Time to release OpenSSL 0.9.7 beta6.

The tag will be OpenSSL_0_9_7-beta6.
A few more NEWS items.
2002-12-17 14:24:51 +00:00 · 2002-12-17 14:21:55 +00:00 · 2002-12-17 08:01:28 +00:00 · 2002-12-16 18:59:05 +00:00 · 2002-12-16 18:17:24 +00:00 · 2002-12-16 06:06:06 +00:00
703 changed files with 31686 additions and 22086 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,4 @@
 openssl.pc
 Makefile.ssl
 MINFO
 makefile.one
--- a/3443
+++ b/3443
--- a/225
+++ b/225
@@ -120,7 +120,7 @@ my $alpha_asm="::::::::";
 # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
 # So the md5_locl.h file has an undef B_ENDIAN if sun is defined
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags
 my %table=(
 # File 'TABLE' (created by 'make TABLE') contains the data from this list,
@@ -134,7 +134,7 @@ my %table=(
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
-"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
 "debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
@@ -144,8 +144,11 @@ my %table=(
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",
 # Basic configs that should work on any (32 and less bit) box
@@ -158,24 +161,25 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
-"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
@@ -195,17 +199,16 @@ my %table=(
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# !!!Folowing can't be even tested yet!!!
+# GCC 3.1 is a requirement
-#    We have to wait till 64-bit glibc for SPARC is operational!!!
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
 # Sunos configs, assuming sparc for the gcc one.
-##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):::DES_UNROLL:::",
+##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::",
-"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
@@ -254,6 +257,9 @@ my %table=(
 "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # 64bit PARISC for GCC without optimization, which seems to make problems.
 # Submitted by <ross.alexander@uk.neceur.com>
 "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # IA-64 targets
 # I have no idea if this one actually works, feedback needed. <appro>
@@ -373,17 +379,19 @@ my %table=(
 "linux-pentium",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppro",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-k6",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
 "linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
-"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG:::::::::::linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -407,13 +415,13 @@ my %table=(
 "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # UnixWare 2.0x fails destest with -O
-"unixware-2.0","cc:-DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 2.1
-"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 7
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -431,10 +439,11 @@ my %table=(
 "aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
 "aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
 "aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
 "aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn::::::-X 64",
 #
-# Cray T90 (SDSC)
+# Cray T90 and similar (SDSC)
 # It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT
 # defined.  The T90 ints and longs are 8 bytes long, and apparently the
 # B_ENDIAN code assumes 4 byte ints.  Fortunately, the non-B_ENDIAN and
@@ -444,7 +453,10 @@ my %table=(
 #'Taking the address of a bit field is not allowed. '
 #'An expression with bit field exists as the operand of "sizeof" '
 # (written by Wayne Schroeder <schroede@SDSC.EDU>)
-"cray-t90-cc", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::",
+#
 # j90 is considered the base machine type for unicos machines,
 # so this configuration is now called "cray-j90" ...
 "cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::",
 #
 # Cray T3E (Research Center Juelich, beckman@acl.lanl.gov)
@@ -472,7 +484,7 @@ my %table=(
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
-"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
 "SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",
@@ -488,6 +500,7 @@ my %table=(
 # Windows NT, Microsoft Visual C++ 4.0
 "VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
 "VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
@@ -503,26 +516,42 @@ my %table=(
 # and its library files in util/pl/*)
 "Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
 # DJGPP
 "DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
-"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::",
+"ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
 "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
 # Some OpenBSD from Bob Beck <beck@obtuse.com>
-"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-alpha",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-i386",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-m68k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-m88k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-mips",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-powerpc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-vax",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
-"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::-fPIC",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
@@ -535,11 +564,16 @@ my %table=(
 ##### VxWorks for various targets
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
 "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
 );
-my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
+my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS
-	BC-16 Mingw32 OS2-EMX);
+	BC-32 BC-16 Mingw32 OS2-EMX);
 my $idx = 0;
 my $idx_cc = $idx++;
@@ -564,6 +598,7 @@ my $idx_shared_cflag = $idx++;
 my $idx_shared_ldflag = $idx++;
 my $idx_shared_extension = $idx++;
 my $idx_ranlib = $idx++;
 my $idx_arflags = $idx++;
 my $prefix="";
 my $openssldir="";
@@ -624,6 +659,7 @@ my $libs;
 my $target;
 my $options;
 my $symlink;
 my $make_depend=0;
 my %withargs=();
 my @argvcopy=@ARGV;
@@ -682,7 +718,7 @@ PROCESS_ARGS:
 			{ $threads=1; }
 		elsif (/^no-shared$/)
 			{ $no_shared=1; }
-		elsif (/^shared$/)
+		elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
 			{ $no_shared=0; }
 		elsif (/^no-zlib$/)
 			{ $zlib=0; }
@@ -710,6 +746,7 @@ PROCESS_ARGS:
 			$openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n";
 			if ($algo eq "RIJNDAEL")
 				{
 				push @skip, "aes";
 				$flags .= "-DOPENSSL_NO_AES ";
 				$depflags .= "-DOPENSSL_NO_AES ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n";
@@ -722,14 +759,6 @@ PROCESS_ARGS:
 				$depflags .= "-DOPENSSL_NO_MDC2 ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n";
 				}
 			if ($algo eq "EC" || $algo eq "SHA" || $algo eq "SHA1")
 				{
 				push @skip, "ecdsa";
 				$options .= " no-ecdsa";
 				$flags .= "-DOPENSSL_NO_ECDSA ";
 				$depflags .= "-DOPENSSL_NO_ECDSA ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_ECDSA\n";
 				}
 			if ($algo eq "MD5")
 				{
 				$no_md5 = 1;
@@ -889,6 +918,7 @@ print "Configuring for $target\n";
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
 $exe_ext=".exe" if ($target eq "Cygwin");
 $exe_ext=".exe" if ($target eq "DJGPP");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
@@ -896,7 +926,7 @@ chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
-$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
+$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 print "IsWindows=$IsWindows\n";
@@ -912,11 +942,11 @@ my $bn_ops = $fields[$idx_bn_ops];
 my $bn_obj = $fields[$idx_bn_obj];
 my $des_obj = $fields[$idx_des_obj];
 my $bf_obj = $fields[$idx_bf_obj];
-my $md5_obj = $fields[$idx_md5_obj];
+$md5_obj = $fields[$idx_md5_obj];
-my $sha1_obj = $fields[$idx_sha1_obj];
+$sha1_obj = $fields[$idx_sha1_obj];
 my $cast_obj = $fields[$idx_cast_obj];
 my $rc4_obj = $fields[$idx_rc4_obj];
-my $rmd160_obj = $fields[$idx_rmd160_obj];
+$rmd160_obj = $fields[$idx_rmd160_obj];
 my $rc5_obj = $fields[$idx_rc5_obj];
 my $dso_scheme = $fields[$idx_dso_scheme];
 my $shared_target = $fields[$idx_shared_target];
@@ -924,6 +954,7 @@ my $shared_cflag = $fields[$idx_shared_cflag];
 my $shared_ldflag = $fields[$idx_shared_ldflag];
 my $shared_extension = $fields[$idx_shared_extension];
 my $ranlib = $fields[$idx_ranlib];
 my $arflags = $fields[$idx_arflags];
 $cflags="$flags$cflags" if ($flags ne "");
@@ -942,6 +973,17 @@ else
 	my ($lresolv, $lpath, $lext);
 	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
 		{
 		die "Sorry, Heimdal is currently not supported\n";
 		}
 	##### HACK to force use of Heimdal.
 	##### WARNING: Since we don't really have adequate support for Heimdal,
 	#####          using this will break the build.  You'll have to make
 	#####          changes to the source, and if you do, please send
 	#####          patches to openssl-dev@openssl.org
 	if ($withargs{"krb5-flavor"} =~ /^force-[Hh]eimdal$/)
 		{
 		warn "Heimdal isn't really supported.  Your build WILL break\n";
 		warn "If you fix the problems, please send a patch to openssl-dev\@openssl.org\n";
 		$withargs{"krb5-dir"} = "/usr/heimdal"
 			if $withargs{"krb5-dir"} eq "";
 		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
@@ -1041,6 +1083,11 @@ if ($no_asm)
 	$sha1_obj=$md5_obj=$rmd160_obj="";
 	}
 if (!$no_shared)
 	{
 	$cast_obj="";	# CAST assembler is not PIC
 	}
 if ($threads)
 	{
 	$cflags=$thread_cflags;
@@ -1051,25 +1098,21 @@ if ($zlib)
 	{
 	$cflags = "-DZLIB $cflags";
 	$cflags = "-DZLIB_SHARED $cflags" if $zlib == 2;
-	$lflags = "$lflags -lz" if $zlib == 2;
+	$lflags = "$lflags -lz" if $zlib == 1;
 	}
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
-if ($shared_target ne "")
+if ($shared_target eq "")
 	{
 	$no_shared = 1;
 	}
 if (!$no_shared)
 	{
 	if ($shared_cflag ne "")
 		{
 		$cflags = "$shared_cflag $cflags";
 		}
 	if (!$no_shared)
 		{
 		#$shared_mark = "\$(SHARED_LIBS)";
 		}
 	}
 else
 	{
 	$no_shared = 1;
 	}
 if ($sys_id ne "")
@@ -1111,6 +1154,10 @@ if ($rmd160_obj =~ /\.o$/)
 	$cflags.=" -DRMD160_ASM";
 	}
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
 $cflags =~ s/([\\\"])/\\\1/g;
 my $version = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
@@ -1142,7 +1189,8 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 	}
 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
-open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
+unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
 open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
 while (<IN>)
@@ -1187,6 +1235,7 @@ while (<IN>)
 	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
 	s/^ARFLAGS=.*/ARFLAGS= $arflags/;
 	s/^PERL=.*/PERL= $perl/;
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
@@ -1196,18 +1245,28 @@ while (<IN>)
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.dylib$/)
 		{
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.dylib/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
 		{
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
 		}
 	s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
 	print OUT $_."\n";
 	}
 close(IN);
 close(OUT);
 rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
 rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
 print "CC            =$cc\n";
 print "CFLAG         =$cflags\n";
@@ -1223,6 +1282,7 @@ print "SHA1_OBJ_ASM  =$sha1_obj\n";
 print "RMD160_OBJ_ASM=$rmd160_obj\n";
 print "PROCESSOR     =$processor\n";
 print "RANLIB        =$ranlib\n";
 print "ARFLAGS       =$arflags\n";
 print "PERL          =$perl\n";
 print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
 	if $withargs{"krb5-include"} ne "";
@@ -1278,7 +1338,8 @@ foreach (sort split(/\s+/,$bn_ops))
 	}
 open(IN,'<crypto/opensslconf.h.in') || die "unable to read crypto/opensslconf.h.in:$!\n";
-open(OUT,'>crypto/opensslconf.h') || die "unable to create crypto/opensslconf.h:$!\n";
+unlink("crypto/opensslconf.h.new") || die "unable to remove old crypto/opensslconf.h.new:$!\n" if -e "crypto/opensslconf.h.new";
 open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslconf.h.new:$!\n";
 print OUT "/* opensslconf.h */\n";
 print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
@@ -1372,6 +1433,8 @@ while (<IN>)
 	}
 close(IN);
 close(OUT);
 rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
 rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
 # Fix the date
@@ -1411,11 +1474,13 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
+	my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
-		if $symlink;
+	my $make_targets = "";
-	### (system 'make depend') == 0 or exit $? if $depflags ne "";
+	$make_targets .= " links" if $symlink;
-	# Run "make depend" manually if you want to be able to delete
+	$make_targets .= " depend" if $depflags ne "" && $make_depend;
-	# the source code files of ciphers you left out.
+	$make_targets .= " gentests" if $symlink;
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
@@ -1425,7 +1490,16 @@ EOF
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
-	}	    
+	}
 	if ($depflags ne "" && !$make_depend) {
 		print <<EOF;
 Since you've disabled at least one algorithm, you need to do the following
 before building:
 	make depend
 EOF
 	}
 }
 print <<EOF;
@@ -1516,7 +1590,7 @@ sub print_table_entry
 	my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
 	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
 	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
-	my $shared_ldflag,my $shared_extension,my $ranlib)=
+	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)=
 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 	print <<EOF
@@ -1544,6 +1618,7 @@ sub print_table_entry
 \$shared_ldflag = $shared_ldflag
 \$shared_extension = $shared_extension
 \$ranlib       = $ranlib
 \$arflags      = $arflags
 EOF
 	}
--- a/115
+++ b/115
@@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?
 [LEGAL] Legal questions
@@ -29,15 +30,20 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't I use OpenSSL certificates with SSL client authentication?
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 [BUILD] Questions about building and testing OpenSSL
 * Why does the linker complain about undefined symbols?
 * Why does the OpenSSL test fail with "bc: command not found"?
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
 * Why does the OpenSSL test fail with "bc: stack empty"?
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
 * What is special about OpenSSL on Redhat?
 * Why does the OpenSSL compilation fail on MacOS X?
 * Why does the OpenSSL test suite fail on MacOS X?
 [PROG] Questions about programming with OpenSSL
@@ -51,6 +57,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't the OpenSSH configure script detect OpenSSL?
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 ===============================================================================
@@ -59,7 +66,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6c was released on December 21st, 2001.
+OpenSSL 0.9.6h was released on December 5, 2002.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -130,6 +137,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 * How do I check the authenticity of the OpenSSL distribution?
 We provide MD5 digests and ASC signatures of each tarball.
 Use MD5 to check that a tarball from a mirror site is identical:
   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
 You can check authenticity using pgp or gpg. You need the OpenSSL team
 member public key used to sign it (download it from a key server). Then
 just do:
   pgp TARBALL.asc
 [LEGAL] =======================================================================
 * Do I need patent licenses to use OpenSSL?
@@ -215,8 +235,13 @@ For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
-versions.  However, be warned that /dev/random is usually a blocking
+versions.  An official statement from Sun with respect to /dev/random
-device, which may have some effects on OpenSSL.
+support can be found at
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
 However, be warned that /dev/random is usually a blocking device, which
 may have some effects on OpenSSL.
 A third party /dev/random solution for Solaris is available at
  http://www.cosy.sbg.ac.at/~andi/
 * Why do I get an "unable to write 'random state'" error message?
@@ -343,6 +368,13 @@ DO NOT DO THIS! This command will give away your CAs private key and
 reduces its security to zero: allowing anyone to forge certificates in
 whatever name they choose.
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 The ways to print out the oneline format of the DN (Distinguished Name) have
 been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
 interface, the "-nameopt" option could be introduded. See the manual
 page of the "openssl x509" commandline tool for details. The old behaviour
 has however been left as default for the sake of compatibility.
 [BUILD] =======================================================================
@@ -387,6 +419,17 @@ and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL test fail with "bc: stack empty"?
 On some DG/ux versions, bc seems to have a too small stack for calculations
 that the OpenSSL bntest throws at it.  This gets triggered when you run the
 test suite (using "make test").  The message returned is "bc: stack empty".
 The best way to deal with this is to find another implementation of bc
 and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 On some Alpha installations running Tru64 Unix and Compaq C, the compilation
@@ -451,6 +494,64 @@ under 'Program Files').  This needs to be done prior to running NMAKE,
 and the changes are only valid for the current DOS session.
 * What is special about OpenSSL on Redhat?
 Red Hat Linux (release 7.0 and later) include a preinstalled limited
 version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
 is disabled in this version. The same may apply to other Linux distributions.
 Users may therefore wish to install more or all of the features left out.
 To do this you MUST ensure that you do not overwrite the openssl that is in
 /usr/bin on your Red Hat machine. Several packages depend on this file,
 including sendmail and ssh. /usr/local/bin is a good alternative choice. The
 libraries that come with Red Hat 7.0 onwards have different names and so are
 not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
 /lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
 /lib/libcrypto.so.2 respectively).
 Please note that we have been advised by Red Hat attempting to recompile the
 openssl rpm with all the cryptography enabled will not work. All other
 packages depend on the original Red Hat supplied openssl package. It is also
 worth noting that due to the way Red Hat supplies its packages, updates to
 openssl on each distribution never change the package version, only the
 build number. For example, on Red Hat 7.1, the latest openssl package has
 version number 0.9.6 and build number 9 even though it contains all the
 relevant updates in packages up to and including 0.9.6b.
 A possible way around this is to persuade Red Hat to produce a non-US
 version of Red Hat Linux.
 FYI: Patent numbers and expiry dates of US patents:
 MDC-2: 4,908,861 13/03/2007
 IDEA:  5,214,703 25/05/2010
 RC5:   5,724,428 03/03/2015
 * Why does the OpenSSL compilation fail on MacOS X?
 If the failure happens when trying to build the "openssl" binary, with
 a large number of undefined symbols, it's very probable that you have
 OpenSSL 0.9.6b delivered with the operating system (you can find out by
 running '/usr/bin/openssl version') and that you were trying to build
 OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
 MacOS X has a misfeature that's quite difficult to go around.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 * Why does the OpenSSL test suite fail on MacOS X?
 If the failure happens when running 'make test' and the RC4 test fails,
 it's very probable that you have OpenSSL 0.9.6b delivered with the
 operating system (you can find out by running '/usr/bin/openssl version')
 and that you were trying to build OpenSSL 0.9.6d.  The problem is that
 the loader ('ld') in MacOS X has a misfeature that's quite difficult to
 go around and has linked the programs "openssl" and the test programs
 with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
 libraries you just built.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 [PROG] ========================================================================
 * Is OpenSSL thread-safe?
@@ -616,5 +717,13 @@ if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
 versions, uniqueIdentifier was incorrectly used for X.509 certificates.
 The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
 Change your code to use the new name when compiling against OpenSSL 0.9.7.
 ===============================================================================
--- a/28
+++ b/28
@@ -2,8 +2,10 @@
 INSTALLATION ON THE UNIX PLATFORM
 ---------------------------------
- [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
+ [Installation on DOS (with djgpp), Windows, OpenVMS and MacOS (before MacOS X)
-  in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
+  is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.
  This document describes installation on operating systems in the Unix
  family.]
 To install OpenSSL, you will need:
@@ -137,8 +139,11 @@
     the failure that aren't problems in OpenSSL itself (like missing
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
-     message will be forwarded to a public mailing list).  Include the
+     message will be recorded in the request tracker publicly readable
-     output of "make report" in your message.
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
     public mailing list). Include the output of "make report" in your message.
     Please check out the request tracker. Maybe the bug was already
     reported or has already been fixed.
     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -156,7 +161,8 @@
     try removing any compiler optimization flags from the CFLAGS line
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
-     "make report".
+     "make report" in order to be added to the request tracker at
     http://www.openssl.org/support/rt2.html.
  4. If everything tests ok, install OpenSSL with
@@ -290,3 +296,15 @@
 targets for shared library creation, like linux-shared.  Those targets
 can currently be used on their own just as well, but this is expected
 to change in future versions of OpenSSL.
 Note on random number generation
 --------------------------------
 Availability of cryptographically secure random numbers is required for
 secret key generation. OpenSSL provides several options to seed the
 internal PRNG. If not properly seeded, the internal PRNG will refuse
 to deliver random bytes and a "PRNG not seeded error" will occur.
 On systems without /dev/urandom (or similar) device, it may be necessary
 to install additional support software to obtain random seed.
 Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
 and the FAQ for more information.
--- a/INSTALL.DJGPP
+++ b/INSTALL.DJGPP
@@ -0,0 +1,34 @@
 INSTALLATION ON THE DOS PLATFORM WITH DJGPP
 -------------------------------------------
 Openssl has been ported to DOS, but only with long filename support. If
 you wish to compile on native DOS with 8+3 filenames, you will have to
 tweak the installation yourself, including renaming files with illegal
 or duplicate names.
 You should have a full DJGPP environment installed, including the
 latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
 requires that PERL and BC also be installed.
 All of these can be obtained from the usual DJGPP mirror sites, such
 as "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to
 have the WATT-32 networking package installed before you try to compile
 openssl. This can be obtained from "http://www.bgnett.no/~giva/".
 The Makefile assumes that the WATT-32 code is in the directory
 specified by the environment variable WATT_ROOT. If you have watt-32
 in directory "watt32" under your main DJGPP directory, specify
 WATT_ROOT="/dev/env/DJDIR/watt32".
 To compile openssl, start your BASH shell. Then configure for DOS by
 running "./Configure" with appropriate arguments. The basic syntax for
 DOS is:
 ./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
 You may run out of DPMI selectors when running in a DOS box under
 Windows. If so, just close the BASH shell, go back to Windows, and
 restart BASH. Then run "make" again.
 Building openssl under DJGPP has been tested with DJGPP 2.03,
 GCC 2.952, GCC 2.953, perl 5.005_02 and perl 5.006_01.
--- a/INSTALL.OS2
+++ b/INSTALL.OS2
@@ -20,3 +20,12 @@
 If that finishes successfully you will find the libraries and programs in the
 "out" directory.
 Alternatively, you can make a dynamic build that puts the library code into
 crypto.dll and ssl.dll by running
 > make -f os2-emx-dll.mak
 This will build the above mentioned dlls and a matching pair of import
 libraries in the "out_dll" directory along with the set of test programs
 and the openssl application.
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -2,19 +2,21 @@
 INSTALLATION ON THE WIN32 PLATFORM
 ----------------------------------
 [Instructions for building for Windows CE can be found in INSTALL.WCE]
 Heres a few comments about building OpenSSL in Windows environments.  Most
 of this is tested on Win32 but it may also work in Win 3.1 with some
 modification.
- You need Perl for Win32.  Unless you will build on CygWin32, you will need
+ You need Perl for Win32.  Unless you will build on Cygwin, you will need
 ActiveState Perl, available from http://www.activestate.com/ActivePerl.
- For CygWin32 users, there's more info in the CygWin32 section.
+ For Cygwin users, there's more info in the Cygwin section.
 and one of the following C compilers:
  * Visual C++
  * Borland C
-  * GNU C (Mingw32 or Cygwin32)
+  * GNU C (Mingw32 or Cygwin)
 If you want to compile in the assembly language routines with Visual C++ then
 you will need an assembler. This is worth doing because it will result in
@@ -81,8 +83,9 @@
 There are various changes you can make to the Win32 compile environment. By
 default the library is not compiled with debugging symbols. If you add 'debug'
- to the mk1mk.pl lines in the do_* batch file then debugging symbols will be
+ to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
- compiled in.
+ compiled in. Note that mk1mf.pl expects the platform to be the last argument
 on the command line, so 'debug' must appear before that, as all other options.
 The default Win32 environment is to leave out any Windows NT specific
 features.
@@ -94,6 +97,18 @@
 You can also build a static version of the library using the Makefile
 ms\nt.mak
 Borland C++ builder 5
 ---------------------
 * Configure for building with Borland Builder:
   > perl Configure BC-32
 * Create the appropriate makefile
   > ms\do_nasm
 * Build
   > make -f ms\bcb.mak
 Borland C++ builder 3 and 4
 ---------------------------
@@ -112,10 +127,10 @@
 * Compiler installation:
   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. GNU make is at
+   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it
-   <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
+   to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to
-   make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
+   the PATH environment variable in "System Properties"; or edit and
-   C:\egcs-1.1.2\mingw32.bat to set the PATH.
+   run C:\gcc-2.95.2\mingw32.bat to set the PATH.
 * Compile OpenSSL:
@@ -137,30 +152,30 @@
   > cd out
   > ..\ms\test
- GNU C (CygWin32)
+ GNU C (Cygwin)
- ---------------
+ --------------
- CygWin32 provides a bash shell and GNU tools environment running on
+ Cygwin provides a bash shell and GNU tools environment running
- NT 4.0, Windows 9x and Windows 2000. Consequently, a make of OpenSSL
+ on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP.
- with CygWin is closer to a GNU bash environment such as Linux rather
+ Consequently, a make of OpenSSL with Cygwin is closer to a GNU
- than other W32 makes that are based on a single makefile approach.
+ bash environment such as Linux than to other W32 makes which are
- CygWin32 implements Posix/Unix calls through cygwin1.dll, and is
+ based on a single makefile approach. Cygwin implements Posix/Unix
- contrasted to Mingw32 which links dynamically to msvcrt.dll or
+ calls through cygwin1.dll, and is contrasted to Mingw32 which links
- crtdll.dll.
+ dynamically to msvcrt.dll or crtdll.dll.
- To build OpenSSL using CygWin32:
+ To build OpenSSL using Cygwin:
- * Install CygWin32 (see http://sourceware.cygnus.com/cygwin)
+ * Install Cygwin (see http://cygwin.com/)
 * Install Perl and ensure it is in the path (recent Cygwin perl 
   (version 5.6.1-2 of the latter has been reported to work) or
   ActivePerl)
- * Run the CygWin bash shell
+ * Run the Cygwin bash shell
 * $ tar zxvf openssl-x.x.x.tar.gz
   $ cd openssl-x.x.x
-   $ ./Configure no-threads CygWin32
+   $ ./config
   [...]
   $ make
   [...]
@@ -169,26 +184,22 @@
 This will create a default install in /usr/local/ssl.
- CygWin32 Notes:
+ Cygwin Notes:
 "make test" and normal file operations may fail in directories
- mounted as text (i.e. mount -t c:\somewhere /home) due to CygWin
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
 stripping of carriage returns. To avoid this ensure that a binary
 mount is used, e.g. mount -b c:\somewhere /home.
- As of version 1.1.1 CygWin32 is relatively unstable in its handling
+ "bc" is not provided in older Cygwin distribution.  This causes a
 of cr/lf issues. These make procedures succeeded with versions 1.1 and
 the snapshot 20000524 (Slow!).
 "bc" is not provided in the CygWin32 distribution.  This causes a
 non-fatal error in "make test" but is otherwise harmless.  If
- desired, GNU bc can be built with CygWin32 without change.
+ desired and needed, GNU bc can be built with Cygwin without change.
 Installation
 ------------
- If you used the CygWin procedure above, you have already installed and
+ If you used the Cygwin procedure above, you have already installed and
 can skip this section.  For all other procedures, there's currently no real
 installation procedure for Win32.  There are, however, some suggestions:
--- a/INSTALL.WCE
+++ b/INSTALL.WCE
@@ -0,0 +1,71 @@
 INSTALLATION FOR THE WINDOWS CE PLATFORM
 ----------------------------------------
 Building OpenSSL for Windows CE requires the following external tools:
  * Microsoft eMbedded Visual C++ 3.0
  * wcecompat compatibility library (www.essemer.com.au)
  * Optionally ceutils for running automated tests (www.essemer.com.au)
 You also need Perl for Win32.  You will need ActiveState Perl, available
 from http://www.activestate.com/ActivePerl.
