This commit was manufactured by cvs2svn to create tag 'BEFORE_COMPAQ_PATCH'.

This commit was manufactured by cvs2svn to create branch 'BRANCH_VMS_64BIT'.
accept NULL in 'free' functions
2002-05-21 08:59:59 +00:00 · 2002-05-21 08:59:58 +00:00 · 2002-05-21 08:59:57 +00:00 · 2002-05-19 16:31:10 +00:00 · 2002-05-19 12:03:05 +00:00 · 2002-05-18 23:43:10 +00:00
256 changed files with 9821 additions and 7283 deletions
--- a/3124
+++ b/3124
--- a/32
+++ b/32
@@ -144,6 +144,7 @@ my %table=(
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
 "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",
@@ -198,7 +199,7 @@ my %table=(
 "linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::",
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # !!!Folowing can't be even tested yet!!!
 #    We have to wait till 64-bit glibc for SPARC is operational!!!
 #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
@@ -373,6 +374,7 @@ my %table=(
 "linux-pentium",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppro",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-k6",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
@@ -434,7 +436,7 @@ my %table=(
 "aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",

 #
-# Cray T90 (SDSC)
+# Cray T90 and similar (SDSC)
 # It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT
 # defined.  The T90 ints and longs are 8 bytes long, and apparently the
 # B_ENDIAN code assumes 4 byte ints.  Fortunately, the non-B_ENDIAN and
@@ -444,7 +446,10 @@ my %table=(
 #'Taking the address of a bit field is not allowed. '
 #'An expression with bit field exists as the operand of "sizeof" '
 # (written by Wayne Schroeder <schroede@SDSC.EDU>)
-"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::",
+#
+# j90 is considered the base machine type for unicos machines,
+# so this configuration is now called "cray-j90" ...
+"cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::",

 #
 # Cray T3E (Research Center Juelich, beckman@acl.lanl.gov)
@@ -514,10 +519,17 @@ my %table=(
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",

 # Some OpenBSD from Bob Beck <beck@obtuse.com>
-"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-alpha",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-i386",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-m68k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-m88k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-mips",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-powerpc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-vax",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
@@ -912,11 +924,11 @@ my $bn_ops = $fields[$idx_bn_ops];
 my $bn_obj = $fields[$idx_bn_obj];
 my $des_obj = $fields[$idx_des_obj];
 my $bf_obj = $fields[$idx_bf_obj];
-my $md5_obj = $fields[$idx_md5_obj];
-my $sha1_obj = $fields[$idx_sha1_obj];
+$md5_obj = $fields[$idx_md5_obj];
+$sha1_obj = $fields[$idx_sha1_obj];
 my $cast_obj = $fields[$idx_cast_obj];
 my $rc4_obj = $fields[$idx_rc4_obj];
-my $rmd160_obj = $fields[$idx_rmd160_obj];
+$rmd160_obj = $fields[$idx_rmd160_obj];
 my $rc5_obj = $fields[$idx_rc5_obj];
 my $dso_scheme = $fields[$idx_dso_scheme];
 my $shared_target = $fields[$idx_shared_target];
--- a/10
+++ b/10
@@ -29,6 +29,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't I use OpenSSL certificates with SSL client authentication?
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
+* Why is OpenSSL x509 DN output not conformant to RFC2253?

 [BUILD] Questions about building and testing OpenSSL

@@ -59,7 +60,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6c was released on December 21st, 2001.
+OpenSSL 0.9.6d was released on May 9, 2002.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -343,6 +344,13 @@ DO NOT DO THIS! This command will give away your CAs private key and
 reduces its security to zero: allowing anyone to forge certificates in
 whatever name they choose.

+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+
+The ways to print out the oneline format of the DN (Distinguished Name) have
+been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
+interface, the "-nameopt" option could be introduded. See the manual
+page of the "openssl x509" commandline tool for details. The old behaviour
+has however been left as default for the sake of compatibility.

 [BUILD] =======================================================================

--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -6,15 +6,15 @@
 of this is tested on Win32 but it may also work in Win 3.1 with some
 modification.

- You need Perl for Win32.  Unless you will build on CygWin32, you will need
+ You need Perl for Win32.  Unless you will build on Cygwin, you will need
 ActiveState Perl, available from http://www.activestate.com/ActivePerl.
- For CygWin32 users, there's more info in the CygWin32 section.
+ For Cygwin users, there's more info in the Cygwin section.

 and one of the following C compilers:

  * Visual C++
  * Borland C
-  * GNU C (Mingw32 or Cygwin32)
+  * GNU C (Mingw32 or Cygwin)

 If you want to compile in the assembly language routines with Visual C++ then
 you will need an assembler. This is worth doing because it will result in
@@ -81,7 +81,7 @@

 There are various changes you can make to the Win32 compile environment. By
 default the library is not compiled with debugging symbols. If you add 'debug'
- to the mk1mk.pl lines in the do_* batch file then debugging symbols will be
+ to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
 compiled in.

 The default Win32 environment is to leave out any Windows NT specific
@@ -112,10 +112,10 @@
 * Compiler installation:

   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. GNU make is at
-   <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
-   make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
-   C:\egcs-1.1.2\mingw32.bat to set the PATH.
+   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it
+   to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to
+   the PATH environment variable in "System Properties"; or edit and
+   run C:\gcc-2.95.2\mingw32.bat to set the PATH.

 * Compile OpenSSL:

@@ -137,30 +137,30 @@
   > cd out
   > ..\ms\test

- GNU C (CygWin32)
- ---------------
+ GNU C (Cygwin)
+ --------------

- CygWin32 provides a bash shell and GNU tools environment running on
+ Cygwin provides a bash shell and GNU tools environment running on
 NT 4.0, Windows 9x and Windows 2000. Consequently, a make of OpenSSL
- with CygWin is closer to a GNU bash environment such as Linux rather
+ with Cygwin is closer to a GNU bash environment such as Linux rather
 than other W32 makes that are based on a single makefile approach.
- CygWin32 implements Posix/Unix calls through cygwin1.dll, and is
+ Cygwin implements Posix/Unix calls through cygwin1.dll, and is
 contrasted to Mingw32 which links dynamically to msvcrt.dll or
 crtdll.dll.

- To build OpenSSL using CygWin32:
+ To build OpenSSL using Cygwin:

- * Install CygWin32 (see http://sourceware.cygnus.com/cygwin)
+ * Install Cygwin (see http://sourceware.cygnus.com/cygwin)

 * Install Perl and ensure it is in the path (recent Cygwin perl 
   (version 5.6.1-2 of the latter has been reported to work) or
   ActivePerl)

- * Run the CygWin bash shell
+ * Run the Cygwin bash shell

 * $ tar zxvf openssl-x.x.x.tar.gz
   $ cd openssl-x.x.x
-   $ ./Configure no-threads CygWin32
+   $ ./config
   [...]
   $ make
   [...]
@@ -169,26 +169,26 @@

 This will create a default install in /usr/local/ssl.

- CygWin32 Notes:
+ Cygwin Notes:

 "make test" and normal file operations may fail in directories
- mounted as text (i.e. mount -t c:\somewhere /home) due to CygWin
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
 stripping of carriage returns. To avoid this ensure that a binary
 mount is used, e.g. mount -b c:\somewhere /home.

- As of version 1.1.1 CygWin32 is relatively unstable in its handling
+ As of version 1.1.1 Cygwin is relatively unstable in its handling
 of cr/lf issues. These make procedures succeeded with versions 1.1 and
 the snapshot 20000524 (Slow!).

- "bc" is not provided in the CygWin32 distribution.  This causes a
+ "bc" is not provided in the Cygwin distribution.  This causes a
 non-fatal error in "make test" but is otherwise harmless.  If
- desired, GNU bc can be built with CygWin32 without change.
+ desired, GNU bc can be built with Cygwin without change.


 Installation
 ------------

- If you used the CygWin procedure above, you have already installed and
+ If you used the Cygwin procedure above, you have already installed and
 can skip this section.  For all other procedures, there's currently no real
 installation procedure for Win32.  There are, however, some suggestions:

--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------

 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/Makefile.org
+++ b/Makefile.org
@@ -266,6 +266,7 @@ do_gnu-shared:
 	( set -x; ${CC} ${SHARED_LDFLAGS} \
 		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
 	libs="$$libs -l$$i"; \
@@ -292,6 +293,7 @@ do_darwin-shared:
 do_cygwin-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	( set -x; ${CC}  -shared -o cyg$$i.dll \
+		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
 		-Wl,--no-whole-archive $$libs ) || exit 1; \
@@ -653,7 +655,7 @@ tar:

 tar-snap:
 	@$(TAR) $(TARFLAGS) -cvf - \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' | sort` |\
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
@@ -695,8 +697,8 @@ install: all install_docs
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi \
-	done
+		fi; \
+	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
@@ -713,7 +715,7 @@ install: all install_docs
 					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
-			fi \
+			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
--- a/39
+++ b/39
@@ -8,11 +8,44 @@
  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:

      o New library section OCSP.
-      o Complete haul-over of the ASN.1 library section.
+      o Complete rewrite of ASN1 code.
+      o CRL checking in verify code and openssl utility.
+      o Extension copying in 'ca' utility.
+      o Flexible display options in 'ca' utility.
+      o Provisional support for international characters with UTF8.
      o Support for external crypto devices ('engine') is no longer
        a separate distribution.
+      o New elliptic curve library section.
+      o New AES (Rijndael) library section.
+      o Change DES API to clean up the namespace (some applications link also
+        against libdes providing similar functions having the same name).
+        Provide macros for backward compatibility (will be removed in the
+        future).
+      o Unifiy handling of cryptographic algorithms (software and
+        engine) to be available via EVP routines for asymmetric and
+        symmetric ciphers.
+      o NCONF: new configuration handling routines.
+      o Change API to use more 'const' modifiers to improve error checking
+        and help optimizers.
+      o Finally remove references to RSAref.
+      o Reworked parts of the BIGNUM code.
+      o Support for new engines: Broadcom ubsec, Accelerated Encryption
+        Processing, IBM 4758.
+      o PRNG: query at more locations for a random device, automatic query for
+        EGD style random sources at several locations.
+      o SSL/TLS: allow optional cipher choice according to server's preference.
+      o SSL/TLS: allow server to explicitly set new session ids.
+      o SSL/TLS: support Kerberos cipher suites (RFC2712).
+      o SSL/TLS: allow more precise control of renegotiations and sessions.
+      o SSL/TLS: add callback to retrieve SSL/TLS messages.
+      o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).

-  Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+
+      o Various SSL/TLS library bugfixes.
+      o Fix DH parameter generation for 'non-standard' generators.
+
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:

      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
@@ -25,7 +58,7 @@
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].

-  Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:

      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
--- a/2
+++ b/2
@@ -1,5 +1,5 @@

- OpenSSL 0.9.8-dev 24 Sep 2000
+ OpenSSL 0.9.8-dev XX xxx XXXX

 Copyright (c) 1998-2002 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
--- a/44
+++ b/44
@@ -1,10 +1,11 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/02/13 10:21:25 $
+  ______________                           $Date: 2002/05/16 10:01:53 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.7:  Under development...
+    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
@@ -17,10 +18,12 @@
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998

+  [See also http://www.openssl.org/support/rt2.html]
+
  RELEASE SHOWSTOPPERS

-    o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
-      - BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc
+    o BN_mod_mul verification fails for mips3-sgi-irix
+      unless configured with no-asm

  AVAILABLE PATCHES

@@ -49,28 +52,15 @@

  NEEDS PATCH

-    o  An (optional) countermeasure against the predictable-IV CBC
-       weakness in SSL/TLS should be added; see
-       http://www.openssl.org/~bodo/tls-cbc.txt
-
-    o  All 'openssl' subprograms taking '-des' and '-des3' options should
-       include AES support (0.9.7-dev)
-
-    o  'openssl speed' should include AES support (0.9.7-dev)
-
    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file

-    o  OpenSSL_0_9_6-stable:
-       #include <openssl/e_os.h> in exported header files is illegal since
-       e_os.h is suitable only for library-internal use.
-
-    o  Whenever strncpy is used, make sure the resulting string is NULL-terminated
-       or an error is reported
-
    o  "OpenSSL STATUS" is never up-to-date.

  OPEN ISSUES

+    o  Do we want the EVP API changes in 0.9.7?
+       Can compatibility be improved?
+
    o  The Makefile hierarchy and build mechanism is still not a round thing:

       1. The config vs. Configure scripts
@@ -95,22 +85,6 @@
                    which apparently is not flexible enough to generate
                    libcrypto)

-
-    o  The perl/ stuff needs a major overhaul. Currently it's
-       totally obsolete. Either we clean it up and enhance it to be up-to-date
-       with the C code or we also could replace it with the really nice
-       Net::SSLeay package we can find under
-       http://www.neuronio.pt/SSLeay.pm.html.  Ralf uses this package for a
-       longer time and it works fine and is a nice Perl module. Best would be
-       to convince the author to work for the OpenSSL project and create a
-       Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
-       us.
-
-       Status: Ralf thinks we should both contact the author of Net::SSLeay
-               and look how much effort it is to bring Eric's perl/ stuff up
-               to date.
-               Paul +1
-
  WISHES

    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
--- a/267
+++ b/267
@@ -1,4 +1,3 @@
-Output of `Configure TABLE':

 *** BC-16
 $cc           = bcc
@@ -367,7 +366,7 @@ $unistd       =
 $thread_cflag = (unknown)
 $sys_id       = 
 $lflags       = 
-$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
@@ -408,14 +407,62 @@ $shared_ldflag =
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

-*** OpenBSD-mips
+*** OpenBSD-hppa
 $cc           = gcc
-$cflags       = -O2 -DL_ENDIAN
+$cflags       = -DTERMIOS -O3 -fomit-frame-pointer
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
-$lflags       = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR
-$bn_ops       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_extension = 
+$ranlib       = 
+
+*** OpenBSD-i386
+$cc           = gcc
+$cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj       = asm/bn86-out.o asm/co86-out.o
+$des_obj      = asm/dx86-out.o asm/yx86-out.o
+$bf_obj       = asm/bx86-out.o
+$md5_obj      = asm/mx86-out.o
+$sha1_obj     = asm/sx86-out.o
+$cast_obj     = asm/cx86-out.o
+$rc4_obj      = asm/rx86-out.o
+$rmd160_obj   = asm/rm86-out.o
+$rc5_obj      = asm/r586-out.o
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** OpenBSD-m68k
+$cc           = gcc
+$cflags       = -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
@@ -432,23 +479,143 @@ $shared_ldflag =
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

-*** OpenBSD-x86
+*** OpenBSD-m88k
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486
+$cflags       = -DTERMIOS -O3 -fomit-frame-pointer
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
 $lflags       = 
-$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$bn_obj       = asm/bn86-out.o asm/co86-out.o
-$des_obj      = asm/dx86-out.o asm/yx86-out.o
-$bf_obj       = asm/bx86-out.o
-$md5_obj      = asm/mx86-out.o
-$sha1_obj     = asm/sx86-out.o
-$cast_obj     = asm/cx86-out.o
-$rc4_obj      = asm/rx86-out.o
-$rmd160_obj   = asm/rm86-out.o
-$rc5_obj      = asm/r586-out.o
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** OpenBSD-mips
+$cc           = gcc
+$cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** OpenBSD-powerpc
+$cc           = gcc
+$cflags       = -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** OpenBSD-sparc
+$cc           = gcc
+$cflags       = -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** OpenBSD-sparc64
+$cc           = gcc
+$cflags       = -DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** OpenBSD-vax
+$cc           = gcc
+$cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
 $dso_scheme   = dlfcn
 $shared_target= bsd-gcc-shared
 $shared_cflag = -fPIC
@@ -1056,14 +1223,14 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

-*** cray-t3e
+*** cray-j90
 $cc           = cc
 $cflags       = -DBIT_FIELD_LIMITS -DTERMIOS
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = CRAY
 $lflags       = 
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT
+$bn_ops       = SIXTY_FOUR_BIT_LONG DES_INT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
@@ -1080,14 +1247,14 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

-*** cray-t90-cc
+*** cray-t3e
 $cc           = cc
 $cflags       = -DBIT_FIELD_LIMITS -DTERMIOS
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = CRAY
 $lflags       = 
-$bn_ops       = SIXTY_FOUR_BIT_LONG DES_INT
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
@@ -1416,6 +1583,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

+*** debug-linux-pentium
+$cc           = gcc
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj       = asm/bn86-elf.o asm/co86-elf.o
+$des_obj      = asm/dx86-elf.o asm/yx86-elf.o
+$bf_obj       = asm/bx86-elf.o
+$md5_obj      = asm/mx86-elf.o
+$sha1_obj     = asm/sx86-elf.o
+$cast_obj     = asm/cx86-elf.o
+$rc4_obj      = asm/rx86-elf.o
+$rmd160_obj   = asm/rm86-elf.o
+$rc5_obj      = asm/r586-elf.o
+$dso_scheme   = dlfcn
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+
 *** debug-linux-ppro
 $cc           = gcc
 $cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall
@@ -2825,10 +3016,10 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $shared_extension = 
 $ranlib       = 

@@ -3695,3 +3886,27 @@ $shared_cflag = -Kpic
 $shared_ldflag = 
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
+
+*** vxworks-ppc405
+$cc           = ccppc
+$cflags       = -g -msoft-float -mlongcall -DCPU=PPC405 -I$(WIND_BASE)/target/h
+$unistd       = 
+$thread_cflag = 
+$sys_id       = VXWORKS
+$lflags       = -r
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -147,7 +147,7 @@ static UI_METHOD *ui_method = NULL;
 static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
 static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);

-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 /* Looks like this stuff is worth moving into separate function */
 static EVP_PKEY *
 load_netscape_key(BIO *err, BIO *key, const char *file,
@@ -333,16 +333,13 @@ void program_name(char *in, char *out, int size)
 #ifdef OPENSSL_SYS_WIN32
 int WIN32_rename(char *from, char *to)
 	{
-#ifdef OPENSSL_SYS_WINNT
-	int ret;
-/* Note: MoveFileEx() doesn't work under Win95, Win98 */
-
-	ret=MoveFileEx(from,to,MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED);
-	return(ret?0:-1);
-#else
-	unlink(to);
-	return MoveFile(from, to);
-#endif
+	/* Windows rename gives an error if 'to' exists, so delete it
+	 * first and ignore file not found errror
+	 */
+	if((remove(to) != 0) && (errno != ENOENT))
+		return -1;
+#undef rename
+	return rename(from, to);
 	}
 #endif

@@ -835,7 +832,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 		pkey=PEM_read_bio_PrivateKey(key,NULL,
 			(pem_password_cb *)password_callback, &cb_data);
 		}
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
 		pkey = load_netscape_key(err, key, file, key_descrip, format);
 #endif
@@ -904,7 +901,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 		pkey=PEM_read_bio_PUBKEY(key,NULL,
 			(pem_password_cb *)password_callback, &cb_data);
 		}
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
 		pkey = load_netscape_key(err, key, file, key_descrip, format);
 #endif
@@ -920,7 +917,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 	return(pkey);
 	}

-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 EVP_PKEY *
 load_netscape_key(BIO *err, BIO *key, const char *file,
 		const char *key_descrip, int format)
@@ -1314,3 +1311,21 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
 		}
        return e;
        }
+
+int load_config(BIO *err, CONF *cnf)
+	{
+	if (!cnf)
+		cnf = config;
+	if (!cnf)
+		return 1;
+
+	OPENSSL_load_builtin_modules();
+
+	if (CONF_modules_load(cnf, NULL, 0) <= 0)
+		{
+		BIO_printf(err, "Error configuring OpenSSL\n");
+		ERR_print_errors(err);
+		return 0;
+		}
+	return 1;
+	}
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -121,6 +121,7 @@
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/txt_db.h>
+#include <openssl/engine.h>
 #include <openssl/ossl_typ.h>

 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
@@ -194,9 +195,10 @@ extern BIO *bio_err;
 		setup_ui_method(); } while(0)
 #  endif
 #  define apps_shutdown() \
-		do { destroy_ui_method(); EVP_cleanup(); \
-		ENGINE_cleanup(); CRYPTO_cleanup_all_ex_data(); \
-		ERR_remove_state(0); ERR_free_strings(); } while(0)
+		do { CONF_modules_unload(1); destroy_ui_method(); \
+		EVP_cleanup(); ENGINE_cleanup(); \
+		CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
+		ERR_free_strings(); } while(0)
 #endif

 typedef struct args_st
@@ -244,11 +246,15 @@ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
 ENGINE *setup_engine(BIO *err, const char *engine, int debug);

+int load_config(BIO *err, CONF *cnf);
+
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
 			ASN1_GENERALIZEDTIME **pinvtm, char *str);
 int make_serial_index(TXT_DB *db);

+X509_NAME *do_subject(char *str, long chtype);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -103,6 +103,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	prog=argv[0];
 	argc--;
 	argv++;
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -238,7 +238,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
 	int ext_copy);
-static X509_NAME *do_subject(char *subject);
 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, TXT_DB *db);
 static int do_updatedb(TXT_DB *db);
@@ -571,6 +570,7 @@ bad:
 #else
 		strncpy(buf[0],X509_get_default_cert_area(),
 			sizeof(buf[0])-2-sizeof(CONFIG_FILE));
+		buf[0][sizeof(buf[0])-2-sizeof(CONFIG_FILE)]='\0';
 		strcat(buf[0],"/");
 #endif
 		strcat(buf[0],CONFIG_FILE);
@@ -590,6 +590,9 @@ bad:
 		goto err;
 		}

