Typo.

Submitted by: Reviewed by: PR:
Release 0.9.7-beta3
2002-07-30 11:30:03 +00:00 · 2002-07-30 11:27:18 +00:00 · 2002-07-30 11:21:19 +00:00 · 2002-07-30 07:18:03 +00:00 · 2002-07-29 13:28:57 +00:00 · 2002-07-29 12:34:14 +00:00
336 changed files with 9872 additions and 12441 deletions
--- a/182
+++ b/182
@@ -2,48 +2,78 @@
 OpenSSL CHANGES
 _______________
- Changes between 0.9.7 and 0.9.8  [xx XXX 2002]
+ Changes between 0.9.6e and 0.9.7  [XX xxx 2002]
-  *) Add a function EC_GROUP_check_discriminant() (defined via
+  *) Make sure tests can be performed even if the corresponding algorithms
-     EC_METHOD) that verifies that the curve discriminant is non-zero.
+     have been removed entirely.  This was also the last step to make
     OpenSSL compilable with DJGPP under all reasonable conditions.
     [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
-     Add a function EC_GROUP_check() that makes some sanity tests
+  *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
-     on a EC_GROUP, its generator and order.  This includes
+     to allow version independent disabling of normally unselected ciphers,
-     EC_GROUP_check_discriminant().
+     which may be activated as a side-effect of selecting a single cipher.
     [Nils Larsch <nla@trustcenter.de>]
-  *) Add ECDSA in new directory crypto/ecdsa/.
+     (E.g., cipher list string "RSA" enables ciphersuites that are left
     out of "ALL" because they do not provide symmetric encryption.
     "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
     [Lutz Jaenicke, Bodo Moeller]
-     Add applications 'openssl ecdsaparam' and 'openssl ecdsa'
+  *) Add appropriate support for separate platform-dependent build
-     (these are variants of 'openssl dsaparam' and 'openssl dsa').
+     directories.  The recommended way to make a platform-dependent
     build directory is the following (tested on Linux), maybe with
     some local tweaks:
-     ECDSA support is also included in various other files across the
+	# Place yourself outside of the OpenSSL source tree.  In
-     library.  Most notably,
+	# this example, the environment variable OPENSSL_SOURCE
-     - 'openssl req' now has a '-newkey ecdsa:file' option;
+	# is assumed to contain the absolute OpenSSL source directory.
-     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
+	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
-     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
+	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
-       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
+	(cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
-       them suitable for ECDSA where domain parameters must be
+		mkdir -p `dirname $F`
-       extracted before the specific public key.
+		ln -s $OPENSSL_SOURCE/$F $F
-     [Nils Larsch <nla@trustcenter.de>]
+	done
-  *) Include some named elliptic curves, and add OIDs from X9.62,
+     To be absolutely sure not to disturb the source tree, a "make clean"
-     SECG, and WAP/WTLS.  The curves can be obtained from the new
+     is a good thing.  If it isn't successfull, don't worry about it,
-     functions
+     it probably means the source directory is very clean.
-          EC_GROUP_new_by_nid()
+     [Richard Levitte]
          EC_GROUP_new_by_name()
     Also add a 'nid' field to EC_GROUP objects, which can be accessed
     via
         EC_GROUP_set_nid()
         EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de, Bodo Moeller]
- Changes between 0.9.6d and 0.9.7  [XX xxx 2002]
+  *) Make sure any ENGINE control commands make local copies of string
     pointers passed to them whenever necessary. Otherwise it is possible
     the caller may have overwritten (or deallocated) the original string
     data when a later ENGINE operation tries to use the stored values.
     [G<>tz Babin-Ebell <babinebell@trustcenter.de>]
  *) Improve diagnostics in file reading and command-line digests.
     [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
  *) Add AES modes CFB and OFB to the object database.  Correct an
     error in AES-CFB decryption.
     [Richard Levitte]
  *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this 
     allows existing EVP_CIPHER_CTX structures to be reused after
     calling EVP_*Final(). This behaviour is used by encryption
     BIOs and some applications. This has the side effect that
     applications must explicitly clean up cipher contexts with
     EVP_CIPHER_CTX_cleanup() or they will leak memory.
     [Steve Henson]
  *) Check the values of dna and dnb in bn_mul_recursive before calling
     bn_mul_comba (a non zero value means the a or b arrays do not contain
     n2 elements) and fallback to bn_mul_normal if either is not zero.
     [Steve Henson]
  *) Fix escaping of non-ASCII characters when using the -subj option
     of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
     [Lutz Jaenicke]
  *) Make object definitions compliant to LDAP (RFC2256): SN is the short
     form for "surname", serialNumber has no short form.
     Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
     therefore remove "mail" short name for "internet 7".
     The OID for unique identifiers in X509 certificates is
     x500UniqueIdentifier, not uniqueIdentifier.
     Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
     [Lutz Jaenicke]
@@ -350,6 +380,10 @@
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
     SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
     more bits available for options that should not be part of
     SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
     [Bodo Moeller]
  *) Add some demos for certificate and certificate request creation.
@@ -470,8 +504,8 @@
     [Bodo Moeller, Lutz Jaenicke]
  *) Rationalise EVP so it can be extended: don't include a union of
-     cipher/digest structures, add init/cleanup functions. This also reduces
+     cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
-     the number of header dependencies.
+     (similar to those existing for EVP_CIPHER_CTX).
     Usage example:
         EVP_MD_CTX md;
@@ -1053,9 +1087,17 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
     handle the new API. Currently only ECB, CBC modes supported. Add new
-     AES OIDs. Add TLS AES ciphersuites as described in the "AES Ciphersuites
+     AES OIDs.
-     for TLS" draft-ietf-tls-ciphersuite-03.txt.
+
-     [Ben Laurie, Steve Henson]
+     Add TLS AES ciphersuites as described in RFC3268, "Advanced
     Encryption Standard (AES) Ciphersuites for Transport Layer
     Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
     not enabled by default and were not part of the "ALL" ciphersuite
     alias because they were not yet official; they could be
     explicitly requested by specifying the "AESdraft" ciphersuite
     group alias.  In the final release of OpenSSL 0.9.7, the group
     alias is called "AES" and is part of "ALL".)
     [Ben Laurie, Steve  Henson, Bodo Moeller]
  *) New function OCSP_copy_nonce() to copy nonce value (if present) from
     request to response.
@@ -1625,7 +1667,75 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]
- Changes between 0.9.6c and 0.9.6d  [XX xxx 2002]
+ Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
  *) Fix cipher selection routines: ciphers without encryption had no flags
     for the cipher strength set and where therefore not handled correctly
     by the selection routines (PR #130).
     [Lutz Jaenicke]
  *) Fix EVP_dsa_sha macro.
     [Nils Larsch]
  *) New option
          SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
     that was added in OpenSSL 0.9.6d.
     As the countermeasure turned out to be incompatible with some
     broken SSL implementations, the new option is part of SSL_OP_ALL.
     SSL_OP_ALL is usually employed when compatibility with weird SSL
     implementations is desired (e.g. '-bugs' option to 's_client' and
     's_server'), so the new option is automatically set in many
     applications.
     [Bodo Moeller]
  *) Changes in security patch:
     Changes marked "(CHATS)" were sponsored by the Defense Advanced
     Research Projects Agency (DARPA) and Air Force Research Laboratory,
     Air Force Materiel Command, USAF, under agreement number
     F30602-01-2-0537.
  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer. (CAN-2002-0659)
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
  *) Assertions for various potential buffer overflows, not known to
     happen in practice.
     [Ben Laurie (CHATS)]
  *) Various temporary buffers to hold ASCII versions of integers were
     too small for 64 bit platforms. (CAN-2002-0655)
     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
  *) Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized master key in Kerberos-enabled versions.
     (CAN-2002-0657)
     [Ben Laurie (CHATS)]
  *) Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client. (CAN-2002-0656)
     [Ben Laurie (CHATS)]
  *) Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. (CAN-2002-0656)
     [Ben Laurie (CHATS)]
 Changes between 0.9.6c and 0.9.6d  [9 May 2002]
  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
     encoded as NULL) with id-dsa-with-sha1.
     [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]
  *) Check various X509_...() return values in apps/req.c.
     [Nils Larsch <nla@trustcenter.de>]
--- a/102
+++ b/102
@@ -134,7 +134,7 @@ my %table=(
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
-"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
 "debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
@@ -144,8 +144,9 @@ my %table=(
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",
 # Basic configs that should work on any (32 and less bit) box
@@ -168,10 +169,11 @@ my %table=(
 "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
 "solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
 "solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
 "debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -195,10 +197,10 @@ my %table=(
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # !!!Folowing can't be even tested yet!!!
 #    We have to wait till 64-bit glibc for SPARC is operational!!!
 #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
@@ -254,6 +256,9 @@ my %table=(
 "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # 64bit PARISC for GCC without optimization, which seems to make problems.
 # Submitted by <ross.alexander@uk.neceur.com>
 "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # IA-64 targets
 # I have no idea if this one actually works, feedback needed. <appro>
@@ -375,7 +380,7 @@ my %table=(
 "linux-k6",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
@@ -408,13 +413,13 @@ my %table=(
 "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # UnixWare 2.0x fails destest with -O
-"unixware-2.0","cc:-DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 2.1
-"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 7
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -476,7 +481,7 @@ my %table=(
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
-"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
 "SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",
@@ -507,9 +512,15 @@ my %table=(
 # and its library files in util/pl/*)
 "Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
 # DJGPP
 "DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/DJDIR/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::",
@@ -528,12 +539,12 @@ my %table=(
 "OpenBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-vax",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::-fPIC",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
@@ -635,6 +646,7 @@ my $libs;
 my $target;
 my $options;
 my $symlink;
 my $make_depend=0;
 my %withargs=();
 my @argvcopy=@ARGV;
@@ -733,14 +745,6 @@ PROCESS_ARGS:
 				$depflags .= "-DOPENSSL_NO_MDC2 ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n";
 				}
 			if ($algo eq "EC" || $algo eq "SHA" || $algo eq "SHA1")
 				{
 				push @skip, "ecdsa";
 				$options .= " no-ecdsa";
 				$flags .= "-DOPENSSL_NO_ECDSA ";
 				$depflags .= "-DOPENSSL_NO_ECDSA ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_ECDSA\n";
 				}
 			if ($algo eq "MD5")
 				{
 				$no_md5 = 1;
@@ -900,6 +904,7 @@ print "Configuring for $target\n";
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
 $exe_ext=".exe" if ($target eq "Cygwin");
 $exe_ext=".exe" if ($target eq "DJGPP");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
@@ -907,7 +912,7 @@ chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
-$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
+$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 print "IsWindows=$IsWindows\n";
@@ -1122,6 +1127,10 @@ if ($rmd160_obj =~ /\.o$/)
 	$cflags.=" -DRMD160_ASM";
 	}
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
 $cflags =~ s/([\\\"])/\\\1/g;
 my $version = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
@@ -1153,7 +1162,8 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 	}
 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
-open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
+unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
 open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
 while (<IN>)
@@ -1207,18 +1217,28 @@ while (<IN>)
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.dylib$/)
 		{
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.dylib/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
 		{
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
 		}
 	s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
 	print OUT $_."\n";
 	}
 close(IN);
 close(OUT);
 rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
 rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
 print "CC            =$cc\n";
 print "CFLAG         =$cflags\n";
@@ -1289,7 +1309,8 @@ foreach (sort split(/\s+/,$bn_ops))
 	}
 open(IN,'<crypto/opensslconf.h.in') || die "unable to read crypto/opensslconf.h.in:$!\n";
-open(OUT,'>crypto/opensslconf.h') || die "unable to create crypto/opensslconf.h:$!\n";
+unlink("crypto/opensslconf.h.new") || die "unable to remove old crypto/opensslconf.h.new:$!\n" if -e "crypto/opensslconf.h.new";
 open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslconf.h.new:$!\n";
 print OUT "/* opensslconf.h */\n";
 print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
@@ -1383,6 +1404,8 @@ while (<IN>)
 	}
 close(IN);
 close(OUT);
 rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
 rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
 # Fix the date
@@ -1422,11 +1445,13 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
+	my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
-		if $symlink;
+	my $make_targets = "";
-	### (system 'make depend') == 0 or exit $? if $depflags ne "";
+	$make_targets .= " links" if $symlink;
-	# Run "make depend" manually if you want to be able to delete
+	$make_targets .= " depend" if $depflags ne "" && $make_depend;
-	# the source code files of ciphers you left out.
+	$make_targets .= " gentests" if $symlink;
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
@@ -1437,6 +1462,15 @@ EOF
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
 	if ($depflags ne "" && !$make_depend) {
 		print <<EOF;
 Since you've disabled at least one algorithm, you need to do the following
 before building:
 	make depend
 EOF
 	}
 }
 print <<EOF;
--- a/87
+++ b/87
@@ -29,6 +29,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't I use OpenSSL certificates with SSL client authentication?
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 [BUILD] Questions about building and testing OpenSSL
@@ -38,6 +39,9 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
 * What is special about OpenSSL on Redhat?
 * Why does the OpenSSL compilation fail on MacOS X?
 * Why does the OpenSSL test suite fail on MacOS X?
 [PROG] Questions about programming with OpenSSL
@@ -51,6 +55,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't the OpenSSH configure script detect OpenSSL?
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 ===============================================================================
@@ -59,7 +64,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6c was released on December 21st, 2001.
+OpenSSL 0.9.6e was released on July 30, 2002.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -215,8 +220,11 @@ For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
-versions.  However, be warned that /dev/random is usually a blocking
+versions.  An official statement from Sun with respect to /dev/random
-device, which may have some effects on OpenSSL.
+support can be found at
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
 However, be warned that /dev/random is usually a blocking device, which
 may have some effects on OpenSSL.
 * Why do I get an "unable to write 'random state'" error message?
@@ -343,6 +351,13 @@ DO NOT DO THIS! This command will give away your CAs private key and
 reduces its security to zero: allowing anyone to forge certificates in
 whatever name they choose.
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 The ways to print out the oneline format of the DN (Distinguished Name) have
 been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
 interface, the "-nameopt" option could be introduded. See the manual
 page of the "openssl x509" commandline tool for details. The old behaviour
 has however been left as default for the sake of compatibility.
 [BUILD] =======================================================================
@@ -451,6 +466,64 @@ under 'Program Files').  This needs to be done prior to running NMAKE,
 and the changes are only valid for the current DOS session.
 * What is special about OpenSSL on Redhat?
 Red Hat Linux (release 7.0 and later) include a preinstalled limited
 version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
 is disabled in this version. The same may apply to other Linux distributions.
 Users may therefore wish to install more or all of the features left out.
 To do this you MUST ensure that you do not overwrite the openssl that is in
 /usr/bin on your Red Hat machine. Several packages depend on this file,
 including sendmail and ssh. /usr/local/bin is a good alternative choice. The
 libraries that come with Red Hat 7.0 onwards have different names and so are
 not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
 /lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
 /lib/libcrypto.so.2 respectively).
 Please note that we have been advised by Red Hat attempting to recompile the
 openssl rpm with all the cryptography enabled will not work. All other
 packages depend on the original Red Hat supplied openssl package. It is also
 worth noting that due to the way Red Hat supplies its packages, updates to
 openssl on each distribution never change the package version, only the
 build number. For example, on Red Hat 7.1, the latest openssl package has
 version number 0.9.6 and build number 9 even though it contains all the
 relevant updates in packages up to and including 0.9.6b.
 A possible way around this is to persuade Red Hat to produce a non-US
 version of Red Hat Linux.
 FYI: Patent numbers and expiry dates of US patents:
 MDC-2: 4,908,861 13/03/2007
 IDEA:  5,214,703 25/05/2010
 RC5:   5,724,428 03/03/2015
 * Why does the OpenSSL compilation fail on MacOS X?
 If the failure happens when trying to build the "openssl" binary, with
 a large number of undefined symbols, it's very probable that you have
 OpenSSL 0.9.6b delivered with the operating system (you can find out by
 running '/usr/bin/openssl version') and that you were trying to build
 OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
 MacOS X has a misfeature that's quite difficult to go around.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 * Why does the OpenSSL test suite fail on MacOS X?
 If the failure happens when running 'make test' and the RC4 test fails,
 it's very probable that you have OpenSSL 0.9.6b delivered with the
 operating system (you can find out by running '/usr/bin/openssl version')
 and that you were trying to build OpenSSL 0.9.6d.  The problem is that
 the loader ('ld') in MacOS X has a misfeature that's quite difficult to
 go around and has linked the programs "openssl" and the test programs
 with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
 libraries you just built.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 [PROG] ========================================================================
 * Is OpenSSL thread-safe?
@@ -616,5 +689,13 @@ if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
 versions, uniqueIdentifier was incorrectly used for X.509 certificates.
 The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
 Change your code to use the new name when compiling against OpenSSL 0.9.7.
 ===============================================================================
--- a/16
+++ b/16
@@ -2,8 +2,10 @@
 INSTALLATION ON THE UNIX PLATFORM
 ---------------------------------
- [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
+ [Installation on DOS (with djgpp), Windows, OpenVMS and MacOS (before MacOS X)
-  in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
+  is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.
  This document describes installation on operating systems in the Unix
  family.]
 To install OpenSSL, you will need:
@@ -137,8 +139,11 @@
     the failure that aren't problems in OpenSSL itself (like missing
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
-     message will be forwarded to a public mailing list).  Include the
+     message will be recorded in the request tracker publicly readable
-     output of "make report" in your message.
+     via http://www.openssl.org/rt2.html and will be forwarded to a public
     mailing list). Include the output of "make report" in your message.
     Please check out the request tracker. Maybe the bug was already
     reported or has already been fixed.
     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -156,7 +161,8 @@
     try removing any compiler optimization flags from the CFLAGS line
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
-     "make report".
+     "make report" in order to be added to the request tracker at
     http://www.openssl.org/rt2.html.
  4. If everything tests ok, install OpenSSL with
--- a/INSTALL.DJGPP
+++ b/INSTALL.DJGPP
@@ -0,0 +1,32 @@
 INSTALLATION ON THE DOS PLATFORM WITH DJGPP
 -------------------------------------------
 Openssl has been ported to DOS, but only with long filename support. If
 you wish to compile on native DOS with 8+3 filenames, you will have to
 tweak the installation yourself, including renaming files with illegal
 or duplicate names.