 Windows CE support in OpenSSL relies on wcecompat.  All Windows CE specific
 issues should be directed to www.essemer.com.au.
 The C Runtime Library implementation for Windows CE that is included with
 Microsoft eMbedded Visual C++ 3.0 is incomplete and in some places
 incorrect.  wcecompat plugs the holes and tries to bring the Windows CE
 CRT to a level that is more compatible with ANSI C.  wcecompat goes further
 and provides low-level IO and stream IO support for stdin/stdout/stderr
 (which Windows CE does not provide).  This IO functionality is not needed
 by the OpenSSL library itself but is used for the tests and openssl.exe.
 More information is available at www.essemer.com.au.
 Building
 --------
 Setup the eMbedded Visual C++ environment.  There are batch files for doing
 this installed with eVC++.  For an ARM processor, for example, execute:
 > "C:\Program Files\Microsoft eMbedded Tools\EVC\WCE300\BIN\WCEARM.BAT"
 Next indicate where wcecompat is located:
 > set WCECOMPAT=C:\wcecompat
 Next you should run Configure:
 > perl Configure VC-CE
 Next you need to build the Makefiles:
 > ms\do_ms
 If you get errors about things not having numbers assigned then check the
 troubleshooting section in INSTALL.W32: you probably won't be able to compile
 it as it stands.
 Then from the VC++ environment at a prompt do:
 - to build static libraries:
   > nmake -f ms\ce.mak
 - or to build DLLs:
   > nmake -f ms\cedll.mak
 If all is well it should compile and you will have some static libraries and
 executables in out32, or some DLLs and executables in out32dll.  If you want
 to try the tests then make sure the ceutils are in the path and do:
 > cd out32
 > ..\ms\testce
 This will copy each of the test programs to the Windows CE device and execute
 them, displaying the output of the tests on this computer.  The output should
 look similar to the output produced by running the tests for a regular Windows
 build.
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/MacOS/GetHTTPS.src/MacSocket.cpp
+++ b/MacOS/GetHTTPS.src/MacSocket.cpp
@@ -1287,7 +1287,7 @@ EXITPOINT:
 //	Send some bytes
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength)
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength)
 {
 OSErr			errCode = noErr;
 int				bytesSent = 0;
@@ -1604,4 +1604,4 @@ EPInfo* epi = (EPInfo*) context;
 		}
 	}
 }
-*/
+*/
--- a/MacOS/GetHTTPS.src/MacSocket.h
+++ b/MacOS/GetHTTPS.src/MacSocket.h
@@ -62,7 +62,7 @@ int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const B
 //	Call this to send data on a socket
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength);
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength);
 //	If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close
--- a/Makefile.org
+++ b/Makefile.org
@@ -15,6 +15,11 @@ OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
 # and should probably not be bothered with at all.
 HERE=.
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -59,7 +64,8 @@ DEPFLAG=
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
-AR=ar r
+ARFLAGS=
 AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 PERL= perl
 TAR= tar
@@ -166,7 +172,7 @@ SHLIBDIRS= crypto ssl
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
@@ -204,7 +210,7 @@ HEADER=         e_os.h
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage
-all: Makefile.ssl sub_all
+all: Makefile.ssl sub_all openssl.pc
 sub_all:
 	@for i in $(DIRS); \
@@ -241,7 +247,7 @@ clean-shared:
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+			( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
@@ -251,7 +257,8 @@ link-shared:
 		for i in $(SHLIBDIRS); do \
 			prev=lib$$i$(SHLIB_EXT); \
 			for j in $${tmp:-x}; do \
-				( set -x; ln -f -s $$prev lib$$i$$j ); \
+				( set -x; \
 				rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \
 				prev=lib$$i$$j; \
 			done; \
 		done; \
@@ -266,17 +273,13 @@ do_gnu-shared:
 	( set -x; ${CC} ${SHARED_LDFLAGS} \
 		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
 	libs="$$libs -l$$i"; \
 	done
-DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
+DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 	collect2=`gcc -print-prog-name=collect2 2>&1` && \
 	[ -n "$$collect2" ] && \
 	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
 	[ -n "$$my_ld" ] && \
 	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
 # For Darwin AKA Mac OS/X (dyld)
 do_darwin-shared: 
@@ -291,7 +294,8 @@ do_darwin-shared:
 do_cygwin-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	( set -x; ${CC}  -shared -o cyg$$i.dll \
+	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
 		-Wl,--no-whole-archive $$libs ) || exit 1; \
@@ -353,10 +357,13 @@ do_solaris-shared:
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  MINUSZ='-z '; \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
 			$$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
@@ -433,6 +440,7 @@ do_hpux-shared:
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Fl lib$$i.a -ldld -lc ) || exit 1; \
 	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 # This assumes that GNU utilities are *not* used
@@ -451,6 +459,7 @@ do_hpux64-shared:
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+forceload lib$$i.a -ldl -lc ) || exit 1; \
 	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 # The following method is said to work on all platforms.  Tests will
@@ -510,6 +519,19 @@ do_reliantunix-shared:
 	libs="$$libs -l$$i"; \
 	done
 openssl.pc:
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/lib'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir}' ) > openssl.pc
 Makefile.ssl: Makefile.org
 	@echo "Makefile.ssl is older than Makefile.org."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@@ -528,6 +550,7 @@ clean:
 		rm -f $(LIBS); \
 	fi; \
 	done;
 	rm -f openssl.pc
 	rm -f *.a *.o speed.* *.map *.so .pure core
 	rm -f $(TARFILE)
 	@for i in $(ONEDIRS) ;\
@@ -560,6 +583,10 @@ links:
 	fi; \
 	done;
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -574,8 +601,10 @@ rehash: rehash.time
 rehash.time: certs
 	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
 		elif [ "$(PLATFORM)" != "Cygwin" ];  then PATH="`pwd`:$$PATH"; fi; \
 		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
 		$(PERL) tools/c_rehash certs)
 	touch rehash.time
@@ -583,9 +612,11 @@ test:   tests
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' OPENSSL_DEBUG_MEMORY=on tests );
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
 		elif [ "$(PLATFORM)" != "Cygwin" ];  then PATH="`pwd`:$$PATH"; fi; \
 		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
 		apps/openssl version -a
 report:
@@ -596,7 +627,7 @@ depend:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' depend ) || exit 1; \
+		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
 	fi; \
 	done;
@@ -642,18 +673,27 @@ TABLE: Configure
 update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
-	@$(TAR) $(TARFLAGS) -cvf - \
+	find . -type d -print | xargs chmod 755
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
 tar-snap:
 	@$(TAR) $(TARFLAGS) -cvf - \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' | sort` |\
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
@@ -663,7 +703,7 @@ dist:
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='${SDIRS}' clean
-	@$(MAKE) tar
+	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
@@ -671,6 +711,7 @@ dist_pem_h:
 install: all install_docs
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkginfo \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -692,11 +733,12 @@ install: all install_docs
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-		fi \
+			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-	done
+		fi; \
 	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
@@ -704,21 +746,26 @@ install: all install_docs
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib/cyg/'`; \
+					c=`echo $$i | sed 's/^lib\(.*\)/cyg\1-$(SHLIB_VERSION_NUMBER)/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
-			fi \
+			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			make -f $$here/Makefile link-shared ); \
+			set $(MAKE); \
 			$$1 -f $$here/Makefile link-shared ); \
 	fi
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkginfo
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -726,23 +773,43 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@for i in doc/apps/*.pod; do \
+	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
 		filecase=-i; \
 	fi; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
-		(cd `dirname $$i`; \
+		(cd `$(PERL) util/dirname.pl $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+		sh -c "$$pod2man \
-			 --release=$(VERSION) `basename $$i`) \
+			--section=$$sec --center=OpenSSL \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			--release=$(VERSION) `basename $$i`") \
-	done
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
-	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
 			 done); \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
-		(cd `dirname $$i`; \
+		(cd `$(PERL) util/dirname.pl $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+		sh -c "$$pod2man \
-			--release=$(VERSION) `basename $$i`) \
+			--section=$$sec --center=OpenSSL \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
 		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
 			 done); \
 	done
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/79
+++ b/79
@@ -8,11 +8,82 @@
  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
      o New library section OCSP.
-      o Complete haul-over of the ASN.1 library section.
+      o Complete rewrite of ASN1 code.
      o CRL checking in verify code and openssl utility.
      o Extension copying in 'ca' utility.
      o Flexible display options in 'ca' utility.
      o Provisional support for international characters with UTF8.
      o Support for external crypto devices ('engine') is no longer
        a separate distribution.
      o New elliptic curve library section.
      o New AES (Rijndael) library section.
      o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
        Linux x86_64, Linux 64-bit on Sparc v9
      o Extended support for some platforms: VxWorks
      o Enhanced support for shared libraries.
      o Now only builds PIC code when shared library support is requested.
      o Support for pkg-config.
      o Lots of new manuals.
      o Makes symbolic links to or copies of manuals to cover all described
        functions.
      o Change DES API to clean up the namespace (some applications link also
        against libdes providing similar functions having the same name).
        Provide macros for backward compatibility (will be removed in the
        future).
      o Unify handling of cryptographic algorithms (software and engine)
        to be available via EVP routines for asymmetric and symmetric ciphers.
      o NCONF: new configuration handling routines.
      o Change API to use more 'const' modifiers to improve error checking
        and help optimizers.
      o Finally remove references to RSAref.
      o Reworked parts of the BIGNUM code.
      o Support for new engines: Broadcom ubsec, Accelerated Encryption
        Processing, IBM 4758.
      o A few new engines added in the demos area.
      o Extended and corrected OID (object identifier) table.
      o PRNG: query at more locations for a random device, automatic query for
        EGD style random sources at several locations.
      o SSL/TLS: allow optional cipher choice according to server's preference.
      o SSL/TLS: allow server to explicitly set new session ids.
      o SSL/TLS: support Kerberos cipher suites (RFC2712).
 	Only supports MIT Kerberos for now.
      o SSL/TLS: allow more precise control of renegotiations and sessions.
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).
-  Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
      o New configuration targets for Tandem OSS and A/UX.
      o New OIDs for Microsoft attributes.
      o Better handling of SSL session caching.
      o Better comparison of distinguished names.
      o Better handling of shared libraries in a mixed GNU/non-GNU environment.
      o Support assembler code with Borland C.
      o Fixes for length problems.
      o Fixes for uninitialised variables.
      o Fixes for memory leaks, some unusual crashes and some race conditions.
      o Fixes for smaller building problems.
      o Updates of manuals, FAQ and other instructive documents.
  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
      o Important building fixes on Unix.
  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
      o Various important bugfixes.
  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.
  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
      o Various SSL/TLS library bugfixes.
      o Fix DH parameter generation for 'non-standard' generators.
  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
@@ -25,7 +96,7 @@
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].
-  Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
@@ -58,7 +129,7 @@
      o Bug fixes for Win32, HP/UX and Irix.
      o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
        memory checking routines.
-      o Bug fixes for RSA operations in threaded enviroments.
+      o Bug fixes for RSA operations in threaded environments.
      o Bug fixes in misc. openssl applications.
      o Remove a few potential memory leaks.
      o Add tighter checks of BIGNUM routines.
--- a/64
+++ b/64
@@ -0,0 +1,64 @@
 * System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
    NOTE: The problem described here only applies when OpenSSL isn't built
    with shared library support (i.e. without the "shared" configuration
    option).  If you build with shared library support, you will have no
    problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
 This is really a misfeature in ld, which seems to look for .dylib libraries
 along the whole library path before it bothers looking for .a libraries.  This
 means that -L switches won't matter unless OpenSSL is built with shared
 library support.
 The workaround may be to change the following lines in apps/Makefile.ssl and
 test/Makefile.ssl:
  LIBCRYPTO=-L.. -lcrypto
  LIBSSL=-L.. -lssl
 to:
  LIBCRYPTO=../libcrypto.a
  LIBSSL=../libssl.a
 It's possible that something similar is needed for shared library support
 as well.  That hasn't been well tested yet.
 Another solution that many seem to recommend is to move the libraries
 /usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
 directory, build and install OpenSSL and anything that depends on your
 build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
 original places.  Note that the version numbers on those two libraries
 may differ on your machine.
 As long as Apple doesn't fix the problem with ld, this problem building
 OpenSSL will remain as is.
 * Parallell make leads to errors
 While running tests, running a parallell make is a bad idea.  Many test
 scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
 The solution is simple for now: don't run parallell make when testing.
 * Bugs in gcc 3.0 triggered
 According to a problem report, there are bugs in gcc 3.0 that are
 triggered by some of the code in OpenSSL, more specifically in
 PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
 	header+=11;
 	if (*header != '4') return(0); header++;
 	if (*header != ',') return(0); header++;
 What happens is that gcc might optimize a little too agressively, and
 you end up with an extra incrementation when *header != '4'.
 We recommend that you upgrade gcc to as high a 3.x version as you can.
--- a/19
+++ b/19
@@ -1,5 +1,5 @@
- OpenSSL 0.9.8-dev 24 Sep 2000
+ OpenSSL 0.9.7-beta6 17 Dec 2002
 Copyright (c) 1998-2002 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -122,6 +122,13 @@
 lists the functions; you will probably have to look at the code to work out
 how to use them. Look at the example programs.
 PROBLEMS
 --------
 For some platforms, there are some known problems that may affect the user
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.
 SUPPORT 
 -------
@@ -146,11 +153,13 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)
- Report the bug to the OpenSSL project at:
+ Report the bug to the OpenSSL project via the Request Tracker
 (http://www.openssl.org/support/rt2.html) by mail to:
    openssl-bugs@openssl.org
- Note that mail to openssl-bugs@openssl.org is forwarded to a public
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
 readable request tracker database and is forwarded to a public
 mailing list. Confidential mail may be sent to openssl-security@openssl.org
 (PGP key available from the key servers).
@@ -164,7 +173,9 @@
 textual explanation of what your patch does.
 Note: For legal reasons, contributions from the US can be accepted only
- if a copy of the patch is sent to crypt@bxa.doc.gov
+ if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
 see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
 The preferred format for changes is "diff -u" output. You might
 generate it like this:
--- a/README.ENGINE
+++ b/README.ENGINE
@@ -154,7 +154,7 @@
    shared-library that contains the ENGINE implementation, and "NO_VCHECK"
    might possibly be useful if there is a minor version conflict and you
    (or a vendor helpdesk) is convinced you can safely ignore it.
-    "ENGINE_ID" is probably only needed if a shared-library implements
+    "ID" is probably only needed if a shared-library implements
    multiple ENGINEs, but if you know the engine id you expect to be using,
    it doesn't hurt to specify it (and this provides a sanity check if
    nothing else). "LIST_ADD" is only required if you actually wish the
@@ -174,7 +174,7 @@
       ENGINE *e = ENGINE_by_id("dynamic");
       ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
-       ENGINE_ctrl_cmd_string(e, "ENGINE_ID", "foo", 0);
+       ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
       ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
       ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
@@ -184,7 +184,7 @@
       openssl engine dynamic \
                 -pre SO_PATH:/lib/libfoo.so \
-                 -pre ENGINE_ID:foo \
+                 -pre ID:foo \
                 -pre LOAD \
                 -pre "CMD_FOO:some input data"
@@ -192,7 +192,7 @@
       openssl engine -vvvv dynamic \
                 -pre SO_PATH:/lib/libfoo.so \
-                 -pre ENGINE_ID:foo \
+                 -pre ID:foo \
                 -pre LOAD
    Applications that support the ENGINE API and more specifically, the
--- a/68
+++ b/68
@@ -1,10 +1,21 @@
  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/02/13 10:21:25 $
+  ______________                           $Date: 2002/12/17 14:24:51 $
  DEVELOPMENT STATE
-    o  OpenSSL 0.9.7:  Under development...
+    o  OpenSSL 0.9.8:  Under development...
    o  OpenSSL 0.9.7-beta6: Released on December 17th, 2002
    o  OpenSSL 0.9.7-beta5: Released on December  5th, 2002
    o  OpenSSL 0.9.7-beta4: Released on November 19th, 2002
    o  OpenSSL 0.9.7-beta3: Released on July     30th, 2002
    o  OpenSSL 0.9.7-beta2: Released on June     16th, 2002
    o  OpenSSL 0.9.7-beta1: Released on June      1st, 2002
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
@@ -17,10 +28,24 @@
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998
  [See also http://www.openssl.org/support/rt2.html]
  RELEASE SHOWSTOPPERS
-    o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
+    o BN_mod_mul verification fails for mips3-sgi-irix
-      - BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc
+      unless configured with no-asm
    o [2002-11-21]
      PR 343 mentions that scrubbing memory with 'memset(ptr, 0, n)' may
      be optimized away in modern compilers.  This is definitely not good
      and needs to be fixed immediately.  The formula to use is presented
      in:
      http://online.securityfocus.com/archive/82/297918/2002-10-27/2002-11-02/0
      The problem report that mentions this is:
      https://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=343
  AVAILABLE PATCHES
@@ -43,30 +68,13 @@
 	UTIL (a new set of library functions to support some higher level
 	      functionality that is currently missing).
 	Shared library support for VMS.
-	Kerberos 5 authentication
+	Kerberos 5 authentication (Heimdal)
 	Constification
 	OCSP
  NEEDS PATCH
    o  An (optional) countermeasure against the predictable-IV CBC
       weakness in SSL/TLS should be added; see
       http://www.openssl.org/~bodo/tls-cbc.txt
    o  All 'openssl' subprograms taking '-des' and '-des3' options should
       include AES support (0.9.7-dev)
    o  'openssl speed' should include AES support (0.9.7-dev)
    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
    o  OpenSSL_0_9_6-stable:
       #include <openssl/e_os.h> in exported header files is illegal since
       e_os.h is suitable only for library-internal use.
    o  Whenever strncpy is used, make sure the resulting string is NULL-terminated
       or an error is reported
    o  "OpenSSL STATUS" is never up-to-date.
  OPEN ISSUES
@@ -95,22 +103,6 @@
                    which apparently is not flexible enough to generate
                    libcrypto)
    o  The perl/ stuff needs a major overhaul. Currently it's
       totally obsolete. Either we clean it up and enhance it to be up-to-date
       with the C code or we also could replace it with the really nice
       Net::SSLeay package we can find under
       http://www.neuronio.pt/SSLeay.pm.html.  Ralf uses this package for a
       longer time and it works fine and is a nice Perl module. Best would be
       to convince the author to work for the OpenSSL project and create a
       Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
       us.
       Status: Ralf thinks we should both contact the author of Net::SSLeay
               and look how much effort it is to bring Eric's perl/ stuff up
               to date.
