Standardize handling of #ifdef'd options.

Here are the "rules" for handling flags that depend on #ifdef: - Do not ifdef the enum. Only ifdef the OPTIONS table. All ifdef'd entries appear at the end; by convention "engine" is last. This ensures that at run-time, the flag will never be recognized/allowed. The next two bullets entries are for silencing compiler warnings: - In the while/switch parsing statement, use #ifdef for the body to disable it; leave the "case OPT_xxx:" and "break" statements outside the ifdef/ifndef. See ciphers.c for example. - If there are multiple options controlled by a single guard, OPT_FOO, OPT_BAR, etc., put a an #ifdef around the set, and then do "#else" and a series of case labels and a break. See OPENSSL_NO_AES in cms.c for example. Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-15 13:50:38 -04:00
parent 366e2a60b2
commit 9c3bcfa027
22 changed files with 222 additions and 219 deletions
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -64,12 +64,8 @@
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
 #ifndef OPENSSL_NO_SSL_TRACE
    OPT_STDNAME,
 #endif
 #ifndef OPENSSL_NO_SSL3
    OPT_SSL3,
 #endif
    OPT_TLS1,
    OPT_V, OPT_UPPER_V, OPT_S
 } OPTION_CHOICE;
@@ -79,13 +75,13 @@ OPTIONS ciphers_options[] = {
    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
    {"V", OPT_UPPER_V, '-', "Even more verbose"},
    {"s", OPT_S, '-', "Only supported ciphers"},
    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
 #ifndef OPENSSL_NO_SSL_TRACE
    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
 #endif
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
 #endif
    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
    {NULL}
 };
@@ -125,16 +121,16 @@ int ciphers_main(int argc, char **argv)
        case OPT_S:
            use_supported = 1;
            break;
 #ifndef OPENSSL_NO_SSL_TRACE
        case OPT_STDNAME:
 #ifndef OPENSSL_NO_SSL_TRACE
            stdname = verbose = 1;
            break;
 #endif
-#ifndef OPENSSL_NO_SSL3
+            break;
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
            meth = SSLv3_client_method();
            break;
 #endif
            break;
        case OPT_TLS1:
            meth = TLSv1_client_method();
            break;
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -208,6 +208,8 @@ OPTIONS cms_options[] = {
    {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
    {"receipt_request_from", OPT_RR_FROM, 's'},
    {"receipt_request_to", OPT_RR_TO, 's'},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
    OPT_V_OPTIONS,
 # ifndef OPENSSL_NO_AES
    {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
    {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
@@ -219,9 +221,7 @@ OPTIONS cms_options[] = {
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
-    {"", OPT_CIPHER, '-', "Any supported cipher"},
+    {NULL}
    OPT_V_OPTIONS,
    {NULL},
 };
 int cms_main(int argc, char **argv)
@@ -588,11 +588,11 @@ int cms_main(int argc, char **argv)
                goto end;
            vpmtouched++;
            break;
 # ifndef OPENSSL_NO_DES
        case OPT_3DES_WRAP:
 # ifndef OPENSSL_NO_DES
            wrap_cipher = EVP_des_ede3_wrap();
            break;
 # endif
            break;
 # ifndef OPENSSL_NO_AES
        case OPT_AES128_WRAP:
            wrap_cipher = EVP_aes_128_wrap();
@@ -603,6 +603,11 @@ int cms_main(int argc, char **argv)
        case OPT_AES256_WRAP:
            wrap_cipher = EVP_aes_256_wrap();
            break;
 # else
        case OPT_AES128_WRAP:
        case OPT_AES192_WRAP:
        case OPT_AES256_WRAP:
            break;
 # endif
        }
    }
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -95,11 +95,11 @@ OPTIONS crl_options[] = {
    {"verify", OPT_VERIFY, '-'},
    {"text", OPT_TEXT, '-', "Print out a text format version"},
    {"hash", OPT_HASH, '-', "Print hash value"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_MD5
    {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
 #endif
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"", OPT_MD, '-', "Any supported digest"},
    {NULL}
 };