 You should have a full DJGPP environment installed, including the
 latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
 requires that PERL and BC also be installed.
 All of these can be obtained from the usual DJGPP mirror sites, such as
 "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to have
 the WATT-32 networking package installed before you try to compile
 openssl. This can be obtained from "http://www.bgnett.no/~giva/". The
 Makefile assumes that the WATT-32 code is in directory "watt32" under
 /dev/env/DJDIR.
 To compile openssl, start your BASH shell. Then configure for DOS by
 running "./Configure" with appropriate arguments. The basic syntax for
 DOS is:
 ./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
 You may run out of DPMI selectors when running in a DOS box under
 Windows. If so, just close the BASH shell, go back to Windows, and
 restart BASH. Then run "make" again.
 Building openssl under DJGPP has been tested with DJGPP 2.03,
 GCC 2.952, GCC 2.953, perl 5.005_02 and perl 5.006_01.
--- a/INSTALL.OS2
+++ b/INSTALL.OS2
@@ -20,3 +20,12 @@
 If that finishes successfully you will find the libraries and programs in the
 "out" directory.
 Alternatively, you can make a dynamic build that puts the library code into
 crypto.dll and ssl.dll by running
 > make -f os2-emx-dll.mak
 This will build the above mentioned dlls and a matching pair of import
 libraries in the "out_dll" directory along with the set of test programs
 and the openssl application.
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -94,6 +94,18 @@
 You can also build a static version of the library using the Makefile
 ms\nt.mak
 Borland C++ builder 5
 ---------------------
 * Configure for building with Borland Builder:
   > perl Configure BC-32
 * Create the appropriate makefile
   > ms\do_nasm
 * Build
   > make -f ms\bcb.mak
 Borland C++ builder 3 and 4
 ---------------------------
@@ -112,10 +124,10 @@
 * Compiler installation:
   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. GNU make is at
+   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it
-   <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
+   to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to
-   make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
+   the PATH environment variable in "System Properties"; or edit and
-   C:\egcs-1.1.2\mingw32.bat to set the PATH.
+   run C:\gcc-2.95.2\mingw32.bat to set the PATH.
 * Compile OpenSSL:
@@ -140,17 +152,17 @@
 GNU C (Cygwin)
 --------------
- Cygwin provides a bash shell and GNU tools environment running on
+ Cygwin provides a bash shell and GNU tools environment running
- NT 4.0, Windows 9x and Windows 2000. Consequently, a make of OpenSSL
+ on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP.
- with Cygwin is closer to a GNU bash environment such as Linux rather
+ Consequently, a make of OpenSSL with Cygwin is closer to a GNU
- than other W32 makes that are based on a single makefile approach.
+ bash environment such as Linux than to other W32 makes which are
- Cygwin implements Posix/Unix calls through cygwin1.dll, and is
+ based on a single makefile approach. Cygwin implements Posix/Unix
- contrasted to Mingw32 which links dynamically to msvcrt.dll or
+ calls through cygwin1.dll, and is contrasted to Mingw32 which links
- crtdll.dll.
+ dynamically to msvcrt.dll or crtdll.dll.
 To build OpenSSL using Cygwin:
- * Install Cygwin (see http://sourceware.cygnus.com/cygwin)
+ * Install Cygwin (see http://cygwin.com/)
 * Install Perl and ensure it is in the path (recent Cygwin perl 
   (version 5.6.1-2 of the latter has been reported to work) or
@@ -176,13 +188,9 @@
 stripping of carriage returns. To avoid this ensure that a binary
 mount is used, e.g. mount -b c:\somewhere /home.
- As of version 1.1.1 Cygwin is relatively unstable in its handling
+ "bc" is not provided in older Cygwin distribution.  This causes a
 of cr/lf issues. These make procedures succeeded with versions 1.1 and
 the snapshot 20000524 (Slow!).
 "bc" is not provided in the Cygwin distribution.  This causes a
 non-fatal error in "make test" but is otherwise harmless.  If
- desired, GNU bc can be built with Cygwin without change.
+ desired and needed, GNU bc can be built with Cygwin without change.
 Installation
--- a/Makefile.org
+++ b/Makefile.org
@@ -166,7 +166,7 @@ SHLIBDIRS= crypto ssl
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
@@ -435,6 +435,7 @@ do_hpux-shared:
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Fl lib$$i.a -ldld -lc ) || exit 1; \
 	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 # This assumes that GNU utilities are *not* used
@@ -453,6 +454,7 @@ do_hpux64-shared:
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+forceload lib$$i.a -ldl -lc ) || exit 1; \
 	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 # The following method is said to work on all platforms.  Tests will
@@ -562,6 +564,10 @@ links:
 	fi; \
 	done;
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -576,8 +582,8 @@ rehash: rehash.time
 rehash.time: certs
 	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
 		$(PERL) tools/c_rehash certs)
 	touch rehash.time
@@ -585,9 +591,9 @@ test:   tests
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' OPENSSL_DEBUG_MEMORY=on tests );
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
 		apps/openssl version -a
 report:
@@ -598,7 +604,7 @@ depend:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' depend ) || exit 1; \
+		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
 	fi; \
 	done;
@@ -644,13 +650,19 @@ TABLE: Configure
 update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
-	@$(TAR) $(TARFLAGS) -cvf - \
+	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
 tar-snap:
@@ -665,7 +677,7 @@ dist:
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='${SDIRS}' clean
-	@$(MAKE) tar
+	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
@@ -697,8 +709,8 @@ install: all install_docs
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi \
+		fi; \
-	done
+	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
@@ -707,7 +719,7 @@ install: all install_docs
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib/cyg/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
@@ -715,7 +727,7 @@ install: all install_docs
 					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
-			fi \
+			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
@@ -732,18 +744,20 @@ install_docs:
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-		(cd `dirname $$i`; \
+		(cd `$(PERL) util/dirname.pl $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+		sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
-			 --release=$(VERSION) `basename $$i`) \
+			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
 	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-		(cd `dirname $$i`; \
+		(cd `$(PERL) util/dirname.pl $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
+		sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
-			--release=$(VERSION) `basename $$i`) \
+			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
--- a/14
+++ b/14
@@ -21,9 +21,8 @@
        against libdes providing similar functions having the same name).
        Provide macros for backward compatibility (will be removed in the
        future).
-      o Unifiy handling of cryptographic algorithms (software and
+      o Unify handling of cryptographic algorithms (software and engine)
-        engine) to be available via EVP routines for asymmetric and
+        to be available via EVP routines for asymmetric and symmetric ciphers.
        symmetric ciphers.
      o NCONF: new configuration handling routines.
      o Change API to use more 'const' modifiers to improve error checking
        and help optimizers.
@@ -31,6 +30,7 @@
      o Reworked parts of the BIGNUM code.
      o Support for new engines: Broadcom ubsec, Accelerated Encryption
        Processing, IBM 4758.
      o Extended and corrected OID (object identifier) table.
      o PRNG: query at more locations for a random device, automatic query for
        EGD style random sources at several locations.
      o SSL/TLS: allow optional cipher choice according to server's preference.
@@ -38,6 +38,12 @@
      o SSL/TLS: support Kerberos cipher suites (RFC2712).
      o SSL/TLS: allow more precise control of renegotiations and sessions.
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).
  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.
  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
@@ -90,7 +96,7 @@
      o Bug fixes for Win32, HP/UX and Irix.
      o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
        memory checking routines.
-      o Bug fixes for RSA operations in threaded enviroments.
+      o Bug fixes for RSA operations in threaded environments.
      o Bug fixes in misc. openssl applications.
      o Remove a few potential memory leaks.
      o Add tighter checks of BIGNUM routines.
--- a/40
+++ b/40
@@ -0,0 +1,40 @@
 * System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
    NOTE: The problem described here only applies when OpenSSL isn't built
    with shared library support (i.e. without the "shared" configuration
    option).  If you build with shared library support, you will have no
    problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
 This is really a misfeature in ld, which seems to look for .dylib libraries
 along the whole library path before it bothers looking for .a libraries.  This
 means that -L switches won't matter unless OpenSSL is built with shared
 library support.
 The workaround may be to change the following lines in apps/Makefile.ssl and
 test/Makefile.ssl:
  LIBCRYPTO=-L.. -lcrypto
  LIBSSL=-L.. -lssl
 to:
  LIBCRYPTO=../libcrypto.a
  LIBSSL=../libssl.a
 It's possible that something similar is needed for shared library support
 as well.  That hasn't been well tested yet.
 Another solution that many seem to recommend is to move the libraries
 /usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
 directory, build and install OpenSSL and anything that depends on your
 build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
 original places.  Note that the version numbers on those two libraries
 may differ on your machine.
 As long as Apple doesn't fix the problem with ld, this problem building
 OpenSSL will remain as is.
--- a/19
+++ b/19
@@ -1,5 +1,5 @@
- OpenSSL 0.9.8-dev XX xxx XXXX
+ OpenSSL 0.9.7-beta3 30 Jul 2002
 Copyright (c) 1998-2002 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -122,6 +122,13 @@
 lists the functions; you will probably have to look at the code to work out
 how to use them. Look at the example programs.
 PROBLEMS
 --------
 For some platforms, there are some known problems that may affect the user
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.
 SUPPORT 
 -------
@@ -146,11 +153,13 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)
- Report the bug to the OpenSSL project at:
+ Report the bug to the OpenSSL project via the Request Tracker
 (http://www.openssl.org/rt2.html) by mail to:
    openssl-bugs@openssl.org
- Note that mail to openssl-bugs@openssl.org is forwarded to a public
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
 readable request tracker database and is forwarded to a public
 mailing list. Confidential mail may be sent to openssl-security@openssl.org
 (PGP key available from the key servers).
@@ -164,7 +173,9 @@
 textual explanation of what your patch does.
 Note: For legal reasons, contributions from the US can be accepted only
- if a copy of the patch is sent to crypt@bxa.doc.gov
+ if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
 see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
 The preferred format for changes is "diff -u" output. You might
 generate it like this:
--- a/README.ENGINE
+++ b/README.ENGINE
@@ -154,7 +154,7 @@
    shared-library that contains the ENGINE implementation, and "NO_VCHECK"
    might possibly be useful if there is a minor version conflict and you
    (or a vendor helpdesk) is convinced you can safely ignore it.
-    "ENGINE_ID" is probably only needed if a shared-library implements
+    "ID" is probably only needed if a shared-library implements
    multiple ENGINEs, but if you know the engine id you expect to be using,
    it doesn't hurt to specify it (and this provides a sanity check if
    nothing else). "LIST_ADD" is only required if you actually wish the
@@ -174,7 +174,7 @@
       ENGINE *e = ENGINE_by_id("dynamic");
       ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
-       ENGINE_ctrl_cmd_string(e, "ENGINE_ID", "foo", 0);
+       ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
       ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
       ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
@@ -184,7 +184,7 @@
       openssl engine dynamic \
                 -pre SO_PATH:/lib/libfoo.so \
-                 -pre ENGINE_ID:foo \
+                 -pre ID:foo \
                 -pre LOAD \
                 -pre "CMD_FOO:some input data"
@@ -192,7 +192,7 @@
       openssl engine -vvvv dynamic \
                 -pre SO_PATH:/lib/libfoo.so \
-                 -pre ENGINE_ID:foo \
+                 -pre ID:foo \
                 -pre LOAD
    Applications that support the ENGINE API and more specifically, the
--- a/26
+++ b/26
@@ -1,10 +1,15 @@
  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/04/13 22:47:04 $
+  ______________                           $Date: 2002/07/30 11:27:05 $
  DEVELOPMENT STATE
-    o  OpenSSL 0.9.7:  Under development...
+    o  OpenSSL 0.9.8:  Under development...
    o  OpenSSL 0.9.7-beta3: Released on July 30th, 2002
    o  OpenSSL 0.9.7-beta2: Released on June 16th, 2002
    o  OpenSSL 0.9.7-beta1: Released on June  1st, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
@@ -17,22 +22,11 @@
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998
  [See also http://www.openssl.org/support/rt2.html]
  RELEASE SHOWSTOPPERS
-    o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
+    o BN_mod_mul verification fails for mips3-sgi-irix
      - BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc
        and other 64-bit platforms
 	Checked on			Result
 	alpha-cc (Tru64 version 4.0)	works
 	linux-alpha+bwx-gcc		doesn't work. Reported by
 					Sean O'Riordain <seanpor@acm.org>
 	OpenBSD-sparc64			doesn't work.  BN_mod_mul breaks.
 	Needs checked on
 	[add platforms here]
      - BN_mod_mul verification fails for mips3-sgi-irix
      unless configured with no-asm
  AVAILABLE PATCHES
--- a/245
+++ b/245
@@ -1,3 +1,4 @@
 Output of `Configure TABLE':
 *** BC-16
 $cc           = bcc
@@ -79,15 +80,15 @@ $thread_cflag =
 $sys_id       = CYGWIN32
 $lflags       = 
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$bn_obj       = 
+$bn_obj       = asm/bn86-out.o asm/co86-out.o
-$des_obj      = 
+$des_obj      = asm/dx86-out.o asm/yx86-out.o
-$bf_obj       = 
+$bf_obj       = asm/bx86-out.o
-$md5_obj      = 
+$md5_obj      = asm/mx86-out.o
-$sha1_obj     = 
+$sha1_obj     = asm/sx86-out.o
-$cast_obj     = 
+$cast_obj     = asm/cx86-out.o
-$rc4_obj      = 
+$rc4_obj      = asm/rx86-out.o
-$rmd160_obj   = 
+$rmd160_obj   = asm/rm86-out.o
-$rc5_obj      = 
+$rc5_obj      = asm/r586-out.o
 $dso_scheme   = win32
 $shared_target= cygwin-shared
 $shared_cflag = 
@@ -119,6 +120,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 
 *** DJGPP
 $cc           = gcc
 $cflags       = -I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MSDOS
 $lflags       = -L/dev/env/DJDIR/watt32/lib -lwatt
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
 $shared_ldflag = 
 $shared_extension = 
 $ranlib       = 
 *** FreeBSD
 $cc           = gcc
 $cflags       = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
@@ -427,8 +452,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= bsd-gcc-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** OpenBSD-i386
@@ -739,8 +764,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= reliantunix-shared
 $shared_cflag = 
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** SINIX
@@ -791,6 +816,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 
 *** UWIN
 $cc           = cc
 $cflags       = -DTERMIOS -DL_ENDIAN -O -Wall
 $unistd       = 
 $thread_cflag = 
 $sys_id       = UWIN
 $lflags       = 
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = win32
 $shared_target= 
 $shared_cflag = 
 $shared_ldflag = 
 $shared_extension = 
 $ranlib       = 
 *** VC-MSDOS
 $cc           = cl
 $cflags       = 
@@ -1273,33 +1322,9 @@ $ranlib       =
 *** darwin-i386-cc
 $cc           = cc
-$cflags       = -O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN
+$cflags       = -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN
 $unistd       = 
-$thread_cflag = (unknown)
+$thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
 $lflags       = 
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = -fPIC
 $shared_ldflag = 
 $shared_extension = 
 $ranlib       = 
 *** darwin-ppc-cc
 $cc           = cc
 $cflags       = -O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = MACOSX
 $lflags       = 
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
@@ -1315,13 +1340,37 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
+$shared_ldflag = 
-$shared_extension = 
+$shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 
 *** darwin-ppc-cc
 $cc           = cc
 $cflags       = -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
 $lflags       = 
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC
 $shared_ldflag = 
 $shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 
 *** debug
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1489,7 +1538,7 @@ $ranlib       =