+	if (!load_config(bio_err, conf))
+		goto err;
+
 	/* Lets get the config section we are using */
 	if (section == NULL)
 		{
@@ -1274,6 +1277,7 @@ bad:
 			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));

 			strncpy(buf[0],serialfile,BSIZE-4);
+			buf[0][BSIZE-4]='\0';

 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[0],"-new");
@@ -1284,6 +1288,7 @@ bad:
 			if (!save_serial(buf[0],serial)) goto err;

 			strncpy(buf[1],dbfile,BSIZE-4);
+			buf[1][BSIZE-4]='\0';

 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[1],"-new");
@@ -1314,6 +1319,7 @@ bad:
 			p=(char *)x->cert_info->serialNumber->data;
 			
 			strncpy(buf[2],outdir,BSIZE-(j*2)-6);
+			buf[2][BSIZE-(j*2)-6]='\0';

 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[2],"/");
@@ -1351,6 +1357,7 @@ bad:
 			{
 			/* Rename the database and the serial file */
 			strncpy(buf[2],serialfile,BSIZE-4);
+			buf[2][BSIZE-4]='\0';

 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[2],"-old");
@@ -1379,6 +1386,7 @@ bad:
 				}

 			strncpy(buf[2],dbfile,BSIZE-4);
+			buf[2][BSIZE-4]='\0';

 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[2],"-old");
@@ -1551,6 +1559,7 @@ bad:
 			X509_free(revcert);

 			strncpy(buf[0],dbfile,BSIZE-4);
+			buf[0][BSIZE-4]='\0';
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[0],".new");
 #else
@@ -1565,11 +1574,16 @@ bad:
 			j=TXT_DB_write(out,db);
 			if (j <= 0) goto err;
 			strncpy(buf[1],dbfile,BSIZE-4);
+			buf[1][BSIZE-4]='\0';
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[1],".old");
 #else
 			strcat(buf[1],"-old");
 #endif
+			BIO_free(in);
+			in = NULL;
+			BIO_free(out);
+			out = NULL;
 			if (rename(dbfile,buf[1]) < 0)
 				{
 				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
@@ -1864,7 +1878,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,

 	if (subj)
 		{
-		X509_NAME *n = do_subject(subj);
+		X509_NAME *n = do_subject(subj, MBSTRING_ASC);

 		if (!n)
 			{
@@ -3008,65 +3022,124 @@ int make_revoked(X509_REVOKED *rev, char *str)
 	return ret;
 	}

-static X509_NAME *do_subject(char *subject)
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+X509_NAME *do_subject(char *subject, long chtype)
 	{
+	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
+	char *buf = OPENSSL_malloc(buflen);
+	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
+	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
+	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
+
+	char *sp = subject, *bp = buf;
+	int i, ne_num = 0;
+
 	X509_NAME *n = NULL;
+	int nid;

-	int i, nid, ne_num=0;
+	if (!buf || !ne_types || !ne_values)
+	{
+		BIO_printf(bio_err, "malloc error\n");
+		goto error;
+	}

-	char *ne_name = NULL;
-	char *ne_value = NULL;
+	if (*subject != '/')
+	{
+		BIO_printf(bio_err, "Subject does not start with '/'.\n");
+		goto error;
+	}
+	sp++; /* skip leading / */

-	char *tmp = NULL;
-	char *p[2];
-
-	char *str_list[256];
-       
-	p[0] = ",/";
-	p[1] = "=";
-
-	n = X509_NAME_new();
-
-	tmp = strtok(subject, p[0]);
-	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
+	while (*sp)
+	{
+		/* collect type */
+		ne_types[ne_num] = bp;
+		while (*sp)
 		{
-		char *token = tmp;
-
-		while (token[0] == ' ')
-			token++;
-		str_list[ne_num] = token;
-
-		tmp = strtok(NULL, p[0]);
-		ne_num++;
+			if (*sp == '\\') /* is there anything to escape in the type...? */
+				if (*++sp)
+					*bp++ = *sp++;
+				else
+				{
+					BIO_printf(bio_err, "escape character at end of string\n");
+					goto error;
+				}
+			else if (*sp == '=')
+			{
+				sp++;
+				*bp++ = '\0';
+				break;
+			}
+			else
+				*bp++ = *sp++;
 		}
+		if (!*sp)
+		{
+			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
+			goto error;
+		}
+		ne_values[ne_num] = bp;
+		while (*sp)
+		{
+			if (*sp == '\\')
+				if (*++sp)
+					*bp++ = *sp++;
+				else
+				{
+					BIO_printf(bio_err, "escape character at end of string\n");
+					goto error;
+				}
+			else if (*sp == '/')
+			{
+				sp++;
+				break;
+			}
+			else
+				*bp++ = *sp++;
+		}
+		*bp++ = '\0';
+		ne_num++;
+	}
+
+	if (!(n = X509_NAME_new()))
+		goto error;

 	for (i = 0; i < ne_num; i++)
 		{
-		ne_name  = strtok(str_list[i], p[1]);
-		ne_value = strtok(NULL, p[1]);
-
-		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
+		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
 			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
+			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
 			continue;
 			}

-		if (ne_value == NULL)
+		if (!*ne_values[i])
 			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
+			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
 			continue;
 			}

-		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
-			{
-			X509_NAME_free(n);
-			return NULL;
-			}
+		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0))
+			goto error;
 		}

+	OPENSSL_free(ne_values);
+	OPENSSL_free(ne_types);
+	OPENSSL_free(buf);
 	return n;
-	}

+error:
+	X509_NAME_free(n);
+	if (ne_values)
+		OPENSSL_free(ne_values);
+	if (ne_types)
+		OPENSSL_free(ne_types);
+	if (buf)
+		OPENSSL_free(buf);
+	return NULL;
+}

 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 	{
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -87,6 +87,7 @@ static char *crl_usage[]={
 " -noout          - no CRL output\n",
 " -CAfile  name   - verify CRL using certificates in file \"name\"\n",
 " -CApath  dir    - verify CRL using certificates in \"dir\"\n",
+" -nameopt arg    - various certificate name options\n",
 NULL
 };

@@ -97,6 +98,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	unsigned long nmflag = 0;
 	X509_CRL *x=NULL;
 	char *CAfile = NULL, *CApath = NULL;
 	int ret=1,i,num,badops=0;
@@ -105,7 +107,7 @@ int MAIN(int argc, char **argv)
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0;
-	char **pp,buf[256];
+	char **pp;
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
 	X509_LOOKUP *lookup = NULL;
@@ -120,6 +122,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	if (bio_out == NULL)
 		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
 			{
@@ -185,6 +190,11 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
+		else if (strcmp(*argv,"-nameopt") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
+			}
 		else if (strcmp(*argv,"-issuer") == 0)
 			issuer= ++num;
 		else if (strcmp(*argv,"-lastupdate") == 0)
@@ -268,9 +278,7 @@ bad:
 			{
 			if (issuer == i)
 				{
-				X509_NAME_oneline(X509_CRL_get_issuer(x),
-								buf,256);
-				BIO_printf(bio_out,"issuer= %s\n",buf);
+				print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
 				}

 			if (hash == i)
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -88,8 +88,8 @@ int MAIN(int argc, char **argv)
 	BIO *bmd=NULL;
 	BIO *out = NULL;
 	const char *name;
-#define PROG_NAME_SIZE  16
-	char pname[PROG_NAME_SIZE];
+#define PROG_NAME_SIZE  39
+	char pname[PROG_NAME_SIZE+1];
 	int separator=0;
 	int debug=0;
 	int keyform=FORMAT_PEM;
@@ -112,6 +112,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	/* first check the program name */
 	program_name(argv[0],pname,PROG_NAME_SIZE);

--- a/apps/dh.c
+++ b/apps/dh.c
@@ -100,6 +100,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -166,6 +166,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -487,7 +490,7 @@ bad:
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
 		printf("\t\t{ DH_free(dh); return(NULL); }\n");
 		if (dh->length)
-			printf("\tdh->length = %d;\n", dh->length);
+			printf("\tdh->length = %ld;\n", dh->length);
 		printf("\treturn(dh);\n\t}\n");
 		OPENSSL_free(data);
 		}
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -79,6 +79,9 @@
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
+ * -aes128	- encrypt output if PEM format
+ * -aes192	- encrypt output if PEM format
+ * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -modulus	- print the DSA public key
 */
@@ -106,6 +109,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
@@ -188,6 +194,10 @@ bad:
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
+#endif
+#ifndef OPENSSL_NO_AES
+		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
+		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -106,6 +106,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -183,9 +186,10 @@ bad:
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
-		BIO_printf(bio_err," -text         print the key in text\n");
+		BIO_printf(bio_err," -text         print as text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
+		BIO_printf(bio_err," -genkey       generate a DSA key\n");
 		BIO_printf(bio_err," -rand         files to use for random number input\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
--- a/apps/ecdsa.c
+++ b/apps/ecdsa.c
@@ -132,6 +132,9 @@
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
+ * -aes128	- encrypt output if PEM format
+ * -aes192	- encrypt output if PEM format
+ * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -pub		- print the ECDSA public key
 * -compressed  - print the public key in compressed form ( default )   
@@ -174,6 +177,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	engine = NULL;
 	infile = NULL;
 	outfile = NULL;
@@ -227,12 +233,12 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv, "-pub") == 0)
 		{
 			pub = 1;
-			buffer = (*(argv+1));
-			if (strcmp(buffer, "compressed") == 0)
+			buffer = (unsigned char *)(*(argv+1));
+			if (strcmp((char *)buffer, "compressed") == 0)
 				point_form = POINT_CONVERSION_COMPRESSED;
-			else if (strcmp(buffer, "hybrid") == 0)
+			else if (strcmp((char *)buffer, "hybrid") == 0)
 				point_form = POINT_CONVERSION_HYBRID;
-			else if (strcmp(buffer, "uncompressed") == 0)
+			else if (strcmp((char *)buffer, "uncompressed") == 0)
 				point_form = POINT_CONVERSION_UNCOMPRESSED;
 			if (point_form)
 			{
@@ -270,6 +276,10 @@ bad:
 		BIO_printf(bio_err, " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err, " -idea           encrypt PEM output with cbc idea\n");
+#endif
+#ifndef OPENSSL_NO_AES
+		BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
+		BIO_printf(bio_err, "                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err, " -text           print the key in text\n");
 		BIO_printf(bio_err, " -noout          don't print key out\n");
--- a/apps/ecdsaparam.c
+++ b/apps/ecdsaparam.c
@@ -133,15 +133,16 @@
 * -out arg		- output file - default stdout
 * -noout
 * -text
+ * -check               - validate the ec parameters
 * -C
 * -noout
 * -genkey		- generate a private public keypair based on the supplied curve
 * -named_curve		- use the curve oid instead of the parameters
- * -NIST_192		- use the NIST recommeded curve parameters over a 192 bit prime field
- * -NIST_224		- use the NIST recommeded curve parameters over a 224 bit prime field
- * -NIST_256		- use the NIST recommeded curve parameters over a 256 bit prime field
- * -NIST_384		- use the NIST recommeded curve parameters over a 384 bit prime field
- * -NIST_521		- use the NIST recommeded curve parameters over a 521 bit prime field
+ * -NIST_192		- use the NIST recommended curve parameters over a 192 bit prime field
+ * -NIST_224		- use the NIST recommended curve parameters over a 224 bit prime field
+ * -NIST_256		- use the NIST recommended curve parameters over a 256 bit prime field
+ * -NIST_384		- use the NIST recommended curve parameters over a 384 bit prime field
+ * -NIST_521		- use the NIST recommended curve parameters over a 521 bit prime field
 * -X9_62_192v1		- use the X9_62 192v1 example curve over a 192 bit prime field
 * -X9_62_192v2		- use the X9_62 192v2 example curve over a 192 bit prime field
 * -X9_62_192v3		- use the X9_62 192v3 example curve over a 192 bit prime field
@@ -149,6 +150,24 @@
 * -X9_62_239v2		- use the X9_62 239v2 example curve over a 239 bit prime field
 * -X9_62_239v3		- use the X9_62 239v3 example curve over a 239 bit prime field
 * -X9_62_256v1		- use the X9_62 239v1 example curve over a 256 bit prime field
+ * -SECG_PRIME_112R1    - use the SECG 112r1 recommended curve over a 112 bit prime field
+ * -SECG_PRIME_112R2    - use the SECG 112r2 recommended curve over a 112 bit prime field
+ * -SECG_PRIME_128R1    - use the SECG 128r1 recommended curve over a 128 bit prime field
+ * -SECG_PRIME_128R2    - use the SECG 128r2 recommended curve over a 128 bit prime field
+ * -SECG_PRIME_160K1    - use the SECG 160k1 recommended curve over a 160 bit prime field
+ * -SECG_PRIME_160R1    - use the SECG 160r1 recommended curve over a 160 bit prime field
+ * -SECG_PRIME_160R2    - use the SECG 160r2 recommended curve over a 160 bit prime field
+ * -SECG_PRIME_192K1    - use the SECG 192k1 recommended curve over a 192 bit prime field
+ * -SECG_PRIME_192R1    - use the SECG 192r1 recommended curve over a 192 bit prime field
+ * -SECG_PRIME_224K1    - use the SECG 224k1 recommended curve over a 224 bit prime field
+ * -SECG_PRIME_224R1    - use the SECG 224r1 recommended curve over a 224 bit prime field
+ * -SECG_PRIME_256K1    - use the SECG 256k1 recommended curve over a 256 bit prime field
+ * -SECG_PRIME_256R1    - use the SECG 256r1 recommended curve over a 256 bit prime field
+ * -SECG_PRIME_384R1    - use the SECG 384r1 recommended curve over a 384 bit prime field
+ * -SECG_PRIME_521R1    - use the SECG 521r1 recommended curve over a 521 bit prime field
+ * -WTLS_6              - use the WAP/WTLS recommended curve number 6 over a 112 bit field
+ * -WTLS_8              - use the WAP/WTLS recommended curve number 8 over a 112 bit field
+ * -WTLS_9              - use the WAP/WTLS recommended curve number 9 over a 160 bit field
 */

 int MAIN(int, char **);
@@ -162,6 +181,7 @@ int MAIN(int argc, char **argv)
 	int 	informat, outformat, noout = 0, C = 0, ret = 1;
 	char 	*infile, *outfile, *prog, *inrand = NULL;
 	int 	genkey = 0;
+	int	check = 0;
 	int 	need_rand = 0;
 	char 	*engine=NULL;
 	int	curve_type = EC_GROUP_NO_CURVE;
@@ -178,6 +198,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -217,6 +240,8 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-C") == 0)
 			C = 1;
+		else if (strcmp(*argv,"-check") == 0)
+			check = 1;
 		else if (strcmp(*argv,"-genkey") == 0)
 		{
 			genkey = 1;
@@ -254,6 +279,42 @@ int MAIN(int argc, char **argv)
 			curve_type = EC_GROUP_X9_62_PRIME_239V3;
 		else if (strcmp(*argv, "-X9_62_256v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_256V1;
+		else if (strcmp(*argv, "-SECG_PRIME_112R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_112R1;
+		else if (strcmp(*argv, "-SECG_PRIME_112R2") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_112R2;
+		else if (strcmp(*argv, "-SECG_PRIME_128R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_128R1;
+		else if (strcmp(*argv, "-SECG_PRIME_128R2") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_128R2;
+		else if (strcmp(*argv, "-SECG_PRIME_160K1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_160K1;
+		else if (strcmp(*argv, "-SECG_PRIME_160R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_160R1;
+		else if (strcmp(*argv, "-SECG_PRIME_160R2") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_160R2;
+		else if (strcmp(*argv, "-SECG_PRIME_192K1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_192K1;
+		else if (strcmp(*argv, "-SECG_PRIME_192R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_192R1;
+		else if (strcmp(*argv, "-SECG_PRIME_224K1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_224K1;
+		else if (strcmp(*argv, "-SECG_PRIME_224R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_224R1;
+		else if (strcmp(*argv, "-SECG_PRIME_256K1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_256K1;
+		else if (strcmp(*argv, "-SECG_PRIME_256R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_256R1;
+		else if (strcmp(*argv, "-SECG_PRIME_384R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_384R1;
+		else if (strcmp(*argv, "-SECG_PRIME_521R1") == 0)
+			curve_type = EC_GROUP_SECG_PRIME_521R1;
+		else if (strcmp(*argv, "-WTLS_6") == 0)
+			curve_type = EC_GROUP_WTLS_6;
+		else if (strcmp(*argv, "-WTLS_8") == 0)
+			curve_type = EC_GROUP_WTLS_8;
+		else if (strcmp(*argv, "-WTLS_9") == 0)
+			curve_type = EC_GROUP_WTLS_9;
 		else if (strcmp(*argv, "-noout") == 0)
 			noout=1;
 		else
@@ -271,28 +332,47 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
-		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
-		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
-		BIO_printf(bio_err," -in arg       input file\n");
-		BIO_printf(bio_err," -out arg      output file\n");
-		BIO_printf(bio_err," -text         print the key in text\n");
-		BIO_printf(bio_err," -C            Output C code\n");
-		BIO_printf(bio_err," -noout        no output\n");
-		BIO_printf(bio_err," -rand         files to use for random number input\n");
-		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
-		BIO_printf(bio_err," -named_curve  use the curve oid instead of the parameters\n");
-		BIO_printf(bio_err," -NIST_192     use the NIST recommeded curve parameters over a 192 bit prime field\n");
-		BIO_printf(bio_err," -NIST_224     use the NIST recommeded curve parameters over a 224 bit prime field\n");
-		BIO_printf(bio_err," -NIST_256     use the NIST recommeded curve parameters over a 256 bit prime field\n");
-		BIO_printf(bio_err," -NIST_384     use the NIST recommeded curve parameters over a 384 bit prime field\n");
-		BIO_printf(bio_err," -NIST_521     use the NIST recommeded curve parameters over a 521 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_192v1  use the X9_62 192v1 example curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_192v2  use the X9_62 192v2 example curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_192v3  use the X9_62 192v3 example curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_239v1  use the X9_62 239v1 example curve over a 239 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_239v2  use the X9_62 239v2 example curve over a 239 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_239v3  use the X9_62 239v3 example curve over a 239 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_256v1  use the X9_62 239v1 example curve over a 256 bit prime field\n");
+		BIO_printf(bio_err," -inform arg        input format - DER or PEM\n");
+		BIO_printf(bio_err," -outform arg       output format - DER or PEM\n");
+		BIO_printf(bio_err," -in arg            input file\n");
+		BIO_printf(bio_err," -out arg           output file\n");
+		BIO_printf(bio_err," -text              print as text\n");
+		BIO_printf(bio_err," -C                 Output C code\n");
+		BIO_printf(bio_err," -check             validate the ec parameters\n");
+		BIO_printf(bio_err," -noout             no output\n");
+		BIO_printf(bio_err," -rand              files to use for random number input\n");
+		BIO_printf(bio_err," -engine e          use engine e, possibly a hardware device.\n");
+		BIO_printf(bio_err," -named_curve       use the curve oid instead of the parameters\n");
+		BIO_printf(bio_err," -NIST_192          use the NIST recommended curve parameters over a 192 bit prime field\n");
+		BIO_printf(bio_err," -NIST_224          use the NIST recommended curve parameters over a 224 bit prime field\n");
+		BIO_printf(bio_err," -NIST_256          use the NIST recommended curve parameters over a 256 bit prime field\n");
+		BIO_printf(bio_err," -NIST_384          use the NIST recommended curve parameters over a 384 bit prime field\n");
+		BIO_printf(bio_err," -NIST_521          use the NIST recommended curve parameters over a 521 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_192v1       use the X9_62 192v1 example curve over a 192 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_192v2       use the X9_62 192v2 example curve over a 192 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_192v3       use the X9_62 192v3 example curve over a 192 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_239v1       use the X9_62 239v1 example curve over a 239 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_239v2       use the X9_62 239v2 example curve over a 239 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_239v3       use the X9_62 239v3 example curve over a 239 bit prime field\n");
+		BIO_printf(bio_err," -X9_62_256v1       use the X9_62 239v1 example curve over a 256 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_112R1  use the SECG 112r1 recommended curve over a 112 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_112R2  use the SECG 112r2 recommended curve over a 112 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_128R1  use the SECG 128r1 recommended curve over a 128 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_128R2  use the SECG 128r2 recommended curve over a 128 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_160K1  use the SECG 160k1 recommended curve over a 160 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_160R1  use the SECG 160r1 recommended curve over a 160 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_160R2  use the SECG 160r2 recommended curve over a 160 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_192K1  use the SECG 192k1 recommended curve over a 192 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_192R1  use the SECG 192r1 recommended curve over a 192 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_224K1  use the SECG 224k1 recommended curve over a 224 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_224R1  use the SECG 224r1 recommended curve over a 224 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_256K1  use the SECG 256k1 recommended curve over a 256 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_256R1  use the SECG 256r1 recommended curve over a 256 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_384R1  use the SECG 384r1 recommended curve over a 384 bit prime field\n");
+		BIO_printf(bio_err," -SECG_PRIME_521R1  use the SECG 521r1 recommended curve over a 521 bit prime field\n");
+		BIO_printf(bio_err," -WTLS_6            use the WAP/WTLS recommended curve number 6 over a 112 bit field\n");
+		BIO_printf(bio_err," -WTLS_8            use the WAP/WTLS recommended curve number 8 over a 112 bit field\n");
+		BIO_printf(bio_err," -WTLS_9            use the WAP/WTLS recommended curve number 9 over a 112 bit field\n");
 		goto end;
 	}