@@ -117,11 +117,11 @@ int crl_main(int argc, char **argv)
    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
    char *CAfile = NULL, *CApath = NULL, *prog;
    OPTION_CHOICE o;
-    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
+    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
        0, text = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
-    int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber =
+    int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
-        0, i, do_ver = 0;
+    int text = 0, do_ver = 0;
    int i;
 #ifndef OPENSSL_NO_MD5
    int hash_old = 0;
 #endif
@@ -170,11 +170,11 @@ int crl_main(int argc, char **argv)
            CAfile = opt_arg();
            do_ver = 1;
            break;
 #ifndef OPENSSL_NO_MD5
        case OPT_HASH_OLD:
 #ifndef OPENSSL_NO_MD5
            hash_old = ++num;
            break;
 #endif
            break;
        case OPT_VERIFY:
            do_ver = 1;
            break;
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -111,11 +111,11 @@ OPTIONS dgst_options[] = {
    {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"},
    {"sigop", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"macop", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
    {"", OPT_DIGEST, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
    {"engine_impl", OPT_ENGINE_IMPL, '-'},
 #endif
    {"", OPT_DIGEST, '-', "Any supported digest"},
    {NULL}
 };
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -153,12 +153,12 @@ OPTIONS dhparam_options[] = {
    {"C", OPT_C, '-', "Print C code"},
    {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
    {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
 # ifndef OPENSSL_NO_DSA
    {"dsaparam", OPT_DSAPARAM, '-',
     "Read or generate DSA parameters, convert to DH"},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -82,14 +82,8 @@ OPTIONS dsa_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
    {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pvk-strong", OPT_PVK_STRONG, '-'},
    {"pvk-weak", OPT_PVK_WEAK, '-'},
    {"pvk-none", OPT_PVK_NONE, '-'},
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key in text"},
    {"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
@@ -98,6 +92,14 @@ OPTIONS dsa_options[] = {
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifndef OPENSSL_NO_RC4
    {"pvk-strong", OPT_PVK_STRONG, '-'},
    {"pvk-weak", OPT_PVK_WEAK, '-'},
    {"pvk-none", OPT_PVK_NONE, '-'},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
@@ -118,11 +120,6 @@ int dsa_main(int argc, char **argv)
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 #ifdef OPENSSL_NO_RC4
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
 #endif
 opthelp:
            ret = 0;
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
@@ -166,6 +163,11 @@ int dsa_main(int argc, char **argv)
        case OPT_PVK_NONE:
            pvk_encr = 0;
            break;
 #else
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
            break;
 #endif
        case OPT_NOOUT:
            noout = 1;
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -103,11 +103,11 @@ OPTIONS dsaparam_options[] = {
    {"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
    {"rand", OPT_RAND, 's', "Files to use for random number input"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
 # ifdef GENCB_TEST
    {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -92,9 +92,6 @@ OPTIONS ec_options[] = {
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"out", OPT_OUT, '>', "Output file"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key"},
    {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
@@ -106,6 +103,9 @@ OPTIONS ec_options[] = {
     "Specifies the way the ec parameters are encoded"},
    {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -92,9 +92,6 @@ OPTIONS enc_options[] = {
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pass", OPT_PASS, 's', "Passphrase source"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {"e", OPT_E, '-', "Encrypt"},
    {"d", OPT_D, '-', "Decrypt"},
    {"p", OPT_P, '-', "Print the iv/key"},
