Typo.

Submitted by: Reviewed by: PR:
Release 0.9.7-beta3
2002-07-30 11:30:03 +00:00 · 2002-07-30 11:27:18 +00:00 · 2002-07-30 11:21:19 +00:00 · 2002-07-30 07:18:03 +00:00 · 2002-07-29 13:28:57 +00:00 · 2002-07-29 12:34:14 +00:00
336 changed files with 9872 additions and 12441 deletions
--- a/182
+++ b/182
@@ -2,48 +2,78 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.7 and 0.9.8  [xx XXX 2002]
+ Changes between 0.9.6e and 0.9.7  [XX xxx 2002]

-  *) Add a function EC_GROUP_check_discriminant() (defined via
-     EC_METHOD) that verifies that the curve discriminant is non-zero.
+  *) Make sure tests can be performed even if the corresponding algorithms
+     have been removed entirely.  This was also the last step to make
+     OpenSSL compilable with DJGPP under all reasonable conditions.
+     [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]

-     Add a function EC_GROUP_check() that makes some sanity tests
-     on a EC_GROUP, its generator and order.  This includes
-     EC_GROUP_check_discriminant().
-     [Nils Larsch <nla@trustcenter.de>]
+  *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
+     to allow version independent disabling of normally unselected ciphers,
+     which may be activated as a side-effect of selecting a single cipher.

-  *) Add ECDSA in new directory crypto/ecdsa/.
+     (E.g., cipher list string "RSA" enables ciphersuites that are left
+     out of "ALL" because they do not provide symmetric encryption.
+     "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
+     [Lutz Jaenicke, Bodo Moeller]

-     Add applications 'openssl ecdsaparam' and 'openssl ecdsa'
-     (these are variants of 'openssl dsaparam' and 'openssl dsa').
+  *) Add appropriate support for separate platform-dependent build
+     directories.  The recommended way to make a platform-dependent
+     build directory is the following (tested on Linux), maybe with
+     some local tweaks:

-     ECDSA support is also included in various other files across the
-     library.  Most notably,
-     - 'openssl req' now has a '-newkey ecdsa:file' option;
-     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
-     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
-       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
-       them suitable for ECDSA where domain parameters must be
-       extracted before the specific public key.
-     [Nils Larsch <nla@trustcenter.de>]
+	# Place yourself outside of the OpenSSL source tree.  In
+	# this example, the environment variable OPENSSL_SOURCE
+	# is assumed to contain the absolute OpenSSL source directory.
+	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
+	(cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
+		mkdir -p `dirname $F`
+		ln -s $OPENSSL_SOURCE/$F $F
+	done

-  *) Include some named elliptic curves, and add OIDs from X9.62,
-     SECG, and WAP/WTLS.  The curves can be obtained from the new
-     functions
-          EC_GROUP_new_by_nid()
-          EC_GROUP_new_by_name()
-     Also add a 'nid' field to EC_GROUP objects, which can be accessed
-     via
-         EC_GROUP_set_nid()
-         EC_GROUP_get_nid()
-     [Nils Larsch <nla@trustcenter.de, Bodo Moeller]
+     To be absolutely sure not to disturb the source tree, a "make clean"
+     is a good thing.  If it isn't successfull, don't worry about it,
+     it probably means the source directory is very clean.
+     [Richard Levitte]

- Changes between 0.9.6d and 0.9.7  [XX xxx 2002]
+  *) Make sure any ENGINE control commands make local copies of string
+     pointers passed to them whenever necessary. Otherwise it is possible
+     the caller may have overwritten (or deallocated) the original string
+     data when a later ENGINE operation tries to use the stored values.
+     [G<>tz Babin-Ebell <babinebell@trustcenter.de>]
+
+  *) Improve diagnostics in file reading and command-line digests.
+     [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
+
+  *) Add AES modes CFB and OFB to the object database.  Correct an
+     error in AES-CFB decryption.
+     [Richard Levitte]
+
+  *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this 
+     allows existing EVP_CIPHER_CTX structures to be reused after
+     calling EVP_*Final(). This behaviour is used by encryption
+     BIOs and some applications. This has the side effect that
+     applications must explicitly clean up cipher contexts with
+     EVP_CIPHER_CTX_cleanup() or they will leak memory.
+     [Steve Henson]
+
+  *) Check the values of dna and dnb in bn_mul_recursive before calling
+     bn_mul_comba (a non zero value means the a or b arrays do not contain
+     n2 elements) and fallback to bn_mul_normal if either is not zero.
+     [Steve Henson]
+
+  *) Fix escaping of non-ASCII characters when using the -subj option
+     of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
+     [Lutz Jaenicke]

  *) Make object definitions compliant to LDAP (RFC2256): SN is the short
     form for "surname", serialNumber has no short form.
     Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
     therefore remove "mail" short name for "internet 7".
+     The OID for unique identifiers in X509 certificates is
+     x500UniqueIdentifier, not uniqueIdentifier.
     Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
     [Lutz Jaenicke]

@@ -350,6 +380,10 @@
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
+
+     SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
+     more bits available for options that should not be part of
+     SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
     [Bodo Moeller]

  *) Add some demos for certificate and certificate request creation.
@@ -470,8 +504,8 @@
     [Bodo Moeller, Lutz Jaenicke]

  *) Rationalise EVP so it can be extended: don't include a union of
-     cipher/digest structures, add init/cleanup functions. This also reduces
-     the number of header dependencies.
+     cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
+     (similar to those existing for EVP_CIPHER_CTX).
     Usage example:

         EVP_MD_CTX md;
@@ -1053,9 +1087,17 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

  *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
     handle the new API. Currently only ECB, CBC modes supported. Add new
-     AES OIDs. Add TLS AES ciphersuites as described in the "AES Ciphersuites
-     for TLS" draft-ietf-tls-ciphersuite-03.txt.
-     [Ben Laurie, Steve Henson]
+     AES OIDs.
+
+     Add TLS AES ciphersuites as described in RFC3268, "Advanced
+     Encryption Standard (AES) Ciphersuites for Transport Layer
+     Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
+     not enabled by default and were not part of the "ALL" ciphersuite
+     alias because they were not yet official; they could be
+     explicitly requested by specifying the "AESdraft" ciphersuite
+     group alias.  In the final release of OpenSSL 0.9.7, the group
+     alias is called "AES" and is part of "ALL".)
+     [Ben Laurie, Steve  Henson, Bodo Moeller]

  *) New function OCSP_copy_nonce() to copy nonce value (if present) from
     request to response.
@@ -1625,7 +1667,75 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

- Changes between 0.9.6c and 0.9.6d  [XX xxx 2002]
+ Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
+
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer.
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+  *) Fix cipher selection routines: ciphers without encryption had no flags
+     for the cipher strength set and where therefore not handled correctly
+     by the selection routines (PR #130).
+     [Lutz Jaenicke]
+
+  *) Fix EVP_dsa_sha macro.
+     [Nils Larsch]
+
+  *) New option
+          SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
+     that was added in OpenSSL 0.9.6d.
+
+     As the countermeasure turned out to be incompatible with some
+     broken SSL implementations, the new option is part of SSL_OP_ALL.
+     SSL_OP_ALL is usually employed when compatibility with weird SSL
+     implementations is desired (e.g. '-bugs' option to 's_client' and
+     's_server'), so the new option is automatically set in many
+     applications.
+     [Bodo Moeller]
+
+  *) Changes in security patch:
+
+     Changes marked "(CHATS)" were sponsored by the Defense Advanced
+     Research Projects Agency (DARPA) and Air Force Research Laboratory,
+     Air Force Materiel Command, USAF, under agreement number
+     F30602-01-2-0537.
+
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer. (CAN-2002-0659)
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+  *) Assertions for various potential buffer overflows, not known to
+     happen in practice.
+     [Ben Laurie (CHATS)]
+
+  *) Various temporary buffers to hold ASCII versions of integers were
+     too small for 64 bit platforms. (CAN-2002-0655)
+     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+
+  *) Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized master key in Kerberos-enabled versions.
+     (CAN-2002-0657)
+     [Ben Laurie (CHATS)]
+
+  *) Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized session ID to a client. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
+  *) Remote buffer overflow in SSL2 protocol - an attacker could
+     supply an oversized client master key. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
+
+ Changes between 0.9.6c and 0.9.6d  [9 May 2002]
+
+  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
+     encoded as NULL) with id-dsa-with-sha1.
+     [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]

  *) Check various X509_...() return values in apps/req.c.
     [Nils Larsch <nla@trustcenter.de>]
--- a/102
+++ b/102
@@ -134,7 +134,7 @@ my %table=(

 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
-"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
 "debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
@@ -144,8 +144,9 @@ my %table=(
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",

 # Basic configs that should work on any (32 and less bit) box
@@ -168,10 +169,11 @@ my %table=(
 "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
 "solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
 "solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 ####
 "debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -195,10 +197,10 @@ my %table=(
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::::",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # !!!Folowing can't be even tested yet!!!
 #    We have to wait till 64-bit glibc for SPARC is operational!!!
 #"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:ULTRASPARC::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
@@ -254,6 +256,9 @@ my %table=(
 "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# 64bit PARISC for GCC without optimization, which seems to make problems.
+# Submitted by <ross.alexander@uk.neceur.com>
+"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # IA-64 targets
 # I have no idea if this one actually works, feedback needed. <appro>
@@ -375,7 +380,7 @@ my %table=(
 "linux-k6",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
@@ -408,13 +413,13 @@ my %table=(
 "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # UnixWare 2.0x fails destest with -O
-"unixware-2.0","cc:-DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",

 # UnixWare 2.1
-"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",

 # UnixWare 7
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -476,7 +481,7 @@ my %table=(

 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
-"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
 "SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",

@@ -507,9 +512,15 @@ my %table=(
 # and its library files in util/pl/*)
 "Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",

+# UWIN 
+"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+
+# DJGPP
+"DJGPP", "gcc:-I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/DJDIR/watt32/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",

 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown):::::::",
@@ -528,12 +539,12 @@ my %table=(
 "OpenBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "OpenBSD-vax",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::-fPIC",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",

 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
@@ -635,6 +646,7 @@ my $libs;
 my $target;
 my $options;
 my $symlink;
+my $make_depend=0;
 my %withargs=();

 my @argvcopy=@ARGV;
@@ -733,14 +745,6 @@ PROCESS_ARGS:
 				$depflags .= "-DOPENSSL_NO_MDC2 ";
 				$openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n";
 				}
-			if ($algo eq "EC" || $algo eq "SHA" || $algo eq "SHA1")
-				{
-				push @skip, "ecdsa";
-				$options .= " no-ecdsa";
-				$flags .= "-DOPENSSL_NO_ECDSA ";
-				$depflags .= "-DOPENSSL_NO_ECDSA ";
-				$openssl_algorithm_defines .= "#define OPENSSL_NO_ECDSA\n";
-				}
 			if ($algo eq "MD5")
 				{
 				$no_md5 = 1;
@@ -900,6 +904,7 @@ print "Configuring for $target\n";
 my $IsWindows=scalar grep /^$target$/,@WinTargets;

 $exe_ext=".exe" if ($target eq "Cygwin");
+$exe_ext=".exe" if ($target eq "DJGPP");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";

@@ -907,7 +912,7 @@ chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;

 $openssldir=$prefix . "/ssl" if $openssldir eq "";
-$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
+$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;


 print "IsWindows=$IsWindows\n";
@@ -1122,6 +1127,10 @@ if ($rmd160_obj =~ /\.o$/)
 	$cflags.=" -DRMD160_ASM";
 	}

+# "Stringify" the C flags string.  This permits it to be made part of a string
+# and works as well on command lines.
+$cflags =~ s/([\\\"])/\\\1/g;
+
 my $version = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
@@ -1153,7 +1162,8 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 	}

 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
-open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
+unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
+open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
 while (<IN>)
@@ -1207,18 +1217,28 @@ while (<IN>)
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
-		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
+		}
+	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.dylib$/)
+		{
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.dylib/;
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 		}
+	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+		{
+		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
+		}
 	s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
 	print OUT $_."\n";
 	}
 close(IN);
 close(OUT);
+rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
+rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";

 print "CC            =$cc\n";
 print "CFLAG         =$cflags\n";
@@ -1289,7 +1309,8 @@ foreach (sort split(/\s+/,$bn_ops))
 	}

 open(IN,'<crypto/opensslconf.h.in') || die "unable to read crypto/opensslconf.h.in:$!\n";
-open(OUT,'>crypto/opensslconf.h') || die "unable to create crypto/opensslconf.h:$!\n";
+unlink("crypto/opensslconf.h.new") || die "unable to remove old crypto/opensslconf.h.new:$!\n" if -e "crypto/opensslconf.h.new";
+open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslconf.h.new:$!\n";
 print OUT "/* opensslconf.h */\n";
 print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";

@@ -1383,6 +1404,8 @@ while (<IN>)
 	}
 close(IN);
 close(OUT);
+rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
+rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";


 # Fix the date
@@ -1422,11 +1445,13 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
-		if $symlink;
-	### (system 'make depend') == 0 or exit $? if $depflags ne "";
-	# Run "make depend" manually if you want to be able to delete
-	# the source code files of ciphers you left out.
+	my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
+	my $make_targets = "";
+	$make_targets .= " links" if $symlink;
+	$make_targets .= " depend" if $depflags ne "" && $make_depend;
+	$make_targets .= " gentests" if $symlink;
+	(system $make_command.$make_targets) == 0 or exit $?
+		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
@@ -1437,6 +1462,15 @@ EOF
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
+	if ($depflags ne "" && !$make_depend) {
+		print <<EOF;
+
+Since you've disabled at least one algorithm, you need to do the following
+before building:
+
+	make depend
+EOF
+	}
 }

 print <<EOF;
--- a/87
+++ b/87
@@ -29,6 +29,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't I use OpenSSL certificates with SSL client authentication?
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
+* Why is OpenSSL x509 DN output not conformant to RFC2253?

 [BUILD] Questions about building and testing OpenSSL

@@ -38,6 +39,9 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
+* What is special about OpenSSL on Redhat?
+* Why does the OpenSSL compilation fail on MacOS X?
+* Why does the OpenSSL test suite fail on MacOS X?

 [PROG] Questions about programming with OpenSSL

@@ -51,6 +55,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't the OpenSSH configure script detect OpenSSL?
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?

 ===============================================================================

@@ -59,7 +64,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6c was released on December 21st, 2001.
+OpenSSL 0.9.6e was released on July 30, 2002.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -215,8 +220,11 @@ For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
-versions.  However, be warned that /dev/random is usually a blocking
-device, which may have some effects on OpenSSL.
+versions.  An official statement from Sun with respect to /dev/random
+support can be found at
+  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
+However, be warned that /dev/random is usually a blocking device, which
+may have some effects on OpenSSL.


 * Why do I get an "unable to write 'random state'" error message?
@@ -343,6 +351,13 @@ DO NOT DO THIS! This command will give away your CAs private key and
 reduces its security to zero: allowing anyone to forge certificates in
 whatever name they choose.

+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+
+The ways to print out the oneline format of the DN (Distinguished Name) have
+been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
+interface, the "-nameopt" option could be introduded. See the manual
+page of the "openssl x509" commandline tool for details. The old behaviour
+has however been left as default for the sake of compatibility.

 [BUILD] =======================================================================

@@ -451,6 +466,64 @@ under 'Program Files').  This needs to be done prior to running NMAKE,
 and the changes are only valid for the current DOS session.


+* What is special about OpenSSL on Redhat?
+
+Red Hat Linux (release 7.0 and later) include a preinstalled limited
+version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
+is disabled in this version. The same may apply to other Linux distributions.
+Users may therefore wish to install more or all of the features left out.
+
+To do this you MUST ensure that you do not overwrite the openssl that is in
+/usr/bin on your Red Hat machine. Several packages depend on this file,
+including sendmail and ssh. /usr/local/bin is a good alternative choice. The
+libraries that come with Red Hat 7.0 onwards have different names and so are
+not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
+/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
+/lib/libcrypto.so.2 respectively).
+
+Please note that we have been advised by Red Hat attempting to recompile the
+openssl rpm with all the cryptography enabled will not work. All other
+packages depend on the original Red Hat supplied openssl package. It is also
+worth noting that due to the way Red Hat supplies its packages, updates to
+openssl on each distribution never change the package version, only the
+build number. For example, on Red Hat 7.1, the latest openssl package has
+version number 0.9.6 and build number 9 even though it contains all the
+relevant updates in packages up to and including 0.9.6b.
+
+A possible way around this is to persuade Red Hat to produce a non-US
+version of Red Hat Linux.
+
+FYI: Patent numbers and expiry dates of US patents:
+MDC-2: 4,908,861 13/03/2007
+IDEA:  5,214,703 25/05/2010
+RC5:   5,724,428 03/03/2015
+
+
+* Why does the OpenSSL compilation fail on MacOS X?
+
+If the failure happens when trying to build the "openssl" binary, with
+a large number of undefined symbols, it's very probable that you have
+OpenSSL 0.9.6b delivered with the operating system (you can find out by
+running '/usr/bin/openssl version') and that you were trying to build
+OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
+MacOS X has a misfeature that's quite difficult to go around.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
+
+* Why does the OpenSSL test suite fail on MacOS X?
+
+If the failure happens when running 'make test' and the RC4 test fails,
+it's very probable that you have OpenSSL 0.9.6b delivered with the
+operating system (you can find out by running '/usr/bin/openssl version')
+and that you were trying to build OpenSSL 0.9.6d.  The problem is that
+the loader ('ld') in MacOS X has a misfeature that's quite difficult to
+go around and has linked the programs "openssl" and the test programs
+with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
+libraries you just built.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
 [PROG] ========================================================================

 * Is OpenSSL thread-safe?
@@ -616,5 +689,13 @@ if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.


+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+
+For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
+versions, uniqueIdentifier was incorrectly used for X.509 certificates.
+The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
+Change your code to use the new name when compiling against OpenSSL 0.9.7.
+
+
 ===============================================================================

--- a/16
+++ b/16
@@ -2,8 +2,10 @@
 INSTALLATION ON THE UNIX PLATFORM
 ---------------------------------

- [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
-  in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
+ [Installation on DOS (with djgpp), Windows, OpenVMS and MacOS (before MacOS X)
+  is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.
+  This document describes installation on operating systems in the Unix
+  family.]

 To install OpenSSL, you will need:

@@ -137,8 +139,11 @@
     the failure that aren't problems in OpenSSL itself (like missing
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
-     message will be forwarded to a public mailing list).  Include the
-     output of "make report" in your message.
+     message will be recorded in the request tracker publicly readable
+     via http://www.openssl.org/rt2.html and will be forwarded to a public
+     mailing list). Include the output of "make report" in your message.
+     Please check out the request tracker. Maybe the bug was already
+     reported or has already been fixed.

     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -156,7 +161,8 @@
     try removing any compiler optimization flags from the CFLAGS line
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
-     "make report".
+     "make report" in order to be added to the request tracker at
+     http://www.openssl.org/rt2.html.

  4. If everything tests ok, install OpenSSL with

--- a/INSTALL.DJGPP
+++ b/INSTALL.DJGPP
@@ -0,0 +1,32 @@
+
+ 
+ INSTALLATION ON THE DOS PLATFORM WITH DJGPP
+ -------------------------------------------
+
+ Openssl has been ported to DOS, but only with long filename support. If
+ you wish to compile on native DOS with 8+3 filenames, you will have to
+ tweak the installation yourself, including renaming files with illegal
+ or duplicate names.
+
+ You should have a full DJGPP environment installed, including the
+ latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
+ requires that PERL and BC also be installed.
+
+ All of these can be obtained from the usual DJGPP mirror sites, such as
+ "ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp". You also need to have
+ the WATT-32 networking package installed before you try to compile
+ openssl. This can be obtained from "http://www.bgnett.no/~giva/". The
+ Makefile assumes that the WATT-32 code is in directory "watt32" under
+ /dev/env/DJDIR.
+
+ To compile openssl, start your BASH shell. Then configure for DOS by
+ running "./Configure" with appropriate arguments. The basic syntax for
+ DOS is:
+ ./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
+ 
+ You may run out of DPMI selectors when running in a DOS box under
+ Windows. If so, just close the BASH shell, go back to Windows, and
+ restart BASH. Then run "make" again.
+
+ Building openssl under DJGPP has been tested with DJGPP 2.03,
+ GCC 2.952, GCC 2.953, perl 5.005_02 and perl 5.006_01.
--- a/INSTALL.OS2
+++ b/INSTALL.OS2
@@ -20,3 +20,12 @@

 If that finishes successfully you will find the libraries and programs in the
 "out" directory.
+
+ Alternatively, you can make a dynamic build that puts the library code into
+ crypto.dll and ssl.dll by running
+
+ > make -f os2-emx-dll.mak
+
+ This will build the above mentioned dlls and a matching pair of import
+ libraries in the "out_dll" directory along with the set of test programs
+ and the openssl application.
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -94,6 +94,18 @@
 You can also build a static version of the library using the Makefile
 ms\nt.mak

+ Borland C++ builder 5
+ ---------------------
+
+ * Configure for building with Borland Builder:
+   > perl Configure BC-32
+
+ * Create the appropriate makefile
+   > ms\do_nasm
+
+ * Build
+   > make -f ms\bcb.mak
+
 Borland C++ builder 3 and 4
 ---------------------------

@@ -112,10 +124,10 @@
 * Compiler installation:

   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. GNU make is at
-   <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
-   make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
-   C:\egcs-1.1.2\mingw32.bat to set the PATH.
+   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it
+   to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to
+   the PATH environment variable in "System Properties"; or edit and
+   run C:\gcc-2.95.2\mingw32.bat to set the PATH.