 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1513,7 +1562,7 @@ $ranlib       =
 *** debug-levitte-linux-noasm
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1555,8 +1604,8 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** debug-linux-elf-noefence
@@ -1775,6 +1824,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 
 *** debug-steve-linux-pseudo64
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -rdynamic -ldl
 $bn_ops       = SIXTY_FOUR_BIT
 $bn_obj       = 
 $des_obj      = dlfcn
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
 $shared_ldflag = 
 $shared_extension = 
 $ranlib       = 
 *** debug-ulf
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe
@@ -2327,6 +2400,30 @@ $shared_ldflag =
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** hpux64-parisc-gcc
 $cc           = gcc
 $cflags       = -DB_ENDIAN -DMD32_XARRAY
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
 $shared_target= hpux64-shared
 $shared_cflag = -fpic
 $shared_ldflag = 
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** hpux64-parisc2-cc
 $cc           = cc
 $cflags       = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY
@@ -2981,7 +3078,7 @@ $cflags       = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = asm/sparcv8.o
 $des_obj      = 
@@ -2992,11 +3089,11 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
+$dso_scheme   = dlfcn
-$shared_target= 
+$shared_target= linux-shared
-$shared_cflag = 
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** linux-sparcv9
@@ -3005,7 +3102,7 @@ $cflags       = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = asm/sparcv8plus.o
 $des_obj      = 
@@ -3019,8 +3116,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** ncr-scde
@@ -3595,7 +3692,31 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -m64
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** solaris64-sparcv9-gcc31
 $cc           = gcc
 $cflags       = -mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
 $lflags       = -lsocket -lnsl -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = asm/md5-sparcv9.o
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
 $shared_ldflag = -m64
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
@@ -3673,11 +3794,11 @@ $ranlib       =
 *** unixware-2.0
 $cc           = cc
-$cflags       = -DFILIO_H
+$cflags       = -DFILIO_H -DNO_STRINGS_H
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
@@ -3697,11 +3818,11 @@ $ranlib       =
 *** unixware-2.0-pentium
 $cc           = cc
-$cflags       = -DFILIO_H -Kpentium
+$cflags       = -DFILIO_H -DNO_STRINGS_H -Kpentium
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
@@ -3725,7 +3846,7 @@ $cflags       = -O -DFILIO_H
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
@@ -3749,7 +3870,7 @@ $cflags       = -O -DFILIO_H -Kp6
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
@@ -3773,7 +3894,7 @@ $cflags       = -O -DFILIO_H -Kpentium
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
--- a/VMS/tcpip_shr_decc.opt
+++ b/VMS/tcpip_shr_decc.opt
@@ -0,0 +1 @@
 sys$share:tcpip$ipc_shr.exe/share
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -129,7 +129,11 @@
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
 #else
 #  ifdef NO_STRINGS_H
    int	strcasecmp();
 #  else
 #    include <strings.h>
 #  endif /* NO_STRINGS_H */
 #endif
 #ifdef OPENSSL_SYS_WINDOWS
@@ -310,10 +314,17 @@ void program_name(char *in, char *out, int size)
 	q=strrchr(p,'.');
 	if (q == NULL)
-		q = in+size;
+		q = p + strlen(p);
-	strncpy(out,p,q-p);
+	strncpy(out,p,size-1);
 	if (q-p >= size)
 		{
 		out[size-1]='\0';
 		}
 	else
 		{
 		out[q-p]='\0';
 		}
 	}
 #else
 void program_name(char *in, char *out, int size)
 	{
@@ -483,7 +494,7 @@ static int ui_close(UI *ui)
 	{
 	return UI_method_get_closer(UI_OpenSSL())(ui);
 	}
-int setup_ui_method()
+int setup_ui_method(void)
 	{
 	ui_method = UI_create_method("OpenSSL application user interface");
 	UI_method_set_opener(ui_method, ui_open);
@@ -492,7 +503,7 @@ int setup_ui_method()
 	UI_method_set_closer(ui_method, ui_close);
 	return 0;
 	}
-void destroy_ui_method()
+void destroy_ui_method(void)
 	{
 	if(ui_method)
 		{
@@ -918,7 +929,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 	}
 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-EVP_PKEY *
+static EVP_PKEY *
 load_netscape_key(BIO *err, BIO *key, const char *file,
 		const char *key_descrip, int format)
 	{
@@ -1206,7 +1217,7 @@ static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_T
 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 {
-	char buf[256];
+	char *buf;
 	char mline = 0;
 	int indent = 0;
 	if(title) BIO_puts(out, title);
@@ -1215,9 +1226,10 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 		indent = 4;
 	}
 	if(lflags == XN_FLAG_COMPAT) {
-		X509_NAME_oneline(nm,buf,256);
+		buf = X509_NAME_oneline(nm, 0, 0);
 		BIO_puts(out, buf);
 		BIO_puts(out, "\n");
 		OPENSSL_free(buf);
 	} else {
 		if(mline) BIO_puts(out, "\n");
 		X509_NAME_print_ex(out, nm, indent, lflags);
@@ -1256,7 +1268,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
 }
 /* Try to load an engine in a shareable library */
-ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
+static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
 	{
 	ENGINE *e = ENGINE_by_id("dynamic");
 	if (e)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -134,10 +134,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                       * (see e_os.h).  The string is
                                       * destroyed! */
 #ifdef OPENSSL_NO_STDIO
 BIO_METHOD *BIO_s_file();
 #endif
 #ifdef OPENSSL_SYS_WIN32
 #define rename(from,to) WIN32_rename((from),(to))
 int WIN32_rename(char *oldname,char *newname);
@@ -217,8 +213,8 @@ typedef struct pw_cb_data
 int password_callback(char *buf, int bufsiz, int verify,
 	PW_CB_DATA *cb_data);
-int setup_ui_method();
+int setup_ui_method(void);
-void destroy_ui_method();
+void destroy_ui_method(void);
 int should_retry(int i);
 int args_from_file(char *file, int *argc, char **argv[]);
@@ -253,6 +249,8 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
 			ASN1_GENERALIZEDTIME **pinvtm, char *str);
 int make_serial_index(TXT_DB *db);
 X509_NAME *do_subject(char *str, long chtype);
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -184,7 +184,7 @@ bad:
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
-		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
@@ -195,7 +195,6 @@ bad:
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
 		BIO_printf(bio_err," -out filename output DER encoding to file\n");
 		goto end;
 		}
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -80,7 +80,11 @@
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
 #else
 #  ifdef NO_STRINGS_H
    int	strcasecmp();
 #  else
 #    include <strings.h>
 #  endif /* NO_STRINGS_H */
 #endif
 #ifndef W_OK
@@ -238,7 +242,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
 	int ext_copy);
 static X509_NAME *do_subject(char *subject);
 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, TXT_DB *db);
 static int do_updatedb(TXT_DB *db);
@@ -1451,13 +1454,13 @@ bad:
 			}
 		if ((crldays == 0) && (crlhours == 0))
 			{
-			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
+			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
 			goto err;
 			}
 		if (verbose) BIO_printf(bio_err,"making CRL\n");
 		if ((crl=X509_CRL_new()) == NULL) goto err;
-		if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
+		if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;
 		tmptm = ASN1_TIME_new();
 		if (!tmptm) goto err;
@@ -1510,11 +1513,6 @@ bad:
 			if (pkey->type == EVP_PKEY_DSA) 
 				dgst=EVP_dss1();
 			else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 			if (pkey->type == EVP_PKEY_ECDSA)
 				dgst=EVP_ecdsa();
 			else
 #endif
 				dgst=EVP_md5();
 			}
@@ -1574,6 +1572,10 @@ bad:
 				}
 			j=TXT_DB_write(out,db);
 			if (j <= 0) goto err;
 			BIO_free_all(out);
 			out = NULL;
 			BIO_free_all(in);
 			in = NULL;
 			strncpy(buf[1],dbfile,BSIZE-4);
 			buf[1][BSIZE-4]='\0';
 #ifndef OPENSSL_SYS_VMS
@@ -1581,10 +1583,6 @@ bad:
 #else
 			strcat(buf[1],"-old");
 #endif
 			BIO_free(in);
 			in = NULL;
 			BIO_free(out);
 			out = NULL;
 			if (rename(dbfile,buf[1]) < 0)
 				{
 				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
@@ -1879,7 +1877,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	if (subj)
 		{
-		X509_NAME *n = do_subject(subj);
+		X509_NAME *n = do_subject(subj, MBSTRING_ASC);
 		if (!n)
 			{
@@ -2290,16 +2288,6 @@ again2:
 		EVP_PKEY_copy_parameters(pktmp,pkey);
 	EVP_PKEY_free(pktmp);
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (pkey->type == EVP_PKEY_ECDSA)
 		dgst = EVP_ecdsa();
 	pktmp = X509_get_pubkey(ret);
 	if (EVP_PKEY_missing_parameters(pktmp) &&
 		!EVP_PKEY_missing_parameters(pkey))
 		EVP_PKEY_copy_parameters(pktmp, pkey);
 	EVP_PKEY_free(pktmp);
 #endif
 	if (!X509_sign(ret,pkey,dgst))
 		goto err;
@@ -3023,65 +3011,124 @@ int make_revoked(X509_REVOKED *rev, char *str)
 	return ret;
 	}
-static X509_NAME *do_subject(char *subject)
+/*
 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
 * where characters may be escaped by \
 */
 X509_NAME *do_subject(char *subject, long chtype)
 	{
 	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
 	char *buf = OPENSSL_malloc(buflen);
 	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
 	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
 	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
 	char *sp = subject, *bp = buf;
 	int i, ne_num = 0;
 	X509_NAME *n = NULL;
 	int nid;
-	int i, nid, ne_num=0;
+	if (!buf || !ne_types || !ne_values)
 	char *ne_name = NULL;
 	char *ne_value = NULL;
 	char *tmp = NULL;
 	char *p[2];
 	char *str_list[256];
 	p[0] = ",/";
 	p[1] = "=";
 	n = X509_NAME_new();
 	tmp = strtok(subject, p[0]);
 	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
 	{
-		char *token = tmp;
+		BIO_printf(bio_err, "malloc error\n");
 		goto error;
 	}
-		while (token[0] == ' ')
+	if (*subject != '/')
-			token++;
+	{
-		str_list[ne_num] = token;
+		BIO_printf(bio_err, "Subject does not start with '/'.\n");
 		goto error;
 	}
 	sp++; /* skip leading / */
-		tmp = strtok(NULL, p[0]);
+	while (*sp)
 	{
 		/* collect type */
 		ne_types[ne_num] = bp;
 		while (*sp)
 		{
 			if (*sp == '\\') /* is there anything to escape in the type...? */
 				if (*++sp)
 					*bp++ = *sp++;
 				else
 				{
 					BIO_printf(bio_err, "escape character at end of string\n");
 					goto error;
 				}
 			else if (*sp == '=')
 			{
 				sp++;
 				*bp++ = '\0';
 				break;
 			}
 			else
 				*bp++ = *sp++;
 		}
 		if (!*sp)
 		{
 			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
 			goto error;
 		}
 		ne_values[ne_num] = bp;
 		while (*sp)
 		{
 			if (*sp == '\\')
 				if (*++sp)
 					*bp++ = *sp++;
 				else
 				{
 					BIO_printf(bio_err, "escape character at end of string\n");
 					goto error;
 				}
 			else if (*sp == '/')
 			{
 				sp++;
 				break;
 			}
 			else
 				*bp++ = *sp++;
 		}
 		*bp++ = '\0';
 		ne_num++;
 	}
 	if (!(n = X509_NAME_new()))
 		goto error;
 	for (i = 0; i < ne_num; i++)
 		{
-		ne_name  = strtok(str_list[i], p[1]);
+		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
 		ne_value = strtok(NULL, p[1]);
 		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
 			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
+			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
 			continue;
 			}
-		if (ne_value == NULL)
+		if (!*ne_values[i])
 			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
+			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
 			continue;
 			}
-		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
+		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0))
-			{
+			goto error;
 		}
 	OPENSSL_free(ne_values);
 	OPENSSL_free(ne_types);
 	OPENSSL_free(buf);
 	return n;
 error:
 	X509_NAME_free(n);
 	if (ne_values)
 		OPENSSL_free(ne_values);
 	if (ne_types)
 		OPENSSL_free(ne_types);
 	if (buf)
 		OPENSSL_free(buf);
 	return NULL;
 }
 		}
 	return n;
 	}
 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 	{
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -87,6 +87,7 @@ static char *crl_usage[]={
 " -noout          - no CRL output\n",
 " -CAfile  name   - verify CRL using certificates in file \"name\"\n",
 " -CApath  dir    - verify CRL using certificates in \"dir\"\n",
 " -nameopt arg    - various certificate name options\n",
 NULL
 };
@@ -97,6 +98,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	unsigned long nmflag = 0;
 	X509_CRL *x=NULL;
 	char *CAfile = NULL, *CApath = NULL;
 	int ret=1,i,num,badops=0;
@@ -105,7 +107,7 @@ int MAIN(int argc, char **argv)
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0;
-	char **pp,buf[256];
+	char **pp;
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
 	X509_LOOKUP *lookup = NULL;
@@ -188,6 +190,11 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-issuer") == 0)
 			issuer= ++num;
 		else if (strcmp(*argv,"-lastupdate") == 0)
@@ -271,9 +278,7 @@ bad:
 			{
 			if (issuer == i)
 				{
-				X509_NAME_oneline(X509_CRL_get_issuer(x),
+				print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
 								buf,256);
 				BIO_printf(bio_out,"issuer= %s\n",buf);
 				}
 			if (hash == i)
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -73,8 +73,9 @@
 #undef PROG
 #define PROG	dgst_main
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-		EVP_PKEY *key, unsigned char *sigin, int siglen);
+	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
 	  const char *file);
 int MAIN(int, char **);
@@ -319,22 +320,36 @@ int MAIN(int argc, char **argv)
 	if (argc == 0)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-		do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, siglen);
+		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
 			  siglen,"","(stdin)");
 		}
 	else
 		{
 		name=OBJ_nid2sn(md->type);
 		for (i=0; i<argc; i++)
 			{
 			char *tmp,*tofree=NULL;
 			int r;
 			if (BIO_read_filename(in,argv[i]) <= 0)
 				{
 				perror(argv[i]);
 				err++;
 				continue;
 				}
-			if(!out_bin) BIO_printf(out, "%s(%s)= ",name,argv[i]);
+			if(!out_bin)
-			do_fp(out, buf,inp,separator, out_bin, sigkey, 
+				{
-								sigbuf, siglen);
+				tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5);
 				sprintf(tmp,"%s(%s)= ",name,argv[i]);
 				}
 			else
 				tmp="";
 			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
 				siglen,tmp,argv[i]);
 			if(r)
 			    err=r;
 			if(tofree)
 				OPENSSL_free(tofree);
 			(void)BIO_reset(bmd);
 			}
 		}
@@ -353,8 +368,9 @@ end:
 	EXIT(err);
 	}
-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-			EVP_PKEY *key, unsigned char *sigin, int siglen)
+	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
 	  const char *file)
 	{
 	int len;
 	int i;
@@ -362,21 +378,33 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	for (;;)
 		{
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
-		if (i <= 0) break;
+		if(i < 0)
 			{
 			BIO_printf(bio_err, "Read Error in %s\n",file);
 			ERR_print_errors(bio_err);
 			return 1;
 			}
 		if (i == 0) break;
 		}
 	if(sigin)
 		{
 		EVP_MD_CTX *ctx;
 		BIO_get_md_ctx(bp, &ctx);
 		i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
-		if(i > 0) BIO_printf(out, "Verified OK\n");
+		if(i > 0)
-		else if(i == 0) BIO_printf(out, "Verification Failure\n");
+			BIO_printf(out, "Verified OK\n");
 		else if(i == 0)
 			{
 			BIO_printf(out, "Verification Failure\n");
 			return 1;
 			}
 		else
 			{
 			BIO_printf(bio_err, "Error Verifying Data\n");
 			ERR_print_errors(bio_err);
 			return 1;
 			}
-		return;
+		return 0;
 		}
 	if(key)
 		{
@@ -386,7 +414,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			{
 			BIO_printf(bio_err, "Error Signing Data\n");
 			ERR_print_errors(bio_err);
-			return;
+			return 1;
 			}
 		}
 	else
@@ -395,6 +423,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	if(binout) BIO_write(out, buf, len);
 	else 
 		{
 		BIO_write(out,title,strlen(title));
 		for (i=0; i<len; i++)
 			{
 			if (sep && (i != 0))
@@ -403,5 +432,6 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			}
 		BIO_printf(out, "\n");
 		}
 	return 0;
 	}
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -186,7 +186,7 @@ bad:
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
-		BIO_printf(bio_err," -text         print the key in text\n");
+		BIO_printf(bio_err," -text         print as text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -genkey       generate a DSA key\n");
--- a/apps/ecdsa.c
+++ b/apps/ecdsa.c
@@ -1,445 +0,0 @@
 /* apps/ecdsa.c */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #ifndef OPENSSL_NO_ECDSA
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/ecdsa.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	ecdsa_main
 /* -inform arg	- input format - default PEM (one of DER, NET or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -des		- encrypt output if PEM format with DES in cbc mode
 * -des3	- encrypt output if PEM format
 * -idea	- encrypt output if PEM format
 * -aes128	- encrypt output if PEM format
 * -aes192	- encrypt output if PEM format
 * -aes256	- encrypt output if PEM format
 * -text	- print a text version
 * -pub		- print the ECDSA public key
 * -compressed  - print the public key in compressed form ( default )   
 * -hybrid 	- print the public key in hybrid form
 * -uncompressed - print the public key in uncompressed form
 *		  the last three options ( compressed, hybrid and uncompressed )
 *		  are only used if the "-pub" option is also selected.
 *	  	  For a precise description of the the meaning of compressed,
 *		  hybrid and uncompressed please refer to the X9.62 standart.