@@ -373,9 +453,24 @@ bad:
 	{
 		ECDSAParameters_print(out, ecdsa);
 	}
+
+	if (check)
+	{
+		if (ecdsa == NULL)
+			BIO_printf(bio_err, "no elliptic curve parameters\n");
+		BIO_printf(bio_err, "checking elliptic curve parameters: ");
+		if (!EC_GROUP_check(ecdsa->group, NULL))
+		{
+			BIO_printf(bio_err, "failed\n");
+			ERR_print_errors(bio_err);
+		}
+		else
+			BIO_printf(bio_err, "ok\n");
+			
+	}
 	
 	if (C)
-	{	// TODO : characteristic two
+	{	/* TODO: characteristic two */
 		int 	l, len, bits_p;
 		if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
 		    (tmp_3 = BN_new()) == NULL || (tmp_4 = BN_new()) == NULL ||
@@ -411,7 +506,7 @@ bad:
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
-		printf("\n\t};\n");
+		printf("\n\t};\n\n");

 		l = BN_bn2bin(tmp_2, data);
 		printf("static unsigned char ecdsa%d_a[]={",bits_p);
@@ -431,34 +526,34 @@ bad:
 		}
 		printf("\n\t};\n\n");

-		l = BN_bn2bin(tmp_3, data);
+		l = BN_bn2bin(tmp_4, data);
 		printf("static unsigned char ecdsa%d_x[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
-		printf("\n\t};\n\n");
+		printf("\n\t};\n");

-		l = BN_bn2bin(tmp_3, data);
+		l = BN_bn2bin(tmp_5, data);
 		printf("static unsigned char ecdsa%d_y[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
-		printf("\n\t};\n\n");
+		printf("\n\t};\n");

-		l = BN_bn2bin(tmp_3, data);
+		l = BN_bn2bin(tmp_6, data);
 		printf("static unsigned char ecdsa%d_o[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
-		printf("\n\t};\n\n");
+		printf("\n\t};\n");

-		l = BN_bn2bin(tmp_3, data);
+		l = BN_bn2bin(tmp_7, data);
 		printf("static unsigned char ecdsa%d_c[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
@@ -468,38 +563,41 @@ bad:
 		printf("\n\t};\n\n");

 		/* FIXME:
-		 * the generated code does not make much sense
-		 *
-		 * TODO:
-		 * use EC_GROUP_new_curve_GFp instead of using EC_GFp_mont_method directly
+		 * generated code should check for errors
 		 */
-		
-		printf("ECDSA *get_ecdsa%d()\n\t{\n",bits_p);
-		printf("\tint      ok=1;\n");
+
+		printf("ECDSA *get_ecdsa%d(void)\n\t{\n",bits_p);
+		printf("\tint ok=0;\n");
 		printf("\tECDSA    *ecdsa=NULL;\n");
 		printf("\tEC_POINT *point=NULL;\n");
-		printf("\tBIGNUM   *tmp_1=NULL,*tmp_2=NULL,*tmp_3=NULL;\n");
-		printf("\tBN_CTX   *ctx=NULL;\n\n");
-		printf("\tecdsa=ECDSA_new();\n");
-		printf("\ttmp_1=BN_new();\n");
-		printf("\ttmp_2=BN_new();\n");
-		printf("\ttmp_3=BN_new();\n");
-		printf("\tctx=BN_CTX_new();\n");
-		printf("\tif (!ecdsa || !tmp_1 || !tmp_2 || !tmp_3 || !ctx) ok=0;\n");
-		printf("\tif (ok && !ecdsa->group=EC_GROUP_new(EC_GFp_mont_method())) == NULL) ok=0;");
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_p,sizeof(ecdsa%d_p),tmp_1)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_a,sizeof(ecdsa%d_a),tmp_2)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_b,sizeof(ecdsa%d_b),tmp_3)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && !EC_GROUP_set_curve_GFp(ecdsa->group,tmp_1,tmp_2,tmp_3,ctx)) ok=0;\n");
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_x,sizeof(ecdsa%d_p),tmp_1)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_y,sizeof(ecdsa%d_a),tmp_2)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && (point = EC_POINT_new(ecdsa->group)) == NULL) ok=0;\n");
-		printf("\tif (ok && !EC_POINT_set_affine_coordinates_GFp(ecdsa->group,point,tmp_1,tmp_2,ctx)) ok=0:\n");
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_o,sizeof(ecdsa%d_b),tmp_1)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && !BN_bin2bn(ecdsa%d_c,sizeof(ecdsa%d_b),tmp_2)) ok=0;\n", bits_p, bits_p);
-		printf("\tif (ok && !EC_GROUP_set_generator(ecdsa->group,point,tmp_1,tmp_2)) ok=0;\n");
-		printf("\tif ((ecdsa->group == NULL) || (ecdsa->pub_key == NULL) || (ecdsa->priv_key == NULL))\n");
-		printf("\t\t{ ECDSA_free(ecdsa); return(NULL); }\n");
+		printf("\tBIGNUM   *tmp_1=NULL,*tmp_2=NULL,*tmp_3=NULL;\n\n");
+		printf("\tif ((ecdsa=ECDSA_new()) == NULL)\n");
+		printf("\t\treturn(NULL);\n\n");
+		printf("\t/* generate EC_GROUP structure */\n");
+		printf("\tif ((tmp_1 = BN_bin2bn(ecdsa%d_p, sizeof(ecdsa%d_p), NULL)) == NULL) goto err;\n", bits_p, bits_p);
+		printf("\tif ((tmp_2 = BN_bin2bn(ecdsa%d_a, sizeof(ecdsa%d_a), NULL)) == NULL) goto err;\n", bits_p, bits_p);
+		printf("\tif ((tmp_3 = BN_bin2bn(ecdsa%d_b, sizeof(ecdsa%d_b), NULL)) == NULL) goto err;\n", bits_p, bits_p);
+		printf("\tif ((ecdsa->group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL) goto err;\n\n");
+		printf("\t/* build generator */\n");
+		printf("\tif (!BN_bin2bn(ecdsa%d_x, sizeof(ecdsa%d_x), tmp_1)) goto err;\n", bits_p, bits_p);
+		printf("\tif (!BN_bin2bn(ecdsa%d_y, sizeof(ecdsa%d_y), tmp_2)) goto err;\n", bits_p, bits_p);
+		printf("\tif ((point = EC_POINT_new(ecdsa->group)) == NULL) goto err;\n");
+		printf("\tif (!EC_POINT_set_affine_coordinates_GFp(ecdsa->group, point, tmp_1, tmp_2, NULL)) goto err;\n");
+		printf("\t/* set generator, order and cofactor */\n");
+		printf("\tif (!BN_bin2bn(ecdsa%d_o, sizeof(ecdsa%d_o), tmp_1)) goto err;\n", bits_p, bits_p);
+		printf("\tif (!BN_bin2bn(ecdsa%d_c, sizeof(ecdsa%d_c), tmp_2)) goto err;\n", bits_p, bits_p);
+		printf("\tif (!EC_GROUP_set_generator(ecdsa->group, point, tmp_1, tmp_2)) goto err;\n");
+		printf("\n\tok=1;\n");
+		printf("err:\n");
+		printf("\tif (tmp_1) BN_free(tmp_1);\n");
+		printf("\tif (tmp_2) BN_free(tmp_2);\n");
+		printf("\tif (tmp_3) BN_free(tmp_3);\n");
+		printf("\tif (point) EC_POINT_free(point);\n");
+		printf("\tif (!ok)\n");
+		printf("\t\t{\n");
+		printf("\t\tECDSA_free(ecdsa);\n");
+		printf("\t\tecdsa = NULL;\n");
+		printf("\t\t}\n");
 		printf("\treturn(ecdsa);\n\t}\n");
 	}

--- a/apps/enc.c
+++ b/apps/enc.c
@@ -117,8 +117,8 @@ int MAIN(int argc, char **argv)
 	const EVP_CIPHER *cipher=NULL,*c;
 	char *inf=NULL,*outf=NULL;
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
-#define PROG_NAME_SIZE  16
-	char pname[PROG_NAME_SIZE];
+#define PROG_NAME_SIZE  39
+	char pname[PROG_NAME_SIZE+1];
 	char *engine = NULL;

 	apps_startup();
@@ -127,6 +127,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	/* first check the program name */
 	program_name(argv[0],pname,PROG_NAME_SIZE);
 	if (strcmp(pname,"base64") == 0)
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -356,6 +356,9 @@ int MAIN(int argc, char **argv)

 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
 	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	{
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -96,6 +96,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	argv++;
 	argc--;
 	for (;;)
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -93,6 +93,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	argv++;
 	argc--;
 	for (;;)
@@ -129,6 +132,14 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
+#endif
+#ifndef OPENSSL_NO_AES
+		else if (strcmp(*argv,"-aes128") == 0)
+			enc=EVP_aes_128_cbc();
+		else if (strcmp(*argv,"-aes192") == 0)
+			enc=EVP_aes_192_cbc();
+		else if (strcmp(*argv,"-aes256") == 0)
+			enc=EVP_aes_256_cbc();
 #endif
 		else if (**argv != '-' && dsaparams == NULL)
 			{
@@ -151,6 +162,10 @@ bad:
 #endif
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
+#endif
+#ifndef OPENSSL_NO_AES
+		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
+		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -99,6 +99,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (!load_config(bio_err, NULL))
+		goto err;
 	if ((out=BIO_new(BIO_s_file())) == NULL)
 		{
 		BIO_printf(bio_err,"unable to create BIO for output\n");
@@ -138,6 +141,14 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
+#endif
+#ifndef OPENSSL_NO_AES
+		else if (strcmp(*argv,"-aes128") == 0)
+			enc=EVP_aes_128_cbc();
+		else if (strcmp(*argv,"-aes192") == 0)
+			enc=EVP_aes_192_cbc();
+		else if (strcmp(*argv,"-aes256") == 0)
+			enc=EVP_aes_256_cbc();
 #endif
 		else if (strcmp(*argv,"-passout") == 0)
 			{
@@ -157,6 +168,10 @@ bad:
 		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
+#endif
+#ifndef OPENSSL_NO_AES
+		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
+		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -out file       output the key to 'file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -145,6 +145,9 @@ int MAIN(int argc, char **argv)
 	int nmin = 0, ndays = -1;

 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
 	SSL_load_error_strings();
 	args = argv + 1;
 	reqnames = sk_new_null();
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -215,8 +215,8 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 int main(int Argc, char *Argv[])
 	{
 	ARGS arg;
-#define PROG_NAME_SIZE	16
-	char pname[PROG_NAME_SIZE];
+#define PROG_NAME_SIZE	39
+	char pname[PROG_NAME_SIZE+1];
 	FUNCTION f,*fp;
 	MS_STATIC char *prompt,buf[1024],config_name[256];
 	int n,i,ret=0;
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -16,7 +16,7 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #ifndef OPENSSL_NO_DES
-# include <openssl/des_old.h>
+# include <openssl/des.h>
 #endif
 #ifndef NO_MD5CRYPT_1
 # include <openssl/evp.h>
@@ -79,6 +79,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (!load_config(bio_err, NULL))
+		goto err;
 	out = BIO_new(BIO_s_file());
 	if (out == NULL)
 		goto err;
@@ -479,7 +482,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	/* now compute password hash */
 #ifndef OPENSSL_NO_DES
 	if (usecrypt)
-		hash = des_crypt(passwd, *salt_p);
+		hash = DES_crypt(passwd, *salt_p);
 #endif
 #ifndef NO_MD5CRYPT_1
 	if (use1 || useapr1)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -127,6 +127,9 @@ int MAIN(int argc, char **argv)
    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
    args = argv + 1;


@@ -151,6 +154,11 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
 #endif
 		else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
+#ifndef OPENSSL_NO_AES
+		else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
+		else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
+		else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
+#endif
 		else if (!strcmp (*args, "-noiter")) iter = 1;
 		else if (!strcmp (*args, "-maciter"))
 					 maciter = PKCS12_DEFAULT_ITER;
@@ -279,6 +287,10 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");
 #ifndef OPENSSL_NO_IDEA
 	BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");
+#endif
+#ifndef OPENSSL_NO_AES
+	BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
+	BIO_printf (bio_err, "              encrypt PEM output with cbc aes\n");
 #endif
 	BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
 	BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
@@ -767,7 +779,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
 				return 0;
-		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) {
+			PKCS8_PRIV_KEY_INFO_free(p8);
+			return 0;
+		}
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -83,13 +83,16 @@ int MAIN(int argc, char **argv)
 	int nocrypt = 0;
 	X509_SIG *p8;
 	PKCS8_PRIV_KEY_INFO *p8inf;
-	EVP_PKEY *pkey;
+	EVP_PKEY *pkey=NULL;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
 	char *engine=NULL;

 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;

@@ -347,6 +350,7 @@ int MAIN(int argc, char **argv)
 			return (1);
 	}

+	end:
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -92,6 +92,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto err;
+
 	badopt = 0;
 	i = 0;
 	while (!badopt && argv[++i] != NULL)
--- a/apps/req.c
+++ b/apps/req.c
@@ -181,6 +181,7 @@ int MAIN(int argc, char **argv)
 	unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
 	MS_STATIC char config_name[256];
+	long errline;
 #endif

 	req_conf = NULL;
@@ -309,7 +310,7 @@ int MAIN(int argc, char **argv)
 						goto end;
 						}

-					dtmp=X509_get_pubkey(xtmp);
+					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
 					if (dtmp->type == EVP_PKEY_DSA)
 						dsa_params=DSAparams_dup(dtmp->pkey.dsa);
 					EVP_PKEY_free(dtmp);
@@ -349,7 +350,7 @@ int MAIN(int argc, char **argv)
 						goto end;
 						}

-					dtmp=X509_get_pubkey(xtmp);
+					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
 					if (dtmp->type == EVP_PKEY_ECDSA)
 						ecdsa_params = ECDSAParameters_dup(dtmp->pkey.ecdsa);
 					EVP_PKEY_free(dtmp);
@@ -504,6 +505,7 @@ bad:
 		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
 		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
 		BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
+		BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
 		goto end;
 		}

@@ -529,7 +531,7 @@ bad:
 		}
 	default_config_file=p;
 	config=NCONF_new(NULL);
-	i=NCONF_load(config, p);
+	i=NCONF_load(config, p, &errline);
 #endif

 	if (template != NULL)
@@ -560,6 +562,8 @@ bad:

 	if (req_conf != NULL)
 		{
+		if (!load_config(bio_err, req_conf))
+			goto end;
 		p=NCONF_get_string(req_conf,NULL,"oid_file");
 		if (p == NULL)
 			ERR_clear_error();
@@ -885,19 +889,20 @@ loop:
 			/* Set version to V3 */
 			if(!X509_set_version(x509ss, 2)) goto end;
 			if (serial)
-				X509_set_serialNumber(x509ss, serial);
+				{
+				if (!X509_set_serialNumber(x509ss, serial)) goto end;
+				}
 			else
-				ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L);
+				{
+				if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end;
+				}

-			X509_set_issuer_name(x509ss,
-				X509_REQ_get_subject_name(req));
-			X509_gmtime_adj(X509_get_notBefore(x509ss),0);
-			X509_gmtime_adj(X509_get_notAfter(x509ss),
-				(long)60*60*24*days);
-			X509_set_subject_name(x509ss,
-				X509_REQ_get_subject_name(req));
+			if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
+			if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
+			if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
+			if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
 			tmppkey = X509_REQ_get_pubkey(req);
-			X509_set_pubkey(x509ss,tmppkey);
+			if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
 			EVP_PKEY_free(tmppkey);

 			/* Set up V3 context struct */
@@ -1199,71 +1204,29 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
 		}
 	if(!i) goto err;

-	X509_REQ_set_pubkey(req,pkey);
+	if (!X509_REQ_set_pubkey(req,pkey)) goto err;

 	ret=1;
 err:
 	return(ret);
 	}

+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
 static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
 	{
-	X509_NAME *n = NULL;
+	X509_NAME *n;

-	int i, nid, ne_num=0;
-
-	char *ne_name = NULL;
-	char *ne_value = NULL;
-
-	char *tmp = NULL;
-	char *p[2];
-
-	char *str_list[256];
-       
-	p[0] = ",/";
-        p[1] = "=";
-
-	n = X509_NAME_new();
-
-	tmp = strtok(subject, p[0]);
-	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
-		{
-		char *token = tmp;
-
-		while (token[0] == ' ')
-			token++;
-		str_list[ne_num] = token;
-
-		tmp = strtok(NULL, p[0]);
-		ne_num++;
-		}
-
-	for(i = 0; i < ne_num; i++)
-		{
-		ne_name  = strtok(str_list[i], p[1]);
-		ne_value = strtok(NULL, p[1]);
-
-		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
-			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
-			continue;
-			}
-
-		if (ne_value == NULL)
-			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
-			continue;
-			}
-
-		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_value, -1,-1,0))
-			{
-			X509_NAME_free(n);
-			return 0;
-			}
-		}
+	if (!(n = do_subject(subject, chtype)))
+		return 0;

 	if (!X509_REQ_set_subject_name(req, n))
+		{
+		X509_NAME_free(n);
 		return 0;
+		}
 	X509_NAME_free(n);
 	return 1;
 }
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -79,6 +79,9 @@
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
+ * -aes128	- encrypt output if PEM format
+ * -aes192	- encrypt output if PEM format
+ * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -modulus	- print the RSA key modulus
 * -check	- verify key consistency
@@ -110,6 +113,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -195,6 +201,10 @@ bad:
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
+#endif
+#ifndef OPENSSL_NO_AES
+		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
+		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -104,6 +104,9 @@ int MAIN(int argc, char **argv)
 	argv++;

 	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	pad = RSA_PKCS1_PADDING;
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -271,6 +271,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -504,6 +504,9 @@ int MAIN(int argc, char *argv[])
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	verify_depth=0;
 #ifdef FIONBIO
 	s_nbio=0;
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -109,6 +109,15 @@ int MAIN(int argc, char **argv)
 	args = argv + 1;
 	ret = 1;

+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	while (!badarg && *args && *args[0] == '-') {
 		if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
 		else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
@@ -128,6 +137,14 @@ int MAIN(int argc, char **argv)
 				cipher = EVP_rc2_cbc();
 		else if (!strcmp (*args, "-rc2-64")) 
 				cipher = EVP_rc2_64_cbc();
+#endif
+#ifndef OPENSSL_NO_AES
+		else if (!strcmp(*args,"-aes128"))
+				cipher = EVP_aes_128_cbc();
+		else if (!strcmp(*args,"-aes192"))
+				cipher = EVP_aes_192_cbc();
+		else if (!strcmp(*args,"-aes256"))
+				cipher = EVP_aes_256_cbc();
 #endif
 		else if (!strcmp (*args, "-text")) 
 				flags |= PKCS7_TEXT;
@@ -283,6 +300,10 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
 		BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
 		BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
+#endif
+#ifndef OPENSSL_NO_AES
+		BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
+		BIO_printf (bio_err, "               encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
 		BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
@@ -450,7 +471,10 @@ int MAIN(int argc, char **argv)
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
 	} else if(operation == SMIME_SIGN) {
 		p7 = PKCS7_sign(signer, key, other, in, flags);
-		BIO_reset(in);
+		if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
+		  BIO_printf(bio_err, "Can't rewind input file\n");
+		  goto end;
+		}
 	} else {
 		if(informat == FORMAT_SMIME) 
 			p7 = SMIME_read_PKCS7(in, &indata);
@@ -490,9 +514,9 @@ int MAIN(int argc, char **argv)
 	} else if(operation == SMIME_VERIFY) {
 		STACK_OF(X509) *signers;
 		if(PKCS7_verify(p7, other, store, indata, out, flags)) {
-			BIO_printf(bio_err, "Verification Successful\n");
+			BIO_printf(bio_err, "Verification successful\n");
 		} else {
-			BIO_printf(bio_err, "Verification Failure\n");
+			BIO_printf(bio_err, "Verification failure\n");
 			goto end;
 		}
 		signers = PKCS7_get0_signers(p7, other, flags);
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -131,7 +131,7 @@
 #endif

 #ifndef OPENSSL_NO_DES
-#include <openssl/des_old.h>
+#include <openssl/des.h>
 #endif
 #ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
@@ -374,9 +374,11 @@ int MAIN(int argc, char **argv)
 	int mret=1;
 	long count=0,save_count=0;
 	int i,j,k;
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
+	long rsa_count;
+#endif
 #ifndef OPENSSL_NO_RSA
 	unsigned rsa_num;
-	long rsa_count;
 #endif
 	unsigned char md[EVP_MAX_MD_SIZE];
 #ifndef OPENSSL_NO_MD2
@@ -437,9 +439,9 @@ int MAIN(int argc, char **argv)
 	unsigned char iv[MAX_BLOCK_SIZE/8];
 #ifndef OPENSSL_NO_DES
 	DES_cblock *buf_as_des_cblock = NULL;
-	static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
-	static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
-	static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+	static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
 	DES_key_schedule sch;
 	DES_key_schedule sch2;
 	DES_key_schedule sch3;
@@ -515,6 +517,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 #ifndef OPENSSL_NO_RSA
 	memset(rsa_key,0,sizeof(rsa_key));
 	for (i=0; i<RSA_NUM; i++)
@@ -527,7 +532,7 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 #ifndef OPENSSL_NO_DES
-	buf_as_des_cblock = (des_cblock *)buf;
+	buf_as_des_cblock = (DES_cblock *)buf;
 #endif
 	if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
@@ -1136,7 +1141,7 @@ int MAIN(int argc, char **argv)