 * Compile OpenSSL:

@@ -140,17 +152,17 @@
 GNU C (Cygwin)
 --------------

- Cygwin provides a bash shell and GNU tools environment running on
- NT 4.0, Windows 9x and Windows 2000. Consequently, a make of OpenSSL
- with Cygwin is closer to a GNU bash environment such as Linux rather
- than other W32 makes that are based on a single makefile approach.
- Cygwin implements Posix/Unix calls through cygwin1.dll, and is
- contrasted to Mingw32 which links dynamically to msvcrt.dll or
- crtdll.dll.
+ Cygwin provides a bash shell and GNU tools environment running
+ on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP.
+ Consequently, a make of OpenSSL with Cygwin is closer to a GNU
+ bash environment such as Linux than to other W32 makes which are
+ based on a single makefile approach. Cygwin implements Posix/Unix
+ calls through cygwin1.dll, and is contrasted to Mingw32 which links
+ dynamically to msvcrt.dll or crtdll.dll.

 To build OpenSSL using Cygwin:

- * Install Cygwin (see http://sourceware.cygnus.com/cygwin)
+ * Install Cygwin (see http://cygwin.com/)

 * Install Perl and ensure it is in the path (recent Cygwin perl 
   (version 5.6.1-2 of the latter has been reported to work) or
@@ -176,13 +188,9 @@
 stripping of carriage returns. To avoid this ensure that a binary
 mount is used, e.g. mount -b c:\somewhere /home.

- As of version 1.1.1 Cygwin is relatively unstable in its handling
- of cr/lf issues. These make procedures succeeded with versions 1.1 and
- the snapshot 20000524 (Slow!).
-
- "bc" is not provided in the Cygwin distribution.  This causes a
+ "bc" is not provided in older Cygwin distribution.  This causes a
 non-fatal error in "make test" but is otherwise harmless.  If
- desired, GNU bc can be built with Cygwin without change.
+ desired and needed, GNU bc can be built with Cygwin without change.


 Installation
--- a/Makefile.org
+++ b/Makefile.org
@@ -166,7 +166,7 @@ SHLIBDIRS= crypto ssl
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

@@ -435,6 +435,7 @@ do_hpux-shared:
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Fl lib$$i.a -ldld -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done

 # This assumes that GNU utilities are *not* used
@@ -453,6 +454,7 @@ do_hpux64-shared:
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+forceload lib$$i.a -ldl -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done

 # The following method is said to work on all platforms.  Tests will
@@ -562,6 +564,10 @@ links:
 	fi; \
 	done;

+gentests:
+	@(cd test && echo "generating dummy tests (if needed)..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -576,8 +582,8 @@ rehash: rehash.time
 rehash.time: certs
 	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
 		$(PERL) tools/c_rehash certs)
 	touch rehash.time

@@ -585,9 +591,9 @@ test:   tests

 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		export LD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH; \
 		apps/openssl version -a

 report:
@@ -598,7 +604,7 @@ depend:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' depend ) || exit 1; \
+		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
 	fi; \
 	done;

@@ -644,13 +650,19 @@ TABLE: Configure

 update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE

+# Build distribution tar-file. As the list of files returned by "find" is
+# pretty long, on several platforms a "too many arguments" error or similar
+# would occur. Therefore the list of files is temporarily stored into a file
+# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
+# tar does not support the --files-from option.
 tar:
-	@$(TAR) $(TARFLAGS) -cvf - \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort` |\
+	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
+	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
+	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz

 tar-snap:
@@ -665,7 +677,7 @@ dist:
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='${SDIRS}' clean
-	@$(MAKE) tar
+	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar

 dist_pem_h:
 	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)
@@ -697,8 +709,8 @@ install: all install_docs
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi \
-	done
+		fi; \
+	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
@@ -707,7 +719,7 @@ install: all install_docs
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib/cyg/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
@@ -715,7 +727,7 @@ install: all install_docs
 					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
-			fi \
+			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
@@ -732,18 +744,20 @@ install_docs:
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-		(cd `dirname $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
-			 --release=$(VERSION) `basename $$i`) \
+		(cd `$(PERL) util/dirname.pl $$i`; \
+		sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+			--section=$$sec --center=OpenSSL \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
 	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
-		(cd `dirname $$i`; \
-		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`) \
+		(cd `$(PERL) util/dirname.pl $$i`; \
+		sh -c "$(PERL) `cd ../../util; ./pod2mantest ignore` \
+			--section=$$sec --center=OpenSSL \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done

--- a/14
+++ b/14
@@ -21,9 +21,8 @@
        against libdes providing similar functions having the same name).
        Provide macros for backward compatibility (will be removed in the
        future).
-      o Unifiy handling of cryptographic algorithms (software and
-        engine) to be available via EVP routines for asymmetric and
-        symmetric ciphers.
+      o Unify handling of cryptographic algorithms (software and engine)
+        to be available via EVP routines for asymmetric and symmetric ciphers.
      o NCONF: new configuration handling routines.
      o Change API to use more 'const' modifiers to improve error checking
        and help optimizers.
@@ -31,6 +30,7 @@
      o Reworked parts of the BIGNUM code.
      o Support for new engines: Broadcom ubsec, Accelerated Encryption
        Processing, IBM 4758.
+      o Extended and corrected OID (object identifier) table.
      o PRNG: query at more locations for a random device, automatic query for
        EGD style random sources at several locations.
      o SSL/TLS: allow optional cipher choice according to server's preference.
@@ -38,6 +38,12 @@
      o SSL/TLS: support Kerberos cipher suites (RFC2712).
      o SSL/TLS: allow more precise control of renegotiations and sessions.
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
+      o SSL/TLS: support AES cipher suites (RFC3268).
+
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+
+      o Important security related bugfixes.
+      o Various SSL/TLS library bugfixes.

  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:

@@ -90,7 +96,7 @@
      o Bug fixes for Win32, HP/UX and Irix.
      o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
        memory checking routines.
-      o Bug fixes for RSA operations in threaded enviroments.
+      o Bug fixes for RSA operations in threaded environments.
      o Bug fixes in misc. openssl applications.
      o Remove a few potential memory leaks.
      o Add tighter checks of BIGNUM routines.
--- a/40
+++ b/40
@@ -0,0 +1,40 @@
+* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
+
+
+    NOTE: The problem described here only applies when OpenSSL isn't built
+    with shared library support (i.e. without the "shared" configuration
+    option).  If you build with shared library support, you will have no
+    problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
+
+
+This is really a misfeature in ld, which seems to look for .dylib libraries
+along the whole library path before it bothers looking for .a libraries.  This
+means that -L switches won't matter unless OpenSSL is built with shared
+library support.
+
+The workaround may be to change the following lines in apps/Makefile.ssl and
+test/Makefile.ssl:
+
+  LIBCRYPTO=-L.. -lcrypto
+  LIBSSL=-L.. -lssl
+
+to:
+
+  LIBCRYPTO=../libcrypto.a
+  LIBSSL=../libssl.a
+
+It's possible that something similar is needed for shared library support
+as well.  That hasn't been well tested yet.
+
+
+Another solution that many seem to recommend is to move the libraries
+/usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
+directory, build and install OpenSSL and anything that depends on your
+build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
+original places.  Note that the version numbers on those two libraries
+may differ on your machine.
+
+
+As long as Apple doesn't fix the problem with ld, this problem building
+OpenSSL will remain as is.
+
--- a/19
+++ b/19
@@ -1,5 +1,5 @@

- OpenSSL 0.9.8-dev XX xxx XXXX
+ OpenSSL 0.9.7-beta3 30 Jul 2002

 Copyright (c) 1998-2002 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -122,6 +122,13 @@
 lists the functions; you will probably have to look at the code to work out
 how to use them. Look at the example programs.

+ PROBLEMS
+ --------
+
+ For some platforms, there are some known problems that may affect the user
+ or application author.  We try to collect those in doc/PROBLEMS, with current
+ thoughts on how they should be solved in a future of OpenSSL.
+
 SUPPORT 
 -------

@@ -146,11 +153,13 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)

- Report the bug to the OpenSSL project at:
+ Report the bug to the OpenSSL project via the Request Tracker
+ (http://www.openssl.org/rt2.html) by mail to:

    openssl-bugs@openssl.org

- Note that mail to openssl-bugs@openssl.org is forwarded to a public
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
+ readable request tracker database and is forwarded to a public
 mailing list. Confidential mail may be sent to openssl-security@openssl.org
 (PGP key available from the key servers).

@@ -164,7 +173,9 @@
 textual explanation of what your patch does.

 Note: For legal reasons, contributions from the US can be accepted only
- if a copy of the patch is sent to crypt@bxa.doc.gov
+ if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
+ see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).

 The preferred format for changes is "diff -u" output. You might
 generate it like this:
--- a/README.ENGINE
+++ b/README.ENGINE
@@ -154,7 +154,7 @@
    shared-library that contains the ENGINE implementation, and "NO_VCHECK"
    might possibly be useful if there is a minor version conflict and you
    (or a vendor helpdesk) is convinced you can safely ignore it.
-    "ENGINE_ID" is probably only needed if a shared-library implements
+    "ID" is probably only needed if a shared-library implements
    multiple ENGINEs, but if you know the engine id you expect to be using,
    it doesn't hurt to specify it (and this provides a sanity check if
    nothing else). "LIST_ADD" is only required if you actually wish the
@@ -174,7 +174,7 @@

       ENGINE *e = ENGINE_by_id("dynamic");
       ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
-       ENGINE_ctrl_cmd_string(e, "ENGINE_ID", "foo", 0);
+       ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
       ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
       ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);

@@ -184,7 +184,7 @@

       openssl engine dynamic \
                 -pre SO_PATH:/lib/libfoo.so \
-                 -pre ENGINE_ID:foo \
+                 -pre ID:foo \
                 -pre LOAD \
                 -pre "CMD_FOO:some input data"

@@ -192,7 +192,7 @@

       openssl engine -vvvv dynamic \
                 -pre SO_PATH:/lib/libfoo.so \
-                 -pre ENGINE_ID:foo \
+                 -pre ID:foo \
                 -pre LOAD

    Applications that support the ENGINE API and more specifically, the
--- a/26
+++ b/26
@@ -1,10 +1,15 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/04/13 22:47:04 $
+  ______________                           $Date: 2002/07/30 11:27:05 $

  DEVELOPMENT STATE

-    o  OpenSSL 0.9.7:  Under development...
+    o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.7-beta3: Released on July 30th, 2002
+    o  OpenSSL 0.9.7-beta2: Released on June 16th, 2002
+    o  OpenSSL 0.9.7-beta1: Released on June  1st, 2002
+    o  OpenSSL 0.9.6e: Released on July      30th, 2002
+    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
@@ -17,22 +22,11 @@
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998

+  [See also http://www.openssl.org/support/rt2.html]
+
  RELEASE SHOWSTOPPERS

-    o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
-      - BN_mod_mul verificiation (bc) fails for solaris64-sparcv9-cc
-        and other 64-bit platforms
-
-	Checked on			Result
-	alpha-cc (Tru64 version 4.0)	works
-	linux-alpha+bwx-gcc		doesn't work. Reported by
-					Sean O'Riordain <seanpor@acm.org>
-	OpenBSD-sparc64			doesn't work.  BN_mod_mul breaks.
-
-	Needs checked on
-	[add platforms here]
-
-      - BN_mod_mul verification fails for mips3-sgi-irix
+    o BN_mod_mul verification fails for mips3-sgi-irix
      unless configured with no-asm

  AVAILABLE PATCHES
--- a/245
+++ b/245
@@ -1,3 +1,4 @@
+Output of `Configure TABLE':

 *** BC-16
 $cc           = bcc
@@ -79,15 +80,15 @@ $thread_cflag =
 $sys_id       = CYGWIN32
 $lflags       = 
 $bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$bn_obj       = 
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
+$bn_obj       = asm/bn86-out.o asm/co86-out.o
+$des_obj      = asm/dx86-out.o asm/yx86-out.o
+$bf_obj       = asm/bx86-out.o
+$md5_obj      = asm/mx86-out.o
+$sha1_obj     = asm/sx86-out.o
+$cast_obj     = asm/cx86-out.o
+$rc4_obj      = asm/rx86-out.o
+$rmd160_obj   = asm/rm86-out.o
+$rc5_obj      = asm/r586-out.o
 $dso_scheme   = win32
 $shared_target= cygwin-shared
 $shared_cflag = 
@@ -119,6 +120,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

+*** DJGPP
+$cc           = gcc
+$cflags       = -I/dev/env/DJDIR/watt32/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
+$unistd       = 
+$thread_cflag = 
+$sys_id       = MSDOS
+$lflags       = -L/dev/env/DJDIR/watt32/lib -lwatt
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+
 *** FreeBSD
 $cc           = gcc
 $cflags       = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
@@ -427,8 +452,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= bsd-gcc-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** OpenBSD-i386
@@ -739,8 +764,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= reliantunix-shared
 $shared_cflag = 
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** SINIX
@@ -791,6 +816,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

+*** UWIN
+$cc           = cc
+$cflags       = -DTERMIOS -DL_ENDIAN -O -Wall
+$unistd       = 
+$thread_cflag = 
+$sys_id       = UWIN
+$lflags       = 
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = win32
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+
 *** VC-MSDOS
 $cc           = cl
 $cflags       = 
@@ -1273,33 +1322,9 @@ $ranlib       =

 *** darwin-i386-cc
 $cc           = cc
-$cflags       = -O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN
+$cflags       = -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN
 $unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = MACOSX
-$lflags       = 
-$bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
-$bn_obj       = 
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = -fPIC
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-
-*** darwin-ppc-cc
-$cc           = cc
-$cflags       = -O3 -nostdinc -I/System/Library/Frameworks/System.framework/Headers -I/System/Library/Frameworks/System.frameworks/Headers/bsd -I/usr/include -fomit-frame-pointer -Wall -DB_ENDIAN
-$unistd       = 
-$thread_cflag = (unknown)
+$thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
 $lflags       = 
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
@@ -1315,13 +1340,37 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
+$ranlib       = 
+
+*** darwin-ppc-cc
+$cc           = cc
+$cflags       = -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = MACOSX
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= darwin-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 

 *** debug
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1489,7 +1538,7 @@ $ranlib       =

 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1513,7 +1562,7 @@ $ranlib       =

 *** debug-levitte-linux-noasm
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wid-clash-31 -Wcast-align -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1555,8 +1604,8 @@ $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** debug-linux-elf-noefence
@@ -1775,6 +1824,30 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 

+*** debug-steve-linux-pseudo64
+$cc           = gcc
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -rdynamic -ldl
+$bn_ops       = SIXTY_FOUR_BIT
+$bn_obj       = 
+$des_obj      = dlfcn
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+
 *** debug-ulf
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe
@@ -2327,6 +2400,30 @@ $shared_ldflag =
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

+*** hpux64-parisc-gcc
+$cc           = gcc
+$cflags       = -DB_ENDIAN -DMD32_XARRAY
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= hpux64-shared
+$shared_cflag = -fpic
+$shared_ldflag = 
+$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
 *** hpux64-parisc2-cc
 $cc           = cc
 $cflags       = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY
@@ -2981,7 +3078,7 @@ $cflags       = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = asm/sparcv8.o
 $des_obj      = 
@@ -2992,11 +3089,11 @@ $cast_obj     =
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** linux-sparcv9
@@ -3005,7 +3102,7 @@ $cflags       = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = asm/sparcv8plus.o
 $des_obj      = 
@@ -3019,8 +3116,8 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$shared_extension = 
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

 *** ncr-scde
@@ -3595,7 +3692,31 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -m64
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+
+*** solaris64-sparcv9-gcc31
+$cc           = gcc
+$cflags       = -mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = ULTRASPARC
+$lflags       = -lsocket -lnsl -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = asm/md5-sparcv9.o
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= solaris-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -m64
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 

@@ -3673,11 +3794,11 @@ $ranlib       =

 *** unixware-2.0
 $cc           = cc
-$cflags       = -DFILIO_H
+$cflags       = -DFILIO_H -DNO_STRINGS_H
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
@@ -3697,11 +3818,11 @@ $ranlib       =

 *** unixware-2.0-pentium
 $cc           = cc
-$cflags       = -DFILIO_H -Kpentium
+$cflags       = -DFILIO_H -DNO_STRINGS_H -Kpentium
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
@@ -3725,7 +3846,7 @@ $cflags       = -O -DFILIO_H
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
@@ -3749,7 +3870,7 @@ $cflags       = -O -DFILIO_H -Kp6
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
@@ -3773,7 +3894,7 @@ $cflags       = -O -DFILIO_H -Kpentium
 $unistd       = 
 $thread_cflag = -Kthread
 $sys_id       = 
-$lflags       = -lsocket -lnsl -lx
+$lflags       = -lsocket -lnsl -lresolv -lx
 $bn_ops       = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
 $bn_obj       = 
 $des_obj      = 
--- a/VMS/tcpip_shr_decc.opt
+++ b/VMS/tcpip_shr_decc.opt
@@ -0,0 +1 @@
+sys$share:tcpip$ipc_shr.exe/share
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -129,7 +129,11 @@
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
 #else
+#  ifdef NO_STRINGS_H
+    int	strcasecmp();
+#  else
 #    include <strings.h>
+#  endif /* NO_STRINGS_H */
 #endif

 #ifdef OPENSSL_SYS_WINDOWS
@@ -310,10 +314,17 @@ void program_name(char *in, char *out, int size)

 	q=strrchr(p,'.');
 	if (q == NULL)
-		q = in+size;
-	strncpy(out,p,q-p);
+		q = p + strlen(p);
+	strncpy(out,p,size-1);
+	if (q-p >= size)
+		{
+		out[size-1]='\0';
+		}
+	else
+		{
 		out[q-p]='\0';
 		}
+	}
 #else
 void program_name(char *in, char *out, int size)
 	{
@@ -483,7 +494,7 @@ static int ui_close(UI *ui)
 	{
 	return UI_method_get_closer(UI_OpenSSL())(ui);
 	}
-int setup_ui_method()
+int setup_ui_method(void)
 	{
 	ui_method = UI_create_method("OpenSSL application user interface");
 	UI_method_set_opener(ui_method, ui_open);
@@ -492,7 +503,7 @@ int setup_ui_method()
 	UI_method_set_closer(ui_method, ui_close);
 	return 0;
 	}
-void destroy_ui_method()
+void destroy_ui_method(void)
 	{
 	if(ui_method)
 		{
@@ -918,7 +929,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format,
 	}

 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
-EVP_PKEY *
+static EVP_PKEY *
 load_netscape_key(BIO *err, BIO *key, const char *file,
 		const char *key_descrip, int format)
 	{
@@ -1206,7 +1217,7 @@ static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_T

 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 {
-	char buf[256];
+	char *buf;
 	char mline = 0;
 	int indent = 0;
 	if(title) BIO_puts(out, title);
@@ -1215,9 +1226,10 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 		indent = 4;
 	}
 	if(lflags == XN_FLAG_COMPAT) {
-		X509_NAME_oneline(nm,buf,256);
+		buf = X509_NAME_oneline(nm, 0, 0);
 		BIO_puts(out, buf);
 		BIO_puts(out, "\n");
+		OPENSSL_free(buf);
 	} else {
 		if(mline) BIO_puts(out, "\n");
 		X509_NAME_print_ex(out, nm, indent, lflags);
@@ -1256,7 +1268,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
 }