               Paul +1
  WISHES
    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
--- a/980
+++ b/980
--- a/VMS/tcpip_shr_decc.opt
+++ b/VMS/tcpip_shr_decc.opt
@@ -0,0 +1 @@
 sys$share:tcpip$ipc_shr.exe/share
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -114,9 +114,7 @@
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#define NON_MAIN
+#include <ctype.h>
 #include "apps.h"
 #undef NON_MAIN
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -129,9 +127,17 @@
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
 #else
-#include <strings.h>
+#  ifdef NO_STRINGS_H
    int	strcasecmp();
 #  else
 #    include <strings.h>
 #  endif /* NO_STRINGS_H */
 #endif
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 #ifdef OPENSSL_SYS_WINDOWS
 #  include "bss_file.c"
 #endif
@@ -147,7 +153,7 @@ static UI_METHOD *ui_method = NULL;
 static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
 static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 /* Looks like this stuff is worth moving into separate function */
 static EVP_PKEY *
 load_netscape_key(BIO *err, BIO *key, const char *file,
@@ -310,9 +316,16 @@ void program_name(char *in, char *out, int size)
 	q=strrchr(p,'.');
 	if (q == NULL)
-		q = in+size;
+		q = p + strlen(p);
-	strncpy(out,p,q-p);
+	strncpy(out,p,size-1);
-	out[q-p]='\0';
+	if (q-p >= size)
 		{
 		out[size-1]='\0';
 		}
 	else
 		{
 		out[q-p]='\0';
 		}
 	}
 #else
 void program_name(char *in, char *out, int size)
@@ -324,8 +337,7 @@ void program_name(char *in, char *out, int size)
 		p++;
 	else
 		p=in;
-	strncpy(out,p,size-1);
+	BUF_strlcpy(out,p,size);
 	out[size-1]='\0';
 	}
 #endif
 #endif
@@ -333,19 +345,57 @@ void program_name(char *in, char *out, int size)
 #ifdef OPENSSL_SYS_WIN32
 int WIN32_rename(char *from, char *to)
 	{
-#ifdef OPENSSL_SYS_WINNT
+#ifndef OPENSSL_SYS_WINCE
-	int ret;
+	/* Windows rename gives an error if 'to' exists, so delete it
-/* Note: MoveFileEx() doesn't work under Win95, Win98 */
+	 * first and ignore file not found errror
-
+	 */
-	ret=MoveFileEx(from,to,MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED);
+	if((remove(to) != 0) && (errno != ENOENT))
-	return(ret?0:-1);
+		return -1;
 #undef rename
 	return rename(from, to);
 #else
-	unlink(to);
+	/* convert strings to UNICODE */
-	return MoveFile(from, to);
+	{
 	BOOL result = FALSE;
 	WCHAR* wfrom;
 	WCHAR* wto;
 	int i;
 	wfrom = malloc((strlen(from)+1)*2);
 	wto = malloc((strlen(to)+1)*2);
 	if (wfrom != NULL && wto != NULL)
 		{
 		for (i=0; i<(int)strlen(from)+1; i++)
 			wfrom[i] = (short)from[i];
 		for (i=0; i<(int)strlen(to)+1; i++)
 			wto[i] = (short)to[i];
 		result = MoveFile(wfrom, wto);
 		}
 	if (wfrom != NULL)
 		free(wfrom);
 	if (wto != NULL)
 		free(wto);
 	return result;
 	}
 #endif
 	}
 #endif
 #ifdef OPENSSL_SYS_VMS
 int VMS_strcasecmp(const char *str1, const char *str2)
 	{
 	while (*str1 && *str2)
 		{
 		int res = toupper(*str1) - toupper(*str2);
 		if (res) return res < 0 ? -1 : 1;
 		}
 	if (*str1)
 		return 1;
 	if (*str2)
 		return -1;
 	return 0;
 	}
 #endif
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	{
 	int num,len,i;
@@ -421,16 +471,20 @@ int app_init(long mesgwin)
 int dump_cert_text (BIO *out, X509 *x)
 {
-	char buf[256];
+	char *p;
 	X509_NAME_oneline(X509_get_subject_name(x),buf,256);
 	BIO_puts(out,"subject=");
 	BIO_puts(out,buf);
-	X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
+	p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0);
-	BIO_puts(out,"\nissuer= ");
+	BIO_puts(out,"subject=");
-	BIO_puts(out,buf);
+	BIO_puts(out,p);
 	OPENSSL_free(p);
 	p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0);
 	BIO_puts(out,"\nissuer=");
 	BIO_puts(out,p);
 	BIO_puts(out,"\n");
-        return 0;
+	OPENSSL_free(p);
 	return 0;
 }
 static int ui_open(UI *ui)
@@ -486,7 +540,7 @@ static int ui_close(UI *ui)
 	{
 	return UI_method_get_closer(UI_OpenSSL())(ui);
 	}
-int setup_ui_method()
+int setup_ui_method(void)
 	{
 	ui_method = UI_create_method("OpenSSL application user interface");
 	UI_method_set_opener(ui_method, ui_open);
@@ -495,7 +549,7 @@ int setup_ui_method()
 	UI_method_set_closer(ui_method, ui_close);
 	return 0;
 	}
-void destroy_ui_method()
+void destroy_ui_method(void)
 	{
 	if(ui_method)
 		{
@@ -561,7 +615,7 @@ int password_callback(char *buf, int bufsiz, int verify,
 		if (buff)
 			{
-			memset(buff,0,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buff,(unsigned int)bufsiz);
 			OPENSSL_free(buff);
 			}
@@ -571,13 +625,13 @@ int password_callback(char *buf, int bufsiz, int verify,
 			{
 			BIO_printf(bio_err, "User interface error\n");
 			ERR_print_errors(bio_err);
-			memset(buf,0,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
 			res = 0;
 			}
 		if (ok == -2)
 			{
 			BIO_printf(bio_err,"aborted!\n");
-			memset(buf,0,(unsigned int)bufsiz);
+			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
 			res = 0;
 			}
 		UI_free(ui);
@@ -790,7 +844,7 @@ end:
 	return(x);
 	}
-EVP_PKEY *load_key(BIO *err, const char *file, int format,
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip)
 	{
 	BIO *key=NULL;
@@ -800,7 +854,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 	cb_data.password = pass;
 	cb_data.prompt_info = file;
-	if (file == NULL)
+	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
@@ -820,12 +874,19 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 		ERR_print_errors(err);
 		goto end;
 		}
-	if (BIO_read_filename(key,file) <= 0)
+	if (file == NULL && maybe_stdin)
 		{
-		BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
+		setvbuf(stdin, NULL, _IONBF, 0);
-		ERR_print_errors(err);
+		BIO_set_fp(key,stdin,BIO_NOCLOSE);
 		goto end;
 		}
 	else
 		if (BIO_read_filename(key,file) <= 0)
 			{
 			BIO_printf(err, "Error opening %s %s\n",
 				key_descrip, file);
 			ERR_print_errors(err);
 			goto end;
 			}
 	if (format == FORMAT_ASN1)
 		{
 		pkey=d2i_PrivateKey_bio(key, NULL);
@@ -835,7 +896,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 		pkey=PEM_read_bio_PrivateKey(key,NULL,
 			(pem_password_cb *)password_callback, &cb_data);
 		}
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
 		pkey = load_netscape_key(err, key, file, key_descrip, format);
 #endif
@@ -859,7 +920,7 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format,
 	return(pkey);
 	}
-EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip)
 	{
 	BIO *key=NULL;
@@ -869,7 +930,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 	cb_data.password = pass;
 	cb_data.prompt_info = file;
-	if (file == NULL)
+	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
@@ -889,11 +950,18 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 		ERR_print_errors(err);
 		goto end;
 		}
-	if (BIO_read_filename(key,file) <= 0)
+	if (file == NULL && maybe_stdin)
 		{
-		BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
+		setvbuf(stdin, NULL, _IONBF, 0);
-		ERR_print_errors(err);
+		BIO_set_fp(key,stdin,BIO_NOCLOSE);
-		goto end;
+		}
 	else
 		if (BIO_read_filename(key,file) <= 0)
 			{
 			BIO_printf(err, "Error opening %s %s\n",
 				key_descrip, file);
 			ERR_print_errors(err);
 			goto end;
 		}
 	if (format == FORMAT_ASN1)
 		{
@@ -904,7 +972,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 		pkey=PEM_read_bio_PUBKEY(key,NULL,
 			(pem_password_cb *)password_callback, &cb_data);
 		}
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
 		pkey = load_netscape_key(err, key, file, key_descrip, format);
 #endif
@@ -920,8 +988,8 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 	return(pkey);
 	}
-#ifndef OPENSSL_NO_RC4
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-EVP_PKEY *
+static EVP_PKEY *
 load_netscape_key(BIO *err, BIO *key, const char *file,
 		const char *key_descrip, int format)
 	{
@@ -938,7 +1006,7 @@ load_netscape_key(BIO *err, BIO *key, const char *file,
 		goto error;
 	for (;;)
 		{
-		if (!BUF_MEM_grow(buf,size+1024*10))
+		if (!BUF_MEM_grow_clean(buf,size+1024*10))
 			goto error;
 		i = BIO_read(key, &(buf->data[size]), 1024*10);
 		size += i;
@@ -1066,6 +1134,7 @@ int set_cert_ex(unsigned long *flags, const char *arg)
 		{ "no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
 		{ "no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
 		{ "no_aux", X509_FLAG_NO_AUX, 0},
 		{ "no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
 		{ "ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
 		{ "ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
 		{ "ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
@@ -1209,18 +1278,20 @@ static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_T
 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 {
-	char buf[256];
+	char *buf;
 	char mline = 0;
 	int indent = 0;
 	if(title) BIO_puts(out, title);
 	if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
 		mline = 1;
 		indent = 4;
 	}
 	if(lflags == XN_FLAG_COMPAT) {
-		X509_NAME_oneline(nm,buf,256);
+		buf = X509_NAME_oneline(nm, 0, 0);
-		BIO_puts(out,buf);
+		BIO_puts(out, buf);
 		BIO_puts(out, "\n");
 		OPENSSL_free(buf);
 	} else {
 		if(mline) BIO_puts(out, "\n");
 		X509_NAME_print_ex(out, nm, indent, lflags);
@@ -1259,7 +1330,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
 }
 /* Try to load an engine in a shareable library */
-ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
+static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
 	{
 	ENGINE *e = ENGINE_by_id("dynamic");
 	if (e)
@@ -1314,3 +1385,36 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug)
 		}
        return e;
        }
 int load_config(BIO *err, CONF *cnf)
 	{
 	if (!cnf)
 		cnf = config;
 	if (!cnf)
 		return 1;
 	OPENSSL_load_builtin_modules();
 	if (CONF_modules_load(cnf, NULL, 0) <= 0)
 		{
 		BIO_printf(err, "Error configuring OpenSSL\n");
 		ERR_print_errors(err);
 		return 0;
 		}
 	return 1;
 	}
 char *make_config_name()
 	{
 	const char *t=X509_get_default_cert_area();
 	char *p;
 	p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2);
 	strcpy(p,t);
 #ifndef OPENSSL_SYS_VMS
 	strcat(p,"/");
 #endif
 	strcat(p,OPENSSL_CONF);
 	return p;
 	}
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -121,6 +121,7 @@
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/txt_db.h>
 #include <openssl/engine.h>
 #include <openssl/ossl_typ.h>
 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
@@ -133,22 +134,26 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                       * (see e_os.h).  The string is
                                       * destroyed! */
 #ifdef OPENSSL_NO_STDIO
 BIO_METHOD *BIO_s_file();
 #endif
 #ifdef OPENSSL_SYS_WIN32
 #define rename(from,to) WIN32_rename((from),(to))
 int WIN32_rename(char *oldname,char *newname);
 #endif
 /* VMS below version 7.0 doesn't have strcasecmp() */
 #ifdef OPENSSL_SYS_VMS
 #define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
 int VMS_strcasecmp(const char *str1, const char *str2);
 #endif
 #ifndef MONOLITH
 #define MAIN(a,v)	main(a,v)
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
 #else
 extern CONF *config;
 extern BIO *bio_err;
 #endif
@@ -194,9 +199,10 @@ extern BIO *bio_err;
 		setup_ui_method(); } while(0)
 #  endif
 #  define apps_shutdown() \
-		do { destroy_ui_method(); EVP_cleanup(); \
+		do { CONF_modules_unload(1); destroy_ui_method(); \
-		ENGINE_cleanup(); CRYPTO_cleanup_all_ex_data(); \
+		EVP_cleanup(); ENGINE_cleanup(); \
-		ERR_remove_state(0); ERR_free_strings(); } while(0)
+		CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); \
 		ERR_free_strings(); } while(0)
 #endif
 typedef struct args_st
@@ -215,8 +221,8 @@ typedef struct pw_cb_data
 int password_callback(char *buf, int bufsiz, int verify,
 	PW_CB_DATA *cb_data);
-int setup_ui_method();
+int setup_ui_method(void);
-void destroy_ui_method();
+void destroy_ui_method(void);
 int should_retry(int i);
 int args_from_file(char *file, int *argc, char **argv[]);
@@ -235,20 +241,25 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip);
-EVP_PKEY *load_key(BIO *err, const char *file, int format,
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip);
-EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip);
 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip);
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
 ENGINE *setup_engine(BIO *err, const char *engine, int debug);
 int load_config(BIO *err, CONF *cnf);
 char *make_config_name(void);
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
 			ASN1_GENERALIZEDTIME **pinvtm, char *str);
 int make_serial_index(TXT_DB *db);
 X509_NAME *do_subject(char *str, long chtype);
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -103,6 +103,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	prog=argv[0];
 	argc--;
 	argv++;
@@ -181,7 +184,7 @@ bad:
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
-		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
@@ -192,7 +195,6 @@ bad:
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
 		BIO_printf(bio_err," -out filename output DER encoding to file\n");
 		goto end;
 		}
@@ -330,6 +332,6 @@ end:
 	if (osk != NULL) sk_free(osk);
 	OBJ_cleanup();
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -64,7 +64,6 @@
 #include <ctype.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "apps.h"
 #include <openssl/conf.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -80,7 +79,11 @@
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
 #else
-#include <strings.h>
+#  ifdef NO_STRINGS_H
    int	strcasecmp();
 #  else
 #    include <strings.h>
 #  endif /* NO_STRINGS_H */
 #endif
 #ifndef W_OK
@@ -90,11 +93,13 @@
 #    else
 #      include <unixlib.h>
 #    endif
-#  elif !defined(OPENSSL_SYS_VXWORKS)
+#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
 #    include <sys/file.h>
 #  endif
 #endif
 #include "apps.h"
 #ifndef W_OK
 #  define F_OK 0
 #  define X_OK 1
@@ -238,7 +243,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
 	int ext_copy);
 static X509_NAME *do_subject(char *subject);
 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, TXT_DB *db);
 static int do_updatedb(TXT_DB *db);
@@ -330,6 +334,7 @@ int MAIN(int argc, char **argv)
 	MS_STATIC char buf[3][BSIZE];
 	char *randfile=NULL;
 	char *engine = NULL;
 	char *tofree=NULL;
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -557,24 +562,26 @@ bad:
 	ERR_load_crypto_strings();
-        e = setup_engine(bio_err, engine, 0);
+	e = setup_engine(bio_err, engine, 0);
 	/*****************************************************************/
 	tofree=NULL;
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
 	if (configfile == NULL)
 		{
-		/* We will just use 'buf[0]' as a temporary buffer.  */
+		const char *s=X509_get_default_cert_area();
 #ifdef OPENSSL_SYS_VMS
-		strncpy(buf[0],X509_get_default_cert_area(),
+		tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE));
-			sizeof(buf[0])-1-sizeof(CONFIG_FILE));
+		strcpy(tofree,s);
 #else
-		strncpy(buf[0],X509_get_default_cert_area(),
+		tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1);
-			sizeof(buf[0])-2-sizeof(CONFIG_FILE));
+		strcpy(tofree,s);
-		strcat(buf[0],"/");
+		strcat(tofree,"/");
 #endif
-		strcat(buf[0],CONFIG_FILE);
+		strcat(tofree,CONFIG_FILE);
-		configfile=buf[0];
+		configfile=tofree;
 		}
 	BIO_printf(bio_err,"Using configuration from %s\n",configfile);
@@ -589,6 +596,11 @@ bad:
 				,errorline,configfile);
 		goto err;
 		}
 	if(tofree)
 		OPENSSL_free(tofree);
 	if (!load_config(bio_err, conf))
 		goto err;
 	/* Lets get the config section we are using */
 	if (section == NULL)
@@ -692,9 +704,9 @@ bad:
 			goto err;
 			}
 		}
-	pkey = load_key(bio_err, keyfile, keyform, key, e, 
+	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 
 		"CA private key");
-	if (key) memset(key,0,strlen(key));
+	if (key) OPENSSL_cleanse(key,strlen(key));
 	if (pkey == NULL)
 		{
 		/* load_key() has already printed an appropriate message */
@@ -1151,9 +1163,14 @@ bad:
 			}
 		if (verbose)
 			{
-			if ((f=BN_bn2hex(serial)) == NULL) goto err;
+			if (BN_is_zero(serial))
-			BIO_printf(bio_err,"next serial number is %s\n",f);
+				BIO_printf(bio_err,"next serial number is 00\n");
-			OPENSSL_free(f);
+			else
 				{
 				if ((f=BN_bn2hex(serial)) == NULL) goto err;
 				BIO_printf(bio_err,"next serial number is %s\n",f);
 				OPENSSL_free(f);
 				}
 			}
 		if ((attribs=NCONF_get_section(conf,policy)) == NULL)
@@ -1273,7 +1290,13 @@ bad:
 			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
-			strncpy(buf[0],serialfile,BSIZE-4);
+			if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5)
 				{
 				BIO_printf(bio_err,"file name too long\n");
 				goto err;
 				}
 			strcpy(buf[0],serialfile);
 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[0],"-new");
@@ -1283,7 +1306,7 @@ bad:
 			if (!save_serial(buf[0],serial)) goto err;
-			strncpy(buf[1],dbfile,BSIZE-4);
+			strcpy(buf[1],dbfile);
 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[1],"-new");
@@ -1313,7 +1336,13 @@ bad:
 			j=x->cert_info->serialNumber->length;
 			p=(char *)x->cert_info->serialNumber->data;
-			strncpy(buf[2],outdir,BSIZE-(j*2)-6);
+			if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
 				{
 				BIO_printf(bio_err,"certificate file name too long\n");
 				goto err;
 				}
 			strcpy(buf[2],outdir);
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[2],"/");
@@ -1351,6 +1380,7 @@ bad:
 			{
 			/* Rename the database and the serial file */
 			strncpy(buf[2],serialfile,BSIZE-4);
 			buf[2][BSIZE-4]='\0';
 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[2],"-old");
@@ -1379,6 +1409,7 @@ bad:
 				}
 			strncpy(buf[2],dbfile,BSIZE-4);
 			buf[2][BSIZE-4]='\0';
 #ifdef OPENSSL_SYS_VMS
 			strcat(buf[2],"-old");
@@ -1442,13 +1473,13 @@ bad:
 			}
 		if ((crldays == 0) && (crlhours == 0))
 			{
-			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
+			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
 			goto err;
 			}
 		if (verbose) BIO_printf(bio_err,"making CRL\n");
 		if ((crl=X509_CRL_new()) == NULL) goto err;
-		if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
+		if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;
 		tmptm = ASN1_TIME_new();
 		if (!tmptm) goto err;
@@ -1501,11 +1532,6 @@ bad:
 			if (pkey->type == EVP_PKEY_DSA) 
 				dgst=EVP_dss1();
 			else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 			if (pkey->type == EVP_PKEY_ECDSA)
 				dgst=EVP_ecdsa();
 			else
 #endif
 				dgst=EVP_md5();
 			}
@@ -1550,7 +1576,13 @@ bad:
 			if (j <= 0) goto err;
 			X509_free(revcert);
-			strncpy(buf[0],dbfile,BSIZE-4);
+			if(strlen(dbfile) > BSIZE-5)
 				{
 				BIO_printf(bio_err,"filename too long\n");
 				goto err;
 				}
 			strcpy(buf[0],dbfile);
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[0],".new");
 #else
@@ -1564,7 +1596,12 @@ bad:
 				}
 			j=TXT_DB_write(out,db);
 			if (j <= 0) goto err;
 			BIO_free_all(out);
 			out = NULL;
 			BIO_free_all(in);
 			in = NULL;
 			strncpy(buf[1],dbfile,BSIZE-4);
 			buf[1][BSIZE-4]='\0';
 #ifndef OPENSSL_SYS_VMS
 			strcat(buf[1],".old");
 #else
@@ -1589,6 +1626,8 @@ bad:
 	/*****************************************************************/
 	ret=0;
 err:
 	if(tofree)
 		OPENSSL_free(tofree);
 	BIO_free_all(Cout);
 	BIO_free_all(Sout);
 	BIO_free_all(out);
@@ -1608,7 +1647,7 @@ err:
 	NCONF_free(conf);
 	OBJ_cleanup();
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void lookup_fail(char *name, char *tag)
@@ -1673,7 +1712,7 @@ static BIGNUM *load_serial(char *serialfile)
 	ret=ASN1_INTEGER_to_BN(ai,NULL);
 	if (ret == NULL)
 		{
-		BIO_printf(bio_err,"error converting number from bin to BIGNUM");
+		BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
 		goto err;
 		}
 err:
@@ -1864,7 +1903,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	if (subj)
 		{
-		X509_NAME *n = do_subject(subj);
+		X509_NAME *n = do_subject(subj, MBSTRING_ASC);
 		if (!n)
 			{
@@ -2076,9 +2115,11 @@ again2:
 			}
 		}
-	row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0);
+	if (BN_is_zero(serial))
-	row[DB_serial]=BN_bn2hex(serial);
+		row[DB_serial]=BUF_strdup("00");
-	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
+	else
 		row[DB_serial]=BN_bn2hex(serial);
 	if (row[DB_serial] == NULL)
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
@@ -2275,16 +2316,6 @@ again2:
 		EVP_PKEY_copy_parameters(pktmp,pkey);
 	EVP_PKEY_free(pktmp);
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (pkey->type == EVP_PKEY_ECDSA)
 		dgst = EVP_ecdsa();
 	pktmp = X509_get_pubkey(ret);
 	if (EVP_PKEY_missing_parameters(pktmp) &&
 		!EVP_PKEY_missing_parameters(pkey))
 		EVP_PKEY_copy_parameters(pktmp, pkey);
 	EVP_PKEY_free(pktmp);
 #endif
 	if (!X509_sign(ret,pkey,dgst))
 		goto err;
@@ -2301,10 +2332,10 @@ again2:
 	/* row[DB_serial] done already */
 	row[DB_file]=(char *)OPENSSL_malloc(8);
-	/* row[DB_name] done already */
+	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0);
 	if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
-		(row[DB_file] == NULL))
+		(row[DB_file] == NULL) || (row[DB_name] == NULL))
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
@@ -2571,7 +2602,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
 		row[i]=NULL;
 	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
 	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
-	row[DB_serial]=BN_bn2hex(bn);
+	if (BN_is_zero(bn))
 		row[DB_serial]=BUF_strdup("00");
 	else
 		row[DB_serial]=BN_bn2hex(bn);
 	BN_free(bn);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
@@ -3008,65 +3042,128 @@ int make_revoked(X509_REVOKED *rev, char *str)
 	return ret;
 	}
-static X509_NAME *do_subject(char *subject)
+/*
 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
 * where characters may be escaped by \
 */
 X509_NAME *do_subject(char *subject, long chtype)
 	{
 	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
 	char *buf = OPENSSL_malloc(buflen);
 	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
 	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
 	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
 	char *sp = subject, *bp = buf;
 	int i, ne_num = 0;
 	X509_NAME *n = NULL;
 	int nid;
-	int i, nid, ne_num=0;
+	if (!buf || !ne_types || !ne_values)
 	{
 		BIO_printf(bio_err, "malloc error\n");
 		goto error;
 	}
-	char *ne_name = NULL;
+	if (*subject != '/')
-	char *ne_value = NULL;
+	{
 		BIO_printf(bio_err, "Subject does not start with '/'.\n");
 		goto error;
 	}
 	sp++; /* skip leading / */
-	char *tmp = NULL;
+	while (*sp)
 	char *p[2];
 	char *str_list[256];
 	p[0] = ",/";
 	p[1] = "=";
 	n = X509_NAME_new();
 	tmp = strtok(subject, p[0]);
 	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
 		{
-		char *token = tmp;
+		/* collect type */
-
+		ne_types[ne_num] = bp;
-		while (token[0] == ' ')
+		while (*sp)
-			token++;
+			{
-		str_list[ne_num] = token;
+			if (*sp == '\\') /* is there anything to escape in the type...? */
-
+				{
-		tmp = strtok(NULL, p[0]);
+				if (*++sp)
 					*bp++ = *sp++;
 				else
 					{
 					BIO_printf(bio_err, "escape character at end of string\n");
 					goto error;
 					}
 				}
 			else if (*sp == '=')
 				{
 				sp++;
 				*bp++ = '\0';
 				break;
 				}
 			else
 				*bp++ = *sp++;
 			}
 		if (!*sp)
 			{
 			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
 			goto error;
 			}
 		ne_values[ne_num] = bp;
 		while (*sp)
 			{
 			if (*sp == '\\')
 				{
 				if (*++sp)
 					*bp++ = *sp++;
 				else
 					{
 					BIO_printf(bio_err, "escape character at end of string\n");
 					goto error;
 					}
 				}
 			else if (*sp == '/')
 				{
 				sp++;
 				break;
 				}
 			else
 				*bp++ = *sp++;
 			}
 		*bp++ = '\0';
 		ne_num++;
 		}
 	if (!(n = X509_NAME_new()))
 		goto error;
 	for (i = 0; i < ne_num; i++)
 		{
-		ne_name  = strtok(str_list[i], p[1]);
+		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
 		ne_value = strtok(NULL, p[1]);
 		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
 			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
+			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
 			continue;
 			}
-		if (ne_value == NULL)
+		if (!*ne_values[i])
 			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
+			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
 			continue;
 			}
-		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
+		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0))
-			{
+			goto error;
 			X509_NAME_free(n);
 			return NULL;
 			}
 		}
 	OPENSSL_free(ne_values);
 	OPENSSL_free(ne_types);
 	OPENSSL_free(buf);
 	return n;
 	}
 error:
 	X509_NAME_free(n);
 	if (ne_values)
 		OPENSSL_free(ne_values);
 	if (ne_types)
 		OPENSSL_free(ne_types);
 	if (buf)
 		OPENSSL_free(buf);
 	return NULL;
 }
 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 	{
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -187,7 +187,7 @@ int MAIN(int argc, char **argv)
 			{
 			BIO_puts(STDout,SSL_CIPHER_description(
 				sk_SSL_CIPHER_value(sk,i),
-				buf,512));
+				buf,sizeof buf));
 			}
 		}
@@ -203,6 +203,6 @@ end:
 	if (ssl != NULL) SSL_free(ssl);
 	if (STDout != NULL) BIO_free_all(STDout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -87,6 +87,7 @@ static char *crl_usage[]={
 " -noout          - no CRL output\n",
 " -CAfile  name   - verify CRL using certificates in file \"name\"\n",
 " -CApath  dir    - verify CRL using certificates in \"dir\"\n",
 " -nameopt arg    - various certificate name options\n",
 NULL
 };
@@ -97,6 +98,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	unsigned long nmflag = 0;
 	X509_CRL *x=NULL;
 	char *CAfile = NULL, *CApath = NULL;
 	int ret=1,i,num,badops=0;
@@ -105,7 +107,7 @@ int MAIN(int argc, char **argv)
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0;
-	char **pp,buf[256];
+	char **pp;
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
 	X509_LOOKUP *lookup = NULL;
@@ -120,6 +122,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	if (bio_out == NULL)
 		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
 			{
@@ -185,6 +190,11 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-issuer") == 0)
 			issuer= ++num;
 		else if (strcmp(*argv,"-lastupdate") == 0)
@@ -268,9 +278,7 @@ bad:
 			{
 			if (issuer == i)
 				{
-				X509_NAME_oneline(X509_CRL_get_issuer(x),
+				print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
 								buf,256);
 				BIO_printf(bio_out,"issuer= %s\n",buf);
 				}
 			if (hash == i)
@@ -369,7 +377,7 @@ end:
 		X509_STORE_free(store);
 	}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static X509_CRL *load_crl(char *infile, int format)
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -280,7 +280,7 @@ end:
 	if (crl != NULL) X509_CRL_free(crl);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /*
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -73,8 +73,9 @@
 #undef PROG
 #define PROG	dgst_main
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-		EVP_PKEY *key, unsigned char *sigin, int siglen);
+	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
 	  const char *file);
 int MAIN(int, char **);
@@ -88,8 +89,8 @@ int MAIN(int argc, char **argv)
 	BIO *bmd=NULL;
 	BIO *out = NULL;
 	const char *name;
-#define PROG_NAME_SIZE  16
+#define PROG_NAME_SIZE  39
-	char pname[PROG_NAME_SIZE];
+	char pname[PROG_NAME_SIZE+1];
 	int separator=0;
 	int debug=0;
 	int keyform=FORMAT_PEM;
@@ -112,8 +113,11 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	/* first check the program name */
-	program_name(argv[0],pname,PROG_NAME_SIZE);
+	program_name(argv[0],pname,sizeof pname);
 	md=EVP_get_digestbyname(pname);
@@ -273,10 +277,10 @@ int MAIN(int argc, char **argv)
 	if(keyfile)
 		{
 		if (want_pub)
-			sigkey = load_pubkey(bio_err, keyfile, keyform, NULL,
+			sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
 				e, "key file");
 		else
-			sigkey = load_key(bio_err, keyfile, keyform, NULL,
+			sigkey = load_key(bio_err, keyfile, keyform, 0, NULL,
 				e, "key file");
 		if (!sigkey)
 			{
@@ -316,29 +320,43 @@ int MAIN(int argc, char **argv)
 	if (argc == 0)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-		do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, siglen);
+		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
 			  siglen,"","(stdin)");
 		}
 	else
 		{
 		name=OBJ_nid2sn(md->type);
 		for (i=0; i<argc; i++)
 			{
 			char *tmp,*tofree=NULL;
 			int r;
 			if (BIO_read_filename(in,argv[i]) <= 0)
 				{
 				perror(argv[i]);
 				err++;
 				continue;
 				}
-			if(!out_bin) BIO_printf(out, "%s(%s)= ",name,argv[i]);
+			if(!out_bin)
-			do_fp(out, buf,inp,separator, out_bin, sigkey, 
+				{
-								sigbuf, siglen);
+				tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5);
 				sprintf(tmp,"%s(%s)= ",name,argv[i]);
 				}
 			else
 				tmp="";
 			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
 				siglen,tmp,argv[i]);
 			if(r)
 			    err=r;
 			if(tofree)
 				OPENSSL_free(tofree);
 			(void)BIO_reset(bmd);
 			}
 		}
 end:
 	if (buf != NULL)
 		{
-		memset(buf,0,BUFSIZE);
+		OPENSSL_cleanse(buf,BUFSIZE);
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
@@ -347,11 +365,12 @@ end:
 	if(sigbuf) OPENSSL_free(sigbuf);
 	if (bmd != NULL) BIO_free(bmd);
 	apps_shutdown();
-	EXIT(err);
+	OPENSSL_EXIT(err);
 	}
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-			EVP_PKEY *key, unsigned char *sigin, int siglen)
+	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
 	  const char *file)
 	{
 	int len;
 	int i;
@@ -359,21 +378,33 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	for (;;)
 		{
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
-		if (i <= 0) break;
+		if(i < 0)
 			{
 			BIO_printf(bio_err, "Read Error in %s\n",file);
 			ERR_print_errors(bio_err);
 			return 1;
 			}
 		if (i == 0) break;
 		}
 	if(sigin)
 		{
 		EVP_MD_CTX *ctx;
 		BIO_get_md_ctx(bp, &ctx);
 		i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
-		if(i > 0) BIO_printf(out, "Verified OK\n");
+		if(i > 0)
-		else if(i == 0) BIO_printf(out, "Verification Failure\n");
+			BIO_printf(out, "Verified OK\n");
 		else if(i == 0)
 			{
 			BIO_printf(out, "Verification Failure\n");
 			return 1;
 			}
 		else
 			{
 			BIO_printf(bio_err, "Error Verifying Data\n");
 			ERR_print_errors(bio_err);
 			return 1;
 			}
-		return;
+		return 0;
 		}
 	if(key)
 		{
@@ -383,7 +414,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			{
 			BIO_printf(bio_err, "Error Signing Data\n");
 			ERR_print_errors(bio_err);
-			return;
+			return 1;
 			}
 		}
 	else
@@ -392,6 +423,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	if(binout) BIO_write(out, buf, len);
 	else 
 		{
 		BIO_write(out,title,strlen(title));
 		for (i=0; i<len; i++)
 			{
 			if (sep && (i != 0))
@@ -400,5 +432,6 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			}
 		BIO_printf(out, "\n");
 		}
 	return 0;
 	}
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -100,6 +100,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
@@ -330,6 +333,6 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -166,6 +166,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -487,7 +490,7 @@ bad:
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
 		printf("\t\t{ DH_free(dh); return(NULL); }\n");
 		if (dh->length)
-			printf("\tdh->length = %d;\n", dh->length);
+			printf("\tdh->length = %ld;\n", dh->length);
 		printf("\treturn(dh);\n\t}\n");
 		OPENSSL_free(data);
 		}
@@ -516,7 +519,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -79,6 +79,9 @@
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
 * -aes128	- encrypt output if PEM format
 * -aes192	- encrypt output if PEM format
 * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -modulus	- print the DSA public key
 */
@@ -106,6 +109,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
@@ -188,6 +194,10 @@ bad:
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
@@ -304,6 +314,6 @@ end:
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -106,6 +106,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -183,9 +186,10 @@ bad:
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
-		BIO_printf(bio_err," -text         print the key in text\n");
+		BIO_printf(bio_err," -text         print as text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -genkey       generate a DSA key\n");
 		BIO_printf(bio_err," -rand         files to use for random number input\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
@@ -368,7 +372,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
--- a/apps/ecdsa.c
+++ b/apps/ecdsa.c
@@ -1,435 +0,0 @@
 /* apps/ecdsa.c */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #ifndef OPENSSL_NO_ECDSA
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/ecdsa.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	ecdsa_main
 /* -inform arg	- input format - default PEM (one of DER, NET or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
 * -text	- print a text version
 * -pub		- print the ECDSA public key
 * -compressed  - print the public key in compressed form ( default )   
 * -hybrid 	- print the public key in hybrid form
 * -uncompressed - print the public key in uncompressed form
 *		  the last three options ( compressed, hybrid and uncompressed )
 *		  are only used if the "-pub" option is also selected.