 		HMAC_CTX_init(&hctx);
 		HMAC_Init_ex(&hctx,(unsigned char *)"This is a key...",
-			16,EVP_md5());
+			16,EVP_md5(), NULL);

 		for (j=0; j<SIZE_NUM; j++)
 			{
@@ -1144,9 +1149,9 @@ int MAIN(int argc, char **argv)
 			Time_F(START);
 			for (count=0,run=1; COND(c[D_HMAC][j]); count++)
 				{
-				HMAC_Init_ex(&hctx,NULL,0,NULL);
-                                HMAC_Update(&hctx,buf,lengths[j]);
-                                HMAC_Final(&hctx,&(hmac[0]),NULL);
+				HMAC_Init_ex(&hctx,NULL,0,NULL,NULL);
+				HMAC_Update(&hctx,buf,lengths[j]);
+				HMAC_Final(&hctx,&(hmac[0]),NULL);
 				}
 			d=Time_F(STOP);
 			print_result(D_HMAC,j,count,d);
@@ -1598,7 +1603,7 @@ show_res:
 		printf("%s ",RC4_options());
 #endif
 #ifndef OPENSSL_NO_DES
-		printf("%s ",des_options());
+		printf("%s ",DES_options());
 #endif
 #ifndef OPENSSL_NO_AES
 		printf("%s ",AES_options());
@@ -1622,7 +1627,7 @@ show_res:
 #endif
 #ifdef HZ
 #define as_string(s) (#s)
-		printf("HZ=%g", HZ);
+		printf("HZ=%g", (double)HZ);
 # ifdef _SC_CLK_TCK
 		printf(" [sysconf value]");
 # endif
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -98,6 +98,9 @@ int MAIN(int argc, char **argv)

 	if (!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	prog=argv[0];
 	argc--;
 	argv++;
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -100,6 +100,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	argc--;
 	argv++;
 	for (;;)
--- a/apps/version.c
+++ b/apps/version.c
@@ -122,7 +122,7 @@
 # include <openssl/rc4.h>
 #endif
 #ifndef OPENSSL_NO_DES
-# include <openssl/des_old.h>
+# include <openssl/des.h>
 #endif
 #ifndef OPENSSL_NO_IDEA
 # include <openssl/idea.h>
@@ -186,7 +186,7 @@ int MAIN(int argc, char **argv)
 		printf("%s ",RC4_options());
 #endif
 #ifndef OPENSSL_NO_DES
-		printf("%s ",des_options());
+		printf("%s ",DES_options());
 #endif
 #ifndef OPENSSL_NO_IDEA
 		printf("%s ",idea_options());
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -191,6 +191,9 @@ int MAIN(int argc, char **argv)

 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+	if (!load_config(bio_err, NULL))
+		goto end;
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	{
--- a/23
+++ b/23
@@ -344,6 +344,13 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	exit 0
 	;;

+    *"CRAY T3E")
+       echo "t3e-cray-unicosmk"; exit 0;
+       ;;
+
+    *CRAY*)
+       echo "j90-cray-unicos"; exit 0;
+       ;;
 esac

 #
@@ -510,6 +517,10 @@ EOF
 	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
 	rm dummy dummy.c
 	;;
+  ppc64-*-linux2)
+	#Use the standard target for PPC architecture until we create a
+	#special one for the 64bit architecture.
+	OUT="linux-ppc" ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
@@ -613,9 +624,17 @@ EOF
  *86*-*-netbsd) OUT="NetBSD-x86" ;;
  sun3*-*-netbsd) OUT="NetBSD-m68" ;;
  *-*-netbsd) OUT="NetBSD-sparc" ;;
-  *86*-*-openbsd) OUT="OpenBSD-x86" ;;
  alpha*-*-openbsd) OUT="OpenBSD-alpha" ;;
+  *86*-*-openbsd) OUT="OpenBSD-i386" ;;
+  m68k*-*-openbsd) OUT="OpenBSD-m68k" ;;
+  m88k*-*-openbsd) OUT="OpenBSD-m88k" ;;
+  mips*-*-openbsd) OUT="OpenBSD-mips" ;;
  pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
+  powerpc*-*-openbsd) OUT="OpenBSD-powerpc" ;;
+  sparc64*-*-openbsd) OUT="OpenBSD-sparc64" ;;
+  sparc*-*-openbsd) OUT="OpenBSD-sparc" ;;
+  vax*-*-openbsd) OUT="OpenBSD-vax" ;;
+  hppa*-*-openbsd) OUT="OpenBSD-hppa" ;;
  *-*-openbsd) OUT="OpenBSD" ;;
  *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
  *-*-osf) OUT="alphaold-cc" ;;
@@ -680,6 +699,8 @@ EOF
  mips-sony-newsos4) OUT="newsos4-gcc" ;;
  *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
  *-*-cygwin) OUT="Cygwin" ;;
+  t3e-cray-unicosmk) OUT="cray-t3e" ;;
+  j90-cray-unicos) OUT="cray-j90" ;;
  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac

--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -57,7 +57,7 @@ buildinf.h: ../Makefile.ssl
 	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
 	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
 	echo "  #define PLATFORM \"$(PLATFORM)\""; \
-	echo "  #define DATE \"`date`\""; \
+	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
 	echo "#endif" ) >buildinf.h

 testapps:
--- a/crypto/aes/Makefile.ssl
+++ b/crypto/aes/Makefile.ssl
@@ -26,8 +26,8 @@ TEST=
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c
-LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o
+LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c aes_ctr.c
+LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o aes_cfb.o aes_ofb.o aes_ctr.o

 SRC= $(LIBSRC)

@@ -54,7 +54,7 @@ files:
 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-	@#$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

 install: installs
@@ -88,10 +88,16 @@ clean:

 aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h
+aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h
 aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
+aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h
 aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h
 aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_misc.o: ../../include/openssl/opensslconf.h
 aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c
+aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_ofb.o: ../../include/openssl/opensslconf.h aes_locl.h aes_ofb.c
--- a/crypto/aes/aes.h
+++ b/crypto/aes/aes.h
@@ -1,6 +1,6 @@
 /* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -58,8 +58,10 @@

 static const int AES_DECRYPT = 0;
 static const int AES_ENCRYPT = 1;
-#define AES_MAXNR 14 /* array size can't be a const in C */
-static const int AES_BLOCK_SIZE = 16; /* bytes */
+/* Because array size can't be a const in C, the following two are macros.
+   Both sizes are in bytes. */
+#define AES_MAXNR 14
+#define AES_BLOCK_SIZE 16

 #ifdef  __cplusplus
 extern "C" {
@@ -74,17 +76,31 @@ typedef struct aes_key_st AES_KEY;

 const char *AES_options(void);

-int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key);
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key);
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+	AES_KEY *key);
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+	AES_KEY *key);

-void AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key);
-void AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key);
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+	const AES_KEY *key);
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+	const AES_KEY *key);

 void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
-	       	     const AES_KEY *key, const int enc);
+	const AES_KEY *key, const int enc);
 void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
-	       	     const unsigned long length, const AES_KEY *key,
-		     unsigned char *ivec, const int enc);
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, const int enc);
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, int *num, const int enc);
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, int *num);
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *counter, unsigned int *num);
+

 #ifdef  __cplusplus
 }
--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
@@ -1,6 +1,6 @@
 /* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@@ -0,0 +1,151 @@
+/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, int *num, const int enc) {
+
+	unsigned int n;
+	unsigned long l = length;
+	unsigned char c;
+
+	assert(in && out && key && ivec && num);
+
+	n = *num;
+
+	if (enc) {
+		while (l--) {
+			if (n == 0) {
+				AES_encrypt(ivec, ivec, key);
+			}
+			ivec[n] = *(out++) = *(in++) ^ ivec[n];
+			n = (n+1) % AES_BLOCK_SIZE;
+		}
+	} else {
+		while (l--) {
+			if (n == 0) {
+				AES_decrypt(ivec, ivec, key);
+			}
+			c = *(in);
+			*(out++) = *(in++) ^ ivec[n];
+			ivec[n] = c;
+			n = (n+1) % AES_BLOCK_SIZE;
+		}
+	}
+
+	*num=n;
+}
+
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -715,16 +715,6 @@ static const u32 rcon[] = {
 	0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
 };

-#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
-
-#ifdef _MSC_VER
-#define GETU32(p) SWAP(*((u32 *)(p)))
-#define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
-#else
-#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
-#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
-#endif
-
 /**
 * Expand the cipher key into the encryption key schedule.
 */
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -0,0 +1,117 @@
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* NOTE: CTR mode is big-endian.  The rest of the AES code
+ * is endian-neutral. */
+
+/* increment counter (128-bit int) by 2^64 */
+static void AES_ctr128_inc(unsigned char *counter) {
+	unsigned long c;
+
+	/* Grab 3rd dword of counter and increment */
+#ifdef L_ENDIAN
+	c = GETU32(counter + 8);
+	c++;
+	PUTU32(counter + 8, c);
+#else
+	c = GETU32(counter + 4);
+	c++;
+	PUTU32(counter + 4, c);
+#endif
+
+	/* if no overflow, we're done */
+	if (c)
+		return;
+
+	/* Grab top dword of counter and increment */
+#ifdef L_ENDIAN
+	c = GETU32(counter + 12);
+	c++;
+	PUTU32(counter + 12, c);
+#else
+	c = GETU32(counter +  0);
+	c++;
+	PUTU32(counter +  0, c);
+#endif
+
+}
+
+/* The input encrypted as though 128bit counter mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *counter, unsigned int *num) {
+
+	unsigned int n;
+	unsigned long l=length;
+	unsigned char tmp[AES_BLOCK_SIZE];
+
+	assert(in && out && key && counter && num);
+
+	n = *num;
+
+	while (l--) {
+		if (n == 0) {
+			AES_ctr128_inc(counter);
+			AES_encrypt(counter, tmp, key);
+		}
+		*(out++) = *(in++) ^ tmp[n];
+		n = (n+1) % AES_BLOCK_SIZE;
+	}
+
+	*num=n;
+}
--- a/crypto/aes/aes_ecb.c
+++ b/crypto/aes/aes_ecb.c
@@ -1,6 +1,6 @@
 /* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -1,6 +1,6 @@
 /* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -65,6 +65,15 @@
 #include <string.h>
 #endif

+#ifdef _MSC_VER
+# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+# define GETU32(p) SWAP(*((u32 *)(p)))
+# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
+#else
+# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
+# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
+#endif
+
 typedef unsigned long u32;
 typedef unsigned short u16;
 typedef unsigned char u8;
--- a/crypto/aes/aes_misc.c
+++ b/crypto/aes/aes_misc.c
@@ -1,6 +1,6 @@
 /* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/crypto/aes/aes_ofb.c
+++ b/crypto/aes/aes_ofb.c
@@ -1,3 +1,53 @@
+/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -55,42 +105,32 @@
 * [including the GNU Public Licence.]
 */

-#ifdef __cplusplus
-extern "C" {
-#endif
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"

-#include "EXTERN.h"
-#include "perl.h"
-#include "XSUB.h"
+/* The input and output encrypted as though 128bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, int *num) {

-#ifdef __cplusplus
+	unsigned int n;
+	unsigned long l=length;
+
+	assert(in && out && key && ivec && num);
+
+	n = *num;
+
+	while (l--) {
+		if (n == 0) {
+			AES_encrypt(ivec, ivec, key);
+		}
+		*(out++) = *(in++) ^ ivec[n];
+		n = (n+1) % AES_BLOCK_SIZE;
+	}
+
+	*num=n;
 }
-#endif
-
-typedef struct datum_st {
-    char *dptr;
-    int dsize;
-} datum;
-
-#include <openssl/crypto.h>
-#include <openssl/buffer.h>
-#include <openssl/bio.h>
-#include <openssl/evp.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-#include <openssl/ssl.h>
-
-#ifdef DEBUG
-#define pr_name(name)           printf("%s\n",name)
-#define pr_name_d(name,p2)      printf("%s %d\n",name,p2)
-#define pr_name_dd(name,p2,p3)  printf("%s %d %d\n",name,p2,p3)
-#else
-#define pr_name(name)
-#define pr_name_d(name,p2)
-#define pr_name_dd(name,p2,p3)
-#endif
-
-SV *new_ref(char *type, char *obj, int mort);
-int ex_new(char *obj, SV *data, CRYPTO_EX_DATA *ad, int idx, long argl, char *argp);
-void ex_cleanup(char *obj, SV *data, CRYPTO_EX_DATA *ad, int idx, long argl, char *argp);
-
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */

 #include <stdio.h>
 #include <time.h>
@@ -90,7 +143,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
+			{
+			/* special case: RFC 2459 tells us to omit 'parameters'
+			 * with id-dsa-with-sha1 */
+			ASN1_TYPE_free(a->parameter);
+			a->parameter = NULL;
+			}
+		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
@@ -169,7 +229,14 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
+			{
+			/* special case: RFC 2459 tells us to omit 'parameters'
+			 * with id-dsa-with-sha1 */
+			ASN1_TYPE_free(a->parameter);
+			a->parameter = NULL;
+			}
+		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -440,6 +440,8 @@ typedef const ASN1_ITEM * ASN1_ITEM_EXP(void);
 DECLARE_STACK_OF(ASN1_INTEGER)
 DECLARE_ASN1_SET_OF(ASN1_INTEGER)

+DECLARE_STACK_OF(ASN1_GENERALSTRING)
+
 typedef struct asn1_type_st
 	{
 	int type;
@@ -1012,6 +1014,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_I2D_PUBLICKEY				 164
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
+#define ASN1_F_OID_MODULE_INIT				 175
 #define ASN1_F_PKCS5_PBE2_SET				 167
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
@@ -1021,6 +1024,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_X509_PKEY_NEW				 173

 /* Reason codes. */
+#define ASN1_R_ADDING_OBJECT				 171
 #define ASN1_R_AUX_ERROR				 100
 #define ASN1_R_BAD_CLASS				 101
 #define ASN1_R_BAD_OBJECT_HEADER			 102
@@ -1034,6 +1038,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_DECODE_ERROR				 110
 #define ASN1_R_DECODING_ERROR				 111
 #define ASN1_R_ENCODE_ERROR				 112
+#define ASN1_R_ERROR_LOADING_SECTION			 172
 #define ASN1_R_ERROR_PARSING_SET_ELEMENT		 113
 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS		 114
 #define ASN1_R_EXPECTING_AN_INTEGER			 115
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -134,6 +134,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
 {ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),	"i2d_RSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_LONG_C2I,0),	"LONG_C2I"},
+{ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0),	"OID_MODULE_INIT"},
 {ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),	"PKCS5_pbe2_set"},
 {ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_NEW"},
 {ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0),	"X509_CRL_add0_revoked"},
@@ -146,6 +147,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=

 static ERR_STRING_DATA ASN1_str_reasons[]=
 	{
+{ASN1_R_ADDING_OBJECT                    ,"adding object"},
 {ASN1_R_AUX_ERROR                        ,"aux error"},
 {ASN1_R_BAD_CLASS                        ,"bad class"},
 {ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
@@ -159,6 +161,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
 {ASN1_R_ENCODE_ERROR                     ,"encode error"},
+{ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
 {ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
 {ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
 {ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
--- a/crypto/asn1/asn_moid.c
+++ b/crypto/asn1/asn_moid.c
@@ -65,21 +65,31 @@

 /* Simple ASN1 OID module: add all objects in a given section */

-/* NOTE: doesn't do anything other than print debug messages yet... */
 static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 	{
-	fprintf(stderr, "Called oid_module_init: name %s, value %s\n",
-			CONF_imodule_get_name(md), CONF_imodule_get_value(md));
+	int i;
+	const char *oid_section;
+	STACK_OF(CONF_VALUE) *sktmp;
+	CONF_VALUE *oval;
+	oid_section = CONF_imodule_get_value(md);
+	if(!(sktmp = NCONF_get_section(cnf, oid_section)))
+		{
+		ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
+		return 0;
+		}
+	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
+		{
+		oval = sk_CONF_VALUE_value(sktmp, i);
+		if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef)
+			{
+			ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT);
+			return 0;
+			}
+		}
 	return 1;
-	}
-
-static void oid_module_finish(CONF_IMODULE *md)
-	{
-	fprintf(stderr, "Called oid_module_finish: name %s, value %s\n",
-			CONF_imodule_get_name(md), CONF_imodule_get_value(md));
-	}
+}

 void ASN1_add_oid_module(void)
 	{
-	CONF_module_add("oid_section", oid_module_init, oid_module_finish);
+	CONF_module_add("oid_section", oid_module_init, 0);
 	}
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -113,7 +113,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
-		if ((ret->pkey.ecdsa = d2i_ECDSAPublicKey(&(ret->pkey.ecdsa), 
+		if ((ret->pkey.ecdsa = ECDSAPublicKey_set_octet_string(&(ret->pkey.ecdsa), 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -85,7 +85,7 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
-		return(i2d_ECDSAPublicKey(a->pkey.ecdsa, pp));
+		return(ECDSAPublicKey_get_octet_string(a->pkey.ecdsa, pp));
 #endif
 	default:
 		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -116,6 +116,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
 		goto err;

+	EVP_CIPHER_CTX_init(&ctx);
+
 	/* Dummy cipherinit to just setup the IV */
 	EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
 	if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -237,7 +237,8 @@ int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 	unsigned char *buffer=NULL;
 	int     i, buf_len=0, ret=0, reason=ERR_R_BIO_LIB;
 	BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL,
-		*tmp_4=NULL, *tmp_5=NULL;
+		*tmp_4=NULL, *tmp_5=NULL, *tmp_6=NULL,
+		*tmp_7=NULL;
 	BN_CTX  *ctx=NULL;
 	EC_POINT *point=NULL;
 
@@ -249,7 +250,8 @@ int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 		goto err;
 		}
 	if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
-		(tmp_3 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
+		(tmp_3 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL ||
+		(tmp_6 = BN_new()) == NULL || (tmp_7 = BN_new()) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
@@ -264,7 +266,12 @@ int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
-	if ((buf_len = EC_POINT_point2oct(x->group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, ctx)) == 0)
+	if (!EC_GROUP_get_order(x->group, tmp_6, NULL) || !EC_GROUP_get_cofactor(x->group, tmp_7, NULL))
+		{
+		reason = ERR_R_EC_LIB;
+		goto err;
+		}
+	if ((buf_len = EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), NULL, 0, ctx)) == 0)
 		{
 		reason = ECDSA_R_UNEXPECTED_PARAMETER_LENGTH;
 		goto err;
@@ -274,14 +281,14 @@ int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
-	if (!EC_POINT_point2oct(x->group, point, POINT_CONVERSION_COMPRESSED, 
+	if (!EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), 
 				buffer, buf_len, ctx)) goto err;
 	if ((tmp_4 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
 		{
 		reason = ERR_R_BN_LIB;
 		goto err;
 		}
-	if ((i = EC_POINT_point2oct(x->group, x->pub_key, POINT_CONVERSION_COMPRESSED, NULL, 0, ctx)) == 0)
+	if ((i = EC_POINT_point2oct(x->group, x->pub_key, ECDSA_get_conversion_form(x), NULL, 0, ctx)) == 0)
 		{
 		reason = ECDSA_R_UNEXPECTED_PARAMETER_LENGTH;
 		goto err;
@@ -292,7 +299,7 @@ int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 		buf_len = i;
 		goto err;
 		}
-	if (!EC_POINT_point2oct(x->group, x->pub_key, POINT_CONVERSION_COMPRESSED, 
+	if (!EC_POINT_point2oct(x->group, x->pub_key, ECDSA_get_conversion_form(x), 
 				buffer, buf_len, ctx))
 		{
 		reason = ERR_R_EC_LIB;
@@ -330,6 +337,8 @@ int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 	if ((tmp_2 != NULL) && !print(bp, "A:   ", tmp_2, buffer, off)) goto err;
 	if ((tmp_3 != NULL) && !print(bp, "B:   ", tmp_3, buffer, off)) goto err;
 	if ((tmp_4 != NULL) && !print(bp, "Gen: ", tmp_4, buffer, off)) goto err;
+	if ((tmp_6 != NULL) && !print(bp, "Order: ", tmp_6, buffer, off)) goto err;
+	if ((tmp_7 != NULL) && !print(bp, "Cofactor: ", tmp_7, buffer, off)) goto err;
 	ret=1;
 err:
 	if (!ret)
@@ -339,6 +348,8 @@ err:
 	if (tmp_3) BN_free(tmp_3);
 	if (tmp_4) BN_free(tmp_4);
 	if (tmp_5) BN_free(tmp_5);
+	if (tmp_6) BN_free(tmp_6);
+	if (tmp_7) BN_free(tmp_7);
 	if (ctx)   BN_CTX_free(ctx);
 	if (buffer != NULL) OPENSSL_free(buffer);
 	return(ret);
@@ -519,7 +530,8 @@ int ECDSAParameters_print(BIO *bp, const ECDSA *x)
       unsigned char *buffer=NULL;
       int     buf_len;
       int     reason=ERR_R_EC_LIB, i, ret=0;
-       BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL, *tmp_4=NULL;
+       BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL, *tmp_4=NULL,
+               *tmp_5=NULL, *tmp_6=NULL;
       BN_CTX  *ctx=NULL;
       EC_POINT *point=NULL;
 