 /* Try to load an engine in a shareable library */
-ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
+static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
 	{
 	ENGINE *e = ENGINE_by_id("dynamic");
 	if (e)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -134,10 +134,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                       * (see e_os.h).  The string is
                                       * destroyed! */

-#ifdef OPENSSL_NO_STDIO
-BIO_METHOD *BIO_s_file();
-#endif
-
 #ifdef OPENSSL_SYS_WIN32
 #define rename(from,to) WIN32_rename((from),(to))
 int WIN32_rename(char *oldname,char *newname);
@@ -217,8 +213,8 @@ typedef struct pw_cb_data
 int password_callback(char *buf, int bufsiz, int verify,
 	PW_CB_DATA *cb_data);

-int setup_ui_method();
-void destroy_ui_method();
+int setup_ui_method(void);
+void destroy_ui_method(void);

 int should_retry(int i);
 int args_from_file(char *file, int *argc, char **argv[]);
@@ -253,6 +249,8 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
 			ASN1_GENERALIZEDTIME **pinvtm, char *str);
 int make_serial_index(TXT_DB *db);

+X509_NAME *do_subject(char *str, long chtype);
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -184,7 +184,7 @@ bad:
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
-		BIO_printf(bio_err," -out arg      output file\n");
+		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
@@ -195,7 +195,6 @@ bad:
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
-		BIO_printf(bio_err," -out filename output DER encoding to file\n");
 		goto end;
 		}

--- a/apps/ca.c
+++ b/apps/ca.c
@@ -80,7 +80,11 @@
 #ifdef OPENSSL_SYS_WINDOWS
 #define strcasecmp _stricmp
 #else
+#  ifdef NO_STRINGS_H
+    int	strcasecmp();
+#  else
 #    include <strings.h>
+#  endif /* NO_STRINGS_H */
 #endif

 #ifndef W_OK
@@ -238,7 +242,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
 	int ext_copy);
-static X509_NAME *do_subject(char *subject);
 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, TXT_DB *db);
 static int do_updatedb(TXT_DB *db);
@@ -1451,13 +1454,13 @@ bad:
 			}
 		if ((crldays == 0) && (crlhours == 0))
 			{
-			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
+			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
 			goto err;
 			}

 		if (verbose) BIO_printf(bio_err,"making CRL\n");
 		if ((crl=X509_CRL_new()) == NULL) goto err;
-		if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
+		if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;

 		tmptm = ASN1_TIME_new();
 		if (!tmptm) goto err;
@@ -1510,11 +1513,6 @@ bad:
 			if (pkey->type == EVP_PKEY_DSA) 
 				dgst=EVP_dss1();
 			else
-#endif
-#ifndef OPENSSL_NO_ECDSA
-			if (pkey->type == EVP_PKEY_ECDSA)
-				dgst=EVP_ecdsa();
-			else
 #endif
 				dgst=EVP_md5();
 			}
@@ -1574,6 +1572,10 @@ bad:
 				}
 			j=TXT_DB_write(out,db);
 			if (j <= 0) goto err;
+			BIO_free_all(out);
+			out = NULL;
+			BIO_free_all(in);
+			in = NULL;
 			strncpy(buf[1],dbfile,BSIZE-4);
 			buf[1][BSIZE-4]='\0';
 #ifndef OPENSSL_SYS_VMS
@@ -1581,10 +1583,6 @@ bad:
 #else
 			strcat(buf[1],"-old");
 #endif
-			BIO_free(in);
-			in = NULL;
-			BIO_free(out);
-			out = NULL;
 			if (rename(dbfile,buf[1]) < 0)
 				{
 				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
@@ -1879,7 +1877,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,

 	if (subj)
 		{
-		X509_NAME *n = do_subject(subj);
+		X509_NAME *n = do_subject(subj, MBSTRING_ASC);

 		if (!n)
 			{
@@ -2290,16 +2288,6 @@ again2:
 		EVP_PKEY_copy_parameters(pktmp,pkey);
 	EVP_PKEY_free(pktmp);
 #endif
-#ifndef OPENSSL_NO_ECDSA
-	if (pkey->type == EVP_PKEY_ECDSA)
-		dgst = EVP_ecdsa();
-	pktmp = X509_get_pubkey(ret);
-	if (EVP_PKEY_missing_parameters(pktmp) &&
-		!EVP_PKEY_missing_parameters(pkey))
-		EVP_PKEY_copy_parameters(pktmp, pkey);
-	EVP_PKEY_free(pktmp);
-#endif
-

 	if (!X509_sign(ret,pkey,dgst))
 		goto err;
@@ -3023,65 +3011,124 @@ int make_revoked(X509_REVOKED *rev, char *str)
 	return ret;
 	}

-static X509_NAME *do_subject(char *subject)
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+X509_NAME *do_subject(char *subject, long chtype)
 	{
+	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
+	char *buf = OPENSSL_malloc(buflen);
+	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
+	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
+	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
+
+	char *sp = subject, *bp = buf;
+	int i, ne_num = 0;
+
 	X509_NAME *n = NULL;
+	int nid;

-	int i, nid, ne_num=0;
-
-	char *ne_name = NULL;
-	char *ne_value = NULL;
-
-	char *tmp = NULL;
-	char *p[2];
-
-	char *str_list[256];
-       
-	p[0] = ",/";
-	p[1] = "=";
-
-	n = X509_NAME_new();
-
-	tmp = strtok(subject, p[0]);
-	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
+	if (!buf || !ne_types || !ne_values)
 	{
-		char *token = tmp;
+		BIO_printf(bio_err, "malloc error\n");
+		goto error;
+	}

-		while (token[0] == ' ')
-			token++;
-		str_list[ne_num] = token;
+	if (*subject != '/')
+	{
+		BIO_printf(bio_err, "Subject does not start with '/'.\n");
+		goto error;
+	}
+	sp++; /* skip leading / */

-		tmp = strtok(NULL, p[0]);
+	while (*sp)
+	{
+		/* collect type */
+		ne_types[ne_num] = bp;
+		while (*sp)
+		{
+			if (*sp == '\\') /* is there anything to escape in the type...? */
+				if (*++sp)
+					*bp++ = *sp++;
+				else
+				{
+					BIO_printf(bio_err, "escape character at end of string\n");
+					goto error;
+				}
+			else if (*sp == '=')
+			{
+				sp++;
+				*bp++ = '\0';
+				break;
+			}
+			else
+				*bp++ = *sp++;
+		}
+		if (!*sp)
+		{
+			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
+			goto error;
+		}
+		ne_values[ne_num] = bp;
+		while (*sp)
+		{
+			if (*sp == '\\')
+				if (*++sp)
+					*bp++ = *sp++;
+				else
+				{
+					BIO_printf(bio_err, "escape character at end of string\n");
+					goto error;
+				}
+			else if (*sp == '/')
+			{
+				sp++;
+				break;
+			}
+			else
+				*bp++ = *sp++;
+		}
+		*bp++ = '\0';
 		ne_num++;
 	}

+	if (!(n = X509_NAME_new()))
+		goto error;
+
 	for (i = 0; i < ne_num; i++)
 		{
-		ne_name  = strtok(str_list[i], p[1]);
-		ne_value = strtok(NULL, p[1]);
-
-		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
+		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
 			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
+			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
 			continue;
 			}

-		if (ne_value == NULL)
+		if (!*ne_values[i])
 			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
+			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
 			continue;
 			}

-		if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
-			{
+		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0))
+			goto error;
+		}
+
+	OPENSSL_free(ne_values);
+	OPENSSL_free(ne_types);
+	OPENSSL_free(buf);
+	return n;
+
+error:
 	X509_NAME_free(n);
+	if (ne_values)
+		OPENSSL_free(ne_values);
+	if (ne_types)
+		OPENSSL_free(ne_types);
+	if (buf)
+		OPENSSL_free(buf);
 	return NULL;
 }
-		}
-
-	return n;
-	}
-

 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 	{
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -87,6 +87,7 @@ static char *crl_usage[]={
 " -noout          - no CRL output\n",
 " -CAfile  name   - verify CRL using certificates in file \"name\"\n",
 " -CApath  dir    - verify CRL using certificates in \"dir\"\n",
+" -nameopt arg    - various certificate name options\n",
 NULL
 };

@@ -97,6 +98,7 @@ int MAIN(int, char **);

 int MAIN(int argc, char **argv)
 	{
+	unsigned long nmflag = 0;
 	X509_CRL *x=NULL;
 	char *CAfile = NULL, *CApath = NULL;
 	int ret=1,i,num,badops=0;
@@ -105,7 +107,7 @@ int MAIN(int argc, char **argv)
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0;
-	char **pp,buf[256];
+	char **pp;
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
 	X509_LOOKUP *lookup = NULL;
@@ -188,6 +190,11 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
+		else if (strcmp(*argv,"-nameopt") == 0)
+			{
+			if (--argc < 1) goto bad;
+			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
+			}
 		else if (strcmp(*argv,"-issuer") == 0)
 			issuer= ++num;
 		else if (strcmp(*argv,"-lastupdate") == 0)
@@ -271,9 +278,7 @@ bad:
 			{
 			if (issuer == i)
 				{
-				X509_NAME_oneline(X509_CRL_get_issuer(x),
-								buf,256);
-				BIO_printf(bio_out,"issuer= %s\n",buf);
+				print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
 				}

 			if (hash == i)
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -73,8 +73,9 @@
 #undef PROG
 #define PROG	dgst_main

-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-		EVP_PKEY *key, unsigned char *sigin, int siglen);
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
+	  const char *file);

 int MAIN(int, char **);

@@ -319,22 +320,36 @@ int MAIN(int argc, char **argv)
 	if (argc == 0)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-		do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, siglen);
+		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
+			  siglen,"","(stdin)");
 		}
 	else
 		{
 		name=OBJ_nid2sn(md->type);
 		for (i=0; i<argc; i++)
 			{
+			char *tmp,*tofree=NULL;
+			int r;
+
 			if (BIO_read_filename(in,argv[i]) <= 0)
 				{
 				perror(argv[i]);
 				err++;
 				continue;
 				}
-			if(!out_bin) BIO_printf(out, "%s(%s)= ",name,argv[i]);
-			do_fp(out, buf,inp,separator, out_bin, sigkey, 
-								sigbuf, siglen);
+			if(!out_bin)
+				{
+				tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5);
+				sprintf(tmp,"%s(%s)= ",name,argv[i]);
+				}
+			else
+				tmp="";
+			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
+				siglen,tmp,argv[i]);
+			if(r)
+			    err=r;
+			if(tofree)
+				OPENSSL_free(tofree);
 			(void)BIO_reset(bmd);
 			}
 		}
@@ -353,8 +368,9 @@ end:
 	EXIT(err);
 	}

-void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
-			EVP_PKEY *key, unsigned char *sigin, int siglen)
+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
+	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
+	  const char *file)
 	{
 	int len;
 	int i;
@@ -362,21 +378,33 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	for (;;)
 		{
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
-		if (i <= 0) break;
+		if(i < 0)
+			{
+			BIO_printf(bio_err, "Read Error in %s\n",file);
+			ERR_print_errors(bio_err);
+			return 1;
+			}
+		if (i == 0) break;
 		}
 	if(sigin)
 		{
 		EVP_MD_CTX *ctx;
 		BIO_get_md_ctx(bp, &ctx);
 		i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
-		if(i > 0) BIO_printf(out, "Verified OK\n");
-		else if(i == 0) BIO_printf(out, "Verification Failure\n");
+		if(i > 0)
+			BIO_printf(out, "Verified OK\n");
+		else if(i == 0)
+			{
+			BIO_printf(out, "Verification Failure\n");
+			return 1;
+			}
 		else
 			{
 			BIO_printf(bio_err, "Error Verifying Data\n");
 			ERR_print_errors(bio_err);
+			return 1;
 			}
-		return;
+		return 0;
 		}
 	if(key)
 		{
@@ -386,7 +414,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			{
 			BIO_printf(bio_err, "Error Signing Data\n");
 			ERR_print_errors(bio_err);
-			return;
+			return 1;
 			}
 		}
 	else
@@ -395,6 +423,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	if(binout) BIO_write(out, buf, len);
 	else 
 		{
+		BIO_write(out,title,strlen(title));
 		for (i=0; i<len; i++)
 			{
 			if (sep && (i != 0))
@@ -403,5 +432,6 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			}
 		BIO_printf(out, "\n");
 		}
+	return 0;
 	}