 *	  	  For a precise description of the the meaning of compressed,
 *		  hybrid and uncompressed please refer to the X9.62 standart.
 *		  All three forms represents ways to express the ecdsa public
 *		  key ( a point on a elliptic curve ) as octet string. Let len be
 *		  the length ( in bytes ) of an element of the field over which
 *		  the curve is defined, then a compressed octet string has the form
 *		  0x02 + result of BN_bn2bin() of the x coordinate of the public key
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE 	*e = NULL;
 	int 	ret = 1;
 	ECDSA 	*ecdsa = NULL;
 	int 	i, badops = 0;
 	const EVP_CIPHER *enc = NULL;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, text=0, noout=0;
 	int  	pubin = 0, pubout = 0;
 	char 	*infile, *outfile, *prog, *engine;
 	char 	*passargin = NULL, *passargout = NULL;
 	char 	*passin = NULL, *passout = NULL;
 	int 	pub = 0, point_form = 0;
 	unsigned char *buffer = NULL;
 	unsigned int  buf_len = 0;
 	BIGNUM	*tmp_bn = NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	engine = NULL;
 	infile = NULL;
 	outfile = NULL;
 	informat = FORMAT_PEM;
 	outformat = FORMAT_PEM;
 	prog = argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 	{
 		if (strcmp(*argv,"-inform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-outform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-in") == 0)
 		{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 		}
 		else if (strcmp(*argv,"-out") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 		}
 		else if (strcmp(*argv,"-passin") == 0)
 		{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 		}
 		else if (strcmp(*argv,"-passout") == 0)
 		{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 		}
 		else if (strcmp(*argv, "-engine") == 0)
 		{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 		}
 		else if (strcmp(*argv, "-noout") == 0)
 			noout = 1;
 		else if (strcmp(*argv, "-text") == 0)
 			text = 1;
 		else if (strcmp(*argv, "-pub") == 0)
 		{
 			pub = 1;
 			buffer = (*(argv+1));
 			if (strcmp(buffer, "compressed") == 0)
 				point_form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp(buffer, "hybrid") == 0)
 				point_form = POINT_CONVERSION_HYBRID;
 			else if (strcmp(buffer, "uncompressed") == 0)
 				point_form = POINT_CONVERSION_UNCOMPRESSED;
 			if (point_form)
 			{
 				argc--;
 				argv++;
 			}
 		}
 		else if (strcmp(*argv, "-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv, "-pubout") == 0)
 			pubout=1;
 		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
 		{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 		}
 		argc--;
 		argv++;
 	}
 	if (badops)
 	{
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg     input format - DER or PEM\n");
 		BIO_printf(bio_err, " -outform arg    output format - DER or PEM\n");
 		BIO_printf(bio_err, " -in arg         input file\n");
 		BIO_printf(bio_err, " -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err, " -out arg        output file\n");
 		BIO_printf(bio_err, " -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err, " -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err, " -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err, " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err, " -idea           encrypt PEM output with cbc idea\n");
 #endif
 		BIO_printf(bio_err, " -text           print the key in text\n");
 		BIO_printf(bio_err, " -noout          don't print key out\n");
 		BIO_printf(bio_err, " -pub [compressed | hybrid | uncompressed] \n");
 		BIO_printf(bio_err, "         compressed     print the public key in compressed form ( default )\n");   
 		BIO_printf(bio_err, "         hybrid         print the public key in hybrid form\n");
 		BIO_printf(bio_err, "         uncompressed   print the public key in uncompressed form\n");
 		goto end;
 	}
 	ERR_load_crypto_strings();
        e = setup_engine(bio_err, engine, 0);
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
 	{
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
 	}
 	in = BIO_new(BIO_s_file());
 	out = BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 	{
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 	{
 		if (BIO_read_filename(in,infile) <= 0)
 		{
 			perror(infile);
 			goto end;
 		}
 	}
 	BIO_printf(bio_err,"read ECDSA key\n");
 	if (informat == FORMAT_ASN1) 
 	{
 		if (pubin) 
 			ecdsa = d2i_ECDSA_PUBKEY_bio(in, NULL);
 		else 
 			ecdsa = d2i_ECDSAPrivateKey_bio(in, NULL);
 	} else if (informat == FORMAT_PEM) 
 	{
 		if (pubin) 
 			ecdsa = PEM_read_bio_ECDSA_PUBKEY(in, NULL, NULL, NULL);
 		else 
 			ecdsa = PEM_read_bio_ECDSAPrivateKey(in, NULL, NULL, passin);
 	} else
 	{
 		BIO_printf(bio_err, "bad input format specified for key\n");
 		goto end;
 	}
 	if (ecdsa == NULL)
 	{
 		BIO_printf(bio_err,"unable to load Key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (outfile == NULL)
 	{
 		BIO_set_fp(out, stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	else
 	{
 		if (BIO_write_filename(out, outfile) <= 0)
 		{
 			perror(outfile);
 			goto end;
 		}
 	}
 	if (text) 
 		if (!ECDSA_print(out, ecdsa, 0))
 		{
 			perror(outfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	if (pub)
 	{
 		fprintf(stdout, "Public Key (");
 		if (point_form == POINT_CONVERSION_COMPRESSED)
 			fprintf(stdout, "COMPRESSED");
 		else if (point_form == POINT_CONVERSION_UNCOMPRESSED)
 			fprintf(stdout, "UNCOMPRESSED");
 		else if (point_form == POINT_CONVERSION_HYBRID)
 			fprintf(stdout, "HYBRID");
 		fprintf(stdout, ")=");
 		buf_len = EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
 					     point_form, NULL, 0, NULL);
 		if (!buf_len)
 		{
 			BIO_printf(bio_err,"invalid public key length\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		if ((tmp_bn = BN_new()) == NULL ||
 		    (buffer = OPENSSL_malloc(buf_len)) == NULL) goto end;
 		if (!EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
 					     point_form, buffer, buf_len, NULL) ||
 		    !BN_bin2bn(buffer, buf_len, tmp_bn))
 		{
 			BIO_printf(bio_err,"can not encode public key\n");
 			ERR_print_errors(bio_err);
 			OPENSSL_free(buffer);
 			goto end;
 		}
 		BN_print(out, tmp_bn);
 		fprintf(stdout,"\n");
 	}
 	if (noout) 
 		goto end;
 	BIO_printf(bio_err, "writing ECDSA key\n");
 	if (outformat == FORMAT_ASN1) 
 	{
 		if(pubin || pubout) 
 			i = i2d_ECDSA_PUBKEY_bio(out, ecdsa);
 		else 
 			i = i2d_ECDSAPrivateKey_bio(out, ecdsa);
 	} else if (outformat == FORMAT_PEM) 
 	{
 		if(pubin || pubout)
 			i = PEM_write_bio_ECDSA_PUBKEY(out, ecdsa);
 		else 
 			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsa, enc,
 							NULL, 0, NULL, passout);
 	} else 
 	{
 		BIO_printf(bio_err, "bad output format specified for outfile\n");
 		goto end;
 	}
 	if (!i)
 	{
 		BIO_printf(bio_err, "unable to write private key\n");
 		ERR_print_errors(bio_err);
 	}
 	else
 		ret=0;
 end:
 	if (in) 	BIO_free(in);
 	if (out)	BIO_free_all(out);
 	if (ecdsa) 	ECDSA_free(ecdsa);
 	if (tmp_bn)	BN_free(tmp_bn);
 	if (passin) 	OPENSSL_free(passin);
 	if (passout) 	OPENSSL_free(passout);
 	apps_shutdown();
 	EXIT(ret);
 }
 #endif
--- a/apps/ecdsaparam.c
+++ b/apps/ecdsaparam.c
@@ -1,562 +0,0 @@
 /* apps/ecdsaparam.c */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #ifndef OPENSSL_NO_ECDSA
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	ecdsaparam_main
 /* -inform arg	  	- input format - default PEM (DER or PEM)
 * -outform arg 	- output format - default PEM
 * -in arg		- input file  - default stdin
 * -out arg		- output file - default stdout
 * -noout
 * -text
 * -C
 * -noout
 * -genkey		- generate a private public keypair based on the supplied curve
 * -named_curve		- use the curve oid instead of the parameters
 * -NIST_192		- use the NIST recommeded curve parameters over a 192 bit prime field
 * -NIST_224		- use the NIST recommeded curve parameters over a 224 bit prime field
 * -NIST_256		- use the NIST recommeded curve parameters over a 256 bit prime field
 * -NIST_384		- use the NIST recommeded curve parameters over a 384 bit prime field
 * -NIST_521		- use the NIST recommeded curve parameters over a 521 bit prime field
 * -X9_62_192v1		- use the X9_62 192v1 example curve over a 192 bit prime field
 * -X9_62_192v2		- use the X9_62 192v2 example curve over a 192 bit prime field
 * -X9_62_192v3		- use the X9_62 192v3 example curve over a 192 bit prime field
 * -X9_62_239v1		- use the X9_62 239v1 example curve over a 239 bit prime field
 * -X9_62_239v2		- use the X9_62 239v2 example curve over a 239 bit prime field
 * -X9_62_239v3		- use the X9_62 239v3 example curve over a 239 bit prime field
 * -X9_62_256v1		- use the X9_62 239v1 example curve over a 256 bit prime field
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE 	*e = NULL;
 	ECDSA 	*ecdsa = NULL;
 	int 	i, badops = 0, text = 0;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, noout = 0, C = 0, ret = 1;
 	char 	*infile, *outfile, *prog, *inrand = NULL;
 	int 	genkey = 0;
 	int 	need_rand = 0;
 	char 	*engine=NULL;
 	int	curve_type = EC_GROUP_NO_CURVE;
 	int	named_curve = 0;
 	BIGNUM	*tmp_1 = NULL, *tmp_2 = NULL, *tmp_3 = NULL, *tmp_4 = NULL, *tmp_5 = NULL,
 		*tmp_6 = NULL, *tmp_7 = NULL;
 	BN_CTX	*ctx = NULL;
 	EC_POINT *point = NULL;
 	unsigned char *data = NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	prog=argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-outform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-in") == 0)
 		{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 		}
 		else if (strcmp(*argv,"-out") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 		}
 		else if(strcmp(*argv, "-engine") == 0)
 		{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 		}
 		else if (strcmp(*argv,"-text") == 0)
 			text = 1;
 		else if (strcmp(*argv,"-C") == 0)
 			C = 1;
 		else if (strcmp(*argv,"-genkey") == 0)
 		{
 			genkey = 1;
 			need_rand = 1;
 		}
 		else if (strcmp(*argv,"-rand") == 0)
 		{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			need_rand=1;
 		}
 		else if (strcmp(*argv, "-named_curve") == 0)
 			named_curve = 1;
 		else if (strcmp(*argv, "-NIST_192") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_192;
 		else if (strcmp(*argv, "-NIST_224") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_224;
 		else if (strcmp(*argv, "-NIST_256") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_256;
 		else if (strcmp(*argv, "-NIST_384") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_384;
 		else if (strcmp(*argv, "-NIST_521") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_521;
 		else if (strcmp(*argv, "-X9_62_192v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_192V1;
 		else if (strcmp(*argv, "-X9_62_192v2") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_192V2;
 		else if (strcmp(*argv, "-X9_62_192v3") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_192V3;
 		else if (strcmp(*argv, "-X9_62_239v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_239V1;
 		else if (strcmp(*argv, "-X9_62_239v2") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_239V2;
 		else if (strcmp(*argv, "-X9_62_239v3") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_239V3;
 		else if (strcmp(*argv, "-X9_62_256v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_256V1;
 		else if (strcmp(*argv, "-noout") == 0)
 			noout=1;
 		else
 		{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 		}
 		argc--;
 		argv++;
 	}
 	if (badops)
 	{
 bad:
 		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 		BIO_printf(bio_err," -text         print the key in text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -rand         files to use for random number input\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -named_curve  use the curve oid instead of the parameters\n");
 		BIO_printf(bio_err," -NIST_192     use the NIST recommeded curve parameters over a 192 bit prime field\n");
 		BIO_printf(bio_err," -NIST_224     use the NIST recommeded curve parameters over a 224 bit prime field\n");
 		BIO_printf(bio_err," -NIST_256     use the NIST recommeded curve parameters over a 256 bit prime field\n");
 		BIO_printf(bio_err," -NIST_384     use the NIST recommeded curve parameters over a 384 bit prime field\n");
 		BIO_printf(bio_err," -NIST_521     use the NIST recommeded curve parameters over a 521 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_192v1  use the X9_62 192v1 example curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_192v2  use the X9_62 192v2 example curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_192v3  use the X9_62 192v3 example curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_239v1  use the X9_62 239v1 example curve over a 239 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_239v2  use the X9_62 239v2 example curve over a 239 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_239v3  use the X9_62 239v3 example curve over a 239 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_256v1  use the X9_62 239v1 example curve over a 256 bit prime field\n");
 		goto end;
 	}
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 	{
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 	{
 		if (BIO_read_filename(in,infile) <= 0)
 		{
 			perror(infile);
 			goto end;
 		}
 	}
 	if (outfile == NULL)
 	{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	else
 	{
 		if (BIO_write_filename(out,outfile) <= 0)
 		{
 			perror(outfile);
 			goto end;
 		}
 	}
        e = setup_engine(bio_err, engine, 0);
 	if (need_rand)
 	{
 		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 		if (inrand != NULL)
 			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 				app_RAND_load_files(inrand));
 	}
 	if (curve_type != EC_GROUP_NO_CURVE)
 	{
 		if ((ecdsa = ECDSA_new()) == NULL)
 			goto end;
 		ecdsa->group = EC_GROUP_new_by_name(curve_type);
 		if (named_curve)
 			ECDSA_set_parameter_flags(ecdsa, ECDSA_FLAG_NAMED_CURVE);
 	}
 	else if (informat == FORMAT_ASN1)
 		ecdsa = d2i_ECDSAParameters_bio(in,NULL);
 	else if (informat == FORMAT_PEM)
 		ecdsa = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL);
 	else
 	{
 		BIO_printf(bio_err, "bad input format specified\n");
 		goto end;
 	}
 	if (ecdsa == NULL)
 	{
 		BIO_printf(bio_err, "unable to load ECDSA parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (text)
 	{
 		ECDSAParameters_print(out, ecdsa);
 	}
 	if (C)
 	{	// TODO : characteristic two
 		int 	l, len, bits_p;
 		if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
 		    (tmp_3 = BN_new()) == NULL || (tmp_4 = BN_new()) == NULL ||
 		    (tmp_5 = BN_new()) == NULL || (tmp_6 = BN_new()) == NULL ||
                    (tmp_7 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
 		{
 			perror("OPENSSL_malloc");
 			goto end;
 		}
 		if (!EC_GROUP_get_curve_GFp(ecdsa->group, tmp_1, tmp_2, tmp_3, ctx))
 			goto end;
 		if ((point = EC_GROUP_get0_generator(ecdsa->group)) == NULL)
 			goto end;
 		if (!EC_POINT_get_affine_coordinates_GFp(ecdsa->group, point, tmp_4, tmp_5, ctx))
 			goto end;
 		if (!EC_GROUP_get_order(ecdsa->group, tmp_6, ctx))
 			goto end;
 		if (!EC_GROUP_get_cofactor(ecdsa->group, tmp_7, ctx))
 			goto end;
 		len    = BN_num_bytes(tmp_1);
 		bits_p = BN_num_bits(tmp_1);
 		data=(unsigned char *)OPENSSL_malloc(len+20);
 		if (data == NULL)
 		{
 			perror("OPENSSL_malloc");
 			goto end;
 		}
 		l = BN_bn2bin(tmp_1, data);
 		printf("static unsigned char ecdsa%d_p[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n");
 		l = BN_bn2bin(tmp_2, data);
 		printf("static unsigned char ecdsa%d_a[]={",bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n");
 		l = BN_bn2bin(tmp_3, data);
 		printf("static unsigned char ecdsa%d_b[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		l = BN_bn2bin(tmp_3, data);
 		printf("static unsigned char ecdsa%d_x[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		l = BN_bn2bin(tmp_3, data);
 		printf("static unsigned char ecdsa%d_y[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		l = BN_bn2bin(tmp_3, data);
 		printf("static unsigned char ecdsa%d_o[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		l = BN_bn2bin(tmp_3, data);
 		printf("static unsigned char ecdsa%d_c[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		/* FIXME:
 		 * the generated code does not make much sense
 		 *
 		 * TODO:
 		 * use EC_GROUP_new_curve_GFp instead of using EC_GFp_mont_method directly
 		 */
 		printf("ECDSA *get_ecdsa%d()\n\t{\n",bits_p);
 		printf("\tint      ok=1;\n");
 		printf("\tECDSA    *ecdsa=NULL;\n");
 		printf("\tEC_POINT *point=NULL;\n");
 		printf("\tBIGNUM   *tmp_1=NULL,*tmp_2=NULL,*tmp_3=NULL;\n");
 		printf("\tBN_CTX   *ctx=NULL;\n\n");
 		printf("\tecdsa=ECDSA_new();\n");
 		printf("\ttmp_1=BN_new();\n");
 		printf("\ttmp_2=BN_new();\n");
 		printf("\ttmp_3=BN_new();\n");
 		printf("\tctx=BN_CTX_new();\n");
 		printf("\tif (!ecdsa || !tmp_1 || !tmp_2 || !tmp_3 || !ctx) ok=0;\n");
 		printf("\tif (ok && !ecdsa->group=EC_GROUP_new(EC_GFp_mont_method())) == NULL) ok=0;");
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_p,sizeof(ecdsa%d_p),tmp_1)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_a,sizeof(ecdsa%d_a),tmp_2)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_b,sizeof(ecdsa%d_b),tmp_3)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && !EC_GROUP_set_curve_GFp(ecdsa->group,tmp_1,tmp_2,tmp_3,ctx)) ok=0;\n");
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_x,sizeof(ecdsa%d_p),tmp_1)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_y,sizeof(ecdsa%d_a),tmp_2)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && (point = EC_POINT_new(ecdsa->group)) == NULL) ok=0;\n");
 		printf("\tif (ok && !EC_POINT_set_affine_coordinates_GFp(ecdsa->group,point,tmp_1,tmp_2,ctx)) ok=0:\n");
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_o,sizeof(ecdsa%d_b),tmp_1)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && !BN_bin2bn(ecdsa%d_c,sizeof(ecdsa%d_b),tmp_2)) ok=0;\n", bits_p, bits_p);
 		printf("\tif (ok && !EC_GROUP_set_generator(ecdsa->group,point,tmp_1,tmp_2)) ok=0;\n");
 		printf("\tif ((ecdsa->group == NULL) || (ecdsa->pub_key == NULL) || (ecdsa->priv_key == NULL))\n");
 		printf("\t\t{ ECDSA_free(ecdsa); return(NULL); }\n");
 		printf("\treturn(ecdsa);\n\t}\n");
 	}
 	if (!noout)
 	{
 		if (outformat == FORMAT_ASN1)
 			i = i2d_ECDSAParameters_bio(out, ecdsa);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECDSAParameters(out, ecdsa);
 		else	
 		{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 		}
 		if (!i)
 		{
 			BIO_printf(bio_err, "unable to write ECDSA parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	if (genkey)
 	{
 		ECDSA *ecdsakey;
 		assert(need_rand);
 		if ((ecdsakey = ECDSAParameters_dup(ecdsa)) == NULL) goto end;
 		if (!ECDSA_generate_key(ecdsakey)) goto end;
 		if (outformat == FORMAT_ASN1)
 			i = i2d_ECDSAPrivateKey_bio(out, ecdsakey);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsakey, NULL, NULL, 0, NULL, NULL);
 		else	
 		{
 			BIO_printf(bio_err, "bad output format specified for outfile\n");
 			goto end;
 		}
 		ECDSA_free(ecdsakey);
 	}
 	if (need_rand)
 		app_RAND_write_file(NULL, bio_err);
 	ret=0;
 end:
 	if (in != NULL) 	BIO_free(in);
 	if (out != NULL) 	BIO_free_all(out);
 	if (ecdsa != NULL) 	ECDSA_free(ecdsa);
 	if (tmp_1)		BN_free(tmp_1);
 	if (tmp_2)		BN_free(tmp_2);
 	if (tmp_3)		BN_free(tmp_3);
 	if (tmp_3)		BN_free(tmp_4);
 	if (tmp_3)		BN_free(tmp_5);
 	if (tmp_3)		BN_free(tmp_6);
 	if (tmp_3)		BN_free(tmp_7);
 	if (ctx)		BN_CTX_free(ctx);
 	if (data)		OPENSSL_free(data);
 	apps_shutdown();
 	EXIT(ret);
 }
 #endif
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -78,7 +78,7 @@ int set_hex(char *in,unsigned char *out,int size);
 #define BSIZE	(8*1024)
 #define	PROG	enc_main
-void show_ciphers(const OBJ_NAME *name,void *bio_)
+static void show_ciphers(const OBJ_NAME *name,void *bio_)
 	{
 	BIO *bio=bio_;
 	static int n;
@@ -102,7 +102,7 @@ int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	static const char magic[]="Salted__";
-	char mbuf[8];	/* should be 1 smaller than magic */
+	char mbuf[sizeof magic-1];
 	char *strbuf=NULL;
 	unsigned char *buff=NULL,*bufsize=NULL;
 	int bsize=BSIZE,verbose=0;
@@ -117,8 +117,8 @@ int MAIN(int argc, char **argv)
 	const EVP_CIPHER *cipher=NULL,*c;
 	char *inf=NULL,*outf=NULL;
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
-#define PROG_NAME_SIZE  16
+#define PROG_NAME_SIZE  39
-	char pname[PROG_NAME_SIZE];
+	char pname[PROG_NAME_SIZE+1];
 	char *engine = NULL;
 	apps_startup();
@@ -127,8 +127,11 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	/* first check the program name */
-	program_name(argv[0],pname,PROG_NAME_SIZE);
+	program_name(argv[0],pname,sizeof pname);
 	if (strcmp(pname,"base64") == 0)
 		base64=1;
@@ -213,7 +216,7 @@ int MAIN(int argc, char **argv)
 				goto bad;
 				}
 			buf[0]='\0';
-			fgets(buf,128,infile);
+			fgets(buf,sizeof buf,infile);
 			fclose(infile);
 			i=strlen(buf);
 			if ((i > 0) &&
@@ -439,12 +442,12 @@ bad:
 			else {
 				if(enc) {
 					if(hsalt) {
-						if(!set_hex(hsalt,salt,PKCS5_SALT_LEN)) {
+						if(!set_hex(hsalt,salt,sizeof salt)) {
 							BIO_printf(bio_err,
 								"invalid hex salt value\n");
 							goto end;
 						}
-					} else if (RAND_pseudo_bytes(salt, PKCS5_SALT_LEN) < 0)
+					} else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
 						goto end;
 					/* If -P option then don't bother writing */
 					if((printkey != 2)
@@ -452,14 +455,14 @@ bad:
 							 sizeof magic-1) != sizeof magic-1
 					       || BIO_write(wbio,
 							    (char *)salt,
-							    PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) {
+							    sizeof salt) != sizeof salt)) {
 						BIO_printf(bio_err,"error writing output file\n");
 						goto end;
 					}
 				} else if(BIO_read(rbio,mbuf,sizeof mbuf) != sizeof mbuf
 					  || BIO_read(rbio,
 						      (unsigned char *)salt,
-				    PKCS5_SALT_LEN) != PKCS5_SALT_LEN) {
+				    sizeof salt) != sizeof salt) {
 					BIO_printf(bio_err,"error reading input file\n");
 					goto end;
 				} else if(memcmp(mbuf,magic,sizeof magic-1)) {
@@ -478,9 +481,9 @@ bad:
 			 * bug picked up by
 			 * Larry J. Hughes Jr. <hughes@indiana.edu> */
 			if (str == strbuf)
-				memset(str,0,SIZE);
+				OPENSSL_cleanse(str,SIZE);
 			else
-				memset(str,0,strlen(str));
+				OPENSSL_cleanse(str,strlen(str));
 			}
 		if ((hiv != NULL) && !set_hex(hiv,iv,sizeof iv))
 			{
@@ -521,7 +524,7 @@ bad:
 			if (!nosalt)
 				{
 				printf("salt=");
-				for (i=0; i<PKCS5_SALT_LEN; i++)
+				for (i=0; i<sizeof salt; i++)
 					printf("%02X",salt[i]);
 				printf("\n");
 				}
@@ -583,7 +586,7 @@ end:
 	if (b64 != NULL) BIO_free(b64);
 	if(pass) OPENSSL_free(pass);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 int set_hex(char *in, unsigned char *out, int size)
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -356,6 +356,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	{
@@ -513,5 +516,5 @@ end:
 	sk_pop_free(post_cmds, identity);
 	if (bio_out != NULL) BIO_free_all(bio_out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -122,5 +122,5 @@ int MAIN(int argc, char **argv)
 			}
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -96,6 +96,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	argv++;
 	argc--;
 	for (;;)
@@ -195,7 +198,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK dh_cb(int p, int n, void *arg)
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -93,6 +93,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	argv++;
 	argc--;
 	for (;;)
@@ -129,6 +132,14 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (strcmp(*argv,"-aes128") == 0)
 			enc=EVP_aes_128_cbc();
 		else if (strcmp(*argv,"-aes192") == 0)
 			enc=EVP_aes_192_cbc();
 		else if (strcmp(*argv,"-aes256") == 0)
 			enc=EVP_aes_256_cbc();
 #endif
 		else if (**argv != '-' && dsaparams == NULL)
 			{
@@ -151,6 +162,10 @@ bad:
 #endif
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
@@ -231,6 +246,6 @@ end:
 	if (dsa != NULL) DSA_free(dsa);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -99,6 +99,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto err;
 	if ((out=BIO_new(BIO_s_file())) == NULL)
 		{
 		BIO_printf(bio_err,"unable to create BIO for output\n");
@@ -138,6 +141,14 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (strcmp(*argv,"-aes128") == 0)
 			enc=EVP_aes_128_cbc();
 		else if (strcmp(*argv,"-aes192") == 0)
 			enc=EVP_aes_192_cbc();
 		else if (strcmp(*argv,"-aes256") == 0)
 			enc=EVP_aes_256_cbc();
 #endif
 		else if (strcmp(*argv,"-passout") == 0)
 			{
@@ -157,6 +168,10 @@ bad:
 		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -out file       output the key to 'file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
@@ -243,7 +258,7 @@ err:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -15,22 +15,10 @@ $!