 *		  All three forms represents ways to express the ecdsa public
 *		  key ( a point on a elliptic curve ) as octet string. Let len be
 *		  the length ( in bytes ) of an element of the field over which
 *		  the curve is defined, then a compressed octet string has the form
 *		  0x02 + result of BN_bn2bin() of the x coordinate of the public key
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE 	*e = NULL;
 	int 	ret = 1;
 	ECDSA 	*ecdsa = NULL;
 	int 	i, badops = 0;
 	const EVP_CIPHER *enc = NULL;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, text=0, noout=0;
 	int  	pubin = 0, pubout = 0;
 	char 	*infile, *outfile, *prog, *engine;
 	char 	*passargin = NULL, *passargout = NULL;
 	char 	*passin = NULL, *passout = NULL;
 	int 	pub = 0, point_form = 0;
 	unsigned char *buffer = NULL;
 	unsigned int  buf_len = 0;
 	BIGNUM	*tmp_bn = NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	engine = NULL;
 	infile = NULL;
 	outfile = NULL;
 	informat = FORMAT_PEM;
 	outformat = FORMAT_PEM;
 	prog = argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 	{
 		if (strcmp(*argv,"-inform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-outform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-in") == 0)
 		{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 		}
 		else if (strcmp(*argv,"-out") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 		}
 		else if (strcmp(*argv,"-passin") == 0)
 		{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 		}
 		else if (strcmp(*argv,"-passout") == 0)
 		{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 		}
 		else if (strcmp(*argv, "-engine") == 0)
 		{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 		}
 		else if (strcmp(*argv, "-noout") == 0)
 			noout = 1;
 		else if (strcmp(*argv, "-text") == 0)
 			text = 1;
 		else if (strcmp(*argv, "-pub") == 0)
 		{
 			pub = 1;
 			buffer = (unsigned char *)(*(argv+1));
 			if (strcmp((char *)buffer, "compressed") == 0)
 				point_form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp((char *)buffer, "hybrid") == 0)
 				point_form = POINT_CONVERSION_HYBRID;
 			else if (strcmp((char *)buffer, "uncompressed") == 0)
 				point_form = POINT_CONVERSION_UNCOMPRESSED;
 			if (point_form)
 			{
 				argc--;
 				argv++;
 			}
 		}
 		else if (strcmp(*argv, "-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv, "-pubout") == 0)
 			pubout=1;
 		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
 		{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 		}
 		argc--;
 		argv++;
 	}
 	if (badops)
 	{
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg     input format - DER or PEM\n");
 		BIO_printf(bio_err, " -outform arg    output format - DER or PEM\n");
 		BIO_printf(bio_err, " -in arg         input file\n");
 		BIO_printf(bio_err, " -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err, " -out arg        output file\n");
 		BIO_printf(bio_err, " -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err, " -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err, " -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err, " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err, " -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err, "                 encrypt PEM output with cbc aes\n");
 #endif
 		BIO_printf(bio_err, " -text           print the key in text\n");
 		BIO_printf(bio_err, " -noout          don't print key out\n");
 		BIO_printf(bio_err, " -pub [compressed | hybrid | uncompressed] \n");
 		BIO_printf(bio_err, "         compressed     print the public key in compressed form ( default )\n");   
 		BIO_printf(bio_err, "         hybrid         print the public key in hybrid form\n");
 		BIO_printf(bio_err, "         uncompressed   print the public key in uncompressed form\n");
 		goto end;
 	}
 	ERR_load_crypto_strings();
        e = setup_engine(bio_err, engine, 0);
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
 	{
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
 	}
 	in = BIO_new(BIO_s_file());
 	out = BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 	{
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 	{
 		if (BIO_read_filename(in,infile) <= 0)
 		{
 			perror(infile);
 			goto end;
 		}
 	}
 	BIO_printf(bio_err,"read ECDSA key\n");
 	if (informat == FORMAT_ASN1) 
 	{
 		if (pubin) 
 			ecdsa = d2i_ECDSA_PUBKEY_bio(in, NULL);
 		else 
 			ecdsa = d2i_ECDSAPrivateKey_bio(in, NULL);
 	} else if (informat == FORMAT_PEM) 
 	{
 		if (pubin) 
 			ecdsa = PEM_read_bio_ECDSA_PUBKEY(in, NULL, NULL, NULL);
 		else 
 			ecdsa = PEM_read_bio_ECDSAPrivateKey(in, NULL, NULL, passin);
 	} else
 	{
 		BIO_printf(bio_err, "bad input format specified for key\n");
 		goto end;
 	}
 	if (ecdsa == NULL)
 	{
 		BIO_printf(bio_err,"unable to load Key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (outfile == NULL)
 	{
 		BIO_set_fp(out, stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	else
 	{
 		if (BIO_write_filename(out, outfile) <= 0)
 		{
 			perror(outfile);
 			goto end;
 		}
 	}
 	if (text) 
 		if (!ECDSA_print(out, ecdsa, 0))
 		{
 			perror(outfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	if (pub)
 	{
 		fprintf(stdout, "Public Key (");
 		if (point_form == POINT_CONVERSION_COMPRESSED)
 			fprintf(stdout, "COMPRESSED");
 		else if (point_form == POINT_CONVERSION_UNCOMPRESSED)
 			fprintf(stdout, "UNCOMPRESSED");
 		else if (point_form == POINT_CONVERSION_HYBRID)
 			fprintf(stdout, "HYBRID");
 		fprintf(stdout, ")=");
 		buf_len = EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
 					     point_form, NULL, 0, NULL);
 		if (!buf_len)
 		{
 			BIO_printf(bio_err,"invalid public key length\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		if ((tmp_bn = BN_new()) == NULL ||
 		    (buffer = OPENSSL_malloc(buf_len)) == NULL) goto end;
 		if (!EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
 					     point_form, buffer, buf_len, NULL) ||
 		    !BN_bin2bn(buffer, buf_len, tmp_bn))
 		{
 			BIO_printf(bio_err,"can not encode public key\n");
 			ERR_print_errors(bio_err);
 			OPENSSL_free(buffer);
 			goto end;
 		}
 		BN_print(out, tmp_bn);
 		fprintf(stdout,"\n");
 	}
 	if (noout) 
 		goto end;
 	BIO_printf(bio_err, "writing ECDSA key\n");
 	if (outformat == FORMAT_ASN1) 
 	{
 		if(pubin || pubout) 
 			i = i2d_ECDSA_PUBKEY_bio(out, ecdsa);
 		else 
 			i = i2d_ECDSAPrivateKey_bio(out, ecdsa);
 	} else if (outformat == FORMAT_PEM) 
 	{
 		if(pubin || pubout)
 			i = PEM_write_bio_ECDSA_PUBKEY(out, ecdsa);
 		else 
 			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsa, enc,
 							NULL, 0, NULL, passout);
 	} else 
 	{
 		BIO_printf(bio_err, "bad output format specified for outfile\n");
 		goto end;
 	}
 	if (!i)
 	{
 		BIO_printf(bio_err, "unable to write private key\n");
 		ERR_print_errors(bio_err);
 	}
 	else
 		ret=0;
 end:
 	if (in) 	BIO_free(in);
 	if (out)	BIO_free_all(out);
 	if (ecdsa) 	ECDSA_free(ecdsa);
 	if (tmp_bn)	BN_free(tmp_bn);
 	if (passin) 	OPENSSL_free(passin);
 	if (passout) 	OPENSSL_free(passout);
 	apps_shutdown();
 	EXIT(ret);
 }
 #endif
--- a/apps/ecdsaparam.c
+++ b/apps/ecdsaparam.c
@@ -1,660 +0,0 @@
 /* apps/ecdsaparam.c */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #ifndef OPENSSL_NO_ECDSA
 #include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	ecdsaparam_main
 /* -inform arg	  	- input format - default PEM (DER or PEM)
 * -outform arg 	- output format - default PEM
 * -in arg		- input file  - default stdin
 * -out arg		- output file - default stdout
 * -noout
 * -text
 * -check               - validate the ec parameters
 * -C
 * -noout
 * -genkey		- generate a private public keypair based on the supplied curve
 * -named_curve		- use the curve oid instead of the parameters
 * -NIST_192		- use the NIST recommended curve parameters over a 192 bit prime field
 * -NIST_224		- use the NIST recommended curve parameters over a 224 bit prime field
 * -NIST_256		- use the NIST recommended curve parameters over a 256 bit prime field
 * -NIST_384		- use the NIST recommended curve parameters over a 384 bit prime field
 * -NIST_521		- use the NIST recommended curve parameters over a 521 bit prime field
 * -X9_62_192v1		- use the X9_62 192v1 example curve over a 192 bit prime field
 * -X9_62_192v2		- use the X9_62 192v2 example curve over a 192 bit prime field
 * -X9_62_192v3		- use the X9_62 192v3 example curve over a 192 bit prime field
 * -X9_62_239v1		- use the X9_62 239v1 example curve over a 239 bit prime field
 * -X9_62_239v2		- use the X9_62 239v2 example curve over a 239 bit prime field
 * -X9_62_239v3		- use the X9_62 239v3 example curve over a 239 bit prime field
 * -X9_62_256v1		- use the X9_62 239v1 example curve over a 256 bit prime field
 * -SECG_PRIME_112R1    - use the SECG 112r1 recommended curve over a 112 bit prime field
 * -SECG_PRIME_112R2    - use the SECG 112r2 recommended curve over a 112 bit prime field
 * -SECG_PRIME_128R1    - use the SECG 128r1 recommended curve over a 128 bit prime field
 * -SECG_PRIME_128R2    - use the SECG 128r2 recommended curve over a 128 bit prime field
 * -SECG_PRIME_160K1    - use the SECG 160k1 recommended curve over a 160 bit prime field
 * -SECG_PRIME_160R1    - use the SECG 160r1 recommended curve over a 160 bit prime field
 * -SECG_PRIME_160R2    - use the SECG 160r2 recommended curve over a 160 bit prime field
 * -SECG_PRIME_192K1    - use the SECG 192k1 recommended curve over a 192 bit prime field
 * -SECG_PRIME_192R1    - use the SECG 192r1 recommended curve over a 192 bit prime field
 * -SECG_PRIME_224K1    - use the SECG 224k1 recommended curve over a 224 bit prime field
 * -SECG_PRIME_224R1    - use the SECG 224r1 recommended curve over a 224 bit prime field
 * -SECG_PRIME_256K1    - use the SECG 256k1 recommended curve over a 256 bit prime field
 * -SECG_PRIME_256R1    - use the SECG 256r1 recommended curve over a 256 bit prime field
 * -SECG_PRIME_384R1    - use the SECG 384r1 recommended curve over a 384 bit prime field
 * -SECG_PRIME_521R1    - use the SECG 521r1 recommended curve over a 521 bit prime field
 * -WTLS_6              - use the WAP/WTLS recommended curve number 6 over a 112 bit field
 * -WTLS_8              - use the WAP/WTLS recommended curve number 8 over a 112 bit field
 * -WTLS_9              - use the WAP/WTLS recommended curve number 9 over a 160 bit field
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE 	*e = NULL;
 	ECDSA 	*ecdsa = NULL;
 	int 	i, badops = 0, text = 0;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, noout = 0, C = 0, ret = 1;
 	char 	*infile, *outfile, *prog, *inrand = NULL;
 	int 	genkey = 0;
 	int	check = 0;
 	int 	need_rand = 0;
 	char 	*engine=NULL;
 	int	curve_type = EC_GROUP_NO_CURVE;
 	int	named_curve = 0;
 	BIGNUM	*tmp_1 = NULL, *tmp_2 = NULL, *tmp_3 = NULL, *tmp_4 = NULL, *tmp_5 = NULL,
 		*tmp_6 = NULL, *tmp_7 = NULL;
 	BN_CTX	*ctx = NULL;
 	EC_POINT *point = NULL;
 	unsigned char *data = NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	prog=argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-outform") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 		}
 		else if (strcmp(*argv,"-in") == 0)
 		{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 		}
 		else if (strcmp(*argv,"-out") == 0)
 		{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 		}
 		else if(strcmp(*argv, "-engine") == 0)
 		{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 		}
 		else if (strcmp(*argv,"-text") == 0)
 			text = 1;
 		else if (strcmp(*argv,"-C") == 0)
 			C = 1;
 		else if (strcmp(*argv,"-check") == 0)
 			check = 1;
 		else if (strcmp(*argv,"-genkey") == 0)
 		{
 			genkey = 1;
 			need_rand = 1;
 		}
 		else if (strcmp(*argv,"-rand") == 0)
 		{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			need_rand=1;
 		}
 		else if (strcmp(*argv, "-named_curve") == 0)
 			named_curve = 1;
 		else if (strcmp(*argv, "-NIST_192") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_192;
 		else if (strcmp(*argv, "-NIST_224") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_224;
 		else if (strcmp(*argv, "-NIST_256") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_256;
 		else if (strcmp(*argv, "-NIST_384") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_384;
 		else if (strcmp(*argv, "-NIST_521") == 0)
 			curve_type = EC_GROUP_NIST_PRIME_521;
 		else if (strcmp(*argv, "-X9_62_192v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_192V1;
 		else if (strcmp(*argv, "-X9_62_192v2") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_192V2;
 		else if (strcmp(*argv, "-X9_62_192v3") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_192V3;
 		else if (strcmp(*argv, "-X9_62_239v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_239V1;
 		else if (strcmp(*argv, "-X9_62_239v2") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_239V2;
 		else if (strcmp(*argv, "-X9_62_239v3") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_239V3;
 		else if (strcmp(*argv, "-X9_62_256v1") == 0)
 			curve_type = EC_GROUP_X9_62_PRIME_256V1;
 		else if (strcmp(*argv, "-SECG_PRIME_112R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_112R1;
 		else if (strcmp(*argv, "-SECG_PRIME_112R2") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_112R2;
 		else if (strcmp(*argv, "-SECG_PRIME_128R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_128R1;
 		else if (strcmp(*argv, "-SECG_PRIME_128R2") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_128R2;
 		else if (strcmp(*argv, "-SECG_PRIME_160K1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_160K1;
 		else if (strcmp(*argv, "-SECG_PRIME_160R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_160R1;
 		else if (strcmp(*argv, "-SECG_PRIME_160R2") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_160R2;
 		else if (strcmp(*argv, "-SECG_PRIME_192K1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_192K1;
 		else if (strcmp(*argv, "-SECG_PRIME_192R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_192R1;
 		else if (strcmp(*argv, "-SECG_PRIME_224K1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_224K1;
 		else if (strcmp(*argv, "-SECG_PRIME_224R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_224R1;
 		else if (strcmp(*argv, "-SECG_PRIME_256K1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_256K1;
 		else if (strcmp(*argv, "-SECG_PRIME_256R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_256R1;
 		else if (strcmp(*argv, "-SECG_PRIME_384R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_384R1;
 		else if (strcmp(*argv, "-SECG_PRIME_521R1") == 0)
 			curve_type = EC_GROUP_SECG_PRIME_521R1;
 		else if (strcmp(*argv, "-WTLS_6") == 0)
 			curve_type = EC_GROUP_WTLS_6;
 		else if (strcmp(*argv, "-WTLS_8") == 0)
 			curve_type = EC_GROUP_WTLS_8;
 		else if (strcmp(*argv, "-WTLS_9") == 0)
 			curve_type = EC_GROUP_WTLS_9;
 		else if (strcmp(*argv, "-noout") == 0)
 			noout=1;
 		else
 		{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 		}
 		argc--;
 		argv++;
 	}
 	if (badops)
 	{
 bad:
 		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg        input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg       output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg            input file\n");
 		BIO_printf(bio_err," -out arg           output file\n");
 		BIO_printf(bio_err," -text              print the key in text\n");
 		BIO_printf(bio_err," -C                 Output C code\n");
 		BIO_printf(bio_err," -check             validate the ec parameters\n");
 		BIO_printf(bio_err," -noout             no output\n");
 		BIO_printf(bio_err," -rand              files to use for random number input\n");
 		BIO_printf(bio_err," -engine e          use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -named_curve       use the curve oid instead of the parameters\n");
 		BIO_printf(bio_err," -NIST_192          use the NIST recommended curve parameters over a 192 bit prime field\n");
 		BIO_printf(bio_err," -NIST_224          use the NIST recommended curve parameters over a 224 bit prime field\n");
 		BIO_printf(bio_err," -NIST_256          use the NIST recommended curve parameters over a 256 bit prime field\n");
 		BIO_printf(bio_err," -NIST_384          use the NIST recommended curve parameters over a 384 bit prime field\n");
 		BIO_printf(bio_err," -NIST_521          use the NIST recommended curve parameters over a 521 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_192v1       use the X9_62 192v1 example curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_192v2       use the X9_62 192v2 example curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_192v3       use the X9_62 192v3 example curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_239v1       use the X9_62 239v1 example curve over a 239 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_239v2       use the X9_62 239v2 example curve over a 239 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_239v3       use the X9_62 239v3 example curve over a 239 bit prime field\n");
 		BIO_printf(bio_err," -X9_62_256v1       use the X9_62 239v1 example curve over a 256 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_112R1  use the SECG 112r1 recommended curve over a 112 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_112R2  use the SECG 112r2 recommended curve over a 112 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_128R1  use the SECG 128r1 recommended curve over a 128 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_128R2  use the SECG 128r2 recommended curve over a 128 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_160K1  use the SECG 160k1 recommended curve over a 160 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_160R1  use the SECG 160r1 recommended curve over a 160 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_160R2  use the SECG 160r2 recommended curve over a 160 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_192K1  use the SECG 192k1 recommended curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_192R1  use the SECG 192r1 recommended curve over a 192 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_224K1  use the SECG 224k1 recommended curve over a 224 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_224R1  use the SECG 224r1 recommended curve over a 224 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_256K1  use the SECG 256k1 recommended curve over a 256 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_256R1  use the SECG 256r1 recommended curve over a 256 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_384R1  use the SECG 384r1 recommended curve over a 384 bit prime field\n");
 		BIO_printf(bio_err," -SECG_PRIME_521R1  use the SECG 521r1 recommended curve over a 521 bit prime field\n");
 		BIO_printf(bio_err," -WTLS_6            use the WAP/WTLS recommended curve number 6 over a 112 bit field\n");
 		BIO_printf(bio_err," -WTLS_8            use the WAP/WTLS recommended curve number 8 over a 112 bit field\n");
 		BIO_printf(bio_err," -WTLS_9            use the WAP/WTLS recommended curve number 9 over a 112 bit field\n");
 		goto end;
 	}
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 	{
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 	{
 		if (BIO_read_filename(in,infile) <= 0)
 		{
 			perror(infile);
 			goto end;
 		}
 	}
 	if (outfile == NULL)
 	{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	else
 	{
 		if (BIO_write_filename(out,outfile) <= 0)
 		{
 			perror(outfile);
 			goto end;
 		}
 	}
        e = setup_engine(bio_err, engine, 0);
 	if (need_rand)
 	{
 		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 		if (inrand != NULL)
 			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 				app_RAND_load_files(inrand));
 	}
 	if (curve_type != EC_GROUP_NO_CURVE)
 	{
 		if ((ecdsa = ECDSA_new()) == NULL)
 			goto end;
 		ecdsa->group = EC_GROUP_new_by_name(curve_type);
 		if (named_curve)