@@ -107,9 +104,6 @@ OPTIONS enc_options[] = {
    {"A", OPT_UPPER_A, '-'},
    {"a", OPT_A, '-', "base64 encode/decode, depending on encryption flag"},
    {"base64", OPT_A, '-', "Base64 output as a single line"},
 #ifdef ZLIB
    {"z", OPT_Z, '-', "Use zlib as the 'encryption'"},
 #endif
    {"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
    {"k", OPT_K, 's', "Passphrase"},
    {"kfile", OPT_KFILE, '<', "Fead passphrase from file"},
@@ -120,6 +114,12 @@ OPTIONS enc_options[] = {
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"none", OPT_NONE, '-', "Don't encrypt"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 #ifdef ZLIB
    {"z", OPT_Z, '-', "Use zlib as the 'encryption'"},
 #endif
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -84,10 +84,10 @@ OPTIONS gendsa_options[] = {
    {"passout", OPT_PASSOUT, 's'},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
    {NULL}
 };
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -89,6 +89,7 @@ OPTIONS genpkey_options[] = {
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    /* This is deliberately last. */
    {OPT_HELP_STR, 1, 1,
     "Order of options may be important!  See the documentation.\n"},
    {NULL}
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -101,6 +101,8 @@ OPTIONS passwd_options[] = {
    {"quiet", OPT_QUIET, '-', "No warnings"},
    {"table", OPT_TABLE, '-', "Format output as table"},
    {"reverse", OPT_REVERSE, '-', "Switch table columns"},
    {"salt", OPT_SALT, 's', "Use provided salt"},
    {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
 # ifndef NO_MD5CRYPT_1
    {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
    {"1", OPT_1, '-', "MD5-based password algorithm"},
@@ -108,8 +110,6 @@ OPTIONS passwd_options[] = {
 # ifndef OPENSSL_NO_DES
    {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
 # endif
    {"salt", OPT_SALT, 's', "Use provided salt"},
    {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
    {NULL}
 };
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -149,10 +149,10 @@ OPTIONS pkcs12_options[] = {
    {"password", OPT_PASSWORD, 's', "Set import/export password source"},
    {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
    {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {"", OPT_CIPHER, '-', "Any supported cipher"},
    {NULL}
 };
--- a/apps/req.c
+++ b/apps/req.c
@@ -176,11 +176,11 @@ OPTIONS req_options[] = {
     "Cert extension section (override value in config file)"},
    {"reqexts", OPT_REQEXTS, 's',
     "Request extension section (override value in config file)"},
    {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"keygen_engine", OPT_KEYGEN_ENGINE, 's'},
 #endif
    {"", OPT_MD, '-', "Any supported digest"},
    {NULL}
 };
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -138,14 +138,16 @@ OPTIONS rsa_options[] = {
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
    {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
    {"pvk-strong", OPT_PVK_STRONG, '-'},
    {"pvk-weak", OPT_PVK_WEAK, '-'},
    {"pvk-none", OPT_PVK_NONE, '-'},
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key in text"},
    {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
    {"check", OPT_CHECK, '-', "Verify key consistency"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifdef OPENSSL_NO_RC4
    {"pvk-strong", OPT_PVK_STRONG, '-'},
    {"pvk-weak", OPT_PVK_WEAK, '-'},
    {"pvk-none", OPT_PVK_NONE, '-'},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
@@ -170,11 +172,6 @@ int rsa_main(int argc, char **argv)
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 #ifdef OPENSSL_NO_RC4
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
 #endif
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
@@ -227,6 +224,11 @@ int rsa_main(int argc, char **argv)
        case OPT_PVK_NONE:
            pvk_encr = 0;
            break;
 #else
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
            break;
 #endif
        case OPT_NOOUT:
            noout = 1;
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -509,17 +509,9 @@ OPTIONS s_client_options[] = {
    {"quiet", OPT_QUIET, '-', "No s_client output"},