 $!  It was written so it would try to determine what "C" compiler to
 $!  use or you can specify which "C" compiler to use.
 $!
-$!  Specify RSAREF as P1 to compile with the RSAREF library instead of
+$!  Specify DEBUG or NODEBUG as P1 to compile with or without debugger
 $!  the regular one.  If you specify NORSAREF it will compile with the
 $!  regular RSAREF routines.  (Note: If you are in the United States
 $!  you MUST compile with RSAREF unless you have a license from RSA).
 $!
 $!  Note: The RSAREF libraries are NOT INCLUDED and you have to
 $!        download it from "ftp://ftp.rsa.com/rsaref".  You have to
 $!        get the ".tar-Z" file as the ".zip" file dosen't have the
 $!        directory structure stored.  You have to extract the file
 $!        into the [.RSAREF] directory under the root directory as that
 $!        is where the scripts will look for the files.
 $!
 $!  Specify DEBUG or NODEBUG as P2 to compile with or without debugger
 $!  information.
 $!
-$!  Specify which compiler at P3 to try to compile under.
+$!  Specify which compiler at P2 to try to compile under.
 $!
 $!	   VAXC	 For VAX C.
 $!	   DECC	 For DEC C.
@@ -39,15 +27,16 @@ $!
 $!  If you don't speficy a compiler, it will try to determine which
 $!  "C" compiler to use.
 $!
-$!  P4, if defined, sets a TCP/IP library to use, through one of the following
+$!  P3, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!	UCX		for UCX
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!	TCPIP		for TCPIP (post UCX)
 $!
-$!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
+$!  P4, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
-$!  P6, if defined, sets a choice of programs to compile.
+$!  P5, if defined, sets a choice of programs to compile.
 $!
 $!
 $! Define A TCP/IP Library That We Will Need To Link To.
@@ -100,10 +89,6 @@ $! Define The CRYPTO Library.
 $!
 $ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB
 $!
 $! Define The RSAREF Library.
 $!
 $ RSAREF_LIB := SYS$DISK:[-.'ARCH'.EXE.RSAREF]LIBRSAGLUE.OLB
 $!
 $! Define The SSL Library.
 $!
 $ SSL_LIB := SYS$DISK:[-.'ARCH'.EXE.SSL]LIBSSL.OLB
@@ -292,73 +277,31 @@ $   WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library.  Can't link.  Skipping.
 $   GOTO NEXT_FILE
 $ ENDIF
 $!
-$! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
+$! Link The Program.
 $! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
-$ IF (RSAREF.EQS."TRUE")
+$ IF (TCPIP_LIB.NES."")
 $ THEN
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$! Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
-$   IF (TCPIP_LIB.NES."")
+$   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-$   THEN
+	'OBJECT_FILE''EXTRA_OBJ', -
-$!
+        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
-$!    Link With The RSAREF Library And A Specific TCP/IP Library.
+        'TCPIP_LIB','OPT_FILE'/OPTION
 $!
 $     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	  'OBJECT_FILE''EXTRA_OBJ', -
          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
          'TCPIP_LIB','OPT_FILE'/OPTION
 $!
 $!  Else...
 $!
 $   ELSE
 $!
 $!    Link With The RSAREF Library And NO TCP/IP Library.
 $!
 $     LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	  'OBJECT_FILE''EXTRA_OBJ', -
          'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY,'RSAREF_LIB'/LIBRARY, -
          'OPT_FILE'/OPTION
 $!
 $!  End The TCP/IP Library Check.
 $!
 $   ENDIF
 $!
 $! Else...
 $!
 $ ELSE
 $!
-$!  Don't Link With The RSAREF Routines.
+$! Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	'OBJECT_FILE''EXTRA_OBJ', -
        'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
        'OPT_FILE'/OPTION
 $!
-$!  Check To See If We Are To Link With A Specific TCP/IP Library.
+$! End The TCP/IP Library Check.
 $!
 $   IF (TCPIP_LIB.NES."")
 $   THEN
 $!
 $!    Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
 $       LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	    'OBJECT_FILE''EXTRA_OBJ', -
            'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
            'TCPIP_LIB','OPT_FILE'/OPTION
 $!
 $!  Else...
 $!
 $   ELSE
 $!
 $!    Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
 $       LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
 	    'OBJECT_FILE''EXTRA_OBJ', -
            'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
            'OPT_FILE'/OPTION
 $!
 $!  End The TCP/IP Library Check.
 $!
 $   ENDIF
 $!
 $! End The RSAREF Link Check.
 $!
 $ ENDIF
 $!
@@ -525,32 +468,6 @@ $! End The Crypto Library Check.
 $!
 $ ENDIF
 $!
 $! See If We Need The RSAREF Library.
 $!
 $ IF (RSAREF.EQS."TRUE")
 $ THEN
 $!
 $!  Look For The Library LIBRSAGLUE.OLB.
 $!
 $   IF (F$SEARCH(RSAREF_LIB).EQS."")
 $   THEN
 $!
 $!    Tell The User We Can't Find The LIBRSAGLUE.OLB Library.
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "Can't Find The Library ",RSAREF_LIB,"."
 $     WRITE SYS$OUTPUT "We Can't Link Without It."
 $     WRITE SYS$OUTPUT ""
 $!
 $!    Since We Can't Link Without It, Exit.
 $!
 $     EXIT
 $   ENDIF
 $!
 $! End The RSAREF Library Check.
 $!
 $ ENDIF
 $!
 $! Look For The Library LIBSSL.OLB.
 $!
 $ IF (F$SEARCH(SSL_LIB).EQS."")
@@ -581,87 +498,10 @@ $ CHECK_OPTIONS:
 $!
 $! Check To See If P1 Is Blank.
 $!
-$ P1 = "NORSAREF"
+$ IF (P1.EQS."NODEBUG")
 $ IF (P1.EQS."NORSAREF")
 $ THEN
 $!
-$!   P1 Is NORSAREF, So Compile With The Regular RSA Libraries.
+$!   P1 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    RSAREF = "FALSE"
 $!
 $! Else...
 $!
 $ ELSE
 $!
 $!  Check To See If We Are To Use The RSAREF Library.
 $!
 $   IF (P1.EQS."RSAREF")
 $   THEN
 $!
 $!    Check To Make Sure We Have The RSAREF Source Code Directory.
 $!
 $     IF (F$SEARCH("SYS$DISK:[-.RSAREF]SOURCE.DIR").EQS."")
 $     THEN
 $!
 $!      We Don't Have The RSAREF Souce Code Directory, So Tell The
 $!      User This.
 $!
 $       WRITE SYS$OUTPUT ""
 $       WRITE SYS$OUTPUT "It appears that you don't have the RSAREF Souce Code."
 $       WRITE SYS$OUTPUT "You need to go to 'ftp://ftp.rsa.com/rsaref'.  You have to"
 $       WRITE SYS$OUTPUT "get the '.tar-Z' file as the '.zip' file dosen't have the"
 $       WRITE SYS$OUTPUT "directory structure stored.  You have to extract the file"
 $       WRITE SYS$OUTPUT "into the [.RSAREF] directory under the root directory"
 $       WRITE SYS$OUTPUT "as that is where the scripts will look for the files."
 $       WRITE SYS$OUTPUT ""
 $!
 $!      Time To Exit.
 $!
 $       EXIT
 $!
 $!    Else...
 $!
 $     ELSE
 $!
 $!      Compile Using The RSAREF Library.
 $!
 $       RSAREF = "TRUE"
 $!
 $!    End The RSAREF Soure Directory Check.
 $!
 $     ENDIF
 $!
 $!  Else...
 $!
 $   ELSE 
 $!
 $!    They Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "     RSAREF   :  Compile With The RSAREF Library."
 $     WRITE SYS$OUTPUT "     NORSAREF :  Compile With The Regular RSA Library."
 $     WRITE SYS$OUTPUT ""
 $!
 $!    Time To EXIT.
 $!
 $     EXIT
 $!
 $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
 $! End P1 Check.
 $!
 $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
 $ IF (P2.EQS."NODEBUG")
 $ THEN
 $!
 $!   P2 Is NODEBUG, So Compile Without Debugger Information.
 $!
 $    DEBUGGER  = "NODEBUG"
 $    TRACEBACK = "NOTRACEBACK" 
@@ -676,7 +516,7 @@ $ ELSE
 $!
 $!  Check To See If We Are To Compile With Debugger Information.
 $!
-$   IF (P2.EQS."DEBUG")
+$   IF (P1.EQS."DEBUG")
 $   THEN
 $!
 $!    Compile With Debugger Information.
@@ -692,7 +532,7 @@ $!
 $!    Tell The User Entered An Invalid Option..
 $!
 $     WRITE SYS$OUTPUT ""
-$     WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
+$     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    DEBUG    :  Compile With The Debugger Information."
 $     WRITE SYS$OUTPUT "    NODEBUG  :  Compile Without The Debugger Information."
@@ -706,13 +546,13 @@ $!  End The Valid Arguement Check.
 $!
 $   ENDIF
 $!
-$! End The P2 Check.
+$! End The P1 Check.
 $!
 $ ENDIF
 $!
-$! Check To See If P3 Is Blank.
+$! Check To See If P2 Is Blank.
 $!
-$ IF (P3.EQS."")
+$ IF (P2.EQS."")
 $ THEN
 $!
 $!  O.K., The User Didn't Specify A Compiler, Let's Try To
@@ -725,7 +565,7 @@ $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
 $!
-$     P3 = "GNUC"
+$     P2 = "GNUC"
 $!
 $!  Else...
 $!
@@ -738,7 +578,7 @@ $     THEN
 $!
 $!      Looks Like DECC, Set To Use DECC.
 $!
-$       P3 = "DECC"
+$       P2 = "DECC"
 $!
 $!    Else...
 $!
@@ -746,7 +586,7 @@ $     ELSE
 $!
 $!      Looks Like VAXC, Set To Use VAXC.
 $!
-$       P3 = "VAXC"
+$       P2 = "VAXC"
 $!
 $!    End The VAXC Compiler Check.
 $!
@@ -760,9 +600,9 @@ $!  End The Compiler Check.
 $!
 $ ENDIF
 $!
-$! Check To See If We Have A Option For P4.
+$! Check To See If We Have A Option For P3.
 $!
-$ IF (P4.EQS."")
+$ IF (P3.EQS."")
 $ THEN
 $!
 $!  Find out what socket library we have available
@@ -772,7 +612,7 @@ $   THEN
 $!
 $!    We have SOCKETSHR, and it is my opinion that it's the best to use.
 $!
-$     P4 = "SOCKETSHR"
+$     P3 = "SOCKETSHR"
 $!
 $!    Tell the user
 $!
@@ -792,7 +632,7 @@ $     THEN
 $!
 $!	Last resort: a UCX or UCX-compatible library
 $!
-$	P4 = "UCX"
+$	P3 = "UCX"
 $!
 $!      Tell the user
 $!
@@ -816,12 +656,12 @@ $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 $!
 $!  Check To See If The User Entered A Valid Paramter.
 $!
-$ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC")
+$ IF (P2.EQS."VAXC").OR.(P2.EQS."DECC").OR.(P2.EQS."GNUC")
 $ THEN
 $!
 $!  Check To See If The User Wanted DECC.
 $!
-$   IF (P3.EQS."DECC")
+$   IF (P2.EQS."DECC")
 $   THEN
 $!
 $!    Looks Like DECC, Set To Use DECC.
@@ -851,7 +691,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use VAXC.
 $!
-$   IF (P3.EQS."VAXC")
+$   IF (P2.EQS."VAXC")
 $   THEN
 $!
 $!    Looks Like VAXC, Set To Use VAXC.
@@ -888,7 +728,7 @@ $   ENDIF
 $!
 $!  Check To See If We Are To Use GNU C.
 $!
-$   IF (P3.EQS."GNUC")
+$   IF (P2.EQS."GNUC")
 $   THEN
 $!
 $!    Looks Like GNUC, Set To Use GNUC.
@@ -917,31 +757,6 @@ $!  Set up default defines
 $!
 $   CCDEFS = """FLAT_INC=1""," + CCDEFS
 $!
 $!  Check To See If We Are To Compile With RSAREF Routines.
 $!
 $   IF (RSAREF.EQS."TRUE")
 $   THEN
 $!
 $!    Compile With RSAREF.
 $!
 $     CCDEFS = CCDEFS + ",""RSAref=1"""
 $!
 $!    Tell The User This.
 $!
 $     WRITE SYS$OUTPUT "Compiling With RSAREF Routines."
 $!
 $!    Else, We Don't Care.  Compile Without The RSAREF Library.
 $!
 $   ELSE
 $!
 $!    Tell The User We Are Compile Without The RSAREF Routines.
 $!
 $     WRITE SYS$OUTPUT "Compiling Without The RSAREF Routines.
 $!
 $!  End The RSAREF Check.
 $!
 $   ENDIF
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!
 $ ELSE
@@ -949,7 +764,7 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P2," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    VAXC  :  To Compile With VAX C."
 $   WRITE SYS$OUTPUT "    DECC  :  To Compile With DEC C."
@@ -963,17 +778,18 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ IF P3.EQS."SOCKETSHR" .OR. P3.EQS."MULTINET" .OR. P3.EQS."UCX" -
     .OR. P3.EQS."TCPIP" .OR. P3.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
 $!
-$   IF P4.EQS."SOCKETSHR"
+$   IF P3.EQS."SOCKETSHR"
 $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -981,12 +797,12 @@ $   ENDIF
 $!
 $!  Check to see if MULTINET was chosen
 $!
-$   IF P4.EQS."MULTINET"
+$   IF P3.EQS."MULTINET"
 $   THEN
 $!
 $!    Set the library to use UCX emulation.
 $!
-$     P4 = "UCX"
+$     P3 = "UCX"
 $!
 $!    Done with MULTINET
 $!
@@ -994,27 +810,53 @@ $   ENDIF
 $!
 $!  Check to see if UCX was chosen
 $!
-$   IF P4.EQS."UCX"
+$   IF P3.EQS."UCX"
 $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
 $     ENDIF
 $!
 $!    Done with UCX
 $!
 $   ENDIF
 $!
 $!  Check to see if TCPIP (post UCX) was chosen
 $!
 $   IF P3.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP.
 $!
 $     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
 $!
 $!    Done with TCPIP
 $!
 $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
 $   IF P3.EQS."NONE"
 $   THEN
 $!
 $!    Do not use TCPIP.
 $!
 $     TCPIP_LIB = ""
 $!
 $!    Done with TCPIP
 $!
 $   ENDIF
 $!
 $!  Add TCP/IP type to CC definitions.
 $!
-$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'"
+$   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P3'"
 $!
 $!  Print info
 $!
@@ -1027,10 +869,11 @@ $!
 $!  Tell The User We Don't Know What They Want.
 $!
 $   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
+$   WRITE SYS$OUTPUT "The Option ",P3," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
 $   WRITE SYS$OUTPUT "    TCPIP      :  To link with TCPIP (post UCX) TCP/IP library."
 $   WRITE SYS$OUTPUT ""
 $!
 $!  Time To EXIT.
@@ -1057,7 +900,7 @@ $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $! Show user the result
 $!
-$ WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$ WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
 $! Special Threads For OpenVMS v7.1 Or Later
 $!
@@ -1065,9 +908,9 @@ $! Written By:  Richard Levitte
 $!              richard@levitte.org
 $!
 $!
-$! Check To See If We Have A Option For P5.
+$! Check To See If We Have A Option For P4.
 $!
-$ IF (P5.EQS."")
+$ IF (P4.EQS."")
 $ THEN
 $!
 $!  Get The Version Of VMS We Are Using.
@@ -1089,15 +932,15 @@ $!  End The VMS Version Check.
 $!
 $   ENDIF
 $!
-$! End The P5 Check.
+$! End The P4 Check.
 $!
 $ ENDIF
 $!
 $! Check if the user wanted to compile just a subset of all the programs.
 $!
-$ IF P6 .NES. ""
+$ IF P5 .NES. ""
 $ THEN
-$   PROGRAMS = P6
+$   PROGRAMS = P5
 $ ENDIF
 $!
 $!  Time To RETURN...
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -58,9 +58,9 @@
 #include <stdio.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include "apps.h"
 #undef PROG
 #define PROG nseq_main
@@ -102,7 +102,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-in file  input file\n");
 		BIO_printf (bio_err, "-out file output file\n");
 		BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
-		EXIT(1);
+		OPENSSL_EXIT(1);
 	}
 	if (infile) {
@@ -162,6 +162,6 @@ end:
 	BIO_free_all(out);
 	NETSCAPE_CERT_SEQUENCE_free(seq);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 }
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -58,11 +58,11 @@
 #include <stdio.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include "apps.h"
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD	(5 * 60)
@@ -145,6 +145,9 @@ int MAIN(int argc, char **argv)
 	int nmin = 0, ndays = -1;
 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	SSL_load_error_strings();
 	args = argv + 1;
 	reqnames = sk_new_null();
@@ -550,8 +553,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-port num		 port to run responder on\n");
 		BIO_printf (bio_err, "-index file	 certificate status index file\n");
 		BIO_printf (bio_err, "-CA file		 CA certificate\n");
-		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign requests with\n");
+		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign responses with\n");
-		BIO_printf (bio_err, "-rkey file	 responder key to sign requests with\n");
+		BIO_printf (bio_err, "-rkey file	 responder key to sign responses with\n");
 		BIO_printf (bio_err, "-rother file	 other certificates to include in response\n");
 		BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
 		BIO_printf (bio_err, "-nmin n	 	 number of minutes before next update\n");
@@ -610,11 +613,11 @@ int MAIN(int argc, char **argv)
 			NULL, e, "CA certificate");
 		if (rcertfile)
 			{
-			rother = load_certs(bio_err, sign_certfile, FORMAT_PEM,
+			rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
 				NULL, e, "responder other certificates");
-			if (!sign_other) goto end;
+			if (!rother) goto end;
 			}
-		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, NULL, NULL,
+		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
 			"responder private key");
 		if (!rkey)
 			goto end;
@@ -660,7 +663,7 @@ int MAIN(int argc, char **argv)
 				NULL, e, "signer certificates");
 			if (!sign_other) goto end;
 			}
-		key = load_key(bio_err, keyfile, FORMAT_PEM, NULL, NULL,
+		key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
 			"signer private key");
 		if (!key)
 			goto end;
@@ -673,6 +676,18 @@ int MAIN(int argc, char **argv)
 	if (req_text && req) OCSP_REQUEST_print(out, req, 0);
 	if (reqout)
 		{
 		derbio = BIO_new_file(reqout, "wb");
 		if(!derbio)
 			{
 			BIO_printf(bio_err, "Error opening file %s\n", reqout);
 			goto end;
 			}
 		i2d_OCSP_REQUEST_bio(derbio, req);
 		BIO_free(derbio);
 		}
 	if (ridx_filename && (!rkey || !rsigner || !rca_cert))
 		{
 		BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
@@ -806,6 +821,8 @@ int MAIN(int argc, char **argv)
 	if (!store)
 		store = setup_verify(bio_err, CAfile, CApath);
 	if (!store)
 		goto end;
 	if (verify_certfile)
 		{
 		verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
@@ -882,7 +899,7 @@ end:
 		SSL_CTX_free(ctx);
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 }
 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
@@ -1103,7 +1120,10 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
 	char *itmp, *row[DB_NUMBER],**rrow;
 	for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
 	bn = ASN1_INTEGER_to_BN(ser,NULL);
-	itmp = BN_bn2hex(bn);
+	if (BN_is_zero(bn))
 		itmp = BUF_strdup("00");
 	else
 		itmp = BN_bn2hex(bn);
 	row[DB_serial] = itmp;
 	BN_free(bn);
 	rrow=TXT_DB_get_by_index(db,DB_serial,row);
@@ -1159,7 +1179,7 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port
 	for(;;)
 		{
-		len = BIO_gets(cbio, inbuf, 1024);
+		len = BIO_gets(cbio, inbuf, sizeof inbuf);
 		if (len <= 0)
 			return 1;
 		/* Look for "POST" signalling start of query */
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -114,6 +114,7 @@
 #include <string.h>
 #include <stdlib.h>
 #define OPENSSL_C /* tells apps.h to use complete apps_startup() */
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
@@ -123,7 +124,6 @@
 #include <openssl/ssl.h>
 #include <openssl/engine.h>
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
 #include "apps.h"
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
@@ -139,11 +139,11 @@ static unsigned long MS_CALLBACK hash(const void *a_void);
 static int MS_CALLBACK cmp(const void *a_void,const void *b_void);
 static LHASH *prog_init(void );
 static int do_cmd(LHASH *prog,int argc,char *argv[]);
 CONF *config=NULL;
 char *default_config_file=NULL;
 /* Make sure there is only one when MONOLITH is defined */
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
 #endif
@@ -215,10 +215,11 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 int main(int Argc, char *Argv[])
 	{
 	ARGS arg;
-#define PROG_NAME_SIZE	16
+#define PROG_NAME_SIZE	39
-	char pname[PROG_NAME_SIZE];
+	char pname[PROG_NAME_SIZE+1];
 	FUNCTION f,*fp;
-	MS_STATIC char *prompt,buf[1024],config_name[256];
+	MS_STATIC char *prompt,buf[1024];
 	char *to_free=NULL;
 	int n,i,ret=0;
 	int argc;
 	char **argv,*p;
@@ -228,6 +229,10 @@ int main(int Argc, char *Argv[])
 	arg.data=NULL;
 	arg.count=0;
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */
 		{
 		if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))
@@ -252,23 +257,12 @@ int main(int Argc, char *Argv[])
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	/* Lets load up our environment a little */
 	p=getenv("OPENSSL_CONF");
 	if (p == NULL)
 		p=getenv("SSLEAY_CONF");
 	if (p == NULL)
-		{
+		p=to_free=make_config_name();
 		strcpy(config_name,X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
 		strcat(config_name,"/");
 #endif
 		strcat(config_name,OPENSSL_CONF);
 		p=config_name;
 		}
 	default_config_file=p;
@@ -284,7 +278,7 @@ int main(int Argc, char *Argv[])
 	prog=prog_init();
 	/* first check the program name */
-	program_name(Argv[0],pname,PROG_NAME_SIZE);
+	program_name(Argv[0],pname,sizeof pname);
 	f.name=pname;
 	fp=(FUNCTION *)lh_retrieve(prog,&f);
@@ -312,7 +306,7 @@ int main(int Argc, char *Argv[])
 		{
 		ret=0;
 		p=buf;
-		n=1024;
+		n=sizeof buf;
 		i=0;
 		for (;;)
 			{
@@ -346,6 +340,8 @@ int main(int Argc, char *Argv[])
 	BIO_printf(bio_err,"bad exit\n");
 	ret=1;
 end:
 	if (to_free)
 		OPENSSL_free(to_free);
 	if (config != NULL)
 		{
 		NCONF_free(config);
@@ -362,7 +358,7 @@ end:
 		BIO_free(bio_err);
 		bio_err=NULL;
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #define LIST_STANDARD_COMMANDS "list-standard-commands"
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -16,10 +16,9 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #ifndef OPENSSL_NO_DES
-# include <openssl/des_old.h>
+# include <openssl/des.h>
 #endif
 #ifndef NO_MD5CRYPT_1
 # include <openssl/evp.h>
 # include <openssl/md5.h>
 #endif
@@ -79,6 +78,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto err;
 	out = BIO_new(BIO_s_file());
 	if (out == NULL)
 		goto err;
@@ -290,7 +292,7 @@ err:
 	if (out)
 		BIO_free_all(out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
@@ -479,7 +481,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	/* now compute password hash */
 #ifndef OPENSSL_NO_DES
 	if (usecrypt)
-		hash = des_crypt(passwd, *salt_p);
+		hash = DES_crypt(passwd, *salt_p);
 #endif
 #ifndef NO_MD5CRYPT_1
 	if (use1 || useapr1)
@@ -503,6 +505,6 @@ err:
 int MAIN(int argc, char **argv)
 	{
 	fputs("Program not available.\n", stderr)
-	EXIT(1);
+	OPENSSL_EXIT(1);
 	}
 #endif
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -127,6 +127,9 @@ int MAIN(int argc, char **argv)
    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
    args = argv + 1;
@@ -151,6 +154,11 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp (*args, "-idea")) enc=EVP_idea_cbc();
 #endif
 		else if (!strcmp (*args, "-des3")) enc = EVP_des_ede3_cbc();
 #ifndef OPENSSL_NO_AES
 		else if (!strcmp(*args,"-aes128")) enc=EVP_aes_128_cbc();
 		else if (!strcmp(*args,"-aes192")) enc=EVP_aes_192_cbc();
 		else if (!strcmp(*args,"-aes256")) enc=EVP_aes_256_cbc();
 #endif
 		else if (!strcmp (*args, "-noiter")) iter = 1;
 		else if (!strcmp (*args, "-maciter"))
 					 maciter = PKCS12_DEFAULT_ITER;
@@ -279,6 +287,10 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-des3         encrypt private keys with triple DES (default)\n");
 #ifndef OPENSSL_NO_IDEA
 	BIO_printf (bio_err, "-idea         encrypt private keys with idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 	BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
 	BIO_printf (bio_err, "              encrypt PEM output with cbc aes\n");
 #endif
 	BIO_printf (bio_err, "-nodes        don't encrypt private keys\n");
 	BIO_printf (bio_err, "-noiter       don't use encryption iteration\n");
@@ -387,7 +399,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read MAC password");
 #endif
-	if(EVP_read_pw_string (macpass, 50, "Enter MAC Password:", export_cert))
+	if(EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert))
 	{
    	    BIO_printf (bio_err, "Can't read Password\n");
    	    goto end;
@@ -415,7 +427,7 @@ int MAIN(int argc, char **argv)
 	CRYPTO_push_info("process -export_cert");
 	CRYPTO_push_info("reading private key");
 #endif
-	key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM,
+	key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1,
 		passin, e, "private key");
 	if (!key) {
 		goto export_end;
@@ -496,9 +508,10 @@ int MAIN(int argc, char **argv)
 		    /* Exclude verified certificate */
 		    for (i = 1; i < sk_X509_num (chain2) ; i++) 
 			sk_X509_push(certs, sk_X509_value (chain2, i));
-		}
+		    /* Free first certificate */
-		sk_X509_free(chain2);
+		    X509_free(sk_X509_value(chain2, 0));
-		if (vret) {
+		    sk_X509_free(chain2);
 		} else {
 			BIO_printf (bio_err, "Error %s getting chain.\n",
 					X509_verify_cert_error_string(vret));
 			goto export_end;
@@ -525,8 +538,6 @@ int MAIN(int argc, char **argv)
 	}
 	sk_X509_pop_free(certs, X509_free);
 	certs = NULL;
 	/* ucert is part of certs so it is already freed */
 	ucert = NULL;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -534,7 +545,7 @@ int MAIN(int argc, char **argv)
 #endif
 	if(!noprompt &&
-		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
+		EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
 	    BIO_printf (bio_err, "Can't read Password\n");
 	    goto export_end;
        }
@@ -615,7 +626,6 @@ int MAIN(int argc, char **argv)
 	if (certs) sk_X509_pop_free(certs, X509_free);
 	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
 	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 	if (ucert) X509_free(ucert);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -632,7 +642,7 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("read import password");
 #endif