--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -186,7 +186,7 @@ bad:
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
-		BIO_printf(bio_err," -text         print the key in text\n");
+		BIO_printf(bio_err," -text         print as text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -genkey       generate a DSA key\n");
--- a/apps/ecdsa.c
+++ b/apps/ecdsa.c
@@ -1,445 +0,0 @@
-/* apps/ecdsa.c */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef OPENSSL_NO_ECDSA
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include "apps.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/ecdsa.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-
-#undef PROG
-#define PROG	ecdsa_main
-
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
- * -outform arg - output format - default PEM
- * -in arg	- input file - default stdin
- * -out arg	- output file - default stdout
- * -des		- encrypt output if PEM format with DES in cbc mode
- * -des3	- encrypt output if PEM format
- * -idea	- encrypt output if PEM format
- * -aes128	- encrypt output if PEM format
- * -aes192	- encrypt output if PEM format
- * -aes256	- encrypt output if PEM format
- * -text	- print a text version
- * -pub		- print the ECDSA public key
- * -compressed  - print the public key in compressed form ( default )   
- * -hybrid 	- print the public key in hybrid form
- * -uncompressed - print the public key in uncompressed form
- *		  the last three options ( compressed, hybrid and uncompressed )
- *		  are only used if the "-pub" option is also selected.
- *	  	  For a precise description of the the meaning of compressed,
- *		  hybrid and uncompressed please refer to the X9.62 standart.
- *		  All three forms represents ways to express the ecdsa public
- *		  key ( a point on a elliptic curve ) as octet string. Let len be
- *		  the length ( in bytes ) of an element of the field over which
- *		  the curve is defined, then a compressed octet string has the form
- *		  0x02 + result of BN_bn2bin() of the x coordinate of the public key
- */
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-{
-	ENGINE 	*e = NULL;
-	int 	ret = 1;
-	ECDSA 	*ecdsa = NULL;
-	int 	i, badops = 0;
-	const EVP_CIPHER *enc = NULL;
-	BIO 	*in = NULL, *out = NULL;
-	int 	informat, outformat, text=0, noout=0;
-	int  	pubin = 0, pubout = 0;
-	char 	*infile, *outfile, *prog, *engine;
-	char 	*passargin = NULL, *passargout = NULL;
-	char 	*passin = NULL, *passout = NULL;
-	int 	pub = 0, point_form = 0;
-	unsigned char *buffer = NULL;
-	unsigned int  buf_len = 0;
-	BIGNUM	*tmp_bn = NULL;
-
-	apps_startup();
-
-	if (bio_err == NULL)
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
-
-	if (!load_config(bio_err, NULL))
-		goto end;
-
-	engine = NULL;
-	infile = NULL;
-	outfile = NULL;
-	informat = FORMAT_PEM;
-	outformat = FORMAT_PEM;
-
-	prog = argv[0];
-	argc--;
-	argv++;
-	while (argc >= 1)
-	{
-		if (strcmp(*argv,"-inform") == 0)
-		{
-			if (--argc < 1) goto bad;
-			informat=str2fmt(*(++argv));
-		}
-		else if (strcmp(*argv,"-outform") == 0)
-		{
-			if (--argc < 1) goto bad;
-			outformat=str2fmt(*(++argv));
-		}
-		else if (strcmp(*argv,"-in") == 0)
-		{
-			if (--argc < 1) goto bad;
-			infile= *(++argv);
-		}
-		else if (strcmp(*argv,"-out") == 0)
-		{
-			if (--argc < 1) goto bad;
-			outfile= *(++argv);
-		}
-		else if (strcmp(*argv,"-passin") == 0)
-		{
-			if (--argc < 1) goto bad;
-			passargin= *(++argv);
-		}
-		else if (strcmp(*argv,"-passout") == 0)
-		{
-			if (--argc < 1) goto bad;
-			passargout= *(++argv);
-		}
-		else if (strcmp(*argv, "-engine") == 0)
-		{
-			if (--argc < 1) goto bad;
-			engine= *(++argv);
-		}
-		else if (strcmp(*argv, "-noout") == 0)
-			noout = 1;
-		else if (strcmp(*argv, "-text") == 0)
-			text = 1;
-		else if (strcmp(*argv, "-pub") == 0)
-		{
-			pub = 1;
-			buffer = (unsigned char *)(*(argv+1));
-			if (strcmp((char *)buffer, "compressed") == 0)
-				point_form = POINT_CONVERSION_COMPRESSED;
-			else if (strcmp((char *)buffer, "hybrid") == 0)
-				point_form = POINT_CONVERSION_HYBRID;
-			else if (strcmp((char *)buffer, "uncompressed") == 0)
-				point_form = POINT_CONVERSION_UNCOMPRESSED;
-			if (point_form)
-			{
-				argc--;
-				argv++;
-			}
-		}
-		else if (strcmp(*argv, "-pubin") == 0)
-			pubin=1;
-		else if (strcmp(*argv, "-pubout") == 0)
-			pubout=1;
-		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
-		{
-			BIO_printf(bio_err,"unknown option %s\n",*argv);
-			badops=1;
-			break;
-		}
-		argc--;
-		argv++;
-	}
-
-	if (badops)
-	{
-bad:
-		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
-		BIO_printf(bio_err, "where options are\n");
-		BIO_printf(bio_err, " -inform arg     input format - DER or PEM\n");
-		BIO_printf(bio_err, " -outform arg    output format - DER or PEM\n");
-		BIO_printf(bio_err, " -in arg         input file\n");
-		BIO_printf(bio_err, " -passin arg     input file pass phrase source\n");
-		BIO_printf(bio_err, " -out arg        output file\n");
-		BIO_printf(bio_err, " -passout arg    output file pass phrase source\n");
-		BIO_printf(bio_err, " -engine e       use engine e, possibly a hardware device.\n");
-		BIO_printf(bio_err, " -des            encrypt PEM output with cbc des\n");
-		BIO_printf(bio_err, " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
-#ifndef OPENSSL_NO_IDEA
-		BIO_printf(bio_err, " -idea           encrypt PEM output with cbc idea\n");
-#endif
-#ifndef OPENSSL_NO_AES
-		BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
-		BIO_printf(bio_err, "                 encrypt PEM output with cbc aes\n");
-#endif
-		BIO_printf(bio_err, " -text           print the key in text\n");
-		BIO_printf(bio_err, " -noout          don't print key out\n");
-		BIO_printf(bio_err, " -pub [compressed | hybrid | uncompressed] \n");
-		BIO_printf(bio_err, "         compressed     print the public key in compressed form ( default )\n");   
-		BIO_printf(bio_err, "         hybrid         print the public key in hybrid form\n");
- 		BIO_printf(bio_err, "         uncompressed   print the public key in uncompressed form\n");
-		goto end;
-	}
-
-	ERR_load_crypto_strings();
-
-        e = setup_engine(bio_err, engine, 0);
-
-	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
-	{
-		BIO_printf(bio_err, "Error getting passwords\n");
-		goto end;
-	}
-
-	in = BIO_new(BIO_s_file());
-	out = BIO_new(BIO_s_file());
-	if ((in == NULL) || (out == NULL))
-	{
-		ERR_print_errors(bio_err);
-		goto end;
-	}
-
-	if (infile == NULL)
-		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-	else
-	{
-		if (BIO_read_filename(in,infile) <= 0)
-		{
-			perror(infile);
-			goto end;
-		}
-	}
-
-	BIO_printf(bio_err,"read ECDSA key\n");
-	if (informat == FORMAT_ASN1) 
-	{
-		if (pubin) 
-			ecdsa = d2i_ECDSA_PUBKEY_bio(in, NULL);
-		else 
-			ecdsa = d2i_ECDSAPrivateKey_bio(in, NULL);
-	} else if (informat == FORMAT_PEM) 
-	{
-		if (pubin) 
-			ecdsa = PEM_read_bio_ECDSA_PUBKEY(in, NULL, NULL, NULL);
-		else 
-			ecdsa = PEM_read_bio_ECDSAPrivateKey(in, NULL, NULL, passin);
-	} else
-	{
-		BIO_printf(bio_err, "bad input format specified for key\n");
-		goto end;
-	}
-	if (ecdsa == NULL)
-	{
-		BIO_printf(bio_err,"unable to load Key\n");
-		ERR_print_errors(bio_err);
-		goto end;
-	}
-
-	if (outfile == NULL)
-	{
-		BIO_set_fp(out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-		{
-			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-			out = BIO_push(tmpbio, out);
-		}
-#endif
-	}
-	else
-	{
-		if (BIO_write_filename(out, outfile) <= 0)
-		{
-			perror(outfile);
-			goto end;
-		}
-	}
-
-	if (text) 
-		if (!ECDSA_print(out, ecdsa, 0))
-		{
-			perror(outfile);
-			ERR_print_errors(bio_err);
-			goto end;
-		}
-
-	if (pub)
-	{
-		fprintf(stdout, "Public Key (");
-		if (point_form == POINT_CONVERSION_COMPRESSED)
-			fprintf(stdout, "COMPRESSED");
-		else if (point_form == POINT_CONVERSION_UNCOMPRESSED)
-			fprintf(stdout, "UNCOMPRESSED");
-		else if (point_form == POINT_CONVERSION_HYBRID)
-			fprintf(stdout, "HYBRID");
-		fprintf(stdout, ")=");
-		buf_len = EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
-					     point_form, NULL, 0, NULL);
-		if (!buf_len)
-		{
-			BIO_printf(bio_err,"invalid public key length\n");
-			ERR_print_errors(bio_err);
-			goto end;
-		}
-		if ((tmp_bn = BN_new()) == NULL ||
-		    (buffer = OPENSSL_malloc(buf_len)) == NULL) goto end;
-		if (!EC_POINT_point2oct(ecdsa->group, EC_GROUP_get0_generator(ecdsa->group),
-					     point_form, buffer, buf_len, NULL) ||
-		    !BN_bin2bn(buffer, buf_len, tmp_bn))
-		{
-			BIO_printf(bio_err,"can not encode public key\n");
-			ERR_print_errors(bio_err);
-			OPENSSL_free(buffer);
-			goto end;
-		}
-		BN_print(out, tmp_bn);
-		fprintf(stdout,"\n");
-	}
-
-	if (noout) 
-		goto end;
-	BIO_printf(bio_err, "writing ECDSA key\n");
-	if (outformat == FORMAT_ASN1) 
-	{
-		if(pubin || pubout) 
-			i = i2d_ECDSA_PUBKEY_bio(out, ecdsa);
-		else 
-			i = i2d_ECDSAPrivateKey_bio(out, ecdsa);
-	} else if (outformat == FORMAT_PEM) 
-	{
-		if(pubin || pubout)
-			i = PEM_write_bio_ECDSA_PUBKEY(out, ecdsa);
-		else 
-			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsa, enc,
-							NULL, 0, NULL, passout);
-	} else 
-	{
-		BIO_printf(bio_err, "bad output format specified for outfile\n");
-		goto end;
-	}
-	if (!i)
-	{
-		BIO_printf(bio_err, "unable to write private key\n");
-		ERR_print_errors(bio_err);
-	}
-	else
-		ret=0;
-end:
-	if (in) 	BIO_free(in);
-	if (out)	BIO_free_all(out);
-	if (ecdsa) 	ECDSA_free(ecdsa);
-	if (tmp_bn)	BN_free(tmp_bn);
-	if (passin) 	OPENSSL_free(passin);
-	if (passout) 	OPENSSL_free(passout);
-	apps_shutdown();
-	EXIT(ret);
-}
-#endif
--- a/apps/ecdsaparam.c
+++ b/apps/ecdsaparam.c
@@ -1,660 +0,0 @@
-/* apps/ecdsaparam.c */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef OPENSSL_NO_ECDSA
-#include <assert.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <string.h>
-#include "apps.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/bn.h>
-#include <openssl/ec.h>
-#include <openssl/ecdsa.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-
-#undef PROG
-#define PROG	ecdsaparam_main
-
-/* -inform arg	  	- input format - default PEM (DER or PEM)
- * -outform arg 	- output format - default PEM
- * -in arg		- input file  - default stdin
- * -out arg		- output file - default stdout
- * -noout
- * -text
- * -check               - validate the ec parameters
- * -C
- * -noout
- * -genkey		- generate a private public keypair based on the supplied curve
- * -named_curve		- use the curve oid instead of the parameters
- * -NIST_192		- use the NIST recommended curve parameters over a 192 bit prime field
- * -NIST_224		- use the NIST recommended curve parameters over a 224 bit prime field
- * -NIST_256		- use the NIST recommended curve parameters over a 256 bit prime field
- * -NIST_384		- use the NIST recommended curve parameters over a 384 bit prime field
- * -NIST_521		- use the NIST recommended curve parameters over a 521 bit prime field
- * -X9_62_192v1		- use the X9_62 192v1 example curve over a 192 bit prime field
- * -X9_62_192v2		- use the X9_62 192v2 example curve over a 192 bit prime field
- * -X9_62_192v3		- use the X9_62 192v3 example curve over a 192 bit prime field
- * -X9_62_239v1		- use the X9_62 239v1 example curve over a 239 bit prime field
- * -X9_62_239v2		- use the X9_62 239v2 example curve over a 239 bit prime field
- * -X9_62_239v3		- use the X9_62 239v3 example curve over a 239 bit prime field
- * -X9_62_256v1		- use the X9_62 239v1 example curve over a 256 bit prime field
- * -SECG_PRIME_112R1    - use the SECG 112r1 recommended curve over a 112 bit prime field
- * -SECG_PRIME_112R2    - use the SECG 112r2 recommended curve over a 112 bit prime field
- * -SECG_PRIME_128R1    - use the SECG 128r1 recommended curve over a 128 bit prime field
- * -SECG_PRIME_128R2    - use the SECG 128r2 recommended curve over a 128 bit prime field
- * -SECG_PRIME_160K1    - use the SECG 160k1 recommended curve over a 160 bit prime field
- * -SECG_PRIME_160R1    - use the SECG 160r1 recommended curve over a 160 bit prime field
- * -SECG_PRIME_160R2    - use the SECG 160r2 recommended curve over a 160 bit prime field
- * -SECG_PRIME_192K1    - use the SECG 192k1 recommended curve over a 192 bit prime field
- * -SECG_PRIME_192R1    - use the SECG 192r1 recommended curve over a 192 bit prime field
- * -SECG_PRIME_224K1    - use the SECG 224k1 recommended curve over a 224 bit prime field
- * -SECG_PRIME_224R1    - use the SECG 224r1 recommended curve over a 224 bit prime field
- * -SECG_PRIME_256K1    - use the SECG 256k1 recommended curve over a 256 bit prime field
- * -SECG_PRIME_256R1    - use the SECG 256r1 recommended curve over a 256 bit prime field
- * -SECG_PRIME_384R1    - use the SECG 384r1 recommended curve over a 384 bit prime field
- * -SECG_PRIME_521R1    - use the SECG 521r1 recommended curve over a 521 bit prime field
- * -WTLS_6              - use the WAP/WTLS recommended curve number 6 over a 112 bit field
- * -WTLS_8              - use the WAP/WTLS recommended curve number 8 over a 112 bit field
- * -WTLS_9              - use the WAP/WTLS recommended curve number 9 over a 160 bit field
- */
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-{
-	ENGINE 	*e = NULL;
-	ECDSA 	*ecdsa = NULL;
-	int 	i, badops = 0, text = 0;
-	BIO 	*in = NULL, *out = NULL;
-	int 	informat, outformat, noout = 0, C = 0, ret = 1;
-	char 	*infile, *outfile, *prog, *inrand = NULL;
-	int 	genkey = 0;
-	int	check = 0;
-	int 	need_rand = 0;
-	char 	*engine=NULL;
-	int	curve_type = EC_GROUP_NO_CURVE;
-	int	named_curve = 0;
-	BIGNUM	*tmp_1 = NULL, *tmp_2 = NULL, *tmp_3 = NULL, *tmp_4 = NULL, *tmp_5 = NULL,
-		*tmp_6 = NULL, *tmp_7 = NULL;
-	BN_CTX	*ctx = NULL;
-	EC_POINT *point = NULL;
-	unsigned char *data = NULL;
-
-	apps_startup();
-
-	if (bio_err == NULL)
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-
-	if (!load_config(bio_err, NULL))
-		goto end;
-
-	infile=NULL;
-	outfile=NULL;
-	informat=FORMAT_PEM;
-	outformat=FORMAT_PEM;
-
-	prog=argv[0];
-	argc--;
-	argv++;
-	while (argc >= 1)
-		{
-		if 	(strcmp(*argv,"-inform") == 0)
-		{
-			if (--argc < 1) goto bad;
-			informat=str2fmt(*(++argv));
-		}
-		else if (strcmp(*argv,"-outform") == 0)
-		{
-			if (--argc < 1) goto bad;
-			outformat=str2fmt(*(++argv));
-		}
-		else if (strcmp(*argv,"-in") == 0)
-		{
-			if (--argc < 1) goto bad;
-			infile= *(++argv);
-		}
-		else if (strcmp(*argv,"-out") == 0)
-		{
-			if (--argc < 1) goto bad;
-			outfile= *(++argv);
-		}
-		else if(strcmp(*argv, "-engine") == 0)
-		{
-			if (--argc < 1) goto bad;
-			engine = *(++argv);
-		}
-		else if (strcmp(*argv,"-text") == 0)
-			text = 1;
-		else if (strcmp(*argv,"-C") == 0)
-			C = 1;
-		else if (strcmp(*argv,"-check") == 0)
-			check = 1;
-		else if (strcmp(*argv,"-genkey") == 0)
-		{
-			genkey = 1;
-			need_rand = 1;
-		}
-		else if (strcmp(*argv,"-rand") == 0)
-		{
-			if (--argc < 1) goto bad;
-			inrand= *(++argv);
-			need_rand=1;
-		}
-		else if (strcmp(*argv, "-named_curve") == 0)
-			named_curve = 1;
-		else if (strcmp(*argv, "-NIST_192") == 0)
-			curve_type = EC_GROUP_NIST_PRIME_192;
-		else if (strcmp(*argv, "-NIST_224") == 0)
-			curve_type = EC_GROUP_NIST_PRIME_224;
-		else if (strcmp(*argv, "-NIST_256") == 0)
-			curve_type = EC_GROUP_NIST_PRIME_256;
-		else if (strcmp(*argv, "-NIST_384") == 0)
-			curve_type = EC_GROUP_NIST_PRIME_384;
-		else if (strcmp(*argv, "-NIST_521") == 0)
-			curve_type = EC_GROUP_NIST_PRIME_521;
-		else if (strcmp(*argv, "-X9_62_192v1") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_192V1;
-		else if (strcmp(*argv, "-X9_62_192v2") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_192V2;
-		else if (strcmp(*argv, "-X9_62_192v3") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_192V3;
-		else if (strcmp(*argv, "-X9_62_239v1") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_239V1;
-		else if (strcmp(*argv, "-X9_62_239v2") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_239V2;
-		else if (strcmp(*argv, "-X9_62_239v3") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_239V3;
-		else if (strcmp(*argv, "-X9_62_256v1") == 0)
-			curve_type = EC_GROUP_X9_62_PRIME_256V1;
-		else if (strcmp(*argv, "-SECG_PRIME_112R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_112R1;
-		else if (strcmp(*argv, "-SECG_PRIME_112R2") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_112R2;
-		else if (strcmp(*argv, "-SECG_PRIME_128R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_128R1;
-		else if (strcmp(*argv, "-SECG_PRIME_128R2") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_128R2;
-		else if (strcmp(*argv, "-SECG_PRIME_160K1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_160K1;
-		else if (strcmp(*argv, "-SECG_PRIME_160R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_160R1;
-		else if (strcmp(*argv, "-SECG_PRIME_160R2") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_160R2;
-		else if (strcmp(*argv, "-SECG_PRIME_192K1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_192K1;
-		else if (strcmp(*argv, "-SECG_PRIME_192R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_192R1;
-		else if (strcmp(*argv, "-SECG_PRIME_224K1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_224K1;
-		else if (strcmp(*argv, "-SECG_PRIME_224R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_224R1;
-		else if (strcmp(*argv, "-SECG_PRIME_256K1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_256K1;
-		else if (strcmp(*argv, "-SECG_PRIME_256R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_256R1;
-		else if (strcmp(*argv, "-SECG_PRIME_384R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_384R1;
-		else if (strcmp(*argv, "-SECG_PRIME_521R1") == 0)
-			curve_type = EC_GROUP_SECG_PRIME_521R1;
-		else if (strcmp(*argv, "-WTLS_6") == 0)
-			curve_type = EC_GROUP_WTLS_6;
-		else if (strcmp(*argv, "-WTLS_8") == 0)
-			curve_type = EC_GROUP_WTLS_8;
-		else if (strcmp(*argv, "-WTLS_9") == 0)
-			curve_type = EC_GROUP_WTLS_9;
-		else if (strcmp(*argv, "-noout") == 0)
-			noout=1;
-		else
-		{
-			BIO_printf(bio_err,"unknown option %s\n",*argv);
-			badops=1;
-			break;
-		}
-		argc--;
-		argv++;
-	}
-
-	if (badops)
-	{
-bad:
-		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
-		BIO_printf(bio_err,"where options are\n");
-		BIO_printf(bio_err," -inform arg        input format - DER or PEM\n");
-		BIO_printf(bio_err," -outform arg       output format - DER or PEM\n");
-		BIO_printf(bio_err," -in arg            input file\n");
-		BIO_printf(bio_err," -out arg           output file\n");
-		BIO_printf(bio_err," -text              print the key in text\n");
-		BIO_printf(bio_err," -C                 Output C code\n");
-		BIO_printf(bio_err," -check             validate the ec parameters\n");
-		BIO_printf(bio_err," -noout             no output\n");
-		BIO_printf(bio_err," -rand              files to use for random number input\n");
-		BIO_printf(bio_err," -engine e          use engine e, possibly a hardware device.\n");
-		BIO_printf(bio_err," -named_curve       use the curve oid instead of the parameters\n");
-		BIO_printf(bio_err," -NIST_192          use the NIST recommended curve parameters over a 192 bit prime field\n");
-		BIO_printf(bio_err," -NIST_224          use the NIST recommended curve parameters over a 224 bit prime field\n");
-		BIO_printf(bio_err," -NIST_256          use the NIST recommended curve parameters over a 256 bit prime field\n");
-		BIO_printf(bio_err," -NIST_384          use the NIST recommended curve parameters over a 384 bit prime field\n");
-		BIO_printf(bio_err," -NIST_521          use the NIST recommended curve parameters over a 521 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_192v1       use the X9_62 192v1 example curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_192v2       use the X9_62 192v2 example curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_192v3       use the X9_62 192v3 example curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_239v1       use the X9_62 239v1 example curve over a 239 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_239v2       use the X9_62 239v2 example curve over a 239 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_239v3       use the X9_62 239v3 example curve over a 239 bit prime field\n");
-		BIO_printf(bio_err," -X9_62_256v1       use the X9_62 239v1 example curve over a 256 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_112R1  use the SECG 112r1 recommended curve over a 112 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_112R2  use the SECG 112r2 recommended curve over a 112 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_128R1  use the SECG 128r1 recommended curve over a 128 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_128R2  use the SECG 128r2 recommended curve over a 128 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_160K1  use the SECG 160k1 recommended curve over a 160 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_160R1  use the SECG 160r1 recommended curve over a 160 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_160R2  use the SECG 160r2 recommended curve over a 160 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_192K1  use the SECG 192k1 recommended curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_192R1  use the SECG 192r1 recommended curve over a 192 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_224K1  use the SECG 224k1 recommended curve over a 224 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_224R1  use the SECG 224r1 recommended curve over a 224 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_256K1  use the SECG 256k1 recommended curve over a 256 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_256R1  use the SECG 256r1 recommended curve over a 256 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_384R1  use the SECG 384r1 recommended curve over a 384 bit prime field\n");
-		BIO_printf(bio_err," -SECG_PRIME_521R1  use the SECG 521r1 recommended curve over a 521 bit prime field\n");
-		BIO_printf(bio_err," -WTLS_6            use the WAP/WTLS recommended curve number 6 over a 112 bit field\n");
-		BIO_printf(bio_err," -WTLS_8            use the WAP/WTLS recommended curve number 8 over a 112 bit field\n");
-		BIO_printf(bio_err," -WTLS_9            use the WAP/WTLS recommended curve number 9 over a 112 bit field\n");
-		goto end;
-	}
-
-	ERR_load_crypto_strings();
-
-	in=BIO_new(BIO_s_file());
-	out=BIO_new(BIO_s_file());
-	if ((in == NULL) || (out == NULL))
-	{
-		ERR_print_errors(bio_err);
-		goto end;
-	}
-
-	if (infile == NULL)
-		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-	else
-	{
-		if (BIO_read_filename(in,infile) <= 0)
-		{
-			perror(infile);
-			goto end;
-		}
-	}
-	if (outfile == NULL)
-	{
-		BIO_set_fp(out,stdout,BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-		{
-		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-		out = BIO_push(tmpbio, out);
-		}
-#endif
-	}
-	else
-	{
-		if (BIO_write_filename(out,outfile) <= 0)
-		{
-			perror(outfile);
-			goto end;
-		}
-	}
-
-        e = setup_engine(bio_err, engine, 0);
-
-	if (need_rand)
-	{
-		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-		if (inrand != NULL)
-			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
-				app_RAND_load_files(inrand));
-	}
-
-	if (curve_type != EC_GROUP_NO_CURVE)
-	{
-		if ((ecdsa = ECDSA_new()) == NULL)
-			goto end;
-		ecdsa->group = EC_GROUP_new_by_name(curve_type);
-		if (named_curve)
-			ECDSA_set_parameter_flags(ecdsa, ECDSA_FLAG_NAMED_CURVE);
-	}
-	else if (informat == FORMAT_ASN1)
-		ecdsa = d2i_ECDSAParameters_bio(in,NULL);
-	else if (informat == FORMAT_PEM)
-		ecdsa = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL);
-	else
-	{
-		BIO_printf(bio_err, "bad input format specified\n");
-		goto end;
-	}
-	if (ecdsa == NULL)
-	{
-		BIO_printf(bio_err, "unable to load ECDSA parameters\n");
-		ERR_print_errors(bio_err);
-		goto end;
-	}
-
-	if (text)
-	{
-		ECDSAParameters_print(out, ecdsa);
-	}
-
-	if (check)
-	{
-		if (ecdsa == NULL)
-			BIO_printf(bio_err, "no elliptic curve parameters\n");
-		BIO_printf(bio_err, "checking elliptic curve parameters: ");
-		if (!EC_GROUP_check(ecdsa->group, NULL))
-		{
-			BIO_printf(bio_err, "failed\n");
-			ERR_print_errors(bio_err);
-		}
-		else
-			BIO_printf(bio_err, "ok\n");
-			
-	}
-	
-	if (C)
-	{	/* TODO: characteristic two */
-		int 	l, len, bits_p;
-		if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
-		    (tmp_3 = BN_new()) == NULL || (tmp_4 = BN_new()) == NULL ||
-		    (tmp_5 = BN_new()) == NULL || (tmp_6 = BN_new()) == NULL ||
-                    (tmp_7 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
-		{
-			perror("OPENSSL_malloc");
-			goto end;
-		}
-		if (!EC_GROUP_get_curve_GFp(ecdsa->group, tmp_1, tmp_2, tmp_3, ctx))
-			goto end;
-		if ((point = EC_GROUP_get0_generator(ecdsa->group)) == NULL)
-			goto end;
-		if (!EC_POINT_get_affine_coordinates_GFp(ecdsa->group, point, tmp_4, tmp_5, ctx))
-			goto end;
-		if (!EC_GROUP_get_order(ecdsa->group, tmp_6, ctx))
-			goto end;
-		if (!EC_GROUP_get_cofactor(ecdsa->group, tmp_7, ctx))
-			goto end;
-		
-		len    = BN_num_bytes(tmp_1);
-		bits_p = BN_num_bits(tmp_1);
-		data=(unsigned char *)OPENSSL_malloc(len+20);
-		if (data == NULL)
-		{
-			perror("OPENSSL_malloc");
-			goto end;
-		}
-		l = BN_bn2bin(tmp_1, data);
-		printf("static unsigned char ecdsa%d_p[]={", bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n\n");
-
-		l = BN_bn2bin(tmp_2, data);
-		printf("static unsigned char ecdsa%d_a[]={",bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n");
-
-		l = BN_bn2bin(tmp_3, data);
-		printf("static unsigned char ecdsa%d_b[]={", bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n\n");
-
-		l = BN_bn2bin(tmp_4, data);
-		printf("static unsigned char ecdsa%d_x[]={", bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n");
-
-		l = BN_bn2bin(tmp_5, data);
-		printf("static unsigned char ecdsa%d_y[]={", bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n");
-
-		l = BN_bn2bin(tmp_6, data);
-		printf("static unsigned char ecdsa%d_o[]={", bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n");
-
-		l = BN_bn2bin(tmp_7, data);
-		printf("static unsigned char ecdsa%d_c[]={", bits_p);
-		for (i=0; i<l; i++)
-		{
-			if ((i%12) == 0) printf("\n\t");
-			printf("0x%02X,",data[i]);
-		}
-		printf("\n\t};\n\n");
-
-		/* FIXME:
-		 * generated code should check for errors
-		 */
-
-		printf("ECDSA *get_ecdsa%d(void)\n\t{\n",bits_p);
-		printf("\tint ok=0;\n");
-		printf("\tECDSA    *ecdsa=NULL;\n");
-		printf("\tEC_POINT *point=NULL;\n");
-		printf("\tBIGNUM   *tmp_1=NULL,*tmp_2=NULL,*tmp_3=NULL;\n\n");
-		printf("\tif ((ecdsa=ECDSA_new()) == NULL)\n");
-		printf("\t\treturn(NULL);\n\n");
-		printf("\t/* generate EC_GROUP structure */\n");
-		printf("\tif ((tmp_1 = BN_bin2bn(ecdsa%d_p, sizeof(ecdsa%d_p), NULL)) == NULL) goto err;\n", bits_p, bits_p);
-		printf("\tif ((tmp_2 = BN_bin2bn(ecdsa%d_a, sizeof(ecdsa%d_a), NULL)) == NULL) goto err;\n", bits_p, bits_p);
-		printf("\tif ((tmp_3 = BN_bin2bn(ecdsa%d_b, sizeof(ecdsa%d_b), NULL)) == NULL) goto err;\n", bits_p, bits_p);
-		printf("\tif ((ecdsa->group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL) goto err;\n\n");
-		printf("\t/* build generator */\n");
-		printf("\tif (!BN_bin2bn(ecdsa%d_x, sizeof(ecdsa%d_x), tmp_1)) goto err;\n", bits_p, bits_p);
-		printf("\tif (!BN_bin2bn(ecdsa%d_y, sizeof(ecdsa%d_y), tmp_2)) goto err;\n", bits_p, bits_p);
-		printf("\tif ((point = EC_POINT_new(ecdsa->group)) == NULL) goto err;\n");
-		printf("\tif (!EC_POINT_set_affine_coordinates_GFp(ecdsa->group, point, tmp_1, tmp_2, NULL)) goto err;\n");
-		printf("\t/* set generator, order and cofactor */\n");
-		printf("\tif (!BN_bin2bn(ecdsa%d_o, sizeof(ecdsa%d_o), tmp_1)) goto err;\n", bits_p, bits_p);
-		printf("\tif (!BN_bin2bn(ecdsa%d_c, sizeof(ecdsa%d_c), tmp_2)) goto err;\n", bits_p, bits_p);
-		printf("\tif (!EC_GROUP_set_generator(ecdsa->group, point, tmp_1, tmp_2)) goto err;\n");
-		printf("\n\tok=1;\n");
-		printf("err:\n");
-		printf("\tif (tmp_1) BN_free(tmp_1);\n");
-		printf("\tif (tmp_2) BN_free(tmp_2);\n");
-		printf("\tif (tmp_3) BN_free(tmp_3);\n");
-		printf("\tif (point) EC_POINT_free(point);\n");
-		printf("\tif (!ok)\n");
-		printf("\t\t{\n");
-		printf("\t\tECDSA_free(ecdsa);\n");
-		printf("\t\tecdsa = NULL;\n");
-		printf("\t\t}\n");
-		printf("\treturn(ecdsa);\n\t}\n");
-	}
-
-
-	if (!noout)
-	{
-		if (outformat == FORMAT_ASN1)
-			i = i2d_ECDSAParameters_bio(out, ecdsa);
-		else if (outformat == FORMAT_PEM)
-			i = PEM_write_bio_ECDSAParameters(out, ecdsa);
-		else	
-		{
-			BIO_printf(bio_err,"bad output format specified for outfile\n");
-			goto end;
-		}
-		if (!i)
-		{
-			BIO_printf(bio_err, "unable to write ECDSA parameters\n");
-			ERR_print_errors(bio_err);
-			goto end;
-		}
-	}
-	if (genkey)
-	{
-		ECDSA *ecdsakey;
-
-		assert(need_rand);
-		if ((ecdsakey = ECDSAParameters_dup(ecdsa)) == NULL) goto end;
-		if (!ECDSA_generate_key(ecdsakey)) goto end;
-		if (outformat == FORMAT_ASN1)
-			i = i2d_ECDSAPrivateKey_bio(out, ecdsakey);
-		else if (outformat == FORMAT_PEM)
-			i = PEM_write_bio_ECDSAPrivateKey(out, ecdsakey, NULL, NULL, 0, NULL, NULL);
-		else	
-		{
-			BIO_printf(bio_err, "bad output format specified for outfile\n");
-			goto end;
-		}
-		ECDSA_free(ecdsakey);
-	}
-	if (need_rand)
-		app_RAND_write_file(NULL, bio_err);
-	ret=0;
-end:
-	if (in != NULL) 	BIO_free(in);
-	if (out != NULL) 	BIO_free_all(out);
-	if (ecdsa != NULL) 	ECDSA_free(ecdsa);
-	if (tmp_1)		BN_free(tmp_1);
-	if (tmp_2)		BN_free(tmp_2);
-	if (tmp_3)		BN_free(tmp_3);
-	if (tmp_3)		BN_free(tmp_4);
-	if (tmp_3)		BN_free(tmp_5);
-	if (tmp_3)		BN_free(tmp_6);
-	if (tmp_3)		BN_free(tmp_7);
-	if (ctx)		BN_CTX_free(ctx);
-	if (data)		OPENSSL_free(data);
-	apps_shutdown();
-	EXIT(ret);
-}
-#endif
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -78,7 +78,7 @@ int set_hex(char *in,unsigned char *out,int size);
 #define BSIZE	(8*1024)
 #define	PROG	enc_main