 			ECDSA_set_parameter_flags(ecdsa, ECDSA_FLAG_NAMED_CURVE);
 	}
 	else if (informat == FORMAT_ASN1)
 		ecdsa = d2i_ECDSAParameters_bio(in,NULL);
 	else if (informat == FORMAT_PEM)
 		ecdsa = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL);
 	else
 	{
 		BIO_printf(bio_err, "bad input format specified\n");
 		goto end;
 	}
 	if (ecdsa == NULL)
 	{
 		BIO_printf(bio_err, "unable to load ECDSA parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if (text)
 	{
 		ECDSAParameters_print(out, ecdsa);
 	}
 	if (check)
 	{
 		if (ecdsa == NULL)
 			BIO_printf(bio_err, "no elliptic curve parameters\n");
 		BIO_printf(bio_err, "checking elliptic curve parameters: ");
 		if (!EC_GROUP_check(ecdsa->group, NULL))
 		{
 			BIO_printf(bio_err, "failed\n");
 			ERR_print_errors(bio_err);
 		}
 		else
 			BIO_printf(bio_err, "ok\n");
 	}
 	if (C)
 	{	/* TODO: characteristic two */
 		int 	l, len, bits_p;
 		if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
 		    (tmp_3 = BN_new()) == NULL || (tmp_4 = BN_new()) == NULL ||
 		    (tmp_5 = BN_new()) == NULL || (tmp_6 = BN_new()) == NULL ||
                    (tmp_7 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
 		{
 			perror("OPENSSL_malloc");
 			goto end;
 		}
 		if (!EC_GROUP_get_curve_GFp(ecdsa->group, tmp_1, tmp_2, tmp_3, ctx))
 			goto end;
 		if ((point = EC_GROUP_get0_generator(ecdsa->group)) == NULL)
 			goto end;
 		if (!EC_POINT_get_affine_coordinates_GFp(ecdsa->group, point, tmp_4, tmp_5, ctx))
 			goto end;
 		if (!EC_GROUP_get_order(ecdsa->group, tmp_6, ctx))
 			goto end;
 		if (!EC_GROUP_get_cofactor(ecdsa->group, tmp_7, ctx))
 			goto end;
 		len    = BN_num_bytes(tmp_1);
 		bits_p = BN_num_bits(tmp_1);
 		data=(unsigned char *)OPENSSL_malloc(len+20);
 		if (data == NULL)
 		{
 			perror("OPENSSL_malloc");
 			goto end;
 		}
 		l = BN_bn2bin(tmp_1, data);
 		printf("static unsigned char ecdsa%d_p[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		l = BN_bn2bin(tmp_2, data);
 		printf("static unsigned char ecdsa%d_a[]={",bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n");
 		l = BN_bn2bin(tmp_3, data);
 		printf("static unsigned char ecdsa%d_b[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		l = BN_bn2bin(tmp_4, data);
 		printf("static unsigned char ecdsa%d_x[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n");
 		l = BN_bn2bin(tmp_5, data);
 		printf("static unsigned char ecdsa%d_y[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n");
 		l = BN_bn2bin(tmp_6, data);
 		printf("static unsigned char ecdsa%d_o[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n");
 		l = BN_bn2bin(tmp_7, data);
 		printf("static unsigned char ecdsa%d_c[]={", bits_p);
 		for (i=0; i<l; i++)
 		{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 		}
 		printf("\n\t};\n\n");
 		/* FIXME:
 		 * generated code should check for errors
 		 */
 		printf("ECDSA *get_ecdsa%d(void)\n\t{\n",bits_p);
 		printf("\tint ok=0;\n");
 		printf("\tECDSA    *ecdsa=NULL;\n");
 		printf("\tEC_POINT *point=NULL;\n");
 		printf("\tBIGNUM   *tmp_1=NULL,*tmp_2=NULL,*tmp_3=NULL;\n\n");
 		printf("\tif ((ecdsa=ECDSA_new()) == NULL)\n");
 		printf("\t\treturn(NULL);\n\n");
 		printf("\t/* generate EC_GROUP structure */\n");
 		printf("\tif ((tmp_1 = BN_bin2bn(ecdsa%d_p, sizeof(ecdsa%d_p), NULL)) == NULL) goto err;\n", bits_p, bits_p);
 		printf("\tif ((tmp_2 = BN_bin2bn(ecdsa%d_a, sizeof(ecdsa%d_a), NULL)) == NULL) goto err;\n", bits_p, bits_p);
 		printf("\tif ((tmp_3 = BN_bin2bn(ecdsa%d_b, sizeof(ecdsa%d_b), NULL)) == NULL) goto err;\n", bits_p, bits_p);
 		printf("\tif ((ecdsa->group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL) goto err;\n\n");
 		printf("\t/* build generator */\n");
 		printf("\tif (!BN_bin2bn(ecdsa%d_x, sizeof(ecdsa%d_x), tmp_1)) goto err;\n", bits_p, bits_p);
 		printf("\tif (!BN_bin2bn(ecdsa%d_y, sizeof(ecdsa%d_y), tmp_2)) goto err;\n", bits_p, bits_p);
 		printf("\tif ((point = EC_POINT_new(ecdsa->group)) == NULL) goto err;\n");
 		printf("\tif (!EC_POINT_set_affine_coordinates_GFp(ecdsa->group, point, tmp_1, tmp_2, NULL)) goto err;\n");
 		printf("\t/* set generator, order and cofactor */\n");
 		printf("\tif (!BN_bin2bn(ecdsa%d_o, sizeof(ecdsa%d_o), tmp_1)) goto err;\n", bits_p, bits_p);
 		printf("\tif (!BN_bin2bn(ecdsa%d_c, sizeof(ecdsa%d_c), tmp_2)) goto err;\n", bits_p, bits_p);
 		printf("\tif (!EC_GROUP_set_generator(ecdsa->group, point, tmp_1, tmp_2)) goto err;\n");
 		printf("\n\tok=1;\n");
 		printf("err:\n");
 		printf("\tif (tmp_1) BN_free(tmp_1);\n");
 		printf("\tif (tmp_2) BN_free(tmp_2);\n");
 		printf("\tif (tmp_3) BN_free(tmp_3);\n");
 		printf("\tif (point) EC_POINT_free(point);\n");
 		printf("\tif (!ok)\n");
 		printf("\t\t{\n");
 		printf("\t\tECDSA_free(ecdsa);\n");
 		printf("\t\tecdsa = NULL;\n");
 		printf("\t\t}\n");
 		printf("\treturn(ecdsa);\n\t}\n");
 	}
 	if (!noout)
 	{
 		if (outformat == FORMAT_ASN1)
 			i = i2d_ECDSAParameters_bio(out, ecdsa);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECDSAParameters(out, ecdsa);
 		else	
 		{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 		}
 		if (!i)
 		{
 			BIO_printf(bio_err, "unable to write ECDSA parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	if (genkey)
 	{
 		ECDSA *ecdsakey;
 		assert(need_rand);
 		if ((ecdsakey = ECDSAParameters_dup(ecdsa)) == NULL) goto end;
 		if (!ECDSA_generate_key(ecdsakey)) goto end;
 		if (outformat == FORMAT_ASN1)
 			i = i2d_ECDSAPrivateKey_bio(out, ecdsakey);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsakey, NULL, NULL, 0, NULL, NULL);
 		else	
 		{
 			BIO_printf(bio_err, "bad output format specified for outfile\n");
 			goto end;
 		}
 		ECDSA_free(ecdsakey);
 	}
 	if (need_rand)
 		app_RAND_write_file(NULL, bio_err);
 	ret=0;
 end:
 	if (in != NULL) 	BIO_free(in);
 	if (out != NULL) 	BIO_free_all(out);
 	if (ecdsa != NULL) 	ECDSA_free(ecdsa);
 	if (tmp_1)		BN_free(tmp_1);
 	if (tmp_2)		BN_free(tmp_2);
 	if (tmp_3)		BN_free(tmp_3);
 	if (tmp_3)		BN_free(tmp_4);
 	if (tmp_3)		BN_free(tmp_5);
 	if (tmp_3)		BN_free(tmp_6);
 	if (tmp_3)		BN_free(tmp_7);
 	if (ctx)		BN_CTX_free(ctx);
 	if (data)		OPENSSL_free(data);
 	apps_shutdown();
 	EXIT(ret);
 }
 #endif
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -78,7 +78,7 @@ int set_hex(char *in,unsigned char *out,int size);
 #define BSIZE	(8*1024)
 #define	PROG	enc_main
-void show_ciphers(const OBJ_NAME *name,void *bio_)
+static void show_ciphers(const OBJ_NAME *name,void *bio_)
 	{
 	BIO *bio=bio_;
 	static int n;
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -44,6 +44,7 @@ $!  keywords:
 $!
 $!	UCX		for UCX
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!	TCPIP		for TCPIP (post UCX)
 $!
 $!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
@@ -963,7 +964,8 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
@@ -973,7 +975,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -999,19 +1001,45 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
 $     ENDIF
 $!
 $!    Done with UCX
 $!
 $   ENDIF
 $!
 $!  Check to see if TCPIP (post UCX) was chosen
 $!
 $   IF P4.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP.
 $!
 $     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
 $!
 $!    Done with TCPIP
 $!
 $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
 $   IF P4.EQS."NONE"
 $   THEN
 $!
 $!    Do not use TCPIP.
 $!
 $     TCPIP_LIB = ""
 $!
 $!    Done with TCPIP
 $!
 $   ENDIF
 $!
 $!  Add TCP/IP type to CC definitions.
 $!
 $   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'"
@@ -1031,6 +1059,7 @@ $   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
 $   WRITE SYS$OUTPUT "    TCPIP      :  To link with TCPIP (post UCX) TCP/IP library."
 $   WRITE SYS$OUTPUT ""
 $!
 $!  Time To EXIT.
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -58,9 +58,9 @@
 #include <stdio.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include "apps.h"
 #undef PROG
 #define PROG nseq_main
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -58,11 +58,11 @@
 #include <stdio.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 #include "apps.h"
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD	(5 * 60)
@@ -553,8 +553,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-port num		 port to run responder on\n");
 		BIO_printf (bio_err, "-index file	 certificate status index file\n");
 		BIO_printf (bio_err, "-CA file		 CA certificate\n");
-		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign requests with\n");
+		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign responses with\n");
-		BIO_printf (bio_err, "-rkey file	 responder key to sign requests with\n");
+		BIO_printf (bio_err, "-rkey file	 responder key to sign responses with\n");
 		BIO_printf (bio_err, "-rother file	 other certificates to include in response\n");
 		BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
 		BIO_printf (bio_err, "-nmin n	 	 number of minutes before next update\n");
@@ -676,6 +676,18 @@ int MAIN(int argc, char **argv)
 	if (req_text && req) OCSP_REQUEST_print(out, req, 0);
 	if (reqout)
 		{
 		derbio = BIO_new_file(reqout, "wb");
 		if(!derbio)
 			{
 			BIO_printf(bio_err, "Error opening file %s\n", reqout);
 			goto end;
 			}
 		i2d_OCSP_REQUEST_bio(derbio, req);
 		BIO_free(derbio);
 		}
 	if (ridx_filename && (!rkey || !rsigner || !rca_cert))
 		{
 		BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
@@ -809,6 +821,8 @@ int MAIN(int argc, char **argv)
 	if (!store)
 		store = setup_verify(bio_err, CAfile, CApath);
 	if (!store)
 		goto end;
 	if (verify_certfile)
 		{
 		verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -114,6 +114,7 @@
 #include <string.h>
 #include <stdlib.h>
 #define OPENSSL_C /* tells apps.h to use complete apps_startup() */
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
@@ -123,7 +124,6 @@
 #include <openssl/ssl.h>
 #include <openssl/engine.h>
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
 #include "apps.h"
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -779,7 +779,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
 				return 0;
-		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) {
 			PKCS8_PRIV_KEY_INFO_free(p8);
 			return 0;
 		}
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -89,7 +89,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
-	int ret=0;
+	int ret=1;
 	char *engine=NULL;
 	apps_startup();
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -17,8 +17,6 @@ extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
 extern int ecdsa_main(int argc,char *argv[]);
 extern int ecdsaparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
@@ -80,12 +78,6 @@ FUNCTION functions[] = {
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	{FUNC_TYPE_GENERAL,"ecdsa",ecdsa_main},
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	{FUNC_TYPE_GENERAL,"ecdsaparam",ecdsaparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -33,8 +33,6 @@ foreach (@ARGV)
 		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^ecdsa$/) || ($_ =~ /^ecdsaparam$/))
 		{ print "#ifndef OPENSSL_NO_ECDSA\n${str}#endif\n";}
 	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
 		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^pkcs12$/))
--- a/apps/req.c
+++ b/apps/req.c
@@ -142,7 +142,6 @@ static int batch=0;
 #define TYPE_RSA	1
 #define TYPE_DSA	2
 #define TYPE_DH		3
 #define TYPE_ECDSA	4
 int MAIN(int, char **);
@@ -151,9 +150,6 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 #ifndef OPENSSL_NO_DSA
 	DSA *dsa_params=NULL;
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	ECDSA *ecdsa_params = NULL;
 #endif
 	unsigned long nmflag = 0;
 	int ex=1,x509=0,days=30;
@@ -322,60 +318,8 @@ int MAIN(int argc, char **argv)
 						}
 					}
 				BIO_free(in);
 				in=NULL;
 				newkey=BN_num_bits(dsa_params->p);
 				}
 			else 
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (strncmp("ecdsa:",p,4) == 0)
 				{
 				X509 *xtmp=NULL;
 				EVP_PKEY *dtmp;
 				pkey_type=TYPE_ECDSA;
 				p+=6;
 				if ((in=BIO_new_file(p,"r")) == NULL)
 					{
 					perror(p);
 					goto end;
 					}
 				if ((ecdsa_params = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL)) == NULL)
 					{
 					ERR_clear_error();
 					(void)BIO_reset(in);
 					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
 						{	
 						BIO_printf(bio_err,"unable to load ECDSA parameters from file\n");
 						goto end;
 						}
 					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
 					if (dtmp->type == EVP_PKEY_ECDSA)
 						ecdsa_params = ECDSAParameters_dup(dtmp->pkey.ecdsa);
 					EVP_PKEY_free(dtmp);
 					X509_free(xtmp);
 					if (ecdsa_params == NULL)
 						{
 						BIO_printf(bio_err,"Certificate does not contain ECDSA parameters\n");
 						goto end;
 						}
 					}
 				BIO_free(in);
 				in=NULL;
 				{
 				BIGNUM *order = BN_new();
 				if (!order)
 					goto end;
 				if (!EC_GROUP_get_order(ecdsa_params->group, order, NULL))
 					goto end;
 				newkey = BN_num_bits(order);
 				BN_free(order);
 				}
 				}
 			else 
 #endif
@@ -490,7 +434,6 @@ bad:
 		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -newkey ecdsa:file generate a new ECDSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 		BIO_printf(bio_err," -config file   request template file.\n");
 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
@@ -505,6 +448,7 @@ bad:
 		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
 		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
 		BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
 		BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
 		goto end;
 		}
@@ -686,7 +630,7 @@ bad:
 			   message */
 			goto end;
 			}
-		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || EVP_PKEY_type(pkey->type) == EVP_PKEY_ECDSA)
+		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
 			{
 			char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 			if (randfile == NULL)
@@ -710,15 +654,14 @@ bad:
 				newkey=DEFAULT_KEY_LENGTH;
 			}
-		if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
+		if (newkey < MIN_KEY_LENGTH)
 		/* TODO: appropriate minimal keylength for the different algorithm (esp. ECDSA) */
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
 			BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
 			goto end;
 			}
 		BIO_printf(bio_err,"Generating a %d bit %s private key\n",
-			newkey,(pkey_type == TYPE_RSA)?"RSA":(pkey_type == TYPE_DSA)?"DSA":"ECDSA");
+			newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");
 		if ((pkey=EVP_PKEY_new()) == NULL) goto end;
@@ -740,14 +683,6 @@ bad:
 			dsa_params=NULL;
 			}
 #endif
 #ifndef OPENSSL_NO_ECDSA
 			if (pkey_type == TYPE_ECDSA)
 			{
 			if (!ECDSA_generate_key(ecdsa_params)) goto end;
 			if (!EVP_PKEY_assign_ECDSA(pkey, ecdsa_params)) goto end;
 			ecdsa_params = NULL;
 			}
 #endif
 		app_RAND_write_file(randfile, bio_err);
@@ -853,10 +788,6 @@ loop:
 #ifndef OPENSSL_NO_DSA
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey->type == EVP_PKEY_ECDSA)
 			digest=EVP_ecdsa();
 #endif
 		if (req == NULL)
 			{
@@ -1138,9 +1069,6 @@ end:
 	OBJ_cleanup();
 #ifndef OPENSSL_NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (ecdsa_params != NULL) ECDSA_free(ecdsa_params);
 #endif
 	apps_shutdown();
 	EXIT(ex);
@@ -1210,64 +1138,22 @@ err:
 	return(ret);
 	}
 /*
 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
 * where characters may be escaped by \
 */
 static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
 	{
-	X509_NAME *n = NULL;
+	X509_NAME *n;
-	int i, nid, ne_num=0;
+	if (!(n = do_subject(subject, chtype)))
 		return 0;
-	char *ne_name = NULL;
+	if (!X509_REQ_set_subject_name(req, n))
 	char *ne_value = NULL;
 	char *tmp = NULL;
 	char *p[2];
 	char *str_list[256];
 	p[0] = ",/";
        p[1] = "=";
 	n = X509_NAME_new();
 	tmp = strtok(subject, p[0]);
 	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
 		{
 		char *token = tmp;
 		while (token[0] == ' ')
 			token++;
 		str_list[ne_num] = token;
 		tmp = strtok(NULL, p[0]);
 		ne_num++;
 		}
 	for(i = 0; i < ne_num; i++)
 		{
 		ne_name  = strtok(str_list[i], p[1]);
 		ne_value = strtok(NULL, p[1]);
 		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
 			{
 			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
 			continue;
 			}
 		if (ne_value == NULL)
 			{
 			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
 			continue;
 			}
 		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_value, -1,-1,0))
 		{
 		X509_NAME_free(n);
 		return 0;
 		}
 		}
 	if (!X509_REQ_set_subject_name(req, n))
 		return 0;
 	X509_NAME_free(n);
 	return 1;
 }
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -433,6 +433,11 @@ bad:
 		goto end;
 		}
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
        e = setup_engine(bio_err, engine_id, 1);
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -455,11 +460,6 @@ bad:
 			}
 		}
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
        e = setup_engine(bio_err, engine_id, 1);
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -683,6 +683,11 @@ bad:
 		goto end;
 		}
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
        e = setup_engine(bio_err, engine_id, 1);
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -705,7 +710,7 @@ bad:
 			}
 		}
-#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
 	if (nocert)
 #endif
 		{
@@ -715,11 +720,6 @@ bad:
 		s_dkey_file=NULL;
 		}
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
        e = setup_engine(bio_err, engine_id, 1);
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -85,7 +85,7 @@
 #include OPENSSL_UNISTD
 #endif
-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
 #define TIMES
 #endif
@@ -109,10 +109,6 @@
 #include <sys/timeb.h>
 #endif
 #ifdef _AIX
 #include <sys/select.h>
 #endif
 #if defined(sun) || defined(__ultrix)
 #define _POSIX_SOURCE
 #include <limits.h>
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -109,6 +109,12 @@ int MAIN(int argc, char **argv)
 	args = argv + 1;
 	ret = 1;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
@@ -465,7 +471,10 @@ int MAIN(int argc, char **argv)
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
 	} else if(operation == SMIME_SIGN) {
 		p7 = PKCS7_sign(signer, key, other, in, flags);
-		BIO_reset(in);
+		if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
 		  BIO_printf(bio_err, "Can't rewind input file\n");
 		  goto end;
 		}
 	} else {
 		if(informat == FORMAT_SMIME) 
 			p7 = SMIME_read_PKCS7(in, &indata);
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -245,7 +245,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-CAkeyform") == 0)
 			{
 			if (--argc < 1) goto bad;
-			CAformat=str2fmt(*(++argv));
+			CAkeyformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-days") == 0)
 			{
@@ -869,10 +869,6 @@ bad:
 		                if (Upkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (Upkey->type == EVP_PKEY_ECDSA)
 					digest=EVP_ecdsa();
 #endif
 				assert(need_rand);
 				if (!sign(x,Upkey,days,clrext,digest,
@@ -892,10 +888,6 @@ bad:
 		                if (CApkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 				if (CApkey->type == EVP_PKEY_ECDSA)
 					digest = EVP_ecdsa();
 #endif
 				assert(need_rand);
 				if (!x509_certify(ctx,CAfile,digest,x,xca,
@@ -923,10 +915,10 @@ bad:
 				BIO_printf(bio_err,"Generating certificate request\n");
 #ifndef OPENSSL_NO_DSA
 		                if (pk->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
-				else if (pk->type == EVP_PKEY_ECDSA)
+#endif
 					digest=EVP_ecdsa();
 				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
--- a/33
+++ b/33
@@ -390,18 +390,30 @@ exit 0
 # figure out if gcc is available and if so we use it otherwise
 # we fallback to whatever cc does on the system
-GCCVER=`(gcc --version) 2>/dev/null`
+GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
  CC=gcc
-  # then strip off whatever prefix Cygnus prepends the number with...