    {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"},
    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"},
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
 #endif
    {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
    {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
    {"tls1", OPT_TLS1, '-', "Just use TLSv1"},
    {"dtls", OPT_DTLS, '-'},
    {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
    {"dtls1_2", OPT_DTLS1_2, '-'},
    {"timeout", OPT_TIMEOUT, '-'},
    {"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
    {"starttls", OPT_STARTTLS, 's',
     "Use the STARTTLS command before starting TLS"},
    {"xmpphost", OPT_XMPPHOST, 's', "Host to use with \"-starttls xmpp\""},
@@ -534,6 +526,48 @@ OPTIONS s_client_options[] = {
    {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
     "Export len bytes of keying material (default 20)"},
    {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
    {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
    {"CRL", OPT_CRL, '<'},
    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
    {"CRLform", OPT_CRLFORM, 'F'},
    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'},
    {"verify_quiet", OPT_VERIFY_QUIET, '-'},
    {"brief", OPT_BRIEF, '-'},
    {"prexit", OPT_PREXIT, '-'},
    {"security_debug", OPT_SECURITY_DEBUG, '-'},
    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
    {"cert_chain", OPT_CERT_CHAIN, '<'},
    {"chainCApath", OPT_CHAINCAPATH, '/'},
    {"verifyCApath", OPT_VERIFYCAPATH, '/'},
    {"build_chain", OPT_BUILD_CHAIN, '-'},
    {"chainCAfile", OPT_CHAINCAFILE, '<'},
    {"verifyCAfile", OPT_VERIFYCAFILE, '<'},
    {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
    {"servername", OPT_SERVERNAME, 's',
     "Set TLS extension servername in ClientHello"},
    {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
     "Hex dump of all TLS extensions received"},
    {"status", OPT_STATUS, '-', "Request certificate status from server"},
    {"serverinfo", OPT_SERVERINFO, 's',
     "types  Send empty ClientHello extensions (comma-separated numbers)"},
    {"alpn", OPT_ALPN, 's',
     "Enable ALPN extension, considering named protocols supported (comma-separated list)"},
    OPT_S_OPTIONS,
    OPT_V_OPTIONS,
    OPT_X_OPTIONS,
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
 #endif
 #ifndef OPENSSL_NO_DTLS1
    {"dtls", OPT_DTLS, '-'},
    {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
    {"dtls1_2", OPT_DTLS1_2, '-'},
    {"timeout", OPT_TIMEOUT, '-'},
    {"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
 #endif
 #ifndef OPENSSL_NO_SSL_TRACE
    {"trace", OPT_TRACE, '-'},
 #endif
 #ifdef WATT32
    {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
 #endif
@@ -556,44 +590,14 @@ OPTIONS s_client_options[] = {
     "Tolerate other than the known g N values."},
    {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"},
 #endif
    {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
    {"servername", OPT_SERVERNAME, 's',
     "Set TLS extension servername in ClientHello"},
    {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
     "Hex dump of all TLS extensions received"},
    {"status", OPT_STATUS, '-', "Request certificate status from server"},
    {"serverinfo", OPT_SERVERINFO, 's',
     "types  Send empty ClientHello extensions (comma-separated numbers)"},
    {"alpn", OPT_ALPN, 's',
     "Enable ALPN extension, considering named protocols supported (comma-separated list)"},
 #ifndef OPENSSL_NO_NEXTPROTONEG
    {"nextprotoneg", OPT_NEXTPROTONEG, 's',
     "Enable NPN extension, considering named protocols supported (comma-separated list)"},
 #endif
    {"CRL", OPT_CRL, '<'},
    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
    {"CRLform", OPT_CRLFORM, 'F'},
    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'},
    {"verify_quiet", OPT_VERIFY_QUIET, '-'},
    {"brief", OPT_BRIEF, '-'},
    {"prexit", OPT_PREXIT, '-'},
    {"trace", OPT_TRACE, '-'},
    {"security_debug", OPT_SECURITY_DEBUG, '-'},
    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
    {"cert_chain", OPT_CERT_CHAIN, '<'},