-void show_ciphers(const OBJ_NAME *name,void *bio_)
+static void show_ciphers(const OBJ_NAME *name,void *bio_)
 	{
 	BIO *bio=bio_;
 	static int n;
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -44,6 +44,7 @@ $!  keywords:
 $!
 $!	UCX		for UCX
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
+$!	TCPIP		for TCPIP (post UCX)
 $!
 $!  P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
 $!
@@ -963,7 +964,8 @@ $ ENDIF
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX"
+$ IF P4.EQS."SOCKETSHR" .OR. P4.EQS."MULTINET" .OR. P4.EQS."UCX" -
+     .OR. P4.EQS."TCPIP" .OR. P4.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
@@ -973,7 +975,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -999,19 +1001,45 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
 $     ENDIF
 $!
 $!    Done with UCX
 $!
 $   ENDIF
 $!
+$!  Check to see if TCPIP (post UCX) was chosen
+$!
+$   IF P4.EQS."TCPIP"
+$   THEN
+$!
+$!    Set the library to use TCPIP.
+$!
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$!
+$!    Done with TCPIP
+$!
+$   ENDIF
+$!
+$!  Check to see if NONE was chosen
+$!
+$   IF P4.EQS."NONE"
+$   THEN
+$!
+$!    Do not use TCPIP.
+$!
+$     TCPIP_LIB = ""
+$!
+$!    Done with TCPIP
+$!
+$   ENDIF
+$!
 $!  Add TCP/IP type to CC definitions.
 $!
 $   CCDEFS = CCDEFS + ",TCPIP_TYPE_''P4'"
@@ -1031,6 +1059,7 @@ $   WRITE SYS$OUTPUT "The Option ",P4," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT "    TCPIP      :  To link with TCPIP (post UCX) TCP/IP library."
 $   WRITE SYS$OUTPUT ""
 $!
 $!  Time To EXIT.
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -58,9 +58,9 @@

 #include <stdio.h>
 #include <string.h>
+#include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
-#include "apps.h"

 #undef PROG
 #define PROG nseq_main
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -58,11 +58,11 @@

 #include <stdio.h>
 #include <string.h>
+#include "apps.h"
 #include <openssl/pem.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-#include "apps.h"

 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD	(5 * 60)
@@ -553,8 +553,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-port num		 port to run responder on\n");
 		BIO_printf (bio_err, "-index file	 certificate status index file\n");
 		BIO_printf (bio_err, "-CA file		 CA certificate\n");
-		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign requests with\n");
-		BIO_printf (bio_err, "-rkey file	 responder key to sign requests with\n");
+		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign responses with\n");
+		BIO_printf (bio_err, "-rkey file	 responder key to sign responses with\n");
 		BIO_printf (bio_err, "-rother file	 other certificates to include in response\n");
 		BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
 		BIO_printf (bio_err, "-nmin n	 	 number of minutes before next update\n");
@@ -676,6 +676,18 @@ int MAIN(int argc, char **argv)

 	if (req_text && req) OCSP_REQUEST_print(out, req, 0);

+	if (reqout)
+		{
+		derbio = BIO_new_file(reqout, "wb");
+		if(!derbio)
+			{
+			BIO_printf(bio_err, "Error opening file %s\n", reqout);
+			goto end;
+			}
+		i2d_OCSP_REQUEST_bio(derbio, req);
+		BIO_free(derbio);
+		}
+
 	if (ridx_filename && (!rkey || !rsigner || !rca_cert))
 		{
 		BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
@@ -809,6 +821,8 @@ int MAIN(int argc, char **argv)

 	if (!store)
 		store = setup_verify(bio_err, CAfile, CApath);
+	if (!store)
+		goto end;
 	if (verify_certfile)
 		{
 		verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -114,6 +114,7 @@
 #include <string.h>
 #include <stdlib.h>
 #define OPENSSL_C /* tells apps.h to use complete apps_startup() */
+#include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
@@ -123,7 +124,6 @@
 #include <openssl/ssl.h>
 #include <openssl/engine.h>
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
-#include "apps.h"
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -779,7 +779,10 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 		print_attribs (out, bag->attrib, "Bag Attributes");
 		if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
 				return 0;
-		if (!(pkey = EVP_PKCS82PKEY (p8))) return 0;
+		if (!(pkey = EVP_PKCS82PKEY (p8))) {
+			PKCS8_PRIV_KEY_INFO_free(p8);
+			return 0;
+		}
 		print_attribs (out, p8->attributes, "Key Attributes");
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		PEM_write_bio_PrivateKey (out, pkey, enc, NULL, 0, NULL, pempass);
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -89,7 +89,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
-	int ret=0;
+	int ret=1;
 	char *engine=NULL;

 	apps_startup();
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -17,8 +17,6 @@ extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
-extern int ecdsa_main(int argc,char *argv[]);
-extern int ecdsaparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
@@ -80,12 +78,6 @@ FUNCTION functions[] = {
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	{FUNC_TYPE_GENERAL,"ecdsa",ecdsa_main},
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	{FUNC_TYPE_GENERAL,"ecdsaparam",ecdsaparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -33,8 +33,6 @@ foreach (@ARGV)
 		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^ecdsa$/) || ($_ =~ /^ecdsaparam$/))
-		{ print "#ifndef OPENSSL_NO_ECDSA\n${str}#endif\n";}
 	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
 		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^pkcs12$/))
--- a/apps/req.c
+++ b/apps/req.c
@@ -142,7 +142,6 @@ static int batch=0;
 #define TYPE_RSA	1
 #define TYPE_DSA	2
 #define TYPE_DH		3
-#define TYPE_ECDSA	4

 int MAIN(int, char **);

@@ -151,9 +150,6 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 #ifndef OPENSSL_NO_DSA
 	DSA *dsa_params=NULL;
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	ECDSA *ecdsa_params = NULL;
 #endif
 	unsigned long nmflag = 0;
 	int ex=1,x509=0,days=30;
@@ -322,60 +318,8 @@ int MAIN(int argc, char **argv)
 						}
 					}
 				BIO_free(in);
-				in=NULL;
 				newkey=BN_num_bits(dsa_params->p);
-				}
-			else 
-#endif
-#ifndef OPENSSL_NO_ECDSA
-				if (strncmp("ecdsa:",p,4) == 0)
-				{
-				X509 *xtmp=NULL;
-				EVP_PKEY *dtmp;
-
-				pkey_type=TYPE_ECDSA;
-				p+=6;
-				if ((in=BIO_new_file(p,"r")) == NULL)
-					{
-					perror(p);
-					goto end;
-					}
-				if ((ecdsa_params = PEM_read_bio_ECDSAParameters(in, NULL, NULL, NULL)) == NULL)
-					{
-					ERR_clear_error();
-					(void)BIO_reset(in);
-					if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
-						{	
-						BIO_printf(bio_err,"unable to load ECDSA parameters from file\n");
-						goto end;
-						}
-
-					if ((dtmp=X509_get_pubkey(xtmp)) == NULL) goto end;
-					if (dtmp->type == EVP_PKEY_ECDSA)
-						ecdsa_params = ECDSAParameters_dup(dtmp->pkey.ecdsa);
-					EVP_PKEY_free(dtmp);
-					X509_free(xtmp);
-					if (ecdsa_params == NULL)
-						{
-						BIO_printf(bio_err,"Certificate does not contain ECDSA parameters\n");
-						goto end;
-						}
-					}
-
-				BIO_free(in);
 				in=NULL;
-				
-				{
-				BIGNUM *order = BN_new();
-				
-				if (!order)
-					goto end;
-				if (!EC_GROUP_get_order(ecdsa_params->group, order, NULL))
-					goto end;
-				newkey = BN_num_bits(order);
-				BN_free(order);
-				}
-
 				}
 			else 
 #endif
@@ -490,7 +434,6 @@ bad:
 		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
-		BIO_printf(bio_err," -newkey ecdsa:file generate a new ECDSA key, parameters taken from CA in 'file'\n");
 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 		BIO_printf(bio_err," -config file   request template file.\n");
 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
@@ -505,6 +448,7 @@ bad:
 		BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n");
 		BIO_printf(bio_err," -reqexts ..    specify request extension section (override value in config file)\n");
 		BIO_printf(bio_err," -utf8          input characters are UTF8 (default ASCII)\n");
+		BIO_printf(bio_err," -nameopt arg    - various certificate name options\n");
 		goto end;
 		}

@@ -686,7 +630,7 @@ bad:
 			   message */
 			goto end;
 			}
-		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA || EVP_PKEY_type(pkey->type) == EVP_PKEY_ECDSA)
+		if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
 			{
 			char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 			if (randfile == NULL)
@@ -710,15 +654,14 @@ bad:
 				newkey=DEFAULT_KEY_LENGTH;
 			}

-		if (newkey < MIN_KEY_LENGTH && (pkey_type == TYPE_RSA || pkey_type == TYPE_DSA))
-		/* TODO: appropriate minimal keylength for the different algorithm (esp. ECDSA) */
+		if (newkey < MIN_KEY_LENGTH)
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
 			BIO_printf(bio_err,"it needs to be at least %d bits, not %d\n",MIN_KEY_LENGTH,newkey);
 			goto end;
 			}
 		BIO_printf(bio_err,"Generating a %d bit %s private key\n",
-			newkey,(pkey_type == TYPE_RSA)?"RSA":(pkey_type == TYPE_DSA)?"DSA":"ECDSA");
+			newkey,(pkey_type == TYPE_RSA)?"RSA":"DSA");

 		if ((pkey=EVP_PKEY_new()) == NULL) goto end;

@@ -740,14 +683,6 @@ bad:
 			dsa_params=NULL;
 			}
 #endif
-#ifndef OPENSSL_NO_ECDSA
-			if (pkey_type == TYPE_ECDSA)
-			{
-			if (!ECDSA_generate_key(ecdsa_params)) goto end;
-			if (!EVP_PKEY_assign_ECDSA(pkey, ecdsa_params)) goto end;
-			ecdsa_params = NULL;
-			}
-#endif

 		app_RAND_write_file(randfile, bio_err);

@@ -853,10 +788,6 @@ loop:
 #ifndef OPENSSL_NO_DSA
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
-#endif
-#ifndef OPENSSL_NO_ECDSA
-		if (pkey->type == EVP_PKEY_ECDSA)
-			digest=EVP_ecdsa();
 #endif
 		if (req == NULL)
 			{
@@ -1138,9 +1069,6 @@ end:
 	OBJ_cleanup();
 #ifndef OPENSSL_NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	if (ecdsa_params != NULL) ECDSA_free(ecdsa_params);
 #endif
 	apps_shutdown();
 	EXIT(ex);
@@ -1210,64 +1138,22 @@ err:
 	return(ret);
 	}

+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
 static int build_subject(X509_REQ *req, char *subject, unsigned long chtype)
 	{
-	X509_NAME *n = NULL;
+	X509_NAME *n;

-	int i, nid, ne_num=0;
+	if (!(n = do_subject(subject, chtype)))
+		return 0;

-	char *ne_name = NULL;
-	char *ne_value = NULL;
-
-	char *tmp = NULL;
-	char *p[2];
-
-	char *str_list[256];
-       
-	p[0] = ",/";
-        p[1] = "=";
-
-	n = X509_NAME_new();
-
-	tmp = strtok(subject, p[0]);
-	while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
-		{
-		char *token = tmp;
-
-		while (token[0] == ' ')
-			token++;
-		str_list[ne_num] = token;
-
-		tmp = strtok(NULL, p[0]);
-		ne_num++;
-		}
-
-	for(i = 0; i < ne_num; i++)
-		{
-		ne_name  = strtok(str_list[i], p[1]);
-		ne_value = strtok(NULL, p[1]);
-
-		if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
-			{
-			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
-			continue;
-			}
-
-		if (ne_value == NULL)
-			{
-			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
-			continue;
-			}
-
-		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_value, -1,-1,0))
+	if (!X509_REQ_set_subject_name(req, n))
 		{
 		X509_NAME_free(n);
 		return 0;
 		}
-		}
-
-	if (!X509_REQ_set_subject_name(req, n))
-		return 0;
 	X509_NAME_free(n);
 	return 1;
 }
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -433,6 +433,11 @@ bad:
 		goto end;
 		}

+	OpenSSL_add_ssl_algorithms();
+	SSL_load_error_strings();
+
+        e = setup_engine(bio_err, engine_id, 1);
+
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -455,11 +460,6 @@ bad:
 			}
 		}

-	OpenSSL_add_ssl_algorithms();
-	SSL_load_error_strings();
-
-        e = setup_engine(bio_err, engine_id, 1);
-
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -683,6 +683,11 @@ bad:
 		goto end;
 		}

+	SSL_load_error_strings();
+	OpenSSL_add_ssl_algorithms();
+
+        e = setup_engine(bio_err, engine_id, 1);
+
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@@ -705,7 +710,7 @@ bad:
 			}
 		}

-#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA)
 	if (nocert)
 #endif
 		{
@@ -715,11 +720,6 @@ bad:
 		s_dkey_file=NULL;
 		}

-	SSL_load_error_strings();
-	OpenSSL_add_ssl_algorithms();
-
-        e = setup_engine(bio_err, engine_id, 1);
-
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -85,7 +85,7 @@
 #include OPENSSL_UNISTD
 #endif

-#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
 #define TIMES
 #endif

@@ -109,10 +109,6 @@
 #include <sys/timeb.h>
 #endif

-#ifdef _AIX
-#include <sys/select.h>
-#endif
-
 #if defined(sun) || defined(__ultrix)
 #define _POSIX_SOURCE
 #include <limits.h>
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -109,6 +109,12 @@ int MAIN(int argc, char **argv)
 	args = argv + 1;
 	ret = 1;

+	apps_startup();
+
+	if (bio_err == NULL)
+		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+
 	if (!load_config(bio_err, NULL))
 		goto end;

@@ -465,7 +471,10 @@ int MAIN(int argc, char **argv)
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
 	} else if(operation == SMIME_SIGN) {
 		p7 = PKCS7_sign(signer, key, other, in, flags);
-		BIO_reset(in);
+		if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
+		  BIO_printf(bio_err, "Can't rewind input file\n");
+		  goto end;
+		}
 	} else {
 		if(informat == FORMAT_SMIME) 
 			p7 = SMIME_read_PKCS7(in, &indata);
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -245,7 +245,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-CAkeyform") == 0)
 			{
 			if (--argc < 1) goto bad;
-			CAformat=str2fmt(*(++argv));
+			CAkeyformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-days") == 0)
 			{
@@ -869,10 +869,6 @@ bad:
 		                if (Upkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
-#ifndef OPENSSL_NO_ECDSA
-				if (Upkey->type == EVP_PKEY_ECDSA)
-					digest=EVP_ecdsa();
-#endif

 				assert(need_rand);
 				if (!sign(x,Upkey,days,clrext,digest,
@@ -892,10 +888,6 @@ bad:
 		                if (CApkey->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
-#ifndef OPENSSL_NO_ECDSA
-				if (CApkey->type == EVP_PKEY_ECDSA)
-					digest = EVP_ecdsa();
-#endif
 				
 				assert(need_rand);
 				if (!x509_certify(ctx,CAfile,digest,x,xca,
@@ -923,10 +915,10 @@ bad:

 				BIO_printf(bio_err,"Generating certificate request\n");

+#ifndef OPENSSL_NO_DSA
 		                if (pk->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
-				else if (pk->type == EVP_PKEY_ECDSA)
-					digest=EVP_ecdsa();
+#endif

 				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
--- a/33
+++ b/33
@@ -390,18 +390,30 @@ exit 0

 # figure out if gcc is available and if so we use it otherwise
 # we fallback to whatever cc does on the system
-GCCVER=`(gcc --version) 2>/dev/null`
+GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
  CC=gcc
-  # then strip off whatever prefix Cygnus prepends the number with...
-  GCCVER=`echo $GCCVER | sed 's/^[a-z]*\-//'`
+  # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
+  # does give us what we want though, so we use that.  We just just the
+  # major and minor version numbers.
  # peak single digit before and after first dot, e.g. 2.95.1 gives 29
  GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
 else
  CC=cc
 fi
 GCCVER=${GCCVER:-0}
-
+if [ "$SYSTEM" = "HP-UX" ];then
+  # By default gcc is a ILP32 compiler (with long long == 64).
+  GCC_BITS="32"
+  if [ $GCCVER -ge 30 ]; then
+    # PA64 support only came in with gcc 3.0.x.
+    # We look for the preprocessor symbol __LP64__ indicating
+    # 64bit bit long and pointer.  sizeof(int) == 32 on HPUX64.
+    if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then
+      GCC_BITS="64"
+    fi
+  fi
+fi
 if [ "$SYSTEM" = "SunOS" ]; then
  if [ $GCCVER -ge 30 ]; then
    # 64-bit ABI isn't officially supported in gcc 3.0, but it appears
@@ -517,6 +529,10 @@ EOF
 	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
 	rm dummy dummy.c
 	;;
+  ppc64-*-linux2)
+	#Use the standard target for PPC architecture until we create a
+	#special one for the 64bit architecture.
+	OUT="linux-ppc" ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
@@ -655,7 +671,16 @@ EOF
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
  *-hpux1*)
+	if [ $CC = "gcc" ];
+	then
+	  if [ $GCC_BITS = "64" ]; then
+	    OUT="hpux64-parisc-gcc"
+	  else
+	    OUT="hpux-parisc-gcc"
+	  fi
+	else
 	  OUT="hpux-parisc-$CC"
+	fi
 	KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null`
 	KERNEL_BITS=${KERNEL_BITS:-32}
 	CPU_VERSION=`(getconf CPU_VERSION) 2>/dev/null`
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -28,7 +28,7 @@ LIBS=

 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa dh dso engine aes \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

@@ -54,11 +54,11 @@ all: buildinf.h lib subdirs shared

 buildinf.h: ../Makefile.ssl
 	( echo "#ifndef MK1MF_BUILD"; \
-	echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
-	echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
-	echo "  #define PLATFORM \"$(PLATFORM)\""; \
-	echo "  #define DATE \"`date`\""; \
-	echo "#endif" ) >buildinf.h
+	echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \
+	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
+	echo '  #define PLATFORM "$(PLATFORM)"'; \
+	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
+	echo '#endif' ) >buildinf.h

 testapps:
 	if echo ${SDIRS} | fgrep ' des '; \
@@ -136,12 +136,12 @@ lint:

 depend:
 	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(SDIRS) ;\
 	do \
 	(cd $$i && echo "making depend in crypto/$$i..." && \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
+	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ); \
 	done;

 clean:
@@ -180,7 +180,7 @@ cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c
-ebcdic.o: ../include/openssl/opensslconf.h ebcdic.c
+ebcdic.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h ebcdic.c
 ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
--- a/crypto/aes/Makefile.ssl
+++ b/crypto/aes/Makefile.ssl
@@ -75,7 +75,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@@ -137,7 +137,7 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 	} else {
 		while (l--) {
 			if (n == 0) {
-				AES_decrypt(ivec, ivec, key);
+				AES_encrypt(ivec, ivec, key);
 			}
 			c = *(in);
 			*(out++) = *(in++) ^ ivec[n];
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -106,8 +106,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,

 	while (l--) {
 		if (n == 0) {
-			AES_ctr128_inc(counter);
 			AES_encrypt(counter, tmp, key);
+			AES_ctr128_inc(counter);
 		}
 		*(out++) = *(in++) ^ tmp[n];
 		n = (n+1) % AES_BLOCK_SIZE;
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -60,10 +60,7 @@

 #include <stdio.h>
 #include <stdlib.h>
-
-#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
 #include <string.h>
-#endif

 #ifdef _MSC_VER
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -71,8 +71,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	if (a == NULL) return(0);

 	len=a->length;
-	ret=1+len;
-	if (pp == NULL) return(ret);

 	if (len > 0)
 		{
@@ -100,6 +98,10 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 		}
 	else
 		bits=0;
+
+	ret=1+len;
+	if (pp == NULL) return(ret);
+
 	p= *pp;

 	*(p++)=(unsigned char)bits;
--- a/crypto/asn1/a_enum.c
+++ b/crypto/asn1/a_enum.c
@@ -151,7 +151,17 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
+		{
+		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
+		if (!new_data)
+			{
+			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		ret->data=new_data;
+		}
+
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -397,7 +397,16 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
+	if (ret->length < len+4)
+		{
+		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
+		if (!new_data)
+			{
+			ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_MALLOC_FAILURE);
+			goto err;
+			}
+		ret->data=new_data;
+		}
 	ret->length=BN_bn2bin(bn,ret->data);
 	/* Correct zero case */
 	if(!ret->length)
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -118,7 +118,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}

        pStart  = p; /* Catch the beg of Setblobs*/
-        rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+        if (!(rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)))) return 0; /* In this array
 we will store the SET blobs */

        for (i=0; i<sk_num(a); i++)
@@ -135,7 +135,7 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        pTempMem = OPENSSL_malloc(totSize);
+        if (!(pTempMem = OPENSSL_malloc(totSize))) return 0;

 /* Copy to temp mem */
        p = pTempMem;
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */

 #include <stdio.h>
 #include <time.h>
@@ -90,7 +143,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
+			{
+			/* special case: RFC 2459 tells us to omit 'parameters'
+			 * with id-dsa-with-sha1 */
+			ASN1_TYPE_free(a->parameter);
+			a->parameter = NULL;
+			}
+		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
@@ -169,7 +229,14 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		else
 			a=algor2;
 		if (a == NULL) continue;
-		if (	(a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
+			{
+			/* special case: RFC 2459 tells us to omit 'parameters'
+			 * with id-dsa-with-sha1 */
+			ASN1_TYPE_free(a->parameter);
+			a->parameter = NULL;
+			}
+		else if ((a->parameter == NULL) || 
 			(a->parameter->type != V_ASN1_NULL))
 			{
 			ASN1_TYPE_free(a->parameter);
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -77,8 +77,8 @@
 /* Three IO functions for sending data to memory, a BIO and
 * and a FILE pointer.
 */
-
-int send_mem_chars(void *arg, const void *buf, int len)
+#if 0				/* never used */
+static int send_mem_chars(void *arg, const void *buf, int len)
 {
 	unsigned char **out = arg;
 	if(!out) return 1;
@@ -86,15 +86,16 @@ int send_mem_chars(void *arg, const void *buf, int len)
 	*out += len;
 	return 1;
 }
+#endif

-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(BIO_write(arg, buf, len) != len) return 0;
 	return 1;
 }

-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -240,7 +241,7 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen
 * #01234 format.
 */

-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 {
 	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
 	 * the DER encoding to readily obtained
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -222,6 +222,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	{
 	struct tm *tm;
+	struct tm data;
 	int offset;
 	int year;

@@ -238,7 +239,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)

 	t -= offset*60; /* FIXME: may overflow in extreme cases */

-	{ struct tm data; tm = OPENSSL_gmtime(&t, &data); }
+	tm = OPENSSL_gmtime(&t, &data);
 	
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
 	year = g2(s->data);
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -773,6 +773,7 @@ int 	ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
 int 	ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);

 DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
 DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
 DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
@@ -1008,13 +1009,12 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_X509_PKEY				 159
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
-#define ASN1_F_I2D_ECDSA_PUBKEY				 174
 #define ASN1_F_I2D_NETSCAPE_RSA				 162
 #define ASN1_F_I2D_PRIVATEKEY				 163
 #define ASN1_F_I2D_PUBLICKEY				 164
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
-#define ASN1_F_OID_MODULE_INIT				 175
+#define ASN1_F_OID_MODULE_INIT				 174
 #define ASN1_F_PKCS5_PBE2_SET				 167
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -128,7 +128,6 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),	"d2i_X509_PKEY"},
 {ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),	"I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),	"i2d_DSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_I2D_ECDSA_PUBKEY,0),	"i2d_ECDSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0),	"i2d_Netscape_RSA"},
 {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),	"i2d_PrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),	"i2d_PublicKey"},
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -59,6 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>

 static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -123,15 +124,13 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 		(int)(omax+ *pp));

 #endif
-#if 0
-	if ((p+ *plength) > (omax+ *pp))
+	if (*plength > (omax - (*pp - p)))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
-#endif
 	*pp=p;
 	return(ret|inf);
 err:
@@ -158,6 +157,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
+			if (i > sizeof(long))
+				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -169,6 +170,8 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 		else
 			ret=i;
 		}
+	if (ret < 0)
+		return 0;
 	*pp=p;
 	*rl=ret;
 	return(1);
@@ -406,7 +409,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b)

 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];

 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-#ifndef OPENSSL_NO_ECDSA
-#include <openssl/ecdsa.h>
-#endif

 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -110,16 +107,6 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
 			goto err;
 			}
 		break;
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	case EVP_PKEY_ECDSA:
-		if ((ret->pkey.ecdsa = d2i_ECDSAPrivateKey(NULL, 
-			(const unsigned char **)pp, length)) == NULL)
-			{
-			ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
-			goto err;
-			}
-		break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PRIVATEKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
@@ -151,10 +138,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp,
 	/* Since we only need to discern "traditional format" RSA and DSA
 	 * keys we can just count the elements.
         */
-	if(sk_ASN1_TYPE_num(inkey) == 6) 
-		keytype = EVP_PKEY_DSA;
-	else if (sk_ASN1_TYPE_num(inkey) == 4)
-		keytype = EVP_PKEY_ECDSA;
+	if(sk_ASN1_TYPE_num(inkey) == 6) keytype = EVP_PKEY_DSA;
 	else keytype = EVP_PKEY_RSA;
 	sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
 	return d2i_PrivateKey(keytype, a, pp, length);
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -68,9 +68,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-#ifndef OPENSSL_NO_ECDSA
-#include <openssl/ecdsa.h>
-#endif

 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 	     long length)
@@ -103,23 +100,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
-		if ((ret->pkey.dsa=d2i_DSAPublicKey(&(ret->pkey.dsa),
+		if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,
 			(const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
 			goto err;
 			}
 		break;
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	case EVP_PKEY_ECDSA:
-		if ((ret->pkey.ecdsa = ECDSAPublicKey_set_octet_string(&(ret->pkey.ecdsa), 
-			(const unsigned char **)pp, length)) == NULL)
-			{
-			ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
-			goto err;
-			}
-	break;
 #endif
 	default:
 		ASN1err(ASN1_F_D2I_PUBLICKEY,ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/i2d_pr.c
+++ b/crypto/asn1/i2d_pr.c
@@ -67,9 +67,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-#ifndef OPENSSL_NO_ECDSA
-#include <openssl/ecdsa.h>
-#endif

 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -86,12 +83,6 @@ int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 		return(i2d_DSAPrivateKey(a->pkey.dsa,pp));
 		}
 #endif
-#ifndef OPENSSL_NO_ECDSA
-	if (a->type == EVP_PKEY_ECDSA)
-		{
-		return(i2d_ECDSAPrivateKey(a->pkey.ecdsa, pp));
-		}
-#endif

 	ASN1err(ASN1_F_I2D_PRIVATEKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
 	return(-1);
--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -67,9 +67,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-#ifndef OPENSSL_NO_ECDSA
-#include <openssl/ecdsa.h>
-#endif

 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 	{
@@ -82,10 +79,6 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 #ifndef OPENSSL_NO_DSA
 	case EVP_PKEY_DSA:
 		return(i2d_DSAPublicKey(a->pkey.dsa,pp));
-#endif
-#ifndef OPENSSL_NO_ECDSA
-	case EVP_PKEY_ECDSA:
-		return(ECDSAPublicKey_get_octet_string(a->pkey.ecdsa, pp));
 #endif
 	default:
 		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/n_pkey.c
+++ b/crypto/asn1/n_pkey.c
@@ -92,6 +92,8 @@ ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = {
 	ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG)
 } ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)

+DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)

 ASN1_SEQUENCE(NETSCAPE_PKEY) = {
@@ -100,6 +102,8 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = {
 	ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(NETSCAPE_PKEY)

+DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY)
 IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)

 static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -116,6 +116,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
 		goto err;

+	EVP_CIPHER_CTX_init(&ctx);
+
 	/* Dummy cipherinit to just setup the IV */
 	EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
 	if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -69,9 +69,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-#ifndef OPENSSL_NO_ECDSA
-#include <openssl/ecdsa.h>
-#endif

 static int print(BIO *fp,const char *str,BIGNUM *num,
 		unsigned char *buf,int off);
@@ -99,10 +96,34 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 	char str[128];
 	const char *s;
 	unsigned char *m=NULL;
-	int i,ret=0;
+	int ret=0;
+	size_t buf_len=0, i;

-	i=RSA_size(x);
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	if (x->n)
+		buf_len = (size_t)BN_num_bytes(x->n);
+	if (x->e)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->e)))
+			buf_len = i;
+	if (x->d)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->d)))
+			buf_len = i;
+	if (x->p)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->p)))
+			buf_len = i;
+	if (x->q)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+			buf_len = i;
+	if (x->dmp1)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->dmp1)))
+			buf_len = i;
+	if (x->dmq1)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->dmq1)))
+			buf_len = i;
+	if (x->iqmp)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->iqmp)))
+			buf_len = i;
+
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		RSAerr(RSA_F_RSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -164,22 +185,25 @@ int DSA_print(BIO *bp, const DSA *x, int off)
 	{
 	char str[128];
 	unsigned char *m=NULL;
-	int i,ret=0;
-	BIGNUM *bn=NULL;
+	int ret=0;
+	size_t buf_len=0,i;

-	if (x->p != NULL)
-		bn=x->p;
-	else if (x->priv_key != NULL)
-		bn=x->priv_key;
-	else if (x->pub_key != NULL)
-		bn=x->pub_key;
+	if (x->p)
+		buf_len = (size_t)BN_num_bytes(x->p);
+	if (x->q)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+			buf_len = i;
+	if (x->g)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+			buf_len = i;
+	if (x->priv_key)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->priv_key)))
+			buf_len = i;
+	if (x->pub_key)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->pub_key)))
+			buf_len = i;

-	/* larger than needed but what the hell :-) */
-	if (bn != NULL)
-		i=BN_num_bytes(bn)*2;
-	else
-		i=256;
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
@@ -212,150 +236,6 @@ err:
 	}
 #endif /* !OPENSSL_NO_DSA */

-#ifndef OPENSSL_NO_ECDSA
-#ifndef OPENSSL_NO_FP_API
-int ECDSA_print_fp(FILE *fp, const ECDSA *x, int off)
-{
-	BIO *b;
-	int ret;
- 
-	if ((b=BIO_new(BIO_s_file())) == NULL)
-	{
-		ECDSAerr(ECDSA_F_ECDSA_PRINT_FP, ERR_R_BIO_LIB);
-		return(0);
-	}
-	BIO_set_fp(b, fp, BIO_NOCLOSE);
-	ret = ECDSA_print(b, x, off);
-	BIO_free(b);
-	return(ret);
-}
-#endif
-
-int ECDSA_print(BIO *bp, const ECDSA *x, int off)
-	{
-	char str[128];
-	unsigned char *buffer=NULL;
-	int     i, buf_len=0, ret=0, reason=ERR_R_BIO_LIB;
-	BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL,
-		*tmp_4=NULL, *tmp_5=NULL, *tmp_6=NULL,
-		*tmp_7=NULL;
-	BN_CTX  *ctx=NULL;
-	EC_POINT *point=NULL;
- 
-	/* TODO: fields other than prime fields */
-       
-	if (!x || !x->group)
-		{
-		reason = ECDSA_R_MISSING_PARAMETERS;
-		goto err;
-		}
-	if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
-		(tmp_3 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL ||
-		(tmp_6 = BN_new()) == NULL || (tmp_7 = BN_new()) == NULL)
-		{
-		reason = ERR_R_MALLOC_FAILURE;
-		goto err;
-		}
-	if (!EC_GROUP_get_curve_GFp(x->group, tmp_1, tmp_2, tmp_3, ctx))
-		{
-		reason = ERR_R_EC_LIB;
-		goto err;
-		}
-	if ((point = EC_GROUP_get0_generator(x->group)) == NULL)
-		{
-		reason = ERR_R_EC_LIB;
-		goto err;
-		}
-	if (!EC_GROUP_get_order(x->group, tmp_6, NULL) || !EC_GROUP_get_cofactor(x->group, tmp_7, NULL))
-		{
-		reason = ERR_R_EC_LIB;
-		goto err;
-		}
-	if ((buf_len = EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), NULL, 0, ctx)) == 0)
-		{
-		reason = ECDSA_R_UNEXPECTED_PARAMETER_LENGTH;
-		goto err;
-		}
-	if ((buffer = OPENSSL_malloc(buf_len)) == NULL)
-		{
-		reason = ERR_R_MALLOC_FAILURE;
-		goto err;
-		}
-	if (!EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), 
-				buffer, buf_len, ctx)) goto err;
-	if ((tmp_4 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
-		{
-		reason = ERR_R_BN_LIB;
-		goto err;
-		}
-	if ((i = EC_POINT_point2oct(x->group, x->pub_key, ECDSA_get_conversion_form(x), NULL, 0, ctx)) == 0)
-		{
-		reason = ECDSA_R_UNEXPECTED_PARAMETER_LENGTH;
-		goto err;
-		}
-	if (i > buf_len && (buffer = OPENSSL_realloc(buffer, i)) == NULL)
-		{
-		reason = ERR_R_MALLOC_FAILURE;
-		buf_len = i;
-		goto err;
-		}
-	if (!EC_POINT_point2oct(x->group, x->pub_key, ECDSA_get_conversion_form(x), 
-				buffer, buf_len, ctx))
-		{
-		reason = ERR_R_EC_LIB;
-		goto err;
-		}
-	if ((tmp_5 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
-		{
-		reason = ERR_R_BN_LIB;
-		goto err;
-		}
-	if (tmp_1 != NULL)
-		i = BN_num_bytes(tmp_1)*2;
-	else
-		i=256;
-	if ((i + 10) > buf_len && (buffer = OPENSSL_realloc(buffer, i+10)) == NULL)
-		{
-		reason = ERR_R_MALLOC_FAILURE;
-		buf_len = i;
-		goto err;
-		}
-	if (off)
-		{
-		if (off > 128) off=128;
-		memset(str,' ',off);
-		}
-	if (x->priv_key != NULL)
-		{
-		if (off && (BIO_write(bp, str, off) <= 0)) goto err;
-		if (BIO_printf(bp, "Private-Key: (%d bit)\n", BN_num_bits(tmp_1)) <= 0) goto err;
-		}
-  
-	if ((x->priv_key != NULL) && !print(bp, "priv:", x->priv_key, buffer, off)) goto err;
-	if ((tmp_5 != NULL) && !print(bp, "pub: ", tmp_5, buffer, off)) goto err;
-	if ((tmp_1 != NULL) && !print(bp, "P:   ", tmp_1, buffer, off)) goto err;
-	if ((tmp_2 != NULL) && !print(bp, "A:   ", tmp_2, buffer, off)) goto err;
-	if ((tmp_3 != NULL) && !print(bp, "B:   ", tmp_3, buffer, off)) goto err;
-	if ((tmp_4 != NULL) && !print(bp, "Gen: ", tmp_4, buffer, off)) goto err;
-	if ((tmp_6 != NULL) && !print(bp, "Order: ", tmp_6, buffer, off)) goto err;
-	if ((tmp_7 != NULL) && !print(bp, "Cofactor: ", tmp_7, buffer, off)) goto err;
-	ret=1;
-err:
-	if (!ret)
- 		ECDSAerr(ECDSA_F_ECDSA_PRINT, reason);
-	if (tmp_1) BN_free(tmp_1);
-	if (tmp_2) BN_free(tmp_2);
-	if (tmp_3) BN_free(tmp_3);
-	if (tmp_4) BN_free(tmp_4);
-	if (tmp_5) BN_free(tmp_5);
-	if (tmp_6) BN_free(tmp_6);
-	if (tmp_7) BN_free(tmp_7);
-	if (ctx)   BN_CTX_free(ctx);
-	if (buffer != NULL) OPENSSL_free(buffer);
-	return(ret);
-	}
-#endif
-
 static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
 	     int off)
 	{
@@ -428,10 +308,15 @@ int DHparams_print_fp(FILE *fp, const DH *x)
 int DHparams_print(BIO *bp, const DH *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,i,ret=0;
+	int reason=ERR_R_BUF_LIB,ret=0;
+	size_t buf_len=0, i;