+  # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
-  GCCVER=`echo $GCCVER | sed 's/^[a-z]*\-//'`
+  # does give us what we want though, so we use that.  We just just the
  # major and minor version numbers.
  # peak single digit before and after first dot, e.g. 2.95.1 gives 29
  GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
 else
  CC=cc
 fi
 GCCVER=${GCCVER:-0}
-
+if [ "$SYSTEM" = "HP-UX" ];then
  # By default gcc is a ILP32 compiler (with long long == 64).
  GCC_BITS="32"
  if [ $GCCVER -ge 30 ]; then
    # PA64 support only came in with gcc 3.0.x.
    # We look for the preprocessor symbol __LP64__ indicating
    # 64bit bit long and pointer.  sizeof(int) == 32 on HPUX64.
    if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then
      GCC_BITS="64"
    fi
  fi
 fi
 if [ "$SYSTEM" = "SunOS" ]; then
  if [ $GCCVER -ge 30 ]; then
    # 64-bit ABI isn't officially supported in gcc 3.0, but it appears
@@ -517,6 +529,10 @@ EOF
 	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
 	rm dummy dummy.c
 	;;
  ppc64-*-linux2)
 	#Use the standard target for PPC architecture until we create a
 	#special one for the 64bit architecture.
 	OUT="linux-ppc" ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
@@ -655,7 +671,16 @@ EOF
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
  *-hpux1*)
 	if [ $CC = "gcc" ];
 	then
 	  if [ $GCC_BITS = "64" ]; then
 	    OUT="hpux64-parisc-gcc"
 	  else
 	    OUT="hpux-parisc-gcc"
 	  fi
 	else
 	  OUT="hpux-parisc-$CC"
 	fi
 	KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null`
 	KERNEL_BITS=${KERNEL_BITS:-32}
 	CPU_VERSION=`(getconf CPU_VERSION) 2>/dev/null`
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -28,7 +28,7 @@ LIBS=
 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
@@ -54,11 +54,11 @@ all: buildinf.h lib subdirs shared
 buildinf.h: ../Makefile.ssl
 	( echo "#ifndef MK1MF_BUILD"; \
-	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
+	echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \
-	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
+	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo "  #define PLATFORM \"$(PLATFORM)\""; \
+	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`date`\""; \
+	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo "#endif" ) >buildinf.h
+	echo '#endif' ) >buildinf.h
 testapps:
 	if echo ${SDIRS} | fgrep ' des '; \
@@ -136,12 +136,12 @@ lint:
 depend:
 	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(SDIRS) ;\
 	do \
 	(cd $$i && echo "making depend in crypto/$$i..." && \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
 	done;
 clean:
@@ -180,7 +180,7 @@ cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c
-ebcdic.o: ../include/openssl/opensslconf.h ebcdic.c
+ebcdic.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h ebcdic.c
 ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
--- a/crypto/aes/Makefile.ssl
+++ b/crypto/aes/Makefile.ssl
@@ -75,7 +75,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@@ -137,7 +137,7 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 	} else {
 		while (l--) {
 			if (n == 0) {
-				AES_decrypt(ivec, ivec, key);
+				AES_encrypt(ivec, ivec, key);
 			}
 			c = *(in);
 			*(out++) = *(in++) ^ ivec[n];
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -106,8 +106,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	while (l--) {
 		if (n == 0) {
 			AES_ctr128_inc(counter);
 			AES_encrypt(counter, tmp, key);
 			AES_ctr128_inc(counter);
 		}
 		*(out++) = *(in++) ^ tmp[n];
 		n = (n+1) % AES_BLOCK_SIZE;
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -60,10 +60,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
 #include <string.h>
 #endif
 #ifdef _MSC_VER
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -71,8 +71,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	if (a == NULL) return(0);
 	len=a->length;
 	ret=1+len;
 	if (pp == NULL) return(ret);
 	if (len > 0)
 		{
@@ -100,6 +98,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 		}
 	else
 		bits=0;
 	ret=1+len;
 	if (pp == NULL) return(ret);
 	p= *pp;
 	*(p++)=(unsigned char)bits;
--- a/crypto/asn1/a_enum.c
+++ b/crypto/asn1/a_enum.c
@@ -151,7 +151,17 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
 		{
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
 			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
 		}
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -397,7 +397,16 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
 		{
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
 			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
 		}
 	ret->length=BN_bn2bin(bn,ret->data);
 	/* Correct zero case */
 	if(!ret->length)
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -118,7 +118,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}
        pStart  = p; /* Catch the beg of Setblobs*/
-        rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
 we will store the SET blobs */
        for (i=0; i<sk_num(a); i++)
@@ -135,7 +135,7 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        pTempMem = OPENSSL_malloc(totSize);
+        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;
 /* Copy to temp mem */
        p = pTempMem;
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include <stdio.h>
 #include <time.h>
@@ -90,7 +143,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
 			{
 			/* special case: RFC 2459 tells us to omit 'parameters'
 			 * with id-dsa-with-sha1 */
 			ASN1_TYPE_free(a->parameter);
 			a->parameter = NULL;
 			}
 		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
@@ -169,7 +229,14 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
 			{
 			/* special case: RFC 2459 tells us to omit 'parameters'
 			 * with id-dsa-with-sha1 */
 			ASN1_TYPE_free(a->parameter);
 			a->parameter = NULL;
 			}
 		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -77,8 +77,8 @@
 /* Three IO functions for sending data to memory, a BIO and
 * and a FILE pointer.
 */
-
+#if 0				/* never used */
-int send_mem_chars(void *arg, const void *buf, int len)
+static int send_mem_chars(void *arg, const void *buf, int len)
 {
 	unsigned char **out = arg;
 	if(!out) return 1;
@@ -86,15 +86,16 @@ int send_mem_chars(void *arg, const void *buf, int len)
 	*out += len;
 	return 1;
 }
 #endif
-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(BIO_write(arg, buf, len) != len) return 0;
 	return 1;
 }
-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -240,7 +241,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen
 * #01234 format.
 */
-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 {
 	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
 	 * the DER encoding to readily obtained
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -222,6 +222,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	{
 	struct tm *tm;
 	struct tm data;
 	int offset;
 	int year;
@@ -238,7 +239,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	t -= offset*60; /* FIXME: may overflow in extreme cases */
-	{ struct tm data; tm = OPENSSL_gmtime(&t, &data); }
+	tm = OPENSSL_gmtime(&t, &data);
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
 	year = g2(s->data);
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -773,6 +773,7 @@ int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
 int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
 DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
 DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
@@ -1008,13 +1009,12 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_PKEY				 159
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
 #define ASN1_F_I2D_ECDSA_PUBKEY				 174
 #define ASN1_F_I2D_NETSCAPE_RSA				 162
 #define ASN1_F_I2D_PRIVATEKEY				 163
 #define ASN1_F_I2D_PUBLICKEY				 164
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
-#define ASN1_F_OID_MODULE_INIT				 175
+#define ASN1_F_OID_MODULE_INIT				 174
 #define ASN1_F_PKCS5_PBE2_SET				 167
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -128,7 +128,6 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ECDSA_PUBKEY,0),	"i2d_ECDSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
 {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
 static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -123,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 		(int)(omax+ *pp));
 #endif
-#if 0
+	if (*plength > (omax - (*pp - p)))
 	if ((p+ *plength) > (omax+ *pp))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
 #endif
 	*pp=p;
 	return(ret|inf);
 err:
@@ -158,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
 			if (i > sizeof(long))
 				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -169,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		else
 			ret=i;
 		}
 	if (ret < 0)
 		return 0;
 	*pp=p;
 	*rl=ret;
 	return(1);
@@ -406,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -110,16 +107,6 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 			goto err;
 			}
 		break;
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		if ((ret->pkey.ecdsa = d2i_ECDSAPrivateKey(NULL, 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PRIVATEKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
@@ -151,10 +138,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
 	/* Since we only need to discern "traditional format" RSA and DSA
 	 * keys we can just count the elements.
         */
-	if(sk_ASN1_TYPE_num(inkey) == 6) 
+	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
 		keytype = EVP_PKEY_DSA;
 	else if (sk_ASN1_TYPE_num(inkey) == 4)
 		keytype = EVP_PKEY_ECDSA;
 	else keytype = EVP_PKEY_RSA;
 	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
 	return d2i_PrivateKey(keytype, a, pp, length);
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -103,23 +100,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
-		if ((ret->pkey.dsa=d2i_DSAPublicKey(&(ret->pkey.dsa),
+		if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,
 			(const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		if ((ret->pkey.ecdsa = ECDSAPublicKey_set_octet_string(&(ret->pkey.ecdsa), 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
 			goto err;
 			}
 	break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PUBLICKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/i2d_pr.c
+++ b/crypto/asn1/i2d_pr.c
@@ -67,9 +67,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -86,12 +83,6 @@ int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 		return(i2d_DSAPrivateKey(a->pkey.dsa,pp));
 		}
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (a->type == EVP_PKEY_ECDSA)
 		{
 		return(i2d_ECDSAPrivateKey(a->pkey.ecdsa, pp));
 		}
 #endif
 	ASN1err(ASN1_F_I2D_PRIVATEKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
 	return(-1);
--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -67,9 +67,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -82,10 +79,6 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
 		return(i2d_DSAPublicKey(a->pkey.dsa,pp));
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	case EVP_PKEY_ECDSA:
 		return(ECDSAPublicKey_get_octet_string(a->pkey.ecdsa, pp));
 #endif
 	default:
 		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/n_pkey.c
+++ b/crypto/asn1/n_pkey.c
@@ -92,6 +92,8 @@ ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = {
 	ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG)
 } ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)
 DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
 DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
 ASN1_SEQUENCE(NETSCAPE_PKEY) = {
@@ -100,6 +102,8 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = {
 	ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(NETSCAPE_PKEY)
 DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
 static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -116,6 +116,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
 		goto err;
 	EVP_CIPHER_CTX_init(&ctx);
 	/* Dummy cipherinit to just setup the IV */
 	EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
 	if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -69,9 +69,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 static int print(BIO *fp,const char *str,BIGNUM *num,
 		unsigned char *buf,int off);
@@ -99,10 +96,34 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 	char str[128];
 	const char *s;
 	unsigned char *m=NULL;
-	int i,ret=0;
+	int ret=0;
 	size_t buf_len=0, i;
-	i=RSA_size(x);
+	if (x->n)
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+		buf_len = (size_t)BN_num_bytes(x->n);
 	if (x->e)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->e)))
 			buf_len = i;
 	if (x->d)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->d)))
 			buf_len = i;
 	if (x->p)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->p)))
 			buf_len = i;
 	if (x->q)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
 			buf_len = i;
 	if (x->dmp1)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1)))
 			buf_len = i;
 	if (x->dmq1)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1)))
 			buf_len = i;
 	if (x->iqmp)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp)))
 			buf_len = i;
 	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -164,22 +185,25 @@ int DSA_print(BIO *bp, const DSA *x, int off)
 	{
 	char str[128];
 	unsigned char *m=NULL;
-	int i,ret=0;
+	int ret=0;
-	BIGNUM *bn=NULL;
+	size_t buf_len=0,i;
-	if (x->p != NULL)
+	if (x->p)
-		bn=x->p;
+		buf_len = (size_t)BN_num_bytes(x->p);
-	else if (x->priv_key != NULL)
+	if (x->q)
-		bn=x->priv_key;
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
-	else if (x->pub_key != NULL)
+			buf_len = i;
-		bn=x->pub_key;
+	if (x->g)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
 			buf_len = i;
 	if (x->priv_key)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key)))
 			buf_len = i;
 	if (x->pub_key)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key)))
 			buf_len = i;
-	/* larger than needed but what the hell :-) */
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (bn != NULL)
 		i=BN_num_bytes(bn)*2;
 	else
 		i=256;
 	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
 	if (m == NULL)
 		{
 		DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -212,150 +236,6 @@ err:
 	}
 #endif /* !OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_ECDSA
 #ifndef OPENSSL_NO_FP_API
 int ECDSA_print_fp(FILE *fp, const ECDSA *x, int off)
 {
 	BIO *b;
 	int ret;
 	if ((b=BIO_new(BIO_s_file())) == NULL)
 	{
 		ECDSAerr(ECDSA_F_ECDSA_PRINT_FP, ERR_R_BIO_LIB);
 		return(0);
 	}
 	BIO_set_fp(b, fp, BIO_NOCLOSE);
 	ret = ECDSA_print(b, x, off);
 	BIO_free(b);
 	return(ret);
 }
 #endif
 int ECDSA_print(BIO *bp, const ECDSA *x, int off)
 	{
 	char str[128];
 	unsigned char *buffer=NULL;
 	int     i, buf_len=0, ret=0, reason=ERR_R_BIO_LIB;
 	BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL,
 		*tmp_4=NULL, *tmp_5=NULL, *tmp_6=NULL,
 		*tmp_7=NULL;
 	BN_CTX  *ctx=NULL;
 	EC_POINT *point=NULL;
 	/* TODO: fields other than prime fields */
 	if (!x || !x->group)
 		{
 		reason = ECDSA_R_MISSING_PARAMETERS;
 		goto err;
 		}
 	if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
 		(tmp_3 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL ||
 		(tmp_6 = BN_new()) == NULL || (tmp_7 = BN_new()) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
 	if (!EC_GROUP_get_curve_GFp(x->group, tmp_1, tmp_2, tmp_3, ctx))
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
 	if ((point = EC_GROUP_get0_generator(x->group)) == NULL)
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
 	if (!EC_GROUP_get_order(x->group, tmp_6, NULL) || !EC_GROUP_get_cofactor(x->group, tmp_7, NULL))
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
 	if ((buf_len = EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), NULL, 0, ctx)) == 0)
 		{
 		reason = ECDSA_R_UNEXPECTED_PARAMETER_LENGTH;
 		goto err;
 		}
 	if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
 	if (!EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), 
 				buffer, buf_len, ctx)) goto err;
 	if ((tmp_4 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
 		{
 		reason = ERR_R_BN_LIB;
 		goto err;
 		}
 	if ((i = EC_POINT_point2oct(x->group, x->pub_key, ECDSA_get_conversion_form(x), NULL, 0, ctx)) == 0)
 		{
 		reason = ECDSA_R_UNEXPECTED_PARAMETER_LENGTH;
 		goto err;
 		}
 	if (i > buf_len && (buffer = OPENSSL_realloc(buffer, i)) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		buf_len = i;
 		goto err;
 		}
 	if (!EC_POINT_point2oct(x->group, x->pub_key, ECDSA_get_conversion_form(x), 
 				buffer, buf_len, ctx))
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}
 	if ((tmp_5 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
 		{
 		reason = ERR_R_BN_LIB;
 		goto err;
 		}
 	if (tmp_1 != NULL)
 		i = BN_num_bytes(tmp_1)*2;
 	else
 		i=256;
 	if ((i + 10) > buf_len && (buffer = OPENSSL_realloc(buffer, i+10)) == NULL)
 		{
 		reason = ERR_R_MALLOC_FAILURE;
 		buf_len = i;
 		goto err;
 		}
 	if (off)
 		{
 		if (off > 128) off=128;
 		memset(str,' ',off);
 		}
 	if (x->priv_key != NULL)
 		{
 		if (off && (BIO_write(bp, str, off) <= 0)) goto err;
 		if (BIO_printf(bp, "Private-Key: (%d bit)\n", BN_num_bits(tmp_1)) <= 0) goto err;
 		}
 	if ((x->priv_key != NULL) && !print(bp, "priv:", x->priv_key, buffer, off)) goto err;
