than B<DH_METHOD>s during development of OpenSSL 0.9.6.
+
 =cut
diff --git a/doc/crypto/dh.pod b/doc/crypto/dh.pod
index 0a9b7c03a2..b4be4be405 100644
--- a/doc/crypto/dh.pod
+++ b/doc/crypto/dh.pod
@@ -7,6 +7,7 @@ dh - Diffie-Hellman key agreement
 =head1 SYNOPSIS
 
  #include <openssl/dh.h>
+ #include <openssl/engine.h>
 
  DH *	DH_new(void);
  void	DH_free(DH *dh);
@@ -20,10 +21,10 @@ dh - Diffie-Hellman key agreement
  int	DH_generate_key(DH *dh);
  int	DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
 
- void DH_set_default_method(DH_METHOD *meth);
- DH_METHOD *DH_get_default_method(void);
- DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
- DH *DH_new_method(DH_METHOD *meth);
+ void DH_set_default_openssl_method(DH_METHOD *meth);
+ DH_METHOD *DH_get_default_openssl_method(void);
+ int DH_set_method(DH *dh, ENGINE *engine);
+ DH *DH_new_method(ENGINE *engine);
  DH_METHOD *DH_OpenSSL(void);
 
  int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(),
diff --git a/doc/crypto/dsa.pod b/doc/crypto/dsa.pod
index 2c09244899..82d7fb77cd 100644
--- a/doc/crypto/dsa.pod
+++ b/doc/crypto/dsa.pod
@@ -7,6 +7,7 @@ dsa - Digital Signature Algorithm
 =head1 SYNOPSIS
 
  #include <openssl/dsa.h>
+ #include <openssl/engine.h>
 
  DSA *	DSA_new(void);
  void	DSA_free(DSA *dsa);
@@ -28,10 +29,10 @@ dsa - Digital Signature Algorithm
  int	DSA_verify(int dummy, const unsigned char *dgst, int len,
 		unsigned char *sigbuf, int siglen, DSA *dsa);
 
- void DSA_set_default_method(DSA_METHOD *meth);
- DSA_METHOD *DSA_get_default_method(void);
- DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth);
- DSA *DSA_new_method(DSA_METHOD *meth);
+ void DSA_set_default_openssl_method(DSA_METHOD *meth);
+ DSA_METHOD *DSA_get_default_openssl_method(void);
+ int DSA_set_method(DSA *dsa, ENGINE *engine);
+ DSA *DSA_new_method(ENGINE *engine);
  DSA_METHOD *DSA_OpenSSL(void);
 
  int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(),
diff --git a/doc/crypto/rsa.pod b/doc/crypto/rsa.pod
index 1633840d4c..ef0d4df205 100644
--- a/doc/crypto/rsa.pod
+++ b/doc/crypto/rsa.pod
@@ -7,6 +7,7 @@ rsa - RSA public key cryptosystem
 =head1 SYNOPSIS
 
  #include <openssl/rsa.h>
+ #include <openssl/engine.h>
 
  RSA * RSA_new(void);
  void RSA_free(RSA *rsa);
@@ -31,15 +32,15 @@ rsa - RSA public key cryptosystem
  int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
  void RSA_blinding_off(RSA *rsa);
 
- void RSA_set_default_method(RSA_METHOD *meth);
- RSA_METHOD *RSA_get_default_method(void);
- RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
+ void RSA_set_default_openssl_method(RSA_METHOD *meth);
+ RSA_METHOD *RSA_get_default_openssl_method(void);
+ int RSA_set_method(RSA *rsa, ENGINE *engine);
  RSA_METHOD *RSA_get_method(RSA *rsa);
  RSA_METHOD *RSA_PKCS1_SSLeay(void);
  RSA_METHOD *RSA_PKCS1_RSAref(void);
  RSA_METHOD *RSA_null_method(void);
  int RSA_flags(RSA *rsa);
- RSA *RSA_new_method(RSA_METHOD *method);
+ RSA *RSA_new_method(ENGINE *engine);
 
  int RSA_print(BIO *bp, RSA *x, int offset);
  int RSA_print_fp(FILE *fp, RSA *x, int offset);