    {"chainCApath", OPT_CHAINCAPATH, '/'},
    {"verifyCApath", OPT_VERIFYCAPATH, '/'},
    {"build_chain", OPT_BUILD_CHAIN, '-'},
    {"chainCAfile", OPT_CHAINCAFILE, '<'},
    {"verifyCAfile", OPT_VERIFYCAFILE, '<'},
    {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'},
 #endif
    OPT_S_OPTIONS,
    OPT_V_OPTIONS,
    OPT_X_OPTIONS,
    {NULL}
 };
@@ -706,29 +710,6 @@ int s_client_main(int argc, char **argv)
    prog = opt_init(argc, argv, s_client_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
 #ifndef WATT32
        case OPT_WDEBUG:
 #endif
 #ifdef OPENSSL_NO_JPAKE
        case OPT_JPAKE:
 #endif
 #ifdef OPENSSL_NO_SSL_TRACE
        case OPT_TRACE:
 #endif
 #ifdef OPENSSL_NO_PSK
        case OPT_PSK_IDENTITY:
        case OPT_PSK:
 #endif
 #ifdef OPENSSL_NO_SSL3
        case OPT_SSL3:
 #endif
 #ifdef OPENSSL_NO_DTLS1
        case OPT_DTLS:
        case OPT_DTLS1:
        case OPT_DTLS1_2:
        case OPT_TIMEOUT:
        case OPT_MTU:
 #endif
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
@@ -866,22 +847,22 @@ int s_client_main(int argc, char **argv)
        case OPT_STATUS:
            c_status_req = 1;
            break;
 #ifdef WATT32
        case OPT_WDEBUG:
 #ifdef WATT32
            dbug_init();
            break;
 #endif
            break;
        case OPT_MSG:
            c_msg = 1;
            break;
        case OPT_MSGFILE:
            bio_c_msg = BIO_new_file(opt_arg(), "w");
            break;
 #ifndef OPENSSL_NO_SSL_TRACE
        case OPT_TRACE:
 #ifndef OPENSSL_NO_SSL_TRACE
            c_msg = 2;
            break;
 #endif
            break;
        case OPT_SECURITY_DEBUG:
            sdebug = 1;
            break;
@@ -908,6 +889,9 @@ int s_client_main(int argc, char **argv)
                BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
                goto end;
            }
 #else
        case OPT_PSK_IDENTITY:
        case OPT_PSK:
            break;
 #endif
 #ifndef OPENSSL_NO_SRP
@@ -941,11 +925,11 @@ int s_client_main(int argc, char **argv)
        case OPT_SRP_MOREGROUPS:
            break;
 #endif
 #ifndef OPENSSL_NO_SSL3
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
            meth = SSLv3_client_method();
            break;
 #endif
            break;
        case OPT_TLS1_2:
            meth = TLSv1_2_client_method();
            break;
@@ -974,6 +958,13 @@ int s_client_main(int argc, char **argv)
        case OPT_MTU:
            socket_mtu = atol(opt_arg());
            break;
 #else
        case OPT_DTLS:
        case OPT_DTLS1:
        case OPT_DTLS1_2:
        case OPT_TIMEOUT:
        case OPT_MTU:
            break;
 #endif
        case OPT_FALLBACKSCSV:
            fallback_scsv = 1;
@@ -1038,13 +1029,12 @@ int s_client_main(int argc, char **argv)
                goto end;
        case OPT_SERVERNAME:
            servername = opt_arg();
            /* meth=TLSv1_client_method(); */
            break;
 #ifndef OPENSSL_NO_JPAKE
        case OPT_JPAKE:
 #ifndef OPENSSL_NO_JPAKE
            jpake_secret = opt_arg();
            break;
 #endif
            break;
        case OPT_USE_SRTP:
            srtp_profiles = opt_arg();
            break;
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -806,9 +806,7 @@ typedef enum OPTION_choice {
    OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
    OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
    OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP,
 #ifndef OPENSSL_NO_SSL3
    OPT_SSL3,
 #endif
    OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
    OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN,
    OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
@@ -821,7 +819,6 @@ typedef enum OPTION_choice {
 OPTIONS s_server_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"port", OPT_PORT, 'p'},
    {"accept", OPT_PORT, 'p',
     "TCP/IP port to accept on (default is " PORT_STR ")"},
@@ -851,9 +848,6 @@ OPTIONS s_server_options[] = {
    {"dkeyform", OPT_DKEYFORM, 'F',
     "Second key format (PEM, DER or ENGINE) PEM default"},
    {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
 #ifdef FIONBIO