-	i=BN_num_bytes(x->p);
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	if (x->p)
+		buf_len = (size_t)BN_num_bytes(x->p);
+	if (x->g)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+			buf_len = i;
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		reason=ERR_R_MALLOC_FAILURE;
@@ -481,10 +366,18 @@ int DSAparams_print_fp(FILE *fp, const DSA *x)
 int DSAparams_print(BIO *bp, const DSA *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,i,ret=0;
+	int reason=ERR_R_BUF_LIB,ret=0;
+	size_t buf_len=0,i;

-	i=BN_num_bytes(x->p);
-	m=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
+	if (x->p)
+		buf_len = (size_t)BN_num_bytes(x->p);
+	if (x->q)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
+			buf_len = i;
+	if (x->g)
+		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
+			buf_len = i;
+	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
 		reason=ERR_R_MALLOC_FAILURE;
@@ -506,95 +399,3 @@ err:

 #endif /* !OPENSSL_NO_DSA */

-#ifndef OPENSSL_NO_ECDSA
-#ifndef OPENSSL_NO_FP_API
-int ECDSAParameters_print_fp(FILE *fp, const ECDSA *x)
-	{
-	BIO *b;
-	int ret;
- 
-	if ((b=BIO_new(BIO_s_file())) == NULL)
-	{
-		ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT_FP, ERR_R_BIO_LIB);
-		return(0);
-	}
-	BIO_set_fp(b, fp, BIO_NOCLOSE);
-	ret = ECDSAParameters_print(b, x);
-	BIO_free(b);
-	return(ret);
-	}
-#endif
-
-int ECDSAParameters_print(BIO *bp, const ECDSA *x)
-       {
-       unsigned char *buffer=NULL;
-       int     buf_len;
-       int     reason=ERR_R_EC_LIB, i, ret=0;
-       BIGNUM  *tmp_1=NULL, *tmp_2=NULL, *tmp_3=NULL, *tmp_4=NULL,
-               *tmp_5=NULL, *tmp_6=NULL;
-       BN_CTX  *ctx=NULL;
-       EC_POINT *point=NULL;
- 
-       /* TODO: fields other than prime fields */
-       if (!x || !x->group)
-       {
-		reason = ECDSA_R_MISSING_PARAMETERS;
-		goto err;
-       }
-       if ((tmp_1 = BN_new()) == NULL || (tmp_2 = BN_new()) == NULL ||
-	   (tmp_3 = BN_new()) == NULL || (tmp_5 = BN_new()) == NULL ||
-           (tmp_6 = BN_new()) == NULL || (ctx = BN_CTX_new()) == NULL)
-       {
-		reason = ERR_R_MALLOC_FAILURE;
-		goto err;
-	}
-	if (!EC_GROUP_get_curve_GFp(x->group, tmp_1, tmp_2, tmp_3, ctx)) goto err;
-	if ((point = EC_GROUP_get0_generator(x->group)) == NULL) goto err;
-	if (!EC_GROUP_get_order(x->group, tmp_5, ctx)) goto err;
-	if (!EC_GROUP_get_cofactor(x->group, tmp_6, ctx)) goto err;	
-	buf_len = EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), NULL, 0, ctx);
-	if (!buf_len || (buffer = OPENSSL_malloc(buf_len)) == NULL)
-	{
-		reason = ERR_R_MALLOC_FAILURE;
-		goto err;
-	}
-	if (!EC_POINT_point2oct(x->group, point, ECDSA_get_conversion_form(x), buffer, buf_len, ctx))
-	{
-		reason = ERR_R_EC_LIB;
-		goto err;
-	}
-	if ((tmp_4 = BN_bin2bn(buffer, buf_len, NULL)) == NULL)
-	{
-		reason = ERR_R_BN_LIB;
-		goto err;
-	}
-  
-	i = BN_num_bits(tmp_1) + 10;
-	if (i > buf_len && (buffer = OPENSSL_realloc(buffer, i)) == NULL)
-	{
-		reason=ERR_R_MALLOC_FAILURE;
-		goto err;
-	}
- 
-	if (BIO_printf(bp, "ECDSA-Parameters: (%d bit)\n", BN_num_bits(tmp_1)) <= 0) goto err;
-	if (!print(bp, "Prime p:", tmp_1, buffer, 4)) goto err;
-	if (!print(bp, "Curve a:", tmp_2, buffer, 4)) goto err;
-	if (!print(bp, "Curve b:", tmp_3, buffer, 4)) goto err;
-	if (!print(bp, "Generator (compressed):", tmp_4, buffer, 4)) goto err; 
-	if (!print(bp, "Order:", tmp_5, buffer, 4)) goto err;
-	if (!print(bp, "Cofactor:", tmp_6, buffer, 4)) goto err;
-	ret=1;
-err:
-	if (tmp_1)  BN_free(tmp_1);
-	if (tmp_2)  BN_free(tmp_2);
-	if (tmp_3)  BN_free(tmp_3);
-	if (tmp_4)  BN_free(tmp_4);
-	if (tmp_5)  BN_free(tmp_5);
-	if (tmp_6)  BN_free(tmp_6);
-	if (ctx)    BN_CTX_free(ctx);
-	if (buffer) OPENSSL_free(buffer);
-	ECDSAerr(ECDSA_F_ECDSAPARAMETERS_PRINT, reason);
-	return(ret);
-	}
-  
-#endif
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -134,15 +134,6 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
 		}
 	else
 #endif
-#ifndef OPENSSL_NO_ECDSA
-		if (pkey != NULL && pkey->type == EVP_PKEY_ECDSA)
-		{
-			BIO_printf(bp, "%12sECDSA Public Key: \n","");
-			ECDSA_print(bp, pkey->pkey.ecdsa, 16);
-		}
-	else
-#endif
-
 		BIO_printf(bp,"%12sUnknown Public Key:\n","");

 	if (pkey != NULL)
--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@@ -93,15 +93,6 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 		}
 		else
 #endif
-#ifndef OPENSSL_NO_ECDSA
-		if (pkey->type == EVP_PKEY_ECDSA)
-		{
-			BIO_printf(out, "  ECDSA Public Key:\n");
-			ECDSA_print(out, pkey->pkey.ecdsa,2);
-		}
-		else
-#endif
-
 			BIO_printf(out,"  Unknown Public Key:\n");
 		EVP_PKEY_free(pkey);
 	}
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -66,9 +66,6 @@
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
-#ifndef OPENSSL_NO_ECDSA
-#include <openssl/ecdsa.h>
-#endif
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -231,14 +228,6 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 			DSA_print(bp,pkey->pkey.dsa,16);
 			}
 		else
-#endif
-#ifndef OPENSSL_NO_ECDSA
-		if (pkey->type == EVP_PKEY_ECDSA)
-			{
-			BIO_printf(bp, "%12sECDSA Public Key:\n","");
-			ECDSA_print(bp, pkey->pkey.ecdsa, 16);
-			}
-		else
 #endif
 			BIO_printf(bp,"%12sUnknown Public Key:\n","");

--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -64,8 +64,7 @@
 /* Minor tweak to operation: free up EVP_PKEY */
 static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-	if (operation == ASN1_OP_FREE_POST)
-		{
+	if(operation == ASN1_OP_FREE_POST) {
 		X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
 		EVP_PKEY_free(pubkey->pkey);
 	}
@@ -109,8 +108,9 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 			a->parameter->type=V_ASN1_NULL;
 			}
 		}
+	else
 #ifndef OPENSSL_NO_DSA
-	else if (pkey->type == EVP_PKEY_DSA)
+		if (pkey->type == EVP_PKEY_DSA)
 		{
 		unsigned char *pp;
 		DSA *dsa;
@@ -119,7 +119,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		dsa->write_params=0;
 		ASN1_TYPE_free(a->parameter);
 		i=i2d_DSAparams(dsa,NULL);
-		p=(unsigned char *)OPENSSL_malloc(i);
+		if ((p=(unsigned char *)OPENSSL_malloc(i)) == NULL) goto err;
 		pp=p;
 		i2d_DSAparams(dsa,&pp);
 		a->parameter=ASN1_TYPE_new();
@@ -128,68 +128,19 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		ASN1_STRING_set(a->parameter->value.sequence,p,i);
 		OPENSSL_free(p);
 		}
+	else
 #endif
-#ifndef OPENSSL_NO_ECDSA
-	else if (pkey->type == EVP_PKEY_ECDSA)
-		{
-		int nid=0;
-		unsigned char *pp;
-		ECDSA *ecdsa;
-		
-		ecdsa = pkey->pkey.ecdsa;
-		ASN1_TYPE_free(a->parameter);
-
-		if ((a->parameter = ASN1_TYPE_new()) == NULL)
-			{
-			X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
-			goto err;
-			}
-
-		if ((ECDSA_get_parameter_flags(ecdsa) & ECDSA_FLAG_NAMED_CURVE) && (nid = EC_GROUP_get_nid(ecdsa->group)))
-			{
-			/* just set the OID */
-			a->parameter->type = V_ASN1_OBJECT;
-			a->parameter->value.object = OBJ_nid2obj(nid);
-			}
-		else /* explicit parameters */
-			{
-			if ((i = i2d_ECDSAParameters(ecdsa, NULL)) == 0)
-				{
-				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
-				goto err;
-				}
-			if ((p = (unsigned char *) OPENSSL_malloc(i)) == NULL)
-				{
-				X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
-				goto err;
-				}	
-			pp = p;
-			if (!i2d_ECDSAParameters(ecdsa, &pp))
-				{
-				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ECDSA_LIB);
-				OPENSSL_free(p);
-				goto err;
-				}
-			a->parameter->type = V_ASN1_SEQUENCE;
-			if ((a->parameter->value.sequence = ASN1_STRING_new()) == NULL)
-				{
-				X509err(X509_F_X509_PUBKEY_SET, ERR_R_ASN1_LIB);
-				OPENSSL_free(p);
-				goto err;
-				}
-			ASN1_STRING_set(a->parameter->value.sequence, p, i);
-			OPENSSL_free(p);
-			}
-		}
-#endif
-	else if (1)
 		{
 		X509err(X509_F_X509_PUBKEY_SET,X509_R_UNSUPPORTED_ALGORITHM);
 		goto err;
 		}

 	if ((i=i2d_PublicKey(pkey,NULL)) <= 0) goto err;
-	if ((s=(unsigned char *)OPENSSL_malloc(i+1)) == NULL) goto err;
+	if ((s=(unsigned char *)OPENSSL_malloc(i+1)) == NULL)
+		{
+		X509err(X509_F_X509_PUBKEY_SET,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
 	p=s;
 	i2d_PublicKey(pkey,&p);
 	if (!M_ASN1_BIT_STRING_set(pk->public_key,s,i)) goto err;
@@ -222,7 +173,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	long j;
 	int type;
 	unsigned char *p;
-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#ifndef OPENSSL_NO_DSA
 	const unsigned char *cp;
 	X509_ALGOR *a;
 #endif
@@ -238,31 +189,21 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 	if (key->public_key == NULL) goto err;

 	type=OBJ_obj2nid(key->algor->algorithm);
-	if ((ret = EVP_PKEY_new()) == NULL)
+	p=key->public_key->data;
+        j=key->public_key->length;
+        if ((ret=d2i_PublicKey(type,NULL,&p,(long)j)) == NULL)
 		{
-		X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
+		X509err(X509_F_X509_PUBKEY_GET,X509_R_ERR_ASN1_LIB);
 		goto err;
 		}
-	ret->type = EVP_PKEY_type(type);
+	ret->save_parameters=0;

-	/* the parameters must be extracted before the public key (ECDSA!) */
-	
-#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
-	a=key->algor;
-#endif
-
-	if (0)
-		;
 #ifndef OPENSSL_NO_DSA
-	else if (ret->type == EVP_PKEY_DSA)
+	a=key->algor;
+	if (ret->type == EVP_PKEY_DSA)
 		{
 		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
 			{
-			if ((ret->pkey.dsa = DSA_new()) == NULL)
-				{
-				X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
-				goto err;
-				}
 			ret->pkey.dsa->write_params=0;
 			cp=p=a->parameter->value.sequence->data;
 			j=a->parameter->value.sequence->length;
@@ -272,53 +213,6 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 		ret->save_parameters=1;
 		}
 #endif
-#ifndef OPENSSL_NO_ECDSA
-	else if (ret->type == EVP_PKEY_ECDSA)
-		{
-		if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
-			{
-			/* type == V_ASN1_SEQUENCE => we have explicit parameters
-                         * (e.g. parameters in the X9_62_EC_PARAMETERS-structure )
-			 */
-			if ((ret->pkey.ecdsa= ECDSA_new()) == NULL)
-				{
-				X509err(X509_F_X509_PUBKEY_GET, ERR_R_MALLOC_FAILURE);
-				goto err;
-				}
-			cp = p = a->parameter->value.sequence->data;
-			j = a->parameter->value.sequence->length;
-			if (!d2i_ECDSAParameters(&ret->pkey.ecdsa, &cp, (long)j))
-				{
-				X509err(X509_F_X509_PUBKEY_GET, ERR_R_ECDSA_LIB);
-				goto err;
-				}
-			}
-		else if (a->parameter && (a->parameter->type == V_ASN1_OBJECT))
-			{
-			/* type == V_ASN1_OBJECT => the parameters are given
-			 * by an asn1 OID
-			 */
-			if (ret->pkey.ecdsa == NULL)
-				ret->pkey.ecdsa = ECDSA_new();
-			if (ret->pkey.ecdsa->group)
-				EC_GROUP_free(ret->pkey.ecdsa->group);
-			ret->pkey.ecdsa->parameter_flags |= ECDSA_FLAG_NAMED_CURVE;
-			if ((ret->pkey.ecdsa->group = EC_GROUP_new_by_name(OBJ_obj2nid(a->parameter->value.object))) == NULL)
-				goto err;
-			}
-			/* the case implicitlyCA is currently not implemented */
-		ret->save_parameters = 1;
-		}
-#endif
-
-	p=key->public_key->data;
-        j=key->public_key->length;
-        if ((ret = d2i_PublicKey(type, &ret, &p, (long)j)) == NULL)
-		{
-		X509err(X509_F_X509_PUBKEY_GET, X509_R_ERR_ASN1_LIB);
-		goto err;
-		}
-
 	key->pkey=ret;
 	CRYPTO_add(&ret->references,1,CRYPTO_LOCK_EVP_PKEY);
 	return(ret);
@@ -342,8 +236,7 @@ EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp,
 	pktmp = X509_PUBKEY_get(xpk);
 	X509_PUBKEY_free(xpk);
 	if(!pktmp) return NULL;
-	if(a)
-		{
+	if(a) {
 		EVP_PKEY_free(*a);
 		*a = pktmp;
 	}
@@ -378,8 +271,7 @@ RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp,
 	EVP_PKEY_free(pkey);
 	if(!key) return NULL;
 	*pp = q;
-	if (a)
-		{
+	if(a) {
 		RSA_free(*a);
 		*a = key;
 	}
@@ -392,8 +284,7 @@ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
 	int ret;
 	if(!a) return 0;
 	pktmp = EVP_PKEY_new();
-	if (!pktmp)
-		{
+	if(!pktmp) {
 		ASN1err(ASN1_F_I2D_RSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
@@ -418,8 +309,7 @@ DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp,
 	EVP_PKEY_free(pkey);
 	if(!key) return NULL;
 	*pp = q;
-	if (a)
-		{
+	if(a) {
 		DSA_free(*a);
 		*a = key;
 	}
@@ -432,8 +322,7 @@ int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
 	int ret;
 	if(!a) return 0;
 	pktmp = EVP_PKEY_new();
-	if(!pktmp)
-		{
+	if(!pktmp) {
 		ASN1err(ASN1_F_I2D_DSA_PUBKEY, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
@@ -443,41 +332,3 @@ int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp)
 	return ret;
 }
 #endif
-
-#ifndef OPENSSL_NO_ECDSA
-ECDSA *d2i_ECDSA_PUBKEY(ECDSA **a, unsigned char **pp, long length)
-	{
-	EVP_PKEY *pkey;
-	ECDSA *key;
-	unsigned char *q;
-	q = *pp;
-	pkey = d2i_PUBKEY(NULL, &q, length);
-	if (!pkey) return(NULL);
-	key = EVP_PKEY_get1_ECDSA(pkey);
-	EVP_PKEY_free(pkey);
-	if (!key)  return(NULL);
-	*pp = q;
-	if (a)
-		{
-		ECDSA_free(*a);
-		*a = key;
-		}
-	return(key);
-	}
-
-int i2d_ECDSA_PUBKEY(ECDSA *a, unsigned char **pp)
-	{
-	EVP_PKEY *pktmp;
-	int ret;
-	if (!a)	return(0);
-	if ((pktmp = EVP_PKEY_new()) == NULL)
-		{
-		ASN1err(ASN1_F_I2D_ECDSA_PUBKEY, ERR_R_MALLOC_FAILURE);
-		return(0);
-		}
-	EVP_PKEY_set1_ECDSA(pktmp, a);
-	ret = i2d_PUBKEY(pktmp, pp);
-	EVP_PKEY_free(pktmp);
-	return(ret);
-	}
-#endif
--- a/crypto/bf/Makefile.ssl
+++ b/crypto/bf/Makefile.ssl
@@ -96,7 +96,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bio/Makefile.ssl
+++ b/crypto/bio/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -56,6 +56,13 @@
 * [including the GNU Public Licence.]
 */

+/* disable assert() unless BIO_DEBUG has been defined */
+#ifndef BIO_DEBUG
+# ifndef NDEBUG
+#  define NDEBUG
+# endif
+#endif
+
 /* 
 * Stolen from tjh's ssl/ssl_trc.c stuff.
 */
@@ -716,12 +723,13 @@ doapr_outch(
    if (buffer) {
 	while (*currlen >= *maxlen) {
 	    if (*buffer == NULL) {
-		assert(*sbuffer != NULL);
 		if (*maxlen == 0)
 		    *maxlen = 1024;
 		*buffer = OPENSSL_malloc(*maxlen);
-		if (*currlen > 0)
+		if (*currlen > 0) {
+		    assert(*sbuffer != NULL);
 		    memcpy(*buffer, *sbuffer, *currlen);
+		}
 		*sbuffer = NULL;
 	    } else {
 		*maxlen += 1024;
@@ -761,7 +769,9 @@ int BIO_vprintf (BIO *bio, const char *format, va_list args)
 	{
 	int ret;
 	size_t retlen;
-	MS_STATIC char hugebuf[1024*10];
+	char hugebuf[1024*2];	/* Was previously 10k, which is unreasonable
+				   in small-stack environments, like threads
+				   or DOS programs. */
 	char *hugebufp = hugebuf;
 	size_t hugebufsize = sizeof(hugebuf);
 	char *dynbuf = NULL;
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -484,7 +484,11 @@ int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
 	{
 	int i;

+#ifdef __DJGPP__
+	i=ioctlsocket(fd,type,(char *)arg);
+#else
 	i=ioctlsocket(fd,type,arg);
+#endif /* __DJGPP__ */
 	if (i < 0)
 		SYSerr(SYS_F_IOCTLSOCKET,get_last_socket_error());
 	return(i);
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -103,7 +103,7 @@ static int nbiof_new(BIO *bi)
 	{
 	NBIO_TEST *nt;