-    if(!noprompt && EVP_read_pw_string(pass, 50, "Enter Import Password:", 0)) {
+    if(!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) {
 	BIO_printf (bio_err, "Can't read Password\n");
 	goto end;
    }
@@ -686,7 +696,7 @@ int MAIN(int argc, char **argv)
    if(passin) OPENSSL_free(passin);
    if(passout) OPENSSL_free(passout);
    apps_shutdown();
-    EXIT(ret);
+    OPENSSL_EXIT(ret);
 }
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
@@ -767,7 +777,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
 				return 0;
-		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) {
 			PKCS8_PRIV_KEY_INFO_free(p8);
 			return 0;
 		}
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -89,7 +89,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
-	int ret=0;
+	int ret=1;
 	char *engine=NULL;
 	apps_startup();
@@ -301,5 +301,5 @@ end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -63,7 +63,6 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 #include "apps.h"
 #define PROG pkcs8_main
 int MAIN(int, char **);
@@ -83,13 +82,16 @@ int MAIN(int argc, char **argv)
 	int nocrypt = 0;
 	X509_SIG *p8;
 	PKCS8_PRIV_KEY_INFO *p8inf;
-	EVP_PKEY *pkey;
+	EVP_PKEY *pkey=NULL;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
 	char *engine=NULL;
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
@@ -219,7 +221,8 @@ int MAIN(int argc, char **argv)
 	if (topk8)
 		{
 		BIO_free(in); /* Not needed in this section */
-		pkey = load_key(bio_err, infile, informat, passin, e, "key");
+		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
 		if (!pkey) {
 			return (1);
 		}
@@ -241,7 +244,8 @@ int MAIN(int argc, char **argv)
 			if(passout) p8pass = passout;
 			else {
 				p8pass = pass;
-				EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
 					return (1);
 			}
 			app_RAND_load_file(NULL, bio_err, 0);
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
@@ -298,7 +302,7 @@ int MAIN(int argc, char **argv)
 		if(passin) p8pass = passin;
 		else {
 			p8pass = pass;
-			EVP_read_pw_string(pass, 50, "Enter Password:", 0);
+			EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
 		}
 		p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
 		X509_SIG_free(p8);
@@ -347,6 +351,7 @@ int MAIN(int argc, char **argv)
 			return (1);
 	}
 	end:
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -17,8 +17,6 @@ extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
 extern int ecdsa_main(int argc,char *argv[]);
 extern int ecdsaparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
@@ -80,12 +78,6 @@ FUNCTION functions[] = {
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	{FUNC_TYPE_GENERAL,"ecdsa",ecdsa_main},
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	{FUNC_TYPE_GENERAL,"ecdsaparam",ecdsaparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -33,8 +33,6 @@ foreach (@ARGV)
 		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^ecdsa$/) || ($_ =~ /^ecdsaparam$/))
 		{ print "#ifndef OPENSSL_NO_ECDSA\n${str}#endif\n";}
 	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
 		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^pkcs12$/))
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -92,6 +92,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto err;
 	badopt = 0;
 	i = 0;
 	while (!badopt && argv[++i] != NULL)
@@ -210,5 +213,5 @@ err:
 	if (out)
 		BIO_free_all(out);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/req.c
+++ b/apps/req.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include "../crypto/cryptlib.h"
 #define SECTION		"req"
@@ -142,7 +143,6 @@ static int batch=0;
 #define TYPE_RSA	1
 #define TYPE_DSA	2
 #define TYPE_DH		3
 #define TYPE_ECDSA	4
 int MAIN(int, char **);
@@ -152,10 +152,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
 	DSA *dsa_params=NULL;
 #endif
-#ifndef OPENSSL_NO_ECDSA
+	unsigned long nmflag = 0, reqflag = 0;
 	ECDSA *ecdsa_params = NULL;
 #endif
 	unsigned long nmflag = 0;
 	int ex=1,x509=0,days=30;
 	X509 *x509ss=NULL;
 	X509_REQ *req=NULL;
@@ -180,7 +177,8 @@ int MAIN(int argc, char **argv)
 	const EVP_MD *md_alg=NULL,*digest=EVP_md5();
 	unsigned long chtype = MBSTRING_ASC;
 #ifndef MONOLITH
-	MS_STATIC char config_name[256];
+	char *to_free;
 	long errline;
 #endif
 	req_conf = NULL;
@@ -309,7 +307,7 @@ int MAIN(int argc, char **argv)
 						goto end;
 						}
-					dtmp=X509_get_pubkey(xtmp);
+					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
 					if (dtmp->type == EVP_PKEY_DSA)
 						dsa_params=DSAparams_dup(dtmp->pkey.dsa);
 					EVP_PKEY_free(dtmp);
@@ -321,63 +319,11 @@ int MAIN(int argc, char **argv)
 						}
 					}
 				BIO_free(in);
 				in=NULL;
 				newkey=BN_num_bits(dsa_params->p);
 				in=NULL;
 				}
 			else 
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (strncmp("ecdsa:",p,4) == 0)
 				{
 				X509 *xtmp=NULL;
 				EVP_PKEY *dtmp;
 				pkey_type=TYPE_ECDSA;
 				p+=6;
 				if ((in=BIO_new_file(p,"r")) == NULL)
 					{
 					perror(p);
 					goto end;
 					}
 				if ((ecdsa_params = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL)) == NULL)
 					{
 					ERR_clear_error();
 					(void)BIO_reset(in);
 					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
 						{	
 						BIO_printf(bio_err,"unable to load ECDSA parameters from file\n");
 						goto end;
 						}
 					dtmp=X509_get_pubkey(xtmp);
 					if (dtmp->type == EVP_PKEY_ECDSA)
 						ecdsa_params = ECDSAParameters_dup(dtmp->pkey.ecdsa);
 					EVP_PKEY_free(dtmp);
 					X509_free(xtmp);
 					if (ecdsa_params == NULL)
 						{
 						BIO_printf(bio_err,"Certificate does not contain ECDSA parameters\n");
 						goto end;
 						}
 					}
 				BIO_free(in);
 				in=NULL;
 				{
 				BIGNUM *order = BN_new();
 				if (!order)
 					goto end;
 				if (!EC_GROUP_get_order(ecdsa_params->group, order, NULL))
 					goto end;
 				newkey = BN_num_bits(order);
 				BN_free(order);
 				}
 				}
 			else
 #endif
 #ifndef OPENSSL_NO_DH
 				if (strncmp("dh:",p,4) == 0)
 				{
@@ -411,6 +357,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-reqopt") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!set_cert_ex(&reqflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-subject") == 0)
 			subject=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -489,7 +440,6 @@ bad:
 		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -newkey ecdsa:file generate a new ECDSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 		BIO_printf(bio_err," -config file   request template file.\n");
 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
@@ -504,6 +454,8 @@ bad:
 		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
 		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
 		BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
 		BIO_printf(bio_err," -nameopt arg   - various certificate name options\n");
 		BIO_printf(bio_err," -reqopt arg    - various request text options\n\n");
 		goto end;
 		}
@@ -519,22 +471,15 @@ bad:
 	if (p == NULL)
 		p=getenv("SSLEAY_CONF");
 	if (p == NULL)
-		{
+		p=to_free=make_config_name();
 		strcpy(config_name,X509_get_default_cert_area());
 #ifndef OPENSSL_SYS_VMS
 		strcat(config_name,"/");
 #endif
 		strcat(config_name,OPENSSL_CONF);
 		p=config_name;
 		}
 	default_config_file=p;
 	config=NCONF_new(NULL);
-	i=NCONF_load(config, p);
+	i=NCONF_load(config, p, &errline);
 #endif
 	if (template != NULL)
 		{
-		long errline;
+		long errline = -1;
 		if( verbose )
 			BIO_printf(bio_err,"Using configuration from %s\n",template);
@@ -560,6 +505,8 @@ bad:
 	if (req_conf != NULL)
 		{
 		if (!load_config(bio_err, req_conf))
 			goto end;
 		p=NCONF_get_string(req_conf,NULL,"oid_file");
 		if (p == NULL)
 			ERR_clear_error();
@@ -675,7 +622,7 @@ bad:
 	if (keyfile != NULL)
 		{
-		pkey = load_key(bio_err, keyfile, keyform, passin, e,
+		pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
 			"Private Key");
 		if (!pkey)
 			{
@@ -683,7 +630,7 @@ bad:
 			   message */
 			goto end;
 			}
-		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || EVP_PKEY_type(pkey->type) == EVP_PKEY_ECDSA)
+		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
 			{
 			char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 			if (randfile == NULL)
@@ -707,15 +654,14 @@ bad:
 				newkey=DEFAULT_KEY_LENGTH;
 			}
-		if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
+		if (newkey < MIN_KEY_LENGTH)
 		/* TODO: appropriate minimal keylength for the different algorithm (esp. ECDSA) */
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
 			BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
 			goto end;
 			}
 		BIO_printf(bio_err,"Generating a %d bit %s private key\n",
-			newkey,(pkey_type == TYPE_RSA)?"RSA":(pkey_type == TYPE_DSA)?"DSA":"ECDSA");
+			newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");
 		if ((pkey=EVP_PKEY_new()) == NULL) goto end;
@@ -737,14 +683,6 @@ bad:
 			dsa_params=NULL;
 			}
 #endif
 #ifndef OPENSSL_NO_ECDSA
 			if (pkey_type == TYPE_ECDSA)
 			{
 			if (!ECDSA_generate_key(ecdsa_params)) goto end;
 			if (!EVP_PKEY_assign_ECDSA(pkey, ecdsa_params)) goto end;
 			ecdsa_params = NULL;
 			}
 #endif
 		app_RAND_write_file(randfile, bio_err);
@@ -850,10 +788,6 @@ loop:
 #ifndef OPENSSL_NO_DSA
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey->type == EVP_PKEY_ECDSA)
 			digest=EVP_ecdsa();
 #endif
 		if (req == NULL)
 			{
@@ -885,19 +819,20 @@ loop:
 			/* Set version to V3 */
 			if(!X509_set_version(x509ss, 2)) goto end;
 			if (serial)
-				X509_set_serialNumber(x509ss, serial);
+				{
 				if (!X509_set_serialNumber(x509ss, serial)) goto end;
 				}
 			else
-				ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L);
+				{
 				if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end;
 				}
-			X509_set_issuer_name(x509ss,
+			if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
-				X509_REQ_get_subject_name(req));
+			if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
-			X509_gmtime_adj(X509_get_notBefore(x509ss),0);
+			if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
-			X509_gmtime_adj(X509_get_notAfter(x509ss),
+			if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
 				(long)60*60*24*days);
 			X509_set_subject_name(x509ss,
 				X509_REQ_get_subject_name(req));
 			tmppkey = X509_REQ_get_pubkey(req);
-			X509_set_pubkey(x509ss,tmppkey);
+			if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
 			EVP_PKEY_free(tmppkey);
 			/* Set up V3 context struct */
@@ -1046,9 +981,9 @@ loop:
 	if (text)
 		{
 		if (x509)
-			X509_print(out,x509ss);
+			X509_print_ex(out, x509ss, nmflag, reqflag);
 		else	
-			X509_REQ_print(out,req);
+			X509_REQ_print_ex(out, req, nmflag, reqflag);
 		}
 	if(subject) 
@@ -1118,6 +1053,10 @@ loop:
 		}
 	ex=0;
 end:
 #ifndef MONOLITH
 	if(to_free)
 		OPENSSL_free(to_free);
 #endif
 	if (ex)
 		{
 		ERR_print_errors(bio_err);
@@ -1134,12 +1073,9 @@ end:
 	OBJ_cleanup();
 #ifndef OPENSSL_NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (ecdsa_params != NULL) ECDSA_free(ecdsa_params);
 #endif
 	apps_shutdown();
-	EXIT(ex);
+	OPENSSL_EXIT(ex);
 	}
 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
@@ -1199,71 +1135,29 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int attribs,
 		}
 	if(!i) goto err;
-	X509_REQ_set_pubkey(req,pkey);
+	if (!X509_REQ_set_pubkey(req,pkey)) goto err;
 	ret=1;
 err:
 	return(ret);
 	}
 /*
 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
 * where characters may be escaped by \
 */
 static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
 	{
-	X509_NAME *n = NULL;
+	X509_NAME *n;
-	int i, nid, ne_num=0;
+	if (!(n = do_subject(subject, chtype)))
-
+		return 0;
 	char *ne_name = NULL;
 	char *ne_value = NULL;
 	char *tmp = NULL;
 	char *p[2];
 	char *str_list[256];
 	p[0] = ",/";
        p[1] = "=";
 	n = X509_NAME_new();
 	tmp = strtok(subject, p[0]);
 	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
 		{
 		char *token = tmp;
 		while (token[0] == ' ')
 			token++;
 		str_list[ne_num] = token;
 		tmp = strtok(NULL, p[0]);
 		ne_num++;
 		}
 	for(i = 0; i < ne_num; i++)
 		{
 		ne_name  = strtok(str_list[i], p[1]);
 		ne_value = strtok(NULL, p[1]);
 		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
 			{
 			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
 			continue;
 			}
 		if (ne_value == NULL)
 			{
 			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
 			continue;
 			}
 		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_value, -1,-1,0))
 			{
 			X509_NAME_free(n);
 			return 0;
 			}
 		}
 	if (!X509_REQ_set_subject_name(req, n))
 		{
 		X509_NAME_free(n);
 		return 0;
 		}
 	X509_NAME_free(n);
 	return 1;
 }
@@ -1322,13 +1216,19 @@ start:		for (;;)
 				}
 			/* If OBJ not recognised ignore it */
 			if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
 			if(strlen(v->name) > sizeof buf-9)
 			   {
 			   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 			   return 0;
 			   }
 			sprintf(buf,"%s_default",v->name);
 			if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
 				{
 				ERR_clear_error();
 				def="";
 				}
 			sprintf(buf,"%s_value",v->name);
 			if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
 				{
@@ -1375,6 +1275,12 @@ start2:			for (;;)
 				if ((nid=OBJ_txt2nid(type)) == NID_undef)
 					goto start2;
 				if(strlen(v->name) > sizeof buf-9)
 				   {
 				   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 				   return 0;
 				   }
 				sprintf(buf,"%s_default",type);
 				if ((def=NCONF_get_string(req_conf,attr_sect,buf))
 					== NULL)
@@ -1478,6 +1384,7 @@ start:
 	(void)BIO_flush(bio_err);
 	if(value != NULL)
 		{
 		OPENSSL_assert(strlen(value) < sizeof buf-2);
 		strcpy(buf,value);
 		strcat(buf,"\n");
 		BIO_printf(bio_err,"%s\n",value);
@@ -1487,7 +1394,7 @@ start:
 		buf[0]='\0';
 		if (!batch)
 			{
-			fgets(buf,1024,stdin);
+			fgets(buf,sizeof buf,stdin);
 			}
 		else
 			{
@@ -1536,6 +1443,7 @@ start:
 	(void)BIO_flush(bio_err);
 	if (value != NULL)
 		{
 		OPENSSL_assert(strlen(value) < sizeof buf-2);
 		strcpy(buf,value);
 		strcat(buf,"\n");
 		BIO_printf(bio_err,"%s\n",value);
@@ -1545,7 +1453,7 @@ start:
 		buf[0]='\0';
 		if (!batch)
 			{
-			fgets(buf,1024,stdin);
+			fgets(buf,sizeof buf,stdin);
 			}
 		else
 			{
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -79,6 +79,9 @@
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
 * -aes128	- encrypt output if PEM format
 * -aes192	- encrypt output if PEM format
 * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -modulus	- print the RSA key modulus
 * -check	- verify key consistency
@@ -110,6 +113,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -195,6 +201,10 @@ bad:
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
@@ -228,12 +238,12 @@ bad:
 		if (pubin)
 			pkey = load_pubkey(bio_err, infile,
 				(informat == FORMAT_NETSCAPE && sgckey ?
-					FORMAT_IISSGC : informat),
+					FORMAT_IISSGC : informat), 1,
 				passin, e, "Public Key");
 		else
 			pkey = load_key(bio_err, infile,
 				(informat == FORMAT_NETSCAPE && sgckey ?
-					FORMAT_IISSGC : informat),
+					FORMAT_IISSGC : informat), 1,
 				passin, e, "Private Key");
 		if (pkey != NULL)
@@ -359,7 +369,7 @@ end:
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_RSA */
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -104,6 +104,9 @@ int MAIN(int argc, char **argv)
 	argv++;
 	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	pad = RSA_PKCS1_PADDING;
@@ -166,12 +169,12 @@ int MAIN(int argc, char **argv)
 	switch(key_type) {
 		case KEY_PRIVKEY:
-		pkey = load_key(bio_err, keyfile, keyform,
+		pkey = load_key(bio_err, keyfile, keyform, 0,
 			NULL, e, "Private Key");
 		break;
 		case KEY_PUBKEY:
-		pkey = load_pubkey(bio_err, keyfile, keyform,
+		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
 			NULL, e, "Public Key");
 		break;
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -134,7 +134,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	err=	X509_STORE_CTX_get_error(ctx);
 	depth=	X509_STORE_CTX_get_error_depth(ctx);
-	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
 	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
 	if (!ok)
 		{
@@ -154,7 +154,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	switch (ctx->error)
 		{
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
+		X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
 		BIO_printf(bio_err,"issuer= %s\n",buf);
 		break;
 	case X509_V_ERR_CERT_NOT_YET_VALID:
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -140,6 +140,14 @@ typedef unsigned int u_int;
 #include <conio.h>
 #endif
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
 #undef fileno
 #endif
 #define fileno(a) (int)_fileno(a)
 #endif
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
@@ -271,6 +279,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
@@ -430,6 +441,11 @@ bad:
 		goto end;
 		}
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
        e = setup_engine(bio_err, engine_id, 1);
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -452,11 +468,6 @@ bad:
 			}
 		}
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
        e = setup_engine(bio_err, engine_id, 1);
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -659,7 +670,11 @@ re_start:
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
 #ifdef OPENSSL_SYS_WINCE
 					if(!i && (!_kbhit() || !read_tty) ) continue;
 #else
 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
 #endif
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					 NULL,NULL);
 			}
@@ -743,8 +758,8 @@ re_start:
 				goto shut;
 				}
 			}
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-		/* Assume Windows can always write */
+		/* Assume Windows/DOS can always write */
 		else if (!ssl_pending && write_tty)
 #else
 		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
@@ -825,7 +840,11 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 			}
 #ifdef OPENSSL_SYS_WINDOWS
 #ifdef OPENSSL_SYS_WINCE
 		else if (_kbhit())
 #else
 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 #endif
 #else
 		else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
@@ -889,16 +908,16 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
-	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
+	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
-	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
+	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
-	if (mbuf != NULL) { memset(mbuf,0,BUFSIZZ); OPENSSL_free(mbuf); }
+	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
 	if (bio_c_out != NULL)
 		{
 		BIO_free(bio_c_out);
 		bio_c_out=NULL;
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
@@ -927,10 +946,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			for (i=0; i<sk_X509_num(sk); i++)
 				{
 				X509_NAME_oneline(X509_get_subject_name(
-					sk_X509_value(sk,i)),buf,BUFSIZ);
+					sk_X509_value(sk,i)),buf,sizeof buf);
 				BIO_printf(bio,"%2d s:%s\n",i,buf);
 				X509_NAME_oneline(X509_get_issuer_name(
-					sk_X509_value(sk,i)),buf,BUFSIZ);
+					sk_X509_value(sk,i)),buf,sizeof buf);
 				BIO_printf(bio,"   i:%s\n",buf);
 				if (c_showcerts)
 					PEM_write_bio_X509(bio,sk_X509_value(sk,i));
@@ -945,10 +964,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
 				PEM_write_bio_X509(bio,peer);
 			X509_NAME_oneline(X509_get_subject_name(peer),
-				buf,BUFSIZ);
+				buf,sizeof buf);
 			BIO_printf(bio,"subject=%s\n",buf);
 			X509_NAME_oneline(X509_get_issuer_name(peer),
-				buf,BUFSIZ);
+				buf,sizeof buf);
 			BIO_printf(bio,"issuer=%s\n",buf);
 			}
 		else
@@ -970,7 +989,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			{
 			BIO_printf(bio,"---\nNo client certificate CA names sent\n");
 			}
-		p=SSL_get_shared_ciphers(s,buf,BUFSIZ);
+		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
 		if (p != NULL)
 			{
 			/* This works only for SSL 2.  In later protocol
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -144,6 +144,14 @@ typedef unsigned int u_int;
 #include <conio.h>
 #endif
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
 #undef fileno
 #endif
 #define fileno(a) (int)_fileno(a)
 #endif
 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
@@ -320,10 +328,10 @@ static char **local_argv;
 static int ebcdic_new(BIO *bi);
 static int ebcdic_free(BIO *a);
 static int ebcdic_read(BIO *b, char *out, int outl);
-static int ebcdic_write(BIO *b, char *in, int inl);
+static int ebcdic_write(BIO *b, const char *in, int inl);
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
 static int ebcdic_gets(BIO *bp, char *buf, int size);
-static int ebcdic_puts(BIO *bp, char *str);
+static int ebcdic_puts(BIO *bp, const char *str);
 #define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
 static BIO_METHOD methods_ebcdic=
@@ -388,7 +396,7 @@ static int ebcdic_read(BIO *b, char *out, int outl)
 	return(ret);
 }
-static int ebcdic_write(BIO *b, char *in, int inl)
+static int ebcdic_write(BIO *b, const char *in, int inl)
 {
 	EBCDIC_OUTBUFF *wbuf;
 	int ret=0;
@@ -421,7 +429,7 @@ static int ebcdic_write(BIO *b, char *in, int inl)
 	return(ret);
 }
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
 	long ret;
@@ -440,7 +448,7 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
 static int ebcdic_gets(BIO *bp, char *buf, int size)
 {
-	int i, ret;
+	int i, ret=0;
 	if (bp->next_bio == NULL) return(0);
 /*	return(BIO_gets(bp->next_bio,buf,size));*/
 	for (i=0; i<size-1; ++i)
@@ -459,7 +467,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size)
 	return (ret < 0 && i == 0) ? ret : i;
 }
-static int ebcdic_puts(BIO *bp, char *str)
+static int ebcdic_puts(BIO *bp, const char *str)
 {
 	if (bp->next_bio == NULL) return(0);
 	return ebcdic_write(bp, str, strlen(str));
@@ -504,6 +512,9 @@ int MAIN(int argc, char *argv[])
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	verify_depth=0;
 #ifdef FIONBIO
 	s_nbio=0;
@@ -680,6 +691,11 @@ bad:
 		goto end;
 		}
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
        e = setup_engine(bio_err, engine_id, 1);
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -702,7 +718,7 @@ bad:
 			}
 		}
-#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
 	if (nocert)
 #endif
 		{
@@ -712,11 +728,6 @@ bad:
 		s_dkey_file=NULL;
 		}
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
        e = setup_engine(bio_err, engine_id, 1);
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -857,7 +868,7 @@ end:
 		bio_s_out=NULL;
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
@@ -1173,7 +1184,7 @@ err:
 	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
 	if (buf != NULL)
 		{
-		memset(buf,0,bufsize);
+		OPENSSL_cleanse(buf,bufsize);
 		OPENSSL_free(buf);
 		}
 	if (ret >= 0)
@@ -1225,14 +1236,14 @@ static int init_ssl_connection(SSL *con)
 		{
 		BIO_printf(bio_s_out,"Client certificate\n");
 		PEM_write_bio_X509(bio_s_out,peer);
-		X509_NAME_oneline(X509_get_subject_name(peer),buf,BUFSIZ);
+		X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
 		BIO_printf(bio_s_out,"subject=%s\n",buf);
-		X509_NAME_oneline(X509_get_issuer_name(peer),buf,BUFSIZ);
+		X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
 		BIO_printf(bio_s_out,"issuer=%s\n",buf);
 		X509_free(peer);
 		}
-	if (SSL_get_shared_ciphers(con,buf,BUFSIZ) != NULL)
+	if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
@@ -1392,7 +1403,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			else
 				{
 				BIO_printf(bio_s_out,"read R BLOCK\n");
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
 				sleep(1);
 #endif
 				continue;
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -83,9 +83,9 @@ typedef unsigned int u_int;
 static struct hostent *GetHostByName(char *name);
 #ifdef OPENSSL_SYS_WINDOWS
-static void sock_cleanup(void);
+static void ssl_sock_cleanup(void);
 #endif
-static int sock_init(void);
+static int ssl_sock_init(void);
 static int init_client_ip(int *sock,unsigned char ip[4], int port);
 static int init_server(int *sock, int port);
 static int init_server_long(int *sock, int port,char *ip);
@@ -118,7 +118,7 @@ static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
 		case WM_DESTROY:
 		case WM_CLOSE:
 			SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc);
-			sock_cleanup();
+			ssl_sock_cleanup();
 			break;
 			}
 		}
@@ -135,26 +135,34 @@ static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam)
 #endif /* OPENSSL_SYS_WINDOWS */
 #ifdef OPENSSL_SYS_WINDOWS
-static void sock_cleanup(void)
+static void ssl_sock_cleanup(void)
 	{
 	if (wsa_init_done)
 		{
 		wsa_init_done=0;
 #ifndef OPENSSL_SYS_WINCE
 		WSACancelBlockingCall();
 #endif
 		WSACleanup();
 		}
 	}
 #endif