@@ -530,20 +542,23 @@ int ECDSAParameters_print(BIO *bp, const ECDSA *x)
 		goto err;
       }
       if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
-	   (tmp_3 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
+	   (tmp_3 = BN_new()) == NULL || (tmp_5 = BN_new()) == NULL ||
+           (tmp_6 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
       {
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 	}
 	if (!EC_GROUP_get_curve_GFp(x->group, tmp_1, tmp_2, tmp_3, ctx)) goto err;
 	if ((point = EC_GROUP_get0_generator(x->group)) == NULL) goto err;
-	buf_len = EC_POINT_point2oct(x->group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, ctx);
+	if (!EC_GROUP_get_order(x->group, tmp_5, ctx)) goto err;
+	if (!EC_GROUP_get_cofactor(x->group, tmp_6, ctx)) goto err;	
+	buf_len = EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), NULL, 0, ctx);
 	if (!buf_len || (buffer = OPENSSL_malloc(buf_len)) == NULL)
 	{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 	}
-	if (!EC_POINT_point2oct(x->group, point, POINT_CONVERSION_COMPRESSED, buffer, buf_len, ctx))
+	if (!EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), buffer, buf_len, ctx))
 	{
 		reason = ERR_R_EC_LIB;
 		goto err;
@@ -565,13 +580,17 @@ int ECDSAParameters_print(BIO *bp, const ECDSA *x)
 	if (!print(bp, "Prime p:", tmp_1, buffer, 4)) goto err;
 	if (!print(bp, "Curve a:", tmp_2, buffer, 4)) goto err;
 	if (!print(bp, "Curve b:", tmp_3, buffer, 4)) goto err;
-	if (!print(bp, "Generator ( compressed ) :", tmp_4, buffer, 4)) goto err; 
+	if (!print(bp, "Generator (compressed):", tmp_4, buffer, 4)) goto err; 
+	if (!print(bp, "Order:", tmp_5, buffer, 4)) goto err;
+	if (!print(bp, "Cofactor:", tmp_6, buffer, 4)) goto err;
 	ret=1;
 err:
 	if (tmp_1)  BN_free(tmp_1);
 	if (tmp_2)  BN_free(tmp_2);
 	if (tmp_3)  BN_free(tmp_3);
 	if (tmp_4)  BN_free(tmp_4);
+	if (tmp_5)  BN_free(tmp_5);
+	if (tmp_6)  BN_free(tmp_6);
 	if (ctx)    BN_CTX_free(ctx);
 	if (buffer) OPENSSL_free(buffer);
 	ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT, reason);
--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -85,7 +85,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 	X509_PUBKEY *pk;
 	X509_ALGOR *a;
 	ASN1_OBJECT *o;
-	unsigned char *s,*p;
+	unsigned char *s,*p = NULL;
 	int i;

 	if (x == NULL) return(0);
@@ -132,44 +132,54 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 #ifndef OPENSSL_NO_ECDSA
 	else if (pkey->type == EVP_PKEY_ECDSA)
 		{
+		int nid=0;
 		unsigned char *pp;
 		ECDSA *ecdsa;
 		
 		ecdsa = pkey->pkey.ecdsa;
-		ecdsa->write_params=0;
 		ASN1_TYPE_free(a->parameter);
-		if ((i = i2d_ECDSAParameters(ecdsa, NULL)) == 0)
-			{
-			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
-			goto err;
-			}
-		if ((p = (unsigned char *) OPENSSL_malloc(i)) == NULL)
-			{
-			X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
-			goto err;
-			}	
-		pp = p;
-		if (!i2d_ECDSAParameters(ecdsa, &pp))
-			{
-			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
-			OPENSSL_free(p);
-			goto err;
-			}
+
 		if ((a->parameter = ASN1_TYPE_new()) == NULL)
 			{
 			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
-			OPENSSL_free(p);
 			goto err;
 			}
-		a->parameter->type = V_ASN1_SEQUENCE;
-		if ((a->parameter->value.sequence = ASN1_STRING_new()) == NULL)
+
+		if ((ECDSA_get_parameter_flags(ecdsa) & ECDSA_FLAG_NAMED_CURVE) && (nid = EC_GROUP_get_nid(ecdsa->group)))
 			{
-			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
-			OPENSSL_free(p);
-			goto err;
+			/* just set the OID */
+			a->parameter->type = V_ASN1_OBJECT;
+			a->parameter->value.object = OBJ_nid2obj(nid);
+			}
+		else /* explicit parameters */
+			{
+			if ((i = i2d_ECDSAParameters(ecdsa, NULL)) == 0)
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
+				goto err;
+				}
+			if ((p = (unsigned char *) OPENSSL_malloc(i)) == NULL)
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
+				goto err;
+				}	
+			pp = p;
+			if (!i2d_ECDSAParameters(ecdsa, &pp))
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
+				OPENSSL_free(p);
+				goto err;
+				}
+			a->parameter->type = V_ASN1_SEQUENCE;
+			if ((a->parameter->value.sequence = ASN1_STRING_new()) == NULL)
+				{
+				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
+				OPENSSL_free(p);
+				goto err;
+				}
+			ASN1_STRING_set(a->parameter->value.sequence, p, i);
+			OPENSSL_free(p);
 			}
-		ASN1_STRING_set(a->parameter->value.sequence, p, i);
-		OPENSSL_free(p);
 		}
 #endif
 	else if (1)
@@ -212,7 +222,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	long j;
 	int type;
 	unsigned char *p;
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	const unsigned char *cp;
 	X509_ALGOR *a;
 #endif
@@ -237,7 +247,9 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)

 	/* the parameters must be extracted before the public key (ECDSA!) */
 	
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	a=key->algor;
+#endif

 	if (0)
 		;
@@ -265,12 +277,14 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 		{
 		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
 			{
+			/* type == V_ASN1_SEQUENCE => we have explicit parameters
+                         * (e.g. parameters in the X9_62_EC_PARAMETERS-structure )
+			 */
 			if ((ret->pkey.ecdsa= ECDSA_new()) == NULL)
 				{
 				X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
-			ret->pkey.ecdsa->write_params = 0;
 			cp = p = a->parameter->value.sequence->data;
 			j = a->parameter->value.sequence->length;
 			if (!d2i_ECDSAParameters(&ret->pkey.ecdsa, &cp, (long)j))
@@ -279,6 +293,20 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 				goto err;
 				}
 			}
+		else if (a->parameter && (a->parameter->type == V_ASN1_OBJECT))
+			{
+			/* type == V_ASN1_OBJECT => the parameters are given
+			 * by an asn1 OID
+			 */
+			if (ret->pkey.ecdsa == NULL)
+				ret->pkey.ecdsa = ECDSA_new();
+			if (ret->pkey.ecdsa->group)
+				EC_GROUP_free(ret->pkey.ecdsa->group);
+			ret->pkey.ecdsa->parameter_flags |= ECDSA_FLAG_NAMED_CURVE;
+			if ((ret->pkey.ecdsa->group = EC_GROUP_new_by_name(OBJ_obj2nid(a->parameter->value.object))) == NULL)
+				goto err;
+			}
+			/* the case implicitlyCA is currently not implemented */
 		ret->save_parameters = 1;
 		}
 #endif
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -56,6 +56,13 @@
 * [including the GNU Public Licence.]
 */

+/* disable assert() unless BIO_DEBUG has been defined */
+#ifndef BIO_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
 /* 
 * Stolen from tjh's ssl/ssl_trc.c stuff.
 */
@@ -716,12 +723,13 @@ doapr_outch(
    if (buffer) {
 	while (*currlen >= *maxlen) {
 	    if (*buffer == NULL) {
-		assert(*sbuffer != NULL);
 		if (*maxlen == 0)
 		    *maxlen = 1024;
 		*buffer = OPENSSL_malloc(*maxlen);
-		if (*currlen > 0)
+		if (*currlen > 0) {
+		    assert(*sbuffer != NULL);
 		    memcpy(*buffer, *sbuffer, *currlen);
+		}
 		*sbuffer = NULL;
 	    } else {
 		*maxlen += 1024;
@@ -761,7 +769,9 @@ int BIO_vprintf (BIO *bio, const char *format, va_list args)
 	{
 	int ret;
 	size_t retlen;
-	MS_STATIC char hugebuf[1024*10];
+	char hugebuf[1024*2];	/* Was previously 10k, which is unreasonable
+				   in small-stack environments, like threads
+				   or DOS programs. */
 	char *hugebufp = hugebuf;
 	size_t hugebufsize = sizeof(hugebuf);
 	char *dynbuf = NULL;
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -72,9 +72,9 @@
 #endif

 #ifdef SO_MAXCONN
-#define MAX_LISTEN  SOMAXCONN
-#elif defined(SO_MAXCONN)
 #define MAX_LISTEN  SO_MAXCONN
+#elif defined(SOMAXCONN)
+#define MAX_LISTEN  SOMAXCONN
 #else
 #define MAX_LISTEN  32
 #endif
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -200,7 +200,7 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
 					}
 				}

-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, "<*<", 3);
 #endif
 			i=BIO_write(b->next_bio,
@@ -210,13 +210,13 @@ BIO_write(b->next_bio, "<*<", 3);
 				ctx->obuf_len = orig_olen;
 				BIO_copy_next_retry(b);

-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
 				if (i < 0) return((num > 0)?num:i);
 				if (i == 0) return(num);
 				}
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
 			if (i < ctx->obuf_len)
@@ -229,20 +229,20 @@ BIO_write(b->next_bio, ">*>", 3);
 		   buffer if a NL was found and there is anything to write. */
 		if ((foundnl || p - in > ctx->obuf_size) && p - in > 0)
 			{
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, "<*<", 3);
 #endif
 			i=BIO_write(b->next_bio,in,p - in);
 			if (i <= 0)
 				{
 				BIO_copy_next_retry(b);
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
 				if (i < 0) return((num > 0)?num:i);
 				if (i == 0) return(num);
 				}
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
 			num+=i;
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -7,9 +7,18 @@
 * for which no specific BIO method is available.
 * See ssl/ssltest.c for some hints on how this can be used. */

+/* BIO_DEBUG implies BIO_PAIR_DEBUG */
+#ifdef BIO_DEBUG
+# ifndef BIO_PAIR_DEBUG
+#  define BIO_PAIR_DEBUG
+# endif
+#endif
+
+/* disable assert() unless BIO_PAIR_DEBUG has been defined */
 #ifndef BIO_PAIR_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
-# define NDEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
 #endif

 #include <assert.h>
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -136,7 +136,7 @@ extern "C" {
 #define BN_MASK2h	(0xffffffff00000000LL)
 #define BN_MASK2h1	(0xffffffff80000000LL)
 #define BN_TBIT		(0x8000000000000000LL)
-#define BN_DEC_CONV	(10000000000000000000LL)
+#define BN_DEC_CONV	(10000000000000000000ULL)
 #define BN_DEC_FMT1	"%llu"
 #define BN_DEC_FMT2	"%019llu"
 #define BN_DEC_NUM	19
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -428,6 +428,8 @@ void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
 	BN_ULONG *t);
 void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
 	BN_ULONG *t);
+BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+	int cl, int dl);
 BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 	int cl, int dl);

--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -408,16 +408,22 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		return;
 		}
 #  endif
-	if (n2 == 8)
+	/* Only call bn_mul_comba 8 if n2 == 8 and the
+	 * two arrays are complete [steve]
+	 */
+	if (n2 == 8 && dna == 0 && dnb == 0)
 		{
 		bn_mul_comba8(r,a,b);
 		return; 
 		}
 # endif /* BN_MUL_COMBA */
+	/* Else do normal multiply */
 	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
 		{
-		/* This should not happen */
-		bn_mul_normal(r,a,n2,b,n2);
+		bn_mul_normal(r,a,n2+dna,b,n2+dnb);
+		if ((dna + dnb) < 0)
+			memset(&r[2*n2 + dna + dnb], 0,
+				sizeof(BN_ULONG) * -(dna + dnb));
 		return;
 		}
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
--- a/crypto/conf/Makefile.ssl
+++ b/crypto/conf/Makefile.ssl
@@ -23,9 +23,11 @@ TEST=
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC= conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c conf_mall.c
+LIBSRC= conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \
+	 conf_mall.c conf_sap.c

-LIBOBJ=	conf_err.o conf_lib.o conf_api.o conf_def.o conf_mod.o conf_mall.o
+LIBOBJ=	conf_err.o conf_lib.o conf_api.o conf_def.o conf_mod.o \
+	conf_mall.o conf_sap.o

 SRC= $(LIBSRC)

@@ -143,3 +145,21 @@ conf_mod.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 conf_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_mod.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 conf_mod.o: ../cryptlib.h conf_mod.c
+conf_sap.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_sap.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+conf_sap.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_sap.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+conf_sap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+conf_sap.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+conf_sap.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
+conf_sap.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+conf_sap.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+conf_sap.o: ../../include/openssl/opensslconf.h
+conf_sap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+conf_sap.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+conf_sap.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+conf_sap.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+conf_sap.o: ../cryptlib.h conf_sap.c
--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -112,6 +112,7 @@ typedef void conf_finish_func(CONF_IMODULE *md);
 #define CONF_MFLAGS_IGNORE_RETURN_CODES	0x2
 #define CONF_MFLAGS_SILENT		0x4
 #define CONF_MFLAGS_NO_DSO		0x8
+#define CONF_MFLAGS_IGNORE_MISSING_FILE	0x10

 int CONF_set_default_method(CONF_METHOD *meth);
 void CONF_set_nconf(CONF *conf,LHASH *hash);
@@ -127,7 +128,7 @@ void CONF_free(LHASH *conf);
 int CONF_dump_fp(LHASH *conf, FILE *out);
 int CONF_dump_bio(LHASH *conf, BIO *out);

-void OPENSSL_config(void);
+void OPENSSL_config(const char *config_name);

 /* New conf code.  The semantics are different from the functions above.
   If that wasn't the case, the above functions would have been replaced */
@@ -193,6 +194,8 @@ char *CONF_get1_default_config_file(void);
 int CONF_parse_list(const char *list, int sep, int nospc,
 	int (*list_cb)(const char *elem, int len, void *usr), void *arg);

+void OPENSSL_load_builtin_modules(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
--- a/crypto/conf/conf_mall.c
+++ b/crypto/conf/conf_mall.c
@@ -65,6 +65,8 @@
 #include <openssl/asn1.h>
 #include <openssl/engine.h>

+/* Load all OpenSSL builtin modules */
+
 void OPENSSL_load_builtin_modules(void)
 	{
 	/* Add builtin modules here */
@@ -72,55 +74,3 @@ void OPENSSL_load_builtin_modules(void)
 	ENGINE_add_conf_module();
 	}

-#if 0 /* not yet */
-/* This is the automatic configuration loader: it is called automatically by
- * OpenSSL when any of a number of standard initialisation functions are called,
- * unless this is overridden by calling OPENSSL_no_config()
- */
-#endif
-
-static int openssl_configured = 0;
-
-void OPENSSL_config(void)
-	{
-	int err_exit = 0;
-	char *file;
-	if (openssl_configured)
-		return;
-
-	OPENSSL_load_builtin_modules();
-
-	file = CONF_get1_default_config_file();
-	if (!file)
-		return;
-
-	ERR_clear_error();
-	if (CONF_modules_load_file(file, "openssl_config", 0) <= 0)
-		{
-		if (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE)
-			ERR_clear_error();
-		else
-			err_exit = 1;
-		}
-
-	OPENSSL_free(file);
-	if (err_exit)
-		{
-		BIO *bio_err;
-		ERR_load_crypto_strings();
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-			{
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-			BIO_printf(bio_err,"Auto configuration failed\n");
-			ERR_print_errors(bio_err);
-			}
-		exit(1);
-		}
-
-	return;
-	}
-
-void OPENSSL_no_config()
-	{
-	openssl_configured = 1;
-	}
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -130,9 +130,11 @@ int CONF_modules_load(const CONF *cnf, const char *appname,

 	int ret, i;

-	if (!cnf || !appname)
+	if (!cnf)
 		return 1;

+	if (appname == NULL)
+		appname = "openssl_conf";

 	vsection = NCONF_get_string(cnf, NULL, appname); 

@@ -163,18 +165,38 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
 int CONF_modules_load_file(const char *filename, const char *appname,
 			   unsigned long flags)
 	{
+	char *file = NULL;
 	CONF *conf = NULL;
 	int ret = 0;
 	conf = NCONF_new(NULL);
 	if (!conf)
 		goto err;

-	if (NCONF_load(conf, filename, NULL) <= 0)
+	if (filename == NULL)
+		{
+		file = CONF_get1_default_config_file();
+		if (!file)
+			goto err;
+		}
+	else
+		file = (char *)filename;
+
+	if (NCONF_load(conf, file, NULL) <= 0)
+		{
+		if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) &&
+		  (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE))
+			{
+			ERR_clear_error();
+			ret = 1;
+			}
 		goto err;
+		}

 	ret = CONF_modules_load(conf, appname, flags);

 	err:
+	if (filename == NULL)
+		OPENSSL_free(file);
 	NCONF_free(conf);

 	return ret;
@@ -189,7 +211,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
 	md = module_find(name);

 	/* Module not found: try to load DSO */
-	if (!md)
+	if (!md && !(flags & CONF_MFLAGS_NO_DSO))
 		md = module_load_dso(cnf, name, value, flags);

 	if (!md)
@@ -248,11 +270,6 @@ static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
 		goto err;
 		}
        ffunc = (conf_finish_func *)DSO_bind_func(dso, DSO_mod_finish_name);
-	if (!ffunc)
-		{
-		errcode = CONF_R_MISSING_FINISH_FUNCTION;
-		goto err;
-		}
 	/* All OK, add module */
 	md = module_add(dso, name, ifunc, ffunc);

@@ -405,6 +422,7 @@ void CONF_modules_unload(int all)
 	{
 	int i;
 	CONF_MODULE *md;
+	CONF_modules_finish();
 	/* unload modules in reverse order */
 	for (i = sk_CONF_MODULE_num(supported_modules) - 1; i >= 0; i--)
 		{
@@ -450,7 +468,8 @@ void CONF_modules_finish(void)

 static void module_finish(CONF_IMODULE *imod)
 	{
-	imod->pmod->finish(imod);
+	if (imod->pmod->finish)
+		imod->pmod->finish(imod);
 	imod->pmod->links--;
 	OPENSSL_free(imod->name);
 	OPENSSL_free(imod->value);
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c
@@ -0,0 +1,107 @@
+/* conf_sap.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* This is the automatic configuration loader: it is called automatically by
+ * OpenSSL when any of a number of standard initialisation functions are called,
+ * unless this is overridden by calling OPENSSL_no_config()
+ */
+
+static int openssl_configured = 0;
+
+void OPENSSL_config(const char *config_name)
+	{
+	if (openssl_configured)
+		return;
+
+	OPENSSL_load_builtin_modules();
+	/* Need to load ENGINEs */
+	ENGINE_load_builtin_engines();
+	/* Add others here? */
+
+
+	ERR_clear_error();
+	if (CONF_modules_load_file(NULL, NULL,
+					CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
+		{
+		BIO *bio_err;
+		ERR_load_crypto_strings();
+		if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+			{
+			BIO_printf(bio_err,"Auto configuration failed\n");
+			ERR_print_errors(bio_err);
+			BIO_free(bio_err);
+			}
+		exit(1);
+		}
+
+	return;
+	}
+
+void OPENSSL_no_config()
+	{
+	openssl_configured = 1;
+	}
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -187,7 +187,8 @@ $ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ -
 	"enc_read,enc_writ,ofb64enc,"+ -
 	"ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
 	"des_enc,fcrypt_b,"+ -
-	"fcrypt,xcbc_enc,rpc_enc,cbc_cksm,ede_cbcm_enc,des_old"
+	"fcrypt,xcbc_enc,rpc_enc,cbc_cksm,"+ -
+	"ede_cbcm_enc,des_old,des_old2,read2pwd"
 $ LIB_RC2 = "rc2_ecb,rc2_skey,rc2_cbc,rc2cfb64,rc2ofb64"
 $ LIB_RC4 = "rc4_skey,rc4_enc"
 $ LIB_RC5 = "rc5_skey,rc5_ecb,rc5_enc,rc5cfb64,rc5ofb64"
@@ -214,8 +215,8 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
 	"tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ -
 	"eng_openssl,eng_dyn,eng_cnf,"+ -
 	"hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ -
-	"hw_openbsd_dev_crypto"
-$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc"
+	"hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca"
+$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
 	"bss_mem,bss_null,bss_fd,"+ -
@@ -274,8 +275,8 @@ $ LIB_COMP = "comp_lib,"+ -
 	"c_rle,c_zlib"
 $ LIB_OCSP = "ocsp_asn,ocsp_ext,ocsp_ht,ocsp_lib,ocsp_cl,"+ -
 	"ocsp_srv,ocsp_prn,ocsp_vfy,ocsp_err"
-$ LIB_UI_COMPAT = "ui_compat"
-$ LIB_UI = "ui_err,ui_lib,ui_openssl,"+LIB_UI_COMPAT
+$ LIB_UI_COMPAT = ",ui_compat"
+$ LIB_UI = "ui_err,ui_lib,ui_openssl,ui_util"+LIB_UI_COMPAT
 $ LIB_KRB5 = "krb5_asn"
 $!
 $! Setup exceptional compilations
--- a/crypto/des/Makefile.ssl
+++ b/crypto/des/Makefile.ssl
@@ -34,7 +34,8 @@ LIBSRC=	cbc_cksm.c cbc_enc.c  cfb64enc.c cfb_enc.c  \
 	qud_cksm.c rand_key.c rpc_enc.c  set_key.c  \
 	des_enc.c fcrypt_b.c \
 	xcbc_enc.c \
-	str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c des_old.c read2pwd.c
+	str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c des_old.c des_old2.c \
+	read2pwd.c