 	if ((tmp_5 != NULL) && !print(bp, "pub: ", tmp_5, buffer, off)) goto err;
 	if ((tmp_1 != NULL) && !print(bp, "P:   ", tmp_1, buffer, off)) goto err;
 	if ((tmp_2 != NULL) && !print(bp, "A:   ", tmp_2, buffer, off)) goto err;
 	if ((tmp_3 != NULL) && !print(bp, "B:   ", tmp_3, buffer, off)) goto err;
 	if ((tmp_4 != NULL) && !print(bp, "Gen: ", tmp_4, buffer, off)) goto err;
 	if ((tmp_6 != NULL) && !print(bp, "Order: ", tmp_6, buffer, off)) goto err;
 	if ((tmp_7 != NULL) && !print(bp, "Cofactor: ", tmp_7, buffer, off)) goto err;
 	ret=1;
 err:
 	if (!ret)
 		ECDSAerr(ECDSA_F_ECDSA_PRINT, reason);
 	if (tmp_1) BN_free(tmp_1);
 	if (tmp_2) BN_free(tmp_2);
 	if (tmp_3) BN_free(tmp_3);
 	if (tmp_4) BN_free(tmp_4);
 	if (tmp_5) BN_free(tmp_5);
 	if (tmp_6) BN_free(tmp_6);
 	if (tmp_7) BN_free(tmp_7);
 	if (ctx)   BN_CTX_free(ctx);
 	if (buffer != NULL) OPENSSL_free(buffer);
 	return(ret);
 	}
 #endif
 static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
 	     int off)
 	{
@@ -428,10 +308,15 @@ int DHparams_print_fp(FILE *fp, const DH *x)
 int DHparams_print(BIO *bp, const DH *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,i,ret=0;
+	int reason=ERR_R_BUF_LIB,ret=0;
 	size_t buf_len=0, i;
-	i=BN_num_bytes(x->p);
+	if (x->p)
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+		buf_len = (size_t)BN_num_bytes(x->p);
 	if (x->g)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
 			buf_len = i;
 	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		reason=ERR_R_MALLOC_FAILURE;
@@ -481,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, const DSA *x)
 int DSAparams_print(BIO *bp, const DSA *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,i,ret=0;
+	int reason=ERR_R_BUF_LIB,ret=0;
 	size_t buf_len=0,i;
-	i=BN_num_bytes(x->p);
+	if (x->p)
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+		buf_len = (size_t)BN_num_bytes(x->p);
 	if (x->q)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
 			buf_len = i;
 	if (x->g)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
 			buf_len = i;
 	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		reason=ERR_R_MALLOC_FAILURE;
@@ -506,95 +399,3 @@ err:
 #endif /* !OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_ECDSA
 #ifndef OPENSSL_NO_FP_API
 int ECDSAParameters_print_fp(FILE *fp, const ECDSA *x)
 	{
 	BIO *b;
 	int ret;
 	if ((b=BIO_new(BIO_s_file())) == NULL)
 	{
 		ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT_FP, ERR_R_BIO_LIB);
 		return(0);
 	}
 	BIO_set_fp(b, fp, BIO_NOCLOSE);
 	ret = ECDSAParameters_print(b, x);
 	BIO_free(b);
 	return(ret);
 	}
 #endif
 int ECDSAParameters_print(BIO *bp, const ECDSA *x)
       {
       unsigned char *buffer=NULL;
       int     buf_len;
       int     reason=ERR_R_EC_LIB, i, ret=0;
       BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL, *tmp_4=NULL,
               *tmp_5=NULL, *tmp_6=NULL;
       BN_CTX  *ctx=NULL;
       EC_POINT *point=NULL;
       /* TODO: fields other than prime fields */
       if (!x || !x->group)
       {
 		reason = ECDSA_R_MISSING_PARAMETERS;
 		goto err;
       }
       if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
 	   (tmp_3 = BN_new()) == NULL || (tmp_5 = BN_new()) == NULL ||
           (tmp_6 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
       {
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 	}
 	if (!EC_GROUP_get_curve_GFp(x->group, tmp_1, tmp_2, tmp_3, ctx)) goto err;
 	if ((point = EC_GROUP_get0_generator(x->group)) == NULL) goto err;
 	if (!EC_GROUP_get_order(x->group, tmp_5, ctx)) goto err;
 	if (!EC_GROUP_get_cofactor(x->group, tmp_6, ctx)) goto err;	
 	buf_len = EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), NULL, 0, ctx);
 	if (!buf_len || (buffer = OPENSSL_malloc(buf_len)) == NULL)
 	{
 		reason = ERR_R_MALLOC_FAILURE;
 		goto err;
 	}
 	if (!EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), buffer, buf_len, ctx))
 	{
 		reason = ERR_R_EC_LIB;
 		goto err;
 	}
 	if ((tmp_4 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
 	{
 		reason = ERR_R_BN_LIB;
 		goto err;
 	}
 	i = BN_num_bits(tmp_1) + 10;
 	if (i > buf_len && (buffer = OPENSSL_realloc(buffer, i)) == NULL)
 	{
 		reason=ERR_R_MALLOC_FAILURE;
 		goto err;
 	}
 	if (BIO_printf(bp, "ECDSA-Parameters: (%d bit)\n", BN_num_bits(tmp_1)) <= 0) goto err;
 	if (!print(bp, "Prime p:", tmp_1, buffer, 4)) goto err;
 	if (!print(bp, "Curve a:", tmp_2, buffer, 4)) goto err;
 	if (!print(bp, "Curve b:", tmp_3, buffer, 4)) goto err;
 	if (!print(bp, "Generator (compressed):", tmp_4, buffer, 4)) goto err; 
 	if (!print(bp, "Order:", tmp_5, buffer, 4)) goto err;
 	if (!print(bp, "Cofactor:", tmp_6, buffer, 4)) goto err;
 	ret=1;
 err:
 	if (tmp_1)  BN_free(tmp_1);
 	if (tmp_2)  BN_free(tmp_2);
 	if (tmp_3)  BN_free(tmp_3);
 	if (tmp_4)  BN_free(tmp_4);
 	if (tmp_5)  BN_free(tmp_5);
 	if (tmp_6)  BN_free(tmp_6);
 	if (ctx)    BN_CTX_free(ctx);
 	if (buffer) OPENSSL_free(buffer);
 	ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT, reason);
 	return(ret);
 	}
 #endif
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -134,15 +134,6 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 		}
 	else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey != NULL && pkey->type == EVP_PKEY_ECDSA)
 		{
 			BIO_printf(bp, "%12sECDSA Public Key: \n","");
 			ECDSA_print(bp, pkey->pkey.ecdsa, 16);
 		}
 	else
 #endif
 		BIO_printf(bp,"%12sUnknown Public Key:\n","");
 	if (pkey != NULL)
--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@@ -93,15 +93,6 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 		}
 		else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey->type == EVP_PKEY_ECDSA)
 		{
 			BIO_printf(out, "  ECDSA Public Key:\n");
 			ECDSA_print(out, pkey->pkey.ecdsa,2);
 		}
 		else
 #endif
 			BIO_printf(out,"  Unknown Public Key:\n");
 		EVP_PKEY_free(pkey);
 	}
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -66,9 +66,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #ifndef OPENSSL_NO_ECDSA
 #include <openssl/ecdsa.h>
 #endif
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -231,14 +228,6 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 			DSA_print(bp,pkey->pkey.dsa,16);
 			}
 		else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 		if (pkey->type == EVP_PKEY_ECDSA)
 			{
 			BIO_printf(bp, "%12sECDSA Public Key:\n","");
 			ECDSA_print(bp, pkey->pkey.ecdsa, 16);
 			}
 		else
 #endif
 			BIO_printf(bp,"%12sUnknown Public Key:\n","");
--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -64,8 +64,7 @@
 /* Minor tweak to operation: free up EVP_PKEY */
 static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-	if (operation == ASN1_OP_FREE_POST)
+	if(operation == ASN1_OP_FREE_POST) {
 		{
 		X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
 		EVP_PKEY_free(pubkey->pkey);
 	}
@@ -109,8 +108,9 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 			a->parameter->type=V_ASN1_NULL;
 			}
 		}
 	else
 #ifndef OPENSSL_NO_DSA
-	else if (pkey->type == EVP_PKEY_DSA)
+		if (pkey->type == EVP_PKEY_DSA)
 		{
 		unsigned char *pp;
 		DSA *dsa;
@@ -119,7 +119,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		dsa->write_params=0;
 		ASN1_TYPE_free(a->parameter);
 		i=i2d_DSAparams(dsa,NULL);
-		p=(unsigned char *)OPENSSL_malloc(i);
+		if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
 		pp=p;
 		i2d_DSAparams(dsa,&pp);
 		a->parameter=ASN1_TYPE_new();
@@ -128,68 +128,19 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		ASN1_STRING_set(a->parameter->value.sequence,p,i);
 		OPENSSL_free(p);
 		}
 	else
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	else if (pkey->type == EVP_PKEY_ECDSA)
 		{
 		int nid=0;
 		unsigned char *pp;
 		ECDSA *ecdsa;
 		ecdsa = pkey->pkey.ecdsa;
 		ASN1_TYPE_free(a->parameter);
 		if ((a->parameter = ASN1_TYPE_new()) == NULL)
 			{
 			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
 			goto err;
 			}
 		if ((ECDSA_get_parameter_flags(ecdsa) & ECDSA_FLAG_NAMED_CURVE) && (nid = EC_GROUP_get_nid(ecdsa->group)))
 			{
 			/* just set the OID */
 			a->parameter->type = V_ASN1_OBJECT;
 			a->parameter->value.object = OBJ_nid2obj(nid);
 			}
 		else /* explicit parameters */
 			{
 			if ((i = i2d_ECDSAParameters(ecdsa, NULL)) == 0)
 				{
 				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
 				goto err;
 				}
 			if ((p = (unsigned char *) OPENSSL_malloc(i)) == NULL)
 				{
 				X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}	
 			pp = p;
 			if (!i2d_ECDSAParameters(ecdsa, &pp))
 				{
 				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
 				OPENSSL_free(p);
 				goto err;
 				}
 			a->parameter->type = V_ASN1_SEQUENCE;
 			if ((a->parameter->value.sequence = ASN1_STRING_new()) == NULL)
 				{
 				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
 				OPENSSL_free(p);
 				goto err;
 				}
 			ASN1_STRING_set(a->parameter->value.sequence, p, i);
 			OPENSSL_free(p);
 			}
 		}
 #endif
 	else if (1)
 		{
 		X509err(X509_F_X509_PUBKEY_SET,X509_R_UNSUPPORTED_ALGORITHM);
 		goto err;
 		}
 	if ((i=i2d_PublicKey(pkey,NULL)) <= 0) goto err;
-	if ((s=(unsigned char *)OPENSSL_malloc(i+1)) == NULL) goto err;
+	if ((s=(unsigned char *)OPENSSL_malloc(i+1)) == NULL)
 		{
 		X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 	p=s;
 	i2d_PublicKey(pkey,&p);
 	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
@@ -222,7 +173,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	long j;
 	int type;
 	unsigned char *p;
-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#ifndef OPENSSL_NO_DSA
 	const unsigned char *cp;
 	X509_ALGOR *a;
 #endif
@@ -238,31 +189,21 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	if (key->public_key == NULL) goto err;
 	type=OBJ_obj2nid(key->algor->algorithm);
-	if ((ret = EVP_PKEY_new()) == NULL)
+	p=key->public_key->data;
        j=key->public_key->length;
        if ((ret=d2i_PublicKey(type,NULL,&p,(long)j)) == NULL)
 		{
-		X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
+		X509err(X509_F_X509_PUBKEY_GET,X509_R_ERR_ASN1_LIB);
 		goto err;
 		}
-	ret->type = EVP_PKEY_type(type);
+	ret->save_parameters=0;
 	/* the parameters must be extracted before the public key (ECDSA!) */
 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
 	a=key->algor;
 #endif
 	if (0)
 		;
 #ifndef OPENSSL_NO_DSA
-	else if (ret->type == EVP_PKEY_DSA)
+	a=key->algor;
 	if (ret->type == EVP_PKEY_DSA)
 		{
 		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
 			{
 			if ((ret->pkey.dsa = DSA_new()) == NULL)
 				{
 				X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			ret->pkey.dsa->write_params=0;
 			cp=p=a->parameter->value.sequence->data;
 			j=a->parameter->value.sequence->length;
@@ -272,53 +213,6 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 		ret->save_parameters=1;
 		}
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	else if (ret->type == EVP_PKEY_ECDSA)
 		{
 		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
 			{
 			/* type == V_ASN1_SEQUENCE => we have explicit parameters
                         * (e.g. parameters in the X9_62_EC_PARAMETERS-structure )
 			 */
 			if ((ret->pkey.ecdsa= ECDSA_new()) == NULL)
 				{
 				X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			cp = p = a->parameter->value.sequence->data;
 			j = a->parameter->value.sequence->length;
 			if (!d2i_ECDSAParameters(&ret->pkey.ecdsa, &cp, (long)j))
 				{
 				X509err(X509_F_X509_PUBKEY_GET, ERR_R_ECDSA_LIB);
 				goto err;
 				}
 			}
 		else if (a->parameter && (a->parameter->type == V_ASN1_OBJECT))
 			{
 			/* type == V_ASN1_OBJECT => the parameters are given
 			 * by an asn1 OID
 			 */
 			if (ret->pkey.ecdsa == NULL)
 				ret->pkey.ecdsa = ECDSA_new();
 			if (ret->pkey.ecdsa->group)
 				EC_GROUP_free(ret->pkey.ecdsa->group);
 			ret->pkey.ecdsa->parameter_flags |= ECDSA_FLAG_NAMED_CURVE;
 			if ((ret->pkey.ecdsa->group = EC_GROUP_new_by_name(OBJ_obj2nid(a->parameter->value.object))) == NULL)
 				goto err;
 			}
 			/* the case implicitlyCA is currently not implemented */
 		ret->save_parameters = 1;
 		}
 #endif
 	p=key->public_key->data;
        j=key->public_key->length;
        if ((ret = d2i_PublicKey(type, &ret, &p, (long)j)) == NULL)
 		{
 		X509err(X509_F_X509_PUBKEY_GET, X509_R_ERR_ASN1_LIB);
 		goto err;
 		}
 	key->pkey=ret;
 	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_EVP_PKEY);
 	return(ret);
@@ -342,8 +236,7 @@ EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp,
 	pktmp = X509_PUBKEY_get(xpk);
 	X509_PUBKEY_free(xpk);
 	if(!pktmp) return NULL;
-	if(a)
+	if(a) {
 		{
 		EVP_PKEY_free(*a);
 		*a = pktmp;
 	}
@@ -378,8 +271,7 @@ RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp,
 	EVP_PKEY_free(pkey);
 	if(!key) return NULL;
 	*pp = q;
-	if (a)
+	if(a) {
 		{
 		RSA_free(*a);
 		*a = key;
 	}
@@ -392,8 +284,7 @@ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
 	int ret;
 	if(!a) return 0;
 	pktmp = EVP_PKEY_new();
-	if (!pktmp)
+	if(!pktmp) {
 		{
 		ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
@@ -418,8 +309,7 @@ DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp,
 	EVP_PKEY_free(pkey);
 	if(!key) return NULL;
 	*pp = q;
-	if (a)
+	if(a) {
 		{
 		DSA_free(*a);
 		*a = key;
 	}
@@ -432,8 +322,7 @@ int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
 	int ret;
 	if(!a) return 0;
 	pktmp = EVP_PKEY_new();
-	if(!pktmp)
+	if(!pktmp) {
 		{
 		ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
@@ -443,41 +332,3 @@ int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
 	return ret;
 }
 #endif
 #ifndef OPENSSL_NO_ECDSA
 ECDSA *d2i_ECDSA_PUBKEY(ECDSA **a, unsigned char **pp, long length)
 	{
 	EVP_PKEY *pkey;
 	ECDSA *key;
 	unsigned char *q;
 	q = *pp;
 	pkey = d2i_PUBKEY(NULL, &q, length);
 	if (!pkey) return(NULL);
 	key = EVP_PKEY_get1_ECDSA(pkey);
 	EVP_PKEY_free(pkey);
 	if (!key)  return(NULL);
 	*pp = q;
 	if (a)
 		{
 		ECDSA_free(*a);
 		*a = key;
 		}
 	return(key);
 	}
 int i2d_ECDSA_PUBKEY(ECDSA *a, unsigned char **pp)
 	{
 	EVP_PKEY *pktmp;
 	int ret;
 	if (!a)	return(0);
 	if ((pktmp = EVP_PKEY_new()) == NULL)
 		{
 		ASN1err(ASN1_F_I2D_ECDSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
 	EVP_PKEY_set1_ECDSA(pktmp, a);
 	ret = i2d_PUBKEY(pktmp, pp);
 	EVP_PKEY_free(pktmp);
 	return(ret);
 	}
 #endif
--- a/crypto/bf/Makefile.ssl
+++ b/crypto/bf/Makefile.ssl
@@ -96,7 +96,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bio/Makefile.ssl
+++ b/crypto/bio/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -56,6 +56,13 @@
 * [including the GNU Public Licence.]
 */
 /* disable assert() unless BIO_DEBUG has been defined */
 #ifndef BIO_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 /* 
 * Stolen from tjh's ssl/ssl_trc.c stuff.
 */
@@ -716,12 +723,13 @@ doapr_outch(
    if (buffer) {
 	while (*currlen >= *maxlen) {
 	    if (*buffer == NULL) {
 		assert(*sbuffer != NULL);
 		if (*maxlen == 0)
 		    *maxlen = 1024;
 		*buffer = OPENSSL_malloc(*maxlen);
-		if (*currlen > 0)
+		if (*currlen > 0) {
 		    assert(*sbuffer != NULL);
 		    memcpy(*buffer, *sbuffer, *currlen);
 		}
 		*sbuffer = NULL;
 	    } else {
 		*maxlen += 1024;
@@ -761,7 +769,9 @@ int BIO_vprintf (BIO *bio, const char *format, va_list args)
 	{
 	int ret;
 	size_t retlen;
-	MS_STATIC char hugebuf[1024*10];
+	char hugebuf[1024*2];	/* Was previously 10k, which is unreasonable
 				   in small-stack environments, like threads
 				   or DOS programs. */
 	char *hugebufp = hugebuf;
 	size_t hugebufsize = sizeof(hugebuf);
 	char *dynbuf = NULL;
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -484,7 +484,11 @@ int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
 	{
 	int i;
 #ifdef __DJGPP__
 	i=ioctlsocket(fd,type,(char *)arg);
 #else
 	i=ioctlsocket(fd,type,arg);
 #endif /* __DJGPP__ */
 	if (i < 0)
 		SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
 	return(i);
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -103,7 +103,7 @@ static int nbiof_new(BIO *bi)
 	{
 	NBIO_TEST *nt;
-	nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST));
+	if (!(nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST)))) return(0);
 	nt->lrn= -1;
 	nt->lwn= -1;
 	bi->ptr=(char *)nt;
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -554,7 +554,9 @@ BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);
 BIO_METHOD *BIO_s_fd(void);
 #ifndef OPENSSL_SYS_OS2
 BIO_METHOD *BIO_s_log(void);
 #endif
 BIO_METHOD *BIO_s_bio(void);
 BIO_METHOD *BIO_s_null(void);
 BIO_METHOD *BIO_f_null(void);
@@ -647,6 +649,7 @@ void ERR_load_BIO_strings(void);
 #define BIO_F_CONN_CTRL					 127
 #define BIO_F_CONN_STATE				 115
 #define BIO_F_FILE_CTRL					 116
 #define BIO_F_FILE_READ					 130
 #define BIO_F_LINEBUFFER_CTRL				 129
 #define BIO_F_MEM_READ					 128
 #define BIO_F_MEM_WRITE					 117
--- a/crypto/bio/bio_err.c
+++ b/crypto/bio/bio_err.c
@@ -91,6 +91,7 @@ static ERR_STRING_DATA BIO_str_functs[]=
 {ERR_PACK(0,BIO_F_CONN_CTRL,0),	"CONN_CTRL"},
 {ERR_PACK(0,BIO_F_CONN_STATE,0),	"CONN_STATE"},
 {ERR_PACK(0,BIO_F_FILE_CTRL,0),	"FILE_CTRL"},
 {ERR_PACK(0,BIO_F_FILE_READ,0),	"FILE_READ"},
 {ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),	"LINEBUFFER_CTRL"},
 {ERR_PACK(0,BIO_F_MEM_READ,0),	"MEM_READ"},
 {ERR_PACK(0,BIO_F_MEM_WRITE,0),	"MEM_WRITE"},
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -7,10 +7,19 @@
 * for which no specific BIO method is available.