-static int sock_init(void)
+static int ssl_sock_init(void)
 	{
-#ifdef OPENSSL_SYS_WINDOWS
+#ifdef WATT32
 	extern int _watt_do_exit;
 	_watt_do_exit = 0;
 	dbug_init();
 	if (sock_init())
 		return (0);
 #elif defined(OPENSSL_SYS_WINDOWS)
 	if (!wsa_init_done)
 		{
 		int err;
 #ifdef SIGINT
-		signal(SIGINT,(void (*)(int))sock_cleanup);
+		signal(SIGINT,(void (*)(int))ssl_sock_cleanup);
 #endif
 		wsa_init_done=1;
 		memset(&wsa_state,0,sizeof(wsa_state));
@@ -196,7 +204,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port)
 	struct sockaddr_in them;
 	int s,i;
-	if (!sock_init()) return(0);
+	if (!ssl_sock_init()) return(0);
 	memset((char *)&them,0,sizeof(them));
 	them.sin_family=AF_INET;
@@ -261,7 +269,7 @@ static int init_server_long(int *sock, int port, char *ip)
 	struct sockaddr_in server;
 	int s= -1,i;
-	if (!sock_init()) return(0);
+	if (!ssl_sock_init()) return(0);
 	memset((char *)&server,0,sizeof(server));
 	server.sin_family=AF_INET;
@@ -318,7 +326,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
 	int len;
 /*	struct linger ling; */
-	if (!sock_init()) return(0);
+	if (!ssl_sock_init()) return(0);
 #ifndef OPENSSL_SYS_WINDOWS
 redoit:
@@ -448,7 +456,7 @@ static int host_ip(char *str, unsigned char ip[4])
 		{ /* do a gethostbyname */
 		struct hostent *he;
-		if (!sock_init()) return(0);
+		if (!ssl_sock_init()) return(0);
 		he=GetHostByName(str);
 		if (he == NULL)
@@ -529,9 +537,12 @@ static struct hostent *GetHostByName(char *name)
 		ret=gethostbyname(name);
 		if (ret == NULL) return(NULL);
 		/* else add to cache */
-		strncpy(ghbn_cache[lowi].name,name,128);
+		if(strlen(name) < sizeof ghbn_cache[0].name)
-		memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
+			{
-		ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
+			strcpy(ghbn_cache[lowi].name,name);
 			memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
 			ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
 			}
 		return(ret);
 		}
 	else
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -85,7 +85,7 @@
 #include OPENSSL_UNISTD
 #endif
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
 #define TIMES
 #endif
@@ -109,10 +109,6 @@
 #include <sys/timeb.h>
 #endif
 #ifdef _AIX
 #include <sys/select.h>
 #endif
 #if defined(sun) || defined(__ultrix)
 #define _POSIX_SOURCE
 #include <limits.h>
@@ -150,6 +146,8 @@
 #undef BUFSIZZ
 #define BUFSIZZ 1024*10
 #define MYBUFSIZ 1024*8
 #undef min
 #undef max
 #define min(a,b) (((a) < (b)) ? (a) : (b))
@@ -324,6 +322,11 @@ static int parseArgs(int argc, char **argv)
 		{
 		if (--argc < 1) goto bad;
 		s_www_path= *(++argv);
 		if(strlen(s_www_path) > MYBUFSIZ-100)
 			{
 			BIO_printf(bio_err,"-www option too long\n");
 			badop=1;
 			}
 		}
 	else if(strcmp(*argv,"-bugs") == 0)
 	    st_bugs=1;
@@ -484,7 +487,7 @@ int MAIN(int argc, char **argv)
 	tm_Time_F(START);
 	for (;;)
 		{
-		if (finishtime < time(NULL)) break;
+		if (finishtime < (long)time(NULL)) break;
 #ifdef WIN32_STUFF
 		if( flushWinMsgs(0) == -1 )
@@ -535,9 +538,9 @@ int MAIN(int argc, char **argv)
 		}
 	totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
-	i=(int)(time(NULL)-finishtime+maxTime);
+	i=(int)((long)time(NULL)-finishtime+maxTime);
 	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
-	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
 	/* Now loop and time connections using the same session id over and over */
@@ -569,7 +572,7 @@ next:
 	nConn = 0;
 	totalTime = 0.0;
-	finishtime=time(NULL)+maxTime;
+	finishtime=(long)time(NULL)+maxTime;
 	printf( "starting\n" );
 	bytes_read=0;
@@ -577,7 +580,7 @@ next:
 	for (;;)
 		{
-		if (finishtime < time(NULL)) break;
+		if (finishtime < (long)time(NULL)) break;
 #ifdef WIN32_STUFF
 		if( flushWinMsgs(0) == -1 )
@@ -627,7 +630,7 @@ next:
 	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
-	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,time(NULL)-finishtime+maxTime,bytes_read/nConn);
+	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
 	ret=0;
 end:
@@ -639,7 +642,7 @@ end:
 		tm_ctx=NULL;
 		}
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /***********************************************************************
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -273,7 +273,7 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (x != NULL) SSL_SESSION_free(x);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static SSL_SESSION *load_sess_id(char *infile, int format)
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -109,6 +109,15 @@ int MAIN(int argc, char **argv)
 	args = argv + 1;
 	ret = 1;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	while (!badarg && *args && *args[0] == '-') {
 		if (!strcmp (*args, "-encrypt")) operation = SMIME_ENCRYPT;
 		else if (!strcmp (*args, "-decrypt")) operation = SMIME_DECRYPT;
@@ -128,6 +137,14 @@ int MAIN(int argc, char **argv)
 				cipher = EVP_rc2_cbc();
 		else if (!strcmp (*args, "-rc2-64")) 
 				cipher = EVP_rc2_64_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (!strcmp(*args,"-aes128"))
 				cipher = EVP_aes_128_cbc();
 		else if (!strcmp(*args,"-aes192"))
 				cipher = EVP_aes_192_cbc();
 		else if (!strcmp(*args,"-aes256"))
 				cipher = EVP_aes_256_cbc();
 #endif
 		else if (!strcmp (*args, "-text")) 
 				flags |= PKCS7_TEXT;
@@ -283,6 +300,10 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-rc2-40        encrypt with RC2-40 (default)\n");
 		BIO_printf (bio_err, "-rc2-64        encrypt with RC2-64\n");
 		BIO_printf (bio_err, "-rc2-128       encrypt with RC2-128\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf (bio_err, "-aes128, -aes192, -aes256\n");
 		BIO_printf (bio_err, "               encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf (bio_err, "-nointern      don't search certificates in message for signer\n");
 		BIO_printf (bio_err, "-nosigs        don't verify message signature\n");
@@ -407,7 +428,7 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;
 	if(keyfile) {
-		key = load_key(bio_err, keyfile, keyform, passin, e,
+		key = load_key(bio_err, keyfile, keyform, 0, passin, e,
 			       "signing key file");
 		if (!key) {
 			goto end;
@@ -450,7 +471,10 @@ int MAIN(int argc, char **argv)
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
 	} else if(operation == SMIME_SIGN) {
 		p7 = PKCS7_sign(signer, key, other, in, flags);
-		BIO_reset(in);
+		if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
 		  BIO_printf(bio_err, "Can't rewind input file\n");
 		  goto end;
 		}
 	} else {
 		if(informat == FORMAT_SMIME) 
 			p7 = SMIME_read_PKCS7(in, &indata);
@@ -490,9 +514,9 @@ int MAIN(int argc, char **argv)
 	} else if(operation == SMIME_VERIFY) {
 		STACK_OF(X509) *signers;
 		if(PKCS7_verify(p7, other, store, indata, out, flags)) {
-			BIO_printf(bio_err, "Verification Successful\n");
+			BIO_printf(bio_err, "Verification successful\n");
 		} else {
-			BIO_printf(bio_err, "Verification Failure\n");
+			BIO_printf(bio_err, "Verification failure\n");
 			goto end;
 		}
 		signers = PKCS7_get0_signers(p7, other, flags);
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -131,7 +131,7 @@
 #endif
 #ifndef OPENSSL_NO_DES
-#include <openssl/des_old.h>
+#include <openssl/des.h>
 #endif
 #ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
@@ -187,7 +187,8 @@
 /* The following if from times(3) man page.  It may need to be changed */
 #ifndef HZ
-# ifdef _SC_CLK_TCK
+# if defined(_SC_CLK_TCK) \
     && (!defined(OPENSSL_SYS_VMS) || __CTRL_VER >= 70000000)
 #  define HZ ((double)sysconf(_SC_CLK_TCK))
 # else
 #  ifndef CLK_TCK
@@ -374,9 +375,11 @@ int MAIN(int argc, char **argv)
 	int mret=1;
 	long count=0,save_count=0;
 	int i,j,k;
 #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
 	long rsa_count;
 #endif
 #ifndef OPENSSL_NO_RSA
 	unsigned rsa_num;
 	long rsa_count;
 #endif
 	unsigned char md[EVP_MAX_MD_SIZE];
 #ifndef OPENSSL_NO_MD2
@@ -437,9 +440,9 @@ int MAIN(int argc, char **argv)
 	unsigned char iv[MAX_BLOCK_SIZE/8];
 #ifndef OPENSSL_NO_DES
 	DES_cblock *buf_as_des_cblock = NULL;
-	static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+	static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
-	static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+	static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
-	static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+	static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
 	DES_key_schedule sch;
 	DES_key_schedule sch2;
 	DES_key_schedule sch3;
@@ -515,6 +518,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 #ifndef OPENSSL_NO_RSA
 	memset(rsa_key,0,sizeof(rsa_key));
 	for (i=0; i<RSA_NUM; i++)
@@ -527,7 +533,7 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 #ifndef OPENSSL_NO_DES
-	buf_as_des_cblock = (des_cblock *)buf;
+	buf_as_des_cblock = (DES_cblock *)buf;
 #endif
 	if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
@@ -856,7 +862,7 @@ int MAIN(int argc, char **argv)
 			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available options:\n");
-#ifdef TIMES
+#if defined(TIMES) || defined(USE_TOD)
 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
 			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
@@ -1136,7 +1142,7 @@ int MAIN(int argc, char **argv)
 		HMAC_CTX_init(&hctx);
 		HMAC_Init_ex(&hctx,(unsigned char *)"This is a key...",
-			16,EVP_md5());
+			16,EVP_md5(), NULL);
 		for (j=0; j<SIZE_NUM; j++)
 			{
@@ -1144,9 +1150,9 @@ int MAIN(int argc, char **argv)
 			Time_F(START);
 			for (count=0,run=1; COND(c[D_HMAC][j]); count++)
 				{
-				HMAC_Init_ex(&hctx,NULL,0,NULL);
+				HMAC_Init_ex(&hctx,NULL,0,NULL,NULL);
-                                HMAC_Update(&hctx,buf,lengths[j]);
+				HMAC_Update(&hctx,buf,lengths[j]);
-                                HMAC_Final(&hctx,&(hmac[0]),NULL);
+				HMAC_Final(&hctx,&(hmac[0]),NULL);
 				}
 			d=Time_F(STOP);
 			print_result(D_HMAC,j,count,d);
@@ -1598,7 +1604,7 @@ show_res:
 		printf("%s ",RC4_options());
 #endif
 #ifndef OPENSSL_NO_DES
-		printf("%s ",des_options());
+		printf("%s ",DES_options());
 #endif
 #ifndef OPENSSL_NO_AES
 		printf("%s ",AES_options());
@@ -1622,7 +1628,7 @@ show_res:
 #endif
 #ifdef HZ
 #define as_string(s) (#s)
-		printf("HZ=%g", HZ);
+		printf("HZ=%g", (double)HZ);
 # ifdef _SC_CLK_TCK
 		printf(" [sysconf value]");
 # endif
@@ -1723,7 +1729,7 @@ end:
 			DSA_free(dsa_key[i]);
 #endif
 	apps_shutdown();
-	EXIT(mret);
+	OPENSSL_EXIT(mret);
 	}
 static void print_message(const char *s, long num, int length)
@@ -1776,7 +1782,7 @@ static char *sstrsep(char **string, const char *delim)
    if (**string == 0)
        return NULL;
-    memset(isdelim, 0, 256);
+    memset(isdelim, 0, sizeof isdelim);
    isdelim[0] = 1;
    while (*delim)
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -98,6 +98,9 @@ int MAIN(int argc, char **argv)
 	if (!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	prog=argv[0];
 	argc--;
 	argv++;
@@ -183,7 +186,7 @@ bad:
 	if(keyfile) {
 		pkey = load_key(bio_err,
 				strcmp(keyfile, "-") ? keyfile : NULL,
-				FORMAT_PEM, passin, e, "private key");
+				FORMAT_PEM, 1, passin, e, "private key");
 		if(!pkey) {
 			goto end;
 		}
@@ -292,5 +295,5 @@ end:
 	EVP_PKEY_free(pkey);
 	if(passin) OPENSSL_free(passin);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -100,6 +100,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	argc--;
 	argv++;
 	for (;;)
@@ -229,7 +232,7 @@ end:
 	sk_X509_pop_free(untrusted, X509_free);
 	sk_X509_pop_free(trusted, X509_free);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e)
@@ -327,7 +330,8 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
 	if (!ok)
 		{
 		X509_NAME_oneline(
-				X509_get_subject_name(ctx->current_cert),buf,256);
+				X509_get_subject_name(ctx->current_cert),buf,
 				sizeof buf);
 		printf("%s\n",buf);
 		printf("error %d at %d depth lookup:%s\n",ctx->error,
 			ctx->error_depth,
--- a/apps/version.c
+++ b/apps/version.c
@@ -122,7 +122,7 @@
 # include <openssl/rc4.h>
 #endif
 #ifndef OPENSSL_NO_DES
-# include <openssl/des_old.h>
+# include <openssl/des.h>
 #endif
 #ifndef OPENSSL_NO_IDEA
 # include <openssl/idea.h>
@@ -186,7 +186,7 @@ int MAIN(int argc, char **argv)
 		printf("%s ",RC4_options());
 #endif
 #ifndef OPENSSL_NO_DES
-		printf("%s ",des_options());
+		printf("%s ",DES_options());
 #endif
 #ifndef OPENSSL_NO_IDEA
 		printf("%s ",idea_options());
@@ -200,5 +200,5 @@ int MAIN(int argc, char **argv)
 	if (dir)  printf("%s\n",SSLeay_version(SSLEAY_DIR));
 end:
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/winrand.c
+++ b/apps/winrand.c
@@ -118,7 +118,6 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
        HDC hdc;
 	PAINTSTRUCT ps;
        RECT rect;
        char buffer[200];
        static int seeded = 0;
 	switch (iMsg)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -122,7 +122,7 @@ static char *x509_usage[]={
 " -CAkey arg      - set the CA key, must be PEM format\n",
 "                   missing, it is assumed to be in the CA file.\n",
 " -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial       - serial file\n",
+" -CAserial arg   - serial file\n",
 " -set_serial     - serial number to use\n",
 " -text           - print the certificate in text form\n",
 " -C              - print out C code forms\n",
@@ -191,6 +191,9 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	{
@@ -242,7 +245,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-CAkeyform") == 0)
 			{
 			if (--argc < 1) goto bad;
-			CAformat=str2fmt(*(++argv));
+			CAkeyformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-days") == 0)
 			{
@@ -476,7 +479,7 @@ bad:
 	if (extfile)
 		{
-		long errorline;
+		long errorline = -1;
 		X509V3_CTX ctx2;
 		extconf = NCONF_new(NULL);
 		if (!NCONF_load(extconf, extfile,&errorline))
@@ -767,10 +770,11 @@ bad:
 				int y,z;
 				X509_NAME_oneline(X509_get_subject_name(x),
-					buf,256);
+					buf,sizeof buf);
 				BIO_printf(STDout,"/* subject:%s */\n",buf);
 				m=X509_NAME_oneline(
-					X509_get_issuer_name(x),buf,256);
+					X509_get_issuer_name(x),buf,
 					sizeof buf);
 				BIO_printf(STDout,"/* issuer :%s */\n",buf);
 				z=i2d_X509(x,NULL);
@@ -858,18 +862,14 @@ bad:
 				if (Upkey == NULL)
 					{
 					Upkey=load_key(bio_err,
-						keyfile,keyformat, passin, e,
+						keyfile, keyformat, 0,
-						"Private key");
+						passin, e, "Private key");
 					if (Upkey == NULL) goto end;
 					}
 #ifndef OPENSSL_NO_DSA
 		                if (Upkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (Upkey->type == EVP_PKEY_ECDSA)
 					digest=EVP_ecdsa();
 #endif
 				assert(need_rand);
 				if (!sign(x,Upkey,days,clrext,digest,
@@ -881,18 +881,15 @@ bad:
 				if (CAkeyfile != NULL)
 					{
 					CApkey=load_key(bio_err,
-						CAkeyfile,CAkeyformat, passin,
+						CAkeyfile, CAkeyformat,
-						e, "CA Private Key");
+						0, passin, e,
 						"CA Private Key");
 					if (CApkey == NULL) goto end;
 					}
 #ifndef OPENSSL_NO_DSA
 		                if (CApkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (CApkey->type == EVP_PKEY_ECDSA)
 					digest = EVP_ecdsa();
 #endif
 				assert(need_rand);
 				if (!x509_certify(ctx,CAfile,digest,x,xca,
@@ -913,17 +910,17 @@ bad:
 				else
 					{
 					pk=load_key(bio_err,
-						keyfile,FORMAT_PEM, passin, e,
+						keyfile, FORMAT_PEM, 0,
-						"request key");
+						passin, e, "request key");
 					if (pk == NULL) goto end;
 					}
 				BIO_printf(bio_err,"Generating certificate request\n");
 #ifndef OPENSSL_NO_DSA
 		                if (pk->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
-				else if (pk->type == EVP_PKEY_ECDSA)
+#endif
 					digest=EVP_ecdsa();
 				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
@@ -1020,7 +1017,7 @@ end:
 	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
 	if (passin) OPENSSL_free(passin);
 	apps_shutdown();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
@@ -1078,7 +1075,7 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
 		}
 	else 
 		{
-		if (!a2i_ASN1_INTEGER(io,bs,buf2,1024))
+		if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2))
 			{
 			BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
 			ERR_print_errors(bio_err);
--- a/78
+++ b/78
@@ -344,6 +344,17 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	exit 0
 	;;
    *"CRAY T3E")
       echo "t3e-cray-unicosmk"; exit 0;
       ;;
    *CRAY*)
       echo "j90-cray-unicos"; exit 0;
       ;;
    NONSTOP_KERNEL*)
       echo "nsr-tandem-nsk"; exit 0;
       ;;
 esac
 #
@@ -383,18 +394,33 @@ exit 0
 # figure out if gcc is available and if so we use it otherwise
 # we fallback to whatever cc does on the system
-GCCVER=`(gcc --version) 2>/dev/null`
+GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
  CC=gcc
-  # then strip off whatever prefix Cygnus prepends the number with...
+  # then strip off whatever prefix egcs prepends the number with...
-  GCCVER=`echo $GCCVER | sed 's/^[a-z]*\-//'`
+  # Hopefully, this will work for any future prefixes as well.
  GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
  # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
  # does give us what we want though, so we use that.  We just just the
  # major and minor version numbers.
  # peak single digit before and after first dot, e.g. 2.95.1 gives 29
  GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
 else
  CC=cc
 fi
 GCCVER=${GCCVER:-0}
-
+if [ "$SYSTEM" = "HP-UX" ];then
  # By default gcc is a ILP32 compiler (with long long == 64).
  GCC_BITS="32"
  if [ $GCCVER -ge 30 ]; then
    # PA64 support only came in with gcc 3.0.x.
    # We look for the preprocessor symbol __LP64__ indicating
    # 64bit bit long and pointer.  sizeof(int) == 32 on HPUX64.
    if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then
      GCC_BITS="64"
    fi
  fi
 fi
 if [ "$SYSTEM" = "SunOS" ]; then
  if [ $GCCVER -ge 30 ]; then
    # 64-bit ABI isn't officially supported in gcc 3.0, but it appears
@@ -510,6 +536,10 @@ EOF
 	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
 	rm dummy dummy.c
 	;;
  ppc64-*-linux2)
 	#Use the standard target for PPC architecture until we create a
 	#special one for the 64bit architecture.
 	OUT="linux-ppc" ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
@@ -517,12 +547,13 @@ EOF
  ppc-apple-darwin*) OUT="darwin-ppc-cc" ;;
  i386-apple-darwin*) OUT="darwin-i386-cc" ;;
  sparc64-*-linux2)
-	#Before we can uncomment following lines we have to wait at least
+	echo "WARNING! If *know* that your GNU C supports 64-bit/V9 ABI"
-	#till 64-bit glibc for SPARC is operational:-(
+	echo "         and wish to build 64-bit library, then you have to"
-	#echo "WARNING! If you wish to build 64-bit library, then you have to"
+	echo "         invoke './Configure linux64-sparcv9' *manually*."
-	#echo "         invoke './Configure linux64-sparcv9' *manually*."
+	if [ "$TEST" = "false" ]; then
-	#echo "         Type return if you want to continue, Ctrl-C to abort."
+	  echo "          You have about 5 seconds to press Ctrl-C to abort."
-	#read waste < /dev/tty
+	  (stty -icanon min 0 time 50; read waste) < /dev/tty
 	fi
 	OUT="linux-sparcv9" ;;
  sparc-*-linux2)
 	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
@@ -555,6 +586,7 @@ EOF
  arm*-*-linux2) OUT="linux-elf-arm" ;;
  s390-*-linux2) OUT="linux-s390" ;;
  s390x-*-linux?) OUT="linux-s390x" ;;
  x86_64-*-linux?) OUT="linux-x86_64" ;;
  *-*-linux2) OUT="linux-elf"
 	if [ "$GCCVER" -gt 28 ]; then
          if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then
@@ -613,9 +645,17 @@ EOF
  *86*-*-netbsd) OUT="NetBSD-x86" ;;
  sun3*-*-netbsd) OUT="NetBSD-m68" ;;
  *-*-netbsd) OUT="NetBSD-sparc" ;;
  *86*-*-openbsd) OUT="OpenBSD-x86" ;;
  alpha*-*-openbsd) OUT="OpenBSD-alpha" ;;
  *86*-*-openbsd) OUT="OpenBSD-i386" ;;
  m68k*-*-openbsd) OUT="OpenBSD-m68k" ;;
  m88k*-*-openbsd) OUT="OpenBSD-m88k" ;;
  mips*-*-openbsd) OUT="OpenBSD-mips" ;;
  pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
  powerpc*-*-openbsd) OUT="OpenBSD-powerpc" ;;
  sparc64*-*-openbsd) OUT="OpenBSD-sparc64" ;;
  sparc*-*-openbsd) OUT="OpenBSD-sparc" ;;
  vax*-*-openbsd) OUT="OpenBSD-vax" ;;
  hppa*-*-openbsd) OUT="OpenBSD-hppa" ;;
  *-*-openbsd) OUT="OpenBSD" ;;
  *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
  *-*-osf) OUT="alphaold-cc" ;;
@@ -640,7 +680,16 @@ EOF
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
  *-hpux1*)
-	OUT="hpux-parisc-$CC"
+	if [ $CC = "gcc" ];
 	then
 	  if [ $GCC_BITS = "64" ]; then
 	    OUT="hpux64-parisc-gcc"
 	  else
 	    OUT="hpux-parisc-gcc"
 	  fi
 	else
 	  OUT="hpux-parisc-$CC"
 	fi
 	KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null`
 	KERNEL_BITS=${KERNEL_BITS:-32}
 	CPU_VERSION=`(getconf CPU_VERSION) 2>/dev/null`
@@ -680,6 +729,9 @@ EOF
  mips-sony-newsos4) OUT="newsos4-gcc" ;;
  *-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
  *-*-cygwin) OUT="Cygwin" ;;
  t3e-cray-unicosmk) OUT="cray-t3e" ;;
  j90-cray-unicos) OUT="cray-j90" ;;
  nsr-tandem-nsk) OUT="tandem-c89" ;;
  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
@@ -714,7 +766,7 @@ case "$GUESSOS" in
  i386-*) options="$options 386" ;;
 esac
-for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 rijndael ripemd rsa sha
+for i in bf cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 aes ripemd rsa sha
 do
  if [ ! -d crypto/$i ]
  then
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -28,7 +28,7 @@ LIBS=
 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
@@ -36,8 +36,8 @@ GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
 SRC= $(LIBSRC)
@@ -54,11 +54,11 @@ all: buildinf.h lib subdirs shared
 buildinf.h: ../Makefile.ssl
 	( echo "#ifndef MK1MF_BUILD"; \
-	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
+	echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \
-	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
+	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo "  #define PLATFORM \"$(PLATFORM)\""; \
+	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`date`\""; \
+	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo "#endif" ) >buildinf.h
+	echo '#endif' ) >buildinf.h
 testapps:
 	if echo ${SDIRS} | fgrep ' des '; \
@@ -98,7 +98,7 @@ lib:	$(LIBOBJ)
 shared:
 	if [ -n "$(SHARED_LIBS)" ]; then \
-		(cd ..; make $(SHARED_LIB)); \
+		(cd ..; $(MAKE) $(SHARED_LIB)); \
 	fi
 libs:
@@ -136,12 +136,12 @@ lint:
 depend:
 	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(SDIRS) ;\
 	do \
 	(cd $$i && echo "making depend in crypto/$$i..." && \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
 	done;
 clean:
@@ -180,7 +180,7 @@ cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c
-ebcdic.o: ../include/openssl/opensslconf.h ebcdic.c
+ebcdic.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h ebcdic.c
 ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -193,6 +193,10 @@ mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c
 mem_clr.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_clr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem_clr.o: ../include/openssl/symhacks.h mem_clr.c
 mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
--- a/crypto/aes/Makefile.ssl
+++ b/crypto/aes/Makefile.ssl
@@ -26,8 +26,8 @@ TEST=
 APPS=
 LIB=$(TOP)/libcrypto.a
-LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c
+LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c aes_ctr.c
-LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o
+LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o aes_cfb.o aes_ofb.o aes_ctr.o
 SRC= $(LIBSRC)
@@ -54,7 +54,7 @@ files:
 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-	@#$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 install: installs
@@ -75,7 +75,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -88,10 +88,16 @@ clean:
 aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h
 aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h
 aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
 aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h
 aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h
 aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_misc.o: ../../include/openssl/opensslconf.h
 aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c
 aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ofb.o: ../../include/openssl/opensslconf.h aes_locl.h aes_ofb.c
--- a/crypto/aes/aes.h
+++ b/crypto/aes/aes.h
@@ -1,6 +1,6 @@
 /* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -58,8 +58,10 @@
 static const int AES_DECRYPT = 0;
 static const int AES_ENCRYPT = 1;
-#define AES_MAXNR 14 /* array size can't be a const in C */
+/* Because array size can't be a const in C, the following two are macros.