 LIBOBJ= set_key.o  ecb_enc.o  cbc_enc.o \
 	ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o  ofb64ede.o \
@@ -42,7 +43,7 @@ LIBOBJ= set_key.o  ecb_enc.o  cbc_enc.o \
 	ofb_enc.o  str2key.o  pcbc_enc.o qud_cksm.o rand_key.o \
 	${DES_ENC} \
 	fcrypt.o xcbc_enc.o rpc_enc.o  cbc_cksm.o \
-	ede_cbcm_enc.o des_old.o read2pwd.o
+	ede_cbcm_enc.o des_old.o des_old2.o read2pwd.o

 SRC= $(LIBSRC)

@@ -187,6 +188,14 @@ des_old.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 des_old.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 des_old.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 des_old.o: ../../include/openssl/ui_compat.h des_old.c
+des_old2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+des_old2.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+des_old2.o: ../../include/openssl/opensslconf.h
+des_old2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+des_old2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+des_old2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+des_old2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+des_old2.o: des_old2.c
 ecb3_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 ecb3_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 ecb3_enc.o: ../../include/openssl/opensslconf.h
--- a/crypto/des/asm/crypt586.pl
+++ b/crypto/des/asm/crypt586.pl
@@ -14,7 +14,7 @@ require "x86asm.pl";
 $L="edi";
 $R="esi";

-&external_label("des_SPtrans");
+&external_label("DES_SPtrans");
 &fcrypt_body("fcrypt_body");
 &asm_finish();

@@ -22,7 +22,7 @@ sub fcrypt_body
 	{
 	local($name,$do_ip)=@_;

-	&function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+	&function_begin($name,"EXTRN   _DES_SPtrans:DWORD");

 	&comment("");
 	&comment("Load the 2 words");
@@ -39,11 +39,11 @@ sub fcrypt_body
 		{
 		&comment("");
 		&comment("Round $i");
-		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");

 		&comment("");
 		&comment("Round ".sprintf("%d",$i+1));
-		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
 		}
 	 &mov("ebx",	&swtmp(0));
 	&mov("eax",	$L);
--- a/crypto/des/asm/des-586.pl
+++ b/crypto/des/asm/des-586.pl
@@ -19,7 +19,7 @@ require "desboth.pl";
 $L="edi";
 $R="esi";

-&external_label("des_SPtrans");
+&external_label("DES_SPtrans");
 &DES_encrypt("DES_encrypt1",1);
 &DES_encrypt("DES_encrypt2",0);
 &DES_encrypt3("DES_encrypt3",1);
@@ -33,7 +33,7 @@ sub DES_encrypt
 	{
 	local($name,$do_ip)=@_;

-	&function_begin_B($name,"EXTRN   _des_SPtrans:DWORD");
+	&function_begin_B($name,"EXTRN   _DES_SPtrans:DWORD");

 	&push("esi");
 	&push("edi");
@@ -80,11 +80,11 @@ sub DES_encrypt
 		{
 		&comment("");
 		&comment("Round $i");
-		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");

 		&comment("");
 		&comment("Round ".sprintf("%d",$i+1));
-		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
 		}
 	&jmp(&label("end"));

@@ -94,10 +94,10 @@ sub DES_encrypt
 		{
 		&comment("");
 		&comment("Round $i");
-		&D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
 		&comment("");
 		&comment("Round ".sprintf("%d",$i-1));
-		&D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+		&D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
 		}

 	&set_label("end");
--- a/crypto/des/asm/des686.pl
+++ b/crypto/des/asm/des686.pl
@@ -58,7 +58,7 @@ sub DES_encrypt
 	{
 	local($name,$do_ip)=@_;

-	&function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+	&function_begin($name,"EXTRN   _DES_SPtrans:DWORD");

 	&comment("");
 	&comment("Load the 2 words");
@@ -94,11 +94,11 @@ sub DES_encrypt
 		{
 		&comment("");
 		&comment("Round $i");
-		&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		&D_ENCRYPT($L,$R,$i*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");

 		&comment("");
 		&comment("Round ".sprintf("%d",$i+1));
-		&D_ENCRYPT($R,$L,($i+1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		&D_ENCRYPT($R,$L,($i+1)*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
 		}
 	&jmp(&label("end"));

@@ -108,10 +108,10 @@ sub DES_encrypt
 		{
 		&comment("");
 		&comment("Round $i");
-		&D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		&D_ENCRYPT($L,$R,$i*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
 		&comment("");
 		&comment("Round ".sprintf("%d",$i-1));
-		&D_ENCRYPT($R,$L,($i-1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+		&D_ENCRYPT($R,$L,($i-1)*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
 		}

 	&set_label("end");
--- a/crypto/des/des.c
+++ b/crypto/des/des.c
@@ -153,12 +153,14 @@ int main(int argc, char **argv)
 				case 'c':
 					cflag=1;
 					strncpy(cksumname,p,200);
+					cksumname[sizeof(cksumname)-1]='\0';
 					p+=strlen(cksumname);
 					break;
 				case 'C':
 					cflag=1;
 					longk=1;
 					strncpy(cksumname,p,200);
+					cksumname[sizeof(cksumname)-1]='\0';
 					p+=strlen(cksumname);
 					break;
 				case 'e':
@@ -190,6 +192,7 @@ int main(int argc, char **argv)
 				case 'u':
 					uflag=1;
 					strncpy(uuname,p,200);
+					uuname[sizeof(uuname)-1]='\0';
 					p+=strlen(uuname);
 					break;
 				case 'h':
--- a/crypto/des/des.h
+++ b/crypto/des/des.h
@@ -66,10 +66,6 @@
 #include <openssl/opensslconf.h> /* DES_LONG */
 #include <openssl/e_os2.h>	/* OPENSSL_EXTERN */

-#ifndef OPENSSL_DISABLE_OLD_DES_SUPPORT
-# include <openssl/des_old.h>
-#endif
-
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
 # undef OPENSSL_EXTERN
 # define OPENSSL_EXTERN OPENSSL_EXPORT
@@ -95,6 +91,16 @@ typedef struct DES_ks
 	} ks[16];
    } DES_key_schedule;

+#ifndef OPENSSL_DISABLE_OLD_DES_SUPPORT
+# ifndef OPENSSL_ENABLE_OLD_DES_SUPPORT
+#  define OPENSSL_ENABLE_OLD_DES_SUPPORT
+# endif
+#endif
+
+#ifdef OPENSSL_ENABLE_OLD_DES_SUPPORT
+# include <openssl/des_old.h>
+#endif
+
 #define DES_KEY_SZ 	(sizeof(DES_cblock))
 #define DES_SCHEDULE_SZ (sizeof(DES_key_schedule))

--- a/crypto/des/des_enc.c
+++ b/crypto/des/des_enc.c
@@ -62,7 +62,7 @@ void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 	{
 	register DES_LONG l,r,t,u;
 #ifdef DES_PTR
-	register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+	register const unsigned char *des_SP=(const unsigned char *)DES_SPtrans;
 #endif
 #ifndef DES_UNROLL
 	register int i;
@@ -75,7 +75,7 @@ void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 	IP(r,l);
 	/* Things have been modified so that the initial rotate is
 	 * done outside the loop.  This required the
-	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * DES_SPtrans values in sp.h to be rotated 1 bit to the right.
 	 * One perl script later and things have a 5% speed up on a sparc2.
 	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
 	 * for pointing this out. */
@@ -160,7 +160,7 @@ void DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)
 	{
 	register DES_LONG l,r,t,u;
 #ifdef DES_PTR
-	register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+	register const unsigned char *des_SP=(const unsigned char *)DES_SPtrans;
 #endif
 #ifndef DES_UNROLL
 	register int i;
@@ -172,7 +172,7 @@ void DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)

 	/* Things have been modified so that the initial rotate is
 	 * done outside the loop.  This required the
-	 * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+	 * DES_SPtrans values in sp.h to be rotated 1 bit to the right.
 	 * One perl script later and things have a 5% speed up on a sparc2.
 	 * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
 	 * for pointing this out. */
--- a/crypto/des/des_locl.h
+++ b/crypto/des/des_locl.h
@@ -283,24 +283,24 @@
 	u1=(int)u&0x3f; \
 	u2&=0x3f; \
 	u>>=16L; \
-	LL^=des_SPtrans[0][u1]; \
-	LL^=des_SPtrans[2][u2]; \
+	LL^=DES_SPtrans[0][u1]; \
+	LL^=DES_SPtrans[2][u2]; \
 	u3=(int)u>>8L; \
 	u1=(int)u&0x3f; \
 	u3&=0x3f; \
-	LL^=des_SPtrans[4][u1]; \
-	LL^=des_SPtrans[6][u3]; \
+	LL^=DES_SPtrans[4][u1]; \
+	LL^=DES_SPtrans[6][u3]; \
 	u2=(int)t>>8L; \
 	u1=(int)t&0x3f; \
 	u2&=0x3f; \
 	t>>=16L; \
-	LL^=des_SPtrans[1][u1]; \
-	LL^=des_SPtrans[3][u2]; \
+	LL^=DES_SPtrans[1][u1]; \
+	LL^=DES_SPtrans[3][u2]; \
 	u3=(int)t>>8L; \
 	u1=(int)t&0x3f; \
 	u3&=0x3f; \
-	LL^=des_SPtrans[5][u1]; \
-	LL^=des_SPtrans[7][u3]; }
+	LL^=DES_SPtrans[5][u1]; \
+	LL^=DES_SPtrans[7][u3]; }
 #endif
 #ifdef DES_RISC2
 #define D_ENCRYPT(LL,R,S) {\
@@ -311,25 +311,25 @@
 	u2=(int)u>>8L; \
 	u1=(int)u&0x3f; \
 	u2&=0x3f; \
-	LL^=des_SPtrans[0][u1]; \
-	LL^=des_SPtrans[2][u2]; \
+	LL^=DES_SPtrans[0][u1]; \
+	LL^=DES_SPtrans[2][u2]; \
 	s1=(int)u>>16L; \
 	s2=(int)u>>24L; \
 	s1&=0x3f; \
 	s2&=0x3f; \
-	LL^=des_SPtrans[4][s1]; \
-	LL^=des_SPtrans[6][s2]; \
+	LL^=DES_SPtrans[4][s1]; \
+	LL^=DES_SPtrans[6][s2]; \
 	u2=(int)t>>8L; \
 	u1=(int)t&0x3f; \
 	u2&=0x3f; \
-	LL^=des_SPtrans[1][u1]; \
-	LL^=des_SPtrans[3][u2]; \
+	LL^=DES_SPtrans[1][u1]; \
+	LL^=DES_SPtrans[3][u2]; \
 	s1=(int)t>>16; \
 	s2=(int)t>>24L; \
 	s1&=0x3f; \
 	s2&=0x3f; \
-	LL^=des_SPtrans[5][s1]; \
-	LL^=des_SPtrans[7][s2]; }
+	LL^=DES_SPtrans[5][s1]; \
+	LL^=DES_SPtrans[7][s2]; }
 #endif

 #else
@@ -338,14 +338,14 @@
 	LOAD_DATA_tmp(R,S,u,t,E0,E1); \
 	t=ROTATE(t,4); \
 	LL^=\
-		des_SPtrans[0][(u>> 2L)&0x3f]^ \
-		des_SPtrans[2][(u>>10L)&0x3f]^ \
-		des_SPtrans[4][(u>>18L)&0x3f]^ \
-		des_SPtrans[6][(u>>26L)&0x3f]^ \
-		des_SPtrans[1][(t>> 2L)&0x3f]^ \
-		des_SPtrans[3][(t>>10L)&0x3f]^ \
-		des_SPtrans[5][(t>>18L)&0x3f]^ \
-		des_SPtrans[7][(t>>26L)&0x3f]; }
+		DES_SPtrans[0][(u>> 2L)&0x3f]^ \
+		DES_SPtrans[2][(u>>10L)&0x3f]^ \
+		DES_SPtrans[4][(u>>18L)&0x3f]^ \
+		DES_SPtrans[6][(u>>26L)&0x3f]^ \
+		DES_SPtrans[1][(t>> 2L)&0x3f]^ \
+		DES_SPtrans[3][(t>>10L)&0x3f]^ \
+		DES_SPtrans[5][(t>>18L)&0x3f]^ \
+		DES_SPtrans[7][(t>>26L)&0x3f]; }
 #endif
 #endif

@@ -410,7 +410,7 @@
 	PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
 	}

-OPENSSL_EXTERN const DES_LONG des_SPtrans[8][64];
+OPENSSL_EXTERN const DES_LONG DES_SPtrans[8][64];

 void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
 		 DES_LONG Eswap0, DES_LONG Eswap1);
--- a/crypto/des/des_old.c
+++ b/crypto/des/des_old.c
@@ -72,7 +72,7 @@
 *
 */

-#include <openssl/des_old.h>
+#define OPENSSL_DES_LIBDES_COMPATIBILITY
 #include <openssl/des.h>
 #include <openssl/rand.h>

@@ -80,7 +80,7 @@ const char *_ossl_old_des_options(void)
 	{
 	return DES_options();
 	}
-void _ossl_old_des_ecb3_encrypt(des_cblock *input,des_cblock *output,
+void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
 	des_key_schedule ks1,des_key_schedule ks2,
 	des_key_schedule ks3, int enc)
 	{
@@ -88,38 +88,38 @@ void _ossl_old_des_ecb3_encrypt(des_cblock *input,des_cblock *output,
 		(DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
 		(DES_key_schedule *)ks3, enc);
 	}
-DES_LONG _ossl_old_des_cbc_cksum(des_cblock *input,des_cblock *output,
-	long length,des_key_schedule schedule,des_cblock *ivec)
+DES_LONG _ossl_old_des_cbc_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+	long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec)
 	{
 	return DES_cbc_cksum((unsigned char *)input, output, length,
 		(DES_key_schedule *)schedule, ivec);
 	}
-void _ossl_old_des_cbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc)
+void _ossl_old_des_cbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
 	{
 	DES_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
 		length, (DES_key_schedule *)schedule, ivec, enc);
 	}
-void _ossl_old_des_ncbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc)
+void _ossl_old_des_ncbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
 	{
 	DES_ncbc_encrypt((unsigned char *)input, (unsigned char *)output,
 		length, (DES_key_schedule *)schedule, ivec, enc);
 	}
-void _ossl_old_des_xcbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,
-	des_cblock *inw,des_cblock *outw,int enc)
+void _ossl_old_des_xcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	des_key_schedule schedule,_ossl_old_des_cblock *ivec,
+	_ossl_old_des_cblock *inw,_ossl_old_des_cblock *outw,int enc)
 	{
 	DES_xcbc_encrypt((unsigned char *)input, (unsigned char *)output,
 		length, (DES_key_schedule *)schedule, ivec, inw, outw, enc);
 	}
 void _ossl_old_des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
-	long length,des_key_schedule schedule,des_cblock *ivec,int enc)
+	long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
 	{
 	DES_cfb_encrypt(in, out, numbits, length,
 		(DES_key_schedule *)schedule, ivec, enc);
 	}
-void _ossl_old_des_ecb_encrypt(des_cblock *input,des_cblock *output,
+void _ossl_old_des_ecb_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
 	des_key_schedule ks,int enc)
 	{
 	DES_ecb_encrypt(input, output, (DES_key_schedule *)ks, enc);
@@ -144,9 +144,9 @@ void _ossl_old_des_decrypt3(DES_LONG *data, des_key_schedule ks1,
 	DES_decrypt3(data, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
 		(DES_key_schedule *)ks3);
 	}
-void _ossl_old_des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, 
+void _ossl_old_des_ede3_cbc_encrypt(_ossl_old_des_cblock *input, _ossl_old_des_cblock *output, 
 	long length, des_key_schedule ks1, des_key_schedule ks2, 
-	des_key_schedule ks3, des_cblock *ivec, int enc)
+	des_key_schedule ks3, _ossl_old_des_cblock *ivec, int enc)
 	{
 	DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
 		length, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
@@ -154,7 +154,7 @@ void _ossl_old_des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output,
 	}
 void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
 	long length, des_key_schedule ks1, des_key_schedule ks2,
-	des_key_schedule ks3, des_cblock *ivec, int *num, int enc)
+	des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num, int enc)
 	{
 	DES_ede3_cfb64_encrypt(in, out, length,
 		(DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
@@ -162,26 +162,26 @@ void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
 	}
 void _ossl_old_des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
 	long length, des_key_schedule ks1, des_key_schedule ks2,
-	des_key_schedule ks3, des_cblock *ivec, int *num)
+	des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num)
 	{
 	DES_ede3_ofb64_encrypt(in, out, length,
 		(DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
 		(DES_key_schedule *)ks3, ivec, num);
 	}

-void _ossl_old_des_xwhite_in2out(des_cblock (*des_key), des_cblock (*in_white),
-	des_cblock (*out_white))
+void _ossl_old_des_xwhite_in2out(_ossl_old_des_cblock (*des_key), _ossl_old_des_cblock (*in_white),
+	_ossl_old_des_cblock (*out_white))
 	{
 	DES_xwhite_in2out(des_key, in_white, out_white);
 	}

 int _ossl_old_des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv)
+	_ossl_old_des_cblock *iv)
 	{
 	return DES_enc_read(fd, buf, len, (DES_key_schedule *)sched, iv);
 	}
 int _ossl_old_des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv)
+	_ossl_old_des_cblock *iv)
 	{
 	return DES_enc_write(fd, buf, len, (DES_key_schedule *)sched, iv);
 	}
@@ -198,73 +198,73 @@ char *_ossl_old_crypt(const char *buf,const char *salt)
 	return DES_crypt(buf, salt);
 	}
 void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
-	int numbits,long length,des_key_schedule schedule,des_cblock *ivec)
+	int numbits,long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec)
 	{
 	DES_ofb_encrypt(in, out, numbits, length, (DES_key_schedule *)schedule,
 		ivec);
 	}
-void _ossl_old_des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc)
+void _ossl_old_des_pcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
 	{
 	DES_pcbc_encrypt((unsigned char *)input, (unsigned char *)output,
 		length, (DES_key_schedule *)schedule, ivec, enc);
 	}
-DES_LONG _ossl_old_des_quad_cksum(des_cblock *input,des_cblock *output,
-	long length,int out_count,des_cblock *seed)
+DES_LONG _ossl_old_des_quad_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+	long length,int out_count,_ossl_old_des_cblock *seed)
 	{
 	return DES_quad_cksum((unsigned char *)input, output, length,
 		out_count, seed);
 	}
-void _ossl_old_des_random_seed(des_cblock key)
+void _ossl_old_des_random_seed(_ossl_old_des_cblock key)
 	{
-	RAND_seed(key, sizeof(des_cblock));
+	RAND_seed(key, sizeof(_ossl_old_des_cblock));
 	}
-void _ossl_old_des_random_key(des_cblock ret)
+void _ossl_old_des_random_key(_ossl_old_des_cblock ret)
 	{
 	DES_random_key((DES_cblock *)ret);
 	}
-int _ossl_old_des_read_password(des_cblock *key, const char *prompt,
+int _ossl_old_des_read_password(_ossl_old_des_cblock *key, const char *prompt,
 				int verify)
 	{
 	return DES_read_password(key, prompt, verify);
 	}
-int _ossl_old_des_read_2passwords(des_cblock *key1, des_cblock *key2,
+int _ossl_old_des_read_2passwords(_ossl_old_des_cblock *key1, _ossl_old_des_cblock *key2,
 	const char *prompt, int verify)
 	{
 	return DES_read_2passwords(key1, key2, prompt, verify);
 	}
-void _ossl_old_des_set_odd_parity(des_cblock *key)
+void _ossl_old_des_set_odd_parity(_ossl_old_des_cblock *key)
 	{
 	DES_set_odd_parity(key);
 	}
-int _ossl_old_des_is_weak_key(des_cblock *key)
+int _ossl_old_des_is_weak_key(_ossl_old_des_cblock *key)
 	{
 	return DES_is_weak_key(key);
 	}
-int _ossl_old_des_set_key(des_cblock *key,des_key_schedule schedule)
+int _ossl_old_des_set_key(_ossl_old_des_cblock *key,des_key_schedule schedule)
 	{
 	return DES_set_key(key, (DES_key_schedule *)schedule);
 	}
-int _ossl_old_des_key_sched(des_cblock *key,des_key_schedule schedule)
+int _ossl_old_des_key_sched(_ossl_old_des_cblock *key,des_key_schedule schedule)
 	{
 	return DES_key_sched(key, (DES_key_schedule *)schedule);
 	}
-void _ossl_old_des_string_to_key(char *str,des_cblock *key)
+void _ossl_old_des_string_to_key(char *str,_ossl_old_des_cblock *key)
 	{
 	DES_string_to_key(str, key);
 	}
-void _ossl_old_des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2)
+void _ossl_old_des_string_to_2keys(char *str,_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2)
 	{
 	DES_string_to_2keys(str, key1, key2);
 	}
 void _ossl_old_des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	des_key_schedule schedule, des_cblock *ivec, int *num, int enc)
+	des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num, int enc)
 	{
 	DES_cfb64_encrypt(in, out, length, (DES_key_schedule *)schedule,
 		ivec, num, enc);
 	}
 void _ossl_old_des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	des_key_schedule schedule, des_cblock *ivec, int *num)
+	des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num)
 	{
 	DES_ofb64_encrypt(in, out, length, (DES_key_schedule *)schedule,
 		ivec, num);
--- a/crypto/des/des_old.h
+++ b/crypto/des/des_old.h
@@ -3,13 +3,29 @@
 /* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * The function names in here are deprecated and are only present to
- * provide an interface compatible with libdes.  OpenSSL now provides
- * functions where "des_" has been replaced with "DES_" in the names,
- * to make it possible to make incompatible changes that are needed
- * for C type security and other stuff.
+ * provide an interface compatible with openssl 0.9.6 and older as
+ * well as libdes.  OpenSSL now provides functions where "des_" has
+ * been replaced with "DES_" in the names, to make it possible to
+ * make incompatible changes that are needed for C type security and
+ * other stuff.
+ *
+ * This include files has two compatibility modes:
+ *
+ *   - If OPENSSL_DES_LIBDES_COMPATIBILITY is defined, you get an API
+ *     that is compatible with libdes and SSLeay.
+ *   - If OPENSSL_DES_LIBDES_COMPATIBILITY isn't defined, you get an
+ *     API that is compatible with OpenSSL 0.9.5x to 0.9.6x.
+ *
+ * Note that these modes break earlier snapshots of OpenSSL, where
+ * libdes compatibility was the only available mode or (later on) the
+ * prefered compatibility mode.  However, after much consideration
+ * (and more or less violent discussions with external parties), it
+ * was concluded that OpenSSL should be compatible with earlier versions
+ * of itself before anything else.  Also, in all honesty, libdes is
+ * an old beast that shouldn't really be used any more.
 *
 * Please consider starting to use the DES_ functions rather than the
- * des_ ones.  The des_ functions will dissapear completely before
+ * des_ ones.  The des_ functions will disappear completely before
 * OpenSSL 1.0!
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
@@ -19,7 +35,7 @@
 * project 2001.
 */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -79,6 +95,10 @@
 #error DES is disabled.
 #endif