 * See ssl/ssltest.c for some hints on how this can be used. */
 /* BIO_DEBUG implies BIO_PAIR_DEBUG */
 #ifdef BIO_DEBUG
 # ifndef BIO_PAIR_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
+#  define BIO_PAIR_DEBUG
 # endif
 #endif
 /* disable assert() unless BIO_PAIR_DEBUG has been defined */
 #ifndef BIO_PAIR_DEBUG
 # ifndef NDEBUG
 #  define NDEBUG
 # endif
 #endif
 #include <assert.h>
 #include <limits.h>
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -162,6 +162,12 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
 	if (b->init && (out != NULL))
 		{
 		ret=fread(out,1,(int)outl,(FILE *)b->ptr);
 		if(ret == 0 && ferror((FILE *)b->ptr))
 			{
 			SYSerr(SYS_F_FREAD,get_last_sys_error());
 			BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB);
 			ret=-1;
 			}
 		}
 	return(ret);
 	}
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -169,7 +169,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -136,7 +136,7 @@ extern "C" {
 #define BN_MASK2h	(0xffffffff00000000LL)
 #define BN_MASK2h1	(0xffffffff80000000LL)
 #define BN_TBIT		(0x8000000000000000LL)
-#define BN_DEC_CONV	(10000000000000000000LL)
+#define BN_DEC_CONV	(10000000000000000000ULL)
 #define BN_DEC_FMT1	"%llu"
 #define BN_DEC_FMT2	"%019llu"
 #define BN_DEC_NUM	19
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -200,10 +200,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	/* First we normalise the numbers */
 	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
-	BN_lshift(sdiv,divisor,norm_shift);
+	if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err;
 	sdiv->neg=0;
 	norm_shift+=BN_BITS2;
-	BN_lshift(snum,num,norm_shift);
+	if (!(BN_lshift(snum,num,norm_shift))) goto err;
 	snum->neg=0;
 	div_n=sdiv->top;
 	num_n=snum->top;
@@ -327,7 +327,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		tmp->top=j;
 		j=wnum.top;
-		BN_sub(&wnum,&wnum,tmp);
+		if (!BN_sub(&wnum,&wnum,tmp)) goto err;
 		snum->top=snum->top+wnum.top-j;
@@ -335,7 +335,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 			{
 			q--;
 			j=wnum.top;
-			BN_add(&wnum,&wnum,sdiv);
+			if (!BN_add(&wnum,&wnum,sdiv)) goto err;
 			snum->top+=wnum.top-j;
 			}
 		*(resp--)=q;
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -397,6 +397,12 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
 	{
 	BIGNUM *r = NULL;
 	/* This function does not work if
 	 *      words <= b->dmax && top < words
 	 * because BN_dup() does not preserve 'dmax'!
 	 * (But bn_dup_expand() is not used anywhere yet.)
 	 */
 	if (words > b->dmax)
 		{
 		BN_ULONG *a = bn_expand_internal(b, words);
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -221,7 +221,7 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
 	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
 	if (!BN_add(t2,a,t1)) goto err;
-	BN_rshift(ret,t2,mont->ri);
+	if (!BN_rshift(ret,t2,mont->ri)) goto err;
 #endif /* MONT_WORD */
 	if (BN_ucmp(ret, &(mont->N)) >= 0)
@@ -282,8 +282,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		BN_ULONG buf[2];
 		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-		BN_zero(R);
+		if (!(BN_zero(R))) goto err;
-		BN_set_bit(R,BN_BITS2);			/* R */
+		if (!(BN_set_bit(R,BN_BITS2))) goto err;	/* R */
 		buf[0]=mod->d[0]; /* tmod = N mod word size */
 		buf[1]=0;
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -66,7 +66,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
-#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__))/* Assembler implementation exists only for x86 */
+#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */
 /* Here follows specialised variants of bn_add_words() and
   bn_sub_words().  They have the property performing operations on
   arrays of different sizes.  The sizes of those arrays is expressed through
@@ -408,16 +408,22 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		return;
 		}
 #  endif
-	if (n2 == 8)
+	/* Only call bn_mul_comba 8 if n2 == 8 and the
 	 * two arrays are complete [steve]
 	 */
 	if (n2 == 8 && dna == 0 && dnb == 0)
 		{
 		bn_mul_comba8(r,a,b);
 		return; 
 		}
 # endif /* BN_MUL_COMBA */
 	/* Else do normal multiply */
 	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
 		{
-		/* This should not happen */
+		bn_mul_normal(r,a,n2+dna,b,n2+dnb);
-		bn_mul_normal(r,a,n2,b,n2);
+		if ((dna + dnb) < 0)
 			memset(&r[2*n2 + dna + dnb], 0,
 				sizeof(BN_ULONG) * -(dna + dnb));
 		return;
 		}
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
@@ -958,7 +964,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 	if ((al == 0) || (bl == 0))
 		{
-		BN_zero(r);
+		if (!BN_zero(r)) goto err;
 		return(1);
 		}
 	top=al+bl;
@@ -1038,7 +1044,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
 			{
 			BIGNUM *tmp_bn = (BIGNUM *)b;
-			bn_wexpand(tmp_bn,al);
+			if (bn_wexpand(tmp_bn,al) == NULL) goto err;
 			tmp_bn->d[bl]=0;
 			bl++;
 			i--;
@@ -1046,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
 			{
 			BIGNUM *tmp_bn = (BIGNUM *)a;
-			bn_wexpand(tmp_bn,bl);
+			if (bn_wexpand(tmp_bn,bl) == NULL) goto err;
 			tmp_bn->d[al]=0;
 			al++;
 			i++;
@@ -1061,14 +1067,14 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 			t = BN_CTX_get(ctx);
 			if (al == j) /* exact multiple */
 				{
-				bn_wexpand(t,k*2);
+				if (bn_wexpand(t,k*2) == NULL) goto err;
-				bn_wexpand(rr,k*2);
+				if (bn_wexpand(rr,k*2) == NULL) goto err;
 				bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
 				}
 			else
 				{
-				bn_wexpand(t,k*4);
+				if (bn_wexpand(t,k*4) == NULL) goto err;
-				bn_wexpand(rr,k*4);
+				if (bn_wexpand(rr,k*4) == NULL) goto err;
 				bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
 				}
 			rr->top=top;
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -925,7 +925,7 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 		/* r := a^t mod b */
 		b->neg=0;
-		if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err; /* XXX should be BN_mod_exp_recp, but ..._recp triggers a bug that must be fixed */
+		if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err;
 		b->neg=1;
 		if (BN_is_word(r, 1))
--- a/crypto/buffer/Makefile.ssl
+++ b/crypto/buffer/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/cast/Makefile.ssl
+++ b/crypto/cast/Makefile.ssl
@@ -97,7 +97,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/comp/Makefile.ssl
+++ b/crypto/comp/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/conf/Makefile.ssl
+++ b/crypto/conf/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -89,14 +89,14 @@ conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_api.o: conf_api.c
-conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+conf_def.o: ../../e_os.h ../../include/openssl/bio.h
-conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
+conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
-conf_def.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-conf_def.o: ../../include/openssl/opensslconf.h
+conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_def.o: conf_def.c conf_def.h
+conf_def.o: ../cryptlib.h conf_def.c conf_def.h
 conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
 conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 conf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@@ -111,55 +111,73 @@ conf_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_lib.o: conf_lib.c
-conf_mall.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_mall.o: ../../e_os.h ../../include/openssl/aes.h
-conf_mall.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+conf_mall.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-conf_mall.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_mall.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 conf_mall.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 conf_mall.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 conf_mall.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 conf_mall.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_mall.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 conf_mall.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 conf_mall.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-conf_mall.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+conf_mall.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-conf_mall.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+conf_mall.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 conf_mall.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
 conf_mall.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
 conf_mall.o: ../../include/openssl/objects.h
 conf_mall.o: ../../include/openssl/opensslconf.h
 conf_mall.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 conf_mall.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 conf_mall.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 conf_mall.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 conf_mall.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 conf_mall.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 conf_mall.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-conf_mall.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+conf_mall.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-conf_mall.o: ../cryptlib.h conf_mall.c
+conf_mall.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_mall.c
-conf_mod.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_mod.o: ../../e_os.h ../../include/openssl/aes.h
-conf_mod.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+conf_mod.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-conf_mod.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_mod.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 conf_mod.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 conf_mod.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 conf_mod.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 conf_mod.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_mod.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 conf_mod.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 conf_mod.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-conf_mod.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+conf_mod.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-conf_mod.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+conf_mod.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
 conf_mod.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 conf_mod.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 conf_mod.o: ../../include/openssl/opensslconf.h
 conf_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
 conf_mod.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
 conf_mod.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 conf_mod.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 conf_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_mod.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 conf_mod.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 conf_mod.o: ../cryptlib.h conf_mod.c
-conf_sap.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_sap.o: ../../e_os.h ../../include/openssl/aes.h
-conf_sap.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+conf_sap.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-conf_sap.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_sap.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
 conf_sap.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 conf_sap.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 conf_sap.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 conf_sap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_sap.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 conf_sap.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 conf_sap.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-conf_sap.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+conf_sap.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-conf_sap.o: ../../include/openssl/opensslconf.h
+conf_sap.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
 conf_sap.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
 conf_sap.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 conf_sap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 conf_sap.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
 conf_sap.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 conf_sap.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 conf_sap.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-conf_sap.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+conf_sap.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-conf_sap.o: ../cryptlib.h conf_sap.c
+conf_sap.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_sap.c
--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -129,6 +129,7 @@ int CONF_dump_fp(LHASH *conf, FILE *out);
 int CONF_dump_bio(LHASH *conf, BIO *out);
 void OPENSSL_config(const char *config_name);
 void OPENSSL_no_config(void);
 /* New conf code.  The semantics are different from the functions above.
   If that wasn't the case, the above functions would have been replaced */
@@ -141,10 +142,10 @@ struct conf_st
 	};
 CONF *NCONF_new(CONF_METHOD *meth);
-CONF_METHOD *NCONF_default();
+CONF_METHOD *NCONF_default(void);
-CONF_METHOD *NCONF_WIN32();
+CONF_METHOD *NCONF_WIN32(void);
 #if 0 /* Just to give you an idea of what I have in mind */
-CONF_METHOD *NCONF_XML();
+CONF_METHOD *NCONF_XML(void);
 #endif
 void NCONF_free(CONF *conf);
 void NCONF_free_data(CONF *conf);
@@ -176,6 +177,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
 			   unsigned long flags);
 void CONF_modules_unload(int all);
 void CONF_modules_finish(void);
 void CONF_modules_free(void);
 int CONF_module_add(const char *name, conf_init_func *ifunc,
 		    conf_finish_func *ffunc);
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 #include "cryptlib.h"
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -208,12 +209,12 @@ static int def_load(CONF *conf, const char *name, long *line)
 static int def_load_bio(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
 	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
 	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- a/crypto/conf/conf_lib.c
+++ b/crypto/conf/conf_lib.c
@@ -382,8 +382,9 @@ int NCONF_dump_bio(const CONF *conf, BIO *out)
 	return conf->meth->dump(conf, out);
 	}
 /* This function should be avoided */
-#undef NCONF_get_number
+#if 0
 long NCONF_get_number(CONF *conf,char *group,char *name)
 	{
 	int status;
@@ -397,4 +398,4 @@ long NCONF_get_number(CONF *conf,char *group,char *name)
 		}
 	return ret;
 	}
-
+#endif
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -230,7 +230,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
 		{
 		if (!(flags & CONF_MFLAGS_SILENT))
 			{
-			char rcode[10];
+			char rcode[DECIMAL_SIZE(ret)+1];
 			CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
 			sprintf(rcode, "%-8d", ret);
 			ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -103,9 +103,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"dynlock",
 	"engine",
 	"ui",
-	"ecdsa",
+#if CRYPTO_NUM_LOCKS != 31
 	"ec",
 #if CRYPTO_NUM_LOCKS != 33
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -494,3 +492,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif
 #endif
 void OpenSSLDie(const char *file,int line,const char *assertion)
    {
    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
 	    file,line,assertion);
    abort();
    }
--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -89,6 +89,14 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 /* size of string represenations */
 #define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
 #define HEX_SIZE(type)         ((sizeof(type)*2)
 /* die if we have to */
 void OpenSSLDie(const char *file,int line,const char *assertion);
 #define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
 #ifdef  __cplusplus
 }
 #endif
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -49,6 +49,7 @@ $!  P5, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!	UCX		for UCX
 $!	TCPIP		for TCPIP (post UCX)
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!
 $!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
@@ -640,6 +641,7 @@ $   WRITE SYS$OUTPUT "	",APPLICATION,".exe"
 $!
 $! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
 $!
 $   ON ERROR THEN GOTO NEXT_APPLICATION
 $   IF (RSAREF.EQS."TRUE")
 $   THEN
 $!
@@ -1358,7 +1360,8 @@ $   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX"
+$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
     .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
@@ -1368,7 +1371,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -1394,19 +1397,45 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
 $     ENDIF
 $!
 $!    Done with UCX
 $!
 $   ENDIF
 $!
 $!  Check to see if TCPIP was chosen
 $!
 $   IF P5.EQS."TCPIP"
 $   THEN
 $!
 $!    Set the library to use TCPIP (post UCX).
 $!
 $     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
 $!
 $!    Done with TCPIP
 $!
 $   ENDIF
 $!
 $!  Check to see if NONE was chosen
 $!
 $   IF P5.EQS."NONE"
 $   THEN
 $!
 $!    Do not use a TCPIP library.
 $!
 $     TCPIP_LIB = ""
 $!
 $!    Done with TCPIP
 $!
 $   ENDIF
 $!
 $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
@@ -1422,6 +1451,7 @@ $   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
 $   WRITE SYS$OUTPUT "    TCPIP      :  To link with TCPIP (post UCX) TCP/IP library."
 $   WRITE SYS$OUTPUT ""
 $!
 $!  Time To EXIT.
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -126,9 +126,7 @@ extern "C" {
 #define	CRYPTO_LOCK_DYNLOCK		28
 #define	CRYPTO_LOCK_ENGINE		29
 #define	CRYPTO_LOCK_UI			30
-#define CRYPTO_LOCK_ECDSA               31
+#define	CRYPTO_NUM_LOCKS		31
 #define CRYPTO_LOCK_EC			32
 #define	CRYPTO_NUM_LOCKS		33
 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -235,7 +233,6 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
 #define CRYPTO_EX_INDEX_ENGINE		9
 #define CRYPTO_EX_INDEX_X509		10
 #define CRYPTO_EX_INDEX_UI		11
 #define CRYPTO_EX_INDEX_ECDSA		12
 /* Dynamically assigned indexes start from this value (don't use directly, use
 * via CRYPTO_ex_data_new_class). */
--- a/crypto/des/Makefile.ssl
+++ b/crypto/des/Makefile.ssl
@@ -108,7 +108,6 @@ files:
 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(TOP)/util/point.sh ../../perlasm asm/perlasm
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
@@ -131,7 +130,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/des/des_old.h
+++ b/crypto/des/des_old.h
@@ -173,7 +173,7 @@ typedef struct _ossl_old_des_ks_struct
 	DES_fcrypt((b),(s),(r))
 #define des_crypt(b,s)\
 	DES_crypt((b),(s))
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
 #define crypt(b,s)\
 	DES_crypt((b),(s))
 #endif
@@ -366,7 +366,7 @@ int _ossl_old_des_enc_write(int fd,char *buf,int len,_ossl_old_des_key_schedule
 	_ossl_old_des_cblock *iv);
 char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret);
 char *_ossl_old_des_crypt(const char *buf,const char *salt);
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#if !defined(PERL5) && !defined(NeXT)
 char *_ossl_old_crypt(const char *buf,const char *salt);
 #endif
 void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
--- a/crypto/des/read_pwd.c
+++ b/crypto/des/read_pwd.c
@@ -246,7 +246,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 	long status;
 	unsigned short channel = 0;
 #else
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
 	TTY_STRUCT tty_orig,tty_new;
 #endif
 #endif
--- a/crypto/dh/Makefile.ssl
+++ b/crypto/dh/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -112,12 +112,10 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dh_gen.o: ../cryptlib.h dh_gen.c
-dh_key.o: ../../e_os.h ../../include/openssl/asn1.h
+dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dh_key.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dh_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
@@ -125,12 +123,10 @@ dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 dh_key.o: ../cryptlib.h dh_key.c
-dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dh_lib.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dh_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dh_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
--- a/Show More
+++ b/Show More