-static const int AES_BLOCK_SIZE = 16; /* bytes */
+   Both sizes are in bytes. */
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16
 #ifdef  __cplusplus
 extern "C" {
@@ -74,17 +76,33 @@ typedef struct aes_key_st AES_KEY;
 const char *AES_options(void);
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key);
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key);
+	AES_KEY *key);
 int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 	AES_KEY *key);
-void AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key);
+void AES_encrypt(const unsigned char *in, unsigned char *out,
-void AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key);
+	const AES_KEY *key);
 void AES_decrypt(const unsigned char *in, unsigned char *out,
 	const AES_KEY *key);
 void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
-	       	     const AES_KEY *key, const int enc);
+	const AES_KEY *key, const int enc);
 void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
-	       	     const unsigned long length, const AES_KEY *key,
+	const unsigned long length, const AES_KEY *key,
-		     unsigned char *ivec, const int enc);
+	unsigned char *ivec, const int enc);
 void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char *ivec, int *num, const int enc);
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char counter[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num);
 #ifdef  __cplusplus
 }
--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
@@ -1,6 +1,6 @@
 /* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -49,7 +49,13 @@
 *
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -57,33 +63,49 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 		     const unsigned long length, const AES_KEY *key,
 		     unsigned char *ivec, const int enc) {
-	int n;
+	unsigned long n;
 	unsigned long len = length;
-	unsigned char tmp[16];
+	unsigned char tmp[AES_BLOCK_SIZE];
 	assert(in && out && key && ivec);
 	assert(length % AES_BLOCK_SIZE == 0);
 	assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
-	if (AES_ENCRYPT == enc)
+	if (AES_ENCRYPT == enc) {
-		while (len > 0) {
+		while (len >= AES_BLOCK_SIZE) {
-			for(n=0; n < 16; ++n)
+			for(n=0; n < sizeof tmp; ++n)
 				tmp[n] = in[n] ^ ivec[n];
 			AES_encrypt(tmp, out, key);
-			memcpy(ivec, out, 16);
+			memcpy(ivec, out, AES_BLOCK_SIZE);
-			len -= 16;
+			len -= AES_BLOCK_SIZE;
-			in += 16;
+			in += AES_BLOCK_SIZE;
-			out += 16;
+			out += AES_BLOCK_SIZE;
 		}
-	else
+		if (len) {
-		while (len > 0) {
+			for(n=0; n < len; ++n)
-			memcpy(tmp, in, 16);
+				tmp[n] = in[n] ^ ivec[n];
 			for(n=len; n < AES_BLOCK_SIZE; ++n)
 				tmp[n] = ivec[n];
 			AES_encrypt(tmp, tmp, key);
 			memcpy(out, tmp, len);
 			memcpy(ivec, tmp, sizeof tmp);
 		}			
 	} else {
 		while (len >= AES_BLOCK_SIZE) {
 			memcpy(tmp, in, sizeof tmp);
 			AES_decrypt(in, out, key);
-			for(n=0; n < 16; ++n)
+			for(n=0; n < AES_BLOCK_SIZE; ++n)
 				out[n] ^= ivec[n];
-			memcpy(ivec, tmp, 16);
+			memcpy(ivec, tmp, AES_BLOCK_SIZE);
-			len -= 16;
+			len -= AES_BLOCK_SIZE;
-			in += 16;
+			in += AES_BLOCK_SIZE;
-			out += 16;
+			out += AES_BLOCK_SIZE;
 		}
 		if (len) {
 			memcpy(tmp, in, sizeof tmp);
 			AES_decrypt(tmp, tmp, key);
 			for(n=0; n < len; ++n)
 				out[n] ^= ivec[n];
 			memcpy(ivec, tmp, sizeof tmp);
 		}			
 	}
 }
--- a/crypto/ecdsa/ecs_vrf.c
+++ b/crypto/ecdsa/ecs_vrf.c
@@ -1,4 +1,4 @@
-/* crypto/ecdsa/ecdsa_vrf.c */
+/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -17,12 +17,12 @@
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
+ *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
@@ -31,7 +31,7 @@
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -47,10 +47,6 @@
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
@@ -108,34 +104,54 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #include <openssl/ecdsa.h>
 #include <openssl/engine.h>
-/* returns
+#ifndef AES_DEBUG
- *      1: correct signature
+# ifndef NDEBUG
- *      0: incorrect signature
+#  define NDEBUG
- *     -1: error
+# endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 /* The input and output encrypted as though 128bit cfb mode is being
 * used.  The extra state information to record how much of the
 * 128bit block we have used is contained in *num;
 */
-int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, ECDSA_SIG *sig, ECDSA *ecdsa)
+
-	{
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
-	return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, ecdsa);
+	const unsigned long length, const AES_KEY *key,
 	unsigned char *ivec, int *num, const int enc) {
 	unsigned int n;
 	unsigned long l = length;
 	unsigned char c;
 	assert(in && out && key && ivec && num);
 	n = *num;
 	if (enc) {
 		while (l--) {
 			if (n == 0) {
 				AES_encrypt(ivec, ivec, key);
 			}
 			ivec[n] = *(out++) = *(in++) ^ ivec[n];
 			n = (n+1) % AES_BLOCK_SIZE;
 		}
 	} else {
 		while (l--) {
 			if (n == 0) {
 				AES_encrypt(ivec, ivec, key);
 			}
 			c = *(in);
 			*(out++) = *(in++) ^ ivec[n];
 			ivec[n] = c;
 			n = (n+1) % AES_BLOCK_SIZE;
 		}
 	}
-/* returns
+	*num=n;
- *      1: correct signature
+}
 *      0: incorrect signature
 *     -1: error
 */
 int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, ECDSA *ecdsa)
 	{
 	ECDSA_SIG *s;
 	int ret=-1;
 	s = ECDSA_SIG_new();
 	if (s == NULL) return(ret);
 	if (d2i_ECDSA_SIG(&s,&sigbuf,sig_len) == NULL) goto err;
 	ret=ECDSA_do_verify(dgst,dgst_len,s,ecdsa);
 err:
 	ECDSA_SIG_free(s);
 	return(ret);
 	}
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -28,7 +28,13 @@
 /* Note: rewritten a little bit to provide error control and an OpenSSL-
   compatible API */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <stdlib.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
@@ -715,16 +721,6 @@ static const u32 rcon[] = {
 	0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
 };
 #define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 #ifdef _MSC_VER
 #define GETU32(p) SWAP(*((u32 *)(p)))
 #define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
 #else
 #define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
 #define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
 #endif
 /**
 * Expand the cipher key into the encryption key schedule.
 */
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -0,0 +1,128 @@
 /* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 /* NOTE: CTR mode is big-endian.  The rest of the AES code
 * is endian-neutral. */
 /* increment counter (128-bit int) by 2^64 */
 static void AES_ctr128_inc(unsigned char *counter) {
 	unsigned long c;
 	/* Grab 3rd dword of counter and increment */
 #ifdef L_ENDIAN
 	c = GETU32(counter + 8);
 	c++;
 	PUTU32(counter + 8, c);
 #else
 	c = GETU32(counter + 4);
 	c++;
 	PUTU32(counter + 4, c);
 #endif
 	/* if no overflow, we're done */
 	if (c)
 		return;
 	/* Grab top dword of counter and increment */
 #ifdef L_ENDIAN
 	c = GETU32(counter + 12);
 	c++;
 	PUTU32(counter + 12, c);
 #else
 	c = GETU32(counter +  0);
 	c++;
 	PUTU32(counter +  0, c);
 #endif
 }
 /* The input encrypted as though 128bit counter mode is being
 * used.  The extra state information to record how much of the
 * 128bit block we have used is contained in *num, and the
 * encrypted counter is kept in ecount_buf.  Both *num and
 * ecount_buf must be initialised with zeros before the first
 * call to AES_ctr128_encrypt().
 */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char counter[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num) {
 	unsigned int n;
 	unsigned long l=length;
 	assert(in && out && key && counter && num);
 	assert(*num < AES_BLOCK_SIZE);
 	n = *num;
 	while (l--) {
 		if (n == 0) {
 			AES_encrypt(counter, ecount_buf, key);
 			AES_ctr128_inc(counter);
 		}
 		*(out++) = *(in++) ^ ecount_buf[n];
 		n = (n+1) % AES_BLOCK_SIZE;
 	}
 	*num=n;
 }
--- a/crypto/aes/aes_ecb.c
+++ b/crypto/aes/aes_ecb.c
@@ -1,6 +1,6 @@
 /* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -49,7 +49,13 @@
 *
 */
 #ifndef AES_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -1,6 +1,6 @@
 /* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -60,9 +60,15 @@
 #include <stdio.h>
 #include <stdlib.h>
 #if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
 #include <string.h>
 #if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
 #else
 # define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
 # define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
 #endif
 typedef unsigned long u32;
--- a/crypto/aes/aes_misc.c
+++ b/crypto/aes/aes_misc.c
@@ -1,6 +1,6 @@
 /* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/crypto/ecdsa/ecs_gen.c
+++ b/crypto/ecdsa/ecs_gen.c
@@ -1,4 +1,4 @@
-/* crypto/ecdsa/ecs_gen.c */
+/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -17,12 +17,12 @@
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
+ *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
@@ -31,7 +31,7 @@
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -47,10 +47,6 @@
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
@@ -108,26 +104,39 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/bn.h>
 #include <openssl/ecdsa.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
-#ifdef __cplusplus
+#ifndef AES_DEBUG
-extern "C" {
+# ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
-ECDSA *ECDSA_generate_parameters(int bits,
+#include <assert.h>
-		unsigned char *seed_in, int seed_len,
+
-		int *counter_ret, unsigned long *h_ret,
+#include <openssl/aes.h>
-		void (*callback)(int, int, void *),
+#include "aes_locl.h"
-		void *cb_arg)
+
-	{
+/* The input and output encrypted as though 128bit ofb mode is being
-		return NULL;
+ * used.  The extra state information to record how much of the
 * 128bit block we have used is contained in *num;
 */
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char *ivec, int *num) {
 	unsigned int n;
 	unsigned long l=length;
 	assert(in && out && key && ivec && num);
 	n = *num;
 	while (l--) {
 		if (n == 0) {
 			AES_encrypt(ivec, ivec, key);
 		}
 		*(out++) = *(in++) ^ ivec[n];
 		n = (n+1) % AES_BLOCK_SIZE;
 	}
-#ifdef  __cplusplus
+
 	*num=n;
 }
 #endif
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -71,8 +71,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	if (a == NULL) return(0);
 	len=a->length;
 	ret=1+len;
 	if (pp == NULL) return(ret);
 	if (len > 0)
 		{
@@ -100,6 +98,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 		}
 	else
 		bits=0;
 	ret=1+len;
 	if (pp == NULL) return(ret);
 	p= *pp;
 	*(p++)=(unsigned char)bits;
@@ -118,6 +120,12 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	unsigned char *p,*s;
 	int i;
 	if (len < 1)
 		{
 		i=ASN1_R_STRING_TOO_SHORT;
 		goto err;
 		}
 	if ((a == NULL) || ((*a) == NULL))
 		{
 		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
@@ -183,7 +191,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 		if (a->data == NULL)
 			c=(unsigned char *)OPENSSL_malloc(w+1);
 		else
-			c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
+			c=(unsigned char *)OPENSSL_realloc_clean(a->data,
 								 a->length,
 								 w+1);
 		if (c == NULL) return(0);
 		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
 		a->data=c;
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -285,7 +285,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 			goto err;
 			}
-		if (!BUF_MEM_grow(&b,num+os->length))
+		if (!BUF_MEM_grow_clean(&b,num+os->length))
 			{
 			c->error=ERR_R_BUF_LIB;
 			goto err;
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -149,7 +149,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	ASN1_CTX c;
 	int want=HEADER_SIZE;
 	int eos=0;
 #if defined(__GNUC__) && defined(__ia64)
 	/* pathetic compiler bug in all known versions as of Nov. 2002 */
 	long off=0;
 #else
 	int off=0;
 #endif
 	int len=0;
 	b=BUF_MEM_new();
@@ -166,7 +171,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			{
 			want-=(len-off);
-			if (!BUF_MEM_grow(b,len+want))
+			if (!BUF_MEM_grow_clean(b,len+want))
 				{
 				ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
 				goto err;
@@ -221,18 +226,23 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			if (want > (len-off))
 				{
 				want-=(len-off);
-				if (!BUF_MEM_grow(b,len+want))
+				if (!BUF_MEM_grow_clean(b,len+want))
 					{
 					ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
 					goto err;
 					}
-				i=BIO_read(in,&(b->data[len]),want);
+				while (want > 0)
 				if (i <= 0)
 					{
-					ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
+					i=BIO_read(in,&(b->data[len]),want);
-					goto err;
+					if (i <= 0)
 						{
 						ASN1err(ASN1_F_ASN1_D2I_BIO,
 						    ASN1_R_NOT_ENOUGH_DATA);
 						goto err;
 						}
 					len+=i;
 					want -= i;
 					}
 				len+=i;
 				}
 			off+=(int)c.slen;
 			if (eos <= 0)
--- a/crypto/asn1/a_enum.c
+++ b/crypto/asn1/a_enum.c
@@ -151,7 +151,17 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
 		{
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
 			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
 		}
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -397,7 +397,16 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
 		{
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
 			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
 		}
 	ret->length=BN_bn2bin(bn,ret->data);
 	/* Correct zero case */
 	if(!ret->length)
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -183,8 +183,8 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 	if ((a == NULL) || (a->data == NULL))
 		return(BIO_write(bp,"NULL",4));
-	i=i2t_ASN1_OBJECT(buf,80,a);
+	i=i2t_ASN1_OBJECT(buf,sizeof buf,a);
-	if (i > 80) i=80;
+	if (i > sizeof buf) i=sizeof buf;
 	BIO_write(bp,buf,i);
 	return(i);
 	}
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -118,7 +118,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}
        pStart  = p; /* Catch the beg of Setblobs*/
-        rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
 we will store the SET blobs */
        for (i=0; i<sk_num(a); i++)
@@ -135,7 +135,7 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        pTempMem = OPENSSL_malloc(totSize);
+        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
 /* Copy to temp mem */
        p = pTempMem;
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include <stdio.h>
 #include <time.h>
@@ -90,7 +143,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
 			{
 			/* special case: RFC 2459 tells us to omit 'parameters'
 			 * with id-dsa-with-sha1 */
 			ASN1_TYPE_free(a->parameter);
 			a->parameter = NULL;
 			}
 		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
@@ -144,9 +204,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	EVP_MD_CTX_cleanup(&ctx);
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+		{ OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+		{ OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}
@@ -169,7 +229,14 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
 			{
 			/* special case: RFC 2459 tells us to omit 'parameters'
 			 * with id-dsa-with-sha1 */
 			ASN1_TYPE_free(a->parameter);
 			a->parameter = NULL;
 			}
 		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
@@ -220,8 +287,8 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	EVP_MD_CTX_cleanup(&ctx);
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+		{ OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+		{ OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -63,6 +63,7 @@
 #include <openssl/asn1.h>
 #include "charmap.h"
 #include "cryptlib.h"
 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
 * Enhanced string and name printing routines handling
@@ -77,8 +78,8 @@
 /* Three IO functions for sending data to memory, a BIO and
 * and a FILE pointer.
 */
-
+#if 0				/* never used */
-int send_mem_chars(void *arg, const void *buf, int len)
+static int send_mem_chars(void *arg, const void *buf, int len)
 {
 	unsigned char **out = arg;
 	if(!out) return 1;
@@ -86,15 +87,16 @@ int send_mem_chars(void *arg, const void *buf, int len)
 	*out += len;
 	return 1;
 }
 #endif
-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(BIO_write(arg, buf, len) != len) return 0;
 	return 1;
 }
-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -113,14 +115,17 @@ typedef int char_io(void *arg, const void *buf, int len);
 static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
 {
 	unsigned char chflgs, chtmp;
-	char tmphex[11];
+	char tmphex[HEX_SIZE(long)+3];
 	if(c > 0xffffffffL)
 		return -1;
 	if(c > 0xffff) {
-		BIO_snprintf(tmphex, 11, "\\W%08lX", c);
+		BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c);
 		if(!io_ch(arg, tmphex, 10)) return -1;
 		return 10;
 	}
 	if(c > 0xff) {
-		BIO_snprintf(tmphex, 11, "\\U%04lX", c);
+		BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c);
 		if(!io_ch(arg, tmphex, 6)) return -1;
 		return 6;
 	}
@@ -194,7 +199,7 @@ static int do_buf(unsigned char *buf, int buflen,
 		if(type & BUF_TYPE_CONVUTF8) {
 			unsigned char utfbuf[6];
 			int utflen;
-			utflen = UTF8_putc(utfbuf, 6, c);
+			utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);
 			for(i = 0; i < utflen; i++) {
 				/* We don't need to worry about setting orflags correctly
 				 * because if utflen==1 its value will be correct anyway 
@@ -240,7 +245,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen
 * #01234 format.
 */
-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 {
 	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
 	 * the DER encoding to readily obtained
@@ -460,7 +465,7 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
 		if(fn_opt != XN_FLAG_FN_NONE) {
 			int objlen, fld_len;
 			if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
-				OBJ_obj2txt(objtmp, 80, fn, 1);
+				OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
 				fld_len = 0; /* XXX: what should this be? */
 				objbuf = objtmp;
 			} else {
@@ -543,7 +548,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
 	ASN1_STRING stmp, *str = &stmp;
 	int mbflag, type, ret;
-	if(!*out || !in) return -1;
+	if(!in) return -1;
 	type = in->type;
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
@@ -552,6 +557,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
-	if(out) *out = stmp.data;
+	*out = stmp.data;
 	return stmp.length;
 }
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -152,7 +152,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 	if (t->data[0] >= '5') strcpy(str, "19");
 	else strcpy(str, "20");
-	strcat(str, (char *)t->data);
+	BUF_strlcat(str, (char *)t->data, t->length+2);
 	return ret;
 	}
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -62,7 +62,7 @@
 int ASN1_TYPE_get(ASN1_TYPE *a)
 	{
-	if (a->value.ptr != NULL)
+	if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
 		return(a->type);
 	else
 		return(0);
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -222,6 +222,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	{
 	struct tm *tm;
 	struct tm data;
 	int offset;
 	int year;
@@ -238,7 +239,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	t -= offset*60; /* FIXME: may overflow in extreme cases */
-	{ struct tm data; tm = OPENSSL_gmtime(&t, &data); }
+	tm = OPENSSL_gmtime(&t, &data);
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
 	year = g2(s->data);
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -103,7 +103,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	EVP_VerifyInit_ex(&ctx,type, NULL);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
-	memset(buf_in,0,(unsigned int)inl);
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
@@ -153,7 +153,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	EVP_VerifyInit_ex(&ctx,type, NULL);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
-	memset(buf_in,0,(unsigned int)inl);
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -70,7 +70,6 @@
 #include <openssl/symhacks.h>
 #include <openssl/e_os2.h>
 #include <openssl/ossl_typ.h>
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
@@ -440,6 +439,8 @@ typedef const ASN1_ITEM * ASN1_ITEM_EXP(void);
 DECLARE_STACK_OF(ASN1_INTEGER)
 DECLARE_ASN1_SET_OF(ASN1_INTEGER)
 DECLARE_STACK_OF(ASN1_GENERALSTRING)
 typedef struct asn1_type_st
 	{
 	int type;
@@ -771,6 +772,7 @@ int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
 int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
 DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
 DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
@@ -1006,12 +1008,12 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_PKEY				 159
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
 #define ASN1_F_I2D_ECDSA_PUBKEY				 174
 #define ASN1_F_I2D_NETSCAPE_RSA				 162
 #define ASN1_F_I2D_PRIVATEKEY				 163
 #define ASN1_F_I2D_PUBLICKEY				 164
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
 #define ASN1_F_OID_MODULE_INIT				 174
 #define ASN1_F_PKCS5_PBE2_SET				 167
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
@@ -1021,6 +1023,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_X509_PKEY_NEW				 173
 /* Reason codes. */
 #define ASN1_R_ADDING_OBJECT				 171
 #define ASN1_R_AUX_ERROR				 100
 #define ASN1_R_BAD_CLASS				 101
 #define ASN1_R_BAD_OBJECT_HEADER			 102
@@ -1034,6 +1037,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_DECODE_ERROR				 110
 #define ASN1_R_DECODING_ERROR				 111
 #define ASN1_R_ENCODE_ERROR				 112
 #define ASN1_R_ERROR_LOADING_SECTION			 172
 #define ASN1_R_ERROR_PARSING_SET_ELEMENT		 113
 #define ASN1_R_ERROR_SETTING_CIPHER_PARAMS		 114
 #define ASN1_R_EXPECTING_AN_INTEGER			 115
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -128,12 +128,12 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ECDSA_PUBKEY,0),	"i2d_ECDSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
 {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
 {ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),	"i2d_RSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_LONG_C2I,0),	"LONG_C2I"},
 {ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0),	"OID_MODULE_INIT"},
 {ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),	"PKCS5_pbe2_set"},
 {ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),	"X509_CINF_NEW"},
 {ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0),	"X509_CRL_add0_revoked"},
@@ -146,6 +146,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 static ERR_STRING_DATA ASN1_str_reasons[]=
 	{
 {ASN1_R_ADDING_OBJECT                    ,"adding object"},
 {ASN1_R_AUX_ERROR                        ,"aux error"},
 {ASN1_R_BAD_CLASS                        ,"bad class"},
 {ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
@@ -159,6 +160,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
 {ASN1_R_ENCODE_ERROR                     ,"encode error"},
 {ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
 {ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
 {ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
 {ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -57,8 +57,10 @@
 */
 #include <stdio.h>
 #include <limits.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
 static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -123,15 +125,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 		(int)(omax+ *pp));
 #endif
-#if 0
+	if (*plength > (omax - (p - *pp)))
 	if ((p+ *plength) > (omax+ *pp))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
 #endif
 	*pp=p;
 	return(ret|inf);
 err:
@@ -142,7 +142,7 @@ err:
 static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 	{
 	unsigned char *p= *pp;
-	long ret=0;
+	unsigned long ret=0;
 	int i;
 	if (max-- < 1) return(0);
@@ -158,6 +158,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
 			if (i > sizeof(long))
 				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -169,8 +171,10 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		else
 			ret=i;
 		}
 	if (ret > LONG_MAX)
 		return 0;
 	*pp=p;
-	*rl=ret;
+	*rl=(long)ret;
 	return(1);
 	}
@@ -406,7 +410,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -79,12 +79,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
 	else
 		p="prim: ";
 	if (BIO_write(bp,p,6) < 6) goto err;
-	if (indent)
+	BIO_indent(bp,indent,128);
 		{
 		if (indent > 128) indent=128;
 		memset(str,' ',indent);
 		if (BIO_write(bp,str,indent) < indent) goto err;
 		}
 	p=str;
 	if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
--- a/crypto/asn1/asn_moid.c
+++ b/crypto/asn1/asn_moid.c
@@ -65,21 +65,31 @@
 /* Simple ASN1 OID module: add all objects in a given section */
 /* NOTE: doesn't do anything other than print debug messages yet... */
 static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 	{
-	fprintf(stderr, "Called oid_module_init: name %s, value %s\n",
+	int i;
-			CONF_imodule_get_name(md), CONF_imodule_get_value(md));
+	const char *oid_section;
 	STACK_OF(CONF_VALUE) *sktmp;
 	CONF_VALUE *oval;
 	oid_section = CONF_imodule_get_value(md);
 	if(!(sktmp = NCONF_get_section(cnf, oid_section)))
 		{
 		ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
 		return 0;
 		}
 	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
 		{
 		oval = sk_CONF_VALUE_value(sktmp, i);
 		if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef)
 			{
 			ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT);
 			return 0;
 			}
 		}
 	return 1;
-	}
+}
 static void oid_module_finish(CONF_IMODULE *md)
 	{
 	fprintf(stderr, "Called oid_module_finish: name %s, value %s\n",
 			CONF_imodule_get_name(md), CONF_imodule_get_value(md));
 	}
 void ASN1_add_oid_module(void)
 	{
-	CONF_module_add("oid_section", oid_module_init, oid_module_finish);
+	CONF_module_add("oid_section", oid_module_init, 0);
 	}
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -110,16 +107,6 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 			goto err;
 			}
 		break;
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		if ((ret->pkey.ecdsa = d2i_ECDSAPrivateKey(NULL, 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PRIVATEKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
@@ -151,10 +138,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
 	/* Since we only need to discern "traditional format" RSA and DSA
 	 * keys we can just count the elements.
         */
-	if(sk_ASN1_TYPE_num(inkey) == 6) 
+	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
 		keytype = EVP_PKEY_DSA;
 	else if (sk_ASN1_TYPE_num(inkey) == 4)
 		keytype = EVP_PKEY_ECDSA;
 	else keytype = EVP_PKEY_RSA;
 	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
 	return d2i_PrivateKey(keytype, a, pp, length);
--- a/Show More
+++ b/Show More