    {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
 #endif
    {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
    {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
    {"debug", OPT_DEBUG, '-', "Print more output"},
@@ -865,47 +859,13 @@ OPTIONS s_server_options[] = {
    {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
    {"quiet", OPT_QUIET, '-', "No server output"},
    {"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"},
 #ifndef OPENSSL_NO_PSK
    {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
    {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
 # ifndef OPENSSL_NO_JPAKE
    {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
 # endif
 #endif
 #ifndef OPENSSL_NO_SRP
    {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
    {"srpuserseed", OPT_SRPUSERSEED, 's',
     "A seed string for a default user salt"},
 #endif
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
 #endif
    {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
    {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
    {"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
 #ifndef OPENSSL_NO_DTLS1
    {"dtls", OPT_DTLS, '-'},
    {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
    {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
    {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
    {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
    {"chain", OPT_CHAIN, '-', "Read a certificate chain"},
 #endif
 #ifndef OPENSSL_NO_DH
    {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
 #endif
 #ifndef OPENSSL_NO_EC
    {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"},
 #endif
    {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
     "Disable caching and tickets if ephemeral (EC)DH is used"},
    {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
    {"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
    {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path incluedes HTTP headers"},
    {"id_prefix", OPT_ID_PREFIX, 's',
     "Generate SSL/TLS session IDs prefixed by arg"},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"servername", OPT_SERVERNAME, 's',
     "Servername for HostName TLS extension"},
    {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
@@ -916,14 +876,11 @@ OPTIONS s_server_options[] = {
     "-Private Key file to use for servername if not in -cert2"},
    {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
     "Hex dump of all TLS extensions received"},
-#ifndef OPENSSL_NO_NEXTPROTONEG
+    {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path incluedes HTTP headers"},
-    {"nextprotoneg", OPT_NEXTPROTONEG, 's',
+    {"id_prefix", OPT_ID_PREFIX, 's',
-     "Set the advertised protocols for the NPN extension (comma-separated list)"},
+     "Generate SSL/TLS session IDs prefixed by arg"},
-#endif
+    {"rand", OPT_RAND, 's',
-    {"use_srtp", OPT_SRTP_PROFILES, '<',
+     "Load the file(s) into the random number generator"},
     "Offer SRTP key management with a colon-separated profile list"},
    {"alpn", OPT_ALPN, 's',
     "Set the advertised protocols for the ALPN extension (comma-separated list)"},
    {"keymatexport", OPT_KEYMATEXPORT, 's',
     "Export keying material using label"},
    {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
@@ -953,12 +910,54 @@ OPTIONS s_server_options[] = {
    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
    {"brief", OPT_BRIEF, '-'},
    {"rev", OPT_REV, '-'},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's'},
 #endif
    OPT_S_OPTIONS,
    OPT_V_OPTIONS,
    OPT_X_OPTIONS,
 #ifdef FIONBIO
    {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
 #endif
 #ifndef OPENSSL_NO_PSK
    {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
    {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
 # ifndef OPENSSL_NO_JPAKE
    {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
 # endif
 #endif
 #ifndef OPENSSL_NO_SRP
    {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
    {"srpuserseed", OPT_SRPUSERSEED, 's',
     "A seed string for a default user salt"},
 #endif
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