+#ifndef HEADER_DES_H
+#error You must include des.h, not des_old.h directly.
+#endif
+
 #ifdef _KERBEROS_DES_H
 #error <openssl/des_old.h> replaces <kerberos/des.h>.
 #endif
@@ -96,25 +116,130 @@
 extern "C" {
 #endif

-typedef unsigned char des_cblock[8];
-typedef struct des_ks_struct
+typedef unsigned char _ossl_old_des_cblock[8];
+typedef struct _ossl_old_des_ks_struct
 	{
 	union	{
-		des_cblock _;
+		_ossl_old_des_cblock _;
 		/* make sure things are correct size on machines with
 		 * 8 byte longs */
 		DES_LONG pad[2];
 		} ks;
-	} des_key_schedule[16];
+	} _ossl_old_des_key_schedule[16];

-/* Map all function names to _ossl_old_des_* form, so we avoid all
+#ifndef OPENSSL_DES_LIBDES_COMPATIBILITY
+#define des_cblock DES_cblock
+#define const_des_cblock const_DES_cblock
+#define des_key_schedule DES_key_schedule
+#define des_ecb3_encrypt(i,o,k1,k2,k3,e)\
+	DES_ecb3_encrypt((i),(o),&(k1),&(k2),&(k3),(e))
+#define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
+	DES_ede3_cbc_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(e))
+#define des_ede3_cbcm_encrypt(i,o,l,k1,k2,k3,iv1,iv2,e)\
+	DES_ede3_cbcm_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv1),(iv2),(e))
+#define des_ede3_cfb64_encrypt(i,o,l,k1,k2,k3,iv,n,e)\
+	DES_ede3_cfb64_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(n),(e))
+#define des_ede3_ofb64_encrypt(i,o,l,k1,k2,k3,iv,n)\
+	DES_ede3_ofb64_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(n))
+#define des_options()\
+	DES_options()
+#define des_cbc_cksum(i,o,l,k,iv)\
+	DES_cbc_cksum((i),(o),(l),&(k),(iv))
+#define des_cbc_encrypt(i,o,l,k,iv,e)\
+	DES_cbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_ncbc_encrypt(i,o,l,k,iv,e)\
+	DES_ncbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_xcbc_encrypt(i,o,l,k,iv,inw,outw,e)\
+	DES_xcbc_encrypt((i),(o),(l),&(k),(iv),(inw),(outw),(e))
+#define des_cfb_encrypt(i,o,n,l,k,iv,e)\
+	DES_cfb_encrypt((i),(o),(n),(l),&(k),(iv),(e))
+#define des_ecb_encrypt(i,o,k,e)\
+	DES_ecb_encrypt((i),(o),&(k),(e))
+#define des_encrypt1(d,k,e)\
+	DES_encrypt1((d),&(k),(e))
+#define des_encrypt2(d,k,e)\
+	DES_encrypt2((d),&(k),(e))
+#define des_encrypt3(d,k1,k2,k3)\
+	DES_encrypt3((d),&(k1),&(k2),&(k3))
+#define des_decrypt3(d,k1,k2,k3)\
+	DES_decrypt3((d),&(k1),&(k2),&(k3))
+#define des_xwhite_in2out(k,i,o)\
+	DES_xwhite_in2out((k),(i),(o))
+#define des_enc_read(f,b,l,k,iv)\
+	DES_enc_read((f),(b),(l),&(k),(iv))
+#define des_enc_write(f,b,l,k,iv)\
+	DES_enc_write((f),(b),(l),&(k),(iv))
+#define des_fcrypt(b,s,r)\
+	DES_fcrypt((b),(s),(r))
+#define des_crypt(b,s)\
+	DES_crypt((b),(s))
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#define crypt(b,s)\
+	DES_crypt((b),(s))
+#endif
+#define des_ofb_encrypt(i,o,n,l,k,iv)\
+	DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv))
+#define des_pcbc_encrypt(i,o,l,k,iv,e)\
+	DES_pcbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_quad_cksum(i,o,l,c,s)\
+	DES_quad_cksum((i),(o),(l),(c),(s))
+#define des_random_seed(k)\
+	_ossl_096_des_random_seed((k))
+#define des_random_key(r)\
+	DES_random_key((r))
+#define des_read_password(k,p,v) \
+	DES_read_password((k),(p),(v))
+#define des_read_2passwords(k1,k2,p,v) \
+	DES_read_2passwords((k1),(k2),(p),(v))
+#define des_set_odd_parity(k)\
+	DES_set_odd_parity((k))
+#define des_check_key_parity(k)\
+	DES_check_key_parity((k))
+#define des_is_weak_key(k)\
+	DES_is_weak_key((k))
+#define des_set_key(k,ks)\
+	DES_set_key((k),&(ks))
+#define des_key_sched(k,ks)\
+	DES_key_sched((k),&(ks))
+#define des_set_key_checked(k,ks)\
+	DES_set_key_checked((k),&(ks))
+#define des_set_key_unchecked(k,ks)\
+	DES_set_key_unchecked((k),&(ks))
+#define des_string_to_key(s,k)\
+	DES_string_to_key((s),(k))
+#define des_string_to_2keys(s,k1,k2)\
+	DES_string_to_2keys((s),(k1),(k2))
+#define des_cfb64_encrypt(i,o,l,ks,iv,n,e)\
+	DES_cfb64_encrypt((i),(o),(l),&(ks),(iv),(n),(e))
+#define des_ofb64_encrypt(i,o,l,ks,iv,n)\
+	DES_ofb64_encrypt((i),(o),(l),&(ks),(iv),(n))
+		
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+	des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+	des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+	des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+	des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+#define des_check_key DES_check_key
+#define des_rw_mode DES_rw_mode
+#else /* libdes compatibility */
+/* Map all symbol names to _ossl_old_des_* form, so we avoid all
   clashes with libdes */
+#define des_cblock _ossl_old_des_cblock
+#define des_key_schedule _ossl_old_des_key_schedule
 #define des_ecb3_encrypt(i,o,k1,k2,k3,e)\
 	_ossl_old_des_ecb3_encrypt((i),(o),(k1),(k2),(k3),(e))
 #define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
 	_ossl_old_des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(e))
 #define des_ede3_cfb64_encrypt(i,o,l,k1,k2,k3,iv,n,e)\
-	_ossl_old_des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(e))
+	_ossl_old_des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(n),(e))
 #define des_ede3_ofb64_encrypt(i,o,l,k1,k2,k3,iv,n)\
 	_ossl_old_des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(n))
 #define des_options()\
@@ -127,8 +252,8 @@ typedef struct des_ks_struct
 	_ossl_old_des_ncbc_encrypt((i),(o),(l),(k),(iv),(e))
 #define des_xcbc_encrypt(i,o,l,k,iv,inw,outw,e)\
 	_ossl_old_des_xcbc_encrypt((i),(o),(l),(k),(iv),(inw),(outw),(e))
-#define des_cfb_encrypt(i,o,l,k,iv,e)\
-	_ossl_old_des_cfb_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_cfb_encrypt(i,o,n,l,k,iv,e)\
+	_ossl_old_des_cfb_encrypt((i),(o),(n),(l),(k),(iv),(e))
 #define des_ecb_encrypt(i,o,k,e)\
 	_ossl_old_des_ecb_encrypt((i),(o),(k),(e))
 #define des_encrypt(d,k,e)\
@@ -197,76 +322,79 @@ typedef struct des_ks_struct

 #define des_check_key DES_check_key
 #define des_rw_mode DES_rw_mode
+#endif

 const char *_ossl_old_des_options(void);
-void _ossl_old_des_ecb3_encrypt(des_cblock *input,des_cblock *output,
-	des_key_schedule ks1,des_key_schedule ks2,
-	des_key_schedule ks3, int enc);
-DES_LONG _ossl_old_des_cbc_cksum(des_cblock *input,des_cblock *output,
-	long length,des_key_schedule schedule,des_cblock *ivec);
-void _ossl_old_des_cbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc);
-void _ossl_old_des_ncbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc);
-void _ossl_old_des_xcbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,
-	des_cblock *inw,des_cblock *outw,int enc);
+void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+	_ossl_old_des_key_schedule ks1,_ossl_old_des_key_schedule ks2,
+	_ossl_old_des_key_schedule ks3, int enc);
+DES_LONG _ossl_old_des_cbc_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+	long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec);
+void _ossl_old_des_cbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_ncbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_xcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,
+	_ossl_old_des_cblock *inw,_ossl_old_des_cblock *outw,int enc);
 void _ossl_old_des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
-	long length,des_key_schedule schedule,des_cblock *ivec,int enc);
-void _ossl_old_des_ecb_encrypt(des_cblock *input,des_cblock *output,
-	des_key_schedule ks,int enc);
-void _ossl_old_des_encrypt(DES_LONG *data,des_key_schedule ks, int enc);
-void _ossl_old_des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
-void _ossl_old_des_encrypt3(DES_LONG *data, des_key_schedule ks1,
-	des_key_schedule ks2, des_key_schedule ks3);
-void _ossl_old_des_decrypt3(DES_LONG *data, des_key_schedule ks1,
-	des_key_schedule ks2, des_key_schedule ks3);
-void _ossl_old_des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, 
-	long length, des_key_schedule ks1, des_key_schedule ks2, 
-	des_key_schedule ks3, des_cblock *ivec, int enc);
+	long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_ecb_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+	_ossl_old_des_key_schedule ks,int enc);
+void _ossl_old_des_encrypt(DES_LONG *data,_ossl_old_des_key_schedule ks, int enc);
+void _ossl_old_des_encrypt2(DES_LONG *data,_ossl_old_des_key_schedule ks, int enc);
+void _ossl_old_des_encrypt3(DES_LONG *data, _ossl_old_des_key_schedule ks1,
+	_ossl_old_des_key_schedule ks2, _ossl_old_des_key_schedule ks3);
+void _ossl_old_des_decrypt3(DES_LONG *data, _ossl_old_des_key_schedule ks1,
+	_ossl_old_des_key_schedule ks2, _ossl_old_des_key_schedule ks3);
+void _ossl_old_des_ede3_cbc_encrypt(_ossl_old_des_cblock *input, _ossl_old_des_cblock *output, 
+	long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2, 
+	_ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int enc);
 void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
-	long length, des_key_schedule ks1, des_key_schedule ks2,
-	des_key_schedule ks3, des_cblock *ivec, int *num, int enc);
+	long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2,
+	_ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num, int enc);
 void _ossl_old_des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
-	long length, des_key_schedule ks1, des_key_schedule ks2,
-	des_key_schedule ks3, des_cblock *ivec, int *num);
+	long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2,
+	_ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num);

-void _ossl_old_des_xwhite_in2out(des_cblock (*des_key), des_cblock (*in_white),
-	des_cblock (*out_white));
+void _ossl_old_des_xwhite_in2out(_ossl_old_des_cblock (*des_key), _ossl_old_des_cblock (*in_white),
+	_ossl_old_des_cblock (*out_white));

-int _ossl_old_des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv);
-int _ossl_old_des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
-	des_cblock *iv);
+int _ossl_old_des_enc_read(int fd,char *buf,int len,_ossl_old_des_key_schedule sched,
+	_ossl_old_des_cblock *iv);
+int _ossl_old_des_enc_write(int fd,char *buf,int len,_ossl_old_des_key_schedule sched,
+	_ossl_old_des_cblock *iv);
 char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret);
 char *_ossl_old_des_crypt(const char *buf,const char *salt);
 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
 char *_ossl_old_crypt(const char *buf,const char *salt);
 #endif
 void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
-	int numbits,long length,des_key_schedule schedule,des_cblock *ivec);
-void _ossl_old_des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length,
-	des_key_schedule schedule,des_cblock *ivec,int enc);
-DES_LONG _ossl_old_des_quad_cksum(des_cblock *input,des_cblock *output,
-	long length,int out_count,des_cblock *seed);
-void _ossl_old_des_random_seed(des_cblock key);
-void _ossl_old_des_random_key(des_cblock ret);
-int _ossl_old_des_read_password(des_cblock *key,const char *prompt,int verify);
-int _ossl_old_des_read_2passwords(des_cblock *key1,des_cblock *key2,
+	int numbits,long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec);
+void _ossl_old_des_pcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+	_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+DES_LONG _ossl_old_des_quad_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+	long length,int out_count,_ossl_old_des_cblock *seed);
+void _ossl_old_des_random_seed(_ossl_old_des_cblock key);
+void _ossl_old_des_random_key(_ossl_old_des_cblock ret);
+int _ossl_old_des_read_password(_ossl_old_des_cblock *key,const char *prompt,int verify);
+int _ossl_old_des_read_2passwords(_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2,
 	const char *prompt,int verify);
-void _ossl_old_des_set_odd_parity(des_cblock *key);
-int _ossl_old_des_is_weak_key(des_cblock *key);
-int _ossl_old_des_set_key(des_cblock *key,des_key_schedule schedule);
-int _ossl_old_des_key_sched(des_cblock *key,des_key_schedule schedule);
-void _ossl_old_des_string_to_key(char *str,des_cblock *key);
-void _ossl_old_des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2);
+void _ossl_old_des_set_odd_parity(_ossl_old_des_cblock *key);
+int _ossl_old_des_is_weak_key(_ossl_old_des_cblock *key);
+int _ossl_old_des_set_key(_ossl_old_des_cblock *key,_ossl_old_des_key_schedule schedule);
+int _ossl_old_des_key_sched(_ossl_old_des_cblock *key,_ossl_old_des_key_schedule schedule);
+void _ossl_old_des_string_to_key(char *str,_ossl_old_des_cblock *key);
+void _ossl_old_des_string_to_2keys(char *str,_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2);
 void _ossl_old_des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	des_key_schedule schedule, des_cblock *ivec, int *num, int enc);
+	_ossl_old_des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num, int enc);
 void _ossl_old_des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
-	des_key_schedule schedule, des_cblock *ivec, int *num);
+	_ossl_old_des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num);
+
+void _ossl_096_des_random_seed(des_cblock *key);

 /* The following definitions provide compatibility with the MIT Kerberos
- * library. The des_key_schedule structure is not binary compatible. */
+ * library. The _ossl_old_des_key_schedule structure is not binary compatible. */

 #define _KERBEROS_DES_H

--- a/crypto/des/des_old2.c
+++ b/crypto/des/des_old2.c
@@ -0,0 +1,82 @@
+/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with OpenSSL 0.9.6c.  OpenSSL now
+ * provides functions where "des_" has been replaced with "DES_" in
+ * the names, to make it possible to make incompatible changes that
+ * are needed for C type security and other stuff.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will dissapear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#undef OPENSSL_DES_LIBDES_COMPATIBILITY
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+void _ossl_096_des_random_seed(DES_cblock *key)
+	{
+	RAND_seed(key, sizeof(DES_cblock));
+	}
--- a/crypto/des/destest.c
+++ b/crypto/des/destest.c
@@ -83,10 +83,9 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/des.h>
-#include <openssl/des_old.h>

-#if defined(PERL5) || defined(__FreeBSD__)
-#define crypt(c,s) (DES_crypt((c),(s)))
+#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT)
+#define crypt(c,s) (des_crypt((c),(s)))
 #endif

 /* tisk tisk - the test keys don't all have odd parity :-( */
@@ -333,8 +332,8 @@ static int ede_cfb64_test(unsigned char *cfb_cipher);
 int main(int argc, char *argv[])
 	{
 	int i,j,err=0;
-	DES_cblock in,out,outin,iv3,iv2;
-	DES_key_schedule ks,ks2,ks3;
+	des_cblock in,out,outin,iv3,iv2;
+	des_key_schedule ks,ks2,ks3;
 	unsigned char cbc_in[40];
 	unsigned char cbc_out[40];
 	DES_LONG cs;
@@ -381,7 +380,7 @@ int main(int argc, char *argv[])
 	/*	if (memcmp(cbc_out,cbc3_ok,
 		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
 		{
-		printf("DES_ede3_cbc_encrypt encrypt error\n");
+		printf("des_ede3_cbc_encrypt encrypt error\n");
 		err=1;
 		}
 	*/
@@ -392,7 +391,7 @@ int main(int argc, char *argv[])
 		{
 		int n;

-		printf("DES_ede3_cbcm_encrypt decrypt error\n");
+		printf("des_ede3_cbcm_encrypt decrypt error\n");
 		for(n=0 ; n < i ; ++n)
 		    printf(" %02x",cbc_data[n]);
 		printf("\n");
@@ -410,8 +409,8 @@ int main(int argc, char *argv[])
 		memcpy(in,plain_data[i],8);
 		memset(out,0,8);
 		memset(outin,0,8);
-		DES_ecb_encrypt(&in,&out,&ks,DES_ENCRYPT);
-		DES_ecb_encrypt(&out,&outin,&ks,DES_DECRYPT);
+		des_ecb_encrypt(&in,&out,ks,DES_ENCRYPT);
+		des_ecb_encrypt(&out,&outin,ks,DES_DECRYPT);

 		if (memcmp(out,cipher_data[i],8) != 0)
 			{
@@ -438,8 +437,8 @@ int main(int argc, char *argv[])
 		memcpy(in,plain_data[i],8);
 		memset(out,0,8);
 		memset(outin,0,8);
-		DES_ecb2_encrypt(&in,&out,&ks,&ks2,DES_ENCRYPT);
-		DES_ecb2_encrypt(&out,&outin,&ks,&ks2,DES_DECRYPT);
+		des_ecb2_encrypt(&in,&out,ks,ks2,DES_ENCRYPT);
+		des_ecb2_encrypt(&out,&outin,ks,ks2,DES_DECRYPT);

 		if (memcmp(out,cipher_ecb2[i],8) != 0)
 			{
@@ -466,7 +465,7 @@ int main(int argc, char *argv[])
 	memset(cbc_out,0,40);
 	memset(cbc_in,0,40);
 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	DES_ncbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,&ks,
+	des_ncbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
 			 &iv3,DES_ENCRYPT);
 	if (memcmp(cbc_out,cbc_ok,32) != 0)
 		{
@@ -475,7 +474,7 @@ int main(int argc, char *argv[])
 		}

 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	DES_ncbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,&ks,
+	des_ncbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,
 			 &iv3,DES_DECRYPT);
 	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)) != 0)
 		{
@@ -493,19 +492,19 @@ int main(int argc, char *argv[])
 	memset(cbc_out,0,40);
 	memset(cbc_in,0,40);
 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	DES_xcbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,&ks,
+	des_xcbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
 			 &iv3,&cbc2_key,&cbc3_key, DES_ENCRYPT);
 	if (memcmp(cbc_out,xcbc_ok,32) != 0)
 		{
-		printf("DES_xcbc_encrypt encrypt error\n");
+		printf("des_xcbc_encrypt encrypt error\n");
 		err=1;
 		}
 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	DES_xcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,&ks,
+	des_xcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,
 			 &iv3,&cbc2_key,&cbc3_key, DES_DECRYPT);
 	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
 		{
-		printf("DES_xcbc_encrypt decrypt error\n");
+		printf("des_xcbc_encrypt decrypt error\n");
 		err=1;
 		}
 #endif
@@ -532,16 +531,16 @@ int main(int argc, char *argv[])
 	/* i=((i+7)/8)*8; */
 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));