-	nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST));
+	if (!(nt=(NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST)))) return(0);
 	nt->lrn= -1;
 	nt->lwn= -1;
 	bi->ptr=(char *)nt;
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -554,7 +554,9 @@ BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);
 BIO_METHOD *BIO_s_fd(void);
+#ifndef OPENSSL_SYS_OS2
 BIO_METHOD *BIO_s_log(void);
+#endif
 BIO_METHOD *BIO_s_bio(void);
 BIO_METHOD *BIO_s_null(void);
 BIO_METHOD *BIO_f_null(void);
@@ -647,6 +649,7 @@ void ERR_load_BIO_strings(void);
 #define BIO_F_CONN_CTRL					 127
 #define BIO_F_CONN_STATE				 115
 #define BIO_F_FILE_CTRL					 116
+#define BIO_F_FILE_READ					 130
 #define BIO_F_LINEBUFFER_CTRL				 129
 #define BIO_F_MEM_READ					 128
 #define BIO_F_MEM_WRITE					 117
--- a/crypto/bio/bio_err.c
+++ b/crypto/bio/bio_err.c
@@ -91,6 +91,7 @@ static ERR_STRING_DATA BIO_str_functs[]=
 {ERR_PACK(0,BIO_F_CONN_CTRL,0),	"CONN_CTRL"},
 {ERR_PACK(0,BIO_F_CONN_STATE,0),	"CONN_STATE"},
 {ERR_PACK(0,BIO_F_FILE_CTRL,0),	"FILE_CTRL"},
+{ERR_PACK(0,BIO_F_FILE_READ,0),	"FILE_READ"},
 {ERR_PACK(0,BIO_F_LINEBUFFER_CTRL,0),	"LINEBUFFER_CTRL"},
 {ERR_PACK(0,BIO_F_MEM_READ,0),	"MEM_READ"},
 {ERR_PACK(0,BIO_F_MEM_WRITE,0),	"MEM_WRITE"},
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -7,10 +7,19 @@
 * for which no specific BIO method is available.
 * See ssl/ssltest.c for some hints on how this can be used. */

+/* BIO_DEBUG implies BIO_PAIR_DEBUG */
+#ifdef BIO_DEBUG
 # ifndef BIO_PAIR_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
+#  define BIO_PAIR_DEBUG
+# endif
+#endif
+
+/* disable assert() unless BIO_PAIR_DEBUG has been defined */
+#ifndef BIO_PAIR_DEBUG
+# ifndef NDEBUG
 #  define NDEBUG
 # endif
+#endif

 #include <assert.h>
 #include <limits.h>
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -162,6 +162,12 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl)
 	if (b->init && (out != NULL))
 		{
 		ret=fread(out,1,(int)outl,(FILE *)b->ptr);
+		if(ret == 0 && ferror((FILE *)b->ptr))
+			{
+			SYSerr(SYS_F_FREAD,get_last_sys_error());
+			BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB);
+			ret=-1;
+			}
 		}
 	return(ret);
 	}
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -169,7 +169,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -136,7 +136,7 @@ extern "C" {
 #define BN_MASK2h	(0xffffffff00000000LL)
 #define BN_MASK2h1	(0xffffffff80000000LL)
 #define BN_TBIT		(0x8000000000000000LL)
-#define BN_DEC_CONV	(10000000000000000000LL)
+#define BN_DEC_CONV	(10000000000000000000ULL)
 #define BN_DEC_FMT1	"%llu"
 #define BN_DEC_FMT2	"%019llu"
 #define BN_DEC_NUM	19
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -200,10 +200,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,

 	/* First we normalise the numbers */
 	norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
-	BN_lshift(sdiv,divisor,norm_shift);
+	if (!(BN_lshift(sdiv,divisor,norm_shift))) goto err;
 	sdiv->neg=0;
 	norm_shift+=BN_BITS2;
-	BN_lshift(snum,num,norm_shift);
+	if (!(BN_lshift(snum,num,norm_shift))) goto err;
 	snum->neg=0;
 	div_n=sdiv->top;
 	num_n=snum->top;
@@ -327,7 +327,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 		tmp->top=j;

 		j=wnum.top;
-		BN_sub(&wnum,&wnum,tmp);
+		if (!BN_sub(&wnum,&wnum,tmp)) goto err;

 		snum->top=snum->top+wnum.top-j;

@@ -335,7 +335,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 			{
 			q--;
 			j=wnum.top;
-			BN_add(&wnum,&wnum,sdiv);
+			if (!BN_add(&wnum,&wnum,sdiv)) goto err;
 			snum->top+=wnum.top-j;
 			}
 		*(resp--)=q;
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -397,6 +397,12 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
 	{
 	BIGNUM *r = NULL;

+	/* This function does not work if
+	 *      words <= b->dmax && top < words
+	 * because BN_dup() does not preserve 'dmax'!
+	 * (But bn_dup_expand() is not used anywhere yet.)
+	 */
+	
 	if (words > b->dmax)
 		{
 		BN_ULONG *a = bn_expand_internal(b, words);
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -221,7 +221,7 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,

 	if (!BN_mul(t1,t2,&mont->N,ctx)) goto err;
 	if (!BN_add(t2,a,t1)) goto err;
-	BN_rshift(ret,t2,mont->ri);
+	if (!BN_rshift(ret,t2,mont->ri)) goto err;
 #endif /* MONT_WORD */

 	if (BN_ucmp(ret, &(mont->N)) >= 0)
@@ -282,8 +282,8 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		BN_ULONG buf[2];

 		mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2;
-		BN_zero(R);
-		BN_set_bit(R,BN_BITS2);			/* R */
+		if (!(BN_zero(R))) goto err;
+		if (!(BN_set_bit(R,BN_BITS2))) goto err;	/* R */

 		buf[0]=mod->d[0]; /* tmod = N mod word size */
 		buf[1]=0;
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -66,7 +66,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"

-#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__))/* Assembler implementation exists only for x86 */
+#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__)) || defined(__DJGPP__) /* Assembler implementation exists only for x86 */
 /* Here follows specialised variants of bn_add_words() and
   bn_sub_words().  They have the property performing operations on
   arrays of different sizes.  The sizes of those arrays is expressed through
@@ -408,16 +408,22 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 		return;
 		}
 #  endif
-	if (n2 == 8)
+	/* Only call bn_mul_comba 8 if n2 == 8 and the
+	 * two arrays are complete [steve]
+	 */
+	if (n2 == 8 && dna == 0 && dnb == 0)
 		{
 		bn_mul_comba8(r,a,b);
 		return; 
 		}
 # endif /* BN_MUL_COMBA */
+	/* Else do normal multiply */
 	if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL)
 		{
-		/* This should not happen */
-		bn_mul_normal(r,a,n2,b,n2);
+		bn_mul_normal(r,a,n2+dna,b,n2+dnb);
+		if ((dna + dnb) < 0)
+			memset(&r[2*n2 + dna + dnb], 0,
+				sizeof(BN_ULONG) * -(dna + dnb));
 		return;
 		}
 	/* r=(a[0]-a[1])*(b[1]-b[0]) */
@@ -958,7 +964,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)

 	if ((al == 0) || (bl == 0))
 		{
-		BN_zero(r);
+		if (!BN_zero(r)) goto err;
 		return(1);
 		}
 	top=al+bl;
@@ -1038,7 +1044,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 		if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
 			{
 			BIGNUM *tmp_bn = (BIGNUM *)b;
-			bn_wexpand(tmp_bn,al);
+			if (bn_wexpand(tmp_bn,al) == NULL) goto err;
 			tmp_bn->d[bl]=0;
 			bl++;
 			i--;
@@ -1046,7 +1052,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 		else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
 			{
 			BIGNUM *tmp_bn = (BIGNUM *)a;
-			bn_wexpand(tmp_bn,bl);
+			if (bn_wexpand(tmp_bn,bl) == NULL) goto err;
 			tmp_bn->d[al]=0;
 			al++;
 			i++;
@@ -1061,14 +1067,14 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 			t = BN_CTX_get(ctx);
 			if (al == j) /* exact multiple */
 				{
-				bn_wexpand(t,k*2);
-				bn_wexpand(rr,k*2);
+				if (bn_wexpand(t,k*2) == NULL) goto err;
+				if (bn_wexpand(rr,k*2) == NULL) goto err;
 				bn_mul_recursive(rr->d,a->d,b->d,al,t->d);
 				}
 			else
 				{
-				bn_wexpand(t,k*4);
-				bn_wexpand(rr,k*4);
+				if (bn_wexpand(t,k*4) == NULL) goto err;
+				if (bn_wexpand(rr,k*4) == NULL) goto err;
 				bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
 				}
 			rr->top=top;
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -925,7 +925,7 @@ int test_kron(BIO *bp, BN_CTX *ctx)
 		/* r := a^t mod b */
 		b->neg=0;
 		
-		if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err; /* XXX should be BN_mod_exp_recp, but ..._recp triggers a bug that must be fixed */
+		if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err;
 		b->neg=1;

 		if (BN_is_word(r, 1))
--- a/crypto/buffer/Makefile.ssl
+++ b/crypto/buffer/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/cast/Makefile.ssl
+++ b/crypto/cast/Makefile.ssl
@@ -97,7 +97,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/comp/Makefile.ssl
+++ b/crypto/comp/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/conf/Makefile.ssl
+++ b/crypto/conf/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -89,14 +89,14 @@ conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_api.o: conf_api.c
-conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
-conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-conf_def.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-conf_def.o: ../../include/openssl/opensslconf.h
+conf_def.o: ../../e_os.h ../../include/openssl/bio.h
+conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
+conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_def.o: conf_def.c conf_def.h
+conf_def.o: ../cryptlib.h conf_def.c conf_def.h
 conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
 conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 conf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@@ -111,55 +111,73 @@ conf_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 conf_lib.o: conf_lib.c
-conf_mall.o: ../../e_os.h ../../include/openssl/asn1.h
-conf_mall.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-conf_mall.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_mall.o: ../../e_os.h ../../include/openssl/aes.h
+conf_mall.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+conf_mall.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+conf_mall.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 conf_mall.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+conf_mall.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 conf_mall.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_mall.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-conf_mall.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 conf_mall.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-conf_mall.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-conf_mall.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+conf_mall.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+conf_mall.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+conf_mall.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+conf_mall.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+conf_mall.o: ../../include/openssl/objects.h
 conf_mall.o: ../../include/openssl/opensslconf.h
 conf_mall.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 conf_mall.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+conf_mall.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+conf_mall.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 conf_mall.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 conf_mall.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 conf_mall.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-conf_mall.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-conf_mall.o: ../cryptlib.h conf_mall.c
-conf_mod.o: ../../e_os.h ../../include/openssl/asn1.h
-conf_mod.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-conf_mod.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_mall.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+conf_mall.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_mall.c
+conf_mod.o: ../../e_os.h ../../include/openssl/aes.h
+conf_mod.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+conf_mod.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+conf_mod.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 conf_mod.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+conf_mod.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 conf_mod.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_mod.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-conf_mod.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 conf_mod.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-conf_mod.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-conf_mod.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+conf_mod.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+conf_mod.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+conf_mod.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+conf_mod.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+conf_mod.o: ../../include/openssl/opensslconf.h
 conf_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+conf_mod.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+conf_mod.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 conf_mod.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 conf_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+conf_mod.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 conf_mod.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
 conf_mod.o: ../cryptlib.h conf_mod.c
-conf_sap.o: ../../e_os.h ../../include/openssl/asn1.h
-conf_sap.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-conf_sap.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+conf_sap.o: ../../e_os.h ../../include/openssl/aes.h
+conf_sap.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+conf_sap.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+conf_sap.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 conf_sap.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+conf_sap.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 conf_sap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 conf_sap.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-conf_sap.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 conf_sap.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-conf_sap.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-conf_sap.o: ../../include/openssl/opensslconf.h
+conf_sap.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+conf_sap.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+conf_sap.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+conf_sap.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+conf_sap.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 conf_sap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+conf_sap.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+conf_sap.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 conf_sap.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 conf_sap.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-conf_sap.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-conf_sap.o: ../cryptlib.h conf_sap.c
+conf_sap.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+conf_sap.o: ../../include/openssl/x509_vfy.h ../cryptlib.h conf_sap.c
--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -129,6 +129,7 @@ int CONF_dump_fp(LHASH *conf, FILE *out);
 int CONF_dump_bio(LHASH *conf, BIO *out);

 void OPENSSL_config(const char *config_name);
+void OPENSSL_no_config(void);

 /* New conf code.  The semantics are different from the functions above.
   If that wasn't the case, the above functions would have been replaced */
@@ -141,10 +142,10 @@ struct conf_st
 	};

 CONF *NCONF_new(CONF_METHOD *meth);
-CONF_METHOD *NCONF_default();
-CONF_METHOD *NCONF_WIN32();
+CONF_METHOD *NCONF_default(void);
+CONF_METHOD *NCONF_WIN32(void);
 #if 0 /* Just to give you an idea of what I have in mind */
-CONF_METHOD *NCONF_XML();
+CONF_METHOD *NCONF_XML(void);
 #endif
 void NCONF_free(CONF *conf);
 void NCONF_free_data(CONF *conf);
@@ -176,6 +177,7 @@ int CONF_modules_load_file(const char *filename, const char *appname,
 			   unsigned long flags);
 void CONF_modules_unload(int all);
 void CONF_modules_finish(void);
+void CONF_modules_free(void);
 int CONF_module_add(const char *name, conf_init_func *ifunc,
 		    conf_finish_func *ffunc);

--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"

 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -208,12 +209,12 @@ static int def_load(CONF *conf, const char *name, long *line)
 static int def_load_bio(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- a/crypto/conf/conf_lib.c
+++ b/crypto/conf/conf_lib.c
@@ -382,8 +382,9 @@ int NCONF_dump_bio(const CONF *conf, BIO *out)
 	return conf->meth->dump(conf, out);
 	}

+
 /* This function should be avoided */
-#undef NCONF_get_number
+#if 0
 long NCONF_get_number(CONF *conf,char *group,char *name)
 	{
 	int status;
@@ -397,4 +398,4 @@ long NCONF_get_number(CONF *conf,char *group,char *name)
 		}
 	return ret;
 	}
-
+#endif
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -230,7 +230,7 @@ static int module_run(const CONF *cnf, char *name, char *value,
 		{
 		if (!(flags & CONF_MFLAGS_SILENT))
 			{
-			char rcode[10];
+			char rcode[DECIMAL_SIZE(ret)+1];
 			CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
 			sprintf(rcode, "%-8d", ret);
 			ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -103,9 +103,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"dynlock",
 	"engine",
 	"ui",
-	"ecdsa",
-	"ec",
-#if CRYPTO_NUM_LOCKS != 33
+#if CRYPTO_NUM_LOCKS != 31
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -494,3 +492,11 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif

 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -89,6 +89,14 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"

+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -49,6 +49,7 @@ $!  P5, if defined, sets a TCP/IP library to use, through one of the following
 $!  keywords:
 $!
 $!	UCX		for UCX
+$!	TCPIP		for TCPIP (post UCX)
 $!	SOCKETSHR	for SOCKETSHR+NETLIB
 $!
 $!  P6, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up)
@@ -640,6 +641,7 @@ $   WRITE SYS$OUTPUT "	",APPLICATION,".exe"
 $!
 $! Link The Program, Check To See If We Need To Link With RSAREF Or Not.
 $!
+$   ON ERROR THEN GOTO NEXT_APPLICATION
 $   IF (RSAREF.EQS."TRUE")
 $   THEN
 $!
@@ -1358,7 +1360,8 @@ $   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
-$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX"
+$ IF P5.EQS."SOCKETSHR" .OR. P5.EQS."MULTINET" .OR. P5.EQS."UCX" -
+     .OR. P5.EQS."TCPIP" .OR. P5.EQS."NONE"
 $ THEN
 $!
 $!  Check to see if SOCKETSHR was chosen
@@ -1368,7 +1371,7 @@ $   THEN
 $!
 $!    Set the library to use SOCKETSHR
 $!
-$     TCPIP_LIB = "[-.VMS]SOCKETSHR_SHR.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT"
 $!
 $!    Done with SOCKETSHR
 $!
@@ -1394,19 +1397,45 @@ $   THEN
 $!
 $!    Set the library to use UCX.
 $!
-$     TCPIP_LIB = "[-.VMS]UCX_SHR_DECC.OPT/OPT"
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT"
 $     IF F$TRNLNM("UCX$IPC_SHR") .NES. ""
 $     THEN
-$       TCPIP_LIB = "[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
+$       TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT"
 $     ELSE
 $       IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN -
-	  TCPIP_LIB = "[-.VMS]UCX_SHR_VAXC.OPT/OPT"
+	  TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT"
 $     ENDIF
 $!
 $!    Done with UCX
 $!
 $   ENDIF
 $!
+$!  Check to see if TCPIP was chosen
+$!
+$   IF P5.EQS."TCPIP"
+$   THEN
+$!
+$!    Set the library to use TCPIP (post UCX).
+$!
+$     TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT"
+$!
+$!    Done with TCPIP
+$!
+$   ENDIF
+$!
+$!  Check to see if NONE was chosen
+$!
+$   IF P5.EQS."NONE"
+$   THEN
+$!
+$!    Do not use a TCPIP library.
+$!
+$     TCPIP_LIB = ""
+$!
+$!    Done with TCPIP
+$!
+$   ENDIF
+$!
 $!  Print info
 $!
 $   WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB
@@ -1422,6 +1451,7 @@ $   WRITE SYS$OUTPUT "The Option ",P5," Is Invalid.  The Valid Options Are:"
 $   WRITE SYS$OUTPUT ""
 $   WRITE SYS$OUTPUT "    SOCKETSHR  :  To link with SOCKETSHR TCP/IP library."
 $   WRITE SYS$OUTPUT "    UCX        :  To link with UCX TCP/IP library."
+$   WRITE SYS$OUTPUT "    TCPIP      :  To link with TCPIP (post UCX) TCP/IP library."
 $   WRITE SYS$OUTPUT ""
 $!
 $!  Time To EXIT.
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -126,9 +126,7 @@ extern "C" {
 #define	CRYPTO_LOCK_DYNLOCK		28
 #define	CRYPTO_LOCK_ENGINE		29
 #define	CRYPTO_LOCK_UI			30
-#define CRYPTO_LOCK_ECDSA               31
-#define CRYPTO_LOCK_EC			32
-#define	CRYPTO_NUM_LOCKS		33
+#define	CRYPTO_NUM_LOCKS		31

 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -235,7 +233,6 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
 #define CRYPTO_EX_INDEX_ENGINE		9
 #define CRYPTO_EX_INDEX_X509		10
 #define CRYPTO_EX_INDEX_UI		11
-#define CRYPTO_EX_INDEX_ECDSA		12

 /* Dynamically assigned indexes start from this value (don't use directly, use
 * via CRYPTO_ex_data_new_class). */
--- a/crypto/des/Makefile.ssl
+++ b/crypto/des/Makefile.ssl
@@ -108,7 +108,6 @@ files:

 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
-	@$(TOP)/util/point.sh ../../perlasm asm/perlasm
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
@@ -131,7 +130,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/des/des_old.h
+++ b/crypto/des/des_old.h
@@ -173,7 +173,7 @@ typedef struct _ossl_old_des_ks_struct
 	DES_fcrypt((b),(s),(r))
 #define des_crypt(b,s)\
 	DES_crypt((b),(s))
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__)
 #define crypt(b,s)\
 	DES_crypt((b),(s))
 #endif
@@ -366,7 +366,7 @@ int _ossl_old_des_enc_write(int fd,char *buf,int len,_ossl_old_des_key_schedule
 	_ossl_old_des_cblock *iv);
 char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret);
 char *_ossl_old_des_crypt(const char *buf,const char *salt);
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#if !defined(PERL5) && !defined(NeXT)
 char *_ossl_old_crypt(const char *buf,const char *salt);
 #endif
 void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
--- a/crypto/des/read_pwd.c
+++ b/crypto/des/read_pwd.c
@@ -246,7 +246,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 	long status;
 	unsigned short channel = 0;
 #else
-#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
 	TTY_STRUCT tty_orig,tty_new;
 #endif
 #endif
--- a/crypto/dh/Makefile.ssl
+++ b/crypto/dh/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -112,12 +112,10 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dh_gen.o: ../cryptlib.h dh_gen.c
-dh_key.o: ../../e_os.h ../../include/openssl/asn1.h
-dh_key.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dh_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
@@ -125,12 +123,10 @@ dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 dh_key.o: ../cryptlib.h dh_key.c
-dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h
-dh_lib.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dh_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dh_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdsa.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
 dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
--- a/Show More
+++ b/Show More