 #endif
 #ifndef OPENSSL_NO_DTLS1
    {"dtls", OPT_DTLS, '-'},
    {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
    {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
    {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
    {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
    {"chain", OPT_CHAIN, '-', "Read a certificate chain"},
 #endif
 #ifndef OPENSSL_NO_DH
    {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
 #endif
 #ifndef OPENSSL_NO_EC
    {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"},
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
    {"nextprotoneg", OPT_NEXTPROTONEG, 's',
     "Set the advertised protocols for the NPN extension (comma-separated list)"},
 #endif
 #ifndef OPENSSL_NO_SRTP
    {"use_srtp", OPT_SRTP_PROFILES, '<',
     "Offer SRTP key management with a colon-separated profile list"},
    {"alpn", OPT_ALPN, 's',
     "Set the advertised protocols for the ALPN extension (comma-separated list)"},
 #endif
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's'},
 #endif
    {NULL}
 };
@@ -1246,13 +1245,11 @@ int s_server_main(int argc, char *argv[])
        case OPT_MSGFILE:
            bio_s_msg = BIO_new_file(opt_arg(), "w");
            break;
        case OPT_TRACE:
 #ifndef OPENSSL_NO_SSL_TRACE
        case OPT_TRACE:
            s_msg = 2;
            break;
 #else
-        case OPT_TRACE:
+            break;
            goto opthelp;
 #endif
        case OPT_SECURITY_DEBUG:
            sdebug = 1;
@@ -1296,6 +1293,10 @@ int s_server_main(int argc, char *argv[])
                goto end;
            }
            break;
 #else
        case OPT_PSK_HINT:
        case OPT_PSK:
            break;
 #endif
 #ifndef OPENSSL_NO_SRP
        case OPT_SRPVFILE:
@@ -1323,11 +1324,11 @@ int s_server_main(int argc, char *argv[])
        case OPT_HTTP:
            www = 3;
            break;
 #ifndef OPENSSL_NO_SSL3
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
            meth = SSLv3_server_method();
            break;
 #endif
            break;
        case OPT_TLS1_2:
            meth = TLSv1_2_server_method();
            break;
@@ -1359,6 +1360,14 @@ int s_server_main(int argc, char *argv[])
        case OPT_CHAIN:
            cert_chain = 1;
            break;
 #else
        case OPT_DTLS:
        case OPT_DTLS1:
        case OPT_DTLS1_2:
        case OPT_TIMEOUT:
        case OPT_MTU:
        case OPT_CHAIN:
            break;
 #endif
        case OPT_ID_PREFIX:
            session_id_prefix = opt_arg();
@@ -1381,11 +1390,11 @@ int s_server_main(int argc, char *argv[])
        case OPT_KEY2:
            s_key_file2 = opt_arg();
            break;
 #ifndef OPENSSL_NO_NEXTPROTONEG
        case OPT_NEXTPROTONEG:
 # ifndef OPENSSL_NO_NEXTPROTONEG
            next_proto_neg_in = opt_arg();
            break;
 #endif
            break;
        case OPT_ALPN:
            alpn_in = opt_arg();
            break;
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -114,9 +114,7 @@ typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH,
    OPT_CAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME,
 #ifndef OPENSSL_NO_SSL3
    OPT_SSL3,
 #endif
    OPT_WWW
 } OPTION_CHOICE;
@@ -227,11 +225,11 @@ int s_time_main(int argc, char **argv)
                goto end;
            }
            break;
 #ifndef OPENSSL_NO_SSL3
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
            meth = SSLv3_client_method();
            break;
 #endif
            break;
        }
    }
    argc = opt_num_rest();
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -358,19 +358,19 @@ OPTIONS speed_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] ciphers...\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"evp", OPT_EVP, 's', "Use specified EVP cipher"},
    {"decrypt", OPT_DECRYPT, '-',
     "Time decryption instead of encryption (only EVP)"},
    {"mr", OPT_MR, '-', "Produce machine readable output"},
    {"mb", OPT_MB, '-'},
    {"misalign", OPT_MISALIGN, 'n', "Amount to mis-align buffers"},
 #if defined(TIMES) || defined(USE_TOD)
    {"elapsed", OPT_ELAPSED, '-',
     "Measure time in real time instead of CPU user time"},