-	DES_ede3_cbc_encrypt(cbc_data,cbc_out,16L,&ks,&ks2,&ks3,&iv3,
+	des_ede3_cbc_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,&iv3,
 			     DES_ENCRYPT);
-	DES_ede3_cbc_encrypt(&(cbc_data[16]),&(cbc_out[16]),i-16,&ks,&ks2,&ks3,
+	des_ede3_cbc_encrypt(&(cbc_data[16]),&(cbc_out[16]),i-16,ks,ks2,ks3,
 			     &iv3,DES_ENCRYPT);
 	if (memcmp(cbc_out,cbc3_ok,
 		(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
 		{
 		int n;

-		printf("DES_ede3_cbc_encrypt encrypt error\n");
+		printf("des_ede3_cbc_encrypt encrypt error\n");
 		for(n=0 ; n < i ; ++n)
 		    printf(" %02x",cbc_out[n]);
 		printf("\n");
@@ -552,12 +551,12 @@ int main(int argc, char *argv[])
 		}

 	memcpy(iv3,cbc_iv,sizeof(cbc_iv));
-	DES_ede3_cbc_encrypt(cbc_out,cbc_in,i,&ks,&ks2,&ks3,&iv3,DES_DECRYPT);
+	des_ede3_cbc_encrypt(cbc_out,cbc_in,i,ks,ks2,ks3,&iv3,DES_DECRYPT);
 	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
 		{
 		int n;

-		printf("DES_ede3_cbc_encrypt decrypt error\n");
+		printf("des_ede3_cbc_encrypt decrypt error\n");
 		for(n=0 ; n < i ; ++n)
 		    printf(" %02x",cbc_data[n]);
 		printf("\n");
@@ -576,14 +575,14 @@ int main(int argc, char *argv[])
 		}
 	memset(cbc_out,0,40);
 	memset(cbc_in,0,40);
-	DES_pcbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,&ks,
+	des_pcbc_encrypt(cbc_data,cbc_out,strlen((char *)cbc_data)+1,ks,
 			 &cbc_iv,DES_ENCRYPT);
 	if (memcmp(cbc_out,pcbc_ok,32) != 0)
 		{
 		printf("pcbc_encrypt encrypt error\n");
 		err=1;
 		}
-	DES_pcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,&ks,&cbc_iv,
+	des_pcbc_encrypt(cbc_out,cbc_in,strlen((char *)cbc_data)+1,ks,&cbc_iv,
 			 DES_DECRYPT);
 	if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
 		{
@@ -608,8 +607,8 @@ int main(int argc, char *argv[])

 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	for (i=0; i<sizeof(plain); i++)
-		DES_cfb_encrypt(&(plain[i]),&(cfb_buf1[i]),
-			8,1,&ks,&cfb_tmp,DES_ENCRYPT);
+		des_cfb_encrypt(&(plain[i]),&(cfb_buf1[i]),
+			8,1,ks,&cfb_tmp,DES_ENCRYPT);
 	if (memcmp(cfb_cipher8,cfb_buf1,sizeof(plain)) != 0)
 		{
 		printf("cfb_encrypt small encrypt error\n");
@@ -618,8 +617,8 @@ int main(int argc, char *argv[])

 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	for (i=0; i<sizeof(plain); i++)
-		DES_cfb_encrypt(&(cfb_buf1[i]),&(cfb_buf2[i]),
-			8,1,&ks,&cfb_tmp,DES_DECRYPT);
+		des_cfb_encrypt(&(cfb_buf1[i]),&(cfb_buf2[i]),
+			8,1,ks,&cfb_tmp,DES_DECRYPT);
 	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
 		{
 		printf("cfb_encrypt small decrypt error\n");
@@ -634,7 +633,7 @@ int main(int argc, char *argv[])
 	printf("Doing ofb\n");
 	DES_set_key_checked(&ofb_key,&ks);
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	DES_ofb_encrypt(plain,ofb_buf1,64,sizeof(plain)/8,&ks,&ofb_tmp);
+	des_ofb_encrypt(plain,ofb_buf1,64,sizeof(plain)/8,ks,&ofb_tmp);
 	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
 		{
 		printf("ofb_encrypt encrypt error\n");
@@ -647,7 +646,7 @@ ofb_buf1[8+4], ofb_cipher[8+5], ofb_cipher[8+6], ofb_cipher[8+7]);
 		err=1;
 		}
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
-	DES_ofb_encrypt(ofb_buf1,ofb_buf2,64,sizeof(ofb_buf1)/8,&ks,&ofb_tmp);
+	des_ofb_encrypt(ofb_buf1,ofb_buf2,64,sizeof(ofb_buf1)/8,ks,&ofb_tmp);
 	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
 		{
 		printf("ofb_encrypt decrypt error\n");
@@ -668,7 +667,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 	num=0;
 	for (i=0; i<sizeof(plain); i++)
 		{
-		DES_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,&ks,&ofb_tmp,
+		des_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,&ofb_tmp,
 				  &num);
 		}
 	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
@@ -678,7 +677,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		}
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
 	num=0;
-	DES_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),&ks,&ofb_tmp,
+	des_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,&ofb_tmp,
 			  &num);
 	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
 		{
@@ -694,8 +693,8 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 	num=0;
 	for (i=0; i<sizeof(plain); i++)
 		{
-		DES_ede3_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,&ks,&ks,
-				       &ks,&ofb_tmp,&num);
+		des_ede3_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,ks,
+				       ks,&ofb_tmp,&num);
 		}
 	if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
 		{
@@ -704,7 +703,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		}
 	memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
 	num=0;
-	DES_ede3_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),&ks,&ks,&ks,
+	des_ede3_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,ks,ks,
 			       &ofb_tmp,&num);
 	if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
 		{
@@ -714,7 +713,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);

 	printf("Doing cbc_cksum\n");
 	DES_set_key_checked(&cbc_key,&ks);
-	cs=DES_cbc_cksum(cbc_data,&cret,strlen((char *)cbc_data),&ks,&cbc_iv);
+	cs=des_cbc_cksum(cbc_data,&cret,strlen((char *)cbc_data),ks,&cbc_iv);
 	if (cs != cbc_cksum_ret)
 		{
 		printf("bad return value (%08lX), should be %08lX\n",
@@ -728,8 +727,8 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 		}

 	printf("Doing quad_cksum\n");
-	cs=DES_quad_cksum(cbc_data,(DES_cblock *)lqret,
-		(long)strlen((char *)cbc_data),2,(DES_cblock *)cbc_iv);
+	cs=des_quad_cksum(cbc_data,(des_cblock *)lqret,
+		(long)strlen((char *)cbc_data),2,(des_cblock *)cbc_iv);
 	if (cs != 0x70d7a63aL)
 		{
 		printf("quad_cksum error, ret %08lx should be 70d7a63a\n",
@@ -793,16 +792,16 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
 	for (i=0; i<4; i++)
 		{
 		printf(" %d",i);
-		DES_ncbc_encrypt(&(cbc_out[i]),cbc_in,
-				 strlen((char *)cbc_data)+1,&ks,
+		des_ncbc_encrypt(&(cbc_out[i]),cbc_in,
+				 strlen((char *)cbc_data)+1,ks,
 				 &cbc_iv,DES_ENCRYPT);
 		}
 	printf("\noutput word alignment test");
 	for (i=0; i<4; i++)
 		{
 		printf(" %d",i);
-		DES_ncbc_encrypt(cbc_out,&(cbc_in[i]),
-				 strlen((char *)cbc_data)+1,&ks,
+		des_ncbc_encrypt(cbc_out,&(cbc_in[i]),
+				 strlen((char *)cbc_data)+1,ks,
 				 &cbc_iv,DES_ENCRYPT);
 		}
 	printf("\n");
@@ -846,12 +845,12 @@ static char *pt(unsigned char *p)

 static int cfb_test(int bits, unsigned char *cfb_cipher)
 	{
-	DES_key_schedule ks;
+	des_key_schedule ks;
 	int i,err=0;

 	DES_set_key_checked(&cfb_key,&ks);
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	DES_cfb_encrypt(plain,cfb_buf1,bits,sizeof(plain),&ks,&cfb_tmp,
+	des_cfb_encrypt(plain,cfb_buf1,bits,sizeof(plain),ks,&cfb_tmp,
 			DES_ENCRYPT);
 	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
 		{
@@ -861,7 +860,7 @@ static int cfb_test(int bits, unsigned char *cfb_cipher)
 			printf("%s\n",pt(&(cfb_buf1[i])));
 		}
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
-	DES_cfb_encrypt(cfb_buf1,cfb_buf2,bits,sizeof(plain),&ks,&cfb_tmp,
+	des_cfb_encrypt(cfb_buf1,cfb_buf2,bits,sizeof(plain),ks,&cfb_tmp,
 			DES_DECRYPT);
 	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
 		{
@@ -875,14 +874,14 @@ static int cfb_test(int bits, unsigned char *cfb_cipher)

 static int cfb64_test(unsigned char *cfb_cipher)
 	{
-	DES_key_schedule ks;
+	des_key_schedule ks;
 	int err=0,i,n;

 	DES_set_key_checked(&cfb_key,&ks);
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	n=0;
-	DES_cfb64_encrypt(plain,cfb_buf1,12,&ks,&cfb_tmp,&n,DES_ENCRYPT);
-	DES_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),sizeof(plain)-12,&ks,
+	des_cfb64_encrypt(plain,cfb_buf1,12,ks,&cfb_tmp,&n,DES_ENCRYPT);
+	des_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),sizeof(plain)-12,ks,
 			  &cfb_tmp,&n,DES_ENCRYPT);
 	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
 		{
@@ -893,9 +892,9 @@ static int cfb64_test(unsigned char *cfb_cipher)
 		}
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	n=0;
-	DES_cfb64_encrypt(cfb_buf1,cfb_buf2,17,&ks,&cfb_tmp,&n,DES_DECRYPT);
-	DES_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
-			  sizeof(plain)-17,&ks,&cfb_tmp,&n,DES_DECRYPT);
+	des_cfb64_encrypt(cfb_buf1,cfb_buf2,17,ks,&cfb_tmp,&n,DES_DECRYPT);
+	des_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+			  sizeof(plain)-17,ks,&cfb_tmp,&n,DES_DECRYPT);
 	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
 		{
 		err=1;
@@ -908,16 +907,16 @@ static int cfb64_test(unsigned char *cfb_cipher)

 static int ede_cfb64_test(unsigned char *cfb_cipher)
 	{
-	DES_key_schedule ks;
+	des_key_schedule ks;
 	int err=0,i,n;

 	DES_set_key_checked(&cfb_key,&ks);
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	n=0;
-	DES_ede3_cfb64_encrypt(plain,cfb_buf1,12,&ks,&ks,&ks,&cfb_tmp,&n,
+	des_ede3_cfb64_encrypt(plain,cfb_buf1,12,ks,ks,ks,&cfb_tmp,&n,
 			       DES_ENCRYPT);
-	DES_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
-			       sizeof(plain)-12,&ks,&ks,&ks,
+	des_ede3_cfb64_encrypt(&(plain[12]),&(cfb_buf1[12]),
+			       sizeof(plain)-12,ks,ks,ks,
 			       &cfb_tmp,&n,DES_ENCRYPT);
 	if (memcmp(cfb_cipher,cfb_buf1,sizeof(plain)) != 0)
 		{
@@ -928,10 +927,10 @@ static int ede_cfb64_test(unsigned char *cfb_cipher)
 		}
 	memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
 	n=0;
-	DES_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,&ks,&ks,&ks,
+	des_ede3_cfb64_encrypt(cfb_buf1,cfb_buf2,(long)17,ks,ks,ks,
 			       &cfb_tmp,&n,DES_DECRYPT);
-	DES_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
-			       sizeof(plain)-17,&ks,&ks,&ks,
+	des_ede3_cfb64_encrypt(&(cfb_buf1[17]),&(cfb_buf2[17]),
+			       sizeof(plain)-17,ks,ks,ks,
 			       &cfb_tmp,&n,DES_DECRYPT);
 	if (memcmp(plain,cfb_buf2,sizeof(plain)) != 0)
 		{
--- a/crypto/des/fcrypt_b.c
+++ b/crypto/des/fcrypt_b.c
@@ -82,7 +82,7 @@ void fcrypt_body(DES_LONG *out, DES_key_schedule *ks, DES_LONG Eswap0,
 	{
 	register DES_LONG l,r,t,u;
 #ifdef DES_PTR
-	register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+	register const unsigned char *des_SP=(const unsigned char *)DES_SPtrans;
 #endif
 	register DES_LONG *s;
 	register int j;
--- a/crypto/des/read_pwd.c
+++ b/crypto/des/read_pwd.c
@@ -372,7 +372,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,

 error:
 	fprintf(stderr,"\n");
-#ifdef DEBUG
+#if 0
 	perror("fgets(tty)");
 #endif
 	/* What can we do if there is an error? */
--- a/crypto/des/spr.h
+++ b/crypto/des/spr.h
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */

-OPENSSL_GLOBAL const DES_LONG des_SPtrans[8][64]={
+OPENSSL_GLOBAL const DES_LONG DES_SPtrans[8][64]={
 {
 /* nibble 0 */
 0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
--- a/crypto/des/str2key.c
+++ b/crypto/des/str2key.c
@@ -86,9 +86,13 @@ void DES_string_to_key(const char *str, DES_cblock *key)
 		}
 #endif
 	DES_set_odd_parity(key);
+#ifdef EXPERIMENTAL_STR_TO_STRONG_KEY
 	if(DES_is_weak_key(key))
 	    (*key)[7] ^= 0xF0;
 	DES_set_key(key,&ks);
+#else
+	DES_set_key_unchecked(key,&ks);
+#endif
 	DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
 	memset(&ks,0,sizeof(ks));
 	DES_set_odd_parity(key);
@@ -147,13 +151,21 @@ void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2)
 #endif
 	DES_set_odd_parity(key1);
 	DES_set_odd_parity(key2);
+#ifdef EXPERIMENTAL_STR_TO_STRONG_KEY
 	if(DES_is_weak_key(key1))
 	    (*key1)[7] ^= 0xF0;
 	DES_set_key(key1,&ks);
+#else
+	DES_set_key_unchecked(key1,&ks);
+#endif
 	DES_cbc_cksum((const unsigned char*)str,key1,length,&ks,key1);
+#ifdef EXPERIMENTAL_STR_TO_STRONG_KEY
 	if(DES_is_weak_key(key2))
 	    (*key2)[7] ^= 0xF0;
 	DES_set_key(key2,&ks);
+#else
+	DES_set_key_unchecked(key2,&ks);
+#endif
 	DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
 	memset(&ks,0,sizeof(ks));
 	DES_set_odd_parity(key1);
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -101,7 +101,7 @@ struct dh_st
 	int version;
 	BIGNUM *p;
 	BIGNUM *g;
-	int length; /* optional */
+	long length; /* optional */
 	BIGNUM *pub_key;	/* g^x */
 	BIGNUM *priv_key;	/* x */

@@ -195,9 +195,10 @@ void ERR_load_DH_strings(void);
 #define DH_F_DH_COMPUTE_KEY				 102
 #define DH_F_DH_GENERATE_KEY				 103
 #define DH_F_DH_GENERATE_PARAMETERS			 104
-#define DH_F_DH_NEW					 105
+#define DH_F_DH_NEW_METHOD				 105

 /* Reason codes. */
+#define DH_R_BAD_GENERATOR				 101
 #define DH_R_NO_PRIVATE_VALUE				 100

 #ifdef  __cplusplus
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -71,12 +71,13 @@ static ERR_STRING_DATA DH_str_functs[]=
 {ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),	"DH_compute_key"},
 {ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),	"DH_generate_key"},
 {ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),	"DH_generate_parameters"},
-{ERR_PACK(0,DH_F_DH_NEW,0),	"DH_new"},
+{ERR_PACK(0,DH_F_DH_NEW_METHOD,0),	"DH_new_method"},
 {0,NULL}
 	};

 static ERR_STRING_DATA DH_str_reasons[]=
 	{
+{DH_R_BAD_GENERATOR                      ,"bad generator"},
 {DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
 {0,NULL}
 	};
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -82,7 +82,10 @@
 * Since DH should be using a safe prime (both p and q are prime),
 * this generator function can take a very very long time to run.
 */
-
+/* Actually there is no reason to insist that 'generator' be a generator.
+ * It's just as OK (and in some sense better) to use a generator of the
+ * order-q subgroup.
+ */
 DH *DH_generate_parameters(int prime_len, int generator,
 	     void (*callback)(int,int,void *), void *cb_arg)
 	{
@@ -100,30 +103,43 @@ DH *DH_generate_parameters(int prime_len, int generator,
 	t2 = BN_CTX_get(ctx);
 	if (t1 == NULL || t2 == NULL) goto err;
 	
+	if (generator <= 1)
+		{
+		DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_BAD_GENERATOR);
+		goto err;
+		}
 	if (generator == DH_GENERATOR_2)
 		{
-		BN_set_word(t1,24);
-		BN_set_word(t2,11);
+		if (!BN_set_word(t1,24)) goto err;
+		if (!BN_set_word(t2,11)) goto err;
 		g=2;
 		}
-#ifdef undef  /* does not work for safe primes */
+#if 0 /* does not work for safe primes */
 	else if (generator == DH_GENERATOR_3)
 		{
-		BN_set_word(t1,12);
-		BN_set_word(t2,5);
+		if (!BN_set_word(t1,12)) goto err;
+		if (!BN_set_word(t2,5)) goto err;
 		g=3;
 		}
 #endif
 	else if (generator == DH_GENERATOR_5)
 		{
-		BN_set_word(t1,10);
-		BN_set_word(t2,3);
+		if (!BN_set_word(t1,10)) goto err;
+		if (!BN_set_word(t2,3)) goto err;
 		/* BN_set_word(t3,7); just have to miss
 		 * out on these ones :-( */
 		g=5;
 		}
 	else
+		{
+		/* in the general case, don't worry if 'generator' is a
+		 * generator or not: since we are using safe primes,
+		 * it will generate either an order-q or an order-2q group,
+		 * which both is OK */
+		if (!BN_set_word(t1,2)) goto err;
+		if (!BN_set_word(t2,1)) goto err;
 		g=generator;
+		}
 	
 	p=BN_generate_prime(NULL,prime_len,1,t1,t2,callback,cb_arg);
 	if (p == NULL) goto err;
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -107,20 +107,29 @@ DH *DH_new_method(ENGINE *engine)
 	ret=(DH *)OPENSSL_malloc(sizeof(DH));
 	if (ret == NULL)
 		{
-		DHerr(DH_F_DH_NEW,ERR_R_MALLOC_FAILURE);
+		DHerr(DH_F_DH_NEW_METHOD,ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}

 	ret->meth = DH_get_default_method();
-	ret->engine = engine;
-	if(!ret->engine)
+	if (engine)
+		{
+		if (!ENGINE_init(engine))
+			{
+			DHerr(DH_F_DH_NEW_METHOD, ERR_R_ENGINE_LIB);
+			OPENSSL_free(ret);
+			return NULL;
+			}
+		ret->engine = engine;
+		}
+	else
 		ret->engine = ENGINE_get_default_DH();
 	if(ret->engine)
 		{
 		ret->meth = ENGINE_get_DH(ret->engine);
 		if(!ret->meth)
 			{
-			DHerr(DH_F_DH_NEW,ERR_R_ENGINE_LIB);
+			DHerr(DH_F_DH_NEW_METHOD,ERR_R_ENGINE_LIB);
 			ENGINE_finish(ret->engine);
 			OPENSSL_free(ret);
 			return NULL;
@@ -145,6 +154,8 @@ DH *DH_new_method(ENGINE *engine)
 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
 	if ((ret->meth->init != NULL) && !ret->meth->init(ret))
 		{
+		if (ret->engine)
+			ENGINE_finish(ret->engine);
 		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
 		OPENSSL_free(ret);
 		ret=NULL;
--- a/crypto/dh/dhtest.c
+++ b/crypto/dh/dhtest.c
@@ -117,6 +117,16 @@ int main(int argc, char *argv[])
 	a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
 	if (a == NULL) goto err;

+	if (!DH_check(a, &i)) goto err;
+	if (i & DH_CHECK_P_NOT_PRIME)
+		BIO_puts(out, "p value is not prime\n");
+	if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+		BIO_puts(out, "p value is not a safe prime\n");
+	if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+		BIO_puts(out, "unable to check the generator value\n");
+	if (i & DH_NOT_SUITABLE_GENERATOR)
+		BIO_puts(out, "the g value is not a generator\n");
+
 	BIO_puts(out,"\np    =");
 	BN_print(out,a->p);
 	BIO_puts(out,"\ng    =");
@@ -175,6 +185,8 @@ int main(int argc, char *argv[])
 	else
 		ret=0;
 err:
+	ERR_print_errors_fp(stderr);
+
 	if (abuf != NULL) OPENSSL_free(abuf);
 	if (bbuf != NULL) OPENSSL_free(bbuf);
 	if(b != NULL) DH_free(b);
--- a/Show More
+++ b/Show More