 #endif
    {"evp", OPT_EVP, 's', "Use specified EVP cipher"},
    {"decrypt", OPT_DECRYPT, '-',
     "Time decryption instead of encryption (only EVP)"},
 #ifndef NO_FORK
    {"multi", OPT_MULTI, 'p', "Run benchmarks in parallel"},
 #endif
    {"mr", OPT_MR, '-', "Produce machine readable output"},
    {"mb", OPT_MB, '-'},
    {"misalign", OPT_MISALIGN, 'n', "Amount to mis-align buffers"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -829,11 +829,11 @@ int speed_main(int argc, char **argv)
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
 #ifndef NO_FORK
        case OPT_MULTI:
 #ifndef NO_FORK
            multi = atoi(opt_arg());
            break;
 #endif
            break;
        case OPT_MISALIGN:
            if (!opt_int(opt_arg(), &misalign))
                goto end;
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -151,10 +151,10 @@ OPTIONS ts_options[] = {
    {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
    {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
    {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
    {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {"", OPT_MD, '-', "Any supported digest"},
    {NULL}
 };
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -91,10 +91,10 @@ OPTIONS verify_options[] = {
    {"CRLfile", OPT_CRLFILE, '<'},
    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
    {"show_chain", OPT_SHOW_CHAIN, '-'},
    OPT_V_OPTIONS,
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    OPT_V_OPTIONS,
    {NULL}
 };
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -107,13 +107,9 @@ typedef enum OPTION_choice {
    OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST,
    OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST,
    OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
 #ifndef OPENSSL_NO_MD5
    OPT_SUBJECT_HASH_OLD,
    OPT_ISSUER_HASH_OLD,
 #endif
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
    OPT_FORCE_VERSION,
 #endif
    OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
 } OPTION_CHOICE;
@@ -130,12 +126,6 @@ OPTIONS x509_options[] = {
    {"serial", OPT_SERIAL, '-', "Print serial number value"},
    {"subject_hash", OPT_HASH, '-', "Print subject hash value"},
    {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
 #ifndef OPENSSL_NO_MD5
    {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
     "Print old-style (MD5) issuer hash value"},
    {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
     "Print old-style (MD5) subject hash value"},
 #endif
    {"hash", OPT_HASH, '-', "Synonym for -subject_hash"},
    {"subject", OPT_SUBJECT, '-', "Print subject DN"},
    {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
@@ -194,11 +184,17 @@ OPTIONS x509_options[] = {
    {"clrreject", OPT_CLRREJECT, '-'},
    {"badsig", OPT_BADSIG, '-'},
    {"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_MD5
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+    {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
     "Print old-style (MD5) issuer hash value"},
    {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
     "Print old-style (MD5) subject hash value"},
 #endif
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
    {"force_version", OPT_FORCE_VERSION, 'p'},
 #endif
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
@@ -291,11 +287,11 @@ int x509_main(int argc, char **argv)
            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
                goto opthelp;
            break;
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
        case OPT_FORCE_VERSION:
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
            force_version = atoi(opt_arg()) - 1;
            break;
 #endif
            break;
        case OPT_DAYS:
            days = atoi(opt_arg());
            break;
@@ -459,6 +455,10 @@ int x509_main(int argc, char **argv)
        case OPT_ISSUER_HASH_OLD:
            issuer_hash_old = ++num;
            break;
 #else
        case OPT_SUBJECT_HASH_OLD:
        case OPT_ISSUER_HASH_OLD:
            break;
 #endif
        case OPT_DATES:
            startdate